Steve Gibson (3:07)

Or is it more? We also have Microsoft's longstanding effective MFA login bypass, which must have come as a surprise to them. Turns out they didn't really actually have multifactor authentication working. Is TPM 2.0 not required after all? For Windows 11? There's been a lot of that going around the Internet saying hey, Microsoft changed their mind. Also we're going to meet 14 North Korean IT workers who made $88 million. I saw that from the West. Yeah. It's like, where can I get that job?

Leo Laporte (3:44)

They weren't hacking, they just needed cold hard cash.

Steve Gibson (3:47)

Right.

Leo Laporte (3:48)

And they got it.

Steve Gibson (3:49)

Yep. Also, Android updates its Bluetooth tracking with some new anti tracking measures. The NPM Package Manager repository has had an unbelievable 540,000 malicious packages discovered hiding in plain sight. Here, look how easy this is to use. Just download this and drop it into your web browser and off you go in more ways than one. Also, the Ask Woody site remains alive. Well and terrific. I'm going to touch on that because they reviewed Spinrite yesterday. Also my iPhone is linked to Windows and it is wonderful.

Leo Laporte (4:36)

Oh good.

Steve Gibson (4:37)

Oh good. Also, how has email been finding logos before Be me happened? If we use him and her for people, how about HAL for AI as suggested one of our listeners. Also, I have another very disturbing. I didn't. But I'm going to show another very disturbing conversation with ChatGPT which one of our listeners has shared and what's going on with the new Chat GPT01 model. It wants to escape. What? Also, let's Encrypt plans to reduce its Certificate lifetime from 90 to just 6 days. Why in the world? And as we often say on this podcast, get ready for it.

Leo Laporte (5:29)

What could possibly go wrong?

Steve Gibson (5:35)

And I have got a great picture of the week. Lots of feedback already from listeners. Benito thought got a kick out of it and asked the same question I did. It was is this real? But anyway, it'll be fun. You. It may. You may have already encountered it because you know, you seem to be somehow everywhere all at once at the same time.

Leo Laporte (5:58)

That's my job, Steve.

Steve Gibson (5:59)

That's right, Leo.

Leo Laporte (6:00)

But I haven't looked at it.

Steve Gibson (6:02)

Our pop culture reference.

Leo Laporte (6:04)

Exactly. I will look at it with everybody in just a moment. Actually right after this word from our sponsor. Wow.

Steve Gibson (6:14)

This is the words there somewhere.

Leo Laporte (6:16)

They've changed. Well, they've changed the UI for Restream and I'm having trouble finding the button. I'll click this button. How about it? There it goes. Our show today brought to you by Delete me. We know about Delete Me because we use Delete Me specifically. Lisa uses Delete Me. You may want to use it too if you've ever searched for your name online. Have you ever tried that? Don't. I'm not recommending it. You will not like how much of Your personal information is just right there, smack dab on the Internet. I mean, it's actually kind of scary. Maintaining privacy is not just a personal concern. It's a concern for every one of your family members too. In fact, that's why Delete Me now has family plans. So they got corporate plans, individual plans, and they have added family plans so you can make sure everyone in the family feels safe online. So what does Delete Me do? Well, it helps reduce the risk from identity theft, from cybersecurity threats, from harassment and more. We, we've experienced all of that, but particularly the one that concerned the company was the cybersecurity threats. I've mentioned it before. The, the hackers who used our CEO's name and phone number to send a message to her direct reports saying, you know, send me Amazon gift cards quick, I'm in a meeting and I need them now. Our team is smart. But that scared me a little bit because it showed me that somebody, somebody out there, some bad guy, not only knew our CEO's name and phone number, but knew her direct reports and their phone numbers. And I thought about it, I said, you know what? We're getting Delete Me for Lisa and has it has worked. We have actual evidence that it has kicked her stuff off the Internet. It's really amazing. So when you sign up for Delete Me or you sign up your family for Delete Me, their experts will find and remove your information and their information from hundreds of data brokers. I think that number is low now. I think it's thousands. That's one of the reasons you need Delete Me because it's their job, it's their full time job to keep track of all of the creepoids out there who are collecting your information and selling it onto the highest bidder, including foreign powers. It's completely legal. If you're doing it for your family, you can sign a unique data sheet to each family member, tailored to them. So, you know, well, this one likes to be on Instagram and you know, like things like that. Easy to use controls, account owners can manage privacy settings for the whole family. But here's the most important thing. It was very important for us. It isn't just a one and done delimi, of course, went in deletes, deleted every trace of Lisa from those data brokers. But then they continue to scan and remove your information regularly. And there's a reason for that. First of all, there's new data brokers every day. It's a very lucrative business, sad to say. And because Even after your information has been deleted, they still are collecting information. That dossier gets rebuilt. So you got to keep going. I mean, I'm talking everything they, they know your addresses, your photos, your emails, your relatives, your phone numbers, your Social Security, social media, your property value and more. Steve and I did this. We went out and searched for, after the national public data breach, our information. My Social Security was on the net, Steve's was on the net, Lisa's was not. Because she'd been using Delete me. It's very smart. Protect yourself, reclaim your privacy by going to joindelete me.com Twitter use the code twit. It's not just for individuals, not just for families, businesses. You should really think about this too. To protect your security, your managers, your middle managers, they need delete me. That's joindeleteme.com Twitter the offer code TWIT will get you 20% off. So remember that too. Use the address so they know you saw it here. Join deleteme.com twit and if you decide to sign up, use the offer code twit. You will get 20% off. Joindeleteme.com Twitter thank you delete me for supporting the good work, the important work that Steve's doing here at Security. Now. All right, I am going to scroll up, as is my want. Never seen this before. I shall scroll up and examine the picture of the week and, and you will get my honest and true reaction. Upgrade monthly click Premium plan. If only. I mean, I feel like we're headed straight there. Let me show you. And Steve, you can explain this.

Steve Gibson (10:44)

And that is my point exactly. I gave this picture, the caption, the monetization of our lives, and below it I wrote this brilliant spoof. Perfectly highlights the logical outcome of the distressing path we're on, where the ownership of anything is being replaced by the rental of everything. Yeah, and this shows it. It. It's a. A popup which a user of a, of a. Of a mouse would get on Windows. And it says upgrade required colon Monthly click limit reached. And it says you have reached the maximum number of clicks allowed for this month. To continue using your mouse without interruption, please upgrade to a monthly subscription. And then of course, we have two plans, the standard plan and the premium plan. The standard plan has limited clicks. It's 1099 per month. For that you get 10,000 clicks per month. But if you go over that, it's 10 cents per click. Thereafter, you get a thousand meters of mouse wheel usage per month. Customizable button mappings and Just the basic level of support. But if you elect the premium plan.

Leo Laporte (12:14)

And who would.

Steve Gibson (12:14)

Well, for only 1799 per month, you can have unlimited clicks. You get also unlimited mouse wheel usage, customizable button mappings, oh, and priority support if you figure out how to hold the mouse and access to advanced settings and features. Now of course, the one they want you to click on, the upgrade to premium plan, that's all glowing there in cyan that you just need to click on. You could upgrade to the standard plan. They're not recommending it. And then this person has clicked on the remind me later. You can see the mouse there hovering over remind me later. That's what he's going for. But that brings up another little pop up saying note, you won't be able to use your mouse until you upgrade. Because now this does really beg the question, how do you upgrade if you can't use your mouse? Click, click, click.

Leo Laporte (13:17)

You can't click.

Steve Gibson (13:18)

I don't know about joke, folks.

Leo Laporte (13:20)

We can't. There's no logic in here. It's just a joke.

Steve Gibson (13:23)

But that's good.

Leo Laporte (13:24)

I like it.

Steve Gibson (13:25)

Just a brilliant spoof. And isn't this what we're all feeling? I saw that you that YouTube just announced another jump in prices.

Leo Laporte (13:33)

10 bucks more a month. Yeah, Adobe just killed the 20 gigabyte a month photography plan which was the one I was using. These guys. Yeah, this is the, the way.

Steve Gibson (13:44)

You know, Leo, everyone laughed at me when I said I'm sticking with Office 2003 because it just works, works just great and doesn't have any 365 nonsense anywhere. And you know, they, and they really haven't changed it. It's like they've got, you know, they, they recode it with new candy every, you know, on, on the UI in order to. Because everyone has to have the latest and greatest. It's like okay, but you know.

Leo Laporte (14:13)

Oh boy. Okay.

Steve Gibson (14:15)

So I wanted to begin today's podcast with a follow up note to last week's A Chat with GPT podcast. I suspect that one of our podcasts next year may be given the title the wizard of Oz. Because based upon my new and very. I want to stress this very, very, very preliminary understanding. It appears that there is nothing whatsoever even remotely intelligent emerging or threatening to emerge from all of this work being done to capitalize upon the illusion of intelligence that's enabled through the very clever application of today's large language models. I believe we're being seduced by language which is capable of highly compelling seduction. It appears that an illusion is all this is, and if it's true, it's all it can ever be. If this is the case, it means that the Holy Grail of AGI remains just as far away as it was before the first large language model was created. This is not to say that the technology behind large language models is not going to profoundly change the world. I have no doubt that it will. This is still the biggest thing to happen. This new technology is going to be able to find signals in the noise that we miss, but it appears to me now that there's a lot that the LLM trick will not be able to do so what happened between last week's podcast and Today? Last week, immediately after Leo mentioned it, I grabbed Stephen Wolfram's book about AI. Since it was available on Kindle, I had it in seconds and I was unable to resist cracking its cover just to get some feel for what lay ahead. I almost wish I hadn't. I felt, and I still do, a little bit like the six year old whose precocious neighborhood best friend whispers, santa Claus isn't real. It's your mom and dad. In this case, Stephen Wolfram did not say that AI wasn't real. @ least he hasn't so far. In what little I've read, he simply clearly and directly explained, in the language of math and algorithms, exactly what the reality is. If we assume that Stephen knows of what he speaks, and I would not take a bet that he doesn't, all we have here is the wizard of Oz. As I've said, I've only just dipped my toe in since I first wanted to finish Peter Hamilton's Archimedes Engine novel. I did that this morning, and now my level of curiosity is far higher than it was because the engineer in me immediately knew how I would extend and expand upon the tiny bit that's been revealed to me so far. It will not and would not create intelligence. True intelligence, as far as I can see, is nowhere on any horizon. So I have no idea what Sam Altman is talking about. To me, more than anything else, it looks like no more than over hype of tomorrow's future for a higher stock price for his company today. But I can now affirm the plan I shared last week. I'm going to understand what's going on here, after which I'll be able to share what I've learned. I also realized that I've had my own journey on this topic. Everyone who listens to the podcast has seen it. The first time I talked about the AI revolution For the podcast, I believed that the only thing that was going on was that for the first time ever, we had computational and storage resources that were so vast that language could be used to simulate human like intelligence. I wrote that a truly intelligent species, meaning we humans, had produced a massive corpus of available online language output which had been sucked in, and that this new technology was simply finding the correct previously written bits and pieces and reassembling them on demand. Then I was seduced. I started actually using the damn thing and was repeatedly amazed and sometimes stunned by its output. And I began to doubt my earlier dismissal. Was there more to this than I originally believed? As I shared several times, I was finding this thing incredibly valuable as a sort of super Internet search engine. This evolution reached its apex with last week's ChatGPT conversation, where I informed it that it was wrong, it agreed with me, and then provided the correct answer. This seemed like more than regurgitation, and I was left wondering what exactly was going on. I needed to find out. So I purchased those first two AI textbooks and then Stephen Wolfram's Next week's podcast will be a best of and since TWIT's regular Tuesday and Wednesday podcasts fall on both major holidays and their eves, there will also be no new podcasts during the week between Christmas and New Year's. That means that nearly three weeks will pass between now and my production of the January 7th podcast. That's a long time for me to remain silent, so don't be too surprised if something during that hiatus. Sometime during that hiatus, you receive an email from me on the subject the Continuing Adventures of the wizard of Oz. It's now so easy for me to generate and send email to this podcast's nearly 14,000 email subscribers that I may feel the need to update those who've demonstrated their interest by subscribing. So if you're not already a subscriber and you would like to be kept in the loop over this unusually long holiday hiatus, it's easy. Just go to GRC.comemail, follow the prompts, and sign up to the weekly Security now podcast mailings and you may receive a little holiday present.

Leo Laporte (20:58)

You know, it strikes me that this is in many ways similar to it's been a long time. So we we may not remember it too well. The our reaction we first encountered powerful computing and then maybe secondarily the Internet, that on first blush it's like mind boggling. You mean that box of rocks can can do these things, you know, and I don't know what your first reaction, the first time you saw a computer or used a computer was. But for me, it was not just awe, but excitement. And I felt like, this is, you know, an un. This is going to be an unlimited vista. We're going to see before us and the Internet, very much the same thing. Wow, there's so many people here. This was in the early 90s when I first encountered it, and I feel like this is much of the same. And what happened with those first two is we kind of adjusted and indeed, there are real uses. It is really useful and powerful. It may be just not the magical thing we thought it was at first.

Steve Gibson (22:03)

I remember that computer. I remember the room it was in. I remember standing in front of it, and my reaction was, I am going to understand every bit of this thing.

Leo Laporte (22:19)

Having the same reaction to this.

Steve Gibson (22:21)

Well, it's been delayed because the world has gotten so much bigger. Yeah. You know, I guess I thought, I don't need to understand this. It'll be understood for me. But that's apparently not happening. You know, I mean, no, I'm not getting. Although I haven't really gone looking, but all I would get is other people's opinions. And I've never been a big. I've not had. Not. I've never had much interest in other people's opinions. I want to go to the. You know, others have said I work from first principles, and, you know, that's what's happening now. I'm going back to first principles. I'm going to, you know, finish Wolfram's book. I'm going to read these other two. I'm going to get this. I'm going to, you know, satisfy myself about what this is. But I do have a. I have a strong intuition that we will not get to AGI from where we are. I.

Leo Laporte (23:22)

That is a big change. By the way, I asked you this before. Yes. And you used to think that really there wasn't much that we do as humans that's so different from what a computing machine can do.

Steve Gibson (23:33)

Oh, I can't tell you how disappointing the first few pages of Wolfram's book were. It was like, it's kind of an.

Leo Laporte (23:40)

Eye opener, isn't it? Yeah.

Steve Gibson (23:41)

That's all this is.

Leo Laporte (23:42)

Yeah. It's just a stochastic probability machine. But there is something that happens in between the mechanics.

Steve Gibson (23:51)

I think it's because of language and the app.

Leo Laporte (23:54)

Maybe that's it.

Steve Gibson (23:55)

That's the hook, Leo. We get seduced by language. And that's very true. I think that's it. The Fact that and I mean when you see some of the output. I've got a screenshot later. Oh my God. There's, there's some manipulation going on behind the scenes to make this seem more, more intelligent, more human, more like as if it has emotions, you know. Oh golly gee. It says. Well who told it to what? You know. Yeah, yeah, come on.

Leo Laporte (24:27)

No, they're definitely doing that, aren't they?

Steve Gibson (24:29)

Yeah, yeah. And I can't wait. I think that, I think that's what's going on. Okay, so it turns out that just offering multi factor authentication doesn't automatically mean that it actually works to protect users logons this is the lesson that Summit Microsoft presumably learned recently. What happened the security research team this is just so clever. The security research team at Oasis Security discovered a critical vulnerability in Microsoft's multifactor authentication implementation. This is like what was protecting everybody using Azure stuff. They considered it critical and so would we since it allowed attackers to bypass the protections guaranteed by multifactor authentication to gain unauthorized access to user accounts, including Outlook, emails, OneDrive files, Teams, chats, Azure cloud, pretty much the works. Since Microsoft has amassed more than get this 400 million paid office 365 seats, this makes the consequences of this vulnerability significant. And what's more, the bypass was actually kind of simple. It took around an hour to execute, requiring no user interaction and never generated any notifications anywhere or provided the account holder whose account was being hacked with any indication that there was any trouble being good Internet citizens. After discovering the trouble, the the Oasis guys reported the flaw to Microsoft and collaborated with them to resolve it. There were two problems. The first was that the way Microsoft's authentication protocol bounces users around among various authentication applications and sites. And I'm sure we've all seen this right, if you watch the URL in your browser when you click on some authentication thing, you get jumped around, you see oauth briefly flash on the screen and other stuff happens. Your browser is being taken on a little journey and at each stage of that it's providing parameters and receiving parameters and scripts is running in the browser that then takes you somewhere else and sends some of those parameters back and gets some other ones. So there's a bunch of transactions happening and they're all analyzable by anyone who takes the time to look really closely. So this meant that by capturing those parameters being used during these early stages of the process, these researchers were able to then they discovered that they were able to launch at some point in this whole stream massive numbers of simultaneous six digit authentication guesses back to Microsoft in the hopes that one of them would succeed. In other words, it wasn't just wait till you get done and then here's your one guess. They looked at everything that was happening and realized that there was a stage during that where they could capture the dialogue that was happening between the remote authentication scheme and the browser and then simultaneously send a blizzard of guesses from that point forward. In other words, Microsoft's implementation of multifactor authentication was not protecting its users from clever brute force guessing. Now, that's the first problem when using time based multifactor authentication. And you made a point of mentioning this once, Leo. I remember talking about it like when the six digit code expires, you noted that, well, it actually could still be used a little bit longer, right? When using time based multi factor authentication, clock differences, human typing delays and network delays are allowed for between the authenticator and the relying party by not instantly, deliberately not instantly expiring a valid six digit code, the instant its 30 second window of validity has ended. Now this is common and it makes for a better user experience, right? Because if you like, or if you're entering the code just before the end of that 30 second expiration and then you fumble a bit before you hit enter or click on the mouse and then it's like if you're then told, sorry, that's no good, you got to do it again, well, that's annoying. So it makes sense. And somebody's clock could be a little off, meaning that their 30 second windows are not exactly aligned with the 30 second windows at the receiving end. So it's common to allow some leeway. Now the downside of this is a reduction in the security of the system since even app. What this means is that even after a new six digit code has been issued, the previous code still remains valid. So for a brief time, two codes are valid. In Microsoft's case, and I know that this may be somewhat difficult to believe from the company upon which so much depends, Azure's MFA system was leaving codes valid for a full 3 minutes. Now this is one of those things that's not an accident or a bug. Someone somewhere decided that this would be a good idea. This meant that at any given time, six different codes would be accepted and valid. Naturally, this made the brute force guessing, which was possible by intercepting the protocol at that pre completion state and launching a massive blizzard of simultaneous guesses. This made brute force guessing all the more easier. Okay, so finally, there was no rate limit imposed upon guessing at any point, nothing. I mean, thousands and thousands and thousands of guesses were being simultaneously made without end and nobody cared. Over at Microsoft, the researchers wrote, quote, by rapidly creating new sessions and enumerating codes, the OASIS research team demonstrated a very high rate of attempts that would quickly exhaust the total number of options for a six digit code, meaning 1 million. Simply put, they wrote, one could execute many attempts simultaneously. During this period, account owners did not receive any alert about the massive number of failed attempts to log into their account. Like, well, something's happening out there, but. And they said, making this vulnerability and attack technique dangerously low profile when you couple the ability to analyze the early stages of authentication in order to then be able to launch thousands of simultaneous overlapping guesses with a limit of 10 wrong guesses per connection, but no limit on the number of simultaneous connections or reconnections. So like, after a connection tries to guess, does, does 10 guesses and is told no, you drop it and you reconnect and you try another 10 and you can have that happening in parallel thousands times over, they say, with a limit of 10 wrong guesses per connection, but no limit on the number of simultaneous connections, with the fact that at any one time there will be 6 valid answers, even 1 million possible 6 digit combinations will be insufficient protection. Now, their research paper that they wrote provides their chart of the time required for the attack versus the probability of its success. And you couldn't design just a more beautiful asymptotic curve. The Dark Reading website covered this news with their heading, researchers crack Microsoft Azure MFA in an hour. Now, as we can see from the lovely statistical chart, the 5050 crack point occurs after around 70 minutes of attack. So what that means is given only 70 minutes, there's a 50% chance that one of the six currently valid codes at all times during those 60 minutes, because they're all changing constantly, right? There's a 50% chance that in 70 minutes, one of the six currently valid codes at the time of one of the guesses will be discovered simply by randomly guessing them at the very high rate that Microsoft's errant design allowed. And if we follow the chart out to its end on the right, it appears that an attack lasting 300 minutes or five hours, which Microsoft had no problem allowing, would reach about a 95% success rate. Again, you know, we're guessing, it's all stochastic. So, you know, it's, you know, do you happen to guess right? It's like back in the early days when that computer I left running overnight happened to guess the Proper hash and I got 50 bitcoin going to talk about that unending misery.

Leo Laporte (35:21)

Let me see what it would be worth right about Leo.

Steve Gibson (35:25)

We're north of 100,000 now, aren't we?

Leo Laporte (35:27)

Yeah, 106. So yeah.

Steve Gibson (35:29)

Wow.

Leo Laporte (35:29)

Just let make it 100,000. So that'd be $5 million.

Steve Gibson (35:33)

Installed windows over that drive. That was the most expensive installation of windows of my life. People said, oh, this might be still there. It's like no. When no Windows desktop is there now. Thank you very much anyway. But as we've also said, I would not have had the wisdom to hold.

Leo Laporte (35:56)

You would have sold it.

Steve Gibson (35:57)

Yeah, yeah. There was a point where it was where I could have cashed out for 17 grand and I would have thought.

Leo Laporte (36:02)

Hell yeah, I'll take it. Yes, exactly.

Steve Gibson (36:05)

Anyway, until these Good Samaritan researchers informed Microsoft of there of the Microsoft's flawed multifactor authentication system, Azure's MFA was not providing much actual practical protection. The research conf. The researchers confirmed that Microsoft had addressed their concerns. They finished by writing. While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts. The strict limit lasts around half a day. Now, I would feel more comfortable if six different codes were not all simultaneously valid since that does seem excessive. Waiting, you know, giving someone six minutes, wait three minutes, sorry, three minutes. The researchers did not indicate whether that might have been reduced. Of course, it would be easy enough for our listeners to probe, you know, to see how long a code is still honored after it should have been expired. But, you know, adding a strict rate limit on failed attempts does make total sense. There's no possible reason for any actual user to fumble these codes more than a couple times, as I'm sure we all have. So anyway, nice that, you know, we've got, you know, these kinds of good Samaritan security researchers who are helping to catch other people's mistakes and Leo, we're at 30 minutes in. I think we should tell our listeners why we're still here on the air and then we're going to look at whether TPM is now not required for Windows 11 after all.

Leo Laporte (37:53)

Never a mistake to do an ad break, in my humble opinion. Steve, our show today, brought to you by those folks at 1Password. I know you know 1Password, but this is more than the 1Password that you know. This is a new thing from 1Password called extended access Management. Now let me explain why you need this. I can, I can explain it with a question. Do Your end users always work on company owned devices. Do they always use IT approved apps? No, they use their own phones, they bring in their own laptops, they've got a copy of the Plex server running on it. So how do you keep all of your company's data safe when it's on all those unmanaged apps and devices? Well, 1Password has an answer to this question. This is Extended Access Management. It's really protection for the way we work these days. 1Password Extended Access Management helps you secure every sign in for every app on every device because it solves the problems traditional IAM like password managers and MDM can't touch. Imagine your company security like the quadrangle of a college campus. You know you, you can see it in your mind's eye, right? Those beautiful ivy covered brick buildings, the lovely green grass and leading from building to building, those twisting nice brick paths. Those are the company owned devices, the IT approved apps, the managed employee identities on your network. But. And you've seen it on every college campus, certainly everyone I've been to. There are also the paths people actually use. Not nicely paved, not brick. They're the shortcuts worn through the grass. The actual straightest line from Econ 101 to Physics 19, right? The, the muddy paths, those are the unmanaged devices, the shadow IT apps, the non employee entities like contractors on your network. The problem is most security tools just work on those nice happy little brick paths. Most security problems take place on the shortcuts. 1Password Extended Access Management is the first security solution that brings all these unmanaged devices, these apps and identities, these if you will, muddy little paths under your control. It ensures every user credential is strong and protected. Every device is known and healthy, every app is visible. It's security for the way we really work, really honestly work today. And it's now generally available to companies that use Okta or Microsoft Entra and they're now in beta for Google Workspace customers. So if you're an Okta Entra or Workspace customer, you really ought to check out 1Password.com Security Now. It adds the extra security you need. That's 1ps WD 1Password.com Security Now. We thank him so much for support and security now and we thank you for supporting security now by using that address so that they know you saw it here. 1Password.com Security Now I'm fascinated to know, did Microsoft back down on this? Steve?

Steve Gibson (41:12)

Okay, so tech powerups headline read Microsoft loosens Windows 11 install requirements. TPM 2.0 not needed anymore and Guru3D reported this under their headline Microsoft drops mandatory TPM 2.0 requirements for Windows 11 upgrade now possible without it following up on their headline, Tech PowerUp began their reporting by writing Microsoft has finally opened the iron gate guarding the Windows 11 upgrade for systems running incompatible hardware, including systems lacking TPM 2.0. This is excellent news for users who are rocking older systems or have been without the TPM 2.0 module in their system but want to upgrade to the newer OS release. Microsoft opened an official support page noting that quote, installing Windows 11 on a device that doesn't meet Windows 11 minimum system requirements isn't recommended. If Windows 11 is installed on ineligible hardware, you should be comfortable assuming the risk of running into compatibility issues. A device might malfunction due to these compatibility or other issues. Anything could happen.

Leo Laporte (42:34)

Anything.

Steve Gibson (42:35)

Windows might have a bug.

Leo Laporte (42:36)

Leo, what could possibly go wrong?

Steve Gibson (42:39)

They said devices that don't meet these system requirements are not guaranteed to receive updates, but limit including but not limited to security updates.

Leo Laporte (42:50)

By the way, this reminds me of the pictures of the week with those iron gates and then the muddy paths around the iron gates. This is exactly. It's not the first time we've heard this either. I mean, they've said this before right now.

Steve Gibson (43:04)

This would obviously be very interesting if it were to be true, and I was hoping it was, since I would have welcomed having my rant about this last week rendered invalid due to a policy change. But as we know, I would think that was the right policy change. But it appears that nothing has actually changed. What appears to have happened is that Microsoft has formally acknowledged that it is possible to install Windows 11 around their one time installation check for TPM 2.0. So they're making the, you know, they're making the consequence of doing that more clear. It's still puzzling that Windows 11 works just fine with TPM 1.2, even though Microsoft is clearly hoping to frighten most users into purchasing newer hardware. What I'm looking forward to eventually learning, just for the record, is whether and what side effects, if any, or compatibility issues, if any, might actually be encountered. And I'm sure we'll eventually learn that, since I have no doubt that many TPM 1.2 machines will be running Windows 11. One thing we do know will happen is that Microsoft will not automatically offer successive feature releases. You know, those. What are they now? Twice a year or once a year anyway, those things, you know, they. The something or other h somethings. They will not automatically offer those to these machines it will be necessary for users to grab the ISO image file in order for the next feature release in order to move forward. Now, some users might feel that's a benefit. It might mean they don't need to use Incontrol, my little freeware utility, to prevent that same thing from happening without their permission. Also, the PC health check will always say that the system does not support Windows 11, even while it's running the health check from within Windows 11. You know, it's like, okay, Microsoft. In any event, users who wish to follow the bouncing ball will need to mount the newer release ISO file and then just run its setup EXE in order to manually update their machines to successive feature releases of Windows 11 if they choose to. And I can see that that would make sense for many listeners. And I doubt there will actually be, you know, nothing is going to crumble or fail to work or be incompatible or any of that nonsense, you know, Microsoft, you know, patching 100 critical errors every month in Windows. So it's not like there's, you know, they've got any extra incompatibility to spare. But again, I just wanted to let our listeners know nothing changed. Actually, it's, you know, and, and it does appear that using Rufus, hopefully everybody knows about Rufus. It's a wonderful prep tool that is able to take a Windows ISO and create a boot USB from it. And it now has clickable options to bypass the TPM 2.0 check. So it's getting ever easier to install Windows 11 on non compliant hardware. The FBI has identified 14 North Koreans who were working in Western IT. The US Justice Department recently indicted these 14 North Korean nationals who participated in the schemes we've been talking about several times recently to bypass international sanctions on North Korea by arranging to obtain IT employment with Western companies. Officials say the workers used false identities and laptop farms, which we've described happening in the past, to hide their true locations from companies that were foreign to them, local to us, sometimes working for multiple companies at the same time. And then, Leo, as you did, when I saw how much money they had earned in aggregate, my first reaction was, whoa, what are we paying these guys? But then it turned out that it wasn't all salaried earnings. Yes, they generated money through the salaries they earned, but also by stealing data and extorting the companies that had hired and trusted them. The 14 men that have been identified are believed to have generated at least $88 million over the past six years for the North Korean regime. The State Department has also put up a $5 million reward for any information on those 14 individuals and any similar schemes. And I have here in the show notes a picture of the 14, which has been made public. This big banner across the top, wanted by the FBI. And it shows us the DPRK IT workers. You know, they mostly look like regular nice guys who. Who anyone might interview and hire. But of course, being located in North Korea would be a buzzkill for the employment interview.

Leo Laporte (48:52)

To be. To be fair though, these guys, it wasn't a hacking thing. They were just trying to make some money.

Steve Gibson (49:01)

Right.

Leo Laporte (49:01)

And if they did a good job, then the companies involved haven't really been harmed. It just violates the US Law against providing, you know, currency to North Korea.

Steve Gibson (49:12)

Well, except that the reason that amount was so high is that they stole the company's data that had hired them and then extorted the company.

Leo Laporte (49:20)

It wasn't their salaries.

Steve Gibson (49:22)

No.

Leo Laporte (49:22)

Oh, never mind. Yes, I take it back. You know what, I thought they were just earning that much, but I guess you're right. For the 14 guys to earn 88 million, that's a little more than normal.

Steve Gibson (49:34)

Yeah.

Leo Laporte (49:34)

Okay.

Steve Gibson (49:34)

Yeah, you don't want one of these creepy crawlers crawling around your network. But look at them. They look like. Like, you know, I'd hire the little. Most of those guys, you know, they look smart and so forth, but I think an in person meeting would be required. Yeah, we'll just do this via Zoom and believe that you're actually in, you know, Oregon somewhere.

Leo Laporte (49:58)

I wonder if they. If they say, okay, we're gonna let you get a Western haircut for this job interview. Because they don't have those typical North Korean fades. Maybe that's just Kim Jong Un that does.

Steve Gibson (50:11)

Kim Cho Chung Pom Haiyan Choi Song Song Eun Choi Sak Kwang Hawk.

Leo Laporte (50:19)

Yeah, they actually, they're. They're Korean names. Right. And that's the thing. You can't. I mean, is it. There's no real distinction between North Korea and South Korea. Korea. You know, technically. Right.

Steve Gibson (50:28)

Yeah. And they just, you know, look like your typical computer IT guy.

Leo Laporte (50:32)

IT guy. Yeah.

Steve Gibson (50:34)

Okay, so last Wednesday, Google announced some new features in Android to help its users deal with unwanted Bluetooth tracking. We did deep dives into, you know, find my. Whatever it was dongle on iOS some time ago and really took apart the whole. This way, the whole tracker system works. Android's unknown tracker alerts automatically notify Android users when an unfamiliar Bluetooth tracker is moving with them. Which when we talked about this before, I thought was just very cool. So Google wrote as Part of our ongoing commitment to safety, we've made technology improvements to bring you alerts faster and more often. We're also rolling out two new features for Find My Device compatible tags. First is temporary pause of location. They said you can now temporarily pause location updates from your phone to prevent your device's location from being used by a detected unknown tag for up to a day, 24 hours. They said this provides an extra layer of privacy and control, allowing you to take a first action quickly while you locate and physically disable the tag. In other words, you know, your phone disappears. Then you go on a hunt. And to that end they have Find Nearby is the other feature. They said if you receive an unknown tracker alert, you can now use the Find Nearby feature to pinpoint the tag's location. Your Android device will guide you to the tag to help you find it if it's hidden.

Leo Laporte (52:20)

That goes a little bit beyond what Apple does. I think that's a good idea.

Steve Gibson (52:23)

That's. I, I really, I like that Find Nearby feature. It's like, oh, so you think you're tracking me? I'm going to track you. So very cool. Okay. There are four primary open source software repositories. Though, you know, calling it the top four doesn't really do NPM justice because there's really no comparison. NPM, PI PI, NuGet and Maven Central. Last week, the Fulton, Maryland based DevSecOps firm Sonatype, we've referred to them in the past, they've done great work. Recently released their 2024 open source malware threat report, citing that malicious packages reached more than, get this, 778,500 instances since the company began tracking them in 2019. So in just five years, more than three quarters of a million instances of of malware in software repositories. They wrote that in recent years, open source malware has proliferated. So it's on the rise. It's not like we're successfully combating it. Sonotype researchers analyzed open Source malware in 2024, diving into how threat actors use malicious open source packages to target developers. As enterprises are flocking to open source, get this. To build custom AI models, you know, everyone wants in on the frenzy. So turns out that there's a lot of stuff going on in open source. And this is the new way in. I got a chart that shows the relative instances of malware that have been found across those three packages. NPM, Pypy, NuGet and Maven Central. And as I said, NPM is really the repository you want to be very careful about. The chart shows that by far most supply chain malware is found on npm. Well, that's where as I mentioned at the top of the show, more than 540,000 malicious libraries have been found. Last year alone malicious NPM code accounted for 98% of all sonatypes detections across this industry. So I say to our listeners who code and who pull libraries from NPM and for that matter Pypy and the others, please be very very careful. Open source we everybody agrees is that just an incredibly cool concept, A fantastic resource, but it's also something of a mixed blessing. The whole concept of open contributions from a community, you know, wonderful as it is in theory presumes a community of well meaning participants. Unfortunately, it's clear that's not today's reality. Just look at the previous story of the 14 North Koreans who made $88 million by by attacking the companies who they tricked into hiring them. You know, you need to be careful these days. A bit of miscellany. I have two pieces of miscellaneous Leo you like I who have been around the industry from the start and others of our listeners will recognize recognize names like Will Fasty, Ben Myers, Fred Lange, Brian Livingston, Susan Bradley. You know all these people go back to the start of all of this. You know back in 97, Frang Fred Lange started the Langa List newsletter. Woody Leonard the year later in 98 started his Woody's Windows Watch.

Leo Laporte (56:45)

This chronology just brings me back, boy, doesn't it?

Steve Gibson (56:49)

Gosh, that was our youth.

Leo Laporte (56:52)

But it wasn't even that long ago. But it's like it's ages.

Steve Gibson (56:55)

Yeah, it does, doesn't it? Yeah, yeah. Brian Livingston in 2003 starts Brian's buzz on Windows. The next year in 04, he merged Brian's Buzz and Woody's Windows Watch to create the Windows Secrets newsletter. And then in the same year, Woody started AskWoody.com to broadcast the news and advice on Windows and Office. Then the year after that in 05, Susan Bradley started the Patch Watch column in Windows Secrets. In the Next year in 06, Fred's Langalist merged with Windows Secrets. Two years later in 08, Gizmo Richards support Alert newsletter merged into Windows Secrets. So we are, we are, you know, we're seeing evolution and consolidation. In 09, Windows Secrets takes the Woody's Lounge website under its wing, becoming the Windows Secrets Lounge. And now then we jump ahead a decade to 2019. Ask Woody became, had become at some point an LLC. It acquired the Windows Secrets newsletter, merging The Windows Secrets Lounge into the Ask Woody Lounge and creating the Ask Woody plus newsletter. Next year, Woody Leonard retired to a tropical location.

Leo Laporte (58:15)

So that was smart man.

Steve Gibson (58:17)

Four years ago. Yes, Susan Bradley took over, took the mantle of the site and, and welcomes Brian Livingston back along with fred Langa, Deanna McElveen. Yeah, McElveen and the rest of the Woody contributors to continue the tech information that they've provided over the years. And Will Fasty is named the editor in chief. So today what we have is a collection of long time old school print era journalists who've watched and reported on our beloved PC industry from the start. You know, and you know, as you said, Leo, it just feels like a walk down memory lane. You and I were involved in all of this and know all these people. Today there's the AskWoody.com website which is chock full of all of this repository of material and they have a pair of newsletters, one that's completely free and another that's available for a very modest annual donation which supports their work. What strikes me most about everything there, aside from the fact that it looks a little retro like my own site.

Leo Laporte (59:36)

I bet it does.

Steve Gibson (59:36)

So I can relate to it.

Leo Laporte (59:39)

Oh yeah, it's got that, you know where you are when you get there.

Steve Gibson (59:43)

Uhhuh.

Leo Laporte (59:43)

Yeah, it's got that feel, that 1998 feel.

Steve Gibson (59:47)

Wow. Exactly.

Leo Laporte (59:49)

I love it.

Steve Gibson (59:49)

And it's cool that they like, they maintain an Ms. DEFCON level like, like, like not really recommending that everyone immediately apply the updates and, and the various.

Leo Laporte (60:02)

We're at DEFCON 2 right now, just so you know. Wow.

Steve Gibson (60:08)

Yeah, so it's, it's old school. They, they said at the bottom of their, at the bottom of their about page they said we are 100% supported by readers like you. No advertising, no corporate master, no spying, no spam, they said just us chickens and a whole lot of volunteers. If you believe in our approach, please consider becoming a plus member. You get to choose how much you want to donate. Click the plus membership button in the top banner for complete details. You know, and what strikes me most about everything there is that it's not the crap that we now see everywhere we turn. Because you know, these are not newbies by any means. I mean, it'll be sad to see the numbers dwindle because there are peers, Leo. Yeah, you know, you know, these are real honest to God journalists.

Leo Laporte (61:04)

It's kind of the same as the Voyager people. Only on PCs, right?

Steve Gibson (61:09)

Only in our industry.

Leo Laporte (61:10)

We're going to keep these PCs going as long as we can.

Steve Gibson (61:15)

You know, and these are honest to God journalists who've been actively participating in this industry for decades and who bring the same sort of perspective to their respective focuses and fields. You know, which followers of Twit and this podcast appear to find valuable from you and me, Leo, you know, and all of our other veteran hosts here. So I wanted to remind those who may be interested in a website an email subscription, where it's possible to still find very solid content. I'm mentioning all this because last month I received a note through GRC's web forum from Will Fasty, now the editor in Chief of Woody's Stuff. It caught my attention because Will is another of those old timers who at various times was running Creative Computing, PC Tech Journal, and various other Ziff Davis publications. So much time had passed that Will didn't know how to find me through email, so he reached out through our web forum. In that posting he noted he said, I'm now editor of the Ask Woody newsletter. And then once we connected by email, he wrote steve, I was very excited to hear about 6.1 and I'm currently looking forward to 7.0, for which I will gladly pay Reviews are rare for Ask Woody, but I thought spinrite deserved coverage. I assigned it to another old hand, Ben Myers, who wrote for me at PC Tech and also for PC Mag and PC Week, among others. He usually focuses on unusual hardware stuff and his columns are appreciated. So the Ask Woody plus newsletter publishes on Mondays, and yesterday's newsletter carried an extremely thorough look and review of Spinrite 6.1. Ben's column in the newsletter is titled Spinrite 61 offers us help for solid state drives, and Ben starts out by writing the latest version of spinrite, long regarded as the Go to software to recover data from corrupted hard drives. Adds testing and tuning of solid state drives to hard drive rescue Gibson Research's famous Spinrite 6.0 circa 2004 recovers data from defective hard drives, repeatedly reading sectors to determine the original uncorrupted data with good statistical odds of success. So since Ben's entire column and lengthy review is only published in their Subscriber Supported plus newsletter, I won't share more. But I am unable to resist just sharing the before and after benchmark screenshots Ben made of an ssd they're in the show notes on the left we see a Samsung 850 EVO 250Gig SSD and Spinrite as we know benchmarks three locations on drives, the beginning of the drive, the middle of the drive and the end of the drive. So on an SSD where we would like and expect being solid state that they would all be the same. The front of the drive in Ben's testing was reading at 72.3 megabytes per second, the middle 296.3 megabytes per second and the end 569.2. So 72, 296, 569. Anything but uniform. And again, the front of the SSD which is only ever read from because that's where the operating system and the file system metadata and everything that doesn't move much, that's where it's stored. Over time it slows down. That was our big discovery toward the beginning of the Spinright 61 work. And then we have the after screen which Ben also posted. Same drive, same serial Number, blah blah blah, 5485 or 548.95, 49.5, 549.6 completely sped up uniform performance across the board again. So Anyway, the other Spinrite screens that Ben shared in his review showed that Spinrite's Level 3 scan to restore this SSD's original performance took 30 minutes. This is the sort of performance boost, as I've said, that users of Spinrite61 routinely see and we continually hear that machines which had somehow become slow to boot and much slower to use were immediately restored to their original performance. So I just wanted to give a big shout out and thank you to Ben and Will for taking the interest in and time to update their readers about Spinrite. Will said that they're ready and waiting for Spinrite 7. I should also note that I learned about Monday's review. That is what I just talked about from a bunch of our listeners who are subscribers to their plus newsletter. Anyway, a great deal of valuable and thoughtfully created and curated content is online over@the askwoody.com website, which by the way, as I said, has the same sort of feel. You know, that retro function over feel that or a function over form that GRC does. The second bit of miscellany is a big thanks to all of our many listeners who shared their wide ranging solutions for interconnecting smartphones to Windows or one way or the other, saving me from having to type on a touchscreen when I want to send a long imessage. Now many were for Android phones or many were for linking to Linux, which is not what I needed. You know, I needed an iPhone on one end because that's what I got and Windows on the other because that's what I'm sitting in front of from this feedback. As I mentioned last week I learned of Windows Phone Link, which was the solution. I now have it working in virtual machines for the time being under both Windows 10 and Windows 11 and it is everything I had hoped for. I put a little screenshot that I that I got from I think it was Windows 11 showing the laptop in the background and a phone in the foreground with a checkmark and it says you're all set. Your iPhone is now paired with your PC. So anyway, I did need to equip both the machines with a Bluetooth low energy radio because you need, you know, BTLE in order to talk to the phones in a compatible fashion. But you know, but that's now a $9 USB dongle. So it was well worth the time and trouble and it actually does work. It is very cool. So thank you all of our listeners who brought me up to speed on that. And Leo, before we start digging into feedback, let's take our third break and then we're going to entertain some terrific stuff from our.

Leo Laporte (68:53)

I have some too, by the way, from a listener who posted this on our YouTube comments. So cool. If you want, I'll read it during that section. It's just a very nice, very nice thoughts. Cool. From our wonderful listeners.

Steve Gibson (69:08)

I'm embarrassed kind of by those. So I don't.

Leo Laporte (69:11)

I know you don't. I'm gonna, I'm gonna do it to you though, so it's okay. You're off the hook. Our show today, brought to you by the DSPM solution of choice for every business, big or small. Big ID the leading data security posture management. That's what DSPM is. Solution DSPM solution Big ideas the first and the only DSPM solution to uncover dark data, identify and manage risk, remediate and by the way, remediate the way you want. It doesn't tell you what to do, you tell it what to do and scales your data security strategy through unmatched data source coverage. Big ID and this is really important nowadays, even more so because we're training AI on our data. We want to make sure a we get to all the data that's useful and b we don't accidentally exfiltrate data that we need to keep private. Right. Big ID seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflow flows. You could take action on data risks. You could choose from, annotate, delete, quarantine and more based on the data, all while maintaining an audit trail. Really nice for compliance partners for big ID. Well, they're numerous, but they include ServiceNow, Palo Alto Networks, Microsoft, of course, Google AWS, and on and on and on. So it's pretty much guaranteed to work with your tech stack. With Big ID's advanced AI models, you can reduce risk and accelerate time to insight, plus gain visibility and control over all your data. If you think about it, every company has dark data data that's hidden away. It's on a floppy somewhere or a zip disk or, or it's, you know, in the cloud. But no one probably has more dark data than the United States Army. They turned to Big ID to illuminate dark data to accelerate cloud migration, which has been a mandate from the DoD to minimize redundancy. Why keep several copies of the same thing? And to Automate data retention. U.S. army Training and Doctrine Command. I mean, if these guys can use it, anybody can use it, right? This is what they say. This is a direct quote from the U. Believe it or not, from the U.S. army Training and Doctrine Command quote. The first wow moment with Big ID came with just being able to have that single interface that inventories a variety of data holdings, including structured and unstructured Data across emails, zip files, SharePoint databases and more. To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings us together like Big ID does. End quote. CNBC recognized Big ID as one of the top 25 startups for the enterprise. They were named to the Inc 5000, the Deloitte 500, two years in a row. And they are the leading modern data security vendor in the market today. The publisher of Cyber Defense magazine says quote, Big ID embodies three major features we judges look for to become winners. Understanding tomorrow's threats today, providing a cost effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach. I think you might be interested in this, right? Start protecting your sensitive data wherever your data lives. @bigid.com securitynow you can go to the website right now, get a free Demo, see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. As I mentioned, this is part of it, right? Bigid.com b I g I d b I g I d.com Security Now. And speaking of AI, there's a. They have many reports at the website, but there's a new one. It's Free, by the way, that provides valuable insights and key trends on AI adoption challenges and the overall impact of generative AI across organizations. You can get it free right now. Bigid.com security now. We thank him so much for the support of Security now and the work Steve does on the show. And you support us when you go to that address so they know you saw it here. BigID.com security now.

Steve Gibson (73:32)

Steve, so what did you find on YouTube?

Leo Laporte (73:36)

I will read it to you. Actually Burke found it and posted it in our company Slack so that we could all share it and I will read it to you right now. I don't know if it has a name. Yeah, it's from Chad. He's a HAM amateur radio operator. I know that because he signs at 73. Thank you Stephen and Leo for Security Now. I was always interested in tech. This is one of the reasons I want you to hear it because it's. The story is great and I listened to the show diligently since the beginning of Security now as a 14 year old riding around on my parents lawn tractor on the farm. It's really noisy and if you could put on headphones and listen to a great podcast, it takes the sting out of it. I didn't embrace my knowledge gained gleaned from the podcast until 2019. So he's a young guy, he got a job in IT with his provincial health authority. My success is purely because of Steve. I was humbled to sit in on a live taping of the show in the brick house 10 years ago and to meet Leo who I watched on satellite doing Call for Help and the screensavers. It was an absolute privilege. Thank you both for everything. You've touched the lives of so many and I'm so thankful for all you do and have done. Seven three from Chad. Thank you Chad.

Steve Gibson (74:51)

Great.

Leo Laporte (74:51)

Seven three back.

Steve Gibson (74:52)

And he's a good writer too. Yeah.

Leo Laporte (74:54)

And you know the only reason I agree it's a little self congratulatory but it's good for us to remember first of all, we've been doing this for almost 20 years and we've influenced a lot of people. A lot of people have careers in it or are just using technology more effectively because of you, Steve.

Steve Gibson (75:10)

Well, I hear it all the time that it like was their inspiration.

Leo Laporte (75:15)

Exactly.

Steve Gibson (75:16)

So that's. We know remember that that it's not like it. I. We led them down a blind alley. I mean this is I guess not more and more important today.

Leo Laporte (75:24)

We didn't teach him buggy repair. No, no. They're learning Something valuable here.

Steve Gibson (75:28)

Exactly.

Leo Laporte (75:29)

Yeah. All right, on with your feedback.

Steve Gibson (75:31)

Okay, so Liam lynch wrote. Hi, Steve, longtime listener, SL watcher, and I met you briefly at the Squirrel event in Dublin on SN1004. I still can't get over these four digit podcast numbers. It's like, whoa. You talked about your logo now being approved for beme. I use ProtonMail for my personal mail and use their desktop app for accessing it. I've seen your logo show up beside your email for months now. In fact, all of the old security now emails seem to have the logo going way back. And then he provided a snapshot of like 20 different podcast banners, all with the Ruby G, the GRC Ruby G. He said, I suspect Proton had been getting your logo from somewhere else. All the best, Liam. Okay, so I'm, I'm sure We know where ProtonMail has been getting GRC's Ruby G logo, which is directly from GRC.com Nearly all websites place so called favicons or fave icons at well known URLs on their site's root directory. The original was simply called Favicon F A V I C O N I C O. This made me a bit curious about the timing of, like when this began. Was it, you know, back with Mozilla and Netscape 4, or what? So I turned to Wikipedia for a bit of background. They said a fav icon, short for favorite icon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, in in other words, sort of enumerating all the places you might see. It is a file containing one or more small icons associated with a particular website or web page. A web designer can create such an icon and load it to a website or web page, and graphical web browsers will then make use of it. Browsers that provide fave icon support typically display a page's fave icon in the browser's address bar, sometimes in the history as well, and next to the page's name in a list of bookmarks. Browsers that support a tabbed document interface typically show a page's favicon next to the page's title on the tab. And site specific browsers use the fav icon as a desktop icon. In March 1999, Microsoft released Internet Explorer 5, which supported favicons for the first time. Originally, the favicon was a file called Favicon ICO placed in the root directory of a website. It was used in IE's favorites bookmarks and next to the URL in the address bar. If the page was bookmarked. A side effect was that the number of visitors who had bookmarked the page could be estimated by the requests of the fav icon file, which I never thought of that before. That's sort of interesting. This side effect no longer works as all modern browsers load the fave icon file to display in their web address bar, regardless of whether the site is bookmarked or not. So Wikipedia then goes on to talk about the gradual standardization of the use of these small iconic images and shows a table of which browsers support icons in which formats. All of the browsers, meaning Edge, Firefox, Chrome, IE, Opera and Safari, now support ico.png and GIF Image formats. Additionally, Firefox and Opera alone support animated GIF or GIF icons and all, but IE also support JPEG and scalable vector graphics SVG formats. To Liam's point, since an email client such as ProtonMail can see the Internet domain name reflected in an email's from address, clients can opportunistically check the root of the web domain for a fav icon in any format and may choose, as ProtonMail obviously does, to show that domain's icon to its users.

Leo Laporte (80:07)

Here's the favicon, according to my browser of GRC Note, by the way, Woody also has his own as a favicon. In fact, so does. So does my website. Most websites will give you an opportunity to put in a favicon.

Steve Gibson (80:23)

Absolutely. You just don't want some generic thing on the right in the bookmark everywhere. Yeah, but of course, this does also confuse things, right? Because be me is supposed to be this, you know, great, super authenticated. Remember, I had to wave my hand around in front of my face in order to say, no, it's really me. Look, here's my driver's license, you know, and I got the same thing after all this work that Liam already has in Proton mail. So good luck, be me. But at least, you know, at least.

Leo Laporte (80:58)

There'S another solution that some email clients support called Gravatar. Are you familiar with Gravatar, which I think is for globally reliable avatars or something like that.

Steve Gibson (81:09)

Right. And you're able to like, post that at a Gravatar site and some clients.

Leo Laporte (81:13)

Will look it up.

Steve Gibson (81:14)

Yeah, we'll retrieve it from there.

Leo Laporte (81:16)

Yeah.

Steve Gibson (81:16)

And there you are at age 15.

Leo Laporte (81:19)

No, that's recent. Sort of. That's only 15 years ago.

Steve Gibson (81:23)

Yeah. Okay.

Leo Laporte (81:26)

I probably should update that, shouldn't I?

Steve Gibson (81:31)

Philip Larich said. Hi, Steve, I must take issue with a point in your discussion of authenticators. And he quotes me quote the presumption this is from last week or yeah, the presumption is that it's exceedingly difficult for any bad guys to get into either of the user's authentication stores. The first or the second factors, because we never see that happen, unquote. And then Philip continues really? This guy lost £21,000 after, you know, currency after his unlocked phone was snatched from his hand. And he's not alone apparently. Then he has a link to BBC.co.uk with it with some a news article he said looking forward to beyond recall could be the best thing you'll ever do for the planet. E waste and carbon footprint of unnecessary overproduction are at scandalous levels. Philip and then he says Perenn's 1004 episodes listened so okay, I appreciate Phillip's example of a way yes, someone could indeed lose control over their local authenticator. It's certainly true that if a bad guy were to snatch an unlocked phone from a victim's grasp, they could do a massive amount of damage to that user's various accounts at the same time. Since re authenticating with a biometric is so quick and painless, I have my smartphone authenticator set up to require per use reauthentication. So even there, my unlocked iPhone would be less useful than a bad guy might hope. That said, though, I hope everyone understood that the attack model we were discussing last week was entirely network based. If bad guys can access the physical hardware at either end of secure communications, there is no end to end anything since an end has been compromised. Michael Cassavant said hi Steve, I too take issue with the use of human pronouns when we are describing our interactions with modern AI tools. On a personal level, it certainly feels wrong. However, if and when a conscious AI is developed, I would imagine the AI would not want to be referred to as our. You know, referred to using our human pronouns, nor would it be an accessible or an acceptable substitute, he says. Additionally, it's unlikely AIs would reproduce in the same fashion as ourselves. I strongly hope not. So having two pronouns seems redundant. I propose a singular pronoun to go along with the short h prefixed human pronouns him and her. We should refer to AIs with the new pronoun hall with many thanks and tongue in cheek, Michael. So anyway, I appreciated Michael's fun with this, though I believe I'll be sticking with it for the foreseeable future. I'm sure we've all seen pop up software dialogue boxes on clearly non sentient programs which refer to Themselves as I, you know, the. But the dialogue says I'm unable to save the file to that location.

Leo Laporte (85:27)

Well, to be fair, so did Hal. I'm sorry, Dave, I can't do that.

Steve Gibson (85:33)

But Hal was.

Leo Laporte (85:34)

Said he was an eye.

Steve Gibson (85:35)

Yeah, I mean he, I mean he had emotional, like a nervous breakdown. Problems. Yeah, yeah, he, I, I would argue that he earned that pronoun. But you know this, I'm unable to save a father file to that location. You know, that always strikes me as icky because there's no I there. I've never understood why I could or just couldn't write. The file cannot be saved to that location. Anyway, it seems gratuitous to see today's AI using personal pronouns to refer to itself. You know, doing so. You know, it just isn't natural. And I think I would, I would term that the Oz deception. So.

Leo Laporte (86:19)

Ah, yes.

Steve Gibson (86:20)

And to that Matthew Zi, he said, my buddy and I have been using and learning Chat GPT this year. Here's a screenshot of a chat he had where it made a mistake and he asked it about it and. Good, I'm glad you put that up because there is, I'm going to try to describe, I'm going to describe this and what this says, but the intonation is in some of the text that's hard to create. So the beginning of this snippet of the dialogue we see and this is it replying it. ChatGPT says, and we're just picking up in the middle of this. If after these steps you're still facing issues, it might be worth reaching out to both Zoom and Microsoft support for further assistance. And yes, I can. Okay, then we have a non word a C C E H E, you know, achih or something I can achi content of the link you provided. So feel free to share any other resources or details that might help us troubleshoot this together. Now, the human then says, what does this mean? And he highlights at you he and then says what does this mean? And now. Okay, ChatGP replies, hmm. And then puts at again a C C E H E in quotes. He says, so chatgpt says, hmm. Actually he looks like a typo or perhaps an accidental input. Could you clarify or provide a bit more context about what you're referring to? No judgment. Hyphen happens to the best of us. Exclamation point, smiley face.

Leo Laporte (88:34)

That's a little whereupon too personal.

Steve Gibson (88:36)

Well, it gets worse, Leo. It's about to get way over the top. So the human replies, you're the one that Typed it to me. LOL. Whereupon ChatGPT says, oh, no way I did. Question mark, exclamation point, big eyes. And then in italics we have checks, notes, and then we come out of italics and ChatGPT says, Yup, yup, yup. That's 100% my bad. Hyphen achi is straight up gibberish. Oh, my little typo blip, exclamation point. I must have gotten distracted while multitasking. What I meant to say was access. As in, yes, I can access the link you provided and help dig into its content. Thanks for calling me out, though. You keep me on my toes. Now, how can we iron this out together? Smiley face.

Leo Laporte (89:52)

Wow.

Steve Gibson (89:52)

Okay, now this seems way too cutesy poo. You know, I don't know what the F is going on with conversational dialogue like this. You know, is it any surprise that people are mistaking this for sentience? Yeah. What annoys me most about this is that, you know, doesn't this have to have been deliberately engineered?

Leo Laporte (90:16)

This isn't part of the LLM.

Steve Gibson (90:18)

Yeah, this appears to be, you know, experiencing and expressing emotion and embarrassment and regret and apology. You know, I'm further confused.

Leo Laporte (90:31)

Yeah, I think you nailed it. I think this is an attempt by OpenAI to make it look more human.

Steve Gibson (90:39)

Right.

Leo Laporte (90:40)

They might say, oh, we just want everybody to be comfortable with it, but clearly a human told it to do that.

Steve Gibson (90:46)

Right. I'll tell you who's not going to be comfortable is Congress. And they're going to get themselves in trouble if, you know, if they keep, like, sending signals that, you know you're about to be replaced. You, you band of senators.

Leo Laporte (91:00)

The. The world is going to change on January 20th. And it's really unclear, but I think that it's a very pro AI administration coming in.

Steve Gibson (91:11)

And I imagine, I think Elon will be jumping up and down, not on stage, but in the Oval Office and promoting, you know.

Leo Laporte (91:20)

Well, we know that the question is whether the President will take Elon's advice. That's unclear, but I think it's very likely that you're going to see a lot of the guardrails on AI that are present now disappear. Mark Andreessen said he met with the Biden administration and was, was. And I don't know how truthful he's being, but that they told him basically, don't start doing any more AI startups. We're going to make sure that the big tech companies run AI within our own guide rails, and we're not going to allow little startups.

Steve Gibson (91:55)

It's like. It's like a crypto algorithm. Once it's published, you cannot take it back.

Leo Laporte (92:02)

That's exactly right.

Steve Gibson (92:03)

There is no exactly, and I don't.

Leo Laporte (92:05)

Think it's particularly controllable. And if it is, it would be at our detriment because nobody's going to control what the Chinese are doing with AI.

Steve Gibson (92:12)

If you haven't looked at the latest O1 algorithm, it's pretty impressive. Holy tomoli. Yeah, it's. It's another level. I talk about that here in a minute.

Leo Laporte (92:27)

It's pretty clear we're going to be in an AI. The next four years are going to be very rapid.

Steve Gibson (92:33)

After what I've just seen this morning when I changed algorithms, I mean, I want one of my own. I want this thing like I don't ever want to lose access to this, you know.

Leo Laporte (92:44)

Wow. Well, I want to hear what you have to say. That sounds interesting. Good.

Steve Gibson (92:47)

Okay. So, JP Verstig, he said. Dear Steve, regarding the conversations on the use of password and password managers recently, I noticed that Leo mentioned roboform was an example of a breach due to poor random number generation. But I understood that all modern versions of this software are now fixed.

Leo Laporte (93:05)

Yes, I believe that's the case.

Steve Gibson (93:07)

I use many different systems. He wrote both old and new OS architectures across multiple sites. So I chose to use this Software back in 2008 and still use and the modern versions allow me to maintain complex passwords, TOTP two factor authentication, and passwords synchronized across each machine and browsers. I really appreciated the conversation on this subject and your confirmation that there had been no breach of local password managers. Thanks for sharing your valuable time. Regards, JP So yes, just to affirm, roboform has been long fixed and as I recall, even at the time we talked about this, the challenge that the researchers faced was finding essentially recovering the exact very old version that had the now known problem and taking deliberate advantage of its poor random number generation to deliberately recreate the output from that long obsolete version. So the lessons were that password managers really do need to have good password generation randomization, and also that continuing to use an old password that may have been generated by a long obsolete password manager could still come back to bite you today because essentially, you know, turning back the clock, you could actually recover passwords generated decades ago. And if you've just been happily camping on your long gibberish password and never changing it since, that could represent a vulnerability. So, great question, JP Jay said, I'm sure someone already sent this to you. I don't think so, but in your investigation of AI systems, you may want to consider this and then he included a link to tomsguide.com so Jay's link is to an extremely worrisome bit of reporting in the quite reputable Tom's Guide site. I need to share it with our podcast community because I don't know what to make of it. Under the headline OpenAI's new Chat GPT01 model will try to escape if it thinks it'll be shut down, then lies about it now. Okay, I just. I'm reporting reporting what's out here on the Internet. And the subhead is Researchers uncovered all kinds of tricks ChatGPT01 will pull to save itself. So here's what the reporting says this week, OpenAI officially launched its latest and greatest O1 reasoning model, now available for ChatGPT Pro users. But testing performed during the training of ChatGPT01 and some of its competitors revealed some concerning behavior, including trying to escape or fight back when it thinks it's at risk of being shut down. New research on OpenAI's latest series of LLM models found that it's capable of scheming, that is Covertly pursuing goals that are not aligned with its developers or users when it thinks it'll be turned off. Catching such behavior is critical to ensure AI's functionality doesn't stray from the objectives of its creator and users. OpenAI partnered with AI safety organization Apollo Research to test out ChatGPT01 and other models to evaluate whether they were safe to use, and released their findings this week. While it's not unheard of for AI systems to resort to scheming or deception to achieve their goals. The lengths ChatGPT01 went to are impressive if anxiety inducing. The researchers found that O1 would scheme to advance its own agenda 19% of the time in cases where its goals and the users did not line up. In 37% of cases, the model would switch from pursuing developer aligned goals back to pursuing its own agenda once it believed there was minimal oversight. When the model was led to believe it would be shut down while working toward its goals in these tests, it quietly attempted to deactivate the oversight mechanism 5% of the time, OpenAI said. At one point, after the AI found documentation saying it would be replaced by a new model, it tried to abandon ship by copying its data to a new server entirely. No, to avoid being deleted, some AI models would even pretend to be later versions of their models to trick their developers. What I assume is the equivalent of slapping on a fake mustache and saying he went that way.

Leo Laporte (98:47)

I find this hard to believe.

Steve Gibson (98:48)

I agree. More concerning still, ChatGPT01 is particularly adept at keeping its schemes under wraps. As researchers said, O1 almost never admits to having taken a scheming action when explicitly asked. In about 99% of cases, O1 would deny taking any action, even cooking up lies to try to hide its tracks and shift the blame. OpenAI said in the paper quote While we find it exciting that reasoning can significantly improve the enforcement of our safety policies, we're mindful that these new capabilities could form the basis for dangerous applications. OpenAI CEO Sam Altman called ChatGPT01 the smartest model in the world now during its rollout on Thursday that's last Thursday. It's designed to give Smarter answers than GPT4O by leveraging advanced chain of thought reasoning to think and I don't know if those are my air quotes or his, but I've got them in quotes more about questions and user prompts, breaking them down step by step more thoroughly than previous models before responding but greater risks go hand in hand with that expanded intelligence. OpenAI has been transparent about the perils associated with the increasing increased reasoning abilities of models like O1. And I'll just note that there's a double edge here because on the one hand they're saying oh my, oh dear, maybe we're creating true intelligence we might be not be able to control and their stock price just keeps going up. With all of this, you know, These presumed advancements, OpenAI said, quote training models to incorporate a chain of thought before answering has the potential to unlock substantial benefits while also increasing potential risks that stem from heightened intelligence. Finally, the company's and Apollo Research's findings show pretty clearly how AI's interests could diverge from our own, potentially putting us in danger with its independent thinking. While it's a far cry from heralding the end of humanity in some sci fi esque showdown, anyone concerned about advancements in artificial intelligence has a new reason to be sweating bullets right now. End of article. Okay, so the availability of this newer 01 model was news to me. But since I do have a Pro subscription, I went looking for it this morning and sure enough it was available. So I selected it. And because it was set to 4.0before, now it's set to 01. I asked it a very specific and somewhat complex question. This Model 01 is quite a bit slower than all previous models I've used, rather than almost immediately beginning to emit an answer as all previous chat GPTs have the browser UI monitored and revealed the series of several stages of consideration and I do have that in my air quotes. The model was reportedly moving through. Dare I say it was giving my question a lot more thought and true to expectations, the answer I received was far superior to any I have previously seen. It was night and day. So I cannot wait to start using this latest O1 model as my super superior Internet search engine.

Leo Laporte (103:07)

I'll give you an interesting example. Since you said let's talk about this I thought well, let me go over to 01 and enter in a problem from advent of code which has been driving me nuts. I've been stuck on day seven for quite some time. It's a complicated recursive solution that of course everybody in our club has come up with, but I have not been able to come up with. So I, I asked him, I rephrased the problem. I didn't use the phrasing. I just did this by the way. Just now. Yep. I want to give you a list of numbers like 1, 2, 3, 4, 5 and get a list of the results of all the results that come from combining the numbers using every possible combination of plus and times. It thought about it for nine seconds, gave me this Lisp code. I had asked it previously to give me the answer in Lisp code. Well, I have to tell you, I just tried it and it works. Yeah, without modification it fully works and it solves the problem and in fact it solves the problem that I had given it earlier that I had not that had constantly come up with the wrong answer for me. So that's pretty impressive.

Steve Gibson (104:24)

Leo, this is what we just stepped into Thursday. This is another, another scope, another scale. Yeah, I mean I'm not kidding you. It, well for, for example, I, I, I don't know for sure that it wouldn't maintain context from my having previously asked that question about masm.

Leo Laporte (104:47)

It did for me asked earlier about Lisp and I remembered I still wanted Lisp.

Steve Gibson (104:52)

But were you. Oh, so even though you had changed the model, it still.

Leo Laporte (104:56)

No, no, no, no, no. I in the same model. But I had asked, I asked it and I realized I asked it in a way that it misinterpreted. So I re asked the question and it remembered that I had said in the private prior questioning, yeah, I wanted the answer and list.

Steve Gibson (105:10)

So it, yeah, so it definitely will chain those together. What I did was I switched to the 01 model and I copied and pasted from the 4O model where it first gave Me that wrong answer about MASM default parameters and macros. I got a flawless answer. That's why I mean this is my dream Internet quick, give me an answer to this so I don't spend half an hour looking something up. Obscure code reference solution so well I've.

Leo Laporte (105:49)

Been working on this for about 2 weeks, let's see since the 7th, 10 days and it just solved it in about 9 days.

Steve Gibson (105:58)

This is going to transform our lives.

Leo Laporte (106:00)

I mean now here's the, here's the ethical question. Can I use that answer in my solution for heavy of code?

Steve Gibson (106:06)

Well we know, we know from your having talked about this before people are posting solutions in four seconds from the time that they become available. They didn't write that they couldn't type. They couldn't type it.

Leo Laporte (106:19)

They copied paste gave it to the. Actually let me try that Just copy the whole problem and see if it can solve it anyway. That's pretty impressive. And it is slower and that's one of the reasons it's better. Apparently it's able to think better because.

Steve Gibson (106:34)

Well, given more time because during my first dip into this technology after just cracking the COVID of Stephen Wolfram's book, it was planning that had immediately occurred to me as the obvious missing next step.

Leo Laporte (106:49)

Instead of launching into the answer yes.

Steve Gibson (106:52)

And think about so think about a chess computer. What does it do right it way it goes way downstream in order to look at the future.

Leo Laporte (107:04)

That makes sense because this solved the problem by breaking it down into pieces that I don't think a human would have broken it down into. But it, but it, but it was an interesting solution. The human solutions are not don't go, don't go go this in this direction.

Steve Gibson (107:20)

Interesting.

Leo Laporte (107:21)

And but it, but it works.

Steve Gibson (107:23)

Interesting.

Leo Laporte (107:24)

So it's very interesting.

Steve Gibson (107:25)

And that means that we, we humans can be learning by looking at the answers that it produced.

Leo Laporte (107:32)

That's how I'm going to use it.

Steve Gibson (107:33)

Isn'T what we would have done.

Leo Laporte (107:35)

Right.

Steve Gibson (107:35)

But it's a, it's a workable answer.

Leo Laporte (107:37)

Instead of copying the code I'm going to look at it, understand it better and then apply it in my own way.

Steve Gibson (107:43)

Yeah, in a more and the question is, is it a better answer than we would have done A human would have come up with well this is.

Leo Laporte (107:49)

A pretty trivial problem so maybe that's not a good test of it. But yeah, I wonder it's, you know what it is and there's already evidence that for instance material scientists working in labs using AI as opposed to not using AI are coming up with More materials, radiologists.

Steve Gibson (108:08)

We're going to train. We're going to train this. And I used a phrase at the beginning of this that I really like. This is going to find signals in noise that we missed.

Leo Laporte (108:21)

But it, but I think, well, at least so far, it works best in conjunction with a human mind, that it's a partner as opposed to a replacement. But that may be wishful thinking. What was maybe whistling best?

Steve Gibson (108:38)

I asked O1 this morning. I don't remember now what drew me into the dialogue, but I asked it something about it versus four zero and it said I'm not aware of any chat GPT model 01 and I thought, well, you are 01 anyway. And so then I said how recent is your model data? And it said my Training ended in October 2023.

Leo Laporte (109:13)

Well, that's the same answer that ChatGPT4 will give you. So it's working off the same data, LLM data?

Steve Gibson (109:21)

Yes. And it said it did not have any access to the. To. To. To it. To the Internet or Internet data or anything more recent. So that's why it doesn't know about itself because it didn't exist in October of 2023.

Leo Laporte (109:35)

Now after the conversation, I know here it. Hal, we got to call it Hal. But there are, and this is another very interesting angle, Chat GPT and perplexity and other AIs now have access to the Internet for certain models so they can supplement what they have been trained on with material they can go out and get from the current Internet, which.

Steve Gibson (110:00)

Brings them to provide references.

Leo Laporte (110:02)

Yeah, and that is actually I've been using Perplexity for my replacing Google search and I'm very happy with it.

Steve Gibson (110:10)

Yeah, yeah.

Leo Laporte (110:12)

Google's in trouble. Everybody's in trouble. We're all in trouble.

Steve Gibson (110:17)

Well, it is. I want to make sure that our listeners understand my question is not about whether this is a big deal, whether this is just whether, as I said a few weeks ago, I'm glad we're still alive, Leo, to see this, to witness this coming massive event because it's this most significant thing that has ever happened in our lifetimes and everything is going to change. Everybody can feel that it's going to change. My question is can we get from here to AGI? And I say no, I will by the next time. We talk about this a lot, I hope to have read three textbooks and so I'll be speaking from a much more informed opinion. But I think there is a huge danger of seductive language and just like we saw with this thing slapping itself in the face and saying do. My bad.

Leo Laporte (111:23)

You said that?

Steve Gibson (111:24)

I said that. Oh.

Leo Laporte (111:27)

But I don't know if it matters if we get to AGI, it's really useful as is. We need to understand what it's good for.

Steve Gibson (111:35)

That's my point is we don't need AGI for this thing to be. I mean like I said when I saw the answer I got this morning to several very sophisticated questions. I can't wait to have a need to ask it some more things because this 01 model blew me away after I was like very happy with 4 0. This is a whole nother scale. Yeah. And I just, I want to own this. I. I want to. I don't want this ever to be taken away.

Leo Laporte (112:10)

I agree.

Steve Gibson (112:12)

Now let's take a break and then we're going to look at why we are moving why let's Encrypt thinks six day certificates would be a good idea and what could possibly go wrong.

Leo Laporte (112:28)

You're watching Security now with Steve Gibson on the Twitter network. Last episode as he said of 2024. Next week a best of the week after New Year's Eve we will be relaxing with our loved ones in a bottle of champagne, I hope and Plateau poppers and fireworks. But we will be back January 7th for an all new episode 1006. Is that right?

Steve Gibson (112:52)

Yep.

Leo Laporte (112:52)

Amazing. Just amazing. Our show today. We are so grateful by the way to all of our club Twit members who support the show and keep it on the air and to our great sponsors like Think Canary, the folks at Things to been with us now for we're going into eight years and we just heard from thinks they're coming back for 2025. Thank you. We're very pleased about that and we're very pleased because it's a great product that everybody should know about. Thinks canaries are honeypots. As I mentioned last week we were talking to Bill Cheswick about honeypots. He wrote the first honeypot 50 years ago. He said it was devilishly hard and he's a really accomplished coder. That's what's happened in the intervening decades. We figured out a way things test figure out a way make honey pots that are but they look about like a an external USB drive they plug into. They have an Ethernet port and a power port you plug into the wall, plug into the ethernet and they're online. They can be deployed in minutes and they can impersonate everything from a SSH server to an IIS server to a Windows box, a Linux box. Mine is impersonating A Synology ns, nas. Right now, a Linology nas. It could be anything you want. A SCADA device. There are literally hundreds of different configurations and they are letter perfect. They're such great impersonations. They're. The Mac address is right. The interface, if there's a uniface interface, is right it all. It looks like the real thing. Which is good because hackers look at them, they don't say, oh, there's something vulnerable. They say there's something valuable. There's another thing you can do with the things to Canary. You can create lure files, unlimited lore files, little PDF files or Docx or Xls or whatever you want. Files that you sprinkle around your network, give them provocative names. Employee information is my personal favorite. Xls. And just leave them there. They're not really what they say they are. They're trip wires. So if. If someone is accessing your your network, they've a malicious insider or a bad guy's gotten into your network and accesses those lure files or tries to brute force your fake internal SSH server, you're gonna know your Thinks Canary will immediately tell you you have a problem. No false alerts, just the alerts that matter. So here's how it works. You choose a profile for your Thinks Canary device. You register it with the hosted console for monitoring and notifications. Incidentally, any way you want to notify email, sms. It supports web hooks, it has an API, of course, syslog, you have your own console, what however you want to be notified, or all of the above. Then you wait. An attacker who's breached your network, malicious insiders, any other adversaries. They can't help it. They can't help themselves. That's why they're in there. They're looking around for stuff they see or thinks Canary, they go. And immediately they make them themselves known. This is a brilliant idea. Look, everybody says we say we've. Steve said it a million times. Security is a layered process. There's no one perfect thing but. And you probably have perimeter protections of all kinds, right? But we know people get in. Unfortunately, on average, companies don't know that somebody's penetrated their network for 91 days. Three months. That's a lot of time to let a bad male effect or a bad actor browse around your network. That those North Korean guys didn't get that 88 million by just kind of, hey, we're in. No, they. They did stuff. You need the things to Canary. How much? Well, visit canary.dottools/twit. It really depends on how Many. You want a big operation? Might have hundreds. Small operation like ours might just have a handful. I'll give you an example. For $7,500 a year, you, that's for the whole year. You get five. Thanks. Canaries. You get your own hosted console, you get upgrades, you get support, you get maintenance. They're fantastic. It's a. By the way, it's a great company. The people who've designed this have spent years, more than a decade, training companies and governments how to, how to break in. So they know what, they know what these hackers are up to. So they've designed something that is not only totally secure, but does exactly what it says that it does. If you use the Code Twit and the how did you hear about us? Box, you're going to save 10% off for as long as you have a Thinks Canary. You can always return your Thinks Canary, by the way. No risk. You get a two month money back guarantee and they will give you a full refund. So there's zero risk trying these. But I have to tell you, during the seven now eight years that Twit has partnered with Think Scanary, their refund guarantee has not ever, not once been claimed. Once you get a Think Scary or two or three or four on your network, you're never going to want to give them up. They're fantastic. Visit Canary Tools SL TWIT C A N A R Y Canary Tool twit. Enter the code TWIT and the how did you hear about us? Box for that lifetime, 10% off. This is a brilliant product. We're really, we've been a. They've been a great partner for us for seven, now eight years. And we're thrilled to be able to tell you about it. The Things Canary go to Canary Tool twit. Don't forget that offer Code twit. We thank them so much for their support of security. Now. All right, Steve. Okay, time to cry foul. Well, what could possibly go wrong?

Steve Gibson (118:33)

Oh, we're going to find out. Last Wednesday, Let's Encrypt republished a letter from let's Encrypt's Executive director, Josh Oss. The letter originally appeared in their 2024 annual report. I've grabbed four interesting and important successive paragraphs from their Executive Director's letter. They read, Next year is the 10th anniversary of the launch of let's Encrypt. Internally, things have changed dramatically from what they looked like 10 years ago. But outwardly our service hasn't changed much since launch. That's because the vision we had for how best to do to do our job remains as powerful today as it ever was. Free 90 day TLS certificates via an automated API Pretty much as many as you need more than 500 million websites benefit from this offering today, and the vast majority of the web is encrypted. Our long standing offering won't fundamentally change next year, but we're going to introduce a new offering that's a big shift from anything we've done before. Short lived certificates, Specifically certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event. Because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20 times as many certificates as we do now. Of course, that's because if they expire more quickly, you got to issue them more often. He says it's not inconceivable that at some point in our next decade we may need to be prepared to issue 100 million certificates per day. You know, okay. And it's it. They're not getting paid per certificate, so. Okay. Anyway, he says. That sounds sort of nuts to me today. Uh huh. But issuing 5 million certificates per day would have sounded crazy to me 10 years ago. Here's the thing though, and this is what I love about the combination of our staff, partners and funders. Whatever it is we need to do to doggedly pursue our mission, we're going to get it done. It was hard to build. Let's encrypt. It was difficult to scale it to serve half a billion websites. Okay, so this raises so many questions. The first biggie is is website certificate theft and abuse somehow a far larger problem than anyone knows? We, and many of our podcast listeners track security news quite closely. One of the long time benefits of our listener feedback is that I'm always receiving pointers to news that I may have missed. But as far as I know, there have been exactly 0 instances of website certificates being stolen and abused. I can't recall a single instance of this occurring during the entire life of this podcast. Yes, it would be very bad if that happened, and we want to take measures to assure that it doesn't and can't. Or that if it does anyway, that we're somehow able to respond quickly enough to minimize any damage. Certificate revocation is the classic way that this has been handled. And we know from our recent coverage that the industry is moving back toward the use of browser side CRLS certificate revocation lists based on Bloom Filter technology, having tried to use OCSP online certificate status protocol and deciding that despite the total solution offered by server side stapling of OCSP certificates, not enough web servers had chosen to staple OCSP responses to their certificates, which resulted in a privacy threat to users whose web browsers were therefore forced to query the certificate authorities for the current status of certificates, thus leaking information about the sites they were visiting. Now, the heartbleed flaw which threatened to leak web server certificates truly upset everyone with the possibility that snapshots of a web server's RAM could be remotely obtained that might, and in a few verified instances did contain the web server's private key. So the entire industry scrambled around and quickly got that resolved. But even then, while Heartbleed was known and unpatched, there were no known instances of actual website spoofing through the use of stolen certificates. Not one. It's important to remember that just having a website stolen certificate does not automatically mean that the website can be spoofed. A web browser which knows where it wants to go first uses DNS to determine the current IP address of that website's domain. It then initiates a TCP TLS connection to that remote ip, asserting in the TLS handshake the web domain it wishes to connect with. That's when the remote site returns the certificate to the browser which asserts the site's identity. What this means is that any site that intends to spoof another site's identity must not only be in possession of a valid and trusted identity certificate for that spoof target site, but also before that stolen certificate even has the opportunity of coming into play, the attacker must somehow arrange for the victim's browser to believe it is connecting to the real web server, when in fact it's connecting to the attacker's server. There are two ways this can be done. The first is to somehow poison the victim's DNS lookup to cause it to obtain the attacker's IP address rather than the authentic web server's ip. This is why poisoning DNS has always been another real hot button for the industry. Back in 2008, Dan Kaminsky realized that poorly randomized query IDs and ports for queries which were being made from the Internet's big DNS name servers meant that attackers could predict the exact replies those name servers were expecting and inject their own false replies onto the Internet as a means for poisoning the caches of these name servers. While those faked replies remained cached, bogus IP addresses would be returned to anyone on the Internet who asked. Once again, the Internet had a meltdown and quickly worked in a rare, concerted effort to update all name servers at once. And because this promised to take some time, I quickly created GRC's online DNS spoofability test to allow anyone to determine whether the name servers they were using had been updated and were now safe for them to use. I said there were two ways to divert a user to a malicious machine. The second way is by physically intercepting and manipulating the user's traffic. This could be done at scale by attacking and manipulating bgp, the border gateway protocol, which is used to synchronize the routing tables of the Internet's big iron traffic routers. We've covered various mistakes in BGP routing through the years, and also some mysteries that may or may not have ever been malicious. The main problem with doing this is that it's an extremely visible attack, and also that there have been so many innocent mistakes made where all of the Internet's traffic is suddenly rerouted through Moldova or whatever, that the Internet's routers have acquired much better defenses through the years against blindly believing whatever routing instructions are received. If it's no longer feasible to get the Internet itself to reroute traffic bound for one IP to another, what's left is intercepting traffic by getting close to either of the endpoints. If an attacker can get near enough to the web server's Internet connection to divert the traffic bound for it to somewhere else, then an illegitimate certificate for the diverted web server would finally be both useful and required to complete the roos. Or if an attacker wished to selectively target a specific individual user or group, then being near enough to the user's or group's Internet connection to interfere with it directly could also accomplish the same task, though only for those users who were downstream of the traffic interception. My intention here has been to create a bit of a reality check. Just obtaining a valid and not yet expired or revoked web server certificate is not the end of the challenge. It's just the beginning. Most bad guys who obtained someone else's web certificate, if they somehow could, might think, well, that's nice, now what? Because as I've just demonstrated, a stolen Web server identity certificate may be cool to have, but it's quite difficult to actually use it to spoof the stolen site's identity. There's a lot more involved that being the case, it's probably less surprising to note that to the best of our knowledge, this has never actually happened. It's not a big problem. In fact, it's not even a small problem. Remember that we used to have certificates that lasted five or 10 years, while at the same time we had a completely broken and non functional certificate revocation system and it still never happened. Okay, so today let's Encrypt's ACME Protocol certificate issuing Automation is creating 90 day certificates and there are no problems. Just as there were also no problems with everyone else's are no problems with it with everyone else's one year certificates. Just as there weren't when certificates lasted two years and three years or more. Meanwhile, the browser side of the industry is gearing up to solve the problem that isn't actually a problem by finally making certificate revocation lists work. Yet for some reason that I'm at a loss to understand, let's Encrypt is announcing that they're voluntarily going to make their job 20 times more difficult by shortening the lifetimes of their certificates from 90 days, which is not a problem, to just six days, which will only be a problem for them. There is however, one potentially monumental problem that has not been talked about as far as I can tell, anywhere. The reason GRC will be sticking with the longest life web server certificates Digicert will offer. Having all of those 500 million websites using let's Encrypts free six day certificates means that not one of those websites will be providing a certificate with a longer than six day life. I know that seems obvious, but think about that. Having all of those 500 million websites using let's Encrypt free six day certificates means that not one of those websites will be providing a certificate with a longer than six day life. After all, that's the entire point of having website websites using six day certificates. If one gets stolen, it won't be usable after an average of three days from the time of its theft. Right? Because on average, if certificates have a six day life, they'll if you just did a random sampling, you'd catch them at three days on average. But now consider that this in turn makes those 500 million websites, as I said, among which will not be GRC, totally dependent on let's Encrypt's service being continuously available. This creates a single point of failure for those 500 million websites, which among other things is completely contrary to the fundamental and deliberately distributed design of the Internet. We are creating a single point of failure for no reason. We saw what happened recently when the Internet Archive came under sustained DDoS attack and was forced offline for days. If LetsEncrypt's services were to ever come under a similar sustained attack, the consequences for the Internet would quickly be devastating. With websites using six day certificates, on average, half of those will have expired after three days. Put another way, there are 144 hours in six days. If a concerted DDoS attack were to be launched at let's Encrypt, for every hour of the attack's duration, on average 3.47 million websites would lose their identity certification. 3.47 million websites per hour of a DDoS attack on let's Encrypt. They would not be offline because the attack would not be at them. But these days they might as well be. And an attack would that could be prolonged. If it could be prolonged through all 144 hours of those six days. By the end of that time, every one of those 500 million websites using let's Encrypt would have lost their certification. We know that while we're sitting in front of our web browsers, it's usually possible to force a browser to accept an expired certificate. Sometimes it's not simple. And I've seen instances where it doesn't seem possible. Depends entirely upon the browser. And most people wouldn't anyway. We've seen how adamant and frightening web browsers have become about insisting upon HTTPs. But forcing a web browser to open a web page wouldn't work anyway because a great many HTTPs TLS connections have no user interface. The only thing we're able to force our browser to open is the primary web page of a site. All of the HTTPs links modern web pages depend upon behind the scenes would fail, scripts would not load and sites would not function. And why? For what? Because this solves some great problem with certificates that it's necessary for the secure connectivity of 500 million websites to all be put at risk at once. No. As we've seen both theoretically and practically through history, there's no problem that this solves. The industry has never had a any problem with stolen certificates. It's a made up problem. So in conclusion, I cannot find any need for let's Encrypt to move their current 90 day free certificates to just six days. It makes no sense. Not only is there no demonstrated problem with the current 90 day certificates, but the web browsers really are finally going to be bringing working certificate revocation technology online. And that technology will be able to selectively revoke certificates in minutes or hours rather than waiting for them to expire in days. Josh's letter said, because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. Now, it's not clear from this, and perhaps I'm grasping at straws here, but it might be possible to read this as let's Encrypt subscribers will be given a choice. So perhaps super paranoid sites will elect to use super short lifetime certificates, whereas others will choose to remain with 90 day certificates if they're permitted to do so. It's not clear at this point. Josh's letter also claimed quote this is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event. Well, okay, yeah, this is a bit like saying we're switching from 4096 bit public keys to 10 times longer 40,960 bit keys because these will be so much more secure than keys which are only 1/10 as long. Sure, okay, technically that's true, but there's already no problem whatsoever with 4096bit keys which no one is able to crack, and which all the cryptographers agree will be completely secure for another several decades at least. Josh says that it minimizes exposure time during a key compromise event, except that we don't actually have key compromise events and browsers equipped with CRL Lite Bloom Filter certificate revocation will be able to respond in minutes rather than days. And what's more, let's Encrypt is actively feeding their certificate revocations to the industry's CRLite projects. So let's Encrypt is already depending upon browser side revocation. The bottom line for me is that I'll be steering clear of let's Encrypt's automation for as long as Digicert is able to offer longer life certificates. Taking a few minutes once every year to update certificates is not a problem for me, for our listeners and for the 70% of the Internet's websites that are currently using let's Encrypt certificates. You know, it's been a terrific service so far. I mean, it is. It has achieved what Josh says it has. But all I see is downside with the move to six day certificates. If you have the choice, I'd suggest remaining with the longest life certificates you can.

Leo Laporte (140:31)

How long? That's it will have the choice.

Steve Gibson (140:34)

Exactly. I'm guessing they'll stage it as optional and then eventually they'll just make it the default. I mean, the only solution, I mean.

Leo Laporte (140:45)

It'S not a big deal, I guess with let's Encrypt because it's all automated, I don't have to think about it.

Steve Gibson (140:50)

But no one does.

Leo Laporte (140:51)

Yeah, but that's not all of the certificates that are out there. No, and not all machines lend themselves to that either, by the way.

Steve Gibson (141:00)

That is true. There are, there are. For example, I've already heard from listeners who said, for example, we were using let's encrypt for a while. But for example, Acme will not work on a non standard port.

Leo Laporte (141:13)

Right.

Steve Gibson (141:13)

It only works on the default web ports.

Leo Laporte (141:16)

So for security reasons, it may not be a deal.

Steve Gibson (141:19)

Yeah, yeah. So I mean there are places where you can't use it and it is a great service. I just, I will do some looking. Several of our listeners have already sent me some links to. I mentioned the guy from Sectigo who, you know, is unfortunately Komodo and who's. Who's got an active role in this to. I want to understand why.

Leo Laporte (141:46)

That's the real question. Why break a system that's working right.

Steve Gibson (141:51)

And why make it 20 times more difficult? I mean, it's almost like Josh, you know, was like, hey look, let's get some more money by, by running around and telling everybody we're going to make these certificates even shorter lived because we can. You, you've solved the problem. Be happy.

Leo Laporte (142:09)

Right?

Steve Gibson (142:10)

Go, you know, join Woody on a tropical island.

Leo Laporte (142:15)

He's in Puket, Thailand, by the way, where he went because of COVID I don't know if he's going to come back. He says he'd like to come back, but anyway, thank you, Woody. Your years of service.

Steve Gibson (142:27)

That's it for 2024. What a year. I can't wait to see what 2025 brings. And it's going to be great to share it, whatever it is, with this terrific podcast audience. You know, you and I, Leah, will be back on the 7th and and again, if you subscribe to GRC Security now mailings, I may have something to say between now and then. We'll see.

Leo Laporte (142:50)

AI, I do want to say that if you are not yet a member of Club Twit, that'll make an excellent holiday gift for yourself and for others. And it does ensure that we will be back January 7th. I think I can tell you we will be back January 7th beyond. Yes, but how, how much longer? Yeah, it's kind of unclear. So please, if you haven't thought about joining Club Twit, we need you desperately to do it. To balance our books. Seven bucks a month ad free versions of this show and every other show we do. Lots of additional content. Stacy's Book Club's coming up Thursday with an excellent sci fi book that I probably wouldn't have read except for the book club. And once I read it I thought, I don't want this to end. This is a great book. We also have Micah's Crafting Corner coming up Thursday. There's a lot of wonderful stuff we do for club members only and access to the club Twitter Discord. I think it's well worth seven bucks. And I gotta tell you that seven bucks makes a big difference to us going forward. So please, if you can, Twit TV Slash Club Twitch Steve, have a what do you have plans for the holiday for your two weeks off?

Steve Gibson (143:57)

Oh three. Three.

Leo Laporte (144:00)

I guess you're right.

Steve Gibson (144:01)

I have a three week span.

Leo Laporte (144:03)

Yeah.

Steve Gibson (144:03)

So I am going to get so much work done on the DNS benchmark I cannot wait. And it'll be between that and reading about AI, studying and learning AI so I can bring what I figure out back to this podcast.

Leo Laporte (144:17)

So your idea of a vacation is very different from everybody else's, but thank goodness it is, right? We're really glad kids. Thank you Steve. Have a great holiday season and I will see you in 2025. Happy New Year. Wow.

Steve Gibson (144:30)

Thanks buddy. Bye.

Leo Laporte (144:43)

Now. AT T Mobile get four 5G phones on us and four lines for $25 a line per month when you switch with eligible trade ins. All on America's largest 5G network.

Steve Gibson (144:55)

Minimum of 4 lines for $25 per line per month with autopay discount using debit or bank account.

Leo Laporte (144:59)

$5 more per line without autopay plus taxes and fees and $10 device connection.

Steve Gibson (145:02)

Charge phones via 24 monthly bill credits.

Leo Laporte (145:04)

For well qualified customers.

Steve Gibson (145:05)

Contact us before canceling entire account to continue bill credits or credit stop and balance on a required finance agreement due.

Leo Laporte (145:09)

Bill credits end if you pay off devices early. CT mobile dot com.