Leo Laporte (3:24)

Oh, that's a very good point.

Steve Gibson (3:28)

Right. If Apple believed that they could design and field a truly and totally secure last resort backdoor means of accessing their devices in the event that the world depended upon it, I believe that they would have designed such a backdoor. And I believe that they did deliberately and purposefully or their own needs. Yes. And I do not think less of them for it. In fact, I think that the case could be made that it would be irresponsible for Apple not to have provided such a backdoor. Yeah.

Leo Laporte (4:16)

What if Dr. Evil had an iPhone with the launch codes on it? Right.

Steve Gibson (4:20)

Well, that's where I'm going here. We'll likely never know whether any external agency may have made them do it. And yes, doing so could hardly be more controversial. But I can imagine a conversation among just a very few at the very top of Apple, Tim Cook and his head of engineering and of security, they had to have had a conversation about whether it should be possible under some set of truly dire circumstances for them to get into somebody else's locked phone. Obviously, the security of such a system would be more critical than anything. But their head of engineering security would have explained, as I did last week, that as long as the secret access details never escaped, because it's impossible to probe anything that must be accompanied by a signature hash, there would truly be no way for this backdoor to be discovered. As I said last week, from everything we've seen, it was designed to be released in the field where it would be active yet totally safe. So if Tim Cook were told that Apple could design and build and build in an utterly secure emergency, prevent the end of world escape hatch into their otherwise utterly and brutally secure devices, and this escape hatch could never possibly be opened by anyone else, ever. I imagine Tim would have said under those conditions. Yes. I think that most CEOs who are in the position to understand that with great power comes great responsibility. When assured that could not possibly be maliciously discovered and abused to damage, their users would say, yes, build it in. I trust Apple as much as it's possible to trust any commercial entity operating within the United States. I believe that they absolutely will protect the privacy of their users to the true and absolute limit of their ability. If the FBI were to obtain a locked iPhone known to contain exactly as you said, Leo, the location and relevant disarming details of a nuclear weapon set on a timer and hidden somewhere in Manhattan. I would be thanking Apple for having the foresight to create a super secure means for them and them alone to gain entry to their device. And I'd argue that in doing so they did have the best interests of their customers in mind. In this scenario, a great many iPhone users lives would be saved. There are all manner of conspiracy theories possible here. Yeah, obviously, and this one of mine is only one of many, but of all the possible theories, I believe this one fits the facts best and makes the most sense. Of course the first thing everyone will say is yeah, but Gibson, they did lose control of it and it was being used by malware to hurt some of Apple's users. And that's true. In fact, that's the only reason the world learned of it. If this scenario is correct, Apple never divulged this to any entity and never would. This would never have been meant for the FBI, CIA or NSA to have for their own use. If an impossibly high bar were reached, Tim Cook would say, have an agent bring us the phone and we'll see what we can do. But somewhere within Apple were people who did know. Perhaps someone inside was set up and compromised by a foreign group. Perhaps Apple had a long standing molecule. Perhaps it was a gambling debt, or the threat of some extremely embarrassing personal information being disclosed. One thing we've learned and seen over and over on this podcast is that when all of the security technology is truly bulletproof, the human factor becomes the lowest hanging fruit. Just ask LastPass how they feel about the human factor which bit them badly. Okay, so where does this leave us today? We know that all Apple iPhones containing the A12 through A16 chips contain this backdoor and always will. We don't know that it's the only backdoor those chipsets contain, as we touched on last week. But Apple doesn't need a another back door since they still have access to this one. They locked a door in front of this one, but they can always unlock it again after being contacted by Kaspersky. Apple's iOS updates blocked the memory mapped I O access that was discovered being taken advantage of by malware. But Apple is able to run any software they choose on their own phones, which means that Apple still has access to this backdoor should they ever need to use it. And this means that they've lost plausible deniability. They have the ability to open any iPhone that they absolutely must so this poses a new problem for Apple when law enforcement now comes knocking with a court order, as it's almost certain to with, you know, way below that bar, requests for random iPhone unlocking to assist in this or that case. So this is a new mess for Apple. No, I'm sure they're facing that. Apple's most recent silicon is the A17. Yet Kaspersky told us that this facility had only been seen in the A12 through A16. If the malware did not contain that initial unique per chip generation unlock code for the A17 silicon, and we know that it didn't, then this same backdoor might still be present in today's iPhone 15 and other A17 based devices. That's the most reasonable assumption since it was there for the first, for the previous five generations. Apple obviously likes to have it. But what about the next iteration of silicon for the A18? Another thing we don't know is what policy change this disclosure may have for the future. We don't know how committed Apple was to to having this capability, but I think I've made a strong argument for the idea that it has to have it. Have they been scared off? Well, maybe. We'll see what happens now. You know, as I said, with law enforcement asking them to unlock everybody's iPhone, will they move it to a different location within the ARM 64 bit address space, yet keep it around? As we were after last week, we're left with a handful of unanswered and unanswerable questions. But my intention here was to hone this down to explore what appears to be the single most likely scenario Apple designed and is quite proud of. The GPU section of those chips which contains the backdoor hardware. There's no chance they were not aware of the little hash algorithm protected DMA engine built into one corner of the chip. People within Apple knew. Listeners of this podcast know that I always separate policy decisions from mistakes which unfortunately happen. So I sincerely hope that Apple's policy was to guard this as perhaps their most closely held secret, and specifically that it was never their policy to disclose it to any outside agency of any kind, for any reason. Somewhere, however, a mistake happened. And I'd wager that by now Apple knows where and how that mistake occurred.

Leo Laporte (13:58)

Well, I hope you're enjoying this best stuff. It's always fun to do these, and I have to tell you, it's a lot of work and I really appreciate our team, the people who work so hard. Anthony Nielsen, our creative director, our producers and editors, Benito Gonzalez, Kevin King, John Ashley, they work so hard to put this all together for you. All of our hosts, our contributors do. And of course there's the office people who do work in continuity, like Viva and Sebastian. Our CEO, Lisa. Twit is a. Is a big effort and we think what we're doing is really important. I hope you do too. I hope you enjoy the company and learn from the information. And if you do, I'd like you to consider joining our club because frankly, in 2025, that's the only thing that's going to keep Twit going. If you like what you hear and you want to continue, please, seven bucks a month, consider joining Club Twit. Twit TV Club Twit. You get ad free versions of all the shows, access to our Discord special programming you don't get anywhere else. But really the main thing you get is that warm and fuzzy feeling that you're keeping Twit going. We need your help. I hate to beg, but we really do. Twit TV Club Twit. But enough of that. On with the show.

Steve Gibson (15:15)

Everybody knows how bullish and excited I am about Google's privacy sandbox. Yes, we all, we all know I'm a bit of a fanboy for technology. And this is a bunch of very interesting new technology that solves some very old problems. Google clearly understands that their economic model is endangered due to the fundamental tension that exists between advertisers, primarily themselves, who demand to know everything possible about the viewers of their ads, and those viewers, along with their governments, who are becoming increasingly concerned about privacy and anonymity. The emergence of global privacy control and the return of DNT Do Not Track has not gone unnoticed by anyone whose cash flow depends upon knowing something about the visitors to their websites. As we've been covering this through the years, we've watched Google iterate on a solution to this very thorny problem. And I believe, though, the final solution was to transfer the entire problem into the user's browser, that they found a solution that really can work. But, and this is a huge but that informs today's title topic, it appears that the rest of the world does not plan to go down without a fight. Not everyone is convinced. Apparently not everyone believes that they're going to need to follow Google. And it turns out that there is a workaround that is not good. So a recent Financial Times headline read, Amazon strikes Ad data deal with reach as Google kills off cookies. Which was followed by the subhead media sector scrambles to deal with fallout from phase out of cross website trackers so with a little bit of editing for the content for our listeners, the Financial Times writes. Tech giant Amazon has struck a deal with the UK's largest publisher, Reach, to obtain customer data to target online advertising as the media industry scrambles to respond to Google's move to axe cookies. In one of the first such agreements in Europe, Amazon and Reach unveiled a partnership on Monday designed to compensate for the loss of third party cookies that help gather information about users by tracking their activity across websites to help target advertising. Google said this month that it had started to remove cookies on its Chrome browser following a similar move by Apple to block them over Safari, aiming to switch off all third party cookies by the end of the year, Reach said it will partner with Amazon on sharing contextual first party data, for example allowing advertisers to know what articles people are looking at, with the US tech group using the information to sell more targeted advertising on the UK publishers sites, the company said. The deal comes quote as the advertising world tackles deprecation of third party cookies, a long anticipated industry milestone that Google kickstarted in early January, unquote. Financial details for the arrangement were not revealed. The partnership involves the contextual advertising of Mantis, originally a brand safety tool that could ensure that brands were not being presented next to potentially harmful or inappropriate content. The tool is also now used to place ads next to content users may want to see, helping to better target specific audiences with relevant advertising. Other publishers Publishers also use Mantis, Amazon's ad director EU of EU Ad Tech says. Fraser Lock said that quote, as the industry shifts towards an environment where cookies are not available, first party contextual signals are critical in helping us develop actionable insights that enable our advertisers to reach relevant audiences without sacrificing reach relevancy or ad performance. The loss of cookies means that almost all Internet users will become close to unidentifiable for advertisers. The risk for advertisers is that their advertising offer becomes much less valuable at a time when they're already losing ad revenues, which has led to thousands of job cuts in the past year. Reach last year announced 450 roles would be axed. Other media groups are also looking at deals involving their customer data, according to industry executives. Some publishers are experimenting more with registration pages or paywalls that mean people first give first party information that they can use, such as email addresses and logins. Reach is already seeking to harvest more such data from readers. John Steinberg, chief executive of Future, said that the quote elimination of third party cookies is one of the biggest changes to the advertising market in the digital age, unquote. He added that, quote, advertisers and agencies will be looking to publishers that have high quality editorial scale and rich first party data, unquote and predicted that, quote, advertisers, agencies and quality publishers will will work even more closely together to reach audiences that drive outcomes for brands, unquote. Sir Martin Sorell, chief executive of advertising firm S4Capital, said that some clients that did not have access to first party data on their customers were panicking. He said that there would be more focus on getting customers to sign up to websites with their information as companies attempted to boost their stores of consented data, unquote okay, so let's think about this for a minute. This notion of requiring more user signups is interesting, and it's not something that had occurred to me before. This article makes it clear that the advertising industry is not going to let go and go down without a fight. They don't want to change. They don't want to adopt Google's strongly anonymous interest based solution. No, they want to continue to know everything they possibly can about everyone, which is something Google's dominant Chrome browser will begin actively working to prevent, at least using the traditional tracking methodology. So what are they going to do? And what's up with this signing into sites business? It occurred to me that one way of thinking about the traditional presence of third party tracking cookies is that because they effectively identify who is going from site to site on the Internet, there's no need for us to explicitly sign up when we arrive somewhere for the purpose of identifying ourselves to the site and its advertisers. Cookies do that for us, silently and unseen on our behalf. Who we are when we visit a website is already known from all of the cookies our browsers transmit in response to all of the transparent pixels and beacons and scripts and ads that laden today's typical website. But soon all of that traditional silent, continuous background identification tracking is going to be prevented, and the advertising industry is finally waking up to that reality. What this means for a website itself is significant, perhaps even drastic. A reduction in advertising revenue, since, as we know, advertisers will pay much more for an advertisement that's shown to someone who whose interests and history they know. That allows them to choose the most relevant ads from their inventory, which makes the presentation of the ad that the viewer sees more valuable and thus generates more revenue for the website that's hosting the ad. And that's of course been the whole point of all this tracking that's why websites themselves have have never been anti tracking and it's the reason so many websites cause their visitors browsers to contact so many third party domains. It's good for business from the website's perspective and it increases the site's revenue. And besides, visitors don't see any of that happening. So tomorrow, when visitors swing by a website with Chrome which no longer allows tracking and those visitors are therefore anonymous and far less valuable to that site's advertisers, how does a website itself de anonymize its visitors to know who they are for the purpose of identifying them to its advertisers so that those advertisers will pay that site as much money as possible? The answer is horrible and is apparently on the horizon. The website will require its visitors to register and sign up before its content and its ads can be viewed. At the end of that Financial Times piece they quoted Sir Martin Sorel, the Chief Executive of advertising at S4 Capital, saying quote, Some clients that did not have access to first party data on their customers were panicking and that there would be more focus on getting customers to sign up to websites with their information as companies attempt to boost their stores of consented data. Now, these websites won't be charging any money for this signup. It's not money from their visitors they want. It's the identities of those visitors that for the first time they need to obtain from that first party relationship in order to share that information with their advertisers so that they can be paid top dollar for the ads displayed on their websites. And you can be 100% certain that the fine print of every such site's publicly posted policy Privacy policy will state that any information they obtain may may be shared with their business partners and affiliates, meaning the advertisers on their sites. We thought those cookie permission popups were bad, but things might soon be getting much worse and those sign up to create an account forms may also attempt to obtain as much demographic information as possible about their visitors. You know. Oh, while you're here creating an account, please tell us a bit more about yourself by filling out the form below so that we can better tailor our content to your needs and interests. Uh huh. Right. Such form fill will likely be a one time event per browser, since a persistent first party logon cookie will then be given to to our browser to hold and return to the site. So it will only be a brief hassle once, but the result of filling out a form to create an account at every site which might begin to Require one will be that our visits to that site will no longer even have the pretense of anonymity. We will be known to that site and thus we will in turn be known to every one of that site's advertisers. We may forget that we have an account there. We may find our name shown in the upper right hand corner of the screen with a menu allowing us to log out, change our email address, our password, etc. And password managers are likely going to become even more important because typical Internet users will be juggling many more Internet login accounts than they've ever needed before. Historically, we only ever needed to log on to a site when we had we had some need to create an enduring relationship with that site. That is what promises to change. Sites with which we have no interest or need to be known will begin insisting that we tell them who we are in exchange for access to their content, even though it'll be free. And the reason for their insistence will be that we become a much more valuable visitor. Once they're able in turn to tell their advertisers exactly who we are. And it's all perfectly legal. Because no tracking is happening, we sign up and implicitly grant our permission for our real world identities to be shared with any and all of that site's business associates. Most people will have no idea what's going on. Maybe it won't actually be that big a deal. It won't be obvious why sites they've been visiting for years are suddenly asking them to create an account. They already have lots of other accounts everywhere else and the site won't be asking for money just for their identities, which most people are not concerned about divulging. One thing we can be certain of is that a trend of forced identification before the content of an advertising supported website can be viewed will cause the EFF to have a conniption. Nothing could ever be more antithetical to to their principles. The EFF wants nothing short of absolute and complete anonymity for all users of the Internet. So this represents a massive step directly away from that goal. The EFF would be well served in fact to get behind Google's initiative, which is far more privacy preserving than this end around that appears to be looming. It almost makes third party cookie tracking look attractive by comparison. I don't want to be forced to create accounts for every low value website I might visit briefly. If this happens, it's going to change the way the Internet feels. It's going to be interesting to see how all this shakes out. And yes, I am more glad than ever to be going past episode 999 since it's going to be very, very interesting to be observing and sharing what comes next.

Leo Laporte (31:55)

It's been a crazy year with Chrome and Google and all of the weird things they're doing to try to make it possible to hold two thoughts simultaneously. Advertising good, Advertising bad. We'll see if they can figure it out. You're watching Security Now's Best of 2024. We're glad you're here.

T-Mobile Ad (32:16)

After investing billions to light up our network, T Mobile is America's largest 5G network. Plus right now you can switch keep your phone and we'll pay it off up to $800. See how you can save on every plan versus Verizon and at&t@t mobile.com KeepAndSwitch.

Pets Best Insurance Ad (32:35)

Up to four lines via virtual prepaid card. Allow 15 days qualifying unlock device credit service ported 90 plus days with the device, an eligible carrier and timely redemption required Card has no cash access and expires in six months.

Pets Best Insurance Ad (32:45)

The following ad is sponsored by Pets Best Insurance Services. Your pet is your bestie, your therapist, your preferred match. It's easy to love them, even when they sneak your snacks. It's easy to protect them too, with pet insurance coverage from Pets Best because it's all fun and games until they chew on something they shouldn't. With perfect timing, Pets Best helps protect your furry friend and your budget friend from this imperfect world. Get up to 90% on eligible vet bills for less than a dollar a day. Find your Perfect match@petsbest.com Pet insurance products offered and administered by Pets Best Insurance Services, LLC are underwritten by American Pet Insurance Company or Independence American Insurance Company for all terms visit petsbest.com backslash policy.

Leo Laporte (33:31)

2424 continued with a little shock for people who had used Microsoft's BitLocker encryption watch.

Steve Gibson (33:42)

Okay, so BitLocker chipped or cracked the number one most sent to me news item of the past week. Wow. It was like everybody seen this, seen this, seen this? Oh yeah. Was the revelation that PCs whose secret key storage trusted platform module functions are provided by a separate TPM chip outside of the main cpu, are vulnerable to compromise by someone with physical access to the machine. This came as a surprise to many people who assumed that this would not be the case and that their mass storage systems were more protected than they turn out to be by Microsoft's BitLocker during system boot up. The small unencrypted startup portion of Windows sees that bitlocker is enabled and configured on the machine, and that the system has a TPM chip which contains the decryption key. So that pre boot code says to the TPM chip, hey there, I need the super secret encryption key that you're holding. And the TPM chip replies, yeah, got it right here. Here it comes, no problem. And then sends it over to the processor. The only glitch here is that anyone with a hardware probe is able to connect the probe to the communicating chips of the processor or the TPM chip, or perhaps even to the traces on the printed circuit board which interconnect those two if those traces happen to lie on the surface. Once connected, the computer can be booted and that entire happy conversation can be passively monitored. Neither end of the conversation will be any the wiser, and the probe is able to intercept and capture the TPM chips reply to the processor's request for the BitLocker decryption key. These are the sorts of tricks that the NSA not only knows about, but has doubtless taken advantage of who knows how many times. But it's not made more widely obvious until a clever hacker like this stack smashing guy that was his handle comes along and shines a very bright light on it. So it's a wonderful thing that he did. And I should note that this is not the first time this has come to light. It happened a few years ago and a few years before that. So it's the kind of thing that surfaces every so often and people go, what? Oh my God. Okay. The fundamental weakness in the design is that the TPM's key storage and the consumer of that stored key are located in separate components whose communication pins are readily accessible. And the obvious solution to this dilemma is to integrate the TPM's storage functions into the system's processor so that their highly sensitive communication remains internal and inaccessible to casual eavesdropping. And as it turns out, that's exactly what more recent intel and AMD processors have done. So this inherent vulnerability to physical attack occupies a window in time where discrete TPM modules exist and are being maybe overly depended upon for their security and before their functions had been integrated into the CPU. It's also unclear, like just broadly, whether all future CPUs will always include a fully integrated TPM, or whether intel and AMD will only do this for some higher end models, or perversely, it turns out, some lower end models. Anyway, all of this created such a stir in the industry that yesterday, On Monday, the 12th Ars Technica posted a very nice piece about the whole issue, and under the subhead, what PCs are affected? The Ars guy wrote BitLocker is a form of full disk encryption that exists mostly to prevent someone who steals your laptop from taking the drive out, sticking it into another system, and accessing your data without requiring your account password. In other words, they're unable to start up your laptop, so they just take the hard drive out and stick it in a different machine, which they know how to start up. Many modern Windows 10 and 11 systems, they write, use BitLocker by default. When you sign into a Microsoft account. In Windows 11 Home or Pro. On a system with a TPM, your drive is typically encrypted automatically and a recovery key is uploaded to your Microsoft account. In a Windows 11 Pro system, you can turn on BitLocker manually whether you use a Microsoft account or not, backing up the recovery key any way you see fit, they say. Regardless, a potential BitLocker exploit could affect the personal data on millions of machines. So how big of a deal is this new example of an old attack? For many individuals, the answer is probably not very. One barrier to entry for attackers is technical. Many modern systems use firmware TPM modules or ftpms that are built directly into most processors.

Leo Laporte (40:00)

I think all AMD systems do that, right?

Steve Gibson (40:03)

Right, yeah. In cheaper machines, he writes, this can be a way to save on manufacturing. Why buy a separate chip if you could just use a feature of the CPU you're already paying for? In other systems, including those that advertise compatibility with Microsoft's Pluton security processors, it's marketed as a security feature that specifically integrates these kinds of so called sniffing attacks. That's because there's no external communication bus to sniff for an ftpm. It's integrated into the processor. So any communication between the TPM and the rest of the system also happens inside the processor. Virtually all self built Windows 11 compatible desktops will use FTPMS, as will modern budget desktops and laptops. We checked four recent sub $500 intel and AMD laptops from Acer and Lenovo all used firmware TPMS. Ditto for four self built desktops with motherboards from Asus, Gigabyte and ASRock. Ironically, if you're using a high end Windows laptop, your laptop is slightly more likely to to be using a dedicated external TPM chip, which means you might be vulnerable. The easiest way to tell what type of TPM you have is to go into the Windows Security center, go to the Device Security screen and click Security Processor details. If your TPM's manufacturer is listed as intel for Intel Systems or AMD for AMD systems. You're most likely using your system's FTPM and this exploit won't work on your system. The same goes for anything with Microsoft listed as the TPM manufacturer, which generally means the computer uses pluton. But if you see another manufacturer listed that is not Intel, AMD or Microsoft, you're probably using a dedicated external tpm, he said. I saw STM Microelectronics tpms. That's a very popular one in a recent high end asus Zenbook, Dell XPS 13 and mid range Lenovo ThinkPad stack smashing. The guy who publicized this again, you know, reminded everybody of this. Also posted photos of a ThinkPad X1 carbon gen 11 with a hardware TPM and all the pins someone would need to try to nab the encryption key as evidence that not all modern systems has switched over to ftpms. Admittedly something I had initially assumed, he wrote, laptops made before 2015 or 2016 are all virtually guaranteed to be using external hardware TPMs when they have any. That's not to say FTPMs are completely infallible. Some security researchers have been able to defeat the firmware TPMS in some of AMD's processors with quote, two to three hours of physical access to the target Device, unquote. Firmware TPMs are just aren't susceptible to the kind of physical Raspberry PI based attack that stack smashing demonstrated. Okay, so there is some good news here, at least in the form of what you can do if you really need and want the best possible protection. It's possible to add a pin to the boot up process even now, so that the additional factor of something you know can be used to strongly resist TPM only attacks. Microsoft provides a couple of very good and extensive pages which focus upon hardening BitLocker against attacks. I've included links to those articles in the show Notes. But to give you a sense for the process of adding a pin to your system right now, ours explains under their subhead so what can you do about it? They say most individual users don't need to worry about this kind of attack. Many consumer systems don't use dedicated TPM chips at all, and accessing your data requires a fairly skilled attacker who's very interested in pulling the data off your specific PC rather than wiping it and reselling or stripping it for parts, he says. This is not true of business users who deal with confidential information on their work laptops, but their IT departments hopefully do not need to tell anyone to do that. Okay, so if you want to give yourself an extra layer of protection, Microsoft recommends setting up an enhanced PIN that is required at startup in addition to the theoretically sniffable key that the TPM provides it admins can enable this remotely via Group Policy. To enable it on your own system, open the local Group Policy editor using you know, Windows R to open the run and then type GP edit msc, hit Enter, then navigate to computer configuration Administrative templates, Windows components, BitLocker, driver encryption and Operating system drives Enable both the require additional authentication at startup and allow enhanced pins for startup. Then open a command prompt window as an admin and type manager, BDE hyphen protectors, hyphen, add c colon hyphen, TPM and pin that command. And this is all in the show notes. Of course that command will immediately prompt you to set a PIN for the drive. I would think of it as a password anyway, he says once you've done this, the next time you boot, the system will ask for a PIN before it boots into Windows. He says an attacker with physical access to your system and a sufficient amount of time may be able to gain access by brute forcing this pin. So it's important to make it complex like any good password. And again, I would make it really good if you're taking the time to do it at all. Why not if he finishes? A highly motivated, technically skilled attacker with extended physical access to your device may still be able to find a way around these safeguards. Regardless, having disk encryption enabled keeps your data safer than it would be with no encryption at all. And that will be enough to deter lesser skilled casual attackers from being able to get at your stuff. So ultimately we're facing the same trade off as always, convenience versus security. In the absence of a very strong PIN password, anyone using a system that is in any way able to decrypt itself without their assistance should recognize the inherent danger of that. If the system escapes their control, bad guys might be able to arrange to have the system do the same thing for them. That is decrypt without anything that they don't know. Requiring something you know is the only true protection, maybe something else that you have if you if that could be arranged. That's what I did when I did my little European trip to introduce Squirrel is I had my laptop, you know, linked to my phone and my iPhone had to be present at the same time. Bitlocking or bitlockering a drive is certainly useful since it will provide, you know, it will strongly prevent anyone who separates the drive from the machine, from obtaining anything that's protected in any way. So bitlocker. Yes. Pin, yes. And as we've seen, it's possible to add a PIN after the fact. And if your pin is weak, you can still strengthen it and you should consider doing so.

Leo Laporte (49:12)

Do we still like Veracrypt? Would you Prefer VeraCrypt to BitLocker? BitLocker is so convenient.

Steve Gibson (49:18)

But it's convenient and VeraCrypt is 100% strong. I was thinking the same thing. BitLocker suffers a little bit from the, you know, the monoculture effect of everybody having it and it just being built in. On the other hand, its convenience means that it won't get in anyone's way.

Leo Laporte (49:39)

Right? Yeah. You just log in the computer as normal.

Steve Gibson (49:43)

Yeah, yeah.

Leo Laporte (49:44)

But if you wanted really better security, I think Veracrypt is. We still. That's still our choice. Now that. Now that. What was it? Its predecessor. I forgot now.

Steve Gibson (49:56)

What was it?

Leo Laporte (49:57)

True.

Steve Gibson (49:58)

Crypt is gone.

Leo Laporte (49:59)

Yeah, yeah, Yep. All right. If your PIN is weak, you can still straighten it. The motto of the day.

Steve Gibson (50:06)

If the pin is weak, you can still straighten it. I like it. Leo.

Leo Laporte (50:11)

That's Kalia, who is a textile worker. I do want to ask a little tiny favor from all of you, not just Club Twit members. Every year, you may remember, we do a survey of our audience. We want to get to know you a little bit better. It helps us with sales because we can say, you know, as we often do, 70% of our audience, our IT decision makers, that kind of thing. It's a very quick survey. Shouldn't only take you a couple of minutes. Twitter TV slash survey. This is the new 2024, 2025 survey. We're starting a little bit earlier this year than we usually do. It just helps us and it would be a. Be doing us all a favor if you. If you did it. So in between shows, maybe. Twitter TV slash survey. Thank you so much.

Steve Gibson (51:01)

We can guess. We know that PQ stands for post Quantum. And of course we'd be right. So is this Apple's third attempt at a post quantum protocol after 1 and 2 somehow failed or fell short?

Leo Laporte (51:19)

What? No.

Steve Gibson (51:20)

You know, PQ3. What happened to PQ1 and PQ2? No. Apple has apparently invented levels of security and put themselves at the top of the heap. So PQ3 offers what they call level three security. So here's how sear s e a R Apple's Security Engineering and Architecture Group, introduced this new protocol in their recent blog posting. They write, today we are announcing the most significant cryptographic security upgrade in imessage history with the introduction of PQ3, a groundbreaking post quantum cryptographic protocol that advances the state of the art of end to end secure messaging. With compromise, resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security, providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at scale messaging protocol in the world. Well, so they're proud of their work and they've decided to say that not only will imessage be using an explicitly quantum safe encrypting messaging technology, but that theirs is bigger than, I mean better than anyone else's. Since so far this appears to be as much a marketing promotion as a technical disclosure, it's worth noting that they've outlined the four levels of messaging security which places them alone at the top of the heap. Apple has defined four levels of messaging with levels 0 and 1 being pre quantum, offering no protection from from quantum computing breakthroughs being able to break their encryption, and levels 2 and 3 being post quantum. Level 0 is defined as no end to end encryption by default and they place QQ, Skype, Telegram and WeChat into this Level 0 category. Now this causes me to be immediately skeptical, you know, of this as being marketing nonsense, since although I have never had any respect for Telegram's ad hoc basement cryptography which they defend not with any sound theory, but by offering a reward to anyone who can break it, we all know that Telegram is encrypted and that everyone using it is using it because it's encrypted. So lumping it into level zero and saying that it's not encrypted by default is at best very disingenuous and I think it should be beneath Apple. But okay, level one are those pre encryption algorithms. I'm sorry, Pre quantum because 0 and 1 are both pre quantum non quantum safe. So level 1 are those pre quantum algorithms that Apple says are are encrypted by default. The messaging apps they have placed in level one are Line, Viber, WhatsApp and the previous signal, you know, before they added post quantum encryption which we covered a few months ago and the previous imessage before it added, you know, PQ3, which actually it hasn't quite added yet, but it's going to. Now we move into the quantum safe realm for levels 2 and 3. Since signal beat Apple to the quantum safe punch it's sitting all by its lonesome at level two with the sole feature of offering post quantum crypto with end to end encryption by default, presumably as Signals relatively new PQXDH protocol moves into WhatsApp and other messaging platforms based on Signals Open technologies. Those other messaging apps will also inherit level 2 status, lifting them from the lowly levels of 0 and 1. But Apple's new PQ3 iMessaging system adds an additional feature that signal lacks, which is how Apple granted themselves sole dominion over level three. Apple's PQ3 adds ongoing post quantum rekeying to its messaging, which they make a point of noting Signal currently lacks this blog posting was clearly written by the marketing people, so it's freighted with far more self aggrandizing text than would ever be found in a technical cryptographic protocol disclosure, which this is not. But I need to share some of it to set the stage, since what Apple feels is important about PQ3 is its attribute of ongoing re keying. So to that end, Apple reminds us when iMessage launched in 2011, it was first widely available. It was the first widely available messaging app to provide end to end encryption by default. And we've significantly upgraded its cryptography over the years. The most recently strengthened I'm sorry, we most recently strengthened the iMessage cryptographic protocol in 2019 by switching from RSA to elliptic curve cryptography and by protecting encryption keys on device with the secure enclave, making them significantly harder to extract from a device even for the most sophisticated adversaries. That protocol update went even further with an additional layer of defense, a periodic rekey mechanism to provide cryptographic self healing even in the extremely unlikely case that a key ever became compromised. Again, extremely unlikely case that a key ever became compromised, they acknowledge. But now they have re keying. So it's possible each of these advances were formally verified by symbolic evaluation, a best practice that provides strong assurances of the security of cryptographic protocols. And about all that I agree. Okay, so Apple has had on the fly ongoing rekeying in imessage from for some time and it's clear that they're going to be selling this as a differentiator for PQ3 to distance themselves from the competition. After telling us a whole bunch more about how wonderful they are, they get down to explaining their level system and why they believe PQ3 is an important differentiator. Here's what they say and I skipped all the other stuff they said to reason through how various messaging applications mitigate attacks, it's helpful to Place them along a spectrum of security properties. There's no standard comparison to employ for this purpose, so we lay out our own simple coarse grained progression of messaging security levels. We start with classical cryptography and progress through toward quantum security, which addresses current and future threats from quantum computers. Most existing messaging apps fall either into level zero, no end to end encryption by default and no quantum security, or level one with end to end encryption by default, but no quantum security. A few months ago, Signal added support for the PQXDH protocol, becoming the first large scale messaging app to introduce post quantum security in the initial key establishment. This is a welcome and critical step that by our scale elevated signal from low. They didn't say lowly. From level one to level two security. At level two, the application of post quantum cryptography is limited to the initial key establishment providing quantum security only if the conversation key material is never compromised. But today's sophisticated adversaries already have incentives to compromise encryption keys because doing so gives them the ability to decrypt messages protected by those keys for as long as the keys don't change. To best protect end to end encrypted messaging, the post quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single point in time key compromise both now and with future quantum computers. Therefore, we believe messaging protocols should go even further and attain level three security where post quantum cryptography is used to secure both the initial key establishment and the ongoing message exchange with the ability to rapidly and automatically restore the cryptographic security of a conversation, even if a given key becomes compromised. Okay, it would be very interesting to hear Signals rebuttal to this since it's entirely possible that this is mostly irrelevant. Largely irrelevant marketing speak. It's not that it's not true and that continuous key rotation is not useful. We've talked about this in the past. Key rotation gives a cryptographic protocol a highly desirable property known as perfect forward secrecy. Essentially, the keys the parties are using to protect their conversation from prying eyes are ephemeral. A conversation flow is broken up and compartmentalized by the key that's in use at the moment. But the protocol never allows a single key to be used for long. The key is periodically changed. The reason I'd like to hear a rebuttal from Signal is that their protocol signals protocol has always featured perfect forward secrecy. Remember axolotl?

Leo Laporte (63:11)

Yeah. Yes, which is for the same purpose as re keying.

Steve Gibson (63:17)

Yes, it is re keying. Oh, here's what Wikipedia says I'm quoting from Wikipedia. In cryptography, the double Ratchet algorithm, previously referred to as the Axolotl ratchet, is a key management algorithm that was developed by Trevor Perrin and moxie Marlinspike in 2013. Oh huh. It can be used as part of a cryptographic protocol to provide end to end encryption for instant messaging after an initial key exchange. It manages the ongoing renewal and maintenance of short lived session keys. It combines a cryptographic so called ratchet based on the Diffie Hellman key exchange and a ratchet based on a key derivation function such as a hash function and is therefore called a double ratchet. The algorithm provides forward secrecy for messages and implicit renegotiation of forward keys properties for which the protocol is named right in 2013. In other words, it would be nice to hear from signal since Apple appears to be suggesting that they alone are offering the property of perfect forward secrecy for quantum safe messaging when it certainly appears that Signal got there 11 years ago. This is not to say that having this feature in imessage is not a good thing, but appears that Apple may not actually be alone at PQ's level three, much as they would like to be.

Leo Laporte (65:04)

That's what Steve is so good at. Those deep dives. You're just seeing a section of the entire discussion. It was more than half an hour on Apple's PQ3, but that's what we love Steve, right? We get down to the nitty gritty details. Glad you're here. Happy holidays. You're watching Our best of 2024 after.

T-Mobile Ad (65:25)

Investing billions to light up our network, T Mobile is America's largest 5G network. Plus right now you can switch. Keep your phone and we'll pay it off up to $800. See how you can save on every plan versus Verizon and at and t@t.

Pets Best Insurance Ad (65:39)

Mobile.Com KeepAndSwitch up to four lines via virtual prepaid card. Allow 15 days qualifying unlock device credit service ported 90 plus days with device and eligible carrier and timely redemption required Card has no cash access and expires in six months.

Pets Best Insurance Ad (65:53)

The following ad is sponsored by Pets Best Insurance Services. Your pet is your bestie, your therapist, your preferred match. It's easy to love them, even when they sneak your snacks. It's easy to protect them too, with pet insurance coverage from Pets Best because it's all fun and games until they chew on something they shouldn't. With perfect timing, Pets Best helps protect your furry friend and your budget from this imperfect world. Get up to 90% on eligible vet bills for less than a dollar a day. Find your perfect match@petsbest.com pet insurance products offered and administered by Pets Best Insurance Services, LLC or at underwritten by American Pet Insurance Company or Independence American Insurance Company for all terms, visit petsbest.com policy.

Leo Laporte (66:39)

All right, now we get into something that was a huge topic towards the end of the year. Microsoft's Recall. This was Steve's first reaction 50 gigabyte pile of nonsense.

Steve Gibson (66:54)

So since we began the podcast with a general theme of how AI, which is not even close to being intelligent, is being misapplied during these early days, I feel as though a security and privacy focused podcast like this one ought to take note of the new recall feature that will be part of the next generation arm based Windows 11, what's known as Copilot plus laptop PCs. First of all, yes, it does appear that ARM processors have finally come far enough along to be able to carry the weight of Windows on their processors. And while having Windows on ARM will certainly create a new array of challenges, like for example, the lack of specific hardware drivers that only exist for intel kernels in the more self contained applications where drivers are much less used, such as laptops, where power consumption and battery life trumps pretty much any other consideration, it's foreseeable that Windows may finally be able to find a home on ARM today. Laptop and tablet form factor machines containing Qualcomm Snapdragon ARM processors running Windows 11 have been announced and are in some cases available for pre order from Acer, Asus, Dell, hp, Lenovo, Microsoft and Samsung. It's also worth noting that Intel PCs will also be getting copilot plus at some time in the future, but they will need to have a neural processing engine. Answering the question, what makes Copilot Plus PCs unique? Microsoft writes, Copilot Plus PCs are a new class of Windows 11 PCs that are powered by a turbocharged neural processing unit, an npu, a specialized computer chip for AI intensive processes like real time translations and image generation that can perform more than 40 trillion operations per second. So we have tops trillion operations per seconds. So more than 40 tops and later, Microsoft writes. We are partnering with intel and amd to bring copilot plus PC experiences to PCs with their processors in the future. So potentially everybody's going to be able to get this. Okay, so what is Recall? Microsoft explains, they said you can use recall on CoPilot+PCs to find the content you have viewed on your device. Recall is currently in preview status. During this phase we will collect customer feedback, develop more controls for enterprise customers to manage and govern Recall data and improve the overall experience for users on devices that are not powered by a Snapdragon X series processor, installation of a Windows Update will be required to run Recall. Recall is currently optimized for select languages, including English, Simplified Chinese, French, German, Japanese, and Spanish. This means Recall is able to retrieve snapshots from your PC's timeline based on more sophisticated searches in these languages. During the preview phase, we will enhance optimization for additional languages. Recall can also retrieve snapshots from your PC's timeline based on text to text searches in more than 160 languages. Okay. Fortunately, they then ask themselves, how does Recall work? To which they Reply, recall uses CoPilot+PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your PC's hard drive. You can use Recall to locate the content you have viewed on your PC using Search or on a Timeline bar that allows you to scroll through your snapshots. Once you find the snapshot that you were looking for in Recall, it will be analyzed and offer you options to interact with with the content. Recall will also enable you to open the snapshot in the original application in which it was created. Whoa.

Pets Best Insurance Ad (72:06)

Really?

Steve Gibson (72:07)

Okay. And as Recall is refined over time, it will open the actual source document, website, or email in a screenshot, which, okay, is mind boggling. But they said this functionality will be improved during Recall's preview phase. So before they let it loose, they said Copilot plus PC storage size determines the number of snapshots that Recall can take and store. The minimum hard drive space needed to run recall is 250 gig, and 50 gigabytes of space must be available. The default allocation for Recall on a device with 256 gigabytes will be 25 gig, which can store approximately three months of snapshots. You can increase the storage allocation for Recall in your PC settings. Old snapshots will be deleted once you use up your allocated storage, allowing new ones to be stored. Okay, so it's sort of a rolling 90 day window. The most. The most recent 90 days of screen snapshots taken every few seconds. Okay. Then they ask, what privacy controls does Recall offer? They respond, Recall is a key part of what makes Copilot Plus PC special, and Microsoft built privacy into Recall's design from the ground up, which of course we all recognize a standard boilerplate, which we all hope is true. They said. On copilot PCs powered by a Snapdragon X series processor, you will see the Recall Taskbar icon. After you first activate your device, you can use that icon to open Recall's settings and make choices about what snapshots Recall collects and stores on your device. You can limit which snapshots Recall collects. For example, you can select specific apps or websites visited in a supported browser to filter out of your snapshots. In addition, you can pause snapshots on demand from the Recall icon in the system tray, clear some or all snapshots that have been stored, or delete all the snapshots from your device.

Leo Laporte (74:42)

We call that, we call Watch porn button now. So, yeah, press the porn button. Yeah.

Steve Gibson (74:50)

And it occurs to me that I later talk about how snapshots of the Windows based Signal app would be a problem.

Leo Laporte (75:04)

That's in the clear.

Steve Gibson (75:05)

Right, right, right. I mean, it's what the user sees. Maybe this allows you to say, don't take snapshots of that window. And we should also remember that what we see is a graphic user interface. But Windows knows the text behind the actual controls that it's displaying. So it doesn't actually have to be. I mean, I guess it's. Who knows what it's doing in detail. But my point is that while we see graphics, there's actual text which is being mapped into bitmapped fonts, which is then being displayed on the screen. So behind the screens, so to speak, Microsoft actually has the raw text which was used to generate the screen.

Leo Laporte (75:59)

Yeah, that makes sense.

Steve Gibson (76:00)

Okay, so they, they said Recall also does not take snapshots of certain kinds of content, including in private web browsing sessions in Microsoft Edge. And by the way, they only said Edge, but I saw elsewhere that it's any of the browsers that have a well defined private browsing mode. They, they, you know, they do not record that. And they said it also treats material protected under digital rights management. You know, DRM stuff. Similarly, like other Windows apps, such as the snipping tool Recall will not store DRM content. And they said, note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard Internet protocols like cloaking password entry. Okay, so we're rolling toward an entirely new capability for Windows PCs where we'll be able to store data, which I presume is somehow indexed first, then encrypted for storage and later access. And unless otherwise instructed and proscribed, this system is indiscriminately taking snapshots of our PC screen content every few seconds and is, by Microsoft's own admission, potentially capturing and saving for later retrieval financial account numbers, monetary balances, contract language, proprietary corporate memos and communications, and who knows what private things we'd really rather never have recorded, or whatever else the user might assume will never go any further. This is where our much beloved and overworked phrase will what could possibly go wrong comes to mind. Does anyone not imagine for an instant that having searchable access to the previous 90 or more days of a PC's screen might be hugely interesting to all manner of both legal and illegal investigators? Corporate espionage is a very real thing. China is moving their enterprises away from Windows as rapidly as they can. But you have to know that cyber attackers, many of the most skillful and persistent, who seem to be persistently based in China, must be besides themselves with delight over this new prospect that we decadent capitalists in the west are going to start having our PCs recording everything that's displayed on their screens. What a great idea. If history teaches us anything, it's that we still have not figured out how to keep a secret, and especially not Microsoft. So what Microsoft is proposing to plant inside all next generation PCs is tantamount to a 50 gigabyte privacy bomb. Maybe it will never go off, but it will certainly be sitting there trying to. And just ask yourself whether law enforcement and intelligence agencies don't also think this sounds like a terrific idea. Oh, you betcha. With great power comes great responsibility, and here clearly there's much to go wrong. Microsoft understands this perception, and so they ask, how is your data protected when using Recall? They explain Recall snapshots are kept on copilot plus PCs themselves on the local hard disk, and are protected using data encryption on your device. And if you have Windows 11 Pro or an Enterprise Windows 11 SKU BitLocker recall screenshots are only linked to a specific user profile and Recall does not share them with other users, make them available for Microsoft to view or use them for targeting advertisements. Screenshots are only available to the person whose profile was used to sign into the device. If two people share a device with different profiles, they'll not be able to access each other's screenshots. If they use the same profile to sign into the device, then they will share a screenshot history and thus, you know, be able to scroll back to see what the other person has been doing. Otherwise, Recall screenshots are not available to other users or access by other applications or services. Okay, so all that really means there is they've done. The obvious thing right is that they've, you know, they've, they've divided the machine in the same way they do currently now, you know, with things like apps that you install for only one profile. So okay, that's what Microsoft had to say. The guys from Ars Technica watched Microsoft's presentation of this last Monday and gave their write up an impressively factual and neutral headline. They said new Windows AI feature records everything you've done on your PC and then they said Recall uses AI features and I okay to take to, quote, take images of your active screen every few seconds, unquote. So so ours wrote. At a Build conference event on Monday, Microsoft revealed a new AI powered feature called Recall for Copilot Plus PCs that will allow Windows 11 users to search and retrieve their past activities on their PC to make it work. Recall records everything users do on their PC, including activities and apps, communications in live meetings, and websites visited for research. Despite encryption and local storage, the new feature raises privacy concerns for certain Windows users. Microsoft says on its website quote recall uses CoPilot plus PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your on your PC's hard drive, you can Recall to locate the contents you viewed on your PC using search or on a Timeline bar that allows you to scroll through your snapshots, unquote quotes Ars Technica Ars wrote. By performing a recall action, users can access a snapshot from a specific time period, providing context for the event or moment they're searching for. It also allows users to search through teleconference meetings they've participated in and videos watched using an AI powered feature that transcribes and translates speech. At first glance, the Recall feature seems like it may set the stage for potential gross violations of user privacy. Despite reassert reassuring reassurances from Microsoft, that impression persists for second and third glances as well, they said. For example, someone with access to your Windows account could potentially use Recall to see everything you've been doing recently on your PC, which might extend beyond the embarrassing implications of pornography viewing and actually threaten the lives of journalists or perceived enemies of the state. And I'll interject to say, in other words, this puts examining someone's web browser history to shame. How quaint that becomes Ours continues Despite the privacy concerns, Microsoft says that the Recall index remains local and private on device encrypted in a way that is linked to a particular user's account. Microsoft says Recall screenshots are only linked to specific user profile and Recall does not share them with other users, make them available to Microsoft to view anyway, blah blah blah what I just wrote about that. So they said users can pause, stop or delete captured content, and can exclude specific apps or websites. Recall won't take snapshots of in private web browsing sessions in Microsoft Edge or DRM protected content. However, Recall won't actively hide sensitive information like passwords and financial account numbers that appear on screen. Microsoft previously explored a somewhat similar functionality with the Timeline feature in Windows 10, which the company discontinued in 2021, but it didn't take continuous snapshots. Recall also shares some obvious similarities to Rewind, a third party app for Mac we covered in 2022 that logs user activities for later playback, they said. As you might imagine, all this snapshot recording comes at a hardware penalty. To use Recall, users will need to purchase one of the new Copilot Plus PCs powered by Qualcomm Snapdragon X Elite chips, which include the necessary neural processing unit. There are also minimum storage requirements for running Recall. With a minimum of 256 gig of hard drive space and 50 gig of available space, the default allocation for recall on a 256Gig56Gig device is 25Gig, which can store approximately three months of snapshots. Users can adjust the allocation in their PC settings. As far as availability goes, they conclude Microsoft says that Recall is still undergoing testing. Microsoft says on its website Recall is currently in preview status. During this phase, we'll collect customer feedback, develop more controls for enterprise customers to manage and govern Recall data and improve the overall experience for users. Okay, I just should note that the amount of storage Recall uses does scale upward with the size of the system's mass storage, and presumably the duration of the scroll back increases. Similarly, it'll take 25 gigs when 256 is available, 75 gigabytes on a 512 gig drive, and 150 gigabytes from a system with a 1 terabyte drive of primary mass storage. So presumably the more storage the system is able to commandeer, the further it's possible to scroll back through the system's display history. Okay, now while while trying to be objective about this, the first question that leaps into the foreground for me is whether anyone actually needs or wants this. This is a big, you know, I mean, is this a big, previously unappreciated problem that everyone has? Okay, but trying to be objective. First of all, compared to the static contents of a hard drive, Recall would be Objectively, a goldmine of additional new information about the past 90 plus days of someone's life as viewed through their computer activities. And more than ever before, people's entire lives and their private lives are reflected in what's shown on the screens of their computers. Maybe that makes scrolling back through their recorded lives compelling, I don't know. But we know from Microsoft that it will be snapping video conference content on the fly. And as I mentioned, the Windows Signal app that goes to extremes to protect the contents of its chats would presumably be captured. Unless you're able, as I mentioned before, and they sort of suggest you can tell Recall don't record specific applications, so you probably want to turn that off. Or maybe you trust Microsoft and it'll be part of your scroll back. But you know, email screens and nearly everything that happens on a PC would be captured. And of course that's the point, right? But the vast majority of that content will not have been stored on the machine's hard drive ever. Until now. So objectively, the presence of recall clearly introduces a new never before existing liability. And that's what everyone who talks about this sees as a potential for creating havoc where none existed before. So the question, it seems to me, is whether the new value that's created and is returned by recall's scrolling usage history justifies whatever new risk might also be created by its retention of that data. How useful will having all that actually be? I've tried to imagine an instance where I wish I could look back in time at my computer screen. I suppose I don't feel the need since I've never had the option. So if I knew I could scroll my computer screens back in time, I suppose it might be an interesting curiosity, but it really doesn't feel like a feature I've been needing and missing until now. I suppose an analogy would be that the world had no idea what it was missing before the creation of social media. And hasn't that been a big boon to mankind? Now, unfortunately, we seem unable to live without it. Perhaps this will be the same. The bottom line is I think we're just going to need to live with this thing for a while. We're going to need to see whether this is a capability desperately searching for a need, or whether once people get used to having this new thing, they start thinking, how did I ever live without this? However, one thing that is also absolutely objectively true is that everyone will be carrying around a 50 gigabyte privacy bomb that they never had before. Maybe it'll be worth the risk. Only time will tell. Oh and Simon Zarafa posted a tweet from someone who has been poking into Recalls storage. He's detective at Mastodon Social who wrote can confirm that recall data is indeed stored in a SQLite 3 database. The folder it's in is fully accessible only by system and the administrators group. Attempting to access it as a normal user yields the usual you don't currently have permission error. And he said here's how the database is laid out for those curious and he said figured you might appreciate a few screenshots so I put one in the show notes and sure enough it's got a DB browser for SQLite and shows the layout of the table with all of the various components window capture text, index content window capture text index data window text doc size and relations and all kinds of stuff. So anyway, I you know I I guess what this means is that if nothing else, if that data should ever escape from anyone's PC, it will not be difficult for anybody who gets it to open it up and browse around in it because it's just a SQLite 3 database. And Leo, you know, I guess, you know if, if you, if you if search really worked and you were able to search on something that you remember but you didn't write down or didn't record, didn't save, but it was just like right there at your fingertips and bang, it popped up and showed it to you. I guess I could see that that could be compelling.

Leo Laporte (94:09)

We spent a lot more time talking about recall throughout the year and I have a feeling we're not done in 2025. There's going to be a lot more. You're watching the best of 2024 with Steve Gibson's security now. So glad you're here.

T-Mobile Ad (94:23)

After investing billions to light up our network, T Mobile is America's largest 5G network. Plus right now you can switch keep your phone and we'll pay it off up to $800. See how you can save on every plan versus Verizon and at and t@t mobile.com keepandswitch up to four lines via.

Pets Best Insurance Ad (94:43)

Virtual prepaid card will have 15 days qualifying unlock device credit service ported 90 plus days with device and eligible carrier and timely redemption required. Card has no cash access and expires in six months.

Pets Best Insurance Ad (94:52)

The following ad is sponsored by Pets Best Insurance Services. Your pet is your bestie, your therapist your preferred match. It's easy to love them, even when they sneak your snacks. It's easy to protect them too. With pet insurance coverage from Pets Best because it's all fun and games until they chew on something they shouldn't. With perfect timing, Pets Best helps protect your furry friend and your budget from this imperfect world. Get up to 90% on eligible vet bills for less than a dollar a day. Find your Perfect match@petsbest.com Pet insurance products offer Offered and administered by Pets Best Insurance Services, LLC or underwritten by American Pet Insurance Company or Independence American Insurance Company for all terms, visit petsbest.com policy.

Leo Laporte (95:38)

On we go, let's talk about what it was probably. Well, it's hard to pick one of the biggest let's say that security nightmares certainly kept a lot of IT professionals up all weekend.

Steve Gibson (95:52)

So I start this on in the show Notes with a picture from a listener. This shows the blue screens of death at the deserted Delta terminal of the Seattle Tacoma Airport. Yeah, which was taken Friday morning by a listener who's been listening since episode one. And we see three screens. It looks like maybe there's someone back in the distance there, sort of behind one of the screens facing away from us, but otherwise there's nobody in line. There's an empty wheelchair.

Leo Laporte (96:27)

4,000 flights canceled. 4,000 flights canceled. That's my for Delta alone. By the way, Paul Thurat, being a little bit of a pedant, says that's not the blue screen of death, that's a recovery screen. But you know what? It's a blue screen of death.

Steve Gibson (96:47)

Okay, Paul, point taken. So it's fortunate that GRC's incoming email system was already in place and ready for this crowdstrike event. Oh, did I. And I'm going to share some right from the from firsthand accounts from the field because it enabled a number of our listeners to immediately write last week to send some interesting and insightful feedback.

Leo Laporte (97:13)

A lot of our listeners, I sure have very sore feet going from machine.

Steve Gibson (97:16)

To machine all weekend.

Leo Laporte (97:18)

Holy cow.

Steve Gibson (97:20)

In one case, 20,000 workstations. And these people don't hang out on Twitter, so email was the right medium for them. Brian Tillman wrote, I can't wait to hear your comments next week about the current cloud outages happening today. But my wife went to a medical lab this morning for a blood test and was turned away because the facility cannot access its data storage.

Leo Laporte (97:47)

Wow.

Steve Gibson (97:47)

Another listener wrote, Good morning. I'm new to this group, only been. I love this. I'm new to this group, only been listening for the last eight years.

Leo Laporte (97:56)

Oh, newbie, that's right.

Steve Gibson (97:59)

You're gonna have to go back and catch up my friend. He says, I'm sure CrowdStrike will be part of next week's topics. Uh huh, he said. I would love to hear your take on what and how this happened. I'm still up from yesterday fixing our servers and end users computers. I work for a large hospital in Central California and this has just devastated us. We have fixed hundreds of our critical servers by removing the latest file pushed by CrowdStrike and are slowly restoring services back to our end users and community. Thank you for all you do keeping us informed and educated of issues like this. Looking forward to 999 and beyond.

Leo Laporte (98:44)

Oh I like that. Could be our new slogan. 999 and beyond. I like it. That's it.

Steve Gibson (98:52)

Tom Jenkins posted to GRC's news group. CrowdStrike is a zero day defense software so delaying up put the network at risk. I don't know how they managed to release this update with no one testing. It seems obvious at this point. Even casual testing should have shown issues. And of course Tom raises the billion dollar. And I'm not probably exaggerating the billion dollar question. How could this have happened? I will be spending some time on that in a few minutes, but I want to first paint some pictures of what our listeners experienced from firsthand. Tom's posting finished with we had over 100 servers and about 500 workstations offline in this event and recovery was painful. Their fix required the stations to be up. Unfortunately the bad ones were in a boot loop that for recovery required manual entry of individual machine bitlocker keys to apply the fix. And of course that was often a problem because machines that were protected by bitlocker needed to have the recovery keys present in order for them to be for their maintainers to be able to get to the file system even after being booted into safe mode. Because safe mode is not a workaround for BitLocker. Seamus Maranan, who works for a major corporation which he asked me to keep anonymous although I asked for permission. He told me who it is but asked for anonymity. There he said for us the issue started at about 12:45am Eastern Time. We were responding to the issue and let get a load of this response and the way his team operated. So the issue started for him at 12:45am Eastern Time. He said we were responding to the issue by 12:55, 10 minutes later and had confirmed by 1:05am that it was a global level event and communicated that we thought it was related to CrowdStrike. We mobilized our team and had extra resources on site by 1:30am So 25 minutes later, the order of recovery we followed were the servers, production systems, our virtual environment, and finally the individual PCs. In all, there were about 500 individually affected systems across a 1500 acre campus. We were able to get to 95% recovery before our normal office hours started and we were back to normal by 10am okay, now I am quite impressed by the performance of Sheamus's team. To be back up and running by 10am the day of after 500 machines were taken down across a 1500 acre campus taken down in the middle of the night is truly impressive. And I would imagine that whomever his team reports to is likely aware that they had a world class response to a global scale event. Since for example, another of our listeners in Arizona was walking his dog in a mall because it's too hot to walk pets outside during the day in Arizona. He took and sent photos of the sign on Dick's Sporting Goods the following day on Saturday stating that they were closed due to a data outage. So it took, you know, many other companies much longer to recover. A listener named Mark Hull shared this. He said, Steve, thanks for all you do for the security community. I'm a proud spinright owner and have been an IT consultant since the days of DOS 3 and Netware 2. X. Wow. He said, uh huh. Is that. I do a lot of work in enterprise security, have managed CrowdStrike, write code and do lots of work with SCCM. He says Perens, Mississippi, endpoint management as well as custom automation. So I feel I have a good viewpoint on the CrowdStrike disaster. He says CrowdStrike is designed to prevent malware and by doing so provide high availability to all our servers and endpoints. The fact that their software may be responsible for one of the largest global outages is completely unacceptable. As you have said many times, mistakes happen. But this kind of issue represents a global company's complete lack of procedures, policies and design that could easily prevent such a thing from happening. Now of course this is, you know, what, what do they call it something. Quarterbacking.

Leo Laporte (104:10)

Yeah.

Steve Gibson (104:10)

Monday night.

Leo Laporte (104:11)

Yeah, Monday night quarterback.

Steve Gibson (104:12)

Yeah, yeah.

Leo Laporte (104:13)

Okay, 2020 high.

Steve Gibson (104:14)

But yeah. And I do have some explanations for this which we'll get to anyway he said given the crowd strike is continually updated to help defend against and I should just say I know no one's disagreeing with him and you know Congress will be finding out before long, you know, what happened here. But he said given the CrowdStrike is continually updated to help defend against an ever changing list of attacks, the concept of protecting their customers from exactly this type of issue should be core to their design. Working in automation, the rule is that you always have a pilot group to send out software before you send it to everyone, he says. I work with organizations with easily over 100,000 users. If you don't follow these rules, you eventually, eventually live with the impact. In the old days companies would have a testing lab of all kinds of different hardware and OS builds where they could test before sending anything out to production. This would have easily caught the issue, he says. Now it seems that corporations have eliminated this idea since this is not a revenue generating entity, they should research opportunity cost, he says. With the onset of virtualization, I would argue the cost of this approach continues to decrease. And again we're at this point this is speculation because we don't understand how this happened. But he says since it appears this was not being done, another software design approach would be to trickle out the update, then have the code report back metrics from the machines that received the update at some set interval. For instance, every 5, 10, 30 minutes the endpoints could send a few packets with some minor reporting details such as CPU utilization, disk utilization, memory utilization. Then if CrowdStrike pushed an update and the first thousand machines never reported back after five minutes, there would be some automated process to suspend that update and send emails out to the testing team. In the case of endpoints that check back every 10 minutes, you could set a counter and blah blah blah. Anyway, he goes on to explain you know, the sorts of, the sorts of things that make sense for means of preventing this from happening. And yes I agree with him completely from a, from a theoretical standpoint there are all kinds of ways to prevent this. And again as I said we'll wrap up by by looking at some of that in detail. Samuel Gordon Stewart in Canberra, Australia wrote. He said here in Australia it was mid afternoon on a Friday. Most broadcast media suffered major outages limiting their ability to broadcast news or anything else for that matter. Sky News Australia had to resort to taking a feed of Fox News as they couldn't even operate the studio lights. They eventually got back on air with a limited capacity from a small control room in Parliament House. The national government funded broadcaster ABC had to run national news instead of their usual state based news services and couldn't pay any pre play any pre recorded content. So reporters had to read their reports live to camera. A lot of radio stations were still unable to broadcast even Friday night. Supermarkets had their registers go down. One of the big supermarkets near me had half their registers offline. A department Store nearby had only one register. Working train services were halted as the radio systems were all computerized. Airports ground to a halt. Half a dozen banks went offline. Telecommunication companies had outages. Many hospitals reverted to paper forms. A lot of state government systems seem to be affected, but the federal government seem less impacted. And who knows how long it will take for IT departments to be able to physically access PCs which won't boot so they can implement the fix. As you would say, Steve, about allowing a third party unilaterally updating kernel drivers worldwide whenever they want. What could possibly go wrong? After I thanked Samuel for his note, he replied with a bit more writing. In my own workplace, we're offline until Monday. I think we got lucky because our network gateway was the first to take the update and failed before anything else had a chance to receive the update.

Leo Laporte (109:02)

So it took them offline, but fortunately it stopped the update for everybody else. Yeah, that's good.

Steve Gibson (109:10)

Nothing will get fixed until the head office looks at it. But I think they'll be pleasantly surprised that only a couple of devices need fixing and not dozens or more. Not my problem or role these days. Although I did foolishly volunteer to help.

Leo Laporte (109:25)

Good man.

Steve Gibson (109:26)

And I saw the following on my Amazon app. On my iPhone, it said a little. I got a little pop up that said a small number of deliveries may arrive a day later than anticipated due to a third party technology outage.

Leo Laporte (109:43)

Yeah.

Steve Gibson (109:43)

Yep. Meanwhile, in the US almost all airlines were grounded with all their flights canceled. One, however, was apparently flying the friendly skies all by itself.

Leo Laporte (109:57)

Before you repeat this story, it's been debunked.

Steve Gibson (110:00)

I'm not surprised.

Leo Laporte (110:01)

Yeah, it didn't seem possible.

Steve Gibson (110:03)

Yes. Digital Trends reported under the headline A Windows version from 1992 is saving Southwest's butt right now. Anyway.

Leo Laporte (110:15)

Yes, Southwest got saved because they didn't use CrowdStrike is how they got saved. Not because they were using Windows 3.1.

Steve Gibson (110:21)

Exactly. Exactly. There are companies all over the world who. Who are not CrowdStrike users.

Leo Laporte (110:29)

Exactly.

Steve Gibson (110:29)

And it was. Exactly. And so it was only those who had this CS agent sys device driver loading at boot time in their kernel that had this problem. Yep. Yep. So. And, and I. I think that this was made more fun of because in the past, remember that the Southwest Airlines has come under fire for having outdated systems.

Leo Laporte (110:56)

Yes. But not. Not that.

Steve Gibson (110:59)

Yes, they had scheduling systems they hadn't updated for a long time.

Leo Laporte (111:04)

It's an interesting story and somebody on Mastodon kind of went through it and it really is. This happens a lot in journalism nowadays. Somebody tweeted that the Southwest scheduling software looked like it was Windows 95. It wasn't, but looked like that way it got picked up and like Telephone, it got elaborated to the point where Digitrends and a number of other outlets, and including, I might add, myself, reported this story. And then we found out it was, you know, Southwest never confirmed it.

Steve Gibson (111:35)

Yeah, and really, I mean even I'm having problems today on Windows 7 because, you know, increasingly things are saying what are you thinking, Gibson? Like what is wrong with you? So yeah, you have to really, really.

Leo Laporte (111:51)

Work hard to keep everyone up and running, I think.

Steve Gibson (111:54)

Yeah. So I was initially going to share a bunch of tech crunches coverage, but then yesterday Catalyn Simpanu, the editor of the Risky Business newsletter, produced such a perfect summary of this event that only one important point that TechCrunch raised made it later in today's podcast, which I'll get to in a minute. But first, here's Catalan's summary, which was just it's perfect. So he writes around 8.5 million Windows systems went down on Friday in one of the worst IT outages in history. The incident was caused by a faulty configuration Update to the CrowdStrike Falcon security software that caused Windows computers to crash with a blue screen of death. Paul, we realize that's not what it is. Thank you. Since CrowdStrike Falcon is an Enterprise centric EDR, the incident caused crucial IT systems to go down in all the places you don't usually want them to go down. Outages were reported in places like airports, hospitals, banks, energy grids, news organizations, and loads of official government agencies. Planes were grounded across several countries, 9, 11 emergency systems went down, hospitals canceled medical procedures, ATMs went offline, stock trading stopped, buses and trains were delayed, ships got stuck in ports, border and customs checks stopped, Windows based online services went down, he says. For example ICANN, and there's even an unconfirmed report that one nuclear facility was affected. The Mercedes F1 team, where CrowdStrike is a main sponsor, had to deal with the aftermath, hindering engineers from preparing the carts for the upcoming Hungarian gp. Heck, he wrote, even Russia had to deal with some outages. Whoops, I guess they're not quite Windows free yet over there, he says. It was a cluster, you know what on so many levels that it is hard to put into words how much of the world was upended on Friday, with some outages extending into the weekend. Reddit is full of horror stories where admins lost their jobs, faced legal threats, or were forced to sleep at their workplace to help restore networks. There are reports of companies having tens of thousands of systems affected by the update. The recovery steps aren't a walk in the park either. It's not like CrowdStrike or Microsoft could have shipped a new update and fixed things in the span of a few minutes. Instead, users had to boot Windows into safe mode and search and delete a very specific file. The recovery cannot be fully or remotely automated, and an operator must go through the process on each affected system. Microsoft has also released a recovery tool which creates a bootable USB drive that IT admins can use to more quickly recover impacted machines, but an operator still needs to be in front of an affected device. For some super lucky users, the BSOD error corrected itself just by constantly rebooting affected systems. Apparently some systems were able to gain short enough access to networking capabilities to Download the fixed CrowdStrike update file and overwrite the old buggy one. However, this is not the universal recommended fix. There are people reporting that they managed to fix their systems after three reboots, while others needed tens of reboots. It took hours for the debug information to make its way downstream, meaning some of the world's largest companies had to bring their businesses to a halt, losing probably billions in the process. And he said extremely rough estimation, but probably in the correct range, he writes. Unfortunately, the Internet is also full of idiots willing to share their dumb opinions. In the year of the Lord 2024, we had people argue that it's time to ditch security products since they can cause this type of outage. Oh yes, that's the Solution. Eyeroll But CrowdStrike's blunder is not unique or new. For that matter, something similar impacted loads of other vendors before, from Panda Security to Kaspersky and McAfee. Ironically, CrowdStrike's founder and CEO George Kurtz was McAfee's CTO at the time. But don't go spinning conspiracy theories about it. It doesn't actually mean that much, he writes. Stuff like this tends to happen, and quite a lot. As an infosec reporter, I stopped covering these antivirus update blunders after my first or second year because there were so many and the articles were just repetitive. Most impact only a small subset of users, typically on a particular platform or hardware specification. They usually had the same devastating impact, causing BSOD errors and crashing systems because the nature of security software itself, which needs to run inside the operating system kernel so it can tap into everything that happens on a PC. CrowdStrike receipt released an initial postmortem report of the faulty update. On Saturday, it blamed the issue on what the company calls a channel file update, which are special files that update the Falcon endpoint detection and response. That's edr. That's what EDR stands for client with new techniques abused by threat actors. In this case it was channel file two nine one and then he gives us, you know, the, the. The full file name C hyphen00000291 and then something, you know, star.sys that causes the crashes. CrowdStrike says this file is supposed to update the Falcon EDR to detect malware that abuses Windows named pipes to communicate with its command and control server. Such techniques were recently added to several C2 frameworks, tools used by threat actors and penetration testing teams. And CrowdStrike wanted to be on top of the new technique. The company says the Falcon update file unfortunately, yeah, unfortunately triggered a logic error. Since Falcon ran in the Windows kernel, the error brought down the house and caused Windows to crash with a bsod. After that, it was just a house of cards. As the update was delivered to more and more CrowdStrike customers, the dominoes started falling all over the world. Kurtz was the CEO, was adamant on Friday that this was just an error on the company's part and made it explicitly clear that there was no cyber attack against its systems. US government officials also echoed the same thing. For now, CrowdStrike seems to be focused on bringing its customers back online. The incident is likely to have some major repercussions, going beyond the actual technical details and the global outages. What they will be I cannot be sure, he writes, but I smell some politicians waiting to pounce on it with some ideas he has in quotes. Oh great. This might also be the perfect opportunity, a slash excuse for Microsoft to go with Apple's route and kick most security vendors and drivers out of the kernel. But before that, Microsoft might need to convince the EU to dismiss a 2009 agreement first. Per this agreement, Microsoft cannot wall off its OS from third party security tools. The EU and Microsoft reached this arrangement following an anti competitive complaint filed by security software vendors after Microsoft entered the cybersecurity and AV market with Defender, with vendors fearing Microsoft would use its control over Windows to put everyone out of business by neutering their products. Doesn't this sound like, well, oh, sorry, we can't cancel third party cookies because some people are making money with them, right? He writes. After the recent Chinese and Russian hacks of Microsoft cloud infrastructure, we now know very well what happens when Microsoft has a dominant market position, and it's never a good thing. So the existence of this agreement isn't such a bad idea. If Microsoft wants to kick security software out of the kernel, Defender needs to lose it too. Unfortunately, blinding security tools to the kernel now puts everyone in the iOS quandary, where everyone loses visibility into what happens on a system. That's not such a good idea either. So we're back with this argument where we started. In closing, just be aware that threat actors are registering hundreds of CrowdStrike related domains that will most likely be used in spear phishing and malware delivery campaigns. They're so evil, it's honestly one of the best and easiest fishing opportunities we've had in a while. So, as suggested by this week's Picture of the Week, which shows the Windows kernel crash dump resulting from CrowdStrike's detection file update, I will be getting down to the nitty gritty details that underlie exactly what happened, but I want to first finish laying out the entire story. The part of TechCrunch's coverage that I wanted to include was their writing this CrowdStrike, founded in 2011, has quickly grown into a cybersecurity giant. Today, the company provides software and services to 29,000 corporate customers, including around half of Fortune 500 companies for 43 out of 50 US states and eight out of the top 10 tech firms, according to its website. The company's cybersecurity software, Falcon, is used by enterprises to manage security on millions of computers around the world, and now we know exactly how many millions. These businesses include large corporations, hospitals, transportation hubs and government departments. Most consumer devices do not run Falcon and are unaffected by this outage. And here was with that lead up. This was the point. One of the company's biggest recent claims to fame was when it caught a group of Russian government hackers breaking into the Democratic National Committee ahead of the 2016 U.S. presidential election. CrowdStrike is also known for using memorable animal themed names for the hacking groups it tracks based on their nationality, such as Fancy Bear.

Leo Laporte (123:38)

Oh, that's where that could be from.

Steve Gibson (123:40)

Oh, believed to be part of Russia's General Staff Main Intelligence Directorate, or gru Cozy Bear, believed to be part of Russia's Foreign Intelligence Service, or SVR Gothic Panda, believed to be a Chinese government group and Charming Kitten, believed to be an Iranian state backed group. The company even makes action figures to represent these groups, which it sells as swag.

Leo Laporte (124:10)

Oh cool.

Steve Gibson (124:12)

CrowdStrike is so big, it's one of the sponsors of the Mercedes F1 team and this year even aired a Super bowl ad, a first for a cybersecurity company.

Leo Laporte (124:26)

And they were also one of the first cybersecurity companies to advertise on this show. Steve, in fact, we interviewed the CTO some time ago and it's an impressive company, you know. Well, I'm very curious to hear what happened here.

Steve Gibson (124:41)

So, as I have here written, I have not counted the number of times this podcast has mentioned CrowdStrike. It's certainly been so many times that their name will be quite familiar to everyone who's been listening for more than a short while. And not one of those previous mentions was due to some horrible catastrophe they caused. No, as the writer for TechCrunch reminds us, CrowdStrike has been quite instrumental in detecting, tracking and uncovering some of today's most recent and pernicious malware campaigns and the threat actor groups behind them. How are they able to do this? It is entirely due to exactly this same Falcon sensor instrumentation system that's been spread far and wide around the world. It's this sensor network that gives them the visibility into what those 8.5 million machines that had been running it are encountering day to day in the field. And we need that visibility.

Leo Laporte (125:52)

By the way, here's the Aquatic Panda figurine for only $28 on the CrowdStrike swag shop.

Steve Gibson (126:01)

Wow. You've got to be really deep into whatever. Wow.

Leo Laporte (126:08)

Obviously we spent a lot of time talking about this crowd strike incident. In fact, the conversation goes on for another 40 minutes. You can go back in time if you want to episode 984 and watch more. In fact, everything you're seeing here really is a small portion of the larger topics Steve delves into every Tuesday on our network. I hope you're enjoying it and I always encourage you, if you want to know more, to go back to the original episode because usually discussions are very, very elaborate. Happy, Happy Holidays. You're watching Security now. The best of 2024 AT&T customers switching.

T-Mobile Ad (126:47)

To T Mobile has never been easier. We'll pay off your existing phone and give you a new one free. All on America's largest 5G network. Visit t mobile.com CarrierFreedom to switch today.

Pets Best Insurance Ad (126:59)

Pay off up to $650 via virtual prepaid MasterCard in 15 days. Free phone app up to $830 via 24 monthly bill credits plus tax qualifying port in trade and service on go 5G next and credit required. Contact us before canceling entire account to continue bill credits or credit stop and balance and required Finance agreement is due.

Pets Best Insurance Ad (127:13)

The following ad is sponsored by Pets Best Insurance Services. Your pet is your bestie, your therapist your preferred match. It's easy to love them, even when they sneak your snacks. It's easy to protect them, too, with pet insurance coverage from Pets Best, because it's all fun and games until they chew on something they shouldn't. With perfect timing, Pets Best helps protect your furry friend and your budget from this imperfect world. Get up to 90% on eligible vet bills for less than a dollar a day. Find your Perfect match@petsbest.com Pet insurance products offered and administered by Pets Best Insurance Services, LLC are underwritten by American Pet Insurance Company or Independence American Insurance Company. For all terms, visit petsbest.com policy foreign.

Leo Laporte (127:59)

We go with the show into what was something that Steve said would never happen. A 1000th episode.

Steve Gibson (128:09)

I wanted to say, as we conclude this 1000th episode of security now, that providing this weekly podcast with Leo has been, and I'm sure shall continue to be my sincere pleasure. As I've said before, I'm both humbled by and proud of the incredible listenership this podcast has developed over the years. It has been one of the major features of my life. And I'm so glad that you, Leo, thought to ask me 20 years ago whether I might be interested in spending around 20 minutes a week to discuss various topics of Internet security. Just look what happened.

Leo Laporte (128:55)

Oh my goodness.

Steve Gibson (128:56)

So thank you, Leo, for making this possible.

Leo Laporte (128:59)

Thank you, Steve.

Steve Gibson (129:00)

I didn't see where the next thousand will take.

Leo Laporte (129:02)

I just provided you with the platform and you took it from there. It's been really amazing. Our web engineer, Patrick Delahanty, posted some statistics about the show. He said the shortest show we ever did. Do you remember this? We did like an extra thing that was three minutes. I think it was like an update of some kind. I can't remember why, but we had to do an update for some reason. So I guess that will always be the shortest show that there wasn't a whole lot in it. I'm like, I'm trying to scroll back, see if I can find his post. And then he said the longest one we did, I think was close to 3 hours, was 2 hours and 57 minutes.

Steve Gibson (129:45)

Wow. Yeah, I didn't know that we. Actually, I thought that week or two ago was that. That was two and a half hours. And I thought that one was the.

Leo Laporte (129:52)

Well, there's always the outliers. You keep it to two hours. Pretty nice.

Steve Gibson (129:59)

I think that's a target. I think that's A reasonable time. We've got a couple listeners who complain I don't have two hours to spend. It's like, well, okay, so listen to.

Leo Laporte (130:10)

The whole thing then.

Steve Gibson (130:11)

Yeah.

Leo Laporte (130:12)

Nobody's making you. It's not like you have to. My attitude's always been give people usually, you know, you're supposed to give them less than they want in. In. My attitude towards past podcasting is as long as it's longer than your commute, that's. You don't want it to end halfway to work.

Steve Gibson (130:30)

And we know how people feel about those YouTube shorts. We don't want to be.

Leo Laporte (130:34)

There you go. We don't want to be short shorts. No, we are longs. Yeah. I. In the early days of Twit, I tried to keep everything under 70 minutes because people were burning the shows to CDs, and that was the maximum length of a CD, right?

Steve Gibson (130:52)

Yep.

Leo Laporte (130:53)

I don't worry about that anymore. As you probably know, I think we are now, on almost all of our shows, push 2 hours is the shortest that I do. Almost all of them are two and a half to three hours. So you. You actually have the honor of hosting our shirtist show. My shirt. Congratulations.

Steve Gibson (131:15)

And dare I say, most focused.

Leo Laporte (131:18)

Yeah, very focused. And we love that. It is easily the geekiest show we do. And I say that proudly. I think that we, you know, we try to serve a broadish audience because I. I don't want people to say, oh, I don't understand anything he ever talks about. But at the same time, we also want to serve the hardcore person who really gets this and really wants to know deeply what's going on.

Steve Gibson (131:48)

Well. And we do have listeners who write and say, well, I think I understand about 15% of what you guys talk about, but I like it. I don't. I'm not sure what it is, but it, you know, it makes me feel good. And I always get a little something. It's like, okay, great.

Leo Laporte (132:05)

Yeah, that's okay, too. I mean, I've often thought of what we do as aspirational. I was. There's a good documentary about Martha Stewart on Netflix right now. It's actually fascinating. I would watch it even if you're not interested in Martha Stewart, but people said about her and her magazine, nobody can live that way. Nobody can be that perfect. You're setting too high a bar. She says, it's aspirational. Everybody might want beauty in their life and want to be able to have that. Everybody wants to understand what's going on in the world of technology. And if you don't understand at all. You will just keep listening, right?

Steve Gibson (132:40)

Yep.

Leo Laporte (132:41)

Steve, it has been my great honor to know you and work with you for more than 30 years. I can't believe it's been 30 years. It doesn't.

Steve Gibson (132:49)

I know.

Leo Laporte (132:49)

It doesn't feel like at all.

Steve Gibson (132:52)

And that's the good news.

Leo Laporte (132:53)

Yeah.

Steve Gibson (132:53)

Because, you know, we're only at a thousand.

Leo Laporte (132:56)

Yeah, we. Look, we're going to keep doing this as long as we can, but I am so honored and thrilled that you were willing to do this way back then and continue to do it. I know it's a lot of work. Don't. I'm very aware of how much work you put.

Steve Gibson (133:11)

It's a lot of work, but I'm happy to do it. Yeah.

Leo Laporte (133:14)

Here's Patrick Delahanty's note. I found it. The shortest episode of security now was 42 minutes. 4 minutes and 12 seconds. That's this one. Security now 103 SE. Vote for Steve. Do you remember that? That was. You were trying to win the podcast.

Steve Gibson (133:31)

Oh, right, right. The podcast award.

Leo Laporte (133:33)

And I think you did, didn't you?

Steve Gibson (133:34)

We went. We. We won the first several years of podcast awards.

Leo Laporte (133:38)

Yeah. Yeah. Well, and rightly so. And then the. The longest episode, and I have the receipts to prove it. 3:57. But it was a best of, so you don't have to take credit for that.

Steve Gibson (133:51)

Ah, thank goodness. I can't imagine I would have participated in that. Would have been on the floor.

Leo Laporte (133:57)

Yeah. Well, the reason was there were so many good sections. Segments in 2018, we couldn't do less than three hours.

Steve Gibson (134:04)

That's neat.

Leo Laporte (134:05)

Yeah. So that's. That's good. That's fair. I think that's okay. Steve. Thank you from the bottom of my heart for continuing on. I would have been bereft sitting here on this Tuesday afternoon without a Security now. And I know I'm not alone on that. So thank you for all the work. You. So much work every week.

Steve Gibson (134:24)

There's no end in sight. They used to be saying. Our listeners were saying to 999 and beyond. Now I think it's going to be to 1999.

Leo Laporte (134:35)

How about 9999? How long would that take? 200 years.

Steve Gibson (134:40)

Yeah, I'm feeling great. But all. As I said, I do. I do believe in a rational universe.

Leo Laporte (134:50)

Well, but wait. Maybe we're laughing now, but somebody in the future will be listening to AI Steve.

Steve Gibson (134:57)

That's true.

Leo Laporte (134:58)

And episode 10,000.

Steve Gibson (135:00)

I'm sure you could dump all the transcripts into An AI and say, okay, give me the last week's news as Steve would present it.

Leo Laporte (135:11)

Exactly.

Steve Gibson (135:13)

I should note that I already have everything I need with thanks to today's chat GPT4O and it has changed my life for, for the better. I've been using it increasingly as a time saver in sort of in the form of a programming language, super search engine and, and even a syntax checker. I've used it sort of as a crutch when I need to quickly write some throwaway code in a language like PHP where I do not have expertise, but I want to get something done quickly. I just, you know, I'd like, you know, get, solve a quick problem, you know, parse a text file in a certain way into a different format, that sort of thing. In the past, I would take, you know, if it was a somewhat bigger project than that, an hour or two putting queries into Google, following links to Programmer's Corner or Stack Overflow or other similar sites, and I would piece together the language construction that I needed from other similar bits of code that I would find online or if I was unable to find anything useful like, you know, solve the problem, I would then dig deeper in through the languages, actual reference texts to find the usage and the syntax that I needed and then build up from that, you know, because, you know, after you've programmed a bunch of languages, they're all sort of the same largely. I mean, Lisp is a different animal entirely, as is apl, but, but you know, the, the, the procedural languages, it's just a matter of like, okay, what do I use for inequality? What do I use for, you know, how, how exactly are the looping constructs built, that kind of thing, that's no longer what I do because I now have access to a, what I consider a super programming language search engine. Now I ask the experimental coding version of Chat GPT for whatever it is I need. I don't ask it to provide the complete program since that's really not what I want. You know, I love coding in any language because I love puzzles and puzzles are language agnostic, but I do not equally know the details of every other language. There's nothing Chat GPT can tell me about programming assembly language that I have not already known for decades. But if I want to write a quick throwaway utility program like in Visual Basic.net a language that I've spent very little time with and because I like to write an assembly language, you know, but I need to, for example, quickly implement an associative Array, as I did last week, rather than poking around the Internet or scanning through the Visual Basic syntax to find what I'm looking for. I'll now just pose the question to ChatGPT. I'll ask it very specifically and carefully for what I want, and in about two seconds I'll get what I may have previously spent 30 to 60 minutes sussing out online. It has transformed my work path for those sorts of. For that class of problem that I've traditionally had. It's useful whenever I need some details where I do not have expertise is that I think the way I would put it. And I've seen plenty of criticism levied by other programmers of the code Produced by Today's AI. To me it seems misplaced, I.e. their criticism seems misplaced and maybe just a bit nervous and maybe they're also asking the wrong question. I don't ask ChatGPT for a finished product because I know exactly what I want and I'm not even sure I could specify the finished product in words or that that's what it's really good for. So I ask it just for specific bits and pieces and I have to report that the results have been fantastic. I mean it is literally, it's the way I will now. Code languages, I don't know, I think is probably the best way to put it. It's ingested the Internet and you know, obviously we have to use the term it knowing them very advisedly. It doesn't know them, but whatever it is, I am able to like ask it a question and I actually get like really good answers to tight problem domain questions. Okay, but what I want to explore today is what lies beyond what we have today, what the challenges are and what predictions are being made about how and when we may get more, whatever that more is. You know, the there where we want to get is generically known as artificial general intelligence, which is abbreviated AGI. Okay, so let's start by looking at how Wikipedia defines this goal. Wikipedia says artificial general intelligence is a type of artificial intelligence that matches or surpasses human cognitive capabilities across a wide range of cognitive tasks. This contrasts with narrow AI, which is limited to specific tasks. Artificial superintelligence ASI, on the other hand, refers to AGI that greatly exceeds human cognitive capabilities. AGI is considered one of the definitions of strong AI. They say creating AGI is a primary goal of AI research and of companies such as OpenAI and Meta. A 2020 survey identified 72 active AGI research and development projects across 37 countries. The timeline for Achieving AGI remains a subject of ongoing debate among researchers and experts as of 2023. Some argue that it may be possible in years or or decades, others maintain it might take a century or longer, and a minority believe it may never be achieved. Notable AI researcher Geoffrey Hinton has expressed concerns about the rapid progress toward AGI, suggesting it could be achieved sooner than many expect. There's debate on the exact definition of AGI and regarding whether modern large language models LLMs such as GPT4 are early forms of AGI. Contention exists over whether AGI represents an existential risk. Many experts on AI have stated that mitigating the risk of human extinction posed by AGI should be a global priority. Others find the development of AGI to be too remote to present such a risk. AGI is also known as strong AI, full AI, human level AI, or general intelligent action. However, some academic sources reserve the term strong AI for computer programs that experience sentience or consciousness. In contrast, weak AI or narrow AI is able to solve one specific problem but lacks general cognitive abilities. Some academic sources use weak AI as the term to refer more broadly to any programs that neither experience consciousness nor have a mind in the same sense as humans. Related concepts include artificial superintelligence and transformative AI, and artificial superintelligence is a hypothetical type of AGI that is much more generally intelligent than humans. While the notion of transformative AI relates to AI having a large impact on society, thus transforming it. For example, similar to the agricultural or industrial revolutions, a framework for classifying AGI levels was proposed in 2023 with Google DeepMind researchers or by Google DeepMind researchers. They define five levels of AGI emerging, competent, expert, virtuoso, and superhuman. They define, for example, a competent AGI is defined as an AGI that outperforms 50% of skilled adults in a wide range of non physical tasks and a superhuman AGI. In other words, an artificial superintelligence is similarly defined, but with a threshold of 100%. They consider large language models like Chat, GPT, or Lama2 to be instances of the first level emerging AGI. Okay, so we're getting some useful language and terminology for talking about these things. The article that caught my eye last week as we were celebrating the thousandth episode of this podcast was posted on perplexity AI titled Altman predicts AGI by 2025. The perplexity piece turned out not to have much meat, but it did offer the kernel of some interesting thoughts and some additional terminology and talking points, so I still want to share it. Perplexity wrote OpenAI CEO Sam Altman, has stirred the tech community with his prediction that artificial general intelligence AGI could be realized by 2025, a timeline that contrasts sharply with many experts who foresee AGI's arrival much later. Despite skepticism, Altman asserts that OpenAI is on track to achieve this ambitious goal, emphasizing ongoing achievements and substantial funding, while also suggesting that the initial societal impact of AGI might be minimal. In a Y Combinator interview, Altman expressed excitement about the potential developments in AGI for the coming year. However, he also made a surprising claim that the advent of AGI was would have surprisingly little impact on society, at least initially. This statement has sparked debate among AI experts and enthusiasts, given the potentially transformative nature of AGI. And Altman's optimistic timeline stands in stark contrast to many other experts in the field who typically project AGI development to occur much later, around 2050. Despite the skepticism, Altman maintains that OpenAI is actively pursuing this ambitious goal, even suggesting that it might be possible to achieve AGI with current hardware. This confidence, coupled with OpenAI's recent 6.6 billion funding round and its market valuation exceeding 157 billion billion, underscores the company's commitment to pushing the boundaries of AI technology. Achieving Artificial General Intelligence faces several significant technical challenges that extend beyond current AI capabilities. So here we have four bullet points that outline what AGI needs that there's no sign of today. First, common sense reasoning. AGI systems must develop intuitive understanding of the world, including implicit knowledge and unspoken rules to navigate complex social situations and make everyday judgments. Two, context awareness. AGI needs to dynamically adjust behavior and interpretations based on situational factors, environment, and prior experiences. Third, handling uncertainty. AGI must interpret incomplete or ambiguous data, draw inferences from limited information, and make sound decisions in the face of the unknown. And fourth, continual learning. Developing AGI systems that can update their knowledge and capabilities over time without losing previously acquired skills remains a significant challenge. So one thing that occurs to me as I read those four points reasoning, contextual awareness, uncertainty, and learning is that none of the AIs I've ever interacted with has ever asked for any clarification about what I'm asking. That's not something that appears to be wired into the current generation of AI. I'm sure it could be simulated, you know, if it would further raise the stock price of the company doing it. But it wouldn't really matter, right? Because it would be a faked question like that very old Eliza pseudotherapist program from the 70s. You know, you would type into it. I'm feeling sort of cranky today. And it would reply, why do you think you're feeling sort of cranky today? You know, it wasn't really asking a question. It was just programmed to seem like it was, you know, understanding what we were typing in. The point I hope to make is that there's a hollowness to today's AI. You know, it's truly an amazing search engine technology, but it doesn't seem to be much more than that to me. There's no presence or understanding behind its answers. The Perplexity article continues, saying overcoming these hurdles requires advancements in areas such as neural network architectures, reinforcement learning, and transfer learning. Additionally, AGI development demands substantial computational resources and interdisciplinary collaboration among experts in computer science, neuroscience, and cognitive psychology. While some AI leaders like Sam Altman predict AGI by 2025, many experts remain skeptical of such an accelerated timeline. A 2022 survey of 352 AI experts found that the median estimate for AGI development was around 2060, also known as security now episode 2860 90% of the 352 experts surveyed expect to see AGI within 100 years. 90% expect it so not to take longer than 100 years, but the median is is by 2060, so you know, not next year as Sam suggests, they wrote. This more conservative outlet stems from several key challenges. First, the missing ingredient problem. Some researchers argue that current AI systems, while impressive, lack fundamental components necessary for general intelligence. Statistical learning alone may not be sufficient to achieve AGI. Again, the missing ingredient problem. I think that sounds exactly right. Also, training limitations. Creating virtual environments complex enough to train an AGI system to navigate the real world, including human deception, presents significant hurdles. And third, scaling challenges. Despite advancements in large language models, some reports suggest diminishing returns in improvement rates between generations. These factors contribute to a more cautious view among many AI researchers who believe AGI development will likely take decades rather than years to achieve. OpenAI has recently achieved significant milestones in both technological advancement and financial growth. The company successfully closed, and here they're saying again, a massive 6.6 billion funding round valuing at $157 billion. But you know, who cares? That's just, you know, Sam is a good salesman, they said. This round attracted investments from major players like Microsoft, Nvidia and SoftBank, highlighting the tech industry's confidence in OpenAI's potential. The company's flagship product, Chat GPT, has seen exponential growth, now boasting over 250 million weekly active users. And you count me among them, OpenAI has also made substantial inroads into the corporate sector, with 92% of Fortune 500 companies reportedly using its technologies. Despite these successes, OpenAI faces challenges including high operational costs and the need for extensive computing power. The company is projected to incur losses of about $5 billion this year, primarily due to the expenses associated with training and operating its large language models. So when, when I was thinking about this idea of, you know, we're just going to throw all this money at it and, and it's going to solve the problem and, oh, look, you know, the solution is going to be next year, the analogy that hit me was curing cancer, because there sort of is an example of, you know, oh, look, we just, we had a breakthrough and this is going to, you know, cure cancer. It's like, no, we don't really understand enough yet about human biology to, to say that we're going to do that. And, you know, I know that the current administration has been, you know, these cancer moonshots and it's like, okay, have you actually talked to any biologists about this? Or do you just think that you can pour money on it and it's going to do the job? So that's not always the case. So to me, this notion of the missing ingredient is, is the most salient of all of this, is like, what we may have today has become very good at doing what it does, but it may not be extendable. It may never be what we need for AGI. But I think that what I've shared so far gives a bit of calibration about where we are and what the goals of agr, of AGI are.

Leo Laporte (156:20)

That's just the beginning, I think, of Steve's deep dive into AI and artificial general intelligence. He's already pledged to learn more about it and to help us understand AI in the new year. That's one of the things I think Steve does better than anybody else. It's one of the things I'm very proud about our network about Twitter. We cover technology without fear or favor. We try to spread more light than heat. It's not about link bait for us. It's about helping you understand the technology that is coming down the pipe and what you can do with it and what you can do to defend yourself against it. And Steve's one of the best at doing that. We're so glad you were here for our year end episode. Steve will take next week off because it's New Year's Eve and we will get back, reunite, and begin to talking about security once again in 2025 on the following Tuesday every Tuesday 11am I'm sorry at 2pm Pacific 5pm Eastern 2200 UTC. You can watch us live or watch us after the fact at Twitt TV s. And thank you for joining me. Thank you for Steve Gibson. What a blessing he is to all of us and we will see you in 2025. Have a happy holiday and a wonderful, Peaceful and productive 2025. Bye bye.

T-Mobile Ad (157:51)

After investing billions to light up our network, T Mobile is America's largest 5G network. Plus right now you can switch keep your phone and will pay it off up to $800. See how you can save on every plan versus Verizon and AT&T. @t mobile.com KeepAndSwitch up to four lines.

Pets Best Insurance Ad (158:10)

Via virtual prepaid card. Allow 15 days qualifying unlock device credit service ported 90 plus days with device ineligible carrier and timely redemption required. Card has no cash access and expires in six months.