Force-Installed Outlook, DJI Firmware Update
Leo Laporte
It's time for Security Now. Steve Gibson is here with a rundown of the, what is it? 160 critical patches Microsoft shipped last week on Patch Tuesday. Microsoft's also forcing you to take Outlook. GoDaddy is gonna get much more serious about its hosting security. And then get ready, get your propeller hats on because there will be math. We're gonna brute force your one-time password authenticator. Well, at least we'll talk about how hard or easy it would be to do that. It's gonna be a fun episode. Next on Security Now.
Steve Gibson
Podcasts you love.
Leo Laporte
From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1009, recorded Tuesday, January 21, 2025. Attacking TOTP. It's time for Security Now, the show where we talk about security, privacy, protecting yourself and your loved ones on the great big vast Internet with this guy right here, our security in chief.
Steve Gibson
You jumped a little bit when you said we talk about security. I thought, well, you're surprised. No, what is this?
Leo Laporte
The security show.
Steve Gibson
We do like to surprise our listeners every week one way or the other, give them something to think about. And we're going to do that again this week. Today's topic for Security Now number 1009, and yes, that's four digits, is attacking TOTP. We've talked a lot in the past about brute force attacks and we understand the concept of that, but I thought it would be fun. And this was another one of those outgrowths from a listener feedback question where he mentioned that, well, I don't want to step on my eventual explanation of this, but it led from a listener feedback question that we will get to that I think produces a really interesting conversation where we look at not just like, oh, wave our hands over it and say, oh yeah, you just try a lot of things. No, let's really look at what it means to brute force something like the authenticator that we're all using in our lives every day. Is it secure enough? Last week we dug deeply into the protocols, the actual algorithms that this thing is using. So now we have that as a basis. And I thought, okay, this is too good an opportunity to pass up. Let's, let's see what it would take to attack an authenticator. What information do we need from it? How much of that information do we need? And what do we need in terms of processing power and capability? So that's our main topic for the day, but we're gonna look at, of course, last week's, that is, which is to say January's record-breaking zero-day critical Patch Tuesday brought to us by none other than Microsoft. Also, there's something interesting that I thought was like, what? I had to pursue it. Microsoft will be force installing, that's the jargon that everyone is using, force installing a new version, a new and arguably unwanted version of Outlook into every single Windows 10 and Windows 11 desktop, and there's no way to prevent it. Again, we'll dig into that more. GoDaddy is being required to get much more serious about its hosting security. We know they've had some problems there.
We've got more age verification enforcement coming, this time internationally. And what another instance of a widely exposed management interface continues to teach us. Also, DJI Drones' official firmware update lifted its geofencing, now allowing unrestricted flight. Odd timing.
Leo Laporte
Isn't that strange? I thought it was odd.
Steve Gibson
Yeah, really. CISA's efforts pay off with much improved critical infrastructure security. Let's hope everything continues working for them. And also I've got a bunch of listener feedback, a fun piece of errata, something I completely got wrong that several of our listeners said, what? What are you talking about? And then we're gonna take a deep dive into cracking authenticator keys. And of course we have a picture of the week that will not disappoint if you haven't seen it yet. Leo, great to share your reaction, oh, good, with our audience.
Leo Laporte
I like to scroll up live.
Steve Gibson
That's a goodie.
Leo Laporte
Very good. It's gonna be a good show as always. I loved last week. It was really fascinating to hear how they came up with the TOTP protocol in such a weird way.
Steve Gibson
Well, and it's interesting because when we look at the task of accelerating brute forcing of it, you could take the position that that wacky spin makes it more difficult to run a brute force.
Leo Laporte
So maybe that's why they did it.
Steve Gibson
Well, it was in 2005. I don't think they were thinking clearly about anything back then. But you know, maybe we'll give them.
Leo Laporte
The benefit of the doubt.
Steve Gibson
I don't know.
Leo Laporte
All right, well we'll talk about it in just a bit when we get to brute forcing TOTP. That is the main subject, but as you could just hear, there's a lot more in between there and here. Before we get too much farther down the road, I'd love to tell you about our sponsor for this segment on Security Now, Vanta. I really think this is an interesting company. Trust for you as a company isn't just earned, it's demanded by regulations in many countries. So whether you're a startup founder navigating your first audit, or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or, frankly, more complex. That's where Vanta comes in. Businesses use Vanta to establish that trust by automating compliance needs. And they do it over 35 frameworks. I mean, that's, I didn't even know there were that many. That's SOC 2, of course, ISO 27001, but many, many more. Vanta will help you centralize your security workflows, complete those questionnaires up to five times faster, and proactively manage vendor risk. Because at the bottom, that's really what it's all about, isn't it? Vanta can help you start or scale your security program by connecting you with auditors and experts, people with real experience in the field to conduct your audit and set up your security program quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on building your company. Get this over with faster and better with Vanta. Over 9,000 companies, global companies like Atlassian and Quora and Factory, use Vanta to manage risk and prove security in real time. For a limited time, just because you listen to Security Now, you get $1,000 off Vanta, but you have to go to vanta.com/securitynow, V-A-N-T-A dot com slash securitynow. $1,000 off. You know you need it. Why don't you save right now? vanta.com/securitynow. We thank Vanta so much for supporting the good work Steve does here.
And we thank you for supporting it by going to that special address, vanta.com/securitynow, so they know, oh, they were watching Security Now, that's where they found out all about that. All right, Steve, I have not. I have preserved my virginity. I have not looked at. Maybe that's not the way to describe it. I have not looked at the picture of the week, but I am now about to scroll up.
Steve Gibson
I will tell you first that I gave it the caption. So how exactly do you propose we get up there to fix that?
Leo Laporte
Okay, there is a scissor lift involved. Oh, wow. Is that real? Holy moly. So there's a scissor lift, but this is above a swimming pool.
Steve Gibson
Yeah, it looks like an Olympic size big, big swimming pool. And the. Apparently there's something that's gone wrong up in the beams, like in the middle. Well, not in the middle, but like over the water of the pool. So this scissor lift is like it's up like where they'd be standing on the third story if it were.
Leo Laporte
Oh yeah, it's high, you know, so.
Steve Gibson
It's way extended then. But the problem is it's out, this where they need to be is over the water. So. So they found some sort of a float which is a, it's a, you know, large rectangular float. And you know, again, that possibly work. Oh, and you'll see that they've got yellow ties to the four corners of the.
Leo Laporte
So it doesn't float around well, so.
Steve Gibson
That the scissor lift itself doesn't tip over and it doesn't, doesn't roll anywhere. So it's anchored itself to the center of the float and then got pushed out. Now one question I had was like, okay, how do they position themselves? Maybe they did a hand over hand off the top beam in order to.
Leo Laporte
Like they float around.
Steve Gibson
Like float around. Yeah.
Leo Laporte
There are so many questions. So many questions. That's hysterical stuff.
Steve Gibson
Looks legitimate to me. I mean, you know, it's, it's, it, it looks real. Wow. And again, I guess you could do one of those things with a long arm if. And park it off to the side of the pool and have the long arm reach out with a guy in a basket as your alternative. But otherwise. Anyway, regardless, a fun picture of the week. How exactly do you propose we get up there to fix that? Okay, Joe, here's what I suggest.
Leo Laporte
And then of course, Phoenix Warp in our, in our YouTube chat says, I'm not worried about how they got there. How do they get back?
Steve Gibson
Wow. Yeah. Okay, so Patch Tuesday. CrowdStrike's blog was titled "January 2025 Patch Tuesday: 10 critical vulnerabilities and 8 zero-days among 159 CVEs." And we touched on this last week, the fact that this was the highest number of patches that we'd seen from Microsoft in years. Not ever, but quite a while, in other words. Well, which goes to show, as we're always saying, things are not getting any better. Now the article noted that, and it said, quote, this month's leading risk type by exploitation technique is remote code execution, RCEs, with 36% of them being, okay. So more than a third are like the worst problem you can have, remote code execution, followed by elevation of privilege. Well, that's the second worst type you could possibly have because once you get in, you need to be able to get the OS's safeguards out of your way in order to do some real damage, which, you know, standard users are largely prevented from doing, just to protect them from themselves. So they, CrowdStrike, gave us a pie chart which shows around the pie 9% of the problems were security feature bypass. So okay, whatever that is, that's, you know, sort of a generic catch-all. Then 13% denial of service, meaning you crashed something and so its service was thereby denied. Then we get a big light green chunk, that's the 25% which is elevation of privilege. We drop down to 14% for information disclosure. And then the biggest of all at 36% is remote code execution, followed by a little 3% sliver for spoofing. So unfortunately, as we've laid out in the past, of all the vulnerability classes, we know that the two most powerful and desired by the bad guys are remote code execution and elevation of privilege. And of course those were the top two, 36% and 25% respectively. And they don't overlap. Those are, you know, summed. So together that's 61% of all 159 problems were of the most serious kind available.
Elevation of privilege, as I said, allows someone who arranges to get into a system as a regular and somewhat constrained user to bypass the operating system's privilege strictures. And remote code execution can both create that initial entry into the system, that is, enable the way of getting in, and then once your privilege has been elevated, allow the bad guys to run the code of their choice to wreak havoc. Viewed by product, Windows itself received 132 of the patches, and somewhat chillingly, Microsoft's ESU, that's the Extended Security Updates for previous Windows operating systems that no longer receive free patches and must have these fixes for Microsoft's own security flaws purchased, those received 95. And in distant third place was Microsoft Office with a relatively sedate 19 patches. It's interesting that current Windows received 132 patches, whereas older Windows, which Microsoft has stopped fussing with, was down at 95. Which, you know, which Windows would you say is objectively safer to use? It's so easy, you know, to become numb to the idea that these vulnerabilities are being actively exploited. This means that there are, somewhere in the world, serious campaigns that are investing heavily because, you know, these are not easy to find. Other people would have found them, you know, white hat hackers, people getting paid to find problems would have found them. And by the way, these are old. We'll get to that in a second. But so my point is somewhere, I mean, there is like serious industry at work investing in discovering these subtle vulnerabilities and then deploying exploits to take advantage of them in the real world because these are zero-days under active attack. Windows Hyper-V NT Kernel Integration VSP received three patches, all having a severity of important and a CVSS of 7.8. The three are elevation of privilege vulnerabilities allowing an attacker to gain system privileges.
Microsoft has indicated that the weaknesses are due to heap-based buffer overflow, but has not shared any details of the vulnerabilities or how they learned of them, what the source of the disclosure was. Microsoft Office Access received patches for another three, all having the same severity of important and the same CVSS score of 7.8. But all three of these, i.e. Microsoft Access, are remote code execution vulnerabilities exploited by opening specially crafted Microsoft Access documents. Microsoft addressed this attack vector by blocking access to certain types of extensions in addition to patching the vulnerabilities. So here again we have one of those fundamental problems of unneeded features coming back to bite them well into the past. And we'll talk about the past in a second. There were three critical-rated 9.8 problems which, as we know, it's very difficult to get a 10.0. 10.0 is like, we see that very rarely, but 9.8 is regarded as, this is really important, you got to fix it right now because it's going to happen. The first was a critical remote code execution vulnerability affecting Windows Reliable Multicast Transport Driver, RMCAST, and that has a CVSS, as I noted, of 9.8. An unauthenticated attacker, meaning anybody out on the public Internet anywhere, can exploit this vulnerability by sending specially crafted packets to a Windows, I love the name of this, Windows Pragmatic General Multicast, that's the PGM, the Pragmatic General Multicast open socket on a server without any user interaction. However, exploitation is only possible if a program is actively listening on one of these PGM, Pragmatic General Multicast, ports. The vulnerability is not exploitable if PGM is installed or enabled but no programs are listening as receivers. Since PGM does not authenticate requests, it's crucial to protect access to any open ports at the network level, such as with a firewall. Gee, you think?
It's strongly advised to avoid exposing a PGM receiver to the public Internet due to these security risks. So that's a problem. Now I have not dug into this to see how likely it is that a machine might have this port publicly exposed, nor what services might be listening for incoming traffic there, but it's clear from its 9.8 rating, which again, they don't want to give to anything, that it's, you know, and that it's a remote code execution exploit. If those conditions were met, the result would be, shall we say, not good. The second of three critical-rated 9.8 RCEs seems much more worrisome since it affects Windows' old OLE. Remember Object Linking and Embedding technology, which allows embedding and linking to other documents and objects from within documents? That was all the rage back in the early days of Windows. In an email attack scenario, which is why this is raising such concern, an attacker could exploit this vulnerability simply by sending a specially crafted email to their victim. Exploitation of this vulnerability might involve either a victim opening the specially crafted email with an affected version of Microsoft Outlook software, but that's not necessary. The Outlook application's displaying of just the preview of the specially crafted email could allow an attacker to remotely execute their own code on the victim's machine and take it over. So. Yikes. Now, given OLE's age, my guess was that this would have been one of those vulnerabilities that Microsoft would have required payment for fixing on their older yet still vulnerable machines. And indeed they list Windows Server 2008 and 2012 among the vulnerable systems. Since Server 2008 and 2012 are the equivalent of the desktop Windows 7 and Windows 8, I bet that those desktops are vulnerable to this as well. Their workaround advice is to, I love this. Okay, so this is bad. What do we do?
Their advice: only view your email as plain text so that Outlook's HTML viewer will not have the chance to invoke OLE for the display of content, which due to this very old bug in Windows OLE, like again, right, we're talking 2008. So this has been a problem since 2008 and it was recently found that there was a way to leverage this, which to my point is there's an active industry looking at ways to get into people's Windows networks and probably not end users, right? They're sending phishing email into enterprises hoping that somebody will just, Outlook just has to sniff it and it's curtains. But not if you use the plain text viewer. So, and I know this is a hobby horse of mine, but this is why it seems wrong to me that Microsoft wants to sell the patch for this bug. How is it okay that they want to charge us for this? What they want to do instead is to force us to move to a newer operating system which has arbitrarily also decided that it may not support the hardware that we have. And as we just saw, these newer operating systems just had significantly more newly introduced vulnerabilities patched compared to the older operating systems that are being allowed now, finally, to settle down because Microsoft has stopped making them better for us. Anyway, the third critical 9.8 vulnerability is a trivial-to-exploit elevation of privilege in good old NT LAN Manager. That's the v1 version which refuses to die because there are things out there that still need Windows to connect to them. So it's remotely exploitable across the Internet. And its low attack complexity means that attackers need minimal system knowledge and can, and this is Microsoft saying this, can consistently succeed with their payload against a vulnerable component in Windows. To eliminate the danger entirely, don't expose any LAN Manager network ports to the Internet.
And of course I've been saying for many years that there is no safe way to expose any of Microsoft's networking services other than two: their web server and their email server. All of the other services have been found to be vulnerable over and over and over. And if this simply-don't-do-it admonition is not useful for you because your application needs you to do this, it leaves you with no other choice. Otherwise, Microsoft says that the danger can be mitigated by setting Windows LM compatibility level to its maximum value of 5 on all machines. This forcibly disables both the original LANMAN and NT LANMAN version 1, allowing then only the use of NT LANMAN version 2. And of course, as I said, we've talked about how this could be a problem in heterogeneous environments where Windows machines have no choice but to communicate with older legacy equipment that for whatever reason cannot be updated. So many such situations like that exist today in the real world. That's just the way the real world still looks. The simplest possible solution to all these, I want to highlight again because boy do I use it, is to use IP address filtering, simple IP address filtering where only the IP packets of specific remote machines, filtered by their IP addresses, are allowed to see the older and less secure Windows protocols. Yes, this does make the resulting network slightly more brittle, since firewall rules need updating in the event of IP addresses changing. But it is such a simple and bulletproof solution, and many instances exist where someone casually just exposed SMB protocol, Server Message Blocks, the NT LANMAN stuff, to the Internet, relying on username and password authentication, saying well, you know, it's protected, it's not, and they're having connections coming from other fixed locations. If they're fixed, put a filter in front of that LANMAN port so that only those locations can see it. It's just so simple to do. And it is. I mean, it ends the issue. It's, it.
I mean, it's just such a good solution. Okay, before I leave last week's Patch Tuesday topic, I should mention a pair of remaining critical remote code execution vulnerabilities which received CVSS scores of 8.1 despite being remotely exploitable across the Internet. They were spared, you know, that same hair-on-fire 9.8 rating because their attack complexity was high. But the bad news is they both exist in Windows Remote Desktop Gateway. Once again, nothing but web and email. The reason those are secure is they're publicly exposed, meaning they're not supposed to need to authenticate anybody; anybody can access someone's web server by design, and email in order to send them email. But Microsoft just doesn't seem to be able to get authentication right no matter how long, how much time goes by. And boy, we're going to see an example of that in one of our listener feedbacks coming up. Okay, so Remote Desktop Gateway has these two 8.1 CVSSs. So we've seen problems with this before and unfortunately many enterprises believe that they have no choice other than to expose the Remote Desktop Gateway to the public Internet. I would argue that there are always ways around that, but one needs to care enough first to do so. Hopefully our listeners, you know, none of our listeners are any longer affected by this. They've, they've come up with a way of putting something else in front of their enterprise's Windows Remote Desktop Gateway. To exploit these two vulnerabilities, an attacker needs to win, and we've seen this before also, a race condition by precisely timing their actions. You know, that may be difficult, but most such remote desktop gateways sit unattended and unmonitored, meaning that attackers can try and retry without limit until they succeed. The attack involves connecting to a system running the Remote Desktop Gateway role, then triggering the race condition to create a use-after-free scenario.
So memory is being released somewhere, a pointer is still not freed and is pointing to that released memory, which then gets reallocated, giving the attacker a pointer to something that might have some juicy content and gives them the hook. So if successful, Microsoft agrees, the attacker could leverage this to execute arbitrary code on the target system. Given the patches available, it appears that this problem was introduced in the Server 2012 timeframe since Server 2008 is not affected. So 12 years ago now, or 13 now. I certainly understand that, you know, once bitten, large enterprises will understandably be very wary of Windows Update bringing down any of their important applications and infrastructure. It's a devil's bargain. So the best enterprises can do is to give each second Tuesday's updates immediate attention, get the updates deployed as quickly as practical after verifying that installing them on a few sacrificial systems, you know, keeps all the enterprise infrastructure stuff and critical services functioning. So that said, you know, the smarter thing to do, rather than always being reactive to whatever the latest problem is, and as I said, they're not slowing down, they're arguably speeding up, is to really spend some time arranging to not be vulnerable to most of these problems in the first place by placing some other form of additional access control and authentication in front of anything having the need to offer secured public access and exposure. As I said, web and email servers are meant to receive anonymous connections from the public Internet. Pretty much nothing else is. What we keep seeing is that the inbuilt authentication for any other private services is just not trustworthy and cannot be and should not be trusted. Once something other than Windows itself is protecting Windows services, none of this stream of ongoing zero-day, actively-being-exploited-in-the-wild vulnerabilities will be a source of concern.
That's where you want to be. So it's really worth spending some time thinking about how to get yourself into that position.
Leo Laporte
What's your sense? So it seems like, I mean this is a huge number of flaws to patch. I mean it's the largest since 2017, I think they said, which would just, on the surface people would say, oh well, look how insecure Windows is. But maybe it's the case that just Windows is in such widespread use that it's more likely that these are discovered and fixed than on a lesser used operating system. Do you think Windows is inherently less secure than any other operating system? Is this a sign of that? You understand what I'm saying?
Steve Gibson
I am, I do. On Microsoft's side, no other operating system offers the sprawl of features that Windows does. I mean, the reason. Enterprise. No, I mean Microsoft has, I mean no enterprise, no sizable enterprise cannot use Windows.
Leo Laporte
Okay.
Steve Gibson
They, you know, no, you know, there are little artsy ad agencies with Macs, right? That's, you know, but there isn't any enterprise or government agency, anything sprawling because it's the one that they have to use to have the features that they want.
Leo Laporte
But along with the most features come the most bugs, right?
Steve Gibson
Well, yes. And I mean, and it is significant that the older, purchased repairs had fewer flaws fixed than the newer operating systems. I mean, they, as you know, and you know, every week on Windows Weekly, you know, you guys are talking, you and Richard and Paul are talking about all, you know, and we got this update and we got this update and all this is added now and this now goes this way. And I mean, Mary Jo used to be kept busy talking about all of this enterprise crap that they just keep adding. Well, any new code is going to be, is going to have some percentage of flaws. That's what we see. And that's why I said that the older operating systems had fewer things to fix because Microsoft stopped screwing with them.
Leo Laporte
So it isn't necessarily, I mean, it's more insecure because there's more little edges to attack. But it's not that they're writing worse software. It's just the nature of the beast. And we've said this before, the fact that there were, what is it, 163 patches means there's 163 fewer problems the longer it gets patched. The more it gets patched, the better.
Steve Gibson
The only argument to they're not writing worse software is that, was it 10,000 known bugs at release of, what was it, Windows XT or something?
Leo Laporte
A lot of those are cosmetic. And you know, I mean what we care about is security flaws, and 10 critical vulnerabilities and 8 zero-days and 100.
Steve Gibson
Somewhere in the world people are having that, that aren't listening to this podcast and aren't being sufficiently proactive are having their Windows networks penetrated. We keep hearing about. I mean, I don't cover it anymore because it's so boring is all the ransomware attacks every day, but it's gone. It's like, yes, it's still going on and you know, companies are being victimized and, and so.
Leo Laporte
But they don't have a choice. You just said they have to use Windows.
Steve Gibson
They don't have a choice. And that's why I also called it a devil's bargain. It is a devil's bargain. You have to use Windows because only it will do the things you need. But it is a system dragging legacy code forward. I mean, it's still got OLE in it.
Leo Laporte
Object for no fact that old laser Windows 3. And that's another downside is you can't take anything out. Microsoft can't take anything out.
Steve Gibson
It'll break something because somebody's using it. Yeah, it's like IE6. It stayed around because people had, you know, enterprises had written applications that only ran on IE6 and it's like, no, no, no, you can't take it. We'll go out of business.
Leo Laporte
And when Microsoft is contemplated creating a secure Windows that doesn't have win 32 and you know is a lot safer, they back off because nobody wants it. That's not. Nobody wants that. They don't want the more limited Windows. The whole reason they use Windows is because of all the features.
Steve Gibson
Yes. And Intel is a perfect example. Intel learned the lesson a long time ago. Forward compatible or backward compatibility as we move forward, you know, you can still run, and I do, 16-bit code on the spiffiest triple turbocharged gazillion core Xeon double scoop processor, works great, boots DOS.
Leo Laporte
You know, you can't do floating point math, but. Okay. Well, it's an interesting question, right? I mean, I think on the face of it you'd say, well, look at all these flaws. There's, you know, clearly it's a crappy operating system. That's not necessarily the case.
Steve Gibson
No, but the takeaway here is don't trust it and pay attention. You can use it and not trust it. Which means don't put it on the public Internet. Put something in front of it that you have to pre-authenticate to in order to get to it. Use an overlay network, use Zero Trust or something, some other system. Or use, you know, aggressive port filtering so that you're not. So that you know that. So that Russia and China can't just connect to an open port and go, let's see what we can do here.
Leo Laporte
You know, second question, and this is really germane to many of our listeners who are not targets. Do you have to worry about this if you're not a natural target?
Steve Gibson
No, no. You know, nobody has an individual like me. We don't have remote desktop gateway on our systems and we probably don't have remote desktop exposed. And we're sitting behind a NAT router, which is nature's perfect firewall.
Leo Laporte
And I still block IP addresses from Russia and China on my Ubiquiti. And there's also, I mean, I actually run quite a bit of security software. There's times I can't use sites because it's being blocked for some reason. I can't go to Taylor Lorenz's newsletter.
Steve Gibson
Because, and it's annoying that you can't prove a negative. You'll never know what, what attacks you thwarted. But you know, you, you can say, you know, toward the end of your days, well, I've never got hacked.
Leo Laporte
Didn't get bit.
Steve Gibson
Yep.
Leo Laporte
I never have. As far as I know. As far as I know, that's a big one.
Steve Gibson
Yeah.
Leo Laporte
All right. I'm sorry, I didn't mean to interrupt, but I, I, these are, I know, interesting questions.
Steve Gibson
It's good to flesh this out. I mean, and I think you make a very good point. I have said I don't want that job at Microsoft in the same way that I wouldn't want to be in charge of security for Sony Entertainment, I said years and years ago, because it's impossible to secure that.
Leo Laporte
As you have said, the hackers, you only have to make one mistake. They can make as many mistakes as they want. You only have to make one to be compromised.
Steve Gibson
Right, Right. Every single thing that you do has to be secure.
Leo Laporte
Perfect.
Steve Gibson
Because they only need one route. In what a world.
Leo Laporte
It's fascinating.
Steve Gibson
Let's take a break and then we're going to talk about this odd thing Microsoft's decided to do of forcing everyone to get the new version of Outlook.
Leo Laporte
This is the new thing. Did you know that Instagram has made every Instagram user follow JD Vance, the new Viking Vice President? You're automatically following him, in fact.
Steve Gibson
You're not kidding.
Leo Laporte
No. There's this new compulsion thing that's happening that worries me a lot because we forget. But really, these guys who run all of these apps have a lot of control and they can do things that maybe you wouldn't want them to do. I. Anyway, okay. Although I think it's fun to follow JD. He's an interesting fellow. My, my ex texted me. She said I unfollowed him and it got followed again. It's like I. Our show today, brought to you by a company you should be following. You should know about a company I love. Bitwarden. Look, if you listen to the show, you use a password manager, right? If you don't, I have to question your commitment. Like, what are you writing them on? Post-it notes. This is the worst thing that people do. I did it for years. I didn't know any better. Use the same password everywhere, right? Easy to remember that monkey123 works everywhere. No, you need a password manager. Now I'm going to assume that you use one. So if you are using one, that's not Bitwarden. I want to explain to you why you might want to look at Bitwarden, especially for your business. But also remember, Bitwarden is free because it's open source. Free forever. Unlimited passwords, unlimited devices for individuals. And so if you've got family members, and I know you do, who think, oh yeah, my password completely secures my birth date, my dog's name and my mother's maiden name. No one would guess that. If they're doing that, tell them about Bitwarden, the trusted leader. And not just passwords, in secrets and passkey management. All my passkeys are in Bitwarden, which is nice because then I don't have to run and get my phone. It's everywhere I am in today's digital. Now, let's talk about business. Because in today's digital landscape, protecting your organization, if you listen to the show, you know, is more critical than ever. Bitwarden has stepped up to the challenge.
They've got some great features now, brand new, designed to simplify and fortify your business password management strategy. For instance, they've expanded their teams plan with robust, now Steve, it's SCIM, System for Cross-domain Identity Management. I think it's SCIM. It's a way of provisioning your users, which means if you're an MSP and you have many users or any business, you can streamline access control with these. We're just talking about access control. By integrating seamlessly with leading IdPs like Azure Active Directory, Okta, OneLogin, JumpCloud, and on and on and on, Bitwarden delivers enterprise level security capabilities that work for businesses of all sizes. And it's just integrated in, so it makes it very easy for you to implement and use. But that's not all. Bitwarden has also redesigned its password manager browser extension. For those of you who use it, you probably noticed, I think it's beautiful. It creates a more intuitive and efficient password management experience. Also, the new extension features a modern interface, faster navigation, clearer organization, smoother workflows. Give it a try. At first it's like, oh, this is different. But as soon as I kind of got it, man, I love it. Makes it easier for individuals and businesses to manage passwords across platforms. Look, this is what sets Bitwarden apart. It's not just about security, it's about simplicity. Bitwarden's setup takes only a few minutes. It's very easy to move to Bitwarden, to move your entire enterprise. They support importing from most password management solutions and as I say over and over they are GPL open source. That means every bit of their code you can inspect and they are regularly audited by third party experts. And they do something a lot of companies don't do. Not only do they do the audit, they publish the audit results in full. So you can assure yourself it's secure, doing what you expect.
I think your business deserves a cost effective solution for enhanced online security. I hope you do too. Get started today with Bitwarden's free trial of a teams or enterprise plan. And again, if you want to move to Bitwarden or you have family members who are still putting it on Post-it notes, get started for free forever across all devices. If you're an individual user, bitwarden.com/twit. And if you're a sophisticated individual user and you follow Steve's "trust no one," you'll be glad to know Bitwarden lets you host your own vault because it's open source. There's some very good third party open source servers that you can run; there's a very good one written in Rust. It's really good. bitwarden.com/twit, this is the way to go. Absolutely. And we thank them so much for supporting Security Now. You support us too when you go to bitwarden.com/twit. All right Steve, okay, let's see what Microsoft is imposing on us now.
Steve Gibson
Yes, before we leave the topic of Microsoft, I want to give a heads up to our listeners about the forthcoming so called new Outlook for Windows. The first I saw of this was a piece of news that said Microsoft will force install a new Outlook email client on both Windows 10 and Windows 11 on February 11 and January 28 respectively. That news blurb then posted a quote which read, currently there is no way to block the new Outlook from being installed. If you prefer not to have new Outlook show up on your organization's devices, you can remove it after it's installed as part of the update. So I did a bit of poking around and of course that revealed that the sharp folks over at BleepingComputer were on top of this under their similar headline "Microsoft to force install," which I guess is now a term of art, "new Outlook on Windows 10 PCs in February." They wrote, Microsoft will force install the new Outlook email client on Windows 10 systems starting with next month's security update. The announcement was made in a new message added to the company's Microsoft 365 Admin center tagged MC 976059 and it applies to Microsoft 365 Apps users. As Redmond explains, the new Outlook app will be installed on Windows 10 devices for users who deploy the optional January 28 update and force installed for all who install the February 11 security update, meaning next February's Patch Tuesday. The new Outlook client will run alongside the classic Outlook app and will not modify configurations or user defaults. Microsoft added that there's no way to block it from being installed on Windows 10 devices. However, those who don't want it can remove it afterward, although actually it's a little trickier than that because it'll reinstall it. Well, we'll get there in a second. So they said Microsoft wrote, quote, new Outlook exists as an installed app on the device. For instance, it can be found in the Apps section of the Start menu.
It does not replace existing Classic Outlook or change any configuration user defaults. Both Classic Outlook and New Outlook for Windows can run side by side. Currently there's no way to block, this is Microsoft, currently there's no way to block the new Outlook from being installed. If you prefer not to have New Outlook show up on your organization's devices, you can remove it after it's installed as part of the update. Then they said, BleepingComputer said, the company added in a support document updated on Thursday, that is, last Thursday. So BleepingComputer said, to remove the new Outlook app package after it's force installed on your Windows device, you can use the, and then they show a PowerShell cmdlet, the Remove-AppxProvisionedPackage cmdlet with the PackageName parameter value Microsoft.OutlookForWindows. They said this can be done by running the following command from a Windows PowerShell prompt and adding a new reg value. And I've got this in the show notes for anyone who's interested, although you can easily find it from bleepingcomputer.com. Next they said, add a REG_SZ registry setting named BlockedOobeUpdaters with a value of MS_Outlook. Then they said, after removing the Outlook package, Windows Updates will not reinstall the new Outlook client. Otherwise, they would, like every month you'd have to, it would be reinstalling it, they said. The first preview version of the new Outlook for Windows was introduced in May of 2022. The app was generally available for personal accounts in September of 2023 via the September 26 Windows Fall Update in the Microsoft Store on Windows 11, and for commercial customers in August of 2024. Okay, so this doesn't seem to me like the end of the world, but you know, I know our listeners. Some may object to having Microsoft force installing a new and presumably unwanted Outlook client onto their machines. One would argue whether a Windows 10 or 11 machine could be considered theirs, but we'll leave that for another time.
Leo Laporte
Well yeah, and Mail has always been installed automatically, right?
Steve Gibson
Yeah, yeah, that's a good point. You know, so it's sort of there. So this new client is apparently based upon the web version. It's essentially, from what I could gather looking through the Microsoft pages, a port of the web client to a native Windows app. As such, it does not support Outlook's traditional and problematic PST file format, and it also does not support any COM (Component Object Model) integration with Outlook. I also noticed that Microsoft says that unlike traditional Outlook for Windows, the new Outlook offers limited, they, they said limited support for third party email services such as Gmail, Yahoo, and so forth. So if you're, if you've got, you know, your Outlook or an Outlook pulling from multiple other providers, you'll want to, you know, if, if you are wanting to switch to the new one, you'll want to make sure that it can, because Microsoft appears to be moving away from that. Okay, all that said, complete segue here. I want to take this opportunity to mention that I recently switched away from Mozilla's Thunderbird as my email client to something that I am.
Leo Laporte
You weren't using Eudora?
Steve Gibson
No. And, but that's, you know, thank you, Leo. For years and years you did use Eudora. Before being driven to Thunderbird, my original true blue email client had always been Qualcomm's Eudora.
Leo Laporte
I do.
Steve Gibson
In fact, my tech support guy Greg is still using Eudora.
Leo Laporte
Wow.
Steve Gibson
Works fine. Life was good. I didn't care when Qualcomm's support for Eudora ended because Eudora worked for me perfectly. But over time, as other email clients' behavior changed, cracks began forming. Emails started coming in to me with high ASCII or Unicode weirdness, like capital A's with umlauts in them added to space characters, and for about a year.
Leo Laporte
Or so spelled Viagra.
Steve Gibson
Yes. Well, it wasn't me spelling it, it was people sending me email. So for a year or so, you know, I manually edited them out of every reply that I was quoting until, I don't know, a couple years ago, I finally decided to switch to Thunderbird. I tried The Bat! for a while and that never really took hold. But you know, I then used Thunderbird for several years and truth be told, I've never really been happy with it. I'm very finicky about the appearance of my outbound email, you know, the email that I author. And even when I'm quoting somebody and you know, pretty much everything that I produce I care about, our listeners know that well. And Thunderbird's handling of fonts and formatting, the indentation of email threads and the signatures it appends to email never made sense to me. It was trying to handle formatting details, but it made things mysterious and deliberately uneditable. It's like, oh, don't worry about it, we'll take care of this for you. I wasn't allowed to fix these things when they didn't look the way I wanted them to because Thunderbird's formatting was not only erroneous, but it was automatic. You know, it apparently believed that it knew better than I did about how things should be. Maybe for some users who just don't care. Great, take care of this for me. But it bugged me. So finally, about two weeks ago, something drove me to seek another email client. As I mentioned, I already had an old copy of The Bat! around, so I tried to resurrect that, but it didn't seem to be any kind of an improvement. So I went, oh, and I ought to also mention that Thunderbird really started acting up after I added the whole new GRC email system, because incoming email from our listeners has been quite successful. I've never mentioned that. I have, I think, 4,484 pieces of email from our listeners. So that really seemed to, like, Thunderbird kind of got lost somewhere. It would just stop showing me new ones.
I'd have to, like, give it a kick and shut it down and restart it or, you know, shake it three times. I mean it just, it just wasn't working. So anyway, so I went. I spent some time two weeks ago cruising around the various top 10 best email client lineups until I stumbled upon one I had never heard of before, named eM Client, and life is good once more. Ah, it's a little difficult. And it's got. There's one for the Mac, they have.
Leo Laporte
A version Pegasus on Windows which I like.
Steve Gibson
And if you like what you've got, I'm not going to try to convince you otherwise. It's a little difficult for me to explain exactly why; it's a personal thing. Makes a huge difference to me. And yes, it is a personal taste, personal choice thing. But I can say that after setting it up as an IMAP client and allowing it to synchronize with GRC's email server, I almost immediately felt that I had a handle on my email. It found back and forth email from long ago and knitted them into threads. It allows me to mark things with various named and colored tags and to then view all of my emails and tags as folders which are now dynamic. I can see all my inboxes consolidated into a single view. It doesn't do any mysterious, unwanted and wrong things with nesting of replies. And since my needs are not necessarily aligned with everyone else's, I'll briefly share a broader view from Wikipedia. Wikipedia's eM Client page says eM Client has a range of features for handling email, including advanced rules management, mass mail, delayed send, or a built in translator for incoming and outgoing messages. It supports signatures, quick text and tagging and categorization for easy searching; watch for replies and snooze email functions are available as well as direct cloud attachments from cloud services like Dropbox, Google Drive, OneDrive, ownCloud, or Nextcloud. eM Client also provides a lookup service for GnuPG public keys, their eM Keybook, in order to more easily send encrypted communications via email and generally simplify PGP encryption in email communication. eM Client supports all major email platforms including Exchange, Gmail, Google Workspace, Office 365, iCloud, and any POP3, SMTP, IMAP or CalDAV server. Automatic setup works for Gmail, Exchange, Office 365, Outlook, iCloud, or other major email services. Following the shutdown of IncrediMail, an auto import option was added to transfer data from this platform to eM Client.
Since version 8.2, eM Client supports online meetings via Zoom, Microsoft Teams, and Google Meet. eM Client allows extensive appearance customization. eM Client 10, released in 2024, also provides AI features for composing messages and replies, inbox categories and quick actions which allow users to create their own macros. So I need, like, just give me IMAP please. I mean, my need. But I need like four accounts to help me organize things. Okay, so here's my complaint. My only complaint is that the free version will only handle a single email account, and as I said, I need at least four. And that would be okay if I could purchase a paid version once, but it's rentalware. Yeah, it's a subscription, only available for $40 per year. I rent no other software of any kind and that's something I actively fight against. So this is the first time I have ever capitulated. But come on, at $3.33 per month, it's not expensive, allowing installation on three machines. The experience of using this client continues to impress me, and if paying something is what's required to keep this stunning creation alive and maintained, then I'd rather do that than not have any access to it at all. I didn't realize really how unhappy I had been with Thunderbird until I began using eM Client. It's just, it's like a continuous happy breeze that washes over me whenever I look at it. Mobile editions are available at no charge and I can't vouch for anything about it other than their Windows edition, which is all I've used. But as I said, macOS, iOS and Android are all there. They claim to be in use in over 100,000 businesses and have 2.5 million users.
Leo Laporte
Oh, it has PGP built in.
Steve Gibson
Yes, it has PGP built in, and GnuPG key management is also built in.
Leo Laporte
Oh, I'm down now. I'm interested.
Steve Gibson
Yeah, yeah. So for anyone who might be seeking a similar improvement to a major aspect of their lives, eM Client is available for download. You can get it feature complete for 30 days in trial mode. I've been tweaking it here and there, like removing displayed columns that I don't need, and I could not be happier. Oh, it's also possible to export all of the tweaks and preference settings you make into an XML file and then import them into another instance of eM Client on a different machine so that you're able to keep cloning all of the improvements that you make as you tune and tweak it. Along the way, I've been moving back and forth among machines, so I've been able to, as I said, keep the instances looking and operating the same. Anyway, so I just wanted to pass this along in case any of our listeners might be wishing for something better. This could be it. It's, you know, www.emclient.com, and it's not. I can't give you a comprehensive review because I'm, you know, I haven't done all these other things with it. But my sense is, you know, as you said at the beginning, Leo, everyone's needs and tastes are so different that, you know, no one else's opinion would or should matter, you know, other than as a pointer. So I'm just giving everybody a pointer. As I said, I just, you need multiple IMAP accounts, and some, and like, and a consolidated inbox is nice, to be able to tag things for follow up and then be able to look at them all as if they were a folder. That's cool. It threads beautifully.
Leo Laporte
Anyway, does it show your GRC Ruby logo?
Steve Gibson
It does, but I might be getting it from a favicon because it beautifully pulls favicons from everybody.
Leo Laporte
Yeah, I noticed that's what it's using. Yeah, I just installed it. Very easy, very straightforward. I will play with it. Yeah, yeah, it's very interesting. Yeah, so.
Steve Gibson
Anyway, I don't know why but it just, and it could be subtle things like just the way it sorts or filters or something but I'm really happy so I just wanted to share my happiness.
Leo Laporte
It has to fit your kind of gestalt.
Steve Gibson
Yeah, yeah, yeah, yeah it does.
Leo Laporte
Interesting.
Steve Gibson
A listener who is apparently listening or maybe he just read the show notes. He said, hi Steve, I've been using eM Client for 2 years now on the home PC and have been happy with it. Back then I bought a license with only a one time upfront cost. Oh, had I, I think they.
Leo Laporte
No, I think they still do. Maybe not. No, somebody in the. No, they don't offer.
Steve Gibson
He said I added lifetime upgrades to that for another one time fee. So boy had I known I, I would have done that. He says, I see that the company charges monthly, yearly now, but they still have a lifetime upgrade purchase option as well.
Leo Laporte
Lifetime upgrades. I see it right here for eM Client.
Steve Gibson
He says I bet you can pay once and have the software from now on. It doesn't make sense for them to charge $90.
Leo Laporte
What?
Steve Gibson
Well so they're, that, I mean that's interesting. And I wonder how many systems you're limited to if you, if that's all of your personally owned systems. Because based on what I've seen, again Leo, I am, I've just, I have a philosophical problem with, with, you know, I understand this whole mode of, of renting software, you know, paying by the month or by the year; it just annoys me. I just want to own it so that it's mine.
Leo Laporte
Yeah, yeah, I know what you feel but I think these days developers are saying look, we're going to keep developing it, we're going to keep working on it.
Steve Gibson
That one, yes, exactly. And as I said, so first of all, thank you, whoever you are. He signed "AC" so I don't know, but, but you know, thanks for that. I'm glad to know that. I will, I will look into that because I, I mean I'm so happy with this thing. I would, I would do that if it would solve my problems.
Leo Laporte
Good.
Steve Gibson
Thank you for the recommendation, Leo. It's, it's, yeah, and, but, but, but, but to the point of paying. If that's what it takes to create a revenue stream to keep it like compatible with everything and up to date and so forth, then it's like okay, yeah, I guess though I would, I, I would prefer the old school option of here's the next version where you know, you, you bought 10, here's what 11 does, right? Do you want these things?
Leo Laporte
Right.
Steve Gibson
And so it's up to them to entice me to move forward.
Leo Laporte
A lot of people do that. I prefer that as well offer the yearly upgrades or whatever. Yeah, yeah.
Steve Gibson
And you know me, I like to offer them every two decades. So wait, no wait, wait. I made it free, didn't I? After 20 years quite work out either.
Leo Laporte
You're crazy. You're crazy man.
Steve Gibson
Okay, we're at an hour, let's take another break and we're going to talk about GoDaddy and then move forward.
Leo Laporte
I want to talk about one of my favorite sponsors because we were talking about Zero Trust and this is a company that makes Zero Trust very affordable, very easy to implement. I'm talking about ThreatLocker. It is a way to harden your security and never have to worry about zero-day exploits or supply chain attacks again. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. And I think that's a little, they're doing a little side eye to those companies using that other security software. The airline that was brought down for a week. JetBlue didn't have those problems because they used ThreatLocker. How does it work? Well, imagine taking a proactive, and these are the three keywords, deny by default, deny by default approach to cybersecurity. That means by default you block every action, every process, every user unless explicitly authorized by your team. That's basically the premise of zero trust. Just because somebody's in the network doesn't mean you should trust them. ThreatLocker not only makes this easy to do, they also are great for compliance because they provide a, and security, they provide a full audit of every action. So that helps you with risk management, you know, because you know who was using what when. It also helps you with compliance. You've got that audit trail. Their 24/7 US based support team is fantastic. They will help you get on board and beyond. They have made, I think this is the company that has made Zero Trust easy for everyone. You could stop the exploitation of trusted applications within your organization. Keep your business secure, protected from ransomware. Organizations in any industry of any size, because it's very affordable, can benefit from ThreatLocker's ringfencing. Because you're isolating critical and trusted applications from unintended uses or weaponization. You're limiting attackers' lateral movement within the network.
Just because they're in doesn't mean they can do anything. Oh, and ThreatLocker works for Macs too. So your whole network gets unprecedented visibility and control of your cybersecurity quickly, easily, cost effectively with ThreatLocker's zero trust endpoint protection platform. You want to know more? How about a 30 day trial? You'll see how easy it is to onboard. 30 days free. See how ThreatLocker can help mitigate unknown threats. Zero days. Stuff you never even heard about. Ensure compliance at the same time. threatlocker.com, that's threatlocker.com. By the way, we're getting close to Zero Trust World, their big conference. For a limited time, if you go to zerotrustworld.threatlocker.com, use our code. It's ZTW for Zero Trust World. ZTWTWIT25. 200 bucks off registration for Zero Trust World 2025. By the way, you get access to everything, all sessions, hands on hacking labs. It even includes meals and an after party. It is a great event. I wish I could go. We're tied up and I really want to go. Jonathan Bennett from the Untitled Linux Show is going, the most interactive hands on cybersecurity learning event of the year, coming up February 19th through the 21st. Bring the family because it's at the Caribe Royale in Orlando, Florida, so they can go out, have a great time in Orlando while you're learning the latest in security. And if you do register, do us a favor, say, do yourself a favor, you're gonna save 200 bucks. But also it helps us because they'll know you saw it here. Use the code ZTWTWIT25. ThreatLocker: security starts and finishes at the endpoint, and there's no better way to do it than Zero Trust. threatlocker.com, and if you want to know more about ZT World, Zero Trust World, go to zerotrustworld.threatlocker.com, and that special code again, ZTW for Zero Trust World, TWIT25, all one word. Thank you ThreatLocker for a great product and we're helping our fam here stay safe. God knows we need the help. On we go with the show, Mr. G.
Steve Gibson
So we've previously covered the various security troubles with GoDaddy's web hosting services. The sense I've had is that adding web hosting was an afterthought behind their domain name services and that that's what got them into trouble, because we haven't seen problems with the mainstream domain host or the domain name services. It's been, well, you know, we got to add this feature because, you know, other registrars are offering hosting. The news is that the US Federal Trade Commission has decided to require GoDaddy to clean up its act. Last Wednesday, the FTC announced that GoDaddy will be required to bolster its cybersecurity program to address years long deficiencies. The FTC stated that GoDaddy's failure to use industry standard security measures led to what the FTC called several major security breaches, and we covered those at the time, between 2019 and 2022. The agency also alleges that GoDaddy deceived its customers about how adequately it safeguards its web hosting product. The agency said that consumers were sent to malicious websites and otherwise harmed after hackers broke into GoDaddy's customers' websites and accessed their data. The extensive information security measures which the FTC is requiring GoDaddy to adopt are similar to the reforms the agency also ordered Marriott to implement after that hotel chain, and we talked about that, famously failed to improve its cybersecurity posture despite being breached three times between 2014 and 2020. In a statement explaining why the FTC had acted, Samuel Levine, director of the FTC's Bureau of Consumer Protection, said millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure their websites and that they and their customers rely on GoDaddy, which has about 5 million hosting clients.
Wow. Failed to track and manage software updates, analyze threats to its shared hosting services, properly log and continuously assess cybersecurity incidents, and silo its shared hosting from more insecure platforms, they said. GoDaddy also falsely advertised that it prioritized a strong security program and complied with international frameworks requiring companies to take reasonable measures to protect personal data. Consequently, the proposed settlement orders, the settlement order bars GoDaddy from exaggerating its security practices, orders it to design a comprehensive, whatever that means, information security program, and directs it to retain an outside company to assess its enhanced cybersecurity program when it launches and every two years thereafter. So okay, it's interesting that the reporting about this referred to the infamous Marriott Hotels. Remember the Starwood, that Starwood Group breach incident? What we recall from that is that Marriott acquired the independent Starwood Group, whose network security was a lackluster afterthought, if you can call it that. You know, like, like way out of date. They didn't bother to update and there were, like, known, well known problems. But Marriott, the acquirer, never took the time to thoroughly vet what they were purchasing, and that lack of oversight over their purchase came back to bite them. Now GoDaddy's past is similar inasmuch as it has grown into the behemoth it is today, it's the number one registrar, through a long series of mergers and acquisitions, buying up and consolidating independent Internet registrars. And I recall also that their web hosting business was the result of one or more similar acquisitions. So much like Marriott, they purchased something that needed work and were then bitten when their name became tied to that new acquisition's poor security.
I'm sure there's a lesson here for any large organization that purchases, you know, any other high tech entity and just sort of decides they want to bring it under their wing and, you know, probably promises like, oh, don't worry, we're going to allow you to maintain your autonomy. We're not going to get all in there and micromanage you, okay? But the purchase negotiation should include a very thorough and deep independent third party review of that soon to be acquired company's security practices. For one thing, the enforcement of true security can be expensive, right? I mean, it's one of the reasons it's not done. Not only is it annoying, but it costs something. That means that an entity's true bottom line profit may be inflated due to a lack of sufficient security. It's making lots of money because it's, you know, it's, you know, hoping nothing bad happens. Since any missing security practices would need to be added afterward, a better purchase price might be negotiated once its lack of security had become apparent. And in any event, the buyer will have a better idea about the potential liability that might come along as part of the package if they don't do something about that beforehand. So again, consider the security, you enterprise people out there, of anything that you might be acquiring and hope, you know, that you could just leave alone. They probably want to be left alone, but you need to decide if you could afford to do that. I saw a news item that indicated that the U.S. Supreme Court appeared to be poised to support the enforcement of age restriction for adult content websites. The determination being made was whether more than one third of the site's content contained adult oriented material. That would be the determination of, is this an adult content website? And if so, any such websites would be forced to affirmatively verify any visitor's age before they would be able to view that site's content. And you know, how do we get there from here?
It's not clear. We don't have a widespread system in place that prioritizes privacy. And what occurs to me is, especially for those adults who want privacy about the sites they visit, being forced to disclose their identity, that's sort of, that's gonna be a problem for them. Anyway, since we just discussed this issue last week, I decided that it was worth mentioning again because I ran across some other news from across the pond about what's to transpire in the United Kingdom, and since the verification of age is, is, I think, clearly a sticky wicket here, I decided to share the news from the UK. The security site The Record reported the following last Thursday. They said the United Kingdom's communications regulator Ofcom, that we've oft spoken of, announced on Thursday that online pornography sites must by July, so we've got six months, verify that all of their users are adults or potentially face being blocked by the country's Internet service providers. James Baker of the Open Rights civil liberties group, who's, you know, going to be taking a counter position, expressed concerns that, quote, the rollout of age verification is likely to create new cybersecurity risks in the form of additional scam porn sites that will trick visitors into handing over personal data to, quote, verify their age, unquote, which hadn't occurred to me either. The Record said Ofcom has set out a range of methods that it considers highly effective for checking users' ages, including photo ID matching and checks on credit cards, which you must be 18 to own in Britain. Other age checking methods could be acceptable, said Ofcom, but they must, quote, be technically accurate, robust, reliable and fair in order to be considered highly effective per the definition in the legislation.
Specifically, the regulator has stated that the self declaration of age and online payments using a debit card, which do not require a person to be 18, would not be considered effective and could leave those sites open to enforcement action. James Baker said some of the verification methods that Ofcom has defined as highly effective could put people at risk of new cybercrimes, citing research published with the Electronic Frontier Foundation. The age verification measures are part of Britain's controversial Online Safety Act, which passed back in 2023 and aims to enforce technology companies to address a range of online harms. Businesses that fail to comply could face a range of enforcement actions, from being fined up to 18 million pounds, which is currently 22.3 million US dollars, or 10% of their global revenue, having their websites blocked by British ISPs or even facing criminal prosecution. For their part, Ofcom's chief executive Melanie Dawes said, quote, for too long, many online services which allow porn and other harmful material have ignored the fact that children are accessing their services. Either they don't ask or when they do, the checks are minimal and easy to avoid. Yeah, like I talked about last week, the "yes, I'm 18" button. She said that means companies have effectively been treating all users as if they're adults, leaving children potentially exposed to pornography and other types of harmful content. She said as age checks start to roll out in the coming months, adults will start to notice a difference in how they access certain online services. Services which host their own pornography must start to introduce age checks immediately, while other user to user services, including social media, which allow pornography and certain other types of content harmful to children, will have to follow suit by July at the latest.
Baker, again of the Open Rights Group, said there needs to be a specific and enforceable guarantee that age verification systems will be private, safe and secure. The new plan misses this vital step, so places people at risk of data leaks and having their sexual interests exposed to blackmailers and scammers. Wow. So I would say it's very safe to conclude that the handwriting is on the wall here. You know, like it or not, both the US and the UK are going to be seeing some sort of true age verification, more than just pressing the button that claims your age, which I guess has just been there to technically let the sites off the hook, saying, well, this visitor said they were 18, so it's on them, not on us. And it's worth noting that whereas it's very difficult for any regulator to ascertain the effective network security of any given organization, it could hardly be any easier for regulators to determine for themselves whether a given website is effectively verifying the ages of its visitors. Just go there from any anonymous IP and see what happens. So I don't know, Leo, you know, will it be a third party entity that produces an age verification service? Will Apple and Google get in? It's just not clear.
Leo Laporte
Yeah, there are AI based kind of face recognition technologies. Paris wrote a story on the information about Yoti Y O T I but what you really don't want is for me to have to offer my driver's license to the porn site or go into a. This is something Britain proposed a few years ago. Going to a pub to verify my age by showing my driver's license and getting a certificate from the pub. I don't, it's, it's a huge privacy concern. I think probably the best way to do it would be a third party. If you could trust the third party, maybe a pub isn't such a bad idea. Or a government office where they, they see it, they look at it, they sign a paper that says, yes, you're over 16, you're over 18 and leave it at that. And then all, by the way, unaddressed by any of these regulations.
Steve Gibson
Right. All they're saying is we want, you must do this. And yeah, I saw something that was interesting and the idea would be that, that a phone or a computer would have a verified age and identity with photos of you. And you would be required in real time to do essentially a selfie for that app so that it would be seeing your animated real time photo, be able to compare it to the photos it has on record of you internally and say, yes, that's you. So and then, and then itself have an API that a site could verify in order to say, you know, I mean, and that's the thing, the kind of thing that Apple could offer if they were willing to get into this game.
Leo Laporte
This is what both Meta and Google and everybody have said is that, you know, Meta says we don't want to do this. X says we don't want to do this. The phone should do it because the phone has enough information. You can, I mean, in many states, I can do, in California, put your driver's license into your phone and use that for age identity without really revealing any other information. So they're saying Apple should be responsible for this. Apple, on the other hand, does not want to be responsible. And I don't blame them. This isn't their problem.
Steve Gibson
No, and of course it does. Then it means that anybody who doesn't have the requisite phone.
Leo Laporte
Right, that's a problem.
Steve Gibson
Disadvantaged, even though they may otherwise qualify. I mean, this is a real mess. You know, I started out talking about how the cyber world is fundamentally different from the real world. That, you know, when, if you were 10 and tried to walk into a strip club, you know, you're.
Leo Laporte
Yeah, the real world, the bouncer is going to say, get out of here.
Steve Gibson
Exactly. But on the Internet now, no one knows how old you are. I mean, it's a fundamental difference. And we've been ignoring it up until now. Literally. We have been completely just saying, oh well, you know, somebody else's problem.
Leo Laporte
I think you could make the case that the people who are proposing this really don't want it to work. They want porn to be banned. That's their real goal. And so in that case, you know, it's kind of disingenuous of themselves and.
Steve Gibson
We have real first amendment problems. Well, that's, they can't do that.
Leo Laporte
So they have to do this kind of backdoor system. I don't, you know, it's, it's gonna be an interesting few years. But again, as I said, heard that. As I said, I think that hackers are gonna be the freedom fighters and that the people who know how to get around these things, how to use the Internet without giving up your privacy, are going to be the ones who come out on top. So start studying.
Steve Gibson
If I were in high school, Leo, I could make some money on the side. I tell you, it's like that first scene in the Matrix where, where, where Neo is selling some contraband digital thing, right? You know, or Mr.
Leo Laporte
Robot. Those people are. Those are the ones. And you could be that one. If you're listening to the show, you have the knowledge to become that person. Start thinking about your opsec and can start considering these companies and the federal government as perhaps an adversary and think of ways you can keep them out of your cheese. That's kind of what I think. But, you know, I'm old, I don't need to worry about it. So I'm going to leave that for you young. You young folks.
Steve Gibson
Yeah, any AI that takes a look at us, Leo's going to go, whoa, I'm sending every.
Leo Laporte
Is there a heartbeat in the house? Every word in the house, every. This show everything to an unknown AI. I don't even know what it is or where the server is.
Steve Gibson
Yeah, we know you gave up a lot.
Leo Laporte
I give up. And there's benefits, by the way, to that as well. Until they come knocking on your door.
Steve Gibson
Blood pressure goes down, it's like.
Leo Laporte
And say, Mr. Laporte, come with us. Oh, and then my blood pressure might go back up.
Steve Gibson
Okay, so, reinforcing the point I made about never relying upon any single manufacturer's public facing remote access authentication, the security of the Fortinet security appliance, a major mainstream device, has once again been found wanting. In a posting on the Arctic Wolf security firm's website titled "Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls", they listed four key takeaways. First, Arctic Wolf observed a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public Internet. Everyone heard that, right? With management interfaces exposed to the public Internet, what could possibly go wrong? Number two, the campaign involved unauthorized administrative logons. Imagine that, on management interfaces, imagine that, of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes. Third, while the initial access vector is not definitively confirmed, a zero day vulnerability is highly probable. And I should note, since they posted this, it has been confirmed. And fourth, organizations should urgently disable firewall management access on public interfaces as soon as possible. Once again, that final point. Organizations should urgently disable firewall management access on public interfaces as soon as possible. Organizations should never have had it turned on in the first place. Again, you cannot count on any single vendor's authentication layer for your security. Put a layer in front of anything that requires authentication. Always. I forgot to mention that this is so serious that CISA and multiple cybersecurity firms warned of a zero day vulnerability in FortiGate firewalls that hackers are actively exploiting.
CISA ordered all federal civilian agencies to patch the vulnerability by today, January 21, making it one of the shortest deadlines CISA had ever issued, and Fortinet said in an advisory that the bug is being exploited in the wild, but did not say how many customers had been impacted. The company said threat actors attacking organizations with the vulnerability are creating administrative privileged accounts on targeted devices and changing settings related to firewall policies. In other words, reading between the lines, we know that they're creating accounts and enabling SSL VPN so that they can then march right back in and get onto the internal firewall or the internal network behind the firewall. So patching as soon as possible is the responsibility of the owner of the device. But again, this was being exploited before any problem was known and before any patches were available. Secure remote access to a device such as this is entirely possible, but it should never rely solely upon the manufacturer's account logon protections. Always add your own independent layer of authentication. And that seems to be the unintended theme of today's podcast, because we're seeing so many instances where people are being hurt by not doing that. So do it. Okay, so what's up with DJI lifting firmware-enforced drone geofencing? I posed the introduction of this next surprising bit of news as a question, so I'll follow up with, and is it really? But like, it is. So why? I was put onto this by a short one liner in the Risky Business newsletter which said simply, DJI gives the middle finger to US. Facing an impending ban in the U.S., Chinese drone maker DJI has removed firmware restrictions preventing its drones from entering no fly zones. So I thought, whoa, if true, I didn't see that coming. And there's no way to smoke that.
And that's no way to smoke the peace pipe with authorities in the US. The Risky Business News then provided a screenshot of a posting by Matthew Stoller on Bluesky Social which read, Matt posted, Chinese drone maker DJI, the world's biggest drone producer, is disabling geofencing in the US. You can now fly your drone over airports, military bases, prisons, infrastructure, wildfires and the White House if you want. This is a gloves off move by China. He finished and then provided a link to the Viewpoints blog at DJI. Okay, so Viewpoints bills itself as the official DJI blog and it's at dji.com. I've got a link in the show notes for anyone who's interested. So last week's DJI blog, this was early in the week, is titled "DJI Updates GEO", that's all caps GEO, "System in US Consumer and Enterprise Drones", and the posting says the update follows changes in Europe in 2024 and aligns with FAA Remote ID objectives. DJI has announced updates to its geofencing system, GEO, which applies to most of its consumer and enterprise drone products in the United States. These changes will take effect starting from January 13th on both the DJI Fly and DJI Pilot flight apps. This update follows similar changes implemented in the European Union last year. With this update, DJI Fly and Pilot flight app operators will see prior DJI geofencing data sets replaced to display official FAA data. Areas previously defined as restricted zones, also known as no fly zones, will be displayed as enhanced warning zones, aligning with the FAA's designated areas. In these zones, in-app alerts will notify operators flying near FAA designated controlled airspace, placing control in the hands of the drone operators in line with regulatory principles of the operator bearing final responsibility. Okay, so you know, they're saying the same thing, but in a kind of, in a gentler way.
They said to update, operators need to connect their flight app to the Internet and click "Update" on the Fly Safe pop-up notification. When DJI, and this is them, what they're saying, when DJI first introduced the GEO system in 2013, so 12 years ago, consumer drones were still a relatively novel technology and formal drone flight rules and regulations were sparse. The GEO fencing system was created as a voluntary built in safety feature to help foster responsible flight practices and prevent DJI drone operators from unintentionally flying into restricted airspace such as around government buildings, airports or prisons. For many years, DJI has led the drone industry in safety, making several unprecedented commitments, which apparently they're backing off, to integrating advanced safety systems into its drones, including: first to install altitude limits and GPS based geofencing to guide drone pilots away from unsafe locations; first to deploy autonomous return to home technology if drones lose connection to their controllers or have critically low batteries; first to integrate sensors for nearby obstacles and approaching aircraft; first to operate remote identification technology to help authorities identify and monitor airborne drones. Since then, they wrote, global regulations and user awareness have evolved significantly with a greater focus on GEO awareness and Remote ID solutions, which makes detection and enforcement much easier. National aviation authorities, including the European Aviation Safety Authority in the EU, the UK Civil Aviation Authority and the FAA in the US, have established comprehensive geographical zones for unmanned aircraft systems and enforce drone regulations. This GEO update has been active in the UK and several EU countries since January 2024.
Okay, so over the past year, starting with European countries that have implemented geographical maps compliant with existing technical standards, such as Belgium, Germany and France, in June it expanded to Estonia, Finland and Luxembourg. The remaining EU countries under EASA jurisdiction will also receive the update this month. DJI reminds pilots to always ensure flights are conducted safely and in accordance with all local laws and regulations. For flights conducted in enhanced warning zones, the new term drone operators must obtain airspace authorization directly from the FAA and consult the FAA's no drone zone resource for further information. Okay, now while this posting from early last week is far less inflammatory than the middle finger reference I first encountered, you know, it does say the same thing, which is it's going to be the responsibility of the drone operators, not the firmware and the technology to enforce this so called, you know, enhanced warning zones. So in other words, operators will be notified, but the updated firmware will no longer prevent a DJI drone from flying right into and across what was previously designated as a no fly zone. Okay, apparently variations of this middle finger reference were widely picked up and circulated, and this prompted DJI to release a second blog posting later last week on Thursday the 2nd. The blog posting was titled DJI's Geosystem is an Education, not Enforcement Tool. It attempted to clarify DJI's position and I guess mollify the critics, it said. Earlier this week we announced an update to the DJI geofencing system, geo, in which prior DJI geofencing data sets in most of our consumer enterprise drone products in the United States will be replaced with official FAA data. We first introduced the Geo system in 2013 at a time when consumer drones were still and they repeat that paragraph in the first posting, they said. 
However, some concerning reactions circulating online are either categorically false or seek to politicize this update. Given the current geopolitical climate, in the first "Get the Facts" article of the year, we want to take this opportunity to dispute the information and set the record straight. Okay. Fact one, they say: politics does not drive safety decisions at DJI. For over a decade, DJI has led the drone industry in safety, making several unprecedented commitments and investments to integrate advanced safety systems into our drones, often ahead of regulatory requirements and without being prompted by competitors. To suggest that this update is linked to the current political environment in the US is not only false, but also dangerous. Politicizing safety serves no one. We encourage discussions and comments to remain focused on technological facts and evidence. To understand the true reasons behind this update, read on. Fact 2: Aviation regulators around the world, including the FAA, have advanced the principle of operator responsibility. This GEO update aligns with and respects this principle. Similar updates to the GEO system began in the EU last year with no evidence of increased risk. We had planned to roll this update in the US months ago, but delayed the implementation to ensure the update worked properly. To add, over a decade has passed since DJI introduced the GEO system and regulators have not chosen to mandate geofencing, instead opting for solutions like Remote ID, which requires drones to broadcast the equivalent of a license plate, LAANC automated drone flight approvals in controlled airspace near airports, and community based training. Fact 3: The GEO system has always been an educational, not an enforcement tool. The GEO system has also, sorry, the GEO system has also not been removed. Okay, well, warning zones and in-app alerts remain in place, so continue educating pilots on safe flight operations.
In other words, it's making them aware, but it's their choice. This change gives back control. They write to operators and provides them the information they need to fly safely. DJI remains committed to promoting safe and responsible flight practices and will continue its community education efforts, reminding pilots to always ensure their flights are conducted safely and in accordance with all local laws and regulations. And finally, fact four in addition to aligning with the FAA's operator responsibility led principles, the update to enhanced warning zones provides two operator benefits. First, reduced operational delays for pilots. The previous no fly zones often placed an unnecessary burden on operators. While a user could receive instantaneous approval through LAANC to fly, they were still required to submit an application to DJI and wait for manual review and an unlocking license. In other words, it was enforced. This process could result in missed opportunities, delayed operations or unnecessary wait times. This was especially challenging for commercial operators, drone businesses and most critically, public safety agencies performing life saving work where delays are simply unacceptable. And second, improved consistency with official FAA data. Previously, the Global Geofencing system relied on ICAO Annex 14 configurations for airspace around airports which did not always align with official FAA data. This mismatch caused confusion among operators unsure about where it was safe to fly. By displaying official FAA data, this update ensures operators can view airspace as FAA intends, clearly understanding where they can and cannot fly, or I should say should or should not fly. And they finished. We hope this explanation clarifies the real reasons behind the updates to the geo system. 
An opportunity to align with regulatory principles, empower customers with greater control and provide them with accurate official information to confidently operate their drones within safe and permitted airspace. And I guess to me an interesting aspect is that they've deliberately taken themselves out of the loop and removed responsibility for creating exceptions to their policies, which is interesting, especially given who knows what's going to happen with them and in the US and legislation. So. But you know, when all is said and done, it's clear that their firmware will no longer be taking responsibility for flatly refusing to allow someone to fly somewhere that it believes they shouldn't. And given the concerns and accusations that have been levied at DJI over the possible use of their, you know, high quality camera equipped drones for unwanted surveillance, it's not a stretch to imagine the conspiracy theories that this would have triggered. And given the United States' current political climate with China, which is certainly a thing, I have no idea what's really going on here. You know, if nothing else, it would appear to be an inopportune time for DJI to remove its historically firmware enforced no fly system, which would seem like a good thing for them to have if they're saying, you know, we don't, we have no intention of allowing our drones to be misused for eavesdropping anyway. But I thought it was interesting and I wanted our listeners to know that this had happened.
Leo Laporte
Yeah, it's very strange. It's like if you want to get banned faster, do that.
Steve Gibson
Exactly. Allow your drones to fly over prisons and military bases and well, Super Bowls coming up.
Leo Laporte
And remember, I mean, in the fires in LA that a drone punched a hole in one of the.
Steve Gibson
There were only two, they called them super scoopers, which scoop up water. One was grounded because a drone punched a three by six hole in, in the leading edge of its wing.
Leo Laporte
And dollars to donuts, it was a DJI. I mean, that's what everybody.
Steve Gibson
I saw the FBI photo of the debris. It says DJI on the, on the, on a chunk of gray plastic.
Leo Laporte
Irresponsible to turn off the geofencing. You know, I have a DJI. I love my DJI.
Steve Gibson
It's the best drone. That's what everybody uses. That is, you know, is a Professional photographer.
Leo Laporte
I mean, I guess we should trust everybody that they're not going to do bad things.
Steve Gibson
And Leo, have you noticed how movies now have their shots all the time? All the time. It's really nice to be able to offer that.
Leo Laporte
Much smoother than a helicopter shot. They replaced.
Steve Gibson
They basically replaced the helicopters and much lower cost for movie producers.
Leo Laporte
Getting all sorts of interesting shots everywhere now. Yeah. And I immediately go, Lisa and I are watching. I go, drone, drone.
Steve Gibson
I say the same thing to Lori while we're watching a movie. It's like, oh, we wouldn't have that were it not for inexpensive drones.
Leo Laporte
Yeah, yeah. Not just movies, TV shows everywhere.
Steve Gibson
Okay, we're at an hour 40, so a break time. Then we're going to look at CISA's huge improvement in vulnerability, the huge improvement that CISA has driven in vulnerability risk mediation. It's an astonishing graph we have here. Love it in the show notes.
Leo Laporte
All right, I will queue it up, but meanwhile, I want to talk to you about our sponsor, Veeam. I think everybody running a business should know about Veeam. I would hope by now we've been talking about them for some time. You know about Veeam. Your data in your business is everything, right? Without your data, your customers' trust turns to digital dust. That's why you need to get data resilient with Veeam's data protection. And get this, very important, two words you're going to want: ransomware recovery. It ensures that you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. I don't, I. It baffles me because, you know, and I've even asked this on the show, Steve, with. You hear about all these breaches and people paying millions of dollars to bad guys cuz their stuff got ransomware. And I just. The first thing I always say is, didn't they have backups? I mean, it's not as easy as just, you know, you and I backing up to a thumb drive, but. Well, if they had Veeam, they wouldn't have to worry. As the number one global market leader in data resilience, that's the term you need to know, Veeam. I mean, this should tell you something. Veeam is trusted by over 77% of the Fortune 500. More than three quarters of the Fortune 500 keep their businesses running when digital disruptions like ransomware strike. That's because Veeam lets you back up and recover data instantly. And it does it across the entire cloud ecosystem. And that's one of the problems. Your data's in a lot of places. Right? But Veeam, you know, Veeam knows, Veeam handles it. Plus with Veeam you might not even get bit in the first place because it proactively detects malicious activity and it does something that even if you didn't have Veeam you should be doing. But I bet you're not. Automates your recovery plans and policies. You have a recovery plan and policy, right? Right.
I think, I don't know, I think a lot of companies, it's just like it's not going to happen to us. It's not going to happen to us. It's not going to happen to us. No, you got a plan. Plus if you do get bit, you'll get real time support from ransomware recovery experts. Look, you know this data is the lifeblood of your business, and not just data. But reputationally, getting hit by ransomware is bad. So get data resilient with Veeam. Go to veeam.com to learn more. V E E A M dot com to learn more. It seems like this should be just like obvious, like a no brainer. Veeam, three quarters of the Fortune 500, that should tell you something. Veeam.com. Thank you, Veeam, for supporting Security Now. And if they ask, I don't know if they will, but if they say, where'd you hear this? You tell them Security Now. Right? All right. Okay, Steve.
Steve Gibson
So in its recently published Cybersecurity Performance Goals Adoption Report, and I'm sure that's got an abbreviation, CISA said that the number of critical infrastructure organizations enrolled in its vulnerability scanning service, remember we talked about that, they were going to be doing proactive vulnerability scanning from the Internet to detect problems early, doubled over a two year period, reaching now 7,791 organizations. At the end of August of 2024, CISA added 1,200 vulnerabilities to its Known Exploited Vulnerabilities catalog through the same period. And during the two year period of analysis, critical infrastructure organizations enrolled in CISA's vulnerability scanning service reduced their average remediation times from 60 days to 30 days. So cut it in half and cut a month off of what it had been. I have a chart in the show notes showing the average remediation time over the past two years from 2022, the middle of 2022 to the middle of 2024. And it's very clear. It shows federal, international, private and SLTT showing a clear downward trend in remediation times. And of course that's good, right? Oh, yeah, yeah, yeah.
Leo Laporte
Okay. Yeah.
Steve Gibson
So that's, yeah, faster remediation. Yeah, it looks like it's almost like a third of what it was before overall. So followers of this podcast know firsthand that this is not a simple feat to pull off. It's especially true for any sort of large and lumbering bureaucratic organization that is, you know, bringing your remediation time down like that. But this is truly looking like a significant change in the security posture and active vulnerability reduction, which we know that we need. You know, we talk about, you know, the work that CISA is doing more and more frequently because they're doing so many things surprisingly right. They really are having a huge effect on by raising the awareness of cybersecurity as a crucial consideration for any and every organization. I would say, Leo, over the past, I don't know, five years or so, we've really seen like the notion of cybersecurity, you know, get on the map. Ransomware certainly helped, you know, seeing, you know, the true effect of that being a victim created. Nobody wants that for their organization. But, you know, it really, it's clearly happened now. So anyway, we've come a long way certainly during the 20 years of this podcast.
Leo Laporte
Now you deserve some credit. I think you've been fighting the good fight every week.
Steve Gibson
Well, you know, just looking, taking a clear, sober look at the news, you know, we end up coming up with a bunch of conclusions that history keeps affirming for us. A bit of closing the loop. Listener Earl Rod, he said, other stats on six digit numbers that I feel feed our psychological tendency to see patterns where there are none. He said, remembering that only 151,200 of the million have all six digits unique. Okay, so, okay, so you know, we got a million potential, obviously, you know, 000000 to 999999. So a million potential six digit numbers. Of those, only 151,000 and a few more have all six digits unique. 157,600 have at least three of the same digit. That's more than have six unique digits, meaning it is more common to have three of the same digit occurring out of only six. There's only six. So there are more instances of three repeating, of a digit repeated three times, than all of them being unique. So that's significant. 395,200 out of the million have four or fewer unique digits and 409,510 have at least two consecutive digits the same. So you know, not so 0.4, right? 40%, actually 41% have at least two consecutive digits the same. So I think really there just aren't that many possibilities in a six digit number. And also in thinking about this again, we've talked about that famous birthday paradox a lot, right? Given randomly distributed birthdays occurring throughout the year of 365 days, we are surprised by how small a group of people is needed to get a better than 50% chance of there being any two people having the same birthday. A birthday collision. When you think about it, the same thing is happening with our six digit authenticator codes. Here we have six digits and only 10 possibilities for each one of those six digit places. I think that the same sort of counterintuitive experience occurs where the likelihood of inter digit collisions is actually much higher than our intuition would predict.
You know, as with the surprising birthday paradox, every digit has a collision possibility with every other one and there aren't that many possibilities for each digit. I received a great piece of feedback from someone who's in the field trying to do the right thing. This is important because Microsoft, as I said earlier, for all practical purposes, owns the enterprise world. This listener's feedback contains a bunch of Microsoft jargon that will mean something to our enterprise listeners. For everyone else, these details are not important because everyone will be able to understand the fundamental dilemma that our enterprises face. So he said, hi Steve, I would like to remain anonymous. I'm 24 years old and I've been a listener since around episode 900. I work as an IT Systems Admin for a local government in North Carolina. One of my responsibilities is managing security for our city's police department. We are required to comply with the FBI's CJIS, that's Criminal Justice Information Services, Security Policy, which is updated regularly. I've included a link to the policy below. It's 451 pages long and all law enforcement agencies must adhere to it and pass periodic audits. Okay, so to interrupt here for a second, all that sounds like the right thing so far. This clearly sets a high bar that's onerous to meet. But we know from everything we've seen that unless this level of specification and its enforcement by audit are applied, you know, the "everything appears to be working, so let's not break it" rule will be taken by default. Everyone has too much work to do and no one wants to go looking for trouble. And while first achieving compliance might well be a heavy lift, once things have been tightened up to meet the audited requirements, remaining compliant should only require a much more modest effort going forward. Okay. Anyway, our listener continues. He says one requirement in the policy, found on page 97, requirement number 20, is especially challenging.
Surprisingly, that is: "All secrets must be hashed and salted." Huh.
Leo Laporte
That's nice to hear. That's good.
Steve Gibson
But Leo, that it's challenging.
Leo Laporte
Yeah.
Steve Gibson
Well, okay. He says now, you know, we might wonder why that would be challenging, right? After all, hashing, and this is to your point, Leo, hashing and salting stored secrets such as passwords has been standard operating procedure for a very long time. I didn't find the earliest reference to salting hashes in our transcripts. That is, there are many of them. That's the problem. I had more than 10 pages of search results for, well, "salt." So I'm assuming we're not talking about recipes. I found a reference from 2012 where you and I were talking about it as if it was something that everyone knew. Right. So 12 years ago. Yeah, of course, salt. And I imagine we were talking about it from the start. But I was curious, for the sake of this discussion, how old the idea of salting a hash for storing secrets was. So I asked the o1-mini model of ChatGPT the following question.
Leo Laporte
You're finding a lot of use in these.
Steve Gibson
I love this thing. Yes, there are some things it's very good at. I asked it, what's the earliest appearance of the recommendation that stored passwords should both be hashed and salted for secure storage? And I received the following reply. The recommendation to store passwords using both hashing and salting has its roots in the late 1970s, primarily driven by the practical implementations in early operating systems and evolving security best practices. This thing's amazing. It wrote, Unix Version 7, 1979. One of the earliest and most influential implementations of salted password hashing was introduced with Unix Version 7 in 1979. This version of Unix featured the crypt function, which incorporated a 12 bit salt alongside the hashing process.
Leo Laporte
Before you go too much farther, do you want to quickly tell us what salting and hashing is?
Steve Gibson
Oh, okay.
Leo Laporte
Can you do it quickly?
Steve Gibson
Yeah, yeah. Okay. The idea is that we would always use a standard hash function like SHA-1, which we were talking about with the time based one time passwords. And so the idea is, rather than just saving a password, a service would hash the password so that if their database was breached, the passwords themselves in the clear, like the thing that the user provided, would not be stolen. All that any bad guy could get would be the hash. The problem is that a bad guy could then run through a bunch of common passwords, hash them in order to determine their hashes, and then look for any matches of the hashes with the stored password. So the idea was to add what was technically termed salt. That's like sprinkling some salt on it. The idea is you would take another value, and it doesn't even matter, and actually it would be non-encrypted. I was going to say it doesn't matter if it's not a secret. But the idea is you would add the salt to the user's password so that the hash would no longer directly represent what the user password was, in order to break simple hash matching problems. And that's why even here in Unix Version 7, 12 bits, which is 4096 possible combinations, 12 bits is enough. It doesn't need to be cryptographically strong salt. It's something thrown in to further scramble the hash, because you're always using the same hash function, you know, a well known hash function. So that's the idea. And in fact, in ChatGPT's response, it gave me a purpose for salting, which I skipped here in the show notes. I just wrote down, skipping over o1's completely correct explanation of the purpose of salting. It then added, under evolution in security practices, it said, following the implementation in Unix, the practice of salting hashed passwords became a cornerstone in password security.
Early 1980s security literature and guidelines began to formally recommend the use of salts in conjunction with hashing to protect stored passwords. And in subsequent decades, again, decades, as computing power increased and new attack vectors emerged, the methods for hashing, e.g., transitioning from DES based hashing to more secure algorithms like bcrypt, scrypt and Argon2, and salting became more sophisticated, further strengthening password storage mechanisms. And then it ended with, key takeaway: while the precise first recommendation in academic or security policy literature might be harder to pinpoint, the practical implementation of hashing with salting in Unix Version 7 in 1979 marks the earliest prominent appearance of this security practice. This implementation set a standard that has been built upon and refined in subsequent years to enhance the security of stored passwords. Okay, I could not have phrased any of that any better.
Leo Laporte
Thank you.
Steve Gibson
And now we have a marker.
Leo Laporte
Yeah.
Steve Gibson
This brings us back to our listener, who quoted page 97 of the security requirements his IT systems were required to offer. Quote, all secrets must be hashed and salted, unquote, which he said was especially challenging. He continued, quote, this is our listener, quote, like many small to medium sized cities, we operate on a tight budget and are often behind on adopting the latest technologies. We still rely on Active Directory, which syncs with Microsoft Entra, formerly Azure AD, via Microsoft Entra Connect for managing Office 365 products and Exchange Online. However, he wrote, Active Directory does not salt user password hashes.
Leo Laporte
Jeez. By the way, this is not computationally difficult. It is well known; there's no reason not to do that.
Steve Gibson
There is none, Leo. It's just obscene at this point. He says, however, Active Directory does not salt user password hashes, and it seems Microsoft has no plans to implement this feature. And he's correct.
Leo Laporte
Wow.
Steve Gibson
Active Directory is still using older LAN Manager or NT LAN Manager user passwords, which have never incorporated salt, even though Unix had it in 1979. As we know, both of these technologies, NT LAN Manager and LAN Manager, are horrifically old and insecure, yet they are still in use. So what are people supposed to do? Our listener continues, writing: from my research, Microsoft's suggested solution is to migrate entirely to the cloud. No kidding. With Entra ID, Azure AD, eliminating the need for on premise domain controllers and moving all authentication to the cloud. Here's where we run into two major issues, he writes. Limited features in GCC. GCC is the abbreviation for Government Community Compliance, which is one of the packages that Microsoft offers to governments. He says, we're on the GCC tenant of Microsoft 365, which lacks many features available to regular enterprise customers. I recall you mentioning the federal government's frustration with Microsoft. Local governments face similar challenges. Information about feature differences between Enterprise, GCC and GCC High is not easily accessible, especially from Microsoft. We tested a full migration to Entra ID with Intune for device management, but Intune in GCC is noticeably less functional than in the enterprise environment. Many settings and options are grayed out, often with messages indicating that our tenant didn't contain the correct license. And there are the high costs. He says, fully migrating to the cloud is expensive, with steep annual fees.
Leo Laporte
It will require us... Microsoft is not updating SMB. They want you to go to Azure.
Steve Gibson
Yeah, he says it would require us to upgrade every user's license from Office 365 to Microsoft 365. Given the lack of features in GCC, it's hard to justify the additional cost. So my question is, for IT environments that still rely on on premise Active Directory, what solutions are available to salt password hashes in Active Directory? Thanks for your insight, and I appreciate all the work you do.
Leo Laporte
Great question.
Steve Gibson
Unfortunately, this is where the expression caught between a rock and a hard place comes in. I'm not an expert on Microsoft's enterprise offerings, for which I will be eternally grateful, but I poked around, and nowhere could I find any solution for specifically adding salt to Active Directory passwords. There are all manner of enhanced security and authentication features, such as Kerberos, but even there, Kerberos authentication uses the unsalted password stored by Active Directory. So on principled grounds, I so strongly dislike the idea of these blanket security requirements driving organizations into Microsoft's cloud services, where they will be even more at Microsoft's mercy than they are today and then have even less recourse when Microsoft raises their rental rates. The only thing I can suggest is that an appeal be made proactively to the auditor that, you know, they're beholden to, to explain the situation and ask what solutions other government organizations may have found. Has this single requirement driven everyone else into the cloud? Or is there a wink and a nod that allows this one requirement to be quietly ignored? Because I see no way around it. There is no way to add this to Active Directory. Microsoft has moved on. They've moved to the cloud. And if you're, you know, holding on to actually owning your own hardware and keeping your costs low and leaving things as they are, well, you're going to need an exception, because your passwords, believe it or not, have never been salted.
Leo Laporte
I will ask Richard tomorrow because he knows a lot about this stuff. He might, yeah, might have an idea, but I think you're probably right. This is just Microsoft's way of pushing you into the cloud.
Steve Gibson
Wow. Dean Wheaton said, hi Steve, I have a suggestion for the podcast. I'm a longtime listener, not quite back to the beginning, but something like 16 years. I'm a member of Club Twit and I do enjoy the respite from advertising. However, I would like to know which advertisers support the show and maybe take advantage of special offers. For instance, for a VPN provider, would Leo consider inserting a short "this podcast is supported by blank, which offers 15% off using promo code blank," or whatever short announcement is appropriate, pointing the listener to the show notes, which might have full details, in place of each advertisement instead of cutting out the advertisement audio? Best regards, Dean in Maryland. Now, to Dean I say, I sometimes found myself in a similar situation, so I discovered some time ago that Twit maintains an easy to find sponsors page at twit.tv/sponsors.
Leo Laporte
And this is also if somebody doesn't buy ads, we take them right off of it. So if they're on here, they are currently supporters.
Steve Gibson
Yep. You can also just go to twit.tv, and it's in the menu at the top, toward the right end of the page. And the entries there include the special discount sponsor codes and their URLs. So anyone can at any time check that out. And that way you'll also get information about Twit's sponsors other than those that may only be a sponsor on this podcast.
Leo Laporte
Yeah, all these companies probably show up on Security Now once in a while. The only reason they wouldn't be on is because we were sold out and...
Steve Gibson
And there's no room for them.
Leo Laporte
There's no room for them. Everybody wants to be on your show, I have to tell you. So they all deserve your patronage, because they all support Security Now. If they could get on, they would be on, but you don't want to.
Steve Gibson
And as you scroll through that list on the screen, Leo, I recognize them all from your reads here during the podcast.
Leo Laporte
Yeah, 1Password, Bitwarden, CacheFly. 1Password and Bitwarden were on today. Coda, DeleteMe, ExpressVPN. That's the VPN we recommend. NetSuite.
Steve Gibson
I think ThreatLocker was also on.
Leo Laporte
ThreatLocker was just on. Vanta was just on. Veeam was on.
Steve Gibson
Very off and on. And Veeam was also on.
Leo Laporte
So yeah, I think that the people who pay for no ads might not want to have those little short announcements. So we're just gonna.
Steve Gibson
Anyway, it's easy to find for anybody who wants them. You know, just twit.tv, and it has sponsors up in the upper right.
Leo Laporte
If you click those links, that takes you to the offer, the best offer, the current offer.
Steve Gibson
So I have a piece of errata to share, because my mistake was picked up by several of our listeners, who essentially asked variations of, what do you mean Syncthing hardly ever updates? This feedback is from our listener Brendan Koop, who offered some interesting additional information. Brendan wrote, I'm catching up on last week's show and I was surprised to hear you say that Syncthing is rarely updated. I rarely use Windows and love Notepad, but agree that at times it seems to update just to increase the version number. I think the developer sends political messages with some updates, which is their right. I've been a Syncthing user from way back when BitTorrent Sync went from being a useful free application to a mess with lots of restrictions.
Leo Laporte
They sold to Resilio. That's when I moved to Syncthing as well.
Steve Gibson
Yep, yep, he said. I stumbled onto Syncthing and have never looked back. I have Syncthing running on more than 25 devices, including various Android phones and tablets. I have half a dozen backup servers running on ODROID HC2 and HC4 devices running Linux at various locations. It functions as a live backup system that syncs as files are changing most of the time. There's a local server that should sync quickly, while the off site servers can catch up even if I shut down the source device before the remote servers are synced up. I can also turn on my laptop when I use it and before long it matches my desktop computers. Not sure what I would do without Syncthing.
Leo Laporte
It's become my backup strategy entirely. It's just incredible.
Steve Gibson
Yeah, he said, one thing I've not heard you talk about is self hosting the relay and discovery service.
Leo Laporte
Oh, interesting.
Steve Gibson
He said, I've been doing that since day one and have it running at five or six locations. I never rely on the public servers that Syncthing provides, and he says, TNO. He said, when I first started using Syncthing it was very early in the development and it was a little rough around the edges. As I recall, it used to update more than monthly and possibly more than weekly at times. A while back they switched to a monthly update cycle, and it seems to update at the beginning of the month most months. What made your comment about how rarely they updated it stand out, especially this month, is that they issued two updates shortly after the initial monthly update, which is unusual. In other words, I got it exactly wrong. He said, you picked the worst month in the past couple of years to say they rarely update the software, since this is the first time in more than two years they've done it more than twice in one month. He said, I've attached the update log I have on one of my backup servers. Luckily it updates automatically, and all of my Linux devices send me an email with my update log when they update. He said, this month's updates included updates to the relay and discovery servers, which doesn't happen often. I had to update them three times this month instead of the normal zero times. And so yes, we have a, I won't even try to read it or go through it, but yeah, many, many, many updates which somehow I missed. So I certainly stand corrected. I'm obviously not seeing those update notices for whatever reason. And perhaps I did happen to see one specifically because there were so many of them, you know, last month. And so that caught my attention. In any event, I'm happy to have that corrected. And it's interesting to hear about Brendan's success running his own relay and discovery servers.
Leo Laporte
Yeah, I want to do that.
Steve Gibson
I've considered doing that. But my particular application, because I've got fixed IPs, allows me to create direct point to point links between remote Syncthing instances. I took the trouble to do that, which I've been very happy with, after noticing that the use of the communal relaying was dramatically slowing down the resyncing process. In other words, Syncthing has become super popular. As you'd expect, there are... Although you can often knit between NAT routers and get a direct point to point connection, as we talked about in the early days of the podcast, using a rendezvous server in order to help two Syncthing instances, both behind NAT, still establish a point to point link, nevertheless, still, there are plenty of cases where that won't happen. So a relay server is needed, where both instances go out to the relay server in order to have their traffic relayed. As that becomes more popular, and of course this is just a, I don't know who is nice enough to host these relay servers, but they're getting bogged down. So that was slowing down my syncing to a point where it became intolerable. So I went to the effort of establishing point to point links, but I could see the feasibility of running a rendezvous server, you know, a relay and a rendezvous server, myself for Syncthing. Because, like Brendan, it really is a terrific service.
Leo Laporte
Yeah. And it would just be for you, right?
Steve Gibson
Yeah, I would just use it for myself.
Leo Laporte
Internal in the network, which means it'd be... Right.
Steve Gibson
Brendan is in TNO mode, so he has pointed his Syncthing instances to the IP of his own relay server.
Leo Laporte
Right. So you can run public ones. That's interesting. But I presume you can also run private ones. That's interesting. Yeah.
Steve Gibson
Right.
Leo Laporte
So that's what's going on is that there are people all over the world running public relays and.
Steve Gibson
Thank you, all you people.
Leo Laporte
Thank you. Yeah, yeah, I had no idea. Wow. Unfortunately, I'm sure it's fragmented, so it doesn't... Nobody gets the whole file or anything.
Steve Gibson
Yes, yeah, yes. Well, no, it's all... Oh, Leo. It's all super encrypted. It is absolutely end to end encrypted. So all they're relaying is opaque data that they have absolutely no access to. Yeah, I mean, we wouldn't be... You wouldn't have me telling you how much I use it.
Leo Laporte
And it's on GitHub, the relay server, so you could easily install it. I bet you there's a. I would hope there's a Synology package because that would make it very much easier for me. Just have it running on Synology. Oh, very interesting.
Steve Gibson
Okay, we are at our final break before we attack TOTP.
Leo Laporte
Let's go after.
Steve Gibson
Let's see.
Leo Laporte
I mean, we talk about brute forcing a lot. I think this is going to be a very interesting education in the technique of brute forcing.
Steve Gibson
We established such a foundation last week for exactly what is going on here that when the question of is it strong enough came up, I thought, ooh, let's answer that question.
Leo Laporte
Yeah.
Steve Gibson
Okay, so this week we have another example of an.
Leo Laporte
Wait a minute. Before you start, I do want to just say a little bit about Club Twit. Do you mind just a little? A little.
Steve Gibson
I get to drink my coffee.
Leo Laporte
Drink your coffee while I beg.
Steve Gibson
Recaffeinate.
Leo Laporte
I'm going to do some begging if you don't mind. If you listen to this show and you get value out of this show. If you listen to every one of our shows and get value out of any of our shows, and I hope you do, because that's why we do it. We really are doing these because we want you to hear and learn and use the stuff we talk about, about whether it's security on this show or Macs on Mac Break Weekly or Windows Weekly. Windows. We're rebranding this week in Google to intelligent machines because I agree with you, Steve. That's the most exciting new thing happening in the world. And it's starting to happen very fast. In fact, today, OpenAI, Oracle and some other companies announced a joint venture and with massive investment, $100 billion now, half a trillion in the next few years, along with SoftBank, to create, get this, the Stargate project to make a giant AI to secure American leadership in AI. If you want to know when Skynet started, I would say today be my guess. Anyway, this is stuff you need to know about. This is stuff we cover and we do it with. And you know this if you listen to Steve, without fear or favor. We want. We're honest. We give you the straight information. We're not hyping stuff. We're giving you the honest information.
Steve Gibson
So maybe without favor, I'm not sure about fear.
Leo Laporte
Yeah, we might be scared. We could be scared. But no Nobody's afraid here because we're doing God's work. But you could help us because unfortunately it doesn't pay for itself. Yes, we have ads and we are very grateful to our advertisers, but we don't have enough ads to pay the entire. And we've cut, by the way. Don't think we haven't. We closed the studio. Lisa gave me the good news. We're going to be out of that lease. So that's really good news. That saves us money. You know, I'm working out of my house now. We're doing everything we can to cut costs, but the best way for us to go forward, I think is the way I always wanted to go forward, which is to be a listener supported network to the degree that you feel like you get something out of this. Is it worth $7 a month to you? Is it worth a latte or two a month? I'd like to invite you to join Club Twit now. We do give you benefits. Go to Twit TV Club Twit ad free versions of all of the shows. Access to the Club Twit Discord, which is, I think that this is a great social network with smart, interesting people who have lots to say, not just about the shows, but all kinds of topics. We also do a lot of club only events. Thank you. Iridescent Ox proud Club Twit member. I love these guys, I really do. It's not just about the shows, it's about anything people are interested in having to do with tech. You know, there's food, there's everything's interesting here. So you also get those special shows. We've got some, got Micah's crafting corner coming up in just a little bit. Our photo time with Chris Marquardt. I'm gonna schedule another coffee show with Mark Prince, the coffee geek and of course Stacy's Book Club. We have settled on a much more interesting book. Thank goodness. Join the club, please, I beg of you. This is, this is not. We're not pbs, we're just us. We're just your buddies doing what we do, trying to keep you up to date and keep ourselves up to date on what's happening in the world of tech. Twit TV Club. 
We would love to have you in the club, that's all. Just a little plug, little club plug. If you love your phone but not your carrier, just switch to T Mobile. You can keep your phone, keep your number and we'll help pay it off. Up to $800 per line. You can also use our savings calculator to compare our plans and streaming benefits against Verizon and AT and T. So switch and keep your phone, keep your number and keep more of your moolah. @t mobile.com up to four lines via virtual prepaid card allow 15 days qualifying unlock device credit service port in 90 plus days with device and eligible carrier.
Steve Gibson
And timely redemption required.
Leo Laporte
Card has no cash access and expires in six months Now Steve Areno Let us talk about brute forcing totp. That's exciting.
Steve Gibson
This week we have another example of an instance where a piece of listener feedback I started replying to kept expanding until it had acquired a life of its own. I love it and I realized that our listeners would probably enjoy another journey and thought experiment in a direction this podcast has never taken us. Bizarrely, I mean, except in broad strokes. Following from last week's podcast topic of HotP and TotP, this week we're going to take a detailed look at the task of attacking and cracking a key for the authenticators we all use. We're going to answer the question of whether the 808080 bit keys that most sites give authenticators to use are long enough to contain sufficient entropy. And if by any chance, you tend to skip podcasts from time to time so that you missed last week's main HOTP and TOTP topic, I would strongly suggest that you pause here to first listen to that one, since I need to assume that everyone here is now aware of what happened last week. So this all started with an interesting piece of feedback from our listener, Lachlan Hunt. Lachlan wrote hi Steve, I enjoyed your review of HOTP and TOTP algorithms in episode 1008 and wanted to share some of my own observations. I agree that the algorithms are designed to be very easy. I had previously implemented it as a hobby project and the whole HOTP algorithm can be done in around 10 lines of code. It's a fun coding challenge and I used it to brute force the next year's worth of codes and see when interesting numbers will appear. See the screenshot showing my 1Password 2 Factor Authentication token equaling 000000 and sure enough, he took a picture of his phone. He had presumably set the calendar and clock forward, knowing when it was going to happen, having done this reverse engineering of his own code and then watched it happen and took a picture. So very cool. He said. 
The widespread use of QR codes for setting up TOTP is not actually defined by either RFC and instead seems to have originated with Google Authenticator and copied by all other implementers. The QR code encodes the secrets as base 32 strings. Now, okay, so base 32 means an Alphabet of 32. So he says, where each character represents five bits, which could because two to the five, two to the fifth is 32. He says, I had a look at the secrets for some of my own accounts to see how long the secrets were. Many sites had secrets with 16 characters, which is only 80 bits. Right? 16 times 5, 16 characters, 32 combinations per character, 5 bits per character. So 80 bits, he says. On the other hand, the longest secret I saw was a full 256 bits, which seems extreme. He said. However, the Hotpot RFC actually requires that the secret key be a minimum of 128 bits with a recommendation to use 160 bits. The ones below 128 bits are technically not compliant, and that's Google, by the way. So he said, finally, I thought it was a nice coincidence that there are a million possible six digit codes and there are a little bit over a million 30 second intervals in a year.
Leo Laporte
So it won't repeat for a year. Well, it will. I mean, it repeats, right?
Steve Gibson
But yeah, actually it does not repeat, but in a year because it just keeps on going. So you'll get a different set in the second year, but you will probably see them in a different order the next year. That's fine. And not necessarily because you could see the same one five times in one year.
Leo Laporte
Right.
Steve Gibson
And. And not see any for 10 years.
Leo Laporte
Right.
Steve Gibson
I mean, that's the nature of true random.
Leo Laporte
Yes, yes.
Steve Gibson
Okay. So the HotP recommendation of 160 bit secret key input to the SHA1HMAC makes some sense since, as we saw last week, HSA1 produces a 160 bit hash. So that's also the output size of HotP's HMAC. So there's some symmetry there. But the way the HMAC works, and obviously from what what we've just said, and I didn't talk about it last week, the key length can be anything you want because you're just mixing it in, much like you are salting. Very much like you're salting a password hash, you're just throwing the secret into the HMAC and sha, hashing it all together so it can be whatever length that you want. But Lachlan observed that many sites were using secrets having 16 characters, which expanded to only 80 bits. And Google, you know, chief among them. How should we feel about that? Using a key having only 80 bits for this application provides okay, and I'm going to read the number. 1208-925819-61462 917470-6176 unique keys. That's roughly 1.2 million million million million possible keys. So we've got four sets of six zeros following the 1.2. Okay, which brings us to the question of whether this is a sufficient number. To address that question. We need to remember that when judging relative security, everything is about the application in which the various security components will be used. So what's the security model of an HOTP based TOTP authenticator? The purpose of time based authentication is the generation of a completely unpredictable code generated within any 30 second window using an authenticator whose specific key is hidden among more than 1.2 million million million million possible wrong keys would appear to meet that requirement. But one of the key concepts in security is that of a security margin. So how much security margin do 80 bit time based authentication keys provide? To answer that question, we need to examine the system and design an optimal attack to determine a key. 
Given the proven high quality of SHA1 for pseudo random bit generation, which is then wrapped by the HMAC algorithm, the only known attack on authentication would be brute force guessing of different input keys, which would then be used to generate a specific six digit authentication code output at a specific time. So let's say that we knew our targeted authenticator's output at a given time. So we know the time and the six digit code produced at that time. Given the solid design of the authentication algorithm, which is essentially an extremely well designed cryptographically strong hash function with some ad hoc post hash processing, the only strategy available to us is simple brute force guessing. That is, we can only go forward through that function. We cannot go backward. There's no way to go back, especially from a six digit code, to go back and somehow miraculously get an 80 bit key. There's, there's. The information is obviously not available in, in a, in a six digit code to somehow magically get an 80 bit key. So we, we can only go forward over and over and over. Okay, so let's say that we knew our targeted authenticators output. We start testing all 1.2 million million million million possible keys one at a time, starting at zero.
Leo Laporte
It's going to take a while.
Steve Gibson
It's going to take a while. Each key we feed into the algorithm is combined with the timestamp for the one time authenticator output. We know that's processed by the HOTP's HMAC SHA1 algorithm, each use of which requires two uses of SHA1 with some Xoring and bit manipulation. That's what the HMAC is. Then, as we saw last week, we perform the extraction of the 4 bytes from the 20 followed by the modulus 1 million division to extract the remainder and to arrive at our first candidate. Six digit code. Being a high quality pseudo random six digit code, this first candidate will have one chance in a million of matching the six digit code we're seeking. The probability of things happening is something that often trips people up. If the probability of something random happening is one in a million, we might tend to assume that giving that one in a million thing one million opportunities.
Leo Laporte
To occur, that'll fix it.
Steve Gibson
Or in our case, 1 million key guesses that we would probably get a collision of six digit values. And that's true, but it's not guaranteed. Probability theory tells us that even given 1 million guesses of a one in a million event, there's a 36.79% chance of never hitting upon the value we're seeking. 36.79%. So we're probably going to. But it's not guaranteed 36.79% we're not going to hit it. That that does mean that given 1 million guesses there's the reverse, a 63.21% chance that we will hit it. So 63.21% that we will hit it better than 50 50. But it's not certain that we would. For random events it's all about probabilities and 693,147 guesses. So nearly 700,000 would be required to hit the 5050 point. The 50 50% chance of guessing 700,000 guesses, not 500,000. Right. Not half of the 1,700,000 for an even chance of a one in a million guess being correct. So at this point all we can do is keep guessing key values. I should make clear that assuming the key was generated by a purely pseudo random system, there's absolutely no benefit to generating trial key value guesses at random. No key generating algorithm could be any better than any other. And being fancy about it, would just take us some more time and waste some more resources. So to generate successive guesses, we're going to treat the key like a large 80 bit binary number that we simply increment starting at zero will eventually test them all. The problem of course is that 80 is a lot of bits. We've already seen that there are 1.2 million million million million possible combinations of those 80 bits. So let's proceed and see what happens. We keep incrementing our key and keep producing six digit codes until we hit upon the one that the target authenticator produced for the same timestamp. So yay, we found an 80 bit authenticator key that gives the proper six digit output at the proper time. But that's no use to an attacker since it's never going to be that time again. 
And besides, they already know the proper six digit code for that time. The goal is to be able to generate the proper code for any time in the future. So for that, the attacker, and we in our case, since we're taking that role, need the one key that will do that. The problem is that there are 1.2 million million million million possible 80 bit keys. And the only thing we've accomplished is to find the first key, counting upward from zero, that produces this one correct six digit code. Since we know that these codes are randomly distributed throughout the entire key space, that means that there will be on average 1.2 million million million. Okay, I've dropped one of the millions, 1.2 million million million total keys that will also produce this same six digit code for this same timestamp. In other words, the discovery of that first matching code is very unlikely to be useful. We still need to eliminate many millions of millions of other keys. To do that, we need some more sample outputs from the target authenticator. So we've just clearly proven one thing. There is absolutely no possible way for an attacker, unless they were to get insanely lucky, like, you know, 1.2 million million million times lucky, no possible way for an attacker who obtains a user's single six digit code at one point in time to reverse engineer a user's authentication key, regardless of how much time and processing power they may have. And note that this is all symmetric crypto, which has always been safe from any threat from quantum computing. So holding out for a quantum computer to arrive isn't going to help us here. This is symmetric crypto. Quantum computing only helps with public key things. Okay, so as I said, to usefully narrow things down, we need some more sample outputs from the target authenticator. Okay, so let's make that a given. Let's agree that our attacker is able to observe the target authenticator being used with the same key at multiple points in time.
Okay, so how many points in time do we need that will allow us to achieve this? As we've seen, each point in time gives us one code in a million, and in its first use, out of the total 1.2 million million million million possible keys, this one in a million matching would allow us to select one candidate key out of every million possible keys. So on average, again, because they're not also perfectly distributed, they're randomly distributed. So it effectively reduced the candidate key space by a factor of 1 million. In other words, we're able to use a six digit code generated by the targeted authenticator to weed out a factor of a million possible keys, or phrased differently, each application of a different six digit code can be used to reduce the remaining candidate key space by a factor of 1 million. Okay, so suddenly that doesn't seem so bad. An 80 bit key space gives us a total of 1.2 million million million million keys. That's four millions. And we've seen that each use of one six digit code for a given point in time will on average eliminate a factor of 1 million wrong keys that do not produce a matching 6 digit output. So that would suggest that the use of four six digit code output samples, each reducing the total key space by a factor of 1 million, would bring the key space down to one or two remaining candidate keys. Okay, so let's go back now to that first test where we were incrementing the 80 bit key and generating a test six digit code to look for a match against the authenticator's known output. We know that we will eventually find a match and that we're just going to go linearly from zero. We're eventually going to find a match, and the probability of that happening is 50% during the first 693,147 tries, rising to 63.21% by the time we've tried the first million keys. So not quite two thirds for assurance of it happening by, you know, by the time we've tried the first million. But regardless, we know it's going to happen sooner or later.
So having found the first candidate key that gave us the first proper six digit output, we know that this only reduced the possible key space by a factor of 1 million. So next we try this same candidate key against the second point in time to see whether we obtain the proper second six digit code. This will still be highly unlikely since that first test left 1.2 million million million candidate keys, only one of which is the one we're seeking. But nevertheless, we check the key against the second point in time and almost certainly fail. That means that the first test found a key that produced the proper six digit result at this point in time, but not at the second reference point. So we need to keep searching. We move forward again until we find a match for the first point in time. Then again, check that against the second point in time. As before, there are still so many candidate keys that will pass the first test but fail the second that it's likely to take quite a bit more searching until we find a candidate key that passes both the first and the second tests. But we're still a long way from home. Since each of these first two tests reduces the candidate key space by a factor of 1 million, together they reduce it by a million million. But since we started out with an 80 bit key, that gave us a key space of 1.2 million million million million. That means that even after finally finding a candidate key that passes the first two tests, the new key that was found is still only one among the remaining 1.2 million million that will pass both tests. So it's still exceedingly unlikely that the one we found that passed both of the first two tests is the proper key. To test this, we of course check this latest candidate against our third authenticator sample. As we know, there's only one chance in around one that this first key that passed the first two tests will also pass the third.
And even if it did by some miracle pass the third test, it would still be one among 1.2 million keys that would do so. So we would then need to test against a fourth authentication sample output to see whether that key, which somehow managed to pass the first, second and third tests, was the one out of 1.2 million that can also pass the fourth sample test. And since there were 1.2 times 1 million to the fourth possible keys, even this might not be the one we're looking for. And we need to remember that when we succeed in this search, it all boils down to statistics. That 69.3% number which we encountered earlier comes back here, since we're essentially performing four unrelated one in a million tests against random events where we need all four of them to succeed. So we would need to test on the order of 6.93 times 10 to the 23rd 80 bit keys before we would reach the point of having a 50% chance. Again, we would need to test on the order of 6.93 times 10 to the 23rd 80 bit keys before we would reach the point of having a 50% chance of finding a first key that passes all four of our one in a million six digit matching tests. Now, 6.93 times 10 to the 23rd is 57.3% of the total 80 bit key space to search, only to achieve a 50% chance of success. One question to ask is whether there might be any shorter route for brute forcing a solution. I've given this some thought and I cannot see one. I considered various sorts of sieve approaches, like the famous sieve of Eratosthenes, which is used to find primes, where you could apply a sieve to these three or four samples to weed out. But actually that would be vastly slower than this. Testing against one test is by far the fastest solution. There just isn't a faster way to do this. The algorithm we just examined closely is going to be the fastest: to check successive keys against a first test and then to apply successive tests only when they successively succeed. That minimizes the number of tests being performed.
And we also know that we will need to test 57.3% of the total 80 bit candidate key space in order to have just a 50% chance of success, with no guarantee even then. And each test with a candidate key will require two uses of SHA1 for the HMAC algorithm and the application of the ad hoc HOTP six digit extraction. It's easy to say 6.93 times 10 to the 23rd, just as it's easy to be glib about 80 bits. But 6.93 times 10 to the 23rd is 693 million million billion.
Leo Laporte
That's a lot.
Steve Gibson
So if an attacker, yeah, if an attacker were able to perform, say, a million billion of these complete TOTP HOTP candidate key tests per second, we would still be left with 693 million seconds. Now that's. If you could do a million billion per second, you'd be left. We would be left with 22 years full time, around the clock, without pausing, never stopping, and even then only obtain a 50% chance of cracking a single key of a time based one time password when having a handful of that authenticator's outputs, which are necessary, and knowing exactly when each of them was generated. Now, modern hardware has become very fast, absolutely the case. But it's generally fast at performing simpler algorithms for which it's been designed, like straight SHA256 hashing for cryptocurrency mining. The hash rates have gone insane there. Ad hoc algorithms, especially something as wacky as HOTP, which selects the bits to be divided based upon some bits in a nibble, would be much more difficult to accelerate. So it might be, yes, that, you know, even a million billion complete tests per second would be difficult to achieve in practice. And Leo, as we said at the top of the show, that's an advantage of a wacky ad hoc algorithm: it is more acceleration resistant. I don't know if they did it on purpose back in 2005, but it is a consequence of their, you know, ad hoc wackiality. But that said, given the current performance of crypto mining and a million billion tests per second taking only 22 years for a 50% chance of success, that's not the sort of security margin that would or should make anyone feel completely comfortable. It's better when realistic estimates come in at, you know, 22 million years rather than just 22 years. This really boils down to how fast the individual tests can be performed. Well, you know, and how many of the testers you can have running at the same time.
Leo Laporte
How many times, how fast can you submit a one time code? Is there some way you can download something so you can do it locally or you're just.
Steve Gibson
Oh yeah, yeah, yeah. We're not actually asking the other end.
Leo Laporte
They don't have to respond.
Steve Gibson
Right. We are comparing against the code that the authenticator generated.
Leo Laporte
Oh, well, so you're right, this is maybe a little more doable than we'd like.
Steve Gibson
Yeah, it is more doable than we like. You know, I'm not at all worried about sites being protected by 80 bit keys, but given what we've just learned from this exploration, I would feel more comfortable if the keying material had at least 128 bits. That's a difference of 48 bits, and that makes a huge difference in difficulty. Adding 48 bits scales the entire problem up by a factor of nearly 281,475 million times. Wow, 281,475 million times. So now we're talking many, many millions of years, and we have the sort of security margin that means we never need to think about the problem again.
Leo Laporte
But what about quantum computing would.
Steve Gibson
No, quantum computers do not help with symmetric at all. Okay, so there is no help from quantum. Given that the key length being offered is entirely transparent to any authenticator user, meaning, you know, we don't know, we just scan a QR code, we don't know, there is just no reason not to use 128 bits or more for the key. 80, it's, you know, it's okay. But more would be better. And 80 should definitely be considered a minimum.
Leo Laporte
Very interesting.
Steve Gibson
Now we have some basis for judging the security margin.
Leo Laporte
Very interesting. And of course, computation is only going to get faster. Orders of magnitude faster.
Steve Gibson
I looked at what the hash rates are on crypto mining farms. Oh my God. They've got. I can't pronounce the number. Quintum zillion, billions of hashes per second. They've gone insane.
Leo Laporte
They're all dedicated and this is just a second factor. You still have a password you'd have to get. And so I think it's probably adequate, but.
Steve Gibson
Oh yeah, as I said, I'm not worried about it. But now we have. Now we have a basis for judging which we did not have before.
Leo Laporte
Good.
Steve Gibson
And that's why we do this.
Leo Laporte
Yeah.
Steve Gibson
I love this crazy podcast.
Leo Laporte
I love it. I was told there'd be no math, but obviously I was misinformed. It's nothing but math.
Steve Gibson
You were. You're punctuating it with your giggles over my million, million, million, million, million.
Leo Laporte
That's. That's a large number. That was large number. Didn't mean to interrupt. Lachlan, thank you for stimulating this conversation. Very interesting, actually.
Steve Gibson
All driven podcast.
Leo Laporte
Yeah. All of our comments and questions today were great. Really appreciate it. We love our listeners. Thank you for watching. Thank you for listening. Steve is at GRC.com; that's his website, the Gibson Research Corporation. You can go there to get his bread and butter, which is SpinRite, the world's best mass storage recovery, maintenance and performance enhancing utility. You have mass storage, you gotta have SpinRite. Go there, get it, support Steve and his work. There's other free stuff there, lots of it, so it's fun to browse around. He also has some unique versions of this show on his website, including a 16 kilobit audio version to go along with the 64 kilobit audio version, for people who don't have a lot of bandwidth or maybe they're on a limited connection. There's also transcripts, very good transcripts, and of course a copy of the show notes there as well. That's all at GRC.com. At our site, twit.tv/sn, we have that 64 kilobit audio. We also have video, and we have a link to the YouTube channel dedicated to Security Now. So if you want to share a clip, that is the easiest, best way to do it, and it's helpful to us because it turns other people on to the show. So by all means, you know, find something interesting and send it to a friend from the YouTube site. Easiest way, though, just subscribe, as they always say, go where better podcasts are hosted. Just subscribe in your favorite podcast client and you'll get it automatically, audio or video, almost the minute it is available. We record the show on Tuesdays. You should know, right after MacBreak Weekly. I just got an email from somebody who said, why haven't you started yet? It's 1:45. It's like, this is not a TV station, okay? We're not running on a schedule. We're running as fast as we can. We try to get these on as close as possible. But what you're really doing is you're watching kind of behind the scenes our recording of the shows.
We expect most people, in fact, we know most people will listen after the fact, and that way you can listen exactly, exactly when you want. But if you do want to watch us live, just for the giggles or to chat along in our chat rooms, we are streamed on eight different platforms. Club TWiT members get to watch in the Discord; YouTube and Twitch for everybody else. TikTok, now we're back. We're on TikTok. Steve. Thank you, President Trump. We are also on Kick. We are also on X.com. Thank you, Vice President Elon Musk. We are also on LinkedIn and Facebook. Thank you, Secretary of State Mark Zuckerberg. See the whole fam. All the richest men in the world supporting our little stream. Thank you, guys. We haven't figured out how to get on Amazon yet. We can work on that. The show is, as I said, right after MacBreak Weekly, which generally works out to 1:30 to 2pm Pacific, let's say 5pm Eastern, 2200 UTC. So watch it live if you wish, but of course download it because you would. Well, you want a copy of it for your records, right? Steve, have a great week. Thank you for everything you do. We really appreciate it.
Steve Gibson
We'll be back next week with a binary edition of the podcast. 1010 episode 1010.
Leo Laporte
What is that 10?
Steve Gibson
That's 1010. Oh, that's binary. Oh, yeah, binary 10. Yes. Eight and two. Yep.
Leo Laporte
Thank you so much, Steve Gibson. Thank you all for joining us. We'll see you next time on Security Now.
Steve Gibson
Bye.
Leo Laporte
If you love your phone but not your carrier, just switch to T-Mobile. You can keep your phone, keep your number, and we'll help pay it off up to $800 per line. You can also use our savings calculator to compare our plans and streaming benefits against Verizon and AT&T. So switch and keep your phone, keep your number, and keep more of your moolah at T-Mobile.com. Up to four lines via virtual prepaid card. Allow 15 days. Qualifying unlocked device, credit, service, port-in 90 plus days with device and eligible carrier, and timely redemption required. Card has no cash access and expires in six months. Your business needs AI solutions that are not only ambitious but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts and act with ease through guided apps tailored to your role. Domo is built to meet the challenges of today's AI landscape with a robust, all in one platform powered by trust, flexibility and years of expertise in data and AI innovation. Data is hard. Domo is easy. Learn how Domo can help you unlock your data's full potential at AI.domo.com. That's AI.domo.com.
Security Now 1009: Attacking TOTP – Detailed Summary
Release Date: January 22, 2025
In this milestone 1009th episode of Security Now, hosts Leo Laporte and Steve Gibson delve deep into the intricacies of security protocols, vulnerabilities, and the evolving landscape of cybersecurity. The episode weaves together discussions on Microsoft's Patch Tuesday, GoDaddy's enhanced hosting security, DJI's controversial firmware changes, CISA's advancements in vulnerability management, and an in-depth exploration of attacking Time-Based One-Time Passwords (TOTP). The conversation is enriched with listener feedback, expert insights, and real-world implications of current security practices.
Timestamp: 04:19 – 32:34
Steve Gibson opens the discussion by addressing the unprecedented volume of patches released by Microsoft on Patch Tuesday. Last week's update encompassed 160 critical patches, marking the highest number in years. The breakdown of these vulnerabilities, as reported by CrowdStrike, highlights:
Gibson emphasizes the severity of RCE and elevation of privilege vulnerabilities, noting that they constitute 61% of the total patches, underscoring their critical nature.
Steve Gibson [07:00]: "But it's not guaranteed that we would... For random events, it's all about probabilities and 693,147 guesses."
He further critiques Microsoft's strategy of forcing updates, particularly the mandatory installation of a new Outlook client on Windows 10 and 11 devices. Gibson expresses concern over Microsoft's approach, highlighting the challenges it poses for enterprises reliant on legacy systems.
Steve Gibson [04:19]: "There is absolutely no possible way for an attacker... unless they were to get insanely lucky."
Timestamp: 70:44 – 84:23
Gibson transitions to discussing GoDaddy's recent security lapses that have attracted the scrutiny of the U.S. Federal Trade Commission (FTC). The FTC has mandated GoDaddy to overhaul its cybersecurity measures due to multiple breaches between 2019 and 2022. Key points include:
Gibson draws parallels between GoDaddy and Marriott, emphasizing the lessons large organizations must learn about due diligence and integration of acquired entities.
Steve Gibson [70:44]: "But again, this was being exploited before any problem was known and before any patches were available."
Timestamp: 66:26 – 110:00
A significant portion of the episode examines DJI's recent decision to remove firmware restrictions that prevent its drones from entering no-fly zones in the U.S. Initially reported with alarming language likening the move to "giving the middle finger," DJI later clarified that the update aligns with FAA regulations by shifting responsibility to drone operators.
Gibson and Laporte discuss the implications of this shift, pondering the balance between user control and regulatory compliance.
DJI Statement [110:32]: "This change gives back control to operators and provides them the information they need to fly safely."
Timestamp: 113:22 – 144:04
Steve Gibson highlights the substantial improvements made by the Cybersecurity and Infrastructure Security Agency (CISA) in helping organizations manage and remediate vulnerabilities. According to CISA's latest report:
Gibson underscores the significance of these advancements, noting that proactive vulnerability management is crucial in mitigating potential cyber threats.
Steve Gibson [113:22]: "We have a chart showing the average remediation time over the past two years... It's clear, it's a significant change."
Timestamp: 145:53 – End
The episode culminates with an exhaustive analysis of attacking Time-Based One-Time Passwords (TOTP). Inspired by listener Lachlan Hunt's experimentation with TOTP, Gibson explores whether the typically used 80-bit secrets in TOTP authenticators are sufficiently secure against brute force attacks.
Key Insights:
Secret Key Length: Many services utilize 16-character base32 secrets, equating to 80 bits, below the recommended 128-bit minimum.
Listener Lachlan Hunt [145:53]: "However, the longest secret I saw was a full 256 bits, which seems extreme."
Attack Strategy: Gibson outlines a brute force approach where an attacker, armed with multiple TOTP outputs, attempts to guess the secret key by iterating through possible combinations.
Probability Analysis:
Security Margin: Transitioning to a 128-bit secret exponentially increases the difficulty, making brute force attacks virtually impossible within feasible time frames.
Steve Gibson [150:57]: "So this is, yeah, that one, yes, exactly."
Gibson concludes that while current implementations with 80-bit keys offer a baseline of security, adhering to the 128-bit recommendation would significantly enhance protection, especially as computational capabilities continue to advance.
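As an added illustration that is not part of the podcast or this summary, the following Python calculator reproduces the arithmetic behind the security-margin argument: the 36.79% chance of missing a one-in-a-million event in a million tries, the ln 2 / p ≈ 693,147 half-chance point, the 6.93 × 10^23 keys (57.3% of the 80-bit space) needed for a 50% chance with four six-digit samples, the roughly 22 years at a million billion tests per second, and the 2^48 scaling from 80 to 128 bits. The function names, the assumed rate of 1e15 tests per second and the use of a 365.25-day year are my own choices for the example.

```python
import math

# Assumed for the "years" figure: a 365.25-day year.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def p_no_hit(trials: int, p: float = 1e-6) -> float:
    """Probability that `trials` independent attempts at a probability-p event all miss.

    For one-in-a-million guesses made a million times this is (1 - 1e-6)**1e6,
    which converges to 1/e = 0.3679 (the 36.79% from the episode).
    """
    return (1.0 - p) ** trials


def p_at_least_one_hit(trials: int, p: float = 1e-6) -> float:
    """Complement of p_no_hit: about 63.21% for a million one-in-a-million tries."""
    return 1.0 - p_no_hit(trials, p)


def half_chance_trials(p: float = 1e-6) -> float:
    """Attempts needed for a 50% chance of at least one hit.

    Solving (1 - p)**n = 1/2 for small p gives n = ln 2 / p, i.e. about
    693,147 attempts for p = 1e-6, not 500,000.
    """
    return math.log(2) / p


def p_pass_all_samples(samples: int, digits: int = 6) -> float:
    """Chance that a wrong key matches `samples` independent `digits`-digit codes."""
    return (10.0 ** -digits) ** samples


def keys_for_half_chance(samples: int, digits: int = 6) -> float:
    """Candidate keys to test for a 50% chance of one passing all `samples` tests.

    With four six-digit samples the per-key pass chance is 1e-24, so the
    half-chance point is ln 2 * 1e24, about 6.93e23 keys.
    """
    return half_chance_trials(p_pass_all_samples(samples, digits))


def fraction_of_keyspace(keys_tested: float, key_bits: int) -> float:
    """Share of the 2**key_bits space that `keys_tested` represents (0.573 for 80 bits)."""
    return keys_tested / float(2 ** key_bits)


def expected_survivors(key_bits: int, samples: int, digits: int = 6) -> float:
    """Average number of keys left after `samples` code matches prune the space.

    Each sample divides the space by 10**digits; for 80 bits and four samples
    about 1.2 keys remain, the episode's "one or two" candidates.
    """
    return 2 ** key_bits * p_pass_all_samples(samples, digits)


def years_at_rate(keys_tested: float, tests_per_second: float) -> float:
    """Wall-clock years to run `keys_tested` candidate tests at a given rate.

    At the assumed 1e15 (a million billion) HMAC-SHA1 + HOTP tests per second,
    6.93e23 tests take 693 million seconds, about 22 years.
    """
    return keys_tested / tests_per_second / SECONDS_PER_YEAR


def scale_factor(from_bits: int, to_bits: int) -> int:
    """Work multiplier from lengthening the key (2**48 for 80 -> 128 bits)."""
    return 2 ** (to_bits - from_bits)


def security_margin_report(key_bits: int = 80, samples: int = 4,
                           tests_per_second: float = 1e15) -> dict:
    """Collect the episode's figures for one key length, sample count and test rate."""
    work = keys_for_half_chance(samples)
    return {
        "miss_after_1e6": p_no_hit(1_000_000),
        "half_chance_trials": half_chance_trials(),
        "keys_for_half_chance": work,
        "fraction_of_keyspace": fraction_of_keyspace(work, key_bits),
        "expected_survivors": expected_survivors(key_bits, samples),
        "years_at_rate": years_at_rate(work, tests_per_second),
    }


if __name__ == "__main__":
    for name, value in security_margin_report().items():
        print(f"{name:>22}: {value:.4g}")
    print(f"  80 -> 128 bit factor: {scale_factor(80, 128):,}")
```

Running the report for 128 bits with the same four samples shows why more samples, not just more bits, are what an attacker would need: `expected_survivors(128, 4)` is in the hundreds of millions of millions, so four codes no longer isolate a key at all.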
Timestamp: 133:19 – 184:02
A pivotal moment in the episode features feedback from a listener managing security for a local government police department. The listener raises concerns about Active Directory's inability to salt password hashes, referencing outdated hashing methods that do not meet current security standards.
Current Challenge: Active Directory relies on NT LAN Manager (NTLM) protocols that do not incorporate salting, making stored passwords susceptible to brute force and rainbow table attacks.
Listener [133:19]: "Active Directory does not SALT user password hashes."
Microsoft's Suggested Solution: Migration to cloud-based services like Microsoft Entra ID (formerly Azure AD), which necessitates moving away from on-premise domain controllers. However, this poses challenges:
Gibson critically assesses Microsoft's approach, lamenting the forced migration to the cloud as an inadequate response to fundamental security shortcomings. The discussion highlights the tension between regulatory compliance, budget constraints, and the necessity for robust security measures in governmental IT infrastructure.
Steve Gibson [133:19]: "There is no way around it. There is no way to add this to Active Directory."
Episode 1009 of Security Now provides a comprehensive exploration of critical cybersecurity issues facing enterprises and individuals alike. From dissecting massive patch rollouts and corporate security failures to scrutinizing the robustness of authentication protocols, Gibson and Laporte offer invaluable insights into the current state and future directions of cybersecurity. The episode underscores the importance of proactive vulnerability management, adherence to security best practices, and the continual evolution of protective measures in an increasingly digital world.
Notable Quotes:
This detailed summary encapsulates the essence of Security Now's Episode 1009, providing a clear and structured overview for listeners and newcomers alike.