Apple's UK Privacy Showdown, $1.5 Billion Crypto Heist
Leo Laporte
It's time for Security Now. Steve Gibson is here. We're going to talk about Apple, I don't know, giving in on the UK request for a backdoor. Or maybe they were playing 3D chess. Steve has some opinions. We'll also talk about why it might be illegal to pay that ransomware, how the Spanish soccer league is blocking Cloudflare and causing quite a bit of a mess. And then why your apartment building access control system might not be all that secure. It's all coming up next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1014, recorded Tuesday, February 25, 2025. Freedom Administration Login. It's time for Security Now, the show where we protect you and your privacy and your security online. Did I say we? Pardon me, he protects you, Mr. Steve Gibson, the man of the hour.
Steve Gibson
You are inseparable from the podcast, from the network, from, you know.
Leo Laporte
Yeah, but in this case, it will.
Steve Gibson
Not go on without you.
Leo Laporte
I am a member of the audience in this case. I listen to Steve and I hope, I hope you all coming up this week.
Steve Gibson
So I stumbled upon a. It started off as just a regular sort of like security announcement, but the more I looked into it, the more astonishingly, wow, too much caffeine. The more I was astonished. Many adverbs that anybody could be producing a system like this. And it is something that our listeners are going to be able to experience for themselves. The astonishing insecurity of almost ironically, an access control system whose own access control just fails just miserably. Anyway, the title of the podcast is that Freedom Administration Login, which we're gonna have a lot of fun with when we get to it. But first we've got the news that actually we sort of did a preview of it last week. In this case, it's Apple disabling the advanced data protection for new users in the UK and eventually all users. Although they're not saying when and they're not saying why they're not doing it yet. Anyway, my take on it is a little bit different than everybody else's. It looks like I'm probably gonna be wrong, but I'll share it nonetheless. We also have the news that we've been talking a lot recently about paying ransoms. Like, oh, we've got these groups and those groups and we got attorneys and we've got people who specialize in all this. Turns out paying a ransom we should remember is often illegal, so.
Leo Laporte
Oh, interesting.
Steve Gibson
There's that also just a random piece about X blocking signal.me links. Spain's soccer league has blocked an IP of Cloudflare. Unfortunately they got much more than they bargained for when they did that, causing a big mess. We have two new and exceedingly rare vulnerabilities in OpenSSH, which is widely regarded as one of the most well designed and most secure, thank goodness, open source projects that exists. But whoops, a problem was found. Not end of the world, but worth looking at. Also, the US seems unable to evict Chinese attackers from its telecom systems. We've had a senator recently suggest what we should do in response because, as if saying we can't, it's like what? What do you mean we can't? And come to, you know, speaking of that, what are they doing to get in? What is Salt Typhoon? Is it some, you know, mastermind strategy? Turns out, not so much. And our listeners will not be surprised to discover how China is getting into our networks. We have. Oh, Lisa, Leo.
Leo Laporte
Lisa, hello.
Steve Gibson
By far, by far, I'm not confusing you. By far the largest cryptocurrency heist in history, which occurred just four days ago on Friday. We have an ex-NSA, well, the ex-NSA head suggesting that the US is actually falling behind on the cybersecurity front lines. We have, as last week I put it out to our listeners, come up with an alternative term for backdoor. The replacement term is a good one suggested by many of our listeners. It does exactly what I was hoping it would do. It is both accurate and clear. We'll touch on that. And then, as I said, we're going to look at a pathetic access control system that just begs to be hacked. And it will be, maybe even by some of our own listeners, although not maliciously, maybe to help the poor schlubs who have purchased this thing and have just everything wide open.
Leo Laporte
Yeah, you poor schlubs.
Steve Gibson
You schlubs. And we've got a great, great picture of the week. A common theme, but a variation on that theme. A new entry into the ever popular where there's a will, there's a way contest.
Leo Laporte
Oh, that sounds like fun. That's the ones where you should be careful not to electrocute yourself, I think. Yeah. Or fall off or.
Steve Gibson
I've had some great feedback about this. I did the mailing to 16,363 of our listeners last afternoon and a bunch came back and said now this one is one I would not have thought of.
Leo Laporte
Nice. You have more subscribers than we have Club TWiT members. That's actually shifted. For a while it was, we had more Club TWiT members. You have so many subscribers, and if you are a subscriber to this show and you're not a Club TWiT member, I must ask, why not? Don't you want to support the wonderful Steve Gibson, TWiT.tv, Club TWiT? It should. They should. There should be rough parity between those numbers. I think you care enough to subscribe to the, you know, or email Steve.
Steve Gibson
Anyway, my email list subscription is free, so there's that.
Leo Laporte
Steve, how much is a Venti triple quadruple?
Steve Gibson
I. I let the secret out last week. $9.50.
Leo Laporte
Okay, so we're less for one of.
Steve Gibson
My quinty venti lattes.
Leo Laporte
We're less than a quinti venti latte at Starbucks once a month. That's all. That seems like a fair deal. You could, you know, keep the $2 and buy a cup of regular coffee. How about that? Our show today, brought to you by. I'm just teasing. Brought to you by Zscaler. We love Zscaler. They're doing something we've talked about a lot on this show, Zero Trust, that's made them a leader in cloud security. You know, the problem is clear. I mean, we all see it. Enterprises have spent billions of dollars on firewalls, you know, perimeter defenses and VPNs. And. But has it helped? No. Breaches are going up like crazy, 18% year over year increase in ransomware attacks, $75 million record payout in 2024. Although since Steve says it's illegal to pay ransomware, I think that number is secretly probably an awful lot higher than $75 million. I mean, we don't have to debate that. It's clear the traditional security tools most people use don't help. In fact, they are expanding your attack surface. Those VPNs have public facing IPs that are exploited by bad actors. And now more easily than ever, they're using AI to generate their malware tools. And of course, what happens if a hacker penetrates your extra strong perimeter defenses, often using a VPN? In fact, we just had a story last week about that breach we talked about last week. They used VPN to get inside the perimeter defenses. And once they're in there, there's nothing to stop them from going everywhere, looking in every nook and cranny, exfiltrating privileged customer information, your emails, things like that. It's a nightmare because VPNs and firewalls don't stop lateral movement. They assume that if a user's connected to the network, hey, they have carte blanche. And then of course they. They exfiltrate all that stuff encrypted. And the. And the firewalls have trouble inspecting that encrypted traffic. And, well, you could see it's not a good situation. 
Hackers are exploiting traditional security infrastructure like that, using AI to outpace your defenses. But there is a better idea. There's a better way. It's time to rethink your security. We can't let these bad actors win. You need Zscaler Zero Trust plus AI. It stops hackers by hiding your attack surface. You know, there's no public IP address anymore, so apps and IPs are invisible. There's nothing for them to hang their hat on. Also, even if they do get in, it eliminates lateral movement because users are only connected to specific apps, never the entire network. It doesn't assume just because you're in the network, you can do anything you want. And Zscaler continuously verifies every request based on identity and context. It's like a watchdog, you know, that junkyard dog watching your stuff, making sure nobody gets access to it unless you say it's okay. Zscaler simplifies security management. It has AI powered automation and they use AI to analyze over half a trillion daily transactions. Most of them fine. But looking for those needles in the haystack, the malicious attempts, detecting them and stopping them cold. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust plus AI. You can learn more at zscaler.com/security. That's zscaler.com/security. We thank them so much for their support of Security Now. And you support us, of course, when you use that address. That way they know you saw it here. zscaler.com/security. Steve, I have not looked ahead. I have not seen the picture of the week. Should I scroll up now?
Steve Gibson
It's a good one. As I said, a new entry into the ever popular. Oh dear.
Leo Laporte
This does not look like a good idea at all. Holy moly. I like the way he's managed ground. I guess that's what he's doing with a screwdriver.
Steve Gibson
Yep, that's exactly right. He's stuck the screwdriver into the VGA output in order to get it in touch with the shell of the VGA connector to establish ground. For those who are not seeing this picture, it looks like we have a case either of the power adapter connector of the laptop being loose or maybe you know, that all of those barrel connectors there are, there are several different sizes.
Leo Laporte
They're proprietary. And I bet you he doesn't have one that fits.
Steve Gibson
Yeah, and so. So we've seen before in similar pictures where, you know, somebody used fingernail clippers to jury rig connecting an American outlet or American plug to European outlets or.
Leo Laporte
Thank God laptops now all use USB-C. And you could tell this is a vintage picture. Look at the cell phone in the corner. This is a different era, thank God.
Steve Gibson
So this person was determined to, you know, the battery ran down on his laptop. It's like, okay, I gotta plug this in, gotta work that. But the adapter he has is the right voltage, but it's the wrong connector.
Leo Laporte
I hope it's the right voltage.
Steve Gibson
Oh, yeah, you definitely want to make sure of that. But those various connectors, there are some standards, but they're weak standards, and they have different numbers of millimeters of like inner and outer diameter.
Leo Laporte
I used to have a kit with all the different tips.
Steve Gibson
Right.
Leo Laporte
Remember that?
Steve Gibson
Exactly right, exactly. So it looks like we have a situation here where he does. He's got the wrong tip for his laptop. But he's like, that's not deterring him. So he's got a screwdriver stuck into the VGA output wedged in there in the case in order to obtain system ground. He's got the. The power adapter outer barrel, which is chrome, pulling against the screwdriver. So the ground of the AC adapter is connected to the shaft of the screwdriver, which then goes to the VGA shell to get ground. Then a paperclip has been opened up and stuck into the. The center of the coax of the power adapter. And then he's got a white piece, looks like a piece of insulation because he needs somehow to get the. He needs the opened up paperclip to go into and connect to the center pin of the power connector in the laptop without touching the edges, which of course is ground.
Leo Laporte
I bet he thought he was really smart doing that. I bet he thought I would.
Steve Gibson
I would argue that this guy gets an award, Leo, because the laptop is powered up against all odds of, of this just working.
Leo Laporte
You can tell it's working well, yeah.
Steve Gibson
I mean, here it is. He took a picture. He was so proud. It's like, look what I did.
Leo Laporte
Look what I did. Mom, it works.
Steve Gibson
It works. Yeah. And I can tell, looking at it as an engineer, yes, this would work. It's, you know, it's not going to survive an earthquake of any significance. But, yeah, I would. I think this is great. This is very clever.
Leo Laporte
Don't do this at home.
Steve Gibson
Where there's a will, there's a way.
Leo Laporte
Yeah, that's awesome. By the way, they're telling me in the chat that's not a cell phone, that is a cordless landline. Yeah, that looks.
Steve Gibson
Although still, the laptop's got some. It looks like that weighs. It's got some to it.
Leo Laporte
So you don't see VG. I'm thinking it's a ThinkPad.
Steve Gibson
You know, you're not seeing a VGA output on, like, natively on the laptops.
Leo Laporte
Yeah, you don't see ports like this anymore at all.
Steve Gibson
And, and there is microphone and, and headphone jacks there in, in the foreground. So it does sort of date it. Yeah.
Leo Laporte
Oh, this is good. Nice.
Steve Gibson
Nice piece of work.
Leo Laporte
Great picture. Thank you, Steve. Nice piece of work. Great picture.
Steve Gibson
Okay, so I took Apple's decision as good news. Now, better news would have been for the UK to have decided to back off from their demand that Apple arrange to provide access to the encrypted, stored iCloud backup data of anyone, anywhere, for whatever purpose they might have. But that hasn't happened, at least not so far. Apple took the next step in what I'm hoping is a bit of a dance. And that had to happen, you know, one way or another. I feel that, you know, this is the. The issue we've been perched on here for several years now. The one way or the other, the world needs to work out this issue about governments believing that they have the right to breach the privacy of anyone they choose. The question is, do they or don't they? What we're, you know, this has been brought to the fore because the technology we have now prevents that. We have the technology and Apple has implemented it where there's just no way for Apple or a government to access data which has the, as Apple puts it, Advanced Data Protection. You know, all of the possible protections turned on. BBC News reported that ADP stopped being an option for new users starting at 3pm UK time last Friday. Other outlets have subsequently confirmed that ADP is no longer an option for new users in the United Kingdom. In response to the news, our Johns Hopkins cryptography professor Matthew Green posted on X, he said, quote, if you're not in the UK, you should turn on ADP now. The more people who use it, the harder it will be to shut it off this way.
Leo Laporte
I was about to turn ADP on, then I thought, well, that Just puts a big target on my back. Right. That just announces.
Steve Gibson
Maybe it means that you're being counted as somebody who, like you're. Exactly. It is a vote. Okay, so no one in the UK can now activate Advanced Data Protection and existing users will be disabled at a later date. Now that's the thing that I sort of found interesting. My own opinion is that this is Apple intentionally not yet dropping the other shoe. It's an incremental move which allows them to wait to see what the UK chooses to do next. There's little doubt that this move has been forced upon Apple and is not going to be widely embraced. With great joy, I would think, among the UK's voting citizenry. You and I, Leo, were talking about this before we began recording. Your take is, you know, are people really going to care that much? You know, I mean, as evidenced by the fact that most people don't have it turned on. No.
Leo Laporte
It's kind of hard to turn it on and you lose some features.
Steve Gibson
I would like to have it turned on. I can't. As I've said, I've got too many legacy Apple things around here that I'm still wanting to use. And you have to have more modern hardware in order to be able to turn on because it has to be on universally on every device logged into that account or no one gets to play.
Leo Laporte
Yeah, right now my son has a laptop that he hasn't updated and I can't get rid of it because it needs his password to remove it. So I'm kind of stuck.
Steve Gibson
So the UK's parliament now realizes that if Apple is also forced to take the next step, which they haven't yet, of disabling all existing ADP enabled encryption across the UK, that's going to have a far greater negative impact, with the UK's politicians being directly blamed for forcing Apple to take away privacy guarantees that those citizens of the UK previously enjoyed. And right, they're going to be singled out. Other people, you know, the world over get to have this, not people in the UK. So since enabling ADP is something that one needs to do deliberately, and as we said, it can be a little, you know, you have to work at it in some cases, it will be those who most want it who will be having it removed. Now, I'm sure Apple is holding out hope that that won't be necessary. If this first move by Apple is sufficient to have called the UK's bluff, you know, to very clearly demonstrate that it's not joking about this and that it will proceed with removing all remaining iCloud ADP encryption, and only then for disadvantaged UK citizens, then Apple can avoid backtracking on existing encryption and can simply resume allowing those who want to turn it on to do so. I don't know what's going to happen, but I'm sure it's quite clear to everyone now that Apple holds all the cards here. I mean, they can be forced to turn it off, but then they're just going to disadvantage UK citizens. The BBC's reporting said, they wrote, it is not known how many people have signed up for ADP since it became available to British Apple customers in December 2022. Professor Alan Woodward, a cybersecurity expert at Surrey University, said it was a, quote, very disappointing development, unquote, which amounted to, quote, an act of self harm by the government. He told the BBC all the UK government has achieved is to weaken online security and privacy for UK based users, and that it was naive, he said, of the UK to think they could tell a US technology company what to do globally. 
Now opinions on this are mixed. However, the BBC reported that online privacy expert Caro Robson said she believed it was, quote, unprecedented. Well, she's right, for a company, quote, simply to withdraw a product rather than cooperate with a government, unquote. And of course, you know, we know it's unprecedented, which is precisely why the world has desperately needed this precedent to be set. We don't know which way it's going to go. Robson told the BBC, quote, it would be a very, very worrying precedent if other communications operators felt they could simply withdraw products and not be held accountable by governments. So of course that's a different take than we have. I don't think there's anything worrying about it. This is precisely what Apple needed to do, and we already know that Signal and others have said they would follow in Apple's footsteps. Yeah, I don't. You know, what can Signal do? They don't. They, they can't. There's nothing they can do except to leave. If, if the, if the UK says you must build, you know, a means of monitoring your users into your product. The BBC said, meanwhile, Bruce Daisley, a former senior executive at X, then known as Twitter, they wrote, told BBC Radio 4's PM program, quote, Apple saw this as a point of principle. If they were going to concede this to the UK, then every other government around the world would want this too. And that's a really good point. My feeling is we could not ask for a better test case setup than what we have. New users are being told they can't have something that they may want, existing users are at risk of losing it. So your move, UK. Now, of course, there is a downside and dark side to this which tempers my enthusiasm. What if the democratically elected politicians within the UK decide that they know better than their own citizens? 
What if they shrug off this first step toward Apple's removal of ADP, forcing Apple to take the next step of requiring all existing UK users who have ADP enabled to disable it? What then? So some other reporting on this quoted Mike Chapple, an IT professor at the University of Notre Dame's Mendoza College of Business and a former computer scientist at NSA. He noted that this episode illustrates, quote, one of the fundamental flaws in government efforts to undermine encryption. Faced with having to choose between security and complying with government regulations, companies like Apple tend to remove security features entirely. And here's the worry. Chapple noted that, quote, the net effect is reduced security for everyone. If other governments follow the UK's lead, we risk a future where strong encryption is functionally outlawed, which puts all of us at risk of not just government surveillance, but also to eavesdropping by other bad actors. So in other words, I've been assuming, hoping that the UK's elected parliament would lose this fight with Apple and, you know, their own citizens, and that the rest of the world would take note of that. You know, as I said last week, France is getting ready to push some of their own legislation forward to the same end. But maybe I'm the one who's being naive. You know, we learned that people don't really care all that much about encryption so long as they're able to check out how many likes they've received and that they're fine with trusting their government to do the right thing. You know, obviously on this podcast we're focused on these issues. Maybe most people aren't. We need to accept that this Apple UK standoff might very well break in that direction, and that other governments would then learn exactly the wrong lesson and immediately make similar guarantees or make similar demands, thus forcing a general global retreat on all encryption privacy guarantees.
Leo Laporte
So this is like glass half full, half empty, I guess, because I have a completely different take. In my view, Apple capitulated and the UK government got most of, they didn't get all of what they wanted, but they got most of what they wanted, which is there's no end-to-end encryption available from Apple in the UK. So how is that a win for Apple or anybody else? You can no longer do end-to-end encryption in the UK.
Steve Gibson
Right.
Leo Laporte
That seems strikes me as a capitulation on Apple's part and this will be.
Steve Gibson
Just the first shoe to drop on the UK's part. Well, you're assuming demand from everybody else.
Leo Laporte
Yeah, you're assuming that the British citizens are gonna stand up, say, no, I want my ADP. But they're not gonna do that. They're not gonna do that because, as you point out, people aren't even aware of the issue. And I think what this is gonna give is a license to every other government to do exactly the same thing. Oh, good. Apple was glad to back down on this. Apple will turn off ADP. It's as simple as sending them a secret letter saying, we want a backdoor. They don't need a backdoor anymore in the UK. They don't need a. They have, they've always had a backdoor into iCloud.
Steve Gibson
Right, right.
Leo Laporte
I mean it's a legal backdoor. They have to subpoena it. But.
Steve Gibson
Right. As long as you don't have ADP turned on, there is a means by which Apple is able to comply with the demand from the UK courts. Whereas with it turned on, Apple is unable to comply. I mean they, they're, they're able to honestly say, you know, on the stand, we're unable to give you what you want.
Leo Laporte
This is what scares me. This is what I thought would happen, which is that governments are eventually going to tell people, no, you cannot provide end-to-end encryption to your customers. And when Apple says, okay, fine, that sounds like a capitulation.
Steve Gibson
So what could they have done or nothing. I mean, what is this the problem? Is this inevitable?
Leo Laporte
Leo, they have to withdraw from the UK is the only thing they can.
Steve Gibson
Do encryption or their product.
Leo Laporte
Yeah, they can't withdraw. And by the way, that's not unprecedented. Google withdrew from China and Apple has mostly withdrawn from Russia for similar reasons. Wow. But yes, you're right. I mean, look, we know Apple's not gonna withdraw from the UK. That's not gonna happen.
Steve Gibson
No, no. And the other thing is that this is sort of a fuzzy line. So is it a phone registered by a UK citizen? What about them? Traveling out. But I got a US citizen.
Leo Laporte
This is why I said Apple partly capitulated the request from the federal from the UK government accord. And again, this has never been. Is everybody globally, not just citizens? We want a backdoor to all ADP accounts globally, including for U.S. citizens.
Steve Gibson
Well, all iCloud backup storage, you know. Yeah, yeah, yeah. They want you to, they want it. Oh, very good point. So.
Leo Laporte
So Apple didn't comply fully. Apple only did it in the UK.
Steve Gibson
Yes. They can't get. Well, they can get yours and mine because we don't have ADP turned on, but they can't get any non UK person.
Leo Laporte
Well, truthfully, we don't need it. But what I worry about is the dissidents, the, you know, the, the political opposition, political leaders, intelligence agencies, all of these people, if they want to use an iPhone and they want to use.
Steve Gibson
iCloud use cases for using ADP. Strong encryption.
Leo Laporte
Right now, we talked about this on MacBreak Weekly and it is possible to use an iPhone without iCloud. And that's what you have to do if you want to be private at this point is you turn off iCloud backup. You just don't use iCloud because Apple has the keys, just as Google has the keys to Google Drive and Microsoft has the keys to Microsoft's OneDrive.
Steve Gibson
And I think we did learn that when you turn off iCloud backup, within a short period of time, bugs the.
Leo Laporte
Hell out of you.
Steve Gibson
Apple. Well, yeah, there.
Leo Laporte
What do you mean you're not backing it?
Steve Gibson
Wait, I took a picture with this and it's not over here.
Leo Laporte
It's like, no, Apple will. You're gonna. You were gonna say, I think Apple will delete it.
Steve Gibson
They will scrub your data from the cloud.
Leo Laporte
It's gonna be a while though, and we have to trust that they're gonna do that. That's another thing. They might not. How would we know?
Steve Gibson
Oh, it's Apple though. They want to.
Leo Laporte
Yeah, I don't think they want to store it. No, that's why ADP exists, because they wanted a way to say to governments, no.
Steve Gibson
Yes, and, and essentially it brings them to parity. Remember that Android has had this. Android has end-to-end encrypted cloud backup for a while now.
Leo Laporte
Yeah.
Steve Gibson
And it's on by default.
Leo Laporte
What we don't know. This leaked out through. I've. And I wish I could. I've forgotten which. Was it? Bloomberg?
Steve Gibson
It was the Washington Post that first.
Leo Laporte
Oh, it was the Post, yes. So the Post found it. It was then confirmed by several other sources. But this is the equivalent of our National Security Letter in the US. The government can request this and the rules are you can't say that the government's asked for this. So Apple never said, oh yeah, we got. They just turned off ADP.
Steve Gibson
Thus the existence of the warrant canary. It's a warrant canary in effect: if we stop telling you we've never received a warrant, then draw your own conclusions.
Leo Laporte
So the question is, did and why wouldn't they the UK government also send this to everybody else. Google and Microsoft and Signal. And why haven't we heard from those parties? They're by the way, enjoined from saying anything about it as well. Yeah, you know, if you're going to obey the law, you can't say a word about it.
Steve Gibson
And again, this is why regardless of what happens, I'm. You know, this is what we've. This is. Everything has been building to this for the last several years.
Leo Laporte
I just fear it's not going in the right direction.
Steve Gibson
It's not.
Leo Laporte
See, I change your mind, it's half empty.
Steve Gibson
Steve, I'm an optimist. I want. I want the good guys to win. I do.
Leo Laporte
Yeah, well, you better darn well make sure you get some end to end encryption on your stuff and, and start thinking about this if you want to.
Steve Gibson
Well, and if Apple is just the first target, then we're. Then the other chips are going to fall. Right? I mean, by the way I.
Leo Laporte
Look, I don't want to get political on this, but do you think Kash Patel will hold back in any way? The new Director of the CIA?
Steve Gibson
He.
Leo Laporte
I mean, of the FBI.
Steve Gibson
Yeah.
Leo Laporte
Or, or Bongino, whatever it.
Steve Gibson
Hold back in complying with the UK or.
Leo Laporte
No, that's. The FBI is going to go full speed ahead and. Do you want the.
Steve Gibson
And demand the same thing?
Leo Laporte
This is a weapon. We now have a weaponized law enforcement in the United States. This is the time to download some secure encryption and start paying attention to your privacy because law enforcement's going to go after their enemies. And frankly, I'm probably. If they knew about me, I would be one of them. Not Steve. Steve's. No, Steve's a good guy. He would never. I mean, I'm gonna shut up right now. Go ahead.
Steve Gibson
I'm just glad I'm not a teenager now, Leo, or I'd write the history differently because, you know, I, I got myself into some trouble with, you know, escapades, but boy, I didn't have the Internet to tempt me, so I'm glad for that. Let's talk about our sponsor who's going to tempt our listeners. Oh, and I'm gonna sip on that $9.50 latte.
Leo Laporte
Now there are other ways you could spend that money, Steve. I'm just saying you're. You're automatically a member of the club. Is that what's in there, by the way? Is it quinty venti?
Steve Gibson
No, this is a smaller cup. It's only got three shots. And I did. And I.
Leo Laporte
And you made it yourself.
Steve Gibson
I made it here before the podcast, yes.
Leo Laporte
So it cost you much less. Our show today. Well, this is actually very timely. You might want to start thinking about getting some of the information that is already on the Internet about you off. This show brought to you by DeleteMe. Have you ever searched for your name online? You. I don't recommend it. You will not like how much of your personal information is publicly available for anybody who's willing to search. And there's even more for anybody who's willing to pay a buck fifty, less than that latte. Maintaining privacy is not just a personal concern. It's a concern for your business. That's why we use DeleteMe, because we want to make sure that we don't get spear-phished. It's a concern for your family. DeleteMe has plans for individuals, businesses, families. Many plans. Take a look. With DeleteMe's family plans, for example, you can ensure that everyone in the family feels safe online. DeleteMe for everybody reduces risk from identity theft, cybersecurity threats, harassment, and more. We're very lucky we started using it with Lisa's data. And you may remember the Security Now where Steve and I searched the National Public Data broker's breach database of hundreds of millions of Social Security numbers, found our Social Security numbers there, but then did not find Lisa's because we've been using DeleteMe. See, DeleteMe's experts find and remove your information. I should have been using it, but I figured, hey, I got no secrets. I don't have any privacy and no one is going to believe a spear-phishing mail from me, but they might from our CEO. And that's why it was so important to us to subscribe. DeleteMe's experts found and removed, and they'll do this for you, Lisa's information. They went through hundreds of data brokers. You can assign a unique data sheet to each family member, tailored to them. With easy to use controls, account owners can manage privacy settings for the whole family. DeleteMe does something that's really important, though. 
After that initial clean and scan, they will continue to scan and remove your information regularly. And that's important because there are always every day there's another data broker. It's a very profitable business, which I might underline is not illegal at all. It is legal in the United States to sell my Social Security number to anybody. The Chinese government, the FBI, marketers. It's legal. So this is why you need delete me. They will delete addresses, phone numbers, emails, relatives, phone numbers, social media, property values, Social Security numbers, and more. You need to protect yourself. We all do reclaim our privacy by going to joindeleteme.com twit and if you use the offer code twit while you're there, you'll save 20%. That's joindeleteme.com TWiT offer code TWiT for 20% off. So, an idea whose time has come.
Steve Gibson
Shall we? I can tell you that people care who listen to this podcast. You know, I have the GRC.sc link shortener just to make it easy to refer people to things. The number one shortcut taken of all time was to the National Public Data breach. Just shy, 8 shy, of 13,000 clicks on that. And to give you a sense, that was 12,992. The second most popular is the credit freeze shortcut, and that's only got 3,630. Oh, so four times.
Leo Laporte
Holy cow.
Steve Gibson
The number of clicks. I mean, people really did care about that National Public Data.
Leo Laporte
Just because I don't. I'm like the canary in the coal mine. I'm the guy who's like, take it all and let's see what happens. But that's just because I've been doing broadcasting for 50 years. I mean, how could I have anything to hide by this time? Nothing. On we go.
Steve Gibson
So, podcast 1012, two weeks ago, its topic was hiding school cyberattacks. And last week we took a look at the latest rising ransomware-as-a-service startup. Well, they started last February, but still, they're now number one. And that's RansomHub. One thing we didn't touch on at all during either of those recent discussions was the question of the legality of all these ransomware payments that are being made. An editorial about this appeared in a recent Risky Business newsletter, which opened with a reminder regarding the legality of paying ransoms. The newsletter's author wrote: A recent CISA report and a series of tweets from Equinix threat intel analyst Will Thomas clarified that quite a few infosec and adjacent cybersecurity experts are not fully aware that paying ransoms to a rising ransomware crew named RansomHub carries quite a high risk of breaking US sanctions. The group, he reminds us, launched in February 2024 when it started advertising its ransomware-as-a-service offering in underground hacking forums. They got incredibly lucky because just three weeks later, law enforcement agencies across the globe dismantled LockBit, which was at the time the largest RaaS, you know, ransomware-as-a-service, platform on the market. Okay, now just to interject here, what the editor meant about their being incredibly lucky was that RansomHub had established itself and its presence in the sector just as the current number one RaaS provider, LockBit, was being taken down. This left the RaaS affiliates without any base of operations. But as luck would have it, the new kid on the block, RansomHub, just happened to be there to step in to fill LockBit's abandoned role. The editorial continues: Throughout the year, many of LockBit's affiliates slowly found their way to RansomHub. By the end of the year, the platform rose to become 2024's most active ransomware operation, with its leak site listing more than 530 victims.
A CISA report published last August warned of the group's rise in popularity and increased operations. But as Will Thomas noticed, RansomHub also appears to have attracted some unsavory affiliates, namely the members of a cybercrime cartel known as Evil Corp. Evil Corp appears to have begun using RansomHub as a final payload around July of last year, dropping the ransomware onto systems previously infected via the FakeUpdates, which is SocGholish, botnet. Per reports from both Microsoft and Google, between late 2017 and '18, Evil Corp previously developed and ran its own ransomware strains such as BitPaymer, WastedLocker, DoppelPaymer, Hades and Phoenix Locker. The group abandoned its own tools after it was sanctioned in the US in December of 2019, sanctions that forced companies to flat out refuse to pay ransom. They didn't have any choice, fearing that they would break sanctions and face the wrath of US authorities. Since then, Evil Corp has been jumping between different RaaS platforms as part of a clever strategy of hiding their tracks and as a way to avoid scaring their victims with the possibility of sanction violations. With a fresh new coat of both US and UK sanctions issued in October of last year, the risk of breaking sanctions in the case of a RansomHub infection is higher than ever. So they finish saying: But still, the TL;DR here is that if you get hit by RansomHub, you better check with your legal team before even thinking of opening your wallet. So, you know, we know that the rise of ransomware is entirely fueled by the prospect of the bad guys getting ransom payments. They don't care. The bad guys could not care less about any random enterprise's network insecurities nor their databases full of proprietary customer crap. They couldn't care less. The only thing they care about is cash.
And the realization that vulnerable enterprises do care absolutely about their own crap-filled databases and about them not being publicly exposed created today's modern ransomware nightmare. So the point being, if it was ever actually possible to pinch the cash flow, the ransomware problem would slow down a lot. But as we observed also last week, that just doesn't appear to be happening. I think what we're seeing is there are still enough companies that are able to avoid the problem of sanctions, for example, not in the US where this is a problem, but are operating in countries either with loose regulations or who are not able to enforce sanctions and so forth, that are able to create this cash flow into the bad guys' wallets. This was kind of odd. I'm unsure why exactly the security and privacy industries are all up in arms over last week's news that X has started blocking its users from including links containing the Signal.me domain. But I saw this like all over the place.
Leo Laporte
Yeah. And I don't even, you know, this is one of those things where, by the way, I just tested, just now posted my Signal address. Now I see it, and I did get one person message me, but so maybe they're shadow banning it. But I don't see them blocking this now. That doesn't mean they didn't. They may have changed. This is often the case, as with, like, Mark Zuckerberg, where you do stuff and they say, oh, never mind. That was my...
Steve Gibson
Okay, so it could already be gone.
Leo Laporte
Yeah, I. Anyway, I was able to post this without being.
Steve Gibson
And do we know if anybody has been able to click it?
Leo Laporte
Because at least one person has messaged me on Signal, yes, saying welcome. So okay, maybe. Yeah, okay, I know it could be, that's, you know, been... It could be.
Steve Gibson
Well, and it did seem really strange. You get all kinds of weird messages. The blocking was supposed to cover public posts, private DMs and even personal X profiles. And the messages about, like, when a Signal.me domain was encountered were never clear. You might see "Sending direct message failed" without further explanation. Attempting to post publicly may result in "We can't complete this request because this link has been identified by X or our partners as being potentially harmful." Or you might see "This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later." And at the time of this being reported, which was late last week, an attempt to add a Signal.me link to a profile bio resulted in an error message saying "Account update failed: Description is considered malware." So, okay, anyway, maybe that's already gone. Maybe that was, you know, as you say, oh, sorry, we didn't really mean to do that, because of backlash that was, you know, created.
Leo Laporte
You never know.
Steve Gibson
And for me, you know, the fact that this was a big deal, you know, the incredible inertia that X has, is another, I think, interesting object lesson in the inertia we often observe throughout the tech sector and elsewhere. As we know, today there's been an explosion of alternate messaging platforms, you know, like Signal, in the case of Signal.me. But, you know, there's Mastodon, Bluesky, Discord, Meta's Threads, WhatsApp, Instagram, Signal, Telegram and more. Unfortunately, what this has created is a dispersion from what was a valuable single-platform concentration which Twitter originally provided. Like, you know, having everyone on different platforms is obviously far less useful for contacting everyone than having everyone in the same place. But that's the way things have evolved, and it was probably inevitable, right, that there would be alternatives and people would migrate off into their own areas. But for what it's worth, it's why I returned to email for my own purposes. As I mentioned at the top of the show, we have, you know, 16,326 subscribers at this point. I think now it's, I actually got a few during the mailing. Some additional people signed up yesterday.
Leo Laporte
Bravo. Good for you.
Steve Gibson
So anyway, I'm not surprised it's gone, and we've seen, you know, Twitter flailing back and forth. It's not the first time that, I'm still calling them Twitter, you know, X has blocked something and then backed off of their blocking.
Leo Laporte
Oh gosh, for a long time they blocked Mastodon links, you know.
Steve Gibson
Right.
Leo Laporte
So.
Steve Gibson
Right.
Leo Laporte
It could easily be that they saw Signal as a competitor as X gets into more and more things and becomes the everything app. That might also be.
Steve Gibson
But yeah, and you know, we know Elon, he's, he's, he's prone to doing things and then, you know, changing his mind. So whatever.
Leo Laporte
By the way, I have, I don't post on X and I only did this for you, but I figured posting my Signal address is probably a good thing to do.
Steve Gibson
Well, and actually, when I went to X, I'm signed out of it on my browser on my other desktop, and I tried on Sunday to log in. I logged in with my username and password. It prompted me for my six-digit one-time password. I put it in and it said invalid, and so I'm unable to log in there. So yesterday a lot of people have reported that.
Leo Laporte
By the way, don't let your X account log itself out, because it's hard to get back in.
Steve Gibson
Really?
Leo Laporte
Yeah.
Steve Gibson
That's nuts. Well, anyway, so I'm still broken.
Leo Laporte
I don't think it's intentional. I think it's broken.
Steve Gibson
Okay, good. Because I'm still logged in on my other, my desktop, and when I came here yesterday morning after the weekend, I went to X to see whether I was going to be able to get back in, and I did discover that the previous two weeks I had forgotten to post my weekly show notes summary. It used to be only to X where I was.
Leo Laporte
That's where I would get it. Yeah.
Steve Gibson
So I apologize to everybody. I said I'm sorry, my bad. And I've posted there now for today's podcast already.
Leo Laporte
So that was an account or device that you hadn't been logged out of yet?
Steve Gibson
Yeah, I never logged out of X on that other machine. I would not have done that.
Leo Laporte
Delivery timed out maybe.
Steve Gibson
I don't know. Yeah, I'm not. That's a very good point. Because I'm in it on this workstation more often than I am there. So it could have been just so many months that I didn't go there. That, yeah, right, the cookie expired.
Leo Laporte
Yeah.
Steve Gibson
Which, I know, I would like to be able to log in there. So hopefully, I think if you keep...
Leo Laporte
Trying, you'll get in eventually. Yeah.
Steve Gibson
I first encountered a short, worrisome blurb which read "Cloudflare blocked in Spain on the weekends." And it read: Spanish Internet service providers have started blocking access to some Cloudflare IP addresses on the weekends. The blocks were put in place this month after Spain's soccer league won a lawsuit against Cloudflare for hosting pirate streaming sites. According to reports in local media, the blocks are indirectly blocking access to many legitimate websites, including GitHub, Reddit and many private Spanish businesses. So this news was accompanied by a tweet. Some guy on Twitter, @TheXC3LL, tweeted: If you are an APT using Cloudflare as CDN and you see your beacons disappearing every weekend in Spain, it's because football. ISPs are blocking Cloudflare during weekend to avoid ppl, you know, people, watching football from pirate streamings. As a side effect you cannot use GitHub on weekend.
Leo Laporte
Oh my God. So do you blame the pirates or do you maybe blame the Spanish authorities or.
Steve Gibson
Before I go any further, let me remind everyone that the reason using a crude packet-level firewall to perform IP-based blocking no longer works is SNI, Server Name Indication. What SNI enables in practice is IP sharing at scale. So for example, GRC, my little company, has a handful of IPv4 IPs which I treasure, but I now have many more websites and services than I have IPs. I'm being saved by SNI, Server Name Indication, which allows the incoming connecting client, as part of its TLS negotiation, to specify which remote server the client intends to access at that IP.
Leo Laporte
Is that like port forwarding or.
Steve Gibson
It's just, you could think of it as multi-domain hosting at a single IP. So there might be hundreds or thousands of domain names whose DNS all resolves to that same single IP. So that means that access to hundreds or thousands of individual websites and services would be erroneously blocked if some court were to order blocked the IP that, you know, some copyright infringers share with all the other legitimate sites. So this is a mess. Cloudflare's own headline read: "La Liga understood dangers, went ahead anyway."
Leo Laporte
Oh boy.
Steve Gibson
And Cloudflare wrote: Cloudflare provides security and reliability services to millions of websites, helping to prevent cyberattacks and make the Internet safer. Like virtually all major cloud service providers, Cloudflare uses shared IP addresses to manage its network, meaning that thousands of domains can be accessed with a single IP address. You know, of course, this is how we've solved the IPv4 depletion problem too, right? It's like we could have lots of domains all sharing a single IPv4 address.
Leo Laporte
I get the difference. It's like port forwarding, except you don't. Since all websites use the same port, you can't just do port forwarding.
Steve Gibson
So you have to forward by name. Yeah, exactly. And that's what's exchanged during the TLS handshake. During the TLS handshake, the browser says, I'm hoping to connect to this website at this IP. And so then the proper server responds with a certificate for that domain, which the client, the web browser, then looks at and goes, oh yeah, okay, that's a good certificate. Let's go with a secure connection. So Cloudflare said: Cloudflare has repeatedly warned about the consequences of IP blocking that fundamentally ignores the way the Internet works. Indeed, other governments in Europe have acknowledged these concerns and concluded that IP blocking violates net neutrality. Although La Liga clearly understood that blocking shared IP addresses would affect the rights of millions of consumers to access hundreds of thousands of websites that do not break the law, La Liga went ahead with the blocking. This appears to reflect a mistaken belief that its commercial interests should take precedence over the rights of millions of consumers to access the open Internet. At the same time, Cloudflare regularly speaks with rights holders and policymakers about better ways to combat illegal piracy and online abuse. While Cloudflare cannot remove content from the Internet that it does not host, we have well-developed abuse processes in place to help, by connecting rights holders with service providers who can take effective action. We will continue to push for rational solutions to combat illegal piracy that do not impact the rights of millions of Europeans to browse the Internet. In other words, they're saying, we're not hosting this content, we're just part of the Internet's infrastructure, so don't blame us. We're not the problem. We're offering a solution. So some reporting on this explained: Cloudflare's statement needs no explanation, but two issues deserve highlighting.
According to La Liga's statement, its target behind Cloudflare was a web page with instructions, get this, Leo, on how to download an Android app. Not even the content. Not even pirated content. Instructions on how to download an app. If that app was the means of accessing the content, that raises an important question. When Cloudflare's IP address was blocked, did that deactivate both the app and the pirated content available through it? If not, blocking many innocent websites appears to have been weighed against the benefit of blocking an instructional web page. They also wrote: Cloudflare's suggestion that this was done deliberately could make this a matter for the European Commission at minimum. Perhaps even more remarkable was the unwillingness of the ISPs to do anything despite having the power to do so. The complication, of course, is that Telefonica and Movistar have licenses to distribute La Liga content and very little incentive to step in. Ultimately, customers of Movistar have suffered the most as individuals. This means that a decision was made to block Cloudflare in the knowledge that Movistar customer subscribers would face the most disruption. And then Movistar was instructed to carry out the blocking against its own customers, as the court envisioned, apparently. Okay, so again, just to be clear, it's the customers of the Spanish ISPs that have taken to blocking websites by IP address that are being impacted, because these customers are behind their ISPs' IP-based firewalls. After all of this, Spain's La Liga soccer league replied. They wrote: Over the last few days, multiple websites across Spain have experienced disruptions, an issue linked to the blocking of a few IP addresses by Internet service providers.
Now, just to note, under the court order that La Liga got from some judge somewhere. They wrote: These blocks were implemented following requests from La Liga to combat illegal access to its content, which Cloudflare has facilitated by knowingly protecting criminal organizations for profit. Through this conduct, Cloudflare is actively enabling illegal activities such as human trafficking, prostitution, I know, pornography, counterfeiting, fraud and scams, among other things. In fact, La Liga identified two IP addresses covered by Cloudflare which provided access to child pornography. This evidence has been fully documented and submitted as part of a formal police report. Okay, now remember, what La Liga is objecting to is a web page that provides instructions for downloading an Android app, which in turn allows streaming of live soccer matches. And Cloudflare made clear that it has mechanisms in place for dealing with illegal content. La Liga's statement says Cloudflare is actively enabling illegal activities such as human trafficking, prostitution, pornography, counterfeiting, blah, blah, blah. But it would be more accurate to say the Internet is actively enabling illegal activities such as human trafficking, prostitution, pornography, counterfeiting, fraud and scams, among other things. Because yes, the Internet as a whole does passively enable these things, right alongside all the positive things it also enables. And this is, of course, the net neutrality issue at the heart of Cloudflare's argument. They're functioning as part of the Internet's content conduit, and they are determined to remain as neutral as possible. La Liga's statement continued. They wrote: This action specifically targets IP addresses used to illegally access La Liga content, which were shielded by Cloudflare. Just like other major US tech corporations, Cloudflare enables criminal organizations. So now they've broadened this, right.
Just like other major US tech corporations, Cloudflare enables criminal organizations to digitally launder stolen illegal content, making them a complicit party in intellectual property crimes as defined in Article 270.2 of the Spanish Penal Code. Wow. Okay, now, you know, there's really a simple solution to this. La Liga could simply decide not to stream their soccer matches to the Internet at all. Just like in the old days, have fans attend their games. Then there's no problem. But no, they of course want all the benefits of this magical technology without any of the technologically enabled downside. They continue: It's important, they wrote, to emphasize that this is not a broad or indiscriminate block. Right. All evidence to the contrary. You can't get to GitHub on the weekends. And despite the need to issue this explanation in the first place, they said: La Liga is absolutely certain and has proof that these IPs are being used to distribute illegal content alongside legitimate material. So they know they're also blocking legitimate content. They said: Legal businesses affected by these blocks are those that Cloudflare has deliberately used as a digital shield.
Leo Laporte
Oh please.
Steve Gibson
To obscure illegal activity without their knowledge and while profiting from it. Wow. They said: More than 50% of pirate IPs illegally distributing La Liga content are protected by Cloudflare. Despite multiple formal requests from La Liga for Cloudflare to cease its collaboration with pirate sites, the company has refused to cooperate, instead continuing to profit from the criminal activity it helps to conceal. La Liga has repeatedly reached out to Cloudflare requesting voluntary cooperation. However, on Friday, February 7, the US tech company responded in a surprising manner, defending its actions as implausible and incoherent technical excuses. Oh, I'm sorry, defending its actions with implausible and incoherent technical excuses. This is probably just the fact that it's...
Leo Laporte
They don't understand it doing IP sharing.
Steve Gibson
Yes, exactly. This left La Liga with no other option but to take direct action. This issue is not unique to Spain. Similar measures have been taken in other countries to combat piracy of sports content. La Liga fulfilled its due diligence obligations before resorting to this step. And then they said: Google, Cloudflare, VPN providers and other entities facilitating private piracy are responsible for the illegal activities they enable and profit from. La Liga, backed by the justice system, will not relent in its efforts to protect football and the interests of its clubs against criminal action related to audiovisual fraud and digital laundering. Unquote. So, you know, "don't shoot the messenger" is a long-understood principle. To call out Google, Cloudflare, VPN providers and other entities is to say the Internet. La Liga wants to have all the benefits that derive from having the Internet, which they did not create, carrying their content for effectively no cost, while also wishing to somehow prevent that no-cost carriage from being used in ways they disapprove of. It's understandable that when served with an IP blocking court order, those ISPs within the court's reach had no choice other than to block access to that IP for all of their customers, and given La Liga's feelings, it's also understandable that they would have made such an appeal to the court. What's missing from the equation is the legal precedent that would prevent the court from producing the ruling that they did. As Cloudflare said in their statement, Cloudflare has repeatedly warned about the consequences of IP blocking that fundamentally ignore the way the Internet works. Indeed, other governments in Europe have acknowledged these concerns and concluded that IP blocking violates net neutrality. So hopefully this issue will escalate and have this lower court ruling overturned by a higher Spanish court. So the precedent will be created in Spain, and La Liga's and all others'
current and future appeals will then be thwarted, and the principles of net neutrality, which is clearly the only way a sane Internet can function and thrive, will prevail in the end. So I guess we chalk this up to growing pains. Another one of these, you know, problems which technology has created and, you know, the legal system hasn't yet decided how it's going to completely settle. We just need more legal precedent.
Leo Laporte
And a better understanding of how technology works.
Steve Gibson
Yes, exactly. Clearly we need another break.
Leo Laporte
You want some help here? You want a little help from coffee? I'm glad to offer it. Our show today, brought to you by, I love this sponsor, US Cloud. I was a little confused when they came on board, so we talked to them. I called them. I said, tell me more about your business. They said, US Cloud, we are, what do you think their business would be? The number one Microsoft Unified support replacement. I said, oh, okay, that's pretty cool. Actually, now that was months ago, because we've been talking about them for some time ever since. In fact, they are the global leader in third-party Microsoft support for enterprises. As I get to know their business better, I understand why they support 50 of the Fortune 500 companies. There are three big reasons, in my opinion, that people like US Cloud and prefer it. For one thing, you can save your business 30 to 50% switching to US Cloud over Microsoft's Unified and Premier support. Let me say that again. 30 to 50% less than Microsoft Unified and Premier support. But less wouldn't be any good if it weren't better. It is. It's faster, twice as fast average time to resolution versus Microsoft. So half as much, twice as fast. Okay. And they're there to save you money in ways Microsoft probably never will. For instance, US Cloud is excited to tell you about a new offering. This is, I think, something Microsoft's probably not going to offer: Azure cost optimization. So you know, I mean, if you think about it, Azure, it's incredibly useful, right? But what happens is, you know, there's a little Azure sprawl, a little creep going on. If you don't evaluate your Azure usage pretty regularly, you might find you're spending more than you need to. Now, from Microsoft's point of view, that's a good thing. Maybe not so much from your point of view. Well, good news. Saving on Azure is easier than you think, thanks to US Cloud. They offer an eight-week Azure engagement.
It's powered by VBox that identifies key opportunities to reduce costs across your entire Azure environment. You're not on this trip alone. You're going to get expert guidance. Oh, by the way, this is the third reason people love US Cloud. US Cloud senior engineers have an average of over 16 years with Microsoft products. They know their stuff. They'll be there to work you through this. And at the end of the eight weeks, your interactive dashboard will identify rebuild and downscale opportunities and unused resources. Now, these are just recommendations. You don't have to do any of them, but if you see some savings there, you can implement them and then reallocate those precious IT dollars towards things you might need. May I suggest perhaps investing your Azure savings in US Cloud's Microsoft support and save even more? Right. That's what a few US Cloud customers have done with this Azure engagement. They've completely eliminated their Unified spend, saving money on Azure and Unified. Sam, the technical operations manager at Bede Gaming, B-E-D-E, says, and this is his review, we got this right from the site. He gave US Cloud 5 stars. Sam said, quote, we found some things, and you might be in this situation. See if this rings a bell. We found some things that had been running for three years which no one was checking. These VMs were, I don't know, 10 grand a month, he said, but not a massive chunk in the grand scheme of how much we spend on Azure. But once you get to 40 or $50,000 a month, it really starts to add up. When's the last time you looked at your Azure spend? Right, so it's simple. You can stop overpaying for Azure. You can identify and eliminate Azure creep and boost your performance. And you can do it all in eight weeks with US Cloud. Just one of many reasons people love US Cloud. Book a call today with US Cloud and find out how much your team can save. uscloud.com. Faster, better, less expensive support than Microsoft.
uscloud.com. Call to book a call today. Get faster Microsoft support for less. They're really an impressive bunch. I had a great time talking to him. You will too. uscloud.com. Steve is now fully caffeinated, hydrated and ready to continue the program.
Steve Gibson
So indeed, through the years we've noted that vulnerabilities discovered in open SSH are vanishingly rare, and this project as a whole is widely regarded as one of the most secure of any open source project. And this is of course that's a good thing is crucial since Open SSH's role is to be positioned on the front line, exposing itself to the Internet while warding off all attackers. So when QUALYS announces the discovery of two new and potentially weaponizable vulnerabilities in this crucially important remote access technology, well, it gets everybody's attention. Last Wednesday, QUALYS disclosed they said the Qualys threat research unit TRU has identified two vulnerabilities in open SSH. The first, tracked SCVE2025 26465, allows an active machine in the middle attack on the open SSH client when the Verify Host key DNS option is enabled. The second is CVE2025 26466 affects both the open SSH client and server, enabling oops a pre authentication well, okay, it's a denial of service attack, so it's not access. The first attack, the 26465, succeeds regardless of whether the Verify Host key DNS option is set to yes or ask. Its default is no. This attack requires no user interaction and does not depend on the existence of an SSH FP resource record. That's an SSH fingerprint in DNS. In other words, verify host key DNS is an OpenSSL client configuration option that lets the SSH client, the one connecting to an SSH server, look up and verify a server's host key using DNS records, which that's very cool. Another example of DNS being so useful just as an Internet addressable database. So here you can ask for the For a given domains SSH host fingerprint, the vulnerability was introduced. They know exactly when this happened in December whoops. Of 2014. So 10 years ago, just before the release of open SSH 6.8 P1. Although Verify host key DNS is disabled by default, that is normally set to no. So it's not a problem. It's only a problem if it's set to yes or ask. 
It was enabled by default in FreeBSD from September 2013 until March of 2023. Now, although I don't use the Open SSH client on my own FreeBSD instances. When I saw that the date range included my most recent installation of FreeBSD, I checked and sure enough, FreeBSD's default in a config file for the client is indeed set to yes. So for what it's worth, it is the case that you want to make sure verify host key DNS especially when you're not using DNS. Host key lookup is set to no, but okay, it's not a huge problem. If it is, we'll get there in a second. The second Vulnerability Both the open SSH client and server are vulnerable to this 26, 466 CVE. It's a pre authentication denial of Service attack. It is an asymmetric resource consumption of both memory and cpu, so it can be used to bring down the system that the open SSH server is sitting on. And that's not good. That was introduced in August of 23, so not that far back, shortly before the release of OpenSSH 9.5P1. On the server side, this attack can be mitigated by leveraging other existing mechanisms that OpenSSH provides, such as login, grace time, max startups, and the more recent per source penalties options. The recommended action for this is just to upgrade OpenSSH9.9P2 addresses all these vulnerabilities, and that's what everybody should DO Qualys underscored OpenSSH's terrific security record. They wrote despite these two vulnerabilities, which again, they're not the end of the world. But be good to update open SSH. Overall track record in maintaining confidentiality and integrity has made it a benchmark in software security, ensuring secure communications for organizations worldwide. Okay, so what do these two things mean? Qualys writes in the first instance, if an attacker can perform a man in the middle attack via 26465, the client may accept the attacker's key instead of the legitimate server's key. 
This would break the integrity of the SSH connection, enabling potential interception or tampering with the session before the user even realizes it. SSH sessions, they wrote, can be a prime target for attackers aiming to intercept credentials or hijack sessions. If compromised, hackers could view or manipulate sensitive data, move laterally across multiple critical servers, and exfiltrate valuable information such as database credentials, and so on. Such breaches can lead to reputational damage, violate compliance mandates such as GDPR, HIPAA, and PCI DSS, and potentially disrupt critical operations by forcing system downtime to contain the threat. In the second case, SSH is a critical service for remote system administration. If attackers can repeatedly exploit that second flaw, 26466, being a denial of service, they may cause prolonged outages or prevent administrators from managing servers, effectively locking legitimate users out. An enterprise facing this vulnerability could see critical servers become unreachable, interrupting routine operations and stalling essential maintenance tasks. They said that when the Qualys research team confirmed the vulnerability, Qualys initiated a responsible disclosure process and worked with OpenSSH to coordinate its announcement and, of course, its remediation. So the bottom line is, anyone who's worried about this and who uses the OpenSSH client may wish to make sure that their client's config file has VerifyHostKeyDNS set to no, and anyone who relies on OpenSSH should look for and install the updates, which are now available. And I just need to mention that Qualys provided a truly beautiful write-up of the details of this bug. If this were a podcast that looked at the details of software vulnerabilities, then this would be the topic of the week.
They show some small snippets of OpenSSH code directly from the source and carefully describe how they went about discovering the problem, which became a vulnerability after they were able to engineer its exploitation. So the reason I bring this up is that anyone who considers themselves to be a bit of a code smith would, I think, be well served by looking at that excellent page. I've got the link to it at the bottom of page 10 of the show notes, so I recommend it highly. Okay, so some sobering news was made during last week's Munich Security Conference, as reported by Politico, who wrote that the state of Virginia's Senator Mark Warner is working to build support on the Hill, meaning, you know, in Congress, for major changes to America's offensive cyber policy amid the government's continuing failure to fully evict China's Salt Typhoon hackers from U.S. phone networks. It's like, what? Like, we know they're in there and this is like, this is a problem somehow. What? Speaking to reporters on the sidelines of the Munich Security Conference last week, Warner said he now does not believe the U.S. can ever fully oust the elite Beijing-backed hacking group Salt Typhoon from its telecommunications backbone, meaning the U.S.'s telecommunications backbone. Like, what? Without unleashing U.S. hackers inside China, or at least credibly threatening to. In other words, our technology is so weak that we give up, and so we're simply going to threaten China to get...
Leo Laporte
Out or else scare them out. You need a rock catcher.
Steve Gibson
Wow.
Leo Laporte
Holy Cow.
Steve Gibson
Mark Warner said, quote, your diplomatic pushback on the Chinese would be a hell of a lot stronger if the U.S. could tell China, we're going to go into your networks the exact same way you go into ours, unquote. Now, Warner is the first Democrat, Politico wrote, to come out so clearly in support of punching back harder in cyberspace against China in the aftermath of the Salt Typhoon breaches, with congressional Republicans and members of Trump's new administration having already signaled their support for that shift. Warner said that replacing aging and vulnerable networking equipment could cost the telecom companies tens of billions. Just wait till you hear what the vulnerability is. Tens of billions, while evicting the Chinese from every nook and cranny inside the nation's sprawling phone system could take, quote, 50,000 people. Wait, don't we have a whole bunch of people out of work now, Leo? We could, maybe, we could use them. 50,000 people and a complete shutdown of the network for 12 hours.
Leo Laporte
Oh, because no phones at all.
Steve Gibson
We're just that lame that we just give up, China. Just, you know. Warner said that he has been in talks with the heads of the congressional intelligence committees and that, quote, consensus was already there, unquote, for a new, more hawkish hacking strategy. The next step, he said, was, quote, putting meat on the bones of that idea, something that might require the formation of a bipartisan expert commission, he said. He also emphasized that he believed working through the Hill and building support among Democrats was critical to a more robust cyber deterrence strategy. Warner argued that, quote, if it comes from Trump, you know, any Democrats will just say he's just going over the top, unquote. Warner did say he felt part of the long-term solution was the promulgation of new cybersecurity regulations for the telecom sector. Yeah, that'd be good. That's something the Biden administration and several congressional Democrats have supported, but the Trump administration has, at least for now, pooh-poohed. Overall, Warner said that he was apoplectic that so few people seem to be paying attention to Salt Typhoon. He said, quote, the fact that people's heads are not exploding still makes me crazy, unquote. Wow. Okay. Now, as we've often noted, we must assume that the, you know, NSA has just as much penetration into Chinese networks as they have into American networks. I just, you know, we're not going to hear that news, right? But you have to assume that. It strikes me as a sad state of affairs that our political leaders are now suggesting that we're incapable of securing our own networks and that the only way to get them out of ours is to credibly threaten to do more damage to them through theirs. Okay, so speaking of Salt Typhoon, we've not gone in and done any sort of a deep dig. So I decided to figure out, like, what the heck. Salt Typhoon has been on the radar of several cybersecurity threat tracking groups for some time.
The commonly known Salt Typhoon name is the one it received from Microsoft's Threat Intelligence Group. But the same group, Salt Typhoon, is also known as RedMike by the Insikt Group, which is Recorded Future's network intelligence group's name. Meanwhile, Kaspersky calls them GhostEmperor, and ESET tracks them and their activities as FamousSparrow. Now, although Microsoft has not chosen to share their findings within the broader security community, others have. The news from Recorded Future's network intelligence group is somewhat dispiriting because it turns out that RedMike, as these guys call it, is exploiting, get this, Leo, two very well known, long since patched, two-year-old vulnerabilities in Cisco's IOS XE web UI. Yes, you heard that right. The infamous Salt Typhoon has been gaining entry into the world's telecom carriers using an exposed web management user interface. And not only that, they are a pair of privilege escalation vulnerabilities, CVE-2023-20198 and CVE-2023-20273, and yes, both dating back to 2023. The 20198 privilege escalation vulnerability was found in version 16 and earlier of Cisco's IOS XE web UI, and the patch for it was published by Cisco in October of 2023. Attackers exploit this vulnerability to gain initial access to the device and issue a Cisco IOS privilege 15 command, to enable them to then create a local user and password on the device. Following this, the attacker uses the new local account on the device to access it. They then exploit the associated 20273 privilege escalation vulnerability to gain root user privileges. And once that's done, the group uses this new privileged user account to change the device's configuration and add a GRE tunnel, which is similar to an encrypted VPN link, which then gives them persistent access and data exfiltration.
And all of this pain because those telecom carriers have not bothered to update their Cisco IOS firmware to fix this 18-month-old pair of vulnerabilities, both of which were fixed in October of 2023, not to mention leaving a web management UI exposed to the Internet. And that's the underlying cause of all of this mess: non-updated Cisco IOS gear for 18 months and an exposed web management user interface that allows the bad guys, these Chinese hackers, to get in, set up a persistent tunnel back out to them, and then they have unrestricted access to the network of the telecom provider. If we simply... I don't know how it takes 50,000 people to update the firmware on some Cisco devices that are still being supported, because this is only a year and a half ago.
Leo Laporte
Government, it's, it's mind-boggling. Government.
Steve Gibson
Let's aim Elon at that Elon here. I mean, he would understand all of that. Elon, go fix this. Update the firmware on the Cisco routers. Just make it so.
Leo Laporte
Yeah, you know, take all those DOGE kids and send them out updating firmware. I can get behind that. That's not a bad idea.
Steve Gibson
Okay, now, Leo, for a while I'm sure we were all somewhat intrigued by the news of this or that. Never heard of them before. Cryptocurrency exchange being hacked and losing millions of dollars worth of. Never heard of it before. Cryptocurrency or contracts or, I don't know, monkey icons or whatever. But as also eventually happened with the constant torrent of ransomware attacks, over time they turned out to just be so much background noise, you know, and for the sake of our own sanity, we stopped talking about every one of these because it was just constant.
Leo Laporte
Yeah, but this one's different.
Steve Gibson
But this one is.
Leo Laporte
Holy. Holy cow.
Steve Gibson
Not this time, folks. Under the headline. Boy, that's got to hurt. Is the news that the world's second largest by trading volume, second largest major cryptocurrency exchange was, as they say, taken to the cleaners by a group of quite determined North Korean hackers to the tune of. Is everybody sitting down? Grip your steering wheel firmly if you're. If you're listening to this during your morning commute. $1.5 billion worth of completely liquid Ethereum tokens. $1.5 billion. Wow. This makes it the largest crypto heist ever in history.
Leo Laporte
Probably the largest heist in history. Right?
Steve Gibson
It is.
Leo Laporte
How are you going to steal 1.5 billion from a, you know, armored car?
Steve Gibson
I mean, yes, it is the heist of any time in history, of the world. And it's nearly two and a half times larger than their previous record, which was the theft of $625 million from the Ronin network back in April of 2022. So I have a link in the show notes at the bottom of page 12 showing the fraudulent transaction event on the Ethereum blockchain where 401,346.76888, I mean, it goes on forever, you know, with decimals, ETH are being transferred. That transfer was fraudulent. Ethereum peaked at around $4,000 each in early December of last year and is currently trading around US$2,800, which, if you multiply 2,800 by 401,346, you get around one and a half billion dollars of liquidity that the second largest exchange, which is Bybit, lost. Okay, so the hack took place just last Friday, February 21st, and in addition to being the single largest crypto heist ever, it's also considered to be one of the most complex crypto heists ever.
Leo Laporte
You know, parenthetically kudos to Bybit because we wouldn't know all these details if they hadn't been very transparent.
Steve Gibson
Yes, they were, and they have not been sunk. They said, we've got the liquidity to cover this. You know, this does not put us out of business. But they're not happy about it. But yeah, they were very upfront. So, not only the biggest but the most complex crypto heist. The blockchain analytics firm Arkham Intelligence and also the intelligence firm Elliptic have independently claimed that they were able to track the hack to the Lazarus Group, which is a well-known North Korean advanced persistent threat group, an APT group. What we know is that Lazarus first infiltrated Bybit's network some time ago. They then quietly studied the company's internal procedures, identified, and then infected with malware, all of the multiple employees who are required to mutually sign off on any major movement of the company's funds. This multi-sign-off requirement is obviously designed to solve the problem of any single employee being hacked or phished or scammed or whatever. But that didn't thwart the attack this time. The hackers specifically targeted the process of replenishing the company's active wallets, known as hot wallets, where the company's daily operational funds are stored. When hot wallets run dry or low, crypto exchanges will move funds from their reserves, from the so-called cold wallets, to make sure there's enough liquidity to cover users' withdrawals and token inter-exchanges. The same goes for when hot wallets hold too much money. In those instances, crypto exchanges will move funds back to the offline cold reserves to safeguard those reserves from malicious actors and exploits and limit possible losses. So, you know, that all makes sense. And actually, that's what saved these guys, right? Because they've got something like 10 billion in total reserve. Only one and a half, "only," I'm saying. But still, not all of it, because they did have a bunch in cold storage, and the bad guys didn't get that.
But they did capture one massive transfer of 1.2 billion. Bybit CEO Ben Zhou says that when his staff wanted to replenish the hot wallets with new funds on Friday, the hackers altered the user interface of the crypto wallet software the company was using to move their funds. The modification appeared on the systems of every one of the multiple engineers who needed to simultaneously sign off in what is known as a multisig transaction. A tweet describing what happened, and I have the tweet in the show notes, from some random person, reads: the attacker somehow, and then we've got four points. First, identified every multisig signer. Second, infected each signer's device with malware. Third, made the UI show a different transaction than what was actually being signed. Fourth, got all signers to approve without suspicion. And then he finished saying, cold wallet security just got redefined. Now, not surprisingly, Bybit's loss of that one and a half billion dollars in Ethereum tokens did not go unnoticed. And since this makes many investors nervous about other potential weaknesses in and about Bybit's security, the company did say that news of the hack had led to a surge in withdrawal requests. CEO Zhou wrote that the company had received more than 350,000 requests from customers to withdraw their funds, and that this surge of departing money could lead to delays in processing. In response, Bybit set up a bounty for the recovery of the stolen funds. Get this: offering to pay anyone who is able to recover the funds 10% of anything they're able to recover. I'll take it. This has, in turn, set off the biggest bounty hunt on the Internet, with the winners being eligible to earn up to a whopping 150 million. Right? 10% of one and a half billion.
At the same time, not surprisingly, the perpetrators, who were naturally standing by and ready to deal with this massive windfall, quickly began laundering their funds in the hopes of hiding their tracks and diffusing the proceeds of their theft among the world's cryptocurrency exchanges. They're, you know, they're moving quickly, because if they leave the funds in their normal wallets, they risk having them hacked back by multiple parties, including law enforcement, bounty hunters, and other threat actors. Another tweet observed, and this was from VXDB, who tweeted, Lazarus has started laundering the 1.4 billion stolen ETH. And they said exch.cx, a no-KYC exchange, has recorded an abnormal spike in ETH volume: 20k ETH in the past 24 hours versus its usual 800 ETH. Their Bitcoin reserves are also empty, but their ETH reserves have increased by 900%. So yes, that 1.5 billion is, you know, sloshing around within the Internet's exchanges while North Korea tries to, you know, tuck it away in random corners of the Internet so that it's not all in one place and hopefully, you know, can't easily be tracked and recovered. And since, you know, we know blockchain activity can be monitored and tracked, we now have a bit of a shell game underway. So what's our takeaway from this? If we're wise, every event teaches a lesson that prevents its recurrence. And hopefully others are also able to learn and gain from seeing what has befallen others, and take away the same lessons without needing to first fall off the same cliff. In this case, I think the lesson here is that the systems which manage these massive cryptocurrency reserves need to be far more isolated from everyday systems than they currently are. In other words, they need to be fully air-gapped, with nothing less being sufficient. These are lessons that the professional intelligence community and those practicing the highest security in the world learned decades ago.
And nothing we've done since with our computer and networking technology has served to make air-gapping any less necessary. We could easily argue that, in fact, the reverse is true, and that air-gapping systems that absolutely and positively must never be compromised has grown more necessary today than ever before. I would bet that Bybit has just learned the same painful lesson. They obviously felt that requiring a multi-person, multi-keyed funds transfer authorization process would be sufficient. It's certainly better than requiring just one person. They just learned a one and a half billion dollar lesson, though, that it wasn't enough.
Leo Laporte
That's amazing. Wow.
Steve Gibson
Wow. Okay, we're going to talk about some sadness about us falling behind in cyberspace after another word from a sponsor. Leo.
Leo Laporte
Very good. Thank you, Steve. Our show for this portion of Security Now is brought to you by a longtime sponsor. Guys, I really appreciate Thinkst Canary. The guys and gals at Thinkst Canary have a lot of experience as pen testers. They've been teaching governments and businesses how to break into computers for more than a decade. And it was after that experience that they came up with these incredible Thinkst Canaries. These are honeypots. They are attractive to the bad guys. They will let you know the minute the bad guys just touch them, just tap on them a little bit. They can be easily deployed. That's the biggest thing, right? We know honeypots work, but normally they're, you know, technically a challenge. You don't want to put something on your network that can make your network more vulnerable. These don't. These guys really know what they're doing. You want to put something on your network that looks so valuable a hacker cannot resist it. And that's what these Thinkst Canaries are. They can represent anything. They can look like a Windows server, a Linux server. You could be a Christmas tree of services, all the lights turned on, or just a few select services turned on. They can be SCADA devices, they can be NASes. That's what mine is. It's a Synology NAS. They can be, well, I mean, the sky's the limit. An SSH server, an IIS server. They also can create, each of these things can create lure files, little individual files that look like Excel spreadsheets or Word documents or PDFs or whatever you want. And you can give them provocative names like, I don't know, Employee Information.xls, that kind of thing. The minute somebody gets into your network and tries to log into the Thinkst Canary or access those lure files, or brute force that fake internal SSH server, you're going to get an alert immediately telling you you have a problem. No false alerts, just the alerts that matter. And by the way, they'll alert you however you want.
I mean, text message, of course, beeper, email, API. They've got a very nice API. Webhooks, Slack. I mean, really, any syslog, of course. So if you've got a Thinkst Canary and you get an alert, you know we've got to do something about this. I've only gotten one alert once, and it was indeed a device in our offices that was probing every single other device in the office. We tracked it down quite quickly and got rid of it, thanks to the Thinkst Canary. So how does this work? You choose a profile for your Thinkst Canary. It's so easy that you could change it every day if you want. It's so much fun, too, to play with it. And by the way, the impersonation is excellent. They have the right MAC address, they have the login screen for my Synology NAS. It's a DSM 7 login screen. It's indistinguishable from the real thing. That's the point. Hackers aren't dumb, but they're going to be fooled by this. Once you choose a profile for your Thinkst Canary, you register it with the hosted console. They'll do the monitoring, the notifications, again, any way you want it. Then you just sit back till you need it to wake up. Attackers who've breached your network or malicious insiders, basically any adversary who's in your network, will make themselves known just by accessing the Thinkst Canary, trying to log in. You actually get valuable information when you see the email and login they use. For instance, you know a little bit more about what they know. How much does all this cost? It's really affordable. It depends, of course, on how many Thinkst Canaries you need. A big operation, a casino back end, might have hundreds. A bank might have hundreds. A small business like ours, a handful. Let's say you need five Thinkst Canaries. Well, go to canary.tools/twit. For $7,500 a year, that's all, you get five Thinkst Canaries. You get your own hosted console. All the upgrades and the support and the maintenance are built in.
And if you use the code TWIT in the "how'd you hear about us" box, you're going to get 10% off for life. If you want to try before you buy, that's fine. They have a two-month money-back guarantee for a full refund. 60 days to try it. Don't return it, though, because you don't hear anything, because that's good news, you know. And if you want, you can stage an attack and see what you get back. These are amazing. The two-month money-back guarantee should reassure you. But I have to tell you, during the, I think it's eight years now that we've partnered with Thinkst Canary, they tell me their refund guarantee has not once, never, been claimed. When people install Thinkst Canaries, they not only are grateful, they're relieved. They go, I don't know how we did without it. Thank goodness we've got it now. Visit canary.tools/twit. Make sure you use that address so they know you saw it on Security Now. Enter the code TWIT in the "how'd you hear about us" box and you'll get that 10% off. canary.tools/twit. We thank you, Thinkst Canary. And now back to Steve Areno. Okay.
Steve Gibson
So we have North Korean backed hackers stealing around one and a half billion dollars of cryptocurrency.
Leo Laporte
By the way, that's not the first. They've stolen many billions of dollars over the years. That's how they get hard cash.
Steve Gibson
Yeah, it is. Unfortunately, it's a profit center for North Korean hackers. They're good at it. Speaking at the... well, the former head of the NSA, who's also the ex-Cyber Command head, said in a wide-ranging speech and subsequent interview just this past Saturday, three days ago, that the U.S. is falling behind its enemies in cyberspace. Wonderful. Speaking at the DistrictCon cybersecurity conference in Washington, D.C., retired General Paul Nakasone said that, quote, our adversaries are continuing to be able to broaden the spectrum of what they're able to do to us, unquote, and that the United States is, quote, falling increasingly behind its adversaries in cyberspace. Unfortunately, he would be in the position to know, having led the NSA and then been in charge of Cyber Command. So, you know, that's the guy whose opinion you care about. Here's what CyberScoop wrote in their coverage of the event. And in fact, they were the people who interviewed him. They said Nakasone said incidents like Chinese government-backed breaches of U.S. telecommunications companies and other critical infrastructure, as well as a steady drumbeat of ransomware attacks against U.S. targets, illustrate the fact that we're unable to secure our networks, the fact that we're unable to leverage the software that's being provided today, the fact that we have adversaries that continue to maintain this capability. Nakasone, who led NSA and Cyber Command from 2018 until early last year and is now founding director of Vanderbilt University's Institute of National Security, said he fears the threats of the future are going to get more dangerous. One example is, quote, we're starting to see the beginnings of the bleed from non-kinetic to kinetic for cyber operations, he said.
Referring to actual physical damage, Nakasone said, quote, what's next is that we're going to see cyber attacks against a series of platforms, being able to actually down platforms with ones and zeros. A board member for OpenAI, Nakasone also talked about how artificial intelligence could make cyber offense more potent. Specifically, he mentioned the notion, oh God, of generative targeting, such as the idea of physical drones choosing their targets powered by AI. Because, Leo, what could possibly go wrong? He should read some Daniel Suarez to see, you know, how he thinks about the wisdom of autonomous AI-powered drones. CyberScoop continues, writing, and this is quoting him, quote, we're starting to challenge this idea of humans in the loop. And I also offer to you, as we think about artificial intelligence needs, think about cyber weaponry. He said, quote, how far are we talking to this idea of being able to create an agent that's going to move through your network, that's going to change based upon the topology of the network, being able to evade the defenses that are there, choosing targets of the future, unquote. Members of the Trump administration and some members from both parties in Congress have called for the United States to get more aggressive with offensive operations in cyberspace. In a separate conversation with reporters, Nakasone said he agreed with those sentiments. Nakasone's Cyber Command conducted operations dating back to at least 2018 to disrupt Iranian and Russian hackers, in conjunction with more defensive "hunt forward" missions in other nations designed to fortify allies' defenses and detect future threats against the United States. He also advocated for a philosophy of persistent engagement: to be in constant contact with cyber enemies proactively rather than reactively. Nakasone said of offensive operations, quote, we need to do more of that. Certainly it's not the only thing we need.
He said that one of the points of persistent engagement was to ensure anyone who attacked U.S. election infrastructure knew they would suffer consequences from the United States. He said, quote, can we be more forthcoming in terms of some of the things we did? Yeah, I think there's opportunity. Okay, so that's interesting. That suggests that we did something in response to foreign interference with our national elections, but that whatever it was was kept on the down-low. In his speech, Nakasone said the top priority for the United States should be hiring top talent. Under President Donald Trump, the government has been removing some of those who were in the cyber talent pipeline. Eventually, Nakasone said, quote, we're going to have to be able to engage folks again and say, hey, please come and work in government, unquote. It's an open question how long any damage to the trust of potential hires will last, he said. Another change under Trump is that Defense Secretary Pete Hegseth has reportedly sped up the implementation of a Cyber Command overhaul from 180 days, in other words, half a year, six months, to 45 days, just a month and a half. In response to a question from CyberScoop, Nakasone said, how doable is it? It's really doable when you can get the direction from the secretary. Asked if he was worried about whether the tightened timeline would lead to that implementation suffering, Nakasone answered only that the concepts of Cyber Command 2.0 have been in the works for a while already. And actually, that's true. I'll just add that the Cyber Command 2.0 initiative was started toward the end of Biden's administration, so that was already underway. And finally, they wrote, during a question and answer session with the DistrictCon audience, Nakasone did not voice any criticisms of Trump's purge of top military officials such as General Charles C.Q. Brown, chairman of the Joint Chiefs of Staff.
While praising Brown's work, Nakasone said, at the end of the day, the president gets to choose his own principal military advisor. So, yikes. We're apparently not giving as well as we're getting, as I was assuming and hoping we were. You know, the NSA is as annoyed as we all are over our inability to secure our own networks, and the future planners are seriously considering AI-powered attack drones without any of those pesky slow humans in the loop, you know, having second thoughts and gumming up the works. And again, it's just so easy to pose our favorite rhetorical question: what could possibly go wrong? Wow. I wanted to announce the achievement of another of my own milestones for the work that I'm doing on the DNS Benchmark. Friday evening I dropped the fifth pre-release of the DNS Benchmark. And just to be clear, these are not betas or even alphas. They are incremental works in progress. You know, for example, the first of the pre-releases was the day after Christmas, where the benchmark was first able to query and benchmark remote DNS name servers over IPv6. Until then it was only IPv4. So on December 26th it got IPv6 capability. Last Friday evening's fifth pre-release published its new ability to also query name servers using DNS over HTTPS and DNS over TLS. So the two encrypted protocols that it will be supporting once it reaches its final version two completion, all of that is now working. And as always, this is the reason wide-spectrum testing is so valuable. You know, even though everything appeared to be working perfectly for me, the result of that fifth release has been the discovery of a bunch of things that I had missed, a handful of bugs. So that's what I want. I could not be happier.
The benchmark is coming along nicely, and I have a terrific proving ground of pre-release testers who will help me to assure that the benchmark's final release will be as completely bug-free as version one of the benchmark was when I released it 16 years ago. So, onward. And finally, the great backdoor replacement, Leo. Last week's call for a replacement for the term "backdoor" produced the expected massive wave of replies. So first, thank you, everyone. As I mentioned earlier, we now have 16,350, and I think it's actually 353, subscribers to the weekly podcast emails. So I am receiving all the feedback I could ever ask for from all of these listeners. Among the suggestions for backdoor's replacement were many fun ideas, but the one that I saw multiple times from multiple suggestions from our listeners, and the one that feels best, is simply "master key." Oh, the idea, yeah, the idea that Apple or any other similar provider, when put in this position, would arrange their technology so as to have a master key that implicitly only they would know. I think that term, you know, it's well understood, it's immediately understood, it's clear, and it offers precisely the concept that I was looking for. You know, since while the key itself is a secret, the designed-in existence of such a key and such a capability is not. So as we know, Apple may decline to ever support any form of master key. They just may say, no, we never want that. But that's the right term. I like it way better than "backdoor." Again, backdoor just doesn't sound right. It doesn't have the right meaning and connotation. Whereas Apple holding a master key, that's, you know, that's exactly the right thing. And we know they don't want to, right? They don't want the responsibility. And all of the crypto people will argue, if you have a master key, then somebody can pick the lock.
Leo Laporte
You know, we used to call it like key escrow.
Steve Gibson
Yeah, yeah. And you, and you could arrange a key escrow. You can take a big key and break it up in pieces in order to like, you know.
Leo Laporte
Well, you don't have to do escrow. You just have to give it to somebody.
Steve Gibson
You just have to hide it somehow. Protect it somehow. Yeah.
Leo Laporte
So maybe the key escrow is the key that is given to the.
Steve Gibson
Okay, Leo, we are going to talk about the most egregious access to an access control system imaginable after our final break.
Leo Laporte
Great.
Steve Gibson
And this is just gonna. Everybody, in fact everyone's gonna be able to play along with this. You will too, Leo. Just wait for this. This is unbelievable.
C
Hey, Prime members, are you tired of ads interfering with your favorite podcasts? Good news: with Amazon Music, you have access to the largest catalog of ad-free top podcasts included with your Prime membership. To start listening, download the Amazon Music app for free or go to amazon.com/adfreepodcasts. That's amazon.com/adfreepodcasts to catch up on the latest episodes without the ads. Dinner time. It's more than just a meal. It's when work comes to a halt, where macaroni masterpieces are made and little moments turn into lasting memories. With the Blue Cash Preferred card, you can get 6% cash back at US supermarkets, so you can bring home the flavors that bring everyone together. We did say everyone. Make the special moments even more rewarding. Learn more at americanexpress.com/explore-bcp. Terms and cash back cap apply. Blue Cash Preferred.
Leo Laporte
Well, I... We're not going to take long. It's just going to be a quick reminder that yes, we have sponsors. That's wonderful, but they don't provide the full wherewithal to do this show and all the other shows we do. We tightened our belt as much as we can, but we need to rely on our listeners, our audience, for the rest. And that's why we created Club TWiT almost three years ago now, as a way for you to support the work Steve and all of our other hosts do here. Doesn't, by the way, it doesn't go to me. It goes to paying the bills, frankly. So if you are not yet a club member, may I make a pitch? There are some real benefits. You get all the shows ad-free because you're paying a mere seven bucks a month, the cost of that quinty venti latte, plus or minus two bucks. You also get all of these special events we do. And so forth and so on. And really, you also get the warm and fuzzy feeling to know that you're supporting the shows that we do here. If you want to keep listening to TWiT shows, best way to do it: twit.tv/clubtwit. That's all. Enough said. Don't need to belabor the point, Steve. Let's find out what is Freedom. And I want to know more about this. Okay.
Steve Gibson
So I assume you have a browser in front of you.
Leo Laporte
Yes.
Steve Gibson
Open it and search the Internet for the phrase, which is the title of today's podcast, Freedom Administration Login.
Leo Laporte
Okay.
Steve Gibson
And I did that a couple days ago and I got a full page of search results.
Leo Laporte
That's not a good sign.
Steve Gibson
I happened to click on the one that began... It was an IP address, 98.174.254.140. Do you see that there?
Leo Laporte
Well, I was actually using my AI search engine which was giving me instructions. So let me just go to Google because that's probably the better place to just get the raw results.
Steve Gibson
Yep, Freedom. And that's what I did.
Leo Laporte
Administration.
Steve Gibson
Freedom. Administration login.
Leo Laporte
Okay. Oh look, it's been asked for so many times. Okay. Oh yeah, look at there's the IP addresses. Wait a minute. These are actual servers.
Steve Gibson
Page after page I clicked on the 98.174.254.140. Do you see is that one there?
Leo Laporte
Well, it probably is. It's hard to find it. It's a needle in a freaking haystack. There's 98.191. Is that one?
Steve Gibson
I'll try it. I don't know what we get.
Leo Laporte
So this is. This is a login.
Steve Gibson
Okay, now I don't want you to.
Leo Laporte
Go any further because I don't want to be.
Steve Gibson
You don't want to break the law.
Leo Laporte
Prosecuted under the Computer Fraud Act.
Steve Gibson
Today's main story just makes you shake your head, but the underlying lesson is too important to ignore. Even so, if it weren't already so public, I would not be shining any brighter light on it.
Leo Laporte
This is that bad.
Steve Gibson
It's that bad. But I guess I'm glad others have. Even if I would have probably passed, the first sign of something having gone very wrong was the following short news blurb, which read, quote: Default password in Hirsch building entry systems. Hirsch Enterphone, that's the name, Hirsch Enterphone. Hirsch Enterphone building entry systems contain a hard-coded username and password for their web admin panel that can allow threat actors to unlock doors via the Internet.
Leo Laporte
See, this is a little suspicious. This page I pulled up because the copyright ends 2013. So this is one of those. It's just been left there for that.
Steve Gibson
That one probably is 12 years. The IP that I found, 98.174.254.140, was prettier looking than that one, I did see.
Leo Laporte
Yeah, there's different. This is the more modern look.
Steve Gibson
Really nice big blue screen with a 3D cube on it is the one that I end up with.
Leo Laporte
See they all look a little different depending I guess on the.
Steve Gibson
So again, it's been around for a long time, which again is sad. Okay, so the hard-coded username and password for their web admin panel, reads this news, can allow threat actors to unlock doors via the Internet. The default creds are for the admin account named Freedom that uses the password...
Leo Laporte
Viscount, which is the company that makes this, yes.
Steve Gibson
According to security researcher Eric Daigle, there are more than 700 Hirsch Enterphone systems available over the Internet, with most used by apartment blocks across the US and Canada. Hirsch says customers did not follow their instructions to change the default passwords.
Leo Laporte
However, who reads a manual these days anyway? Really?
Steve Gibson
That pesky manual. Hey, look, it works, Martha! Yeah, we're done.
Leo Laporte
Oh my God.
Steve Gibson
Fire it up.
Leo Laporte
Let's... okay, what is Freedom used for?
Steve Gibson
It unlocks all the doors of all these apartment buildings.
Leo Laporte
Oh no.
Steve Gibson
And it manages all the entries and all the key fobs and logs everything. Just wait. Just wait.
Leo Laporte
Oh, that's not good.
Steve Gibson
Hirsch says customers did not follow their instructions to change the default passwords. However, the misconfiguration's discoverer, Eric Daigle, says customers are never prompted to change the password during the setup process. Tracked as CVE-2025-26793, the vulnerability has a 10 out of 10 severity score and, okay, the news says, is very likely to be exploited. I'll be surprised if listeners to this podcast haven't already thought, well, I'm in a coffee shop anyway. This is likely the understatement of the year. Eric gave his blog posting the title "Breaking into dozens of apartment buildings in five minutes on my phone," and the subhead is "What a place to use default credentials." In his posting, Eric shared his entire process of discovery, which is so fun that it bears sharing here. He explained: A few months ago I was on my way to catch the SeaBus when I walked by an apartment building with an interesting-looking access control panel. I wrote down the MESH by Viscount brand name and made a note to look into it when I had a chance. I ended up just missing my ferry, he says, parens, the 30-minute Sunday headways are brutal, he said. So I decided to see if I could find anything promising on my phone while waiting at Waterfront for the next boat. Googling the name of the system brings up a sales page advertising TCP/IP compatibility to remotely program and maintain the system, he says. That sounds promising. So let's try to find a manual: "mesh by viscount filetype:pdf". That search gets us an installation guide. Page four explains how to log into the system's web UI. Eric attached the screenshot he took of his Android mobile phone, from which we learn, among other things, that his location has very good 5G coverage, but that he's also in rather desperate need of recharging his phone's dying battery.
On that page we see the statement: The default logon information for the Freedom web application, as well as the underlying Linux operating system, are listed in the table below. Both are case sensitive. You know, and you want to be sure to point that out to the hackers. These should be changed from the default during the software configuration process. And below that is a table showing that the Freedom login has the username freedom, all lowercase, and the password viscount, all lowercase, and that the underlying Linux system has the username, guess, yes, administrator, and the password is blank. So no need to bother with that pesky Linux password. Eric's blog posting notes: default credentials that should be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they'd surely have no reason to expose this thing to the Internet, right? The screenshot from the manual tells us the web UI login page's title is Freedom Administration Login, which gives us something to search for. Okay? In other words, this web portal's login page has the title Freedom Administration Login, which means that Google will have discovered and happily indexed all of them sitting there wide open on the Internet now. I was hoping that the server might have used some non-standard port. Silly me. And everyone can do this right now from home or from your mobile phone, just like Eric did while he was waiting for the ferry and desperately hoping that his phone's battery would last. Just search the Internet for the phrase Freedom Administration Login and you'll be rewarded with countless hits. I clicked on one. The web server is using port 80, not 443, so it's HTTP and not HTTPS, which makes it cheesy for an application like this, but. So I told Firefox that yes, I wanted to go to this old-school HTTP site, and I have the link in the show notes for anyone who cares.
And sure enough, I was greeted with a beautiful big login page for Viscount Systems Freedom. And there in the upper left was the prompt for the system's administrative login, username and password. Naturally, that's as far as I took it. But Eric went in. Here's what he shared under part one of his blog posting, Personally Identifiable Information Galore. He wrote: Exposing the panel to the Internet is dumb. Yeah, that's one word for it. That's a four-letter word, that's good, dumb. But fortunately none of these systems were accessible using the defaults. And then he says, just kidding, of course they were. The very first result happily lets me in with the freedom:viscount login. You know, that's the old-school way of putting a username and password in the URL, he says, where you put freedom, colon, viscount, he said. The first interesting thing here is the Users section. Eric shares another screenshot, from which we learn that he's now on Wi-Fi and his phone's battery is much happier. The screenshot he shares has blanked out the site's URL, for the sake of his blog posting, the building's physical address and the full building residents' names. But they're all there in their full glory alongside each resident's unit numbers, so anyone can see exactly who lives where. Eric notes: this maps residents' full names to their unit numbers. The building address is also used as the site title. That's already not great, but it's worse. In conjunction with the Events section, this is a multi-year log of every time a fob associated with a certain suite number accessed an entrance or an elevator. So we can now easily determine that, say, John Snow of Unit 999 at 123 Bear Street in Vancouver, B.C. comes home every day at 6pm. For good measure, there's also a Users section which exposes every resident's phone number.
Then we get to part two, Breaking In, where Eric writes: The personally identifiable information leaks are pretty wild, but the most interesting thing we have access to is the Controlled Areas section. In here I can apparently register new access fobs, disable existing ones, and change the doors they're authorized for. The system for this is somewhat convoluted. Fortunately I don't need to understand it at all, because I can just unlock any entrance I want through an override function. And there I have a screenshot of that page in the show notes showing Main Entrance Door, Main Entrance Access, and a dropdown list box with very pretty colorful icons, Leo, showing Unlock, with a green hasp open, and then Lock, and then Lockdown. And I suppose lockdown means that it will no longer unlock for individual users. But yes, you are able to simply choose the green unlocked icon. You'll hear a clunk at the front door and then you can just walk right in. So an attacker has the ability to unlock any of the doors, any of the doors, elevators, everything controlled by this otherwise rather high-end building access control system. And Eric notes: So I can break into this building in about five minutes without attracting any attention whatsoever. Neat. And then we get to Eric's part three, How Widespread Is This? Eric writes: Maybe I just got lucky that the default credentials worked on the first result and this is actually really rare. Let's get back to a desktop and scan more properly, he says, which he then does. He uses some semi-automated scripting to attempt logging into the 742 exposed instances that his quick search turned up.
It might be that using a more robust scanner would find many more, but of those 742, Eric's script was able to successfully log in to the building's access control system of 43% of them, just shy of half, leaving them completely vulnerable and unprotected, while also disclosing information about the building's residents that many would find quite objectionable. So why is Eric sharing all this, despite the fact that this is significant and far from being merely a theoretical vulnerability? Presumably because he first tried to do the right thing, but the vendor who indirectly created this mess in the first place could not be bothered to address it. Eric's responsible disclosure timeline shows that at the end of last year, on December 20th, he discovered this. So five days before Christmas he was looking. He was waiting for the ferry. A week later, on the 27th, he wrote: current vendor of MESH identified as Hirsch, a subsidiary of Vitaprotech Group; contacted them. On January 9, the CEO of Identiv, former vendor of MESH, was contacted. Two days later, Hirsch Product Security responds requesting details, and are asked if they intend to alert their clients. On the 29th, okay, so that was the 11th, so 18 days go by, Hirsch replies stating that these vulnerable systems are not following manufacturer's recommendations to change the default password.
Leo Laporte
They're holding it wrong.
Steve Gibson
The next day, I know, I love that. The next day, on January 30, Hirsch was asked for an update as to whether clients running vulnerable systems have been alerted. No response to that. On February 14th, the CVE, CVE-2025-26793, was assigned as a 10 out of 10. Yes, everyone knows why. And on the 15th this was published. So anyone who's been listening to this podcast for long will be well aware that there are several fundamental design flaws present here.
Leo Laporte
Really?
Steve Gibson
First and foremost, as Eric briefly noted, there's almost certainly no need for an apartment building's access control system to be exposed to the public Internet. Now, so while the Linux-based web server on the network would need to have its web server bound to the internal LAN interface to allow for administrative access by management on the LAN, it should never be bound to the WAN interface. Even Cisco is unable to do this correctly and expose a web UI to the public Internet. So certainly these clowns can't. The second thing that's wrong with this picture is the entire concept of built-in, factory-supplied usernames and passwords. Those days must come to an end. And that should have happened long ago. The lesson the industry has learned the hard way, over a span of decades of trying very hard not to learn it, is that usernames and passwords is a place where security must trump convenience and the associated annoyance of the "I cannot log into my management portal" tech support calls which will result. Deal with it. There must be no default username and password, and also no form of manufacturer-hidden backdoor username and password. As we know, any of those will be discovered the first time anyone goes looking. The system simply needs to generate a long, unique username and password the first time it is started. When it discovers they're blank, it needs to use whatever entropy it's been able to gather from the universe up to that point, which is trivial for any connected device given unpredictable network packet timings. Then use that entropy to initialize the username and password to pseudo-random gibberish. This cannot be left to chance or to someone reading "please change the username and password from their initial default" and then presumably thinking, yeah, I'll get back to that once everything else has settled down.
You know, it is absolutely important for the system to enforce their being changed just once, or being set just once, to something completely random and unguessable. Given that the username and password will initially be gibberish, an administrator should be free to change them immediately if they wish. Or the gibberish can be written down, or the user's password manager can be used to record it, or the browser's automatic built-in offer to remember it for its user can be accepted. The point is, today's ubiquitous tools mean that gibberish is no longer the daunting problem it once was. So let's have gibberish. We've learned. We've learned that doing what these clowns have done, of shipping their system with a publicly documented and thus publicly known username and password, while also allowing the system to be accessed from the Internet, is asking for exactly the sort of trouble that will now be visited upon every one of this system's owners, guaranteed. And finally, adding insult to injury, the damn things all have the same web portal page title, meaning that a simple...
Leo Laporte
Google search, it's just too easy.
Steve Gibson
Brings up hundreds and hundreds of potential victims with, as Eric's login testing script discovered, a 43% chance of those publicly known usernames and passwords allowing any casual passerby to see who lives there, where exactly they live, to view detailed historical logs of their comings and goings, and to unlock any of the doors that are controlled by the system's so-called security. Lord only knows how many other similarly insecure systems exist in the world today. There's no way the owners of these systems, who are obviously not IT-trained and -focused admins, will ever be made aware of this trouble until they begin suffering from mysteriously unlocked doors and mysterious thefts that cannot be explained because there's no sign of break-in. At that point, who's ultimately responsible for the damage that results? Well, yes, the bad guys. You know, it's criminal to do this, but it's going to happen. The saddest thing is that all this is so avoidable by better system design. It would be tempting to conclude that the coders who are designing and implementing such security systems must have no security training. How could they? But who knows? Perhaps the coders did have security training, but when they presented a secure system with a strong password policy system built in and no public access, they were overridden by management demanding an easier-to-use system that would not burden them with tech support calls and would allow them to have remote access for easier support.
Leo Laporte
That's the bingo right there. Yes, it's about support reducing support expenses.
Steve Gibson
Yes, that worrisome Log4j vulnerability that was discovered back in December of 2021, which kicked off our 2022 podcast year, turned out to be more worry than reality for exactly one reason: it was difficult to do. Its fruit was not low-hanging. It was up at the top of a very tall tree, well out of reach for all but the most determined and capable hackers. We've learned that not all would-be hackers are rocket scientists. There is indeed an upper crust of elite hackers who can hack anything, but their numbers are blessedly few. The great mass of hackers are those who need to be following a script. My point here is that this Freedom Administration Login catastrophe doesn't even require a script. It's not low-hanging fruit. The fruit has fallen off the tree and is lying on the ground waiting to be picked up or kicked around. A governing rule of computer abuse is the easier it is to abuse, the more often and likely it is to happen. I came to full attention when I encountered this story this week, because it's been a long time since we've encountered anything that's been begging this loudly to be abused. And there's no doubt that it will be, especially when you add in the fact that the physical street address for the building being managed by these systems is loudly presented at the top of every logged-in page.
Leo Laporte
Come on in guys.
Steve Gibson
It's unbelievable. There's no need to guess which buildings may as well have left all their doors permanently unlocked and the schedules of their tenants posted publicly. Given that it's trivial to log in to these portals to determine their physical address, and that the majority of these facilities appear to be located in Canada. So said Eric, a good Samaritan among us might take it upon themselves to log in, determine the building's address, and notify the building's management of this glaring security trouble. If anyone listening to this podcast wishes to do so, despite having the best intentions, I would advise taking some anonymizing precautions.
Leo Laporte
Oh yeah.
Steve Gibson
Since we've seen instances where white hat hackers are still being accused of wrongdoing, and technically, using even publicly posted credentials to log in when you don't have permission, that's a crime. But it would make for a nice security project for anyone interested in doing some good. And it's somewhat astonishing that the publishers of this atrocity, this, you know, it's an atrociously insecure access control system, replied to Eric that, well, you know, vulnerable systems are not following manufacturer's recommendations to change the default password. Of course it's their fault. Rather than taking any proactive measures to cure these and any future recommendation failures, well, that's a recommendation failure. For anyone who might be interested in pursuing this, I've included the link to Eric's blog posting on the last page of this week's show notes. I haven't mentioned that even if these systems' default username and password are changed, you know, we're still looking at the always questionable security presented by exposed Internet-facing web UI portals, right? We know how challenging their security can be. It's some Java, some JSP, is the thing that answers this login, that generates this login page. So who knows, you know, where that came from and how, you know, whether that could be bypassed. There well might be some, you know, albeit less trivial, means of bypassing these systems' login security. Having them exposed to the Internet at all and readily indexed by anyone who looks is just such a bad idea. In any event, no matter what happens from here, this did make a great case study for our 1014th Security Now podcast. Then, Leo, you and I will see everyone back here next week for number 1015. Wow.
Leo Laporte
Yes we will. What a great story. And not at all surprising there's so many like that. You know.
Steve Gibson
God.
Leo Laporte
And you didn't even have to use Shodan. Just Google. That's all it took.
Steve Gibson
Google.
Leo Laporte
Wow. I hope I don't get in trouble for showing those Google search results. How could you?
Steve Gibson
I mean, it's, it's Eric's blog posting. I found it on an, on a. Referred to in a different news site. So it's out there. Yeah, otherwise I wouldn't have talked about it. But it's such a good object lesson.
Leo Laporte
It is like how bad.
Steve Gibson
I mean, just how bad it can be. Yeah, this is, this is just egregious.
Leo Laporte
And I think to some degree this is, this happens again and again because companies want to save money on support. And so they know that somebody's going to forget the password that they said on their login screen to control all the locks in their apartment building. And they're going to call them and they say, oh, well, good news.
Steve Gibson
And they're bragging that you can access it over the Internet. You should not be able to access. Access it over the Internet. Who needs to, you know, you know, in, in the rare case that that's necessary, then enable it, but don't have it on by default.
Leo Laporte
Yeah, yeah. I mean, I think in some cases that's probably something they want. The manager's off site or something. I don't know.
Steve Gibson
And somebody paid a bunch of money for this. Leo, it's not like this is free. You know, this was an expensive access control system. It's got controls on the elevators and all the doors and it's logging people's fob use and I mean, I'm sure it's tens of thousands of dollars.
Leo Laporte
Well, if there's any justice, people will sit up and take notice. And the next time somebody needs a security system for their apartment complex, they may not buy freedom.
Steve Gibson
Talk about leaving the back door unlocked.
Leo Laporte
Yeah. Steve Gibson. The front door to his... to all the glories that is Steve Gibson is GRC.com. That's his website, the Gibson Research Corporation. There you'll find SpinRite, his bread and butter, the world's best mass storage maintenance, recovery and performance-enhancing utility. Soon, as you said, DNS Benchmark. I look forward to buying the pro version the minute it's available. While you're there, you can also check out this podcast. He's got two unique forms. Three. Well, really, everything he's got is unique. He's got a 16 kilobit version of the audio, a 64 kilobit version of the audio. We don't actually do that anymore. We do 128 kilobit. I found out that's because Apple does some re-encoding to some weird, you know, 48 kilobit thing or whatever. And so we want to give them the best quality before they do the re-encoding. You also have transcripts written by Elaine Farris, a real human being, not an NPC. So you can, you know, read along as you listen or use it to search. It's great. It should be part of your collection. You know, print it out, put the podcast on CDs and put it in your bookshelf. Then you'll have it. Your heirs will have it forever after. There is... What else do you have? That's... I think that's it. 16, 64, transcripts. Oh no, show notes. Those are there too. Although you could get those emailed to you ahead of time if you go to grc.com/email, give Steve your email address. And that's just so that you can email him, because he doesn't let anybody who's not been validated ahead of time email him. And he described that a few episodes back. But there are two checkboxes there where you can subscribe to the Security Now newsletter, which is weekly, and then of course the very infrequent newsletter that he sends out with other information. But that's your choice. Those are not checked by default. grc.com/email. We have 128 kilobit audio.
It's twice as good at our website, along with the video, which Steve does not have, wisely considering that anonymity is more important than showing his shining face to the world. That's twit.tv/sn. There's also a YouTube channel. You'll find a link there dedicated to Security Now. Great for sharing clips. So if you're going to share a clip, that's the easiest way to do it for you and for your recipient. You can make a clip of just a minute or two, or whatever you want, of the show, and everybody can click on it and open YouTube. That's really transparent for them. They don't have to have a video... Remember the days when you had to have a video player on your computer and it was all so complicated? Much easier now, thanks to YouTube. We also, of course, because it is a podcast, let you subscribe, want you to subscribe, encourage you to subscribe. It's free. All you have to do is get your favorite podcast client and search for Security Now. We do the show live. That's another way you can consume it. You can watch live every Tuesday right after MacBreak Weekly, which ends up sometime between 1:30 and 2pm Pacific, 5pm Eastern, 2200 UTC. Have I said everything I need to say? Think so. We stream live on YouTube, Twitch, X.com, TikTok, Facebook, LinkedIn, Kick, and yes, Club TWiT members get to watch in our Club TWiT Discord. Steve, have a great week. I will see you back here next Tuesday.
Steve Gibson
Thank you, my friend. Till then. Bye. It'll be March. Yay, excitement.
Leo Laporte
Stay on top of tech trends without the time sink. TWiT.tv's short-form podcasts are built for busy leaders like you, delivering essential insights in minutes. Hands-On Mac and Hands-On Windows provide quick tips for Mac and PC, while Hands-On Tech quickly addresses common tech challenges to keep your operations running smoothly. If your conference room needs an upgrade, Home Theater Geeks explores the best screen and sound systems. And if you like watching the shows, join Club TWiT to get full video access, ad-free versions and more. Get technology that matters on your schedule. Download our short-format shows now at twit.tv or your favorite podcast player.
Security Now 1014: FREEDOM Administration Login
Release Date: February 26, 2025
Hosts: Leo Laporte & Steve Gibson
1. Apple’s Standoff with the UK Over Advanced Data Protection (ADP)
Timestamp: [05:51] - [26:18]
In this episode, Steve Gibson delves deep into Apple's recent decision to disable Advanced Data Protection (ADP) for new users in the United Kingdom, a move that has sparked significant debate within the tech and cybersecurity communities.
Apple’s Decision:
Apple has ceased offering ADP to new UK users, with plans to extend this restriction to all existing users at an unspecified future date. ADP is a feature that ensures end-to-end encryption, making it impossible for Apple or governments to access users’ iCloud data.
Steve’s Perspective:
Steve views this as a strategic maneuver by Apple, suggesting that the company is testing the UK's resolve before potentially rolling out similar restrictions globally. He posits, "Apple holds all the cards here. They can be forced to turn it off, but then they're just going to disadvantage UK citizens." (Timestamp: [05:51])
Industry Reactions:
Leo’s Concerns:
Leo Laporte echoed fears that this could set a dangerous precedent, enabling other governments to mandate similar backdoors, thereby undermining global encryption standards. He remarked, "Apple capitulated and UK government got most of what they wanted, which is there's no end-to-end encryption available from Apple in the UK." (Timestamp: [26:18])
Potential Global Impact:
Steve highlights the risk of a domino effect where governments worldwide might follow the UK’s lead, leading to a widespread erosion of encryption and privacy protections.
2. The Illegality of Paying Ransoms to Cybercriminals
Timestamp: [03:13] - [07:00]
The discussion shifts to the increasingly contentious topic of ransomware payments. Recent legal clarifications indicate that paying ransoms to cybercriminals may often be illegal, potentially exposing organizations to sanctions and legal repercussions.
Legal Implications:
Paying ransoms can violate international sanctions, especially if the payment indirectly supports sanctioned entities or nations. This should prompt organizations to reconsider their crisis response strategies and prioritize robust cybersecurity measures over capitulating to attackers.
Steve’s Insight:
"Paying a ransom is often illegal, which adds another layer of complexity to an already challenging situation."
3. La Liga Blocks Cloudflare: Collateral Damage for Piracy Prevention
Timestamp: [32:00] - [68:35]
The Spanish soccer league, La Liga, recently won a lawsuit compelling Internet Service Providers (ISPs) to block certain Cloudflare IP addresses to curb piracy. However, this broad IP blocking has unintentionally disrupted access to legitimate websites like GitHub and Reddit across Spain.
La Liga’s Actions:
La Liga targeted Cloudflare to prevent access to pirate streaming sites for their matches. However, due to Cloudflare’s shared IP infrastructure, this resulted in widespread access issues for numerous legitimate services.
Cloudflare’s Response:
Cloudflare emphasized the detrimental effects of IP-based blocking, highlighting violations of net neutrality and the unintended consequences of such measures. They urged more targeted and rational solutions to combat illegal piracy without affecting innocent users.
Implications:
Steve and Leo discuss how this action not only hampers internet freedom but also sets a concerning precedent for other entities to adopt similar broad-blocking tactics, potentially leading to a fragmented and unreliable internet landscape.
4. Critical Vulnerabilities Discovered in OpenSSH
Timestamp: [73:18] - [104:57]
OpenSSH, widely recognized for its security prowess, has been found to harbor two significant vulnerabilities, shaking the confidence in this essential open-source project.
Vulnerabilities Identified:
Steve’s Analysis:
Despite OpenSSH's robust reputation, these flaws underscore the continuous need for vigilance and regular updates. Steve advises all users to upgrade to OpenSSH version 9.9p2 promptly to mitigate these vulnerabilities.
Community Response:
The discovery has sparked discussions on the importance of responsible disclosure and the challenges inherent in maintaining security within widely used open-source projects.
5. US’s Struggle Against Chinese Cyberattackers in Telecommunications
Timestamp: [68:32] - [104:57]
Steve and Leo examine the US’s ongoing difficulties in eradicating Chinese-backed attackers, specifically the Salt Typhoon group, from its telecommunications infrastructure.
Salt Typhoon’s Tactics:
The group exploits outdated Cisco IOS XE vulnerabilities and misconfigured web interfaces to gain persistent access to telecom networks, facilitating data exfiltration and system compromise.
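The misconfigured web interface the hosts mention is the IOS XE HTTP(S) management server. As an added example (not from the podcast or from Cisco), here is a small audit that scans a running-config for that server being enabled and reachable from anywhere. The config fragments are constructed; the command names `ip http server`, `ip http secure-server` and `ip http access-class` are the standard IOS XE ones, but confirm the exact syntax for your software train against Cisco's documentation.

```python
import re

# Constructed sample running-config (not from any real device): both the
# plaintext and TLS web UIs are enabled and no access-class restricts them.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Constructed hardened config: plaintext UI off, HTTPS UI limited to a
# management ACL (the ACL name MGMT-ONLY is a placeholder).
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

# Anchored at line start so 'no ip http server' does not count as enabled.
HTTP_RE = re.compile(r"^\s*ip http server\s*$", re.M)
HTTPS_RE = re.compile(r"^\s*ip http secure-server\s*$", re.M)
ACL_RE = re.compile(r"^\s*ip http access-class\b", re.M)

def audit_http_server(config: str) -> list[str]:
    """Return findings about the web management server in an IOS XE config."""
    findings = []
    if HTTP_RE.search(config):
        findings.append("plaintext web UI enabled ('ip http server'); "
                        "disable it with 'no ip http server'")
    if HTTPS_RE.search(config) and not ACL_RE.search(config):
        findings.append("HTTPS web UI enabled with no 'ip http access-class' "
                        "restriction; limit it to a management ACL or disable it")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_server(cfg) or ["no findings"])
```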
Government Response:
Former NSA head, General Paul Nakasone, expressed grave concerns about the US falling behind in cybersecurity, emphasizing the need for offensive and defensive strategies to counteract persistent threats like Salt Typhoon.
Strategic Challenges:
Steve highlights the systemic issues, including the sluggish update cycles of critical infrastructure and the complexities of international cyber warfare, which impede effective countermeasures against sophisticated adversaries.
6. Largest Crypto Heist in History by North Korean Hackers
Timestamp: [110:26] - [154:44]
A staggering $1.5 billion worth of Ethereum tokens was illicitly siphoned from Bybit, the world’s second-largest cryptocurrency exchange, marking it as the largest and most complex crypto heist to date.
Heist Mechanics:
North Korean-backed Lazarus Group infiltrated Bybit’s systems by compromising multiple employees and manipulating the multi-signature (multisig) transaction process. They altered the user interface to approve fraudulent transactions without raising suspicion.
Aftermath:
Bybit has initiated a bounty program, offering up to $150 million for the recovery of the stolen funds. Meanwhile, Lazarus Group is engaged in rapid financial laundering to obscure the thefts’ origins and movement across various cryptocurrency exchanges.
Lessons Learned:
Steve emphasizes the critical need for enhanced security measures, such as air-gapped systems and more stringent authentication protocols, to protect substantial cryptocurrency reserves from such high-stakes breaches.
7. Former NSA Chief Warns US Is Lagging in Cybersecurity
Timestamp: [155:07] - [123:01]
General Paul Nakasone, the former head of the NSA and Cyber Command, publicly stated that the United States is trailing behind its adversaries in cyberspace, particularly highlighting the persistent vulnerabilities exploited by groups like Salt Typhoon.
Key Points from Nakasone:
Steve’s Commentary:
The hosts express concern over the implications of Nakasone’s remarks, pondering the feasibility and ethical considerations of aggressive cyber retaliation strategies suggested by policymakers.
8. Picture of the Week: Freedom Administration Login - A Security Nightmare
Timestamp: [110:26] - [159:56]
The episode concludes with an alarming case study of a widely exposed access control system named "Freedom Administration Login," which has left numerous apartment buildings vulnerable due to default credentials and improper configuration.
Vulnerability Details:
Responsible Disclosure:
Security researcher Eric Daigle documented his discovery and responsible disclosure timeline, revealing the negligence of the manufacturer, Hirsch Enterphone, in addressing these critical security flaws.
Steve’s Analysis:
Steve underscores the systemic failures in design and implementation, advocating for:
Leo’s Reflections:
Leo emphasizes the ease with which such vulnerabilities can be exploited using simple Google searches, highlighting the urgent need for manufacturers to prioritize security over convenience.
Conclusion
Security Now Episode 1014 provides a comprehensive overview of pressing cybersecurity issues, from corporate and governmental challenges to glaring vulnerabilities in everyday systems. Steve Gibson and Leo Laporte offer insightful analyses, blending technical expertise with practical advice, underscoring the pervasive and evolving nature of security threats in the digital age.
Notable Quotes:
Steve Gibson on Apple’s Maneuver: "Apple holds all the cards here. They can be forced to turn it off, but then they're just going to disadvantage UK citizens." ([05:51])
General Paul Nakasone on US Cybersecurity: "Our adversaries are continuing to be able to broaden the spectrum of what they're able to do to us." ([110:34])
Steve Gibson on Ransom Payments: "Paying a ransom is often illegal, which adds another layer of complexity to an already challenging situation." ([07:00])
For Further Information:
Subscribe to Security Now: Stay updated with the latest in cybersecurity by subscribing to the Security Now podcast on your preferred platform.
Stay Secure: Regularly update your software, use strong, unique passwords, and remain vigilant against potential security threats.
Disclaimer: This summary is based on the transcript provided and aims to encapsulate the key discussions and insights shared during the podcast episode. For detailed information and context, listening to the full episode is recommended.