Firefox Privacy Policy, Signal Leaving Sweden?
Leo Laporte
It's time for Security Now. Steve Gibson is here. We'll talk about Firefox's new privacy policy. And while Steve is not concerned, Signal threatens to leave Sweden. Yet it's coming. I'm telling you. Mozilla's commitment to Manifest V2 and uBlock Origin. This week, Chrome is pushing out V3. And then we'll talk about a new way to jam radio signals. Very specifically, an individual signal in a sea of signals. It's actually a very cool technology. That and more coming up next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1015 recorded Tuesday, March 4, 2025. Spatial Domain Wireless Jamming. It's time for Security Now. Aren't you glad you you. I don't know what you downloaded it, you waited. You're watching. Aren't you glad you're glad we wait, all of us till Tuesday comes around every week I see stories, I go, I can't, I can't wait till hear what Steve thinks about this. Here he is, the man of the hour, Steve Gibson.
Steve Gibson
Aren't you, aren't you glad you're out on your multi mile run and you have something that will. You could. They'll take your mind off the boredom of putting one foot in front of the other.
Leo Laporte
I have a different way of saying it will exercise your brain as you are exercising your legs.
Steve Gibson
Sometimes you need to be careful about, you know, gripping the wheel tightly, not going off the road. You used to sit on a ball, Leo, and we'd have to make sure you were centered.
Leo Laporte
That was dangerous. I now sit in a very comfortable chair. No more balls for me.
Steve Gibson
But I had that strange harness you were sitting on for a while. I was, I was worried about you.
Leo Laporte
Oh, that thing. Yeah, that's gone.
Steve Gibson
So we're at 15 episodes past the big Y1K event.
Leo Laporte
We survived. Everybody survived.
Steve Gibson
1015, our first for March. Oh, and this is titled Spatial Domain Wireless Jamming.
Leo Laporte
What?
Steve Gibson
And it's not what you think. Oh, I, the, when I heard that, I thought, oh, okay, cool. So spatial domain means, you know, aiming something and jamming stuff, like by blasting something with a signal.
Leo Laporte
Oh, like the Portable Dog Killer.
Steve Gibson
That would be. Yes, that would be wrong. This is an astonishing new technology.
Leo Laporte
Oh, how fun.
Steve Gibson
But we'll get there. First we're gonna look at Firefox's amending their privacy policy. Followed by the world melting down. Oh, my Lord. I have a few things to say about that. Also, Signal is now threatening to leave Sweden. We have. Oh yeah, we have some aftermath of the massive. We talked about it last week. 1.5, 1.45, 1.4 depending upon when and you know how the Ethereum is trading versus the dollar on the order of $1.5 billion. Bybit Ethereum heist. We now know more. Turns out there's a view that suggests it wasn't actually Bybit's fault. I'll explain how. Also we have the Lazarus bounty monitoring and management site. You know you want to create a site if you're going to be managing a 10% commission on the recovery of that $1.5 billion we've got. I'm going to talk about in the wake of you were just talking about you were not wanting to restart Chrome because it was going to want to update and do to you what it just did to Andy as he talked about on MacBreak Weekly, Mozilla has reasserted their commitment to Manifest V2, which allows all of us who are still using Mozilla's Firefox to stay with the full strength uBlock Origin. We're going to talk about that.
Leo Laporte
Good.
Steve Gibson
Also, in a major piece of coverage this week, I want to talk about what the ACM's plea for memory safe languages means for developers. There's a takeaway for anyone who's wondering what language they should focus on. And we're going to also look at what exactly are memory safe languages. Were it not for this spatial domain wireless jamming piece. You know I'm a sucker for research. Like the actual research articles, this would be today's main topic. So we're going to give it some time. Also, Australia has joined the Kaspersky ban. Gmail announced that they're planning to switch from SMS to QR code authentication. And again, the world melted down with all kinds of. I don't want to call them idiots, but I did say the word. Then everyone's screaming about how that's worse than SMS because people can't read QR codes. My take is a little different. It's like, how can that work? Anyway, we'll get there. I do have a listener, actually. I think he's the guy who I'm thinking of who was out running right now while he's listening to this. He'll hear his name mentioned while he's running. Reported a really interesting SpinRite success. We've got a bunch of feedback which we haven't had lately because I just haven't had enough time. And then we're going to look at an astonishing new technology for targeted radio jamming, targeted Wi-Fi jamming. And Leo, you're not going to believe this. Picture of the week. This is one takes a minute to understand.
Leo Laporte
Lifetime to appreciate.
Steve Gibson
No, actually people out there who, how many times have I said, you know, no, most people really don't have any idea how any of this stuff works. They're just, I mean, and I feel sorry for them. It's just like that, you know, they just, they, they just, it must. If we've heard that, that human lifetimes are being shortened, right? It's like it's no longer. It's because of the anxiety that we, that the techies have created with all this stuff that nobody understands. They know they need it. They have to have their phone charged. But as we're, as we're going to see here, how to get that to happen remains an elusive goal.
Leo Laporte
Oh, this is interesting. This is interesting.
Steve Gibson
All right.
Leo Laporte
I can't wait. Another wonderful episode of Security Now just around the corner with Mr. Steve Gibson. But before we get into the meat and I, before I look at this picture of the week, which will take a minute to understand and a lifetime to appreciate, we want to talk about our sponsor for this segment of the show, Legato Security. I love that name. Let me talk about what Legato does. I was so of course we're really careful. We vet our sponsors. And I had a nice conversation with the folks at Legato and was very impressed with what they do. And actually I suggested an analogy. If you're a homeowner and you put in a burglar alarm, or you're a business and you put in a burglar alarm, it's no good if you don't have somebody monitoring it, right? If the burglar alarm goes off in the middle of the night and you're at home, or if you're on vacation and you're a burglar, it's useless. You have monitoring. Well, the same applies to cybersecurity. Now a giant business, I'm sure has its own 24/7 security monitoring. But no business small or mid size can afford such a thing. That's why you need Legato Security. They provide the same standard of security controls that those big enterprises depend on. But you don't have to build your own internal security operations center. They call it a SOC and Legato has one. In fact, if you go to the website, it is sweet, it is nice. It's like NASA, baby. They're monitoring your security. One of the things I love about Legato, you don't have to change the tools you use. They work with your existing security infrastructure to give you the monitoring you need as a recognized leader by CRN and MSSP Alert in 2024, Legato Security transforms how businesses think about their cybersecurity. Because Legato Security is, as I said, technology agnostic. They will work with your existing tools. They're an MSSP, a managed security service provider platform. 
They provide your business with a custom suite of security solutions tailored to your needs. But but remember they integrate seamlessly with your existing tools. Legato Security eliminates the need for a costly infrastructure overhaul. You don't have to start over. They have though on top of what you've got their proprietary security operations platform. It's called Ensemble. It actually is a great front end to all of the tools you got because you've got consolidated, prioritized, actionable alerts in real time on a single pane of glass. So it takes all the signals you're getting from your various security tools and puts them in one place. Look, we were talking Steve, about, about the Google Chrome extension hacks that happened last year. And when did they happen? They happened Christmas Eve because the bad guys knew everybody would be home and so they would have free rein to hack at least through Christmas day if not for the next two weeks. Hackers don't take holidays. In fact they like you to take holidays. Hackers start working when you clock out. Legato Security's 100% US based team provides proactive threat detection and triage. They'll help you with remediation. They're there for that too, 24/7, 365 days a year. They have a purpose built SOC by the way. I think sometimes people say oh I don't want to lose my job. No, they work with your security team. You still need that security team. But they can focus on the stuff that really matters when it's and they can go home when it's time to clock out. I think this is really a great idea. From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth. A recent customer said, quote, Legato Security is the only supplier that has delivered everything they said they would and we didn't have to drive them. They just get it done. I was totally impressed with the Legato guys. Legato Security, I love it. 
They won't call you to tell you you have a problem. When you get a call from them, they'll be there. They'll be calling to say hey, we found a problem. We fixed it. We fixed it. IT and security professionals, Legato Security's MSSP is here to augment your security team, not replace them. They're the professionals you want on your team. The pros from Dover who will help you will back up your cyber security forces and fortify your defenses proactively, 24/7, 365 days a year. It's not enough just to have security tools. You need the expertise to back it up. Oh, they have a great thing. See if your defenses are as strong as you think. Go right now to the website and you can try their free risk assessment tool that will let you know where the gaps are. Visit legatosecurity.com. Okay. Discover how they can help you regain control. And yeah, enjoy your weekends like you used to. Legato Security. And don't forget that assessment tool. I think you'll find it very, very useful. Thank you, Legato Security. Great to have you on Security Now because they're kind of doing the same thing we try to do here. All right, I'm ready to scroll up. This is the moment I wait for all week.
Steve Gibson
I gave this this picture. The caption during the phone not charging, tech support call.
Leo Laporte
Oh.
Steve Gibson
The customer asked, what do you mean? USB charger? My phone.
Leo Laporte
I plugged it into the USB charger, but it's not charging. That's not good that it fits so nicely, is it?
Steve Gibson
No, it's not good. In fact, it gave me an appreciation of the fact that we're at, you know, the. The techies who, as I have said, are pretty much responsible for creating the anxiety that everyone experiences now. We've been pretty good about making sure that the plugs and sockets only fit where they're supposed to fit.
Leo Laporte
Yeah.
Steve Gibson
You know, so, you know, you can't stick an ethernet, you know, RJ45 plug in anything where it's really not supposed to go. What? For those who are not seeing this picture, what we have is a USB C charging cable plugged into one of the slots of an AC outlet. Oh, boy. And again, this sort of says, people just don't really understand this technology, but.
Leo Laporte
It fits the hole.
Steve Gibson
It.
Leo Laporte
But, Steve, it fits the hole. Now, you probably wouldn't get electrocuted from that, I hope.
Steve Gibson
I'm hoping that. That the outer metal ground sleeve of the USB C does not go far enough, would not penetrate far enough in to come into contact with the copper spring on either side.
Leo Laporte
I'm just going to try this at home, shall we? Do not. I wonder if it does. Let me just see.
Steve Gibson
Oh.
Leo Laporte
Oh, dear.
Steve Gibson
Yeah. Because you're potentially connecting yourself to one side of the AC line, which could have, let's just say, very negative consequences. Especially if you're one of the other clowns we saw recently who was in a swimming pool while barbecuing hot dogs.
Leo Laporte
On the electric kind of thing he might do. Very funny, Steve. I love it. Thank you.
Steve Gibson
Okay, so by far the biggest brouhaha of the past week, at least among the circles this podcast and its faithful Firefox-using listeners move through, has been the concerns raised by Mozilla's change to Firefox's privacy policy. Ars Technica's headline covering this. And believe me, they were just, they, they were one of every tech outlet there. Ars' headline read, quote, Firefox deletes promise to never sell personal data, asks users not to panic, with the follow up, Mozilla says it deleted promise because sale of data is what they have in quoted. You know, quoted sale of data is defined broadly. Okay, so just first to set the background here, Ars wrote, Firefox maker Mozilla deleted a promise to never sell its users' personal data and is trying to assure worried users that its approach to privacy has. Has not fundamentally changed. Until recently, a Firefox FAQ promised that the browser maker never has and never will sell its users' personal data. An archived version from January 30th. Right. So just, you know, a month and a half ago literally says that. It says so the in the FAQ, Mozilla asked themselves, does Firefox sell your personal data? Question mark. I mean, it couldn't be any clearer than that answer. Nope, never have, never will, period. And then they go on and we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy, period. That's a promise, period. So, you know, maybe part of the problem is that they got a little carried away with the, with what they were saying before. On the other hand, it's what error. It's the warm and fuzziness that everybody who would choose Firefox instead of Chrome would want from Mozilla. So Ars said that promise is removed from the current version. There's also a notable change in a data privacy FAQ that used to say, quote, Mozilla doesn't sell data about you and we don't buy data about you, period. 
The data privacy FAQ now explains that Mozilla is no longer making blanket promises about not selling data because some legal jurisdictions define sale in a very broad way, meaning, like overly broad. And so Mozilla is just, you know, some. I mean they have attorneys too and you have to do what your attorney tells you or you could get in trouble. So it says now Mozilla doesn't sell data about you, parens, in the way that most people think about selling data, but we don't buy data about you. Since we strive for transparency data and the legal definition of sale of data is extremely broad in some places we've had to step back from making the definitive statements you know and love. We still put a lot of work into making sure that the data that we share with our partners, which we need to do to make Firefox commercially viable, is stripped of any identifying information or shared only in the aggregate or is put through our privacy preserving technologies like OHTTP. Okay, then Ars says Mozilla didn't say which legal jurisdictions have these broad definitions. Users criticized Mozilla in discussions on GitHub and Reddit. One area of concern is over new terms of use that say when you upload or input information through Firefox, you hereby grant us a non exclusive royalty free worldwide license to use that information to help you navigate, experience and interact with online content as you indicate with your use of Firefox. Okay, now I'm not an alarmist by nature, as our listeners know, and I'm committed to Firefox, but Firefox is our UI portal to the Internet and to the world. So by definition everything goes through it. Therefore, language that reads when you upload or input information through Firefox, you hereby grant us a non exclusive royalty free worldwide license to use that information to help you navigate, experience and interact with the online content as you indicate with your use of Firefox. 
Even though I might want to, you know that one is a little bit difficult to rationalize. I don't believe that I want any web browser to be examining any of the information I input through it in any way for any purpose. Ars published the first edition of their report at 9:44am Eastern time last Friday the 28th, the last day of February. They then updated it less than an hour later at 10:20am writing, quote, Mozilla has since announced a change to the license language to address user complaints. It now says you give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a non exclusive royalty free worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content. Unquote. Okay, now I had to reread that slowly several times. I think they're saying that in order to serve as a conduit for the information we input through Firefox, they need to say something about their legal position and obligations as our information conduit. Ars continues writing Mozilla also took heat from users after a Mozilla employee solicited feedback in a connect.mozilla.org discussion forum. This isn't a question of messaging or clarifying, one person wrote. You cannot ask your users to give you these broad rights to their data. This agreement as currently written is not acceptable. Unquote. Mozilla announced the new terms of use and an updated privacy policy in a blog post on Wednesday. That is, you know, earlier than all this. After seeing criticism, Mozilla added a clarification that said the company needs, quote, a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn't use information typed into Firefox, for example. It does not give us ownership of your data or a right to use it for anything other than what is described in the privacy notice. 
Unquote. Ars said one of the uses described in the privacy notice has to do with users' location data. Mozilla says it takes steps to anonymize the data and that users can turn the functionality off entirely. Then quoting Mozilla, Mozilla said Mozilla may also receive location related keywords from your search, such as when you search for Boston, and share this with our partners to provide recommended and sponsored content. Where this occurs, Mozilla cannot associate the keyword search with an individual user once the search suggestion has been served. And partners are never able to associate search suggestions with an individual user. You can remove this functionality at any time by turning off sponsored suggestions. More information on how to do this is available in the relevant Firefox support page. And they finish: Some users were not convinced by Mozilla's statements about needing a license to use data to provide basic functionality. One person wrote in response to Mozilla's request for feedback, quote, that's a load of crap and you know it. Basic functionality is to download and render web pages. Unquote. Okay, now first of all, I disagree with this disgruntled person since downloading and rendering web pages is no longer all that our web browsers do for us. A perfect example of this is this sentence I'm reading right now. It's in the PDF of the show notes that was originally entered into my Firefox browser, courtesy of Google Docs, an astonishing word processing system that runs in our web browsers. So it's patent nonsense to suggest that the job of today's browsers is only to download and render static web pages. Those days are long past. I think this brings us back to the free lunch dilemma and the reality that there's really no such thing. No one pays for the pays for or purchases the use of any web browser with their own cash. So far as I know, every web browser is "free" to use. 
And free is in air quotes because are our web browsers truly free? Is it reasonable for us to expect to take and take and take from them while giving nothing in return? We want security. We want browser extension add on stores without malware and abuse. We want absolute cross browser compatibility and secure password storage and cross platform operation. And, and, and, and who's paying for all this? We absolutely know that maintaining a contemporary web browser is incredibly expensive. Microsoft itself was unable to do it. They gave up their independence. And the industry refuses to leave things alone. The World Wide Web Consortium, the W3C, refuses to stop moving forward when with the introduction of successive advances, they want to evolve the web browser into a fully featured operating system environment. And I'm not saying that's a bad idea, because after all, I'm editing these show notes in an astonishingly full featured word processor, which we would not have if it were not for the W3C pushing forward on features and strong standards. But this means that offering a modern state of the art web browser is not only a matter of finding and fixing bugs, but it also means serious, never ending development to support the continually evolving standards. The result of all this has been the creation of an incredibly capable, complex and expensive to maintain application platform that is so easy to take for granted. Mozilla's updated statement reads, we still put a lot of work into making sure that the data that we share with our partners, which we need to do to make Firefox commercially viable, is stripped of any identifying information or shared only in the aggregate, or is put through our privacy preserving technologies. I for one believe them. These are the people who said they would never sell our data. I believe that their heart is in the right place. 
So if, as a Firefox user, anonymity is all we can obtain from Mozilla in return for their providing us with this amazing tool for free, then I'm fine with that. That's more than we get from Google and Microsoft. What's more, I'm very appreciative and I dearly hope we never lose this alternative to being swallowed by the Chromium monster.
Leo Laporte
So you're going to keep using Firefox?
Steve Gibson
Absolutely.
Leo Laporte
Yeah.
Steve Gibson
And I hope they stay solvent. I mean, well, that's the main thing.
Leo Laporte
I'm willing to, I'm willing to put up with all of this just because I don't want them to go away.
Steve Gibson
Right.
Leo Laporte
I mean, they're increasingly under pressure. Their, their market share is shrinking dramatically.
Steve Gibson
They're about 6% now.
Leo Laporte
You know, they make. And the way they make money, frankly, is Google. Google basically gives them more than $100 million a year.
Steve Gibson
Yep. And I have my home page left. The home page shows all of that sponsored stuff. And I have no problem having my, you know, when I hit my home button or open Firefox and it comes up, some of those things are interesting. I like scammed on.
Leo Laporte
Yeah, yeah.
Steve Gibson
And it. And it's like, if that's sending some money back to them, I have no problem.
Leo Laporte
Honestly, I feel like we should start paying for more stuff. I know this is a controversial thing to say. We got spoiled when the web started. Everything was free.
Steve Gibson
And remember, no one understood how everything was.
Leo Laporte
How does it, how is it. How is Facebook free? What's going on?
Steve Gibson
You know, and frankly that, you know, Twitter never made money and look what we got.
Leo Laporte
Yeah. So pay for the stuff we care about. You know, I think that that's not a bad thing. And I understand it's expensive, but. But we've been basically hiding the true cost of these things and, and paying for them with surveillance capitalism. So maybe it's time to not hide the true cost.
Steve Gibson
And yeah, I think what we need and we don't have is we need better control of incremental purchase stuff. I mean, like right now. Yes. Some micro payment system where we actually can see what's going on. You know, Roku dings me and I get charge from Hulu and I've got, you know, I've got like charges coming in all different directions. There's no central management of that. And the other thing, I dislike the idea of like, like paying if I open a web page, I don't want to pay like on a per use basis. I want to say I'm willing to pay this much a month. And as long as I do, I get as much use of that as I want. You know, that's the model. And then I can choose if I say, okay, I want to turn that off now, but we're just not There yet one of the things that I think about when I think about this, Leo, is I think about the astonishing amount of money that our government spends, which comes from us paying taxes, which says that if you have a large.
Leo Laporte
Aggregate, that too, because I just paid my taxes and it was a hell of a lot of money.
Steve Gibson
If you, yes. If you have a large aggregate of people who are all contributing, it ends up generating a huge amount of revenue.
Leo Laporte
Yeah.
Steve Gibson
Now the argument is, and no one disagrees, that our government is not always doing the right thing with all that money, that largesse that they have. But, but to me it suggests that if everybody using Firefox were to contribute something, then maybe that makes it viable and it doesn't have to be, you know, that much. I don't know. The other thing we see is that an advertising supported model does work. You know, Twit generates, you know, a significant amount of revenue from its sponsors and thank goodness for that.
Leo Laporte
Yeah, we remember when we started Security Now, we didn't have any sponsors.
Steve Gibson
No.
Leo Laporte
And I don't know what I was thinking. I thought, oh, I didn't think we'll do it for free. We paid you. We paid me. I had to pay rent, but we thought, well, we could do it with contributions, but it was never enough to do more than it was at most maybe $90,000 a year. Not enough to pay you and me and pay rent, let alone do all the shows that we do. And the club has been very good to us, but it's only about 5% of our revenue. We have to have advertising.
Steve Gibson
And look at Google. I mean, there's the, there's the model of advertising supported Internet presence.
Leo Laporte
Right.
Steve Gibson
So anyway, so my, as you point.
Leo Laporte
Out, I'm really glad you said that. That's a hell of a free word processor.
Steve Gibson
It's unbelievable.
Leo Laporte
Yeah. I mean it's amazing what we've got for free, but it ain't free. And that's important.
Steve Gibson
Yes.
Leo Laporte
You got to understand.
Steve Gibson
And we have Google Sheets and all the other stuff. I mean, it is incredible. And so I, so I just sort of wanted to put everyone's outrage over, over Mozilla having to make sure that they're not overstating what they're doing in order to cover their legal backside. And you know, and that we know their heart is in the right place. What they originally said is what they wish they could still say. But the attorneys got in there and said, you know, that's really not correct.
Leo Laporte
Somebody posted on Reddit a diff of the old and the new terms of service and there's this big blank spot where there used to be. We won't sell your data. So I can see why people were upset. But you got to put it in context. I think you're.
Steve Gibson
If they want to sell it anonymously, if they anonymize it and say here in general are the people who are using our browser, how would you like to give them an ad? I have no problem.
Leo Laporte
That's basically what we do. You know, we don't tell people anything about our listeners. We don't even know it. Yes, but we do because of the survey once a year, tell them in aggregate, they're very smart, very good people and you want to advertise to them. And it works. Anyway, thank you.
Steve Gibson
Time for a break and then we're going to talk about Signal's latest threat.
Leo Laporte
They're this one, another example. How is Signal free? Right. I would sure like to know that. How is Signal free? It's amazing. Anyway, we'll be back with more of the wonderful Steve Gibson in just a little bit. He's free, but he's brought to you by some very. That's the other thing we do. And I think that that's really important. Not only do we not tell people anything about you personally, we vet everybody. So the sponsors we have are people we use, we know, we trust. I talk to them all, I make sure that they're doing what they say they're doing. Bitwarden's a great example. We Bitwarden is an amazing password manager. It's the trusted leader in passwords. Not just passwords, but secrets. I keep all my secrets in Bitwarden because it's a strong encrypted vault with passkey management. You know, when passkeys first came out, you know, they were tied to the device. But I didn't have my iPhone to use passkeys on the desktop and all that kind of stuff. Now I have it all in Bitwarden. So everywhere I have Bitwarden, I've got my passkeys. With over 10 million users across 180 countries, over 50,000 business customers worldwide. That's wow, 50,000. Bitwarden has entered this year 2025 as the essential security solution for organizations of all sizes. Consistently ranked number one in user satisfaction by G2 and recognized as a leader in SoftwareReviews Data Quadrant, Bitwarden continues to protect businesses worldwide. I bet you didn't know, I mean, everybody knows how great Bitwarden is for individuals. It's great for business too. Recently they announced the general availability of Bitwarden's native mobile applications. I've been using the Bitwarden app forever. I didn't realize it wasn't native. It's now native on iOS and Android. That means you get faster load times, improved functionality, you get, you know, platform specific UI which makes it more intuitive to use, deeper hardware integration. 
That's a big deal for security, including biometric authentication and multi device support that enhances usability as well as security. Plus Bitwarden has strengthened its password manager. And I love this with SSH. So I never use a password to log into my SSH servers, I always use keys. But it's a long multi step process to generate the keys, upload them to the server, all this stuff. Now, now you can do it inside Bitwarden. This addresses a critical security challenge where up to 90% of authorized SSH keys in large organizations just go unused because probably it's just too complicated. By centralizing cryptographic key management inside Bitwarden, you enable secure storage. No longer will there be a risk of uploading your private key to GitHub. It makes it easy to import existing keys so you don't have to generate new ones. And this is amazing. You can generate SSH keys now directly within the Bitwarden vault. So it's safer, it's more secure and it's easier for developers and IT professionals. But that's just one of hundreds of great features that set Bitwarden apart. That and frankly they prioritize simplicity. This is a better way to do SSH, a better way to do passwords, a better way to do passkeys. Setup only takes a few minutes. They support for your business, they'll support importing from existing password management solutions, you know, directly. And if you're curious, you know, this is really important to me. Bitwarden is open source, GPL licensed. You can inspect the source code, anyone can. And they are regularly audited by third party experts and they publish the results of those audits. Look, your business deserves a cost effective solution for enhanced online security. Your business deserves Bitwarden. See for yourself. Get started today with Bitwarden's free trial of a Teams or Enterprise plan. And as always, it's open source, which means it is free for individual users, all devices, unlimited passwords, passkeys and hardware keys too. 
If you're an individual, it's a no-brainer. bitwarden.com/twit. I'm pitching the businesses too. It should be a no-brainer for you too. It's a great solution. bitwarden.com/twit. We thank them so much for supporting Security Now, and supporting your security now. Now back to Steve with more security.
Steve Gibson
Clearly the ones to use.
Leo Laporte
Oh yeah, you use it right.
Steve Gibson
Every argument, you know, is in favor of it.
Leo Laporte
Exactly. Thank you.
Steve Gibson
Okay, so we have... I don't know if it's bad news, because I really do want this fight. So I won't say it's bad news. It's news on the governments-versus-enforceable-privacy saga. Now, Sweden's government has scheduled discussions next month of legislation to require communication providers to allow police and security services access to their message content. Not surprisingly, our friend Meredith Whittaker, Signal Foundation's president, immediately responded to this news, saying that Signal will pull out of Sweden if the government there passes such a surveillance bill. In an interview on Swedish national public television, SVT, she added that such a backdoor would undermine its entire network and users across the world, not just in Sweden. And as we know, this is the second time Meredith has indicated that Signal would leave a country over its backdoor demands. In 2023, she threatened to leave the UK if the government mandated backdoors in its Online Safety Act. And we all know that these matters are far from settled, and they need to be. That's, you know, one of the big things happening in cybersecurity today. Now, not everyone, even in Sweden, is on the same page. It turns out that Signal is very popular and widely used within the country's armed forces, where staff were recently asked to start specifically using Signal due to its known and proven super-secure messaging capabilities. In a letter to the Swedish government, the Swedish armed forces wrote that the legislation under consideration could not be realized, quote, "without introducing vulnerabilities and backdoors that may be used by third parties," unquote. In other words, the familiar refrain that it's not possible to have it both ways. It's either secure for everyone and from everyone, or it's not truly secure for anyone. The question is, what happens with iMessage and Google Messenger? You know, Apple's...
As we know, Apple shutting down the enabling of new full end-to-end iCloud storage encryption by UK users is one thing, but what happens if Sweden mandates, as they apparently plan to, that all communications occurring within its borders be decryptable? Just over a year ago, it was last February when we covered Apple's announcement of their PQ3. That was, remember, Post-Quantum Level 3. They created this kind of cockamamie leveling system where Signal they put at level two, because level two didn't have perfect forward secrecy, and they were going to be enabling a dynamic rolling and re-keying of all messages, which gave them not only post-quantum technology but also so-called level three, which they just sort of created out of whole cloth. And thus they were claiming last February that it would be fully state-of-the-art encryption. Okay, so now Sweden says, sorry about that, but we've just unilaterally enacted legislation to reverse, remove, and restrict the privacy rights Swedish citizens have been enjoying with their use of iMessage. You know, we're not going to allow anyone in Sweden to enjoy the benefits of that level of security because, you know, it makes us nervous and it might be abused, even though everybody has it today and has always had it as long as iMessage has been around. Right? Because that's always been encrypted. So we know what Signal is going to do. They've made that very clear. And they really have to follow through with the promise. Right? But what will Apple do? On this topic, I solicited some help from ChatGPT's o3-mini model.
Leo Laporte
Okay, what will Apple do? Is that what you asked it?
Steve Gibson
No, I worked with it to come up with a good acronym for this mess and together we came up with one.
Leo Laporte
Oh good.
Steve Gibson
I present NOCRYPT. N-O-C-R-Y-P-T, which stands for Nationwide Outlawing of CRYptography, Restricting Your Privacy Too.
Leo Laporte
Wow, that's a good acronym.
Steve Gibson
That good. Wow.
Leo Laporte
Congress should start using ChatGPT. That's good. NOCRYPT.
Steve Gibson
Nationwide Outlawing of CRYptography, Restricting Your Privacy Too. So Leo, I, you know, I hope Sweden goes forward with this. We need this resolved, because Apple, what are they going to do? They can't decrypt iMessage. I mean, maybe, but wow. I mean, that's bigger than saying, okay, well, we'll turn off, you know, full end-to-end encryption for iCloud so you can get, you know, if someone has got iCloud backup on, you'll be able to get into that. But saying we want all your communications decrypted, that's a direct strike, you know, at iMessage. What does Apple do? Wow. Okay. Bybit aftermath. Following up on last week's news of the largest-ever cryptocurrency heist by North Korea, the short version is, it looks like they're probably going to get away with it. I have an interconnection chart here in the show notes at the bottom of page five, which is from Chainalysis, which analyzes blockchains. It depicts the complexity of North Korea's laundering efforts so far. That's literally the movement of pieces of Ethereum between and among exchanges. As you know, taking every endpoint that is shown, there is an intermediate address with token swaps and cross-chain movements that not only attempt to obscure the stolen funds, but also serve to demonstrate the far-reaching consequences of this exploit across the broader crypto ecosystem. Basically, everybody is feeling the effects of this as North Korea anonymously breaks this apart and, you know, tries to move it around. Chainalysis reports that a whopping $40 million of the $1.5 billion have been recovered. So, you know, only another $1.46 billion to go. Chainalysis wrote: Despite the severity of Bybit's attack, the inherent transparency of blockchain technology presents a significant challenge for malicious actors attempting to launder stolen funds. Every transaction is recorded on a public ledger. Right?
I mean, that's the whole concept of Bitcoin and blockchain and the various cryptocurrencies. Every transaction is recorded in a public ledger, which enables authorities, they wrote, and cybersecurity firms to trace and monitor the flow of illicit activities in real time. Collaboration across the crypto ecosystem is paramount in combating these threats. The swift response from Bybit, including its assurance to cover customer losses and its engagement with blockchain forensic experts, exemplifies the industry's commitment to mutual support and resilience. By unifying resources and intelligence, the crypto community can strengthen its defenses against such sophisticated cyber attacks and work toward a more secure digital financial environment. And they finish: We're working with our global teams, customers, and partners across both the public and private sectors to support multiple avenues for seizure and recovery in response to this attack. Already, we've worked with contacts in the industry to help freeze more than 42... I wrote 40; later I saw it's 42 million. So, freeze more than $42 million in funds stolen from Bybit, and continue to collaborate with public and private sector organizations to seize as much as possible. We will continue to provide updates on this matter. So again, 40 million out of 1.4, 1.5 billion. Okay, that gives you a sense for how difficult it is. Even though all of the transactions are public, clearly the North Koreans behind this were poised and ready, assuming they were going to get this windfall, to break it up in pieces and just scatter it to the four corners and then mix it up and move it around and break it down into pieces small enough that they wouldn't be individually obvious. Meanwhile, answers to the questions of how Bybit could have screwed up so much as to lose that 1.4, 1.5 billion in Ethereum to North Korean hackers are beginning to trickle in.
What's been learned is that the intrusion into Bybit was less of their making than was originally reported. The actual intrusion originated at the supplier of one of their services, an organization named Safe Wallet, which unfortunately is... You know, they wish it was a little safer than it turned out.
Leo Laporte
They need an acronym. Not safe.
Steve Gibson
Safe Wallet is a multisig wallet provider. So first of all, who knew such a thing existed? Well, the Bybit guys did, and they said, hey, there's this service that does multisig wallet provisions. We need that. Let's use them. The new evidence reveals that the North Korean hackers initially hacked Safe Wallet. The hackers injected...
Leo Laporte
Huh.
Steve Gibson
So it was... It's one of those managed service provider sort of attacks, where somebody you subcontracted some of your stuff to got hacked, and that's what brought you down.
Leo Laporte
Wow.
Steve Gibson
Yeah. The hackers injected malicious code into the Safe Wallet domain which selectively targeted Bybit's smart contracts and multi-signature process. Safe Wallet says it has now removed the code. One would hope. And also, in the meantime, the FBI has independently confirmed North Korea's involvement in the hack and linked it to a group that it tracks as TraderTraitor, which is also Lazarus. Now, okay. This notion of a multisig wallet provider was news to me. So being curious about this, I went over to see what they were about, and I got a kick out of this. You might do that. Do it, Leo. See if it's still up. I just googled Safe Wallet, and they've got curly braces around the name Wallet. I think it's probably just safewallet.com or something. Anyway, when I went to their homepage, I was greeted by an intercept which dimmed the entire screen and gave me a little pop-up which required that I click on "I understand." Yep, there it is. It says, Security notice. It said, due to recent security incidents, it is important to ALWAYS (in caps) verify transactions that you are approving on your signer wallet. If you can't verify it, don't sign it. And then it says, more information on how to verify a Safe transaction can be found in the corresponding help center article, with an off-site link, an off-page link, and then the big "I understand" button. So this wasn't there last week, and...
Leo Laporte
You can't get through to the rest of the site until you understand.
Steve Gibson
Yeah, that's right. So these guys are like, oops, we gotta, you know, do a little CYA here. So you click on that, and then you're able to go through. And then an abbreviated form of this message was repeated at the top of the page behind that front-page intercept. Now, without digging into the weeds of all this, what we see is evidence of this newer trend, you know, broadly, this newer trend of assembling a working system from many various bits and pieces of services offered by others. You know, there's plenty of support for the concept of let's not reinvent the wheel, right? You know, the idea of allowing specialists to focus upon their specialty, where they're able to add value. This is the modern-day equivalent of, you know, building apps from library components. And of course we've seen that this model can and has suffered from supply chain attacks. So it's not without a downside. In the same way that the managed service provider model caused a lot of cryptocurrency, I mean, a lot of ransomware to creep into the... Remember, was it dental offices a few years ago that were across the board being hit with ransomware demands? Turns out they were all using the same dental services managed service provider. And that's how the bad guys got in. So now we've seen another example of a failure of the online service provider model. Given all the evidence we have now, you know, I would tend to hold the Bybit guys less, I don't know if I would hold them completely harmless, but less responsible, because their network wasn't hacked. A service provider whose security they were relying on was hacked. They trusted in the security and integrity of a service whose entire job it was to provide exactly that trusted security. And that service let them down.
You know, the very expensive breach more lies at the feet of the Safe Wallet service provider, whose network was infiltrated and then was used to perpetrate this one-and-a-half-billion-dollar heist. So, still, ouch. Meanwhile, and this page you're going to want to look at, Leo: lazarusbounty.com. Actually, it's a shortcut of the week, so it's easy to get to: grc.sc/0... I'm sorry, 1015. It's today's episode number. grc.sc/1015. This is a very cool page. As I noted last week, the Bybit guys know how to motivate the Internet's bounty hunters. Not that it looks like it's actually going to make much difference. But, you know, as we said, they're offering them a 10% instant payout bounty for the recovery of any of the stolen coinage. They named this the Lazarus bounty, after the infamous North Korean gang who, as I noted, the United States FBI and others have independently confirmed was behind the theft. The Bybit guys quickly created a bounty leaderboard and payout tracking website to manage this bounty. That, as I said, is this week's shortcut of the week. So anybody can get to it by going to grc.sc/1015, which is today's episode number. As of Sunday evening, the evening before last, when I was writing this page, the total available bounty is $140,000. So that's 10% of the estimated $1.4 billion that was stolen. And as I noted before, you know, the range varies between 1.4 and 1.5 billion due to fluctuations in the price of Ethereum. The total aggregate awarded so far of that available $140,000 is $4,286. So, you know, 4.2K, a little over $4,000. And that's spread across 17 bounty recipients. But the largest of those is some guy who managed to find and lock down $42 million. So that's the 42 million that I mentioned earlier that the Chainalysis guys talked about. So what's clear is that the 1.4, 1.5 billion was almost too much value to launder in order to keep its subsequent laundering sub-transactions from being suspicious.
I mean, it was a lot of money to hide in a public ledger system, which is what all of the cryptocurrencies are. That 1.5 billion needed to be broken into a huge number of much smaller transactions, much smaller amounts, and then spread out into many wallets, and then rapidly moved, broken, reassembled, and further mixed. Last week I described the process as something of a shell game, and I think that's a pretty good analogy. And at this point, what are we, maybe 10 days downstream, and we only have one guy who has managed to, you know, snag 42 million of the 1.4 billion. You know, as the detectives say, the trail is growing colder with each passing day. So it's looking like, you know, those proceeds, very few of them are going to find their way back home. It'll be interesting, though. This Lazarus bounty site, grc.sc/1015, has got some animated graphics, and it's kind of fun to create a leaderboard of the recovery effort, but... Look at that.
Leo Laporte
If there's only one player, you're not really going to have much of a leaderboard.
Steve Gibson
Yeah, well, exactly. There are 17 bounty hunters that are listed there, last time I checked a couple days ago. But still, most of them are just not finding much at all. So it's looking like the bad guys are going to largely get away with this. And we should talk about a good guy, Leo. Who?
Leo Laporte
Our sponsor.
Steve Gibson
Funny you should mention that.
Leo Laporte
You're so. You're so kind. Thank you, Steve.
Steve Gibson
Then we're going to talk about Mozilla's commitment to manifest V2.
Leo Laporte
Oh, good. There's a lot of concern about... because Chrome just pushed out the update. The V3 update.
Steve Gibson
No more uBlock Origin for Chrome.
Leo Laporte
I'm going to try not using uBlock Origin and just using... I have NextDNS. It has most of the same filters available to it. So I think, like a Pi-hole or some other way of doing it, not on the machine but on the more centralized, might be sufficient. We'll see.
Steve Gibson
It was interesting to hear Andy talk about it. He updated Chrome, uBlock Origin shut down, and he said, oh my God, I can't surf the web. I mean, it was, you know, for him, he experienced a night-and-day difference without uBlock Origin.
Leo Laporte
Absolutely. That's why I can experiment with it, because I will know if it isn't working right. So I am going to set it up. I'm going to remove uBlock Origin, and I have NextDNS filtering everything anyway, and we'll see how well it does on all that garbage. Wow. Not that ads are a terrible thing.
Steve Gibson
Many of our advertisers... And as Andy said, it was the ads that cover up half the page.
Leo Laporte
It's the intrusive, obnoxious.
Steve Gibson
The really obnoxious ads. No, sorry.
Leo Laporte
Plus there's security issues associated with all this stuff. And that's the scripts. Yeah, uBlock will block a lot of those scripts and so forth. I've been using this for years. It's going to be interesting to see the web without it. I'll let you know. Meanwhile, let's talk about Veeam, our sponsor for this segment of Security Now. V, double E, A, M. You know, there are a lot of things your... a lot of assets your business has, but I think the most valuable asset is your data. Right? And that includes your emails, it includes your customer lists, it includes proprietary, you know, designs. That's all data. These days, that's the most important thing most companies have. And without your data, your customers' trust turns to digital dust. That's why you need Veeam. Veeam's data protection and ransomware recovery, if those are two words that should get your ears perked up... Veeam's data protection and ransomware recovery ensures that you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. As we learned last week, in some cases it's illegal to pay ransomware gangs. You don't want to do that. Wouldn't it be better if you could restore your data and be done with it? That's what Veeam does. It's the number one global market leader in data resilience, trusted by over 77% of the Fortune 500. I should really emphasize that: more than three quarters of the Fortune 500 uses Veeam to keep their businesses running when digital disruptions like ransomware strike. That should tell you something. It's because Veeam lets you back up and recover your data instantly. And it's across your entire cloud ecosystem, wherever that data lives. In fact, in many cases you won't even have to worry, because Veeam will proactively detect malicious activity. And then it also helps you do something you probably should be doing anyway, which is automating your recovery plans and policies. You are prepared. You do have a recovery plan, right?
Get real-time support from ransomware recovery experts should the worst happen. You are not alone with Veeam. Data is the lifeblood of your business. Get data resilient with Veeam. V-E-E-A-M. Go to veeam.com to learn more. Honestly, why aren't you using Veeam? That's really the question. veeam.com. We thank them for supporting Steve and the great work he does at Security Now. On we go, Steve.
Steve Gibson
So, returning to the topic of Mozilla. Last week, in the wake of Chrome's enforcement of their V3 browser extension manifest and the sunsetting of V2, which forced the full-strength uBlock Origin to finally and fully leave the Chrome Web Store... And of course we knew that gorhill, you know, he said, I'm not going to screw around with this anymore. I'm not going to try to, you know, keep uBlock Origin here. I'm just saying no. Mozilla took the opportunity to reaffirm, yay, their commitment to remaining V2 compatible with their blog posting titled "Mozilla's approach to Manifest V3: What's different and why it matters for extension users." After some prologue about the role and importance of browser extensions, they explained: Right now all major browsers, including Firefox, Chrome, and Safari, are implementing the latest version of this platform, Manifest V3. But different browsers are taking different approaches, and those differences affect which extensions you can use. Principle 5 of the Mozilla Manifesto states individuals must have the ability to shape the Internet and their own experiences on it. That philosophy drives our approach to Manifest V3, they said. First, more creative possibilities for developers. We've introduced a broader range of APIs, including new API functionality that allows extensions to run offline machine learning tasks directly in the browser. Second, support for both Manifest V2 and V3, they said. While some browsers are phasing out Manifest V2 entirely, Firefox is keeping it alongside Manifest V3. More tools for developers means more choice and innovation for users. I'll just note that Mozilla adding some functionality for running offline machine learning tasks, nobody cares. Nobody cares about Firefox spinning off some API that Chrome doesn't also support, so good luck with that. But, you know, we need Firefox to remain Chromium compatible so that it can display all the web pages that Chrome can. Anyway, they said...
Mozilla said, giving people choice and control on the Internet has always been core to Mozilla. It's all about making sure users have the freedom to shape their own experiences online. Google began phasing out Manifest V2 last year and plans to end support for extensions built on it by mid-2025. Well, that came a little early, but, you know, that's now. That change has real consequences. Chrome users are already losing access to uBlock Origin, which I thought was interesting: Mozilla called it out by name. There are many extensions that are dependent upon Manifest V2 features. uBlock Origin is famous. They said uBlock Origin, one of the most popular ad blockers, because it relies on a Manifest V2 feature called blocking Web Request. Google's approach replaces blocking Web Request with declarativeNetRequest, which limits how extensions can filter content. And for anyone who is interested, we've gone into this in detail in the past, looking at exactly what these two APIs do and how they differ, and why V3 support without V2 is a problem. Mozilla said, since APIs define what extensions can and cannot do inside a browser, restricting certain APIs can limit what types of extensions are possible. Firefox will continue supporting both blocking Web Request and declarativeNetRequest, giving developers more flexibility and keeping powerful privacy tools available to users. In other words, a superset of either of the manifests. So we pretty much knew this was what Mozilla had planned, but it's nice to have their intent made very clear. And with the Internet becoming ever more important, and websites unfortunately ever more insistent upon monetizing our presence there, it's increasingly important to have a tool like uBlock Origin that's able to return to us some modicum of control.
Okay, now, as I said, we're going to talk about memory-safe languages, and this would have been our main topic were it not for me stumbling upon this incredibly cool technology that we will get to at the end. So let's talk about this. The ACM is the Association for Computing Machinery. Its founding in, get this, 1947, when, you know, computing machinery was an abacus, makes it not only the world's largest scientific and educational computing society, but also the oldest. It's a non-profit professional membership group with nearly 110,000 student and professional members, based in New York City. It publishes over 50 journals, including the prestigious Journal of the ACM, and two general magazines for computer professionals, the Communications of the ACM, also known as just Communications or CACM. The ACM's motto is "Advancing Computing as a Science and Profession." The February issue of the Communications of the ACM, in its Security and Privacy section, contained an article titled "It Is Time to Standardize Principles and Practices for Software Memory Safety." The article was co-authored by 21 professionals spanning academia and industry, and I mean Google and Microsoft and, like, everybody. It was a who's who of contributing authors, everybody having expertise in memory safety research, deployment, and policy. In it they argue that standardization is an essential next step to achieving universal strong memory safety. Okay, and I'm just going to share the introduction of this very long, detailed, and well-thought-out editorial. They wrote: For many decades, endemic memory safety vulnerabilities in software trusted computing bases (TCBs, an acronym they use, trusted computing bases) have enabled the spread of malware and devastating targeted attacks on critical infrastructure, national security targets, companies, and individuals around the world.
Again, endemic memory safety vulnerabilities in software. During the last two years, the information technology industry has seen increasing calls for the adoption of memory safety technologies. These have been framed as part of a broader initiative for secure by design from government, academia, and within the industry itself. These calls are grounded in extensive evidence that memory safety vulnerabilities have persistently made up the majority of critical security vulnerabilities over multiple decades and have affected all mainstream software ecosystems and products, and also the growing awareness that these problems are mostly entirely avoidable by using recent advances in strong and scalable memory safety technology. In this Inside Risks column, we explore memory safety standardization, which we argue is an essential step to promoting universal strong memory safety in government and industry, and in turn to ensure access to more secure software for all. During the last two decades, a set of research technologies for strong memory safety (memory-safe languages, hardware and software protection, formal approaches, and software compartmentalization) have reached sufficient maturity to see early deployment in security-critical use cases. However, there remains no shared technology-neutral terminology or framework with which to specify memory safety requirements. This is needed to enable reliable specification, design, implementation, auditing, and procurement of strongly memory-safe systems. Failure to speak in a common language makes it difficult to understand the possibilities or communicate accurately with each other, limiting perceived benefits and hence actual demand. The lack of such a framework also acts as an impediment to potential future policy interventions, as an impediment to stating requirements to address observed market failures preventing adoption of these technologies.
Standardization will also play a critical role in improving industrial best practice, another key aspect of adoption. Finally, this Inside Risks column is derived from a longer technical report published by the same authors, which includes further case studies and applications, as well as considering the potential implications of various events and interventions on potential candidate adoption timelines. Okay now, whoa. You know, like, bureaucratic overload. But it's also easy to read between the lines here of what's being said and understand, like, these are the guys that drive policy at the higher echelon levels. What's being said is that we need to establish a common and universally agreed-upon framework and terminology, and that the underlying technologies have reached the required maturity to allow that to happen. So now we need a framework and terminology so that both public government and private commercial sector purchasers of next-generation network and security technology will have some actionable means for specifying, in their requests for quotes, bids, and purchasing contracts, that every component of the system has been developed in and is using only memory-safe language technologies. In other words, this is coming. The writing is on the wall. And what that writing says is that the time is now for anyone who may have ambitions to sell their future products to government or large enterprises to begin the process of rewriting those products from scratch in approved memory-safe languages. I can 100% guarantee that future purchasing requirements documents will be specifying that only appliances that have been written in pure memory-safe languages will be considered for purchase, and that if any problem should later occur and it turns out that the proximate cause of the trouble was the use of non-memory-safe languages, the supplier will be held responsible for the damages due to their having made substantial fraudulent misrepresentations. Wow.
That's what's going to happen. This is the responsibility pipeline. So there is a great website, memorysafety.org, created by the ISRG, the Internet Safety Research Group. They explain. They said, our first goal is to move the Internet's security-sensitive software infrastructure to memory-safe code. Many of the most critical software vulnerabilities are memory safety issues. And Leo, this is your favorite term, buffer overflow.
Leo Laporte
Oh yeah baby.
Steve Gibson
Memory safety issues in C and C++ code. They said, while there are ways to reduce the risk, including fuzzing and static analysis, such mitigations do not eliminate the risk, and they consume a lot of resources on an ongoing basis. Using memory-safe languages eliminates the entire class of issues. We recognize the amount of work it will take to move significant portions of the Internet's C and C++ software infrastructure to memory-safe code, which in other words is rewriting what we already have, they said. But the Internet will be around for a long time. There is time for ambitious efforts to pay off. By being smart about our initial investments, focusing on the most critical components, we can start seeing significant returns within one to two years. Our second goal is to change the way people think about memory safety. Today it's considered perfectly normal and acceptable to deploy software written in languages that are not memory safe, like C and C++, on a network edge, despite the overwhelming evidence for how dangerous this is. Our hope is that we can get people to fully recognize the risk and view memory safety as a requirement for software in security-sensitive roles. Okay, now this effort is called Prossimo, P-R-O-S-S-I-M-O, and it's being funded by contributions from Google, AWS, Cisco, the Sovereign Tech Fund, Craig Newmark Philanthropy... Newmark Philanthropy...
Leo Laporte
Philanthropies.
Steve Gibson
Yes, Philanthropies. There we go. Philanthropies. Yes. Chainguard, Cloudflare, Shopify, and all the good guys.
Leo Laporte
This is good.
Steve Gibson
It is really, really good. Their current initiatives include, get this, an implementation of TLS, that is, Transport Layer Security, the security we all rely on, an implementation of TLS in Rust, the Rust language, where they say, let's get the Rustls library ready to replace OpenSSL in as many projects as possible. Of the Linux project, they write, let's make it possible to write memory-safe drivers for the Linux kernel. There's a project called Hickory, which will be a memory-safe, high-performance, fully recursive DNS resolver, and that one is nearly ready for prime time. There is an AV1 project to create a fully memory-safe AV1 decoder that delivers great performance. There's a project to develop a high-performance, memory-safe zlib compression library. Of their sudo project, they say, let's make the utilities that mediate privileges safer. So they're literally going to rewrite sudo in a memory-safe language. And they have similar initiatives for NTP, Apache, curl, and various other tools.
Leo Laporte
So is the future always Rust, though?
Steve Gibson
No, okay. No. In fact, that's exactly where I'm heading here, Leo.
Leo Laporte
Good.
Steve Gibson
Okay, if the future is memory safe languages, which ones are those? Yeah. The memorysafety.org site has a page asking and answering, what is memory safety? What I appreciated was that they perfectly summarize this in just two sentences. They wrote: memory safety is a property of some programming languages that prevents programmers from introducing certain types of bugs related to how memory is used. That's the first sentence. Second sentence: since memory safety bugs are often security issues, memory safe languages are more secure than languages that are not memory safe. That's it, plain and simple. Memory safe languages are more secure. And so why wouldn't industry begin saying, oh, well then that's what we want? That's what's going to happen. Could not be more clearly and succinctly stated. Memory safe languages are more secure. Okay, so what languages? That page continues with their answer and explanation, writing: memory safe languages include Rust, Go, C#, Java, Swift, Python and JavaScript.
Leo Laporte
Python? Memory safe, is it really?
Steve Gibson
Yeah.
Leo Laporte
Okay.
Steve Gibson
You don't get pointers.
Leo Laporte
No, that's right. With no pointers, that means... Yeah, okay, that makes... That's fair. Yeah.
Steve Gibson
They said languages that are not memory safe include C, C++ and assembly. Yeah.
Leo Laporte
Because you could do anything you want.
Steve Gibson
Maybe no guardrails.
Leo Laporte
No guardrails. If you're writing assembly, it's on you, man.
Steve Gibson
So they said, to begin understanding memory safety bugs, we'll consider the example of an application that maintains to-do lists for many users. We'll look at a couple of the most common types of memory safety errors that can occur in programs that are not memory safe. So the first is out of bounds reads and writes, also known as, Leo, memory buffer overflows.
Leo Laporte
Yes, sir.
Steve Gibson
They said, if we have a to-do list with 10 items and we ask for the 11th item, what should happen? Clearly we should receive an error of some sort. We should also get an error if we ask for the negative first item. Under these circumstances, a language that is not memory safe may allow a programmer to read whatever memory contents happen to exist before or after the valid contents of the list. This is called an out of bounds read. The memory before the first item of a list might be the last item of someone else's list. The memory after the last item of a list might be the first item of someone else's list. Accessing this memory would be a severe security vulnerability. Programmers can prevent out of bounds reads by diligently checking the index of the item they're asking for against the length of the list. But programmers make mistakes. It's better to use a memory safe language that protects you and your users from this class of bugs by default. Yes, in a memory safe language we will get an error at compile time or a crash at runtime. Crashing the program may be severe, but it's better than letting users steal each other's data. A closely related vulnerability is an out of bounds write. In this case, imagine we tried to change the 11th or negative first item in our to-do list. Now we'd be changing someone else's to-do list. And then the second class is use after free. Imagine we delete a to-do list and then later request the first item of that list. Clearly we should receive an error, as we should not be able to get items from a deleted list. Languages that are not memory safe allow programs to fetch memory that they've said they are done with and that may now be used for something else. The location in memory may now contain someone else's to-do list. This is called a use after free vulnerability. And finally, how common are memory safety vulnerabilities? Okay, they said. In a word, extremely, they said.
A recent study found that 60 to 70% of vulnerabilities in iOS and macOS are memory safety vulnerabilities. Microsoft estimates that 70% of all vulnerabilities in their products over the last decade have been memory safety issues. Google estimated that 90% of Android vulnerabilities are memory safety issues. An analysis of zero-days that were discovered being exploited in the wild found that more than 80% of the exploited vulnerabilities were memory safety issues. The Slammer worm from 2003 was a buffer overflow, an out of bounds write. So was WannaCry, an out of bounds write. The Trident exploit against iPhones used three different memory safety vulnerabilities: two use-after-frees and an out of bounds read. Heartbleed was a memory safety problem, an out of bounds read. Stagefright on Android: two out of bounds writes. The GHOST vulnerability in glibc? You betcha, an out of bounds write. These vulnerabilities and exploits and many others are made possible because C and C++ are not memory safe. Organizations which write large amounts of C and C++ inevitably produce large numbers of vulnerabilities that can be directly attributed to a lack of memory safety. These vulnerabilities are exploited to the peril of hospitals, human rights dissidents, and health policy experts. Using C and C++ is bad for society, bad for your reputation. It's bad for your customers. It is bad.
Leo Laporte
It's bad.
Steve Gibson
Okay, now there's just a little more that I think is worth sharing. They asked, what other problems are associated with languages that are not memory safe? They said languages that are not memory safe also negatively impact stability, developer productivity, and application performance. Because languages that are not memory safe tend to allow for more bugs and crashes, application stability can be greatly impacted. Even when crashes are not security sensitive, they are still a very poor experience for users. Worse, these bugs can be incredibly difficult for developers to track down. Memory corruption can often cause crashes to occur very far from where the bug actually is. When multithreading is involved, additional bugs can be triggered by slight differences in which thread runs, leading to even more difficult to reproduce bugs. The result is that developers often need to stare at crash reports for hours in order to ascertain the cause of a memory corruption bug. These bugs can remain unfixed for months, with developers absolutely convinced a bug exists but having no idea of how to make progress on uncovering its cause and fixing it. Finally, there's performance. In decades past, one could rely on CPUs getting significantly faster every year or two. This is no longer the case. Instead, CPUs now come with more cores. To take advantage of additional cores, developers are tasked with writing multithreaded code. Unfortunately, multithreading exacerbates the problems associated with a lack of memory safety. As a result, efforts to take advantage of multicore CPUs are often intractable in C and C++. For example, Mozilla had multiple failed attempts to introduce multithreading into Firefox's C++ CSS subsystem before finally successfully rewriting the system in multithreaded Rust. So what's the right path forward? They ask. Use memory safe languages. There are lots of great ones to choose from. Writing an operating system or kernel or web browser?
Consider Rust. Building for iOS and macOS? Swift's got you covered. Network server? Go is a fine choice. And those are just a few examples, they write. There are many other excellent memory safe languages to choose among and many other wonderful use case pairings.
Leo Laporte
And I might mention Common Lisp is memory safe. Racket is memory safe. Most Schemes and Lisps, in fact all Schemes and Lisps to my knowledge, are memory safe. I just want to throw that in.
Steve Gibson
Yes, if you enjoy pounding your head against the wall.
Leo Laporte
If you like parentheses, if you love 'em.
Steve Gibson
If you don't mind, you know, basically updating the printing on the key caps.
Leo Laporte
It's not APL, it's not that bad.
Steve Gibson
For shift 9 and shift 0. You will wear out the legend on your open and close parentheses keys.
Leo Laporte
Oh, that's a good point.
Steve Gibson
Yeah, yeah. Anyway, I wanted to take some time to share this here because I know from the feedback I receive from our listeners that we've got listeners who are wondering about their own paths forward. The points about application stability mean that memory safe languages are not only more secure, they are clearly, no one could doubt that, also inherently more stable. They're easier to debug and easier to maintain when they're used to create solutions and products. We all know that my own native programming language is assembler, which is essentially the machine's native language, right? With absolutely no guardrails. It would be really interesting to talk to some other truly hardcore coders who are as fluent with assembler as I am, because my actual feeling is that C and C++ are dramatically more dangerous than raw assembler itself. This is because C's entire design goal, its original design goal, was to be as absolutely low level as possible and just barely enough above the actual machine so as to obtain machine independence. That was what its designers wanted. That's how they designed the language. The result is that the C compiler may not do what its programmer expects. In a way, I think this makes C far more dangerous than assembler, where there is no middleman to mess things up. You know, I am writing to the machine, it does exactly what I tell it to. And Leo, I did put a little cartoon here at the top of, appropriately, page 13 in the show notes. We have in this cartoon sort of a schlubby looking programmer guy. He's at the pearly gates, and Saint Peter is looking at his laptop, and the cartoon shows Saint Peter saying, "Says here you should be in hell. But since you coded in assembly, we'll count it as time served." Yeah, so, yeah, anyway, it would be interesting to see whether other assembly language coders feel the same way.
One thing we know is that what I produce in assembly language tends to be far more bug free than the code that other coders typically produce and that we encounter written in high level languages. So I don't know. The significant takeaway here, however, should not be that you program in assembler. I'm not suggesting that. I think...
Leo Laporte
Please don't.
Steve Gibson
I should.
Leo Laporte
He's a trained professional, folks.
Steve Gibson
Leo has Lisp and I have assembler and we don't recommend that anybody use either of those. I think it should be a recognition that the only thing that's keeping unsafe and net-productivity-ineffective languages like C and C++ going today is inertia. Every listener of this podcast is well aware of what a powerful force inertia can be. We might even label it the main governing force. I think inertia is the universal force. And you know, I'm in its grip myself. Right. I am never dropping my use of assembly language, but I'll be 70 years old in about three weeks, so I am far closer to being done than I am to starting out. My serious advice to anyone who is closer to starting out would be to seriously consider grabbing a development environment for Rust or Go or Swift or Python and spend some time becoming very comfortable with one or more of those next generation memory safe languages. Java is also very strong for internal enterprise development, and a huge amount of code that's written is not aimed out to the rest of the world, but it's used inside the enterprise. Those are very nice safe jobs if you can land one. You know, there really has been a change here, so I think that you'll want to, you know, increase your possibilities, add comfort in some of those languages to your resume. I think it would be a net boon.
Leo Laporte
And on that, Leo, I agree 100%. Yeah.
Steve Gibson
Yep.
Leo Laporte
It's amazing that people are still using C and C++. I mean, look, I love C. C is a beautiful, fun language.
Steve Gibson
It is a beautiful fun language.
Leo Laporte
It probably gives me the same thrill that using assembler does for you. Pointers and pointers to pointers and pointers to pointers to pointers.
Steve Gibson
Boy, can you get yourself tangled up.
Leo Laporte
Yes, just malloc some memory and go. But yeah, it's, you know, just the thing is, if somebody is really writing in assembly and writing serious assembler code, they are so deeply enmeshed in what's going on. They're not going to put a pointer to an empty buffer. They don't even have arrays. Right. Yeah. So it's just not going to come up because you know what you're doing, you're in there with the hardware. The problem is C makes it too easy, frankly.
Steve Gibson
Yes. It allows somebody who should not be running with scissors...
Leo Laporte
Right. To run with scissors.
Steve Gibson
To run with scissors.
Leo Laporte
Exactly. All right, we're gonna take a break. Come back. More to come. I'm dying to know what the title of this show is and what it possibly could mean. We will find out soon, folks. We will. But first a word from ThreatLocker. I love these guys. They just had their Zero Trust World conference. I wonder how it went. Who went there? Oh, the Untitled Linux Show. Jonathan Bennett went. I'm going to have to ask Jonathan how it went. Fascinating stuff. What is ThreatLocker? It's the easiest, simplest way to do Zero Trust affordably, effectively, to harden your security with ThreatLocker and never have to worry about zero-day exploits or supply chain attacks again. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. I'm really glad. Like memory safe languages, the concept of Zero Trust has really spread now, and people get it and they know why it's such a good thing. Imagine taking a proactive, here's the three key words now, deny by default approach to cybersecurity. Blocking every action, every process, every user, unless authorized by your team. That's in a nutshell what Zero Trust is. Thing is, ThreatLocker is the most affordable, easiest way to implement it. And you'll like this. It gives you a full audit of every action, which gives you two things. First of all, risk management. Because if you know something happened with an app, you know who was using it, you know exactly who was using it and who wasn't using it. Right. It's also great for compliance because you have an audit trail. You have a complete audit trail for every action taken. Plus ThreatLocker has a very, very good 24/7 US-based support team. They are there to get you on board, but also beyond. They're really, really smart, really useful. In fact, I would encourage you to take advantage of them. This is all about stopping the exploitation of trusted applications within your organization.
It's about keeping your business secure, protected from ransomware. Organizations across any industry can benefit from ThreatLocker's Ringfencing. What it does is isolate critical and trusted applications from unintended users and uses or weaponization. It limits attackers' lateral movement within the network because they can't access what they're not authorized to access, which for an attacker is everything. Oh, great. Here, this is good news too: ThreatLocker works for Macs too. So on your heterogeneous network, you're golden. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively. I was blown away when I checked the prices, very affordably, with ThreatLocker's Zero Trust endpoint protection platform. Visit threatlocker.com, get a free 30 day trial. Can't go lower than that. Free, right? And learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance at the same time. A really great solution. And when you get to the website, look at the people who use ThreatLocker. That'll give you some idea. ThreatLocker.com. We thank them so much for supporting Steve Gibson and for giving all of us an easy way to implement Zero Trust. Okay, Steve Areno, what is all of this stuff you're talking about here?
Steve Gibson
Just a quick note that the Australian government has now banned the use of Kaspersky products. Oh, interesting. Yep. All Australian government agencies must uninstall any existing Kaspersky software by April Fool's Day, April 1. Government officials said that the software poses an unacceptable security risk to Australian government networks, opening it to foreign interference, espionage and sabotage. As we know, it's not fair. There's been no credible evidence shown of any wrongdoing on Kaspersky's part, and they remain valuable contributors to global security. But they're Russian, so they're being painted with the same broad brush. And while it may not be fair, it is understandable, and you know, it could be that they get subverted or be made to do bad things, and you know, it's creepy, I understand, so. But it's still sad. Okay, so from reporting by Forbes that was picked up by ZDNet and pretty much everyone else, we learned that Google's Gmail will be dropping their historical use of less than super secure six-digit SMS-transmitted codes for, you know, being used as a multi-factor authentication factor, replacing them with QR codes. So rather than asking a user to enter a code received via text message, users wishing to log in will be presented with a QR code which they'll be asked to scan with their phone. Okay, but it's unclear to me. I mean, that's all we were told, that's all we've heard, and it's unclear to me how this would work exactly. The original text messaging solution relied upon users having their phone number pre-registered with their account. So their ability to receive a random code at that phone number was meant to serve as proof of their control over that pre-registered phone number and, by extension, the handset that number is currently associated with.
You know, in the parlance of multi-factor authentication, this would add an additional factor, the something you have factor, to the username and password, which provide the something you know. The problem with a strong reliance, as we know, upon text messaging is that our telecommunications systems are not secure in the face of outright hacking or various SIM swapping schemes that can and have been used to intercept text messages in the past. But as I said, what's unclear to me is how presenting the user with a QR code solves the problem. The reporting on this says that using a QR code prevents someone from being tricked into revealing the six-digit code they've just received, like some sort of a phishing attack. Okay, so that on-screen QR code, which nobody can read, presumably contains a webpage link with a bunch of crypto crap in its URL. You know, that's very fancy, but it's unclear what prevents a bad guy who's trying to log in from receiving that QR code themselves and then scanning it with their phone. You know, what makes it any more secure? You know, thinking that I must be missing something, I checked around and I found that A, this is such big news that everyone else is reporting it too; that B, everyone is just repeating the same information from the one Forbes guy; and that C, the very few people who have stopped to ask exactly how this would work have the same questions I have. You know, just waving our arms around and saying QR codes instead of SMS codes does not a secure login protocol make. Many sites are screaming that having Gmail using QR codes makes the situation worse, since users cannot natively read QR codes, so they could be used to get up to all manner of mischief. But stepping back from the hysteria over all this, for a user to authenticate securely with an additional physical factor, that physical factor must be something that an attacker cannot also have. This is what made secure physical tokens,
you know, the little dongles, you know, the go-to solution when maximum security was required. But a generic smartphone doesn't fill that bill. The only way I can see this working would be for future Gmail users to also have some sort of synchronized Gmail authentication app running in their smartphones. That application would receive the QR code to close the authentication loop. And yes, I know that does sound suspiciously like the technology I originally developed and documented and demonstrated in Sweden and in Ireland and here on TWiT many years ago. The SQRL technology essentially created a physical software token in its user's phone, using a QR code to close the loop. So it'll be interesting to see if Google follows in SQRL's footsteps in that regard too. And you know what they say about imitation and flattery. Well, there may be some flattery coming my way. Who knows? I can't see how Google does this without adding an app in the user's phone. And you know, that's what I did with SQRL. And speaking of flattery, a recent podcast listener of ours, Matthias DeWolf, is about to hear me share the experience he wrote to us about after purchasing his first copy of SpinRite. In desperation, he gave his email the subject line "Success story: Level 3, Dead Kingston SSD", and he started off writing, I own a portable Kingston XS2000 USB-C 4 terabyte drive to store my backups. He included a link in the email, which I have in the show notes for anyone who may be interested. And I was surprised by the small size of the drive's package. It is a lovely little drive. It's like, if anybody remembers Matchbox cars. Matchbox cars, yes. It is just a cute little thing. It's available in 500 gig, 1, 2 and 4 terabyte capacities and, as might be expected, the 4 terabyte version is a little pricey.
I would imagine that it could be purchased online for less than the suggested retail, but Kingston's site lists the 4 terabyte drive at £272.88, which is about US$350 at the moment.
Leo Laporte
Oh, that's so...
Steve Gibson
Yeah, yeah, you know. So my point is, when a little drive like this sells for $350, it's not something you want to give up on and let die. It had, oh boy. He explained. He said, I configured the drive with two partitions: a 2 terabyte one for Linux, and he says LUKS-encrypted ext4, and a 2 terabyte one for Windows, NTFS and BitLocker To Go. So this is a techie listener of ours. He said the drive recently started throwing nasty errors when trying to read files from it. I first noticed issues when I was working on the Linux partition while copying a file. The copy operation stalled and the drive completely disappeared from the operating system, and he said, parens, HP Omen laptop running Ubuntu 24.04 Cinnamon. Then he said, see messages output at the bottom of the email. He said, at first I thought it was perhaps a USB bus error or a bad cable. But the issue persisted and I started seeing file copy errors with Explorer hangs and USB disconnects on my Windows 11 OS while working on the Windows partition. I got really worried and started investigating. I could reproduce the errors on several laptops and different USB cables and ports. Some files were simply unreadable and caused the drive to disappear from the OS. All evidence pointed to an issue with the drive itself. It had become completely unusable and recovering files was a nightmare, he said, one by one, keeping track of the ones that killed the drive. He said, I knew of the existence of GRC.com, ShieldsUP and SpinRite since somewhere in the 90s. And I started listening to the Security Now podcast about a year ago because I started running and got really bored while running for hours.
Leo Laporte
By the way, 150 bucks on Amazon. Oh, so much better.
Steve Gibson
Wait, wait, wait for the 4 terabyte one.
Leo Laporte
Oh, 4? That's for 2 terabytes. I don't see the 4 on this, so maybe they don't offer that in the U.S. But two for 150 is not bad. Yeah, he needs four.
Steve Gibson
Yeah. And it's a beautiful little thing.
Leo Laporte
It's cute.
Steve Gibson
Yeah, yeah. He said, and during the long runs I also heard your stories about the positive effect of SpinRite Level 3 runs on the consequences of the read disturb problem that affects SSDs. I put one and one together and suspected this drive might contain a controller that handles the tough slow reads badly and dies. And it turns out he was exactly right. And he said, side note, I never had the need for SpinRite. Oh, I was always able to recover my data using open source Linux tools, and believe me, I've done a lot of recovery.
Leo Laporte
Here's 4 terabyte, $269. So it's a little more expensive. Yeah, yeah, okay, sorry, didn't mean anything.
Steve Gibson
I said I've done a lot of recovery. Don't tell anyone that you know a thing or two about computers. They will find you. They will find you with their unreadable disks or NAS appliances.
Leo Laporte
Oh boy.
Steve Gibson
And he said, but as I lost access to the disk with other tools, I bought a copy of SpinRite. He said, I figured it was also the way to support your work. So I went ahead and ran SpinRite against the Kingston drive. Level 2 reads also killed the disk and made it go offline. Repeated runs killed it every time at the same percentage and more or less the same sector. And he actually took a picture of his screen, which I have in the show notes, just for anyone who's curious. It's a screen I am well familiar with, as are many of our early testers of SpinRite. It says: this drive has just taken itself offline. The drive is now returning device fault status. It must be power cycled, shut down and restarted, to clear this condition and perhaps resume operation. Device fault occurs when a drive encounters an exceptional condition from which it cannot recover. This could be transient or permanent, and it might only occur when SpinRite is working on a specific sector or region of the drive. It may be possible to resume SpinRite past this sector or region. Unfortunately, SpinRite cannot do this on its own since, once this occurs, power cycling is required. And then it shows the location where this trouble occurred was at 1.8198%.
Leo Laporte
Right at the beginning.
Steve Gibson
81800167, so yeah, right at the start of the drive. He said, so I moved on and tested a partial Level 3. I interrupted it at 1% to see if the Level 2 read would make it further on the disk afterwards. And behold, it did. This time the Level 2 read died right after the 1% of data I rewrote using the Level 3 scan. Meaning that it used to die sooner, but he ran Level 3 up to 1% and now Level 2 was able to read up to the point where he stopped Level 3, meaning up to the point where Level 3 stopped repairing the drive. He said, so I let it run for three days across the full 4 terabyte disk. The drive was rewritten completely and no errors were found during the Level 3 scan. I was able to read all my files afterwards, both on Linux and Windows. I am amazed and still trying to understand what your tool is doing differently. I suspect it might be something in the read-a-sector, write-the-same-sector logic and the lower speed it does it at, question mark, he said. I'm also starting to hate SSD technology more and more. Its only advantage is speed. But the industry has done so many bad things and compromises to try to reduce the cost. I had my fair share of troubling SSD issues. The most memorable one is probably my bug report to Kingston about their SV100S2 drives. It took me six months to convince them their SSD died after 126 days of uptime after a cold boot. It took them a long time to believe me, and then discover a 32-bit overflow in the SSD controller firmware. His email provided a link to a Kingston release notes PDF which he quotes, saying, quote, resolves an issue where the drive becomes unresponsive after continuous usage for 2,982 hours and 37 minutes without power cycle. They said the issue does not occur if the drive is power cycled prior to the 2,982 hour limit. And his note concludes, in any case, he said, I owe you a beer or two. Kind regards, Matthias.
Leo Laporte
Very nice.
Steve Gibson
So, I have a couple of thoughts. First of all, Matthias, I consider our books completely balanced here. You owe me nothing. Though you know I'd be glad to share a beer. You purchased a copy of SpinRite, which does indeed allow me to afford to keep GRC on the air and to keep various GRC products alive and moving forward. The revenue from the sales of my software also serves to remind my wonderful wife that I'm not completely insane to be spending the majority of my time working on software. You know, that was the deal we made when we met. She knew what she was in for. But a bit of positive reinforcement goes a long way.
Leo Laporte
How did you bring that up? So, say, honey, I may disappear for hours at a time from time to time, but I'm not... I'm just writing software.
Steve Gibson
I'm not nuts.
Leo Laporte
And when I come back, my eyes may be a little glazed. I may be kind of walking into walls. That's because my mind is elsewhere.
Steve Gibson
And I'll be more open to you wanting to reupholster everything, because, sure, dear, I will have made some money.
Leo Laporte
Oh, good. Okay. Is she reupholstering everything?
Steve Gibson
No, but you know, just as an example.
Leo Laporte
Yes. So sorry, I didn't mean to interrupt.
Steve Gibson
So you have offered a textbook-perfect use case for SpinRite. And I should say that the only part of your story, Matthias, that made me grimace was that three days were required for a full rewrite of a 4 terabyte USB-connected drive. I'm sure this was largely due to SpinRite still being hosted by DOS. The performance improvement for USB-connected drives will be one of the biggest benefits offered by SpinRite 7, because it will run natively under Windows or Wine. And occasionally rewriting entire SSD drives is so beneficial for their health that I'm eagerly looking forward to the day when doing so will be more practical. Even better will be SpinRite's ability to surgically locate and rewrite only the slow spots of SSDs that have become troublesome. But one step at a time. The other comment that I had was that I have come to feel exactly as Matthias has about SSDs. They are screamingly fast, but they cannot be relied upon. I have switched every one of GRC's servers, which were initially all SSD, back to using spinning drives exclusively. Every one of the SSDs I was using eventually died, and I had purchased the highest quality, modest size, most reliable single level cell SSDs available. Didn't matter. Now, no data has ever been lost, since even the SSDs were running in a RAID 6 configuration with full two-drive redundancy. I would never run any mission critical drive solo. The non-RAIDed SSDs that I use are automatically backed up to Synology NAS boxes which all have spinning disks with a maximum two-drive redundancy. And the working directories where I spend my days are being continuously backed up with Syncthing to the same NASes. So these days, mass, and I know this is what you preach too, Leo, mass storage is just too inexpensive to not plan for its failure.
But when something does eventually die, as happened with Matthias's cute little 4 terabyte backup drive, as long as I'm alive, I expect that SpinRite will be there to save the day and will only be getting better at doing so.
Leo Laporte
I am shocked to hear you say you do not purchase SSDs anymore.
Steve Gibson
Nope.
Leo Laporte
I have found them to be more reliable than physically spinning drives. You find them to be less.
Steve Gibson
All I know is that every one of them that I have used in a production environment died.
Leo Laporte
I mean, my Synology is spinning drives, but that's more because it's too expensive to put SSDs in there. But every computer I buy, you'd be hard pressed to buy a PC or a laptop these days with a spinning drive. I don't think they make them anymore.
Steve Gibson
Yeah, and I mean I'm happy for the speed, but. But believe me, they're backed up.
Leo Laporte
Well, I mean I back up anyway. But I've never had an SSD drive. I've had plenty of these, you know, little thumb drives die, but those are crappy. I've never had an SSD or an NVMe M.2 drive die ever. But I'm not. You say production environment. You mean on your servers?
Steve Gibson
Yes.
Leo Laporte
Yeah, that maybe makes sense. I'm not running a server anywhere except for this.
Steve Gibson
Although Matthias just had it happen to that little Kingston 4 terabyte. You know, it's a little backup.
Leo Laporte
That doesn't really surprise me. I'm talking about nice internal SSDs.
Steve Gibson
Yeah.
Leo Laporte
I mean, God knows what kind of heat profile that little doohickey has and so forth. So.
Steve Gibson
Yeah.
Leo Laporte
I mean it doesn't look vented at all. So anyway, I'm surprised. Okay. I find SSDs extremely reliable, so. Huh. Okay. You know, Backblaze does that annual report. I should go look. They just published it again, because they buy more drives than most people, and they may. Let me see what they say, because that's interesting.
Steve Gibson
I think everybody in the cloud is using spinning drives.
Leo Laporte
Really?
Steve Gibson
They're so much more affordable. I mean they're way more, they're way less expensive.
Leo Laporte
They're cheaper. Yeah. Per gigabyte. But I don't know if it's way less expensive anymore. I think that that's gotten, that's narrowed that difference.
Steve Gibson
Okay, so a little bit of feedback from listeners. Josh Fenton said, Hi Steve, in the latest episode you mentioned that Apple will, after some date, disable ADP for Apple users in the UK. How would this actually be possible? If the only thing that Apple servers possess is an encrypted blob of data without the key to decrypt it, then wouldn't it be impossible for Apple to unilaterally revert users' encrypted data back to plaintext? I can see how they could simply delete the blob, but with syncing across devices enabled, this would result in massive data loss for users. Thanks, Josh Fenton. So I was sure of the answer, but I went over to Apple support to check. Under the topic "How to turn off Advanced Data Protection for iCloud," Apple writes, you can turn off Advanced Data Protection at any time. Your device will securely upload the required encryption keys to Apple servers and your account will once again use standard data protection. So your device will securely upload the required encryption keys to Apple servers, and otherwise it unblinds Apple to how to decrypt your blob. So what's unique about Advanced Data Protection is that Apple never gets that key, which they normally do. So this is something that can be done by the user. This also suggests that a future update to iOS and macOS, if it comes to pass, will enable the OS to inform its user that Apple's Advanced Data Protection feature is being withdrawn from the UK and that after acknowledging this notice, ADP will be disabled globally for their account. At that point, every one of the user's logged-in devices will disable its local ADP setting and revert to traditional non-end-to-end iCloud storage. Or in other words, Apple just gets a copy of the key from the device, which disables it, and then they are in compliance with what the UK requires. So it seems like it's going to be possible. A listener requesting anonymity said Viscount Systems Freedom Access Control.
You know, that's that ridiculous, unbelievably poorly designed access control system we talked about last week. Viscount Systems Freedom Access Control now secures the U.S. Department of Homeland Security. What could possibly go wrong? Which uses the physical security system in dozens of field offices of Citizenship and Immigration Services, the department's largest agency. So that's just great. As we'll recall from last week, this is the ridiculously insecure system that publishes its default username and password in its notes and tells the user, you know, you really should change that. But 43% of the people don't. Billy Shurrat said, what was that company you talked about on SN within the last couple of years with a subscription service offering really slick Windows patching in memory? Okay, that would be 0patch.com, the numeral 0, then p-a-t-c-h, dot com, and I'm glad that Billy brought them up again. Just remember, everybody, Windows 10 will be going out of update service in October, and we don't yet know what Microsoft is going to charge end users to continue receiving the patches into the future. But the 0patch guys have said they plan to offer updates for the next five years, and on their $27 per year. So again, to my way of thinking, a lot is still up in the air. Is Microsoft really going to charge end users for updates that they're, you know, making available to enterprise customers? You know, are they going to force people to Windows 11, which won't run on hardware that it could run on, just because? I don't know. We'll see. David Thompson, or Thomson, said, I had a question. What network monitoring software are you using? He said, I've just seen in the past, during the DDoS on GRC, you look up at the top left corner to see the status. Just curious if you had any to share.
Leo Laporte
Somebody paying a little bit of attention.
Steve Gibson
He's being, yes, very observant. You know, I would have done that. And okay, so because my primary servers are running Windows, I've taken to just using the built-in PerfMon app, Performance Monitor, which monitors the server's performance counters, and Windows allows this to be done remotely. But doing that is definitely not safe. This would normally mean exposing Windows' infamous port 445 to the public Internet, which would be begging for a visit from a hostile foreign power. You know, this might be abbreviated OMDB, which in this case would stand for over my dead body. So I've arranged to have secure access to the Windows performance counters of my remote servers without ever exposing any ports to the Internet. But this is a good opportunity for me to mention my very favorite LAN monitoring tool. I use and depend upon it at both of my locations. It is so handy for keeping track of the WAN side of my Internet connections. The tool is called NetWorx, N-E-T-W-O-R-X. It's from a company called softperfect.com, S-O-F-T-P-E-R-F-E-C-T dot com, and I've talked about it before. I just took a snapshot of its perfect little network monitoring window, which I always have up. The red trace is incoming traffic. So if I or anyone in the household is downloading something, that line will jump up, and the green is outgoing traffic. If I do something, for example, like save a large file that's being mirrored to my local NAS, that will happen a few seconds later. Syncthing will detect the local change and reach out to the other NAS to clone this changed file there. So I'll notice a jump in the green outgoing bandwidth line while the file is being sent. The author of this tool also knows that a logarithmic scale is what's needed to make this sort of chart useful. So that's an option which I'm using.
You can see in the chart that Leo has up, and that I have in the show notes, that it is at, you know, 10 kbits, then the next line up is 100 kbits, then 1.0 megabits, 10 megabits, 100 megabits, and 1.0 gigabits. So the dynamic range of this is what you would want, as opposed to a linear chart that's just not nearly as useful. But the coolest thing about this tool, which by the way has a bazillion other features, you know, most of which I have no use for. But it can do all kinds of different things. The coolest thing is that it's monitoring my router rather than this PC. That's why I'm able to see the NAS that is elsewhere on my network using my network's outgoing bandwidth. This is the chart of my aggregate LAN traffic at the LAN interface, which is the same as the WAN traffic on the other side of the router. I really love it. I don't know, it's just comfortable to be able to keep an eye on what's going on, to see the traffic coming in and out of your network. You can grab it and try it free for 30 days before deciding whether it's worth 15 bucks to own it forever. You know the decision I made. And while you're over there at softperfect.com, look around. The company was founded in the year 2000. They're based in Brisbane, Australia, and from what I've seen, they are doing great work. Something else that might be of interest is a free web browser cache relocator, which they offer. You can do this manually, but this little freebie makes it very easy. In their description of the app, they write: Internet browsers intensively use a folder on your hard disk for temporary data, the browser cache. There are various reasons why some users want to relocate this folder. For example, moving the cache to a RAM disk can speed up browsing, offload the hard drive, or reduce the wear and tear on the SSD. SoftPerfect Cache Relocator is a quick and easy way to move your browser cache.
This utility is intended to be used in conjunction with SoftPerfect's RAM Disk, which offers all the benefits of creating disks in RAM: increasing computer performance, mitigation of the physical disk wear and tear, and reduction of file system fragmentation.
Leo Laporte
It also is a menu item on the Mac, which is really great, with all these different reports. This is a really very cool app. This is Mac, Windows and Linux, which app? The NetWorx app, the performance monitor that you were talking about.
Steve Gibson
It is so cool. I can't tell you. It is. And for people who use a larger tray, like Windows 10 has a tray at the bottom, it's able to actually run the little chart inside.
Leo Laporte
Well, that's what it's doing here on the Mac. You see. Oh, the chart itself. You. Wow.
Steve Gibson
Yeah, you're able. I'm not sure. It looks like that. That line would be too thin to have.
Leo Laporte
I think it's not going to be able to do that. Yeah, this is great.
Steve Gibson
Oh, 15 bucks. I know. 15 bucks.
Leo Laporte
I'm using Fring right now. This is. I think this is as good, if not better.
Steve Gibson
Switch it to logarithmic. Logarithmic, and you get a much better. There ought to be an options.
Leo Laporte
Yeah, I'm sure there is somewhere. I just. This is all new. I just downloaded it on your record.
Steve Gibson
Yeah. Yeah. I didn't realize it was available for the Mac.
Leo Laporte
Yeah. Isn't that great?
Steve Gibson
Yeah. These guys are they really.
Leo Laporte
They know their business. Does a netstat window. I mean, this is fantastic.
Steve Gibson
Yeah, there's a bunch of really cool stuff and as I said, also take a look at the other things they offer. There are things that would be of use for like you're able to monitor which applications are using which of your bandwidth and more.
Leo Laporte
So my guess is this is one guy, right, who's just.
Steve Gibson
I think. Yeah, it feels like a one guy.
Leo Laporte
Some Aussie who says, I've been writing this for 20 years and I know how to do it. He's probably doing an assembly.
Steve Gibson
Yep. There are settings.
Leo Laporte
Yeah, let's see. Volume unit. We'll go to the graph. Settings. Probably lock run. That could be there. Very cool.
Steve Gibson
Yeah, it is. It is a beautiful piece of work. I just love having it so.
Leo Laporte
Oh yeah, big difference. Much prefer the logarithmic scale. You're right.
Steve Gibson
Yeah. It's because that way when a biggest.
Leo Laporte
Spike, you'll know it.
Steve Gibson
Yeah. Yes, yes. Because you want to be able to see useful information when something's not going on and not have it be just pinned to the top of the chart.
Leo Laporte
Right.
Steve Gibson
When something big is happening.
Leo Laporte
Right. This is great. Very nice, very nice.
Steve Gibson
Let's see. Do we have anything else? Oh, Alfred Dessinger. He said, hi, Steve, I just received this notice. After 31 years, Entrust is out of the CA business.
Leo Laporte
Oh, yay.
Steve Gibson
And that doesn't surprise anyone. You know, as we know, they flagrantly, you know, ignored the CA/Browser Forum. We talked about this extensively last summer when Chrome finally decided they were going to have to pull them out of their root store. They would not be. No certificates issued by them after Halloween, October 31st of last year, would be honored by Chrome, and bye bye. You cannot survive if Chrome is not going to like your certificates. And so basically they sold their existing customer base to Sectigo. And of course Sectigo is not the greatest of CAs either. They renamed themselves from Comodo after they ruined the Comodo name.
Leo Laporte
Yes, we know Comodo. Oh, yes.
Steve Gibson
So, okay, one last break and we're going to talk about spatial domain wireless jamming and amazing, amazing technology.
Leo Laporte
The only Backblaze report I could find on SSDs. They don't. They use hundreds of thousands of hard drives. They say they install a new hard drive every, 20 hard drives every minute, so. But the only report I could find was from three years ago, unfortunately. But they did say that SSDs were marginally more reliable than the hard drives that they have, but they only have a few thousand SSDs, so that's probably. I mean, it's more than an anecdote, but it's less than a, you know, reliable statistic, so.
Steve Gibson
Any billy goat.
Leo Laporte
Yeah, you. I mean, of course you should use what you want. I just. You scared me. Because. Because I'm very happy using SSDs everywhere.
Steve Gibson
We want you to be happy. I mean, we have solid state storage in our phones and our laptops, in our tablets. It is the thing to use. But they're not perfect. And engineers have squeezed the crap out of them. And essentially that's why they slow down, is because they are struggling to read. They still do, but their performance gets.
Leo Laporte
And that be maybe more telling than failure rate. This is performance degradation.
Steve Gibson
Yep.
Leo Laporte
And thank God there's SpinRite, that's all.
Steve Gibson
Thank you very much.
Leo Laporte
In fact, I'm getting. A new server is arriving today with a 4 terabyte SSD and a 500 gigabyte or a terabyte boot drive. And I will probably want to run SpinRite on those before I set it up, won't I? Yes, I will. Steve, nothing much, no ad block here, but this would be an awesome time for me to mention our club. As I mentioned, I would say only about 5%. Well, let's put it a different way. Advertisers only cover about 95% of our costs. That leaves 5% uncovered. Without that 5%, well, I might not have lights today, or Steve might not be here, or our other hosts. We, you know, we want to keep operating at full capacity. We, frankly, we'd love to increase that number, because the more members in our club, the more we can do. So this is a blatant begging moment for you. I would love for you to join the club. There are benefits. We're not asking for your $7 without giving you something. No, by the way, that's all it costs. $7 a month. Less than one quinty venti latte at Starbucks, my friends. Did you say it was $9? That's ridiculous.
Steve Gibson
9.50?
Leo Laporte
That's absurd for a cup of coffee. Well, I think $7 is fair considering all the content that we deliver. All the fun, too. You get ad-free versions of all the shows, because if you're giving us money, we don't need to play ads for you. You wouldn't even be hearing this plug if you were a Club TWiT member. Now, I have to point out a lot of Club TWiT members say, yeah, I still get the ad feed because I like to hear your ads. So, okay, that's fine. It doesn't mean you can't listen to ads, just that you have the option. What you do get also is the Club TWiT Discord. And again, not everybody goes into the Club TWiT Discord, but when you're there, it's a great place to hang out. Not only during a show to talk about the shows, but also everything else geeks are interested in. All of our shows have forums there. There's a software development group in here. You could talk about what Steve just mentioned about memory-safe coding languages. Everything's going on. We even have a Let's Play segment where they're playing Minecraft and other games together. We do have a Minecraft server. Thank you. That's back up and running thanks to Lion Admiral 1981, who has kindly volunteered to keep that running. So you get the Discord, you get the ad-free shows. You also get some events. For instance, Thursday photo time with Chris Marquardt. We do that every month. Micah does his crafting corner. That's coming up in a couple of weeks. Every quarter, Stacey's Book Club and other great events going on. I'll do some. I'll turn on the cameras every once in a while just for fun, to say hello. You socialize, you inform. That's right, Newman. It's a great place to hang. If you're not yet a member of Club TWiT, I would very much love to ask you to join. And the Discord really is full of fun. A little GIFs and so forth. twit.tv/clubtwit. Enough said. I don't want to belabor it, but thank you in advance. We really appreciate our club members.
It's great to have you in Club TWiT.
Steve Gibson
Hey, Prime members, are you tired of ads interfering with your favorite podcasts? Good news. With Amazon Music, you have access to the largest catalog of ad-free top podcasts included with your Prime membership. To start listening, download the Amazon Music app for free or go to amazon.com/adfreepodcasts. That's amazon.com/adfreepodcasts to catch up on the latest episodes without the ads.
Leo Laporte
All right, Steve, you've got to tell me. Oh, what the hell this is that you're talking about here?
Steve Gibson
This is mind boggling. Everyone who's been following the podcast for a while knows that the way to my heart is through technical research papers. Nothing beats going to the source and hearing from the researchers who actually did the work. So when I saw this work from a team of German academics, which was presented during last week's Network and Distributed System Security, that's the NDSS, Symposium 2025, which was held in San Diego, California, I knew that I needed to at least put it on everyone's radar. Now, there's no action item takeaway from this, but, you know, I think it was probably the paper's catchy title, Spatial Domain Wireless Jamming with Reconfigurable Intelligent Surfaces, which.
Leo Laporte
Well, that got my attention.
Steve Gibson
That's right. That is a crowd stopper. Okay, so listen to what these guys explain in their paper's abstract. They said, wireless communication infrastructure is a cornerstone of modern digital society, yet it remains vulnerable to the persistent threat of wireless jamming. Attackers can easily create radio interference to overshadow legitimate signals, leading to denial of service. The broadcast nature of radio signal propagation makes such attacks possible in the first place, but at the same time poses a challenge for the attacker. The jamming signal does not only reach the victim device, but also other neighboring devices, preventing precise attack targeting. In this work, we solve this challenge by leveraging the emerging reconfigurable intelligent surface, RIS. Reconfigurable intelligent surface, RIS, technology, for the first time, for precisely targeted delivery of jamming signals.
Leo Laporte
This is bad.
Steve Gibson
Yeah. In particular, we propose a novel approach that allows for environment adaptive spatial control of wireless jamming signals, granting a new degree of freedom to perform jamming attacks. We explore this novel method with extensive experimentation and demonstrate that our approach can disable the wireless communication of one or multiple victim devices while leaving neighboring devices unaffected. Notably, our method extends to challenging scenarios where wireless devices are very close to each other. We demonstrate complete denial of service of a Wi-Fi device, while a second device located at a distance as close as 5 millimeters, okay, that's 1/5 of an inch, remains unaffected, sustaining wireless communication at a data rate of 25 Mbps. Lastly, we conclude by proposing potential countermeasures to thwart RIS-based spatial domain wireless jamming attacks. Okay, now I have a picture in the show notes from their paper. It shows a grid of antennas. Now, this immediately suggests that they've created a 2D steerable beam jamming transmitter using a phased grid array. Now, that would be an entirely reasonable conclusion. And it would be wrong. If that's what these guys had done, it would be a nice piece of work, but by now it could hardly be novel. What is novel here is that this panel, Leo, does not itself transmit anything. It is entirely passive. It is reflective. It is selectively reflective. And what's somewhat astonishing is that something that is essentially a passive reflector of Wi-Fi or whatever radio signals can arrange to selectively target and deny an active Wi-Fi device located some significant distance away, and I'm like 9 meters, like 27 feet away in their setup, from functioning. This is the sort of cool, I mean uber cool, next generation cyber spy tech that the NSA and CIA will want to immediately set up in a lab somewhere to fully explore. It is just so cool. So here's what the inventors of this explain.
They said, wireless communication systems are ubiquitous and seamlessly provide connectivity to the smart and interconnected devices that permanently surround us. In our modern daily lives, we frequently use instant messaging, media streaming, health monitoring, and home automation, all of which rely on wireless systems and their constant availability. However, wireless systems utilize a broadcast medium, meaning, you know, the air, the ether, a broadcast medium that is open to everyone, inherently exposing a large attack surface. One particular critical threat is wireless jamming, which allows malicious actors to perform denial of service attacks with minimal effort. In a classical jamming attack, the adversary transmits an interfering signal that overshadows the desired signal, preventing a victim receiver from correctly decoding it. Crucially, loss of connectivity impacts the functionality of wireless devices and can thus have potentially far reaching consequences, such as smart grids, smart transportation, and health care systems. Recent media reports underscore the real world threat potential of jamming attacks. For example, criminals disabling smart home security systems and preventing cars from locking. This basic attack principle has previously been studied by a large body of research. For instance, the attacker can leverage various jamming waveforms, such as noise or replayed victim signals, and vary the attack timing, jamming constantly or only at certain times. As evident from the many existing attack strategies, wireless jamming has been incrementally refined and has become increasingly sophisticated. One particular example for this is the case of selective jamming attacks. To illustrate a potential attack scenario, consider an adversary attempting to sabotage a complex automated manufacturing process.
Distributed actuators might take orders from several previous processing stages that have to be executed in a timely fashion, risking manufacturing failure otherwise. Here, the adversary could use selective jamming to simulate local loss of connectivity on a single actuator, but not the entire plant, which would likely trigger some emergency shutdown response. So far the only means to realize such a selective jamming attack is via so-called reactive jamming, where the attacker analyzes all wireless traffic in real time to decide on the fly whether to send a jamming signal, relying on the existence of meaningful protocol level information not protected by cryptographic primitives. In our manufacturing plant example, selective disruption of the actuator would require the attacker to receive and identify every packet directed to the recipient before sending a jamming signal. This restricts the attacker's positioning to rather close to the victim. Other downsides of this approach are that it can be mitigated by fully disguising packet destinations and the attack realization being rather complex and cumbersome. In light of those aspects, we are interested in novel attack strategies resolving the aforementioned shortcomings. Clearly, the ideal solution would be to physically inject a proactive jamming signal directly and only into the victim device, but this is not possible due to the wireless nature of jamming and the inevitable broadcast behavior of radio signal propagation to other non-target devices. Thus, we aim to answer the following research question: how can we physically target and jam one device while keeping others operational? We solve this challenge by means of a reconfigurable intelligent surface, RIS, to devise the first selective jamming mechanism based on taming random wireless radio wave propagation effects.
Using RIS-based environment adaptive wireless channel control, allowing to maximize and minimize wireless signals on specific locations, the attacker gains spatial control over their wireless jamming signals. This opens the door to precise jamming signal delivery towards a target device, disrupting any legitimate signal reception while leaving other non-target devices untouched. Other than reactive jamming, this is a true physical layer selection mechanism, allowing realization independent of protocol level information. In other words, they don't have to decode what's coming and going, they just shut it all down. Moreover, the attacker only needs to detect signals from considered devices, removing the need for any real time monitoring and reaction to ongoing transmissions. In this work, we experimentally evaluate RIS-based spatially selective jamming attacks against Wi-Fi communication, showing that it is possible to target one or multiple devices while keeping non-target devices operational. To accomplish this, we exploit that considered devices transmit signals, allowing the attacker to passively adapt to the scene. Apart from the attack's core mechanism, we study crucial real world aspects such as the attack's robustness against environmental factors. We additionally verify the effectiveness of our attack in real world wireless networks where mechanisms that could counteract the attacker are at play, for example adaptive rate control of Wi-Fi networks. We show that RIS-based selective jamming even works despite extreme proximity of devices, for example 5 millimeters, and investigate the underlying physical mechanisms. Finally, we perform comparison experiments with a directional antenna, showing the significance of our RIS-based approach. In summary, our work makes the following key contributions. We propose the first true physical layer selective targeting mechanism for wireless jamming, enabling environment adaptive attacks in the spatial domain.
Second, we present an attack realization based on RISes, using passive eavesdropping to determine an appropriate RIS configuration, which is the key to deliver jamming signals towards targeted devices while avoiding non-target devices. Third, we present a comprehensive experimental evaluation with commodity Wi-Fi devices, environmental changes, and an in depth analysis of the physical properties of our jamming attack. Okay, and one last note about these new RIS, reconfigurable intelligent surfaces. They write, an RIS is an engineered surface to digitally control reflections of radio waves. Digitally control reflections. That's all they're doing is reflecting radio waves. Enabling smart radio environments, they said, it is worth noting that RISes are likely to become pervasive as they hold the potential to complement future wireless networks such as 6G. Here the propagation medium is considered as a degree of freedom to optimize wireless communication by redirecting radio waves in certain directions, for example to improve signal coverage and eliminate dead zones, to enhance energy efficiency and data throughput, and building low complexity base stations. They said, an RIS does not generate, an RIS does not, and this is what's just shocking to me, an RIS does not actively generate its own signals, but passively reflects existing ambient signals. For this it utilizes some number of identical unit cell reflector elements arranged on a planar surface. Importantly, the reflection coefficient of each reflector is separately tunable to shift the reflection phase. Typically an RIS is realized as a printed circuit board with printed microstrip reflectors, enabling very low cost implementation. To reduce complexity, many RISes use one-bit control, for example to select between two reflection phases, 0 degrees and 180 degrees, corresponding to the reflection coefficients plus 1 and minus 1.
This allows the control circuitry to directly interface with digital logic signals from a microcontroller. The technology is still under development, which is why RISes are currently not widely used in practice. At the time of writing, first implementations are being made commercially available and field trials are being carried out. And then, after many pages, a very cool detail. And by the way, I've got the link to the whole PDF at the top of this in the show notes for anyone who wants to dig through it. And I know a couple of our radio experts are going to be curious. Their paper concludes: In this paper, we investigated the merits of the RIS technology for active wireless jamming attacks. In particular, we have shown that the RIS enables precise physical layer attack targeting in the spatial domain, enabling protocol level agnostic selective jamming. For this, the attacker first determines the RIS configuration by eavesdropping wireless traffic from the victim devices. In other words, it listens using its antenna grid in order to locate, in a two-dimensional vector, the location of the device it wants to block. Then it switches into passive mode, and just by bouncing the radio off of itself that it is receiving ambiently in the environment, it's able to shut down that Wi-Fi device. They said, then the attacker uses the RIS to reflect the environment's ambient radio signals with the effect of jamming the wireless communication. This is alien technology. Jamming the wireless communication of targeted devices while leaving other devices operational. We have demonstrated the effectiveness of the attack under real world conditions with extensive experimentation using commodity Wi-Fi devices. They used Pis and things and an open source RIS. Notably, we found that it is possible to differentiate between devices that are located only millimeters apart from each other.
Overall, our work underscores the threat of wireless jamming attacks and recognizes the adversarial potential of RISes to enhance the landscape of wireless physical layer attacks. Wow. Now you know. I know that our listeners enjoy being clued in, even if with only the broad strokes that I've been able to share here. Just knowing that such capability exists is mind blowing. What this means in practice is that very low power, undetectable, targeted jamming of specific radios is now possible. It's low power because the device is not itself needing to emit any strong, overwhelming radio signal. It's merely selectively inverting the reflected phase of what it receives across the elements of its two-dimensional surface. And this reflection property is also what makes it undetectable. Again, because it's not emitting any flooding radio signal that any bug detector can detect. Nothing. It's also undetectable because the sum of these reflections can be focused onto the device's exact antenna location, so that even being half an inch away, no jamming effect would be detectable. As I said earlier, I'd be very surprised if researchers at the NSA and CIA didn't already have their sleeves rolled up, taking a close look at what this means for our on-the-ground defensive and offensive operations. This is just astonishing technology and it'll.
Leo Laporte
Be very useful in a movie theater. So there's that.
Steve Gibson
Actually, for a while I had an illegal cell phone jammer when I was so. Because I got so upset over people having loud cell phone conversations.
Leo Laporte
See, I knew that.
Steve Gibson
And, and you could use this to. To target that phone.
Leo Laporte
And nobody does it, you know, though. What I mean, you're not aiming it. How are.
Steve Gibson
No, it actually is aimed.
Leo Laporte
So you aim it.
Steve Gibson
Well, it. It listens across its surface at. Listens to the device transmitting and is able to, by the. By the timing of the received signal across this grid of 2D elements. The. Because, right, if. If the radio is off at an angle, then the signal will arrive slightly before on one edge of the array versus the other. And so it's able to use the phase of the received signal to determine in 2 degree space where the transmitter is. Then it reverses the scenario, but it doesn't send anything. It simply reflects anything coming in back and is able to shut that radio down. I mean, Leo, it's just freaky.
Leo Laporte
Well, I'm sure that the, the folks, the screenwriters at the Recruit and Lioness and Taylor Sheridan, they're all taking note of this. This is now a new tool they can add to.
Steve Gibson
Nobody will believe it. That's the point.
Leo Laporte
That's right.
Steve Gibson
They might as well just use Beaming up Scotty technology because you know, who would. Who would think this would work? And here these guys have done it.
Leo Laporte
You know who would love this is Steve Wozniak. He loved this kind of thing.
Steve Gibson
Yeah, he would.
Leo Laporte
I bet he's making one right now. Very interesting. It's funny, I didn't. I had no idea what you were talking about with the title of the show. But now I still have no idea what you're talking about. Spatial domain wireless jamming. It's exactly what it says.
Steve Gibson
Our listeners need to know that this is possible.
Leo Laporte
Very cool. It's actually really cool. Yeah. Thank you. My friend Steve Gibson is at grc.com. That's his home on the Internet. Stands for the Gibson Research Company or Corporation. He. He's there 24/7 to offer you copies of SpinRite. If you should happen to have mass storage, you probably need a copy of SpinRite. I'm firing mine up as soon as my server comes. Going to boot up into that, what, a FreeDOS and whatever it is now you use. What is it called? The DOS that you bought. OS. He bought his own operating system. He owns it. Just so you can run SpinRite on any, any machine that'll boot up to you. Couldn't do it on a Mac, unfortunately, but any UEFI or EFI or BIOS machine will work on. Right?
Steve Gibson
Well, not on M-based. The older Intel, yes, but not on the Apple Intel device.
Leo Laporte
Yeah, well, this is going to be a Linux server, so before I put the Linux on there I will SpinRite those drives. It's the world's finest mass storage maintenance, recovery and, and this is why I'm going to do it, performance enhancing utility. How often do you recommend running that on your SSDs? Maybe yearly or more?
Steve Gibson
I would say annually. Annually. I think that is a good, good trade off. The argument is that it, that you know, SSD's lifetime is consumed by writing.
Leo Laporte
Right.
Steve Gibson
But we're only talking, so you don't.
Leo Laporte
Want to do it too often, you.
Steve Gibson
Don't want to do it daily, but annually, oh my goodness. When you consider that the service life of the device, what, is maybe 10 years, right. So, and boy does it make a difference in performance. I mean, I guess if you notice.
Leo Laporte
It's slowing down, they could also do it then. That would be great, right?
Steve Gibson
Any. Yes, exactly. Yeah. And you're able to do a read test non-destructively. You're able to read, and if you see the performance, performance is lagging, then it's like, well, now it's time to do a rewrite.
Leo Laporte
So you could even do a little diagnostic. That's great. GRC.com. While you're there, of course, you can get. Well, first thing I would suggest is go to grc.com/email, validate your email with the system so you can email Steve with questions, comments, suggestions. While you're there, you can also sign up to get the show notes emailed to you ahead of time. Usually 24, 48 hours ahead of time you'll get a copy of the show notes so you can look at the picture of the week and laugh along with Steve. You can also get a second newsletter that's a very infrequent emailing about important events. For instance, I bet you're going to let us know when DNS Benchmark is available.
Steve Gibson
That will be the next email.
Leo Laporte
Yep. GRC.com. He has two unique, three really if you, if you count the transcripts, copies of this show. He's got a 16 kilobit audio for the bandwidth impaired. A 64 kilobit audio, which we don't do anymore. We used to, but we now do 128 kilobit audio. So if you, if you want a smaller download, and frankly the 64 kilobit audio is full quality, you won't be losing anything, that's the place to go. He also has transcripts written by Elaine Farris. So they're very good. They're not. They're not AI transcripts. They're excellent quality transcripts and show notes, all at GRC.com. We have our 128 kilobytes, kilobit audio and our video available at our website. That's twit.tv/sn for Security Now. When you're there, you'll see a link to the YouTube channel. Great way to share clips. This show above all others, I think people should be sharing clips with friends, family, people who are looking to jam drone signals, that kind of thing. This is the show to share. Share this. Share that little clip there. It also helps us spread the word. And you can also subscribe in your favorite podcast player and get it automatically, audio or video, the minute it's available. We do stream live so that you can watch it if you want the very absolute newest version of the show, the freshest version. We stream every Tuesday right after MacBreak Weekly, sometime between 1:30 and 2pm Pacific. That's 4:30 to 5pm Eastern. Now we are going to be heading into daylight saving time on Sunday. Steve, I hope you're ready to set the clock back. Forward, forward. Don't set it back. You'd really be. You'd be two hours off. Set it forward, spring forward. That means that the time that we will stream is going to change, at least from the point of view of UTC. So 2pm Pacific, 5pm Eastern, and now that would be 2100 UTC. So you can watch us live. Eight different places to watch. Club members get to watch on Discord. But there's also YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick.
So anywhere you want to watch at those hours, you can watch live. Thanks to our club members for making the show possible, our great sponsors, and most importantly, thanks to you, Steve Gibson. I look forward to seeing you again in a week.
Steve Gibson
Next week. Bye.
Leo Laporte
Security.
Steve Gibson
Now.
Security Now 1015: Spatial-Domain Wireless Jamming. Released on March 5, 2025.
In Episode 1015 of Security Now, hosted by Leo Laporte and featuring recurring guest Steve Gibson, the discussion delves into pressing issues in the realm of cybersecurity, including Firefox's updated privacy policies, Signal's contention with Swedish legislation, the aftermath of the Bybit Ethereum heist, and an exploration of groundbreaking technology in wireless jamming.
Timestamp: 28:04
One of the episode's key discussions centers around Mozilla's recent amendments to Firefox's privacy policy. Steve Gibson expresses his support and understanding of Mozilla's position despite listener backlash.
Steve Gibson (28:04): "Mozilla's updated statement reads, 'We still put a lot of work into making sure that the data that we share with our partners... is stripped of any identifying information.' I believe them. These are the people who said they would never sell our data."
Highlights:
Old vs. New Policy: The previous Firefox FAQ explicitly stated that Mozilla would never sell user data. The updated policy reframes this stance due to broader legal definitions of "sale" in certain jurisdictions.
User Concerns: Users on platforms like GitHub and Reddit criticized Mozilla for the language change, feeling uneasy about the potential for data usage beyond mere functionality.
Mozilla's Defense: Mozilla clarified that the license is necessary to operate Firefox's basic functions, emphasizing that data shared with partners is anonymized or aggregated.
Steve's Stance: Despite understanding the legal necessities, Steve remains committed to using Firefox over browsers like Chrome, viewing Firefox as a vital alternative in the battle against surveillance capitalism.
Timestamp: 38:31
The conversation shifts to Signal Foundation's President Meredith Whittaker's announcement that Signal might withdraw from Sweden if new legislation mandating backdoors is passed.
Steve Gibson (38:31): "Meredith Whittaker, Signal Foundation's president, immediately responded... saying that Signal will pull out of Sweden if the government there passes such a surveillance bill."
Highlights:
Swedish Legislation: The Swedish government is considering laws that would compel communication providers to grant police and security services access to message content.
Signal's Response: Meredith Whittaker has previously threatened to leave other countries like the UK over similar demands, underscoring Signal's commitment to user privacy.
Adoption in Military: Interestingly, despite the potential exit, Signal remains popular within Sweden's armed forces, highlighting its trusted security features.
Implications for Other Platforms: Concerns arise about how other platforms like Apple's iMessage and Google Messenger would respond to such legislation.
Timestamp: 43:12
The episode addresses the significant cryptocurrency heist involving Bybit, where approximately $1.5 billion in Ethereum was stolen by North Korean hackers. Steve Gibson provides an in-depth analysis of the incident and its repercussions.
Steve Gibson (59:37): "It's looking like the bad guys are going to largely get away with this."
Highlights:
Attack Origin: Initial reports suggested Bybit was at fault, but later evidence points to a breach at SafeWallet, a service provider utilized by Bybit. The hackers infiltrated SafeWallet, injecting malicious code that targeted Bybit's smart contracts.
Recovery Efforts: Out of the $1.5 billion stolen, Chainalysis reports that only $42 million has been recovered. The complexity of laundering such a vast amount in the transparent blockchain ecosystem poses significant challenges.
Lazarus Bounty Initiative: In response, Bybit established the Lazarus Bounty, offering a 10% reward for the recovery of stolen funds. As of the episode, $140,000 is available, with $4,286 already awarded to 17 participants. The leaderboard shows minimal progress, indicating the difficulty in tracing and reclaiming the funds.
Chainalysis Insights: The movement of Ethereum through various exchanges and token swaps demonstrates the sophisticated methods employed by the hackers to obscure the trail, making recovery arduous.
Timestamp: 60:03
Amidst Chrome's transition to Manifest V3, Mozilla reaffirms its support for Manifest V2, allowing Firefox users to continue utilizing extensions like uBlock Origin.
Steve Gibson (60:03): "Mozilla took the opportunity to reaffirm. Yay. Their commitment to remaining V2 compatible."
Highlights:
Manifest V3 vs. V2: Chrome's enforcement of Manifest V3 has led to the removal of uBlock Origin from its web store, significantly impacting users reliant on robust ad-blocking tools.
Mozilla's Stance: Unlike Chrome, Firefox continues to support both Manifest V2 and V3, ensuring that extensions dependent on V2 features remain functional.
User Impact: This decision preserves the full strength of uBlock Origin for Firefox users, maintaining a high level of privacy and ad-blocking effectiveness.
Steve's Advice: Given the challenges with Chrome, Steve encourages listeners to consider alternatives like Firefox to retain control over their browsing experience.
Timestamp: 145:19
The episode culminates with Steve Gibson introducing a pioneering study on Spatial-Domain Wireless Jamming, a technology poised to revolutionize cyber-espionage and defense mechanisms.
Steve Gibson (145:19): "Spatial Domain Wireless Jamming with Reconfigurable Intelligent Surfaces... it's just so cool...."
Highlights:
Research Overview: Presented at the NDSS Symposium 2025 in San Diego, the study explores the use of Reconfigurable Intelligent Surfaces (RIS) to achieve precise, targeted wireless jamming without affecting neighboring devices.
Technology Mechanics: RIS are engineered surfaces that can digitally control the reflection of radio waves. By adjusting the phase of reflected signals, RIS can focus jamming attacks on specific devices, rendering them inoperative while leaving others untouched.
Advantages Over Traditional Jamming: Unlike reactive jamming, which requires real-time analysis and is position-dependent, spatial-domain jamming using RIS is proactive, allowing attackers to disable target devices without broad-spectrum interference.
Practical Implications: The technology enables low-power, undetectable attacks, posing significant threats to wireless communications by making targeted jamming both feasible and stealthy.
Countermeasures: The study also discusses potential defenses against RIS-based jamming, emphasizing the need for advancements in wireless security protocols to mitigate such sophisticated threats.
Conclusion: Spatial-Domain Wireless Jamming represents a significant advancement in cyber-attack methodologies, highlighting the necessity for continuous research and development in cybersecurity defenses to stay ahead of emerging threats.
Throughout the episode, Leo Laporte and Steve Gibson interweave discussions on technical topics with anecdotes and listener feedback, maintaining an engaging and informative dialogue. They emphasize the importance of staying informed and adaptable in the ever-evolving landscape of cybersecurity.
Leo Laporte (173:06): "Security."
The episode serves as a comprehensive exploration of current security challenges and innovations, offering listeners valuable insights into both policy shifts and technological breakthroughs shaping the future of digital security.
Notable Quotes:
Steve Gibson (02:17): "It's an astonishing new technology."
Steve Gibson (28:04): "I believe them. These are the people who said they would never sell our data."
Steve Gibson (145:19): "This is just astonishing technology and it'll... be very useful in a movie theater."
Note: For more detailed insights and visuals, interested listeners are encouraged to visit GRC.com where show notes, transcripts, and related resources are available.