Telegram's Crypto, Twitter Outage, FBI Warning
Leo Laporte
It's time for Security Now. Steve Gibson is here. Some really interesting topics. We've always wondered about the cryptography used in Telegram's Messenger. Well, now we know what we thought. It's not very good. We'll also talk about: did Ukraine really attack X.com? Why your Firefox might have said, hey, you gotta update us. And then we'll take a look at testing your PC for one of the worst flaws ever, Rowhammer, and how you can do it as a way of kind of giving back. Plus, we're going to get you some great listener feedback and some sci-fi recommendations as well from the great Steve Gibson. Next on Security Now, podcasts you love from people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1017, recorded Tuesday, March 18, 2025. Is your system vulnerable to Rowhammer? It's time for Security Now. Yes, the show you wait all week for. Our man of the hour. Steve Gibson is here to fill us in on everything that's going on in the. What are you covering your mouth for?
Steve Gibson
So I don't talk over you while you're doing your intro?
Leo Laporte
You know, I don't that, you know. Talk over me all you want. People are not here for me. They're here for you, Mr. G. So.
Steve Gibson
They're going to get a lot of that. We got a, I think, a really interesting episode. Some researchers, I forgot where they are. The German. I don't know.
Leo Laporte
We'll.
Steve Gibson
We'll find out. It's a mystery right now, but there's three of them, I'm sure of that. And, and, and they.
Leo Laporte
Well, at least we know that much.
Steve Gibson
Oh, it's the Chaos Computer.
Leo Laporte
Oh, it is Germany then.
Steve Gibson
Yeah, yeah, Germany. Yeah, yeah. They decided that no one had really done a large population study of the prevalence of Rowhammer. Rowhammer hasn't gone away. It's still dogging us. The idea being that if you read. If you hammer on a given region of DRAM, you can upset the neighbors, which is true if you just hammer on your house too.
Leo Laporte
Different kind of neighbor, but yes.
Steve Gibson
And so what we have now, it's over on GitHub. It's downloadable natively. You can install it on a USB thumb drive and run it and get a report on your specific system's susceptibility to Rowhammer attacks. And as part of this, you optionally upload anonymously your data to their cloud. You're able, if you don't like to do that, or if you want to look at what's being sent first, it writes it to the USB stick and you're able to peruse it and go, oh yeah, there's nothing here that I care about. And off it goes. You get a brownie point from them if you do that. It's a chance to win some lottery. But I think it's like two chicken sticks or something. I mean, it's nothing that you really care about. But they were trying to encourage this because they would like to get a much larger sample size. What they realized was that while, yes, you can demonstrate this bit flipping problem on random systems, we really don't know how big a problem it is. So anyway, everybody who's listening, and hopefully lots more who will find out about this, can run this test, submit their data, generate a much better sense for the prevalence of this. But that's not happening yet. First we're going to talk about the long needed and awaited and oh, it's just poetic, Leo. Analysis of Telegram Messenger's crypto.
Leo Laporte
Only you would think it's poetic, but okay, it's a work of art.
Steve Gibson
We're going to have to pause and just steep in this for a while.
Leo Laporte
I thought we knew how they did it. I thought this was widely known.
Steve Gibson
We always knew it was crap.
Leo Laporte
Oh, telegram.
Steve Gibson
Oh, telegram.
Leo Laporte
Ah, yes. They rolled their own, didn't they?
Steve Gibson
They did.
Leo Laporte
They're not using NaCl.
Steve Gibson
It stinks.
Leo Laporte
Oh, boy.
Steve Gibson
Yeah. But the best thing of this whole part is, and these are like a team of five crypto guys, several from ETH Zurich, and we got a guy from Amazon, but he said, I'm not affiliated with Amazon for this, I'm just a crypto guy. But they produced the most eloquent statement of why modern crypto is modern. And it may even. You may get a little wet in the office. Really good. Also, we're gonna look at the truth behind Twitter's recent outage trouble. There was a lot. I got a lot of feedback from our listeners about this expiring embedded Firefox root certificate. And the question is, who was surprised by that? Well, it turns out not so many people. Also, we got AI generated GitHub repos, voice cloning, Patch Tuesday and an Apple zero day. The FBI has warned of another novel attack vector that's seeing a lot of sudden action and is one that had never occurred to me. So it's like, oh, let's talk about this. Google has weighed in on age verification and all of that mess. And in a vacuum of age verification, of all people, Kazakhstan has decided to come up with their own solution. It's not wonderful.
Leo Laporte
Also, isn't that where Borat's from?
Steve Gibson
Yeah, I think it was his idea, in fact. Yeah, probably. Also Google. Was Google served with an order from the UK as Apple was?
Leo Laporte
They wouldn't be able to say, would they?
Steve Gibson
That's what people want to know. Can they say? Also, we've got a serious PHP vulnerability that everybody needs to make sure that they don't have, because.
Leo Laporte
I don't have PHP. So I'm glad to say, but.
Steve Gibson
Well, lots of servers have PHP on their back end serving their pages. I mean I do.
Leo Laporte
The good news is your forums, right, are in PHP, aren't they?
Steve Gibson
Yeah, yeah, yeah. And the. But the good news is I wasn't vulnerable because of the way I set things up, but for example, the default XAMPP stack is vulnerable.
Leo Laporte
Yikes.
Steve Gibson
And that's what lots of people use. So I've got to make sure you don't have that. I did take the trouble to update my PHP because the version I was running was vulnerable, but the way I was invoking it wasn't. So anyway, we got a bunch of great listener feedback, some sci-fi content reviews, and then we're gonna look at how you can find out about your own system's Rowhammer vulnerability. So, you know, just your average, just your everyday Security Now. I thought I'd come home after one of these and I say to my wife, you know, I think maybe this one was a good one.
Leo Laporte
Every one is a good one. And I might tell you my story, the story of hairpin NAT. Do you know what hairpin NAT is?
Steve Gibson
Oh yeah. In fact, it's a way of solving the problem of not being able to access your IoT devices from an isolated network.
Leo Laporte
Well, it turns out I have a Comcast business account, that's what we use to stream, and they disable hairpin NAT in their router. And I, for the longest, for literally eight months now since we closed the studio, have been wondering why I can't get to my self hosted wiki by its name, only by its number. Well, I now know they don't support hairpin NAT. Who would've thunk?
Steve Gibson
Who would've thunk. You know who does is the Ubiquiti routers.
Leo Laporte
Yes. So I'm using Ubiquiti behind the Comcast router. Comcast, because I have a static IP address, says no, you have to use our router. I might figure out a way around that because that's. They say, and actually this was going to be my question to you. We can save it. They say it's for security reasons they don't support it. I find that hard to believe now.
Steve Gibson
It's for support reasons they don't support. They don't want to try to explain to Martha or Jeffrey or whomever that, well, look, here's. I mean, because it's tricky to understand that the data goes out essentially on the other side of the router and then is able to do a quick U turn and come back in as something else.
Leo Laporte
It's a good description. It is a hairpin, just so you know. The symptom is I'm running a server, a wiki server, internally inside my network on this Comcast router. It's using its static IP address because that's the best way to do it. But I can't reach it from here by name. DNS doesn't work. I can only reach it by number. But if I go outside or I turn off my. It works fine.
Steve Gibson
Works great.
Leo Laporte
Yeah. And I never heard of this, and so for the longest time I thought my server was broken anyway. You. Of course, I should ask you. Russell found it, our wonderful IT guy. He did a little digging. He said, I think that they turned off hairpin NAT. You know what, you should never turn off your backups. Let me tell you. This episode of Security Now is brought to you by Vanta, V A N T A. You know, in business, trust isn't earned. It's not just earned, it's demanded, right? Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or more complex. In fact, in many cases, it's a requirement. That's where Vanta comes in. Businesses use Vanta to establish trust by automating compliance needs. And they can do it across 35 different frameworks. SOC 2, of course, ISO 27001, all of them really. Vanta will help you centralize security workflows. You can complete your questionnaires up to five times faster. Proactively manage vendor risk too. This is a must have. Vanta can help you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on the more important things, like building your company. Join over 9,000 companies. You want some examples? Atlassian, Quora, Factory and 8,997 others use Vanta to manage risk, improve security in real time. For a limited time, our audience gets $1,000 off. $1,000 off Vanta. Go to vanta.com/securitynow, v a n t a, vanta.com/securitynow, $1,000 off. You see, because, you know, we're in Silicon Valley or we're near Silicon Valley. Whenever I drive through the Silicon Valley area, you see Vanta's billboards everywhere, and I always have to laugh. They have a cute little alpaca as their. As their. As their. I don't know, their mascot.
You can see it right here on the lower third if you're watching the video. But my favorite part of their billboards is their. The tagline: Compliance that doesn't suck too much. I just.
Steve Gibson
I don't know why.
Leo Laporte
I'm a. I'm a geek. Thank you, Vanta, for supporting the show. You support us by going to vanta.com/securitynow for $1,000 off. Now, Steve, as always, I have sealed myself into a soundproof room before the show so that I cannot see the picture of the day. But are you ready? Shall I roll up?
Steve Gibson
I need to tell you first that the caption that I gave this photo, this is one of those that will take a little minute or two to sort of absorb. The caption is the nature of legacy technology.
Leo Laporte
Uh. Oh, all right, I'm gonna roll.
Steve Gibson
Like technology we're never able to quite get rid of, much as we might want to.
Leo Laporte
Don't we know this is Microsoft's sad song. Oh, my God. Oh, that is hysterical. Oh, my. Look at that, kids. Okay, you better tell people. That is legacy, boy. Yes.
Steve Gibson
Isn't that wonderful?
Leo Laporte
Wow. There's nothing below it. Wow.
Steve Gibson
Once upon a time, there was a phone pole, and it went from the ground up into the air, as phone poles do.
Leo Laporte
They do.
Steve Gibson
And people began stringing wires.
Leo Laporte
Sure.
Steve Gibson
Isn't it wonderful? Oh, it's just wonderful. And so wherever this phone pole was located, it was a very busy region. And over time, it accreted more and more wires, largely running north, south, east, and west, you know, sort of in the. You can see them coming and going. And then something happened. We don't know what happened. But the phone pole, you know, no.
Leo Laporte
Longer necessary, lost its footing.
Steve Gibson
Actually, you're exactly right, Leo. There were so many wires hooked to the top of this phone pole that some industrious person said, you know, I bet we really don't need the phone pole to go all the way to the ground anymore.
Leo Laporte
That's tensegrity. That's what that is. Right there in a nutshell.
Steve Gibson
So some brilliant person or an accident, or we don't know what, but it was very clearly, cleanly sawed off below all of this transactional wiring happening at the top of the phone pole, so that there's just no more pole below the phone.
Leo Laporte
Unbelievable.
Steve Gibson
Yeah, that's just wonderful. And the nature of legacy technology, you know you can't get rid of it. Right? I mean, you need it. But apparently they had to run a bypass or an underpass or something. Right? Or a pedestrian.
Leo Laporte
I don't know what's. They don't show what's below it. I'm just curious, but that's hysterical. And it. Obviously, it's working. It looks like all those wires have a nice tight. They're taut, they're good.
Steve Gibson
Yeah, it didn't droop at all when they cut the pole out from under it. Nope, still there.
Leo Laporte
Wow.
Steve Gibson
Anyway, that's just one of our goodies. That's a good one. Okay, so our listeners, possessing long memories, may recall how repulsed I was by Telegram's design the first time I looked at it and we talked about it on this podcast. It was just a pile of made up nonsense. I mean, it just didn't. It didn't obey any of the rules of cryptography. And since that was the general impression of it, which was shared by the informed crypto community, this was 11 years ago, back in 2014, Pavel Durov, who we talked about a lot back then, his response to the community's shunning of his solution was to say, okay, fine, you don't like what I just came up with at the kitchen table.
Leo Laporte
I think it was his brother who wrote it, as I remember.
Steve Gibson
I think you're right. Yep. And so it was his fault. Pavel said, okay, fine, I'll put up a prize of $200,000 (and this was in 2014, when that was more money) to anyone who can decipher an encrypted message sent between two Telegram end users. You know, you don't like my crypto, fine, here's 200 grand. Again, the crypto community was unimpressed because that was beside the point. It's about elegance and it's about rule following, which is what you do if you want solid crypto, not someone dangling a carrot. So by 2014, and this was the point, we already knew how to solve these problems correctly, and Telegram wasn't it. Okay. So for this reason, I was very interested, and I knew our listeners would be, when I saw that a team of actual cryptographers had finally. And boy, this was not easy. I think it's like 107 pages or something of crap that they had to go wade through. But anyway, they took a good, actual, hard, long look at what can best be described as the ad hoc cryptography which was invented out of whole cloth by Telegram. And I use the phrase actual cryptographers because the first thing that becomes clear to anyone looking at Telegram is that its designers were not. Five cryptographers, one from King's College, two from ETH Zurich, one from Tel Aviv University, and the fifth, as I mentioned, from Amazon, last Monday published a paper containing their findings, which was just presented during the Eurocrypt 2025 cryptography conference. I've got a link to the paper here in the show notes for anyone who doesn't mind scrolling, because it is a tour de force. Their paper's title was "Analysis of the Telegram Key Exchange," and its abstract reads: We describe, formally model and prove the security of Telegram's key exchange protocols for client server communications.
To achieve this, we develop a suitable multi stage key exchange security model along with pseudocode descriptions of the Telegram protocols that are based on analysis of Telegram's specifications and client source code. We carefully document how our descriptions differ from reality and justify our modeling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks. That's all proper, of course. But the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis. Which is a really nice way, a polite way of saying, you know, we did the best we could because we were just handed spaghetti. Anyway, they continue. Along the way we provide a proof of the security for the variant of RSA Optimal Asymmetric Encryption Padding used in Telegram and identify a hypothetical attack exploiting current Telegram server behavior (which is not captured in our protocol descriptions), they said. Finally, we reflect on the broader lessons about protocol design that can be taken from our work. And that's where the poetry comes in. Anyway. So 104 pages later. Remember, most of the beautiful research stuff that we talk about and share here is, I don't know, 7 to 17 pages, not 104. I think there's 107. Anyway, this was not a short paper. They conclude under the poetic heading "The Brittle Monolith That Is Telegram." But it's not just their heading that's poetic. Listen carefully here to how beautifully they describe the way cryptographic protocols should be designed versus what they found lurking in the heart of Telegram. So here's on page 104. They conclude: In theory, the design of a cryptographic protocol has the sole purpose of achieving the protocol's security goals efficiently.
In actuality, however, to achieve this goal, it must also achieve the goal of allowing at least a sufficiently motivated expert to convince themselves that the protocol achieves these goals. This is so pretty. In other words, the central insight of what is commonly referred to as modern cryptography is that a cryptographic design is also tasked with being easy to reason about. A fundamental paradigm of achieving this goal is modularity, where different components of the design can be reasoned about in isolation and then generically composed to establish overall security guarantees. Oh, that's just beautiful. This modularity is typically achieved by relying on building blocks that provide strong security guarantees on their own, as opposed to only and potentially in specific compositions, and by breaking the dependency between different components of a protocol by avoiding reuse of secret material. I'll interrupt here just to say that obviously, reading between the lines, what they found was that just a bunch of goo was just kind of like thrown in a big pile and scrambled around and connected to itself. And it's like, here you go. I mean, remember, that's what we saw back then. Anyway, they said: Telegram's failure to achieve this design goal is the root cause for the limitations and complexity of our proofs and our seeming need to reach for unstudied assumptions on cryptographic building blocks than would otherwise be necessary. We will now discuss these issues and highlight several of the main Telegram design choices and their effect on our proofs of security. We begin with mere complications, then move on to limitations and seemingly necessary ad hoc assumptions. We finish by briefly recapping our hypothetical attack.
We also discuss, this is after 104 pages leading up to this, we also discuss design choices that led to these issues and note that the same design choice often led to several different difficulties for arguing for the security of Telegram, leading to necessary repetitions in what follows. In other words, they're trying to do the best they can when given a mess, and they're trying to agree that this thing was secure. But it wasn't easy. And several pages after that, under the heading "Reliance on unstudied assumptions," they added: In Appendix C, we describe several unstudied, ad hoc and new assumptions that we used in our proofs. These assumptions could have been avoided if, for example, collision resistant hash functions like SHA-256 or SHA-3 had been used instead of SHA-1, meaning that's what Telegram is using, which is not collision resistant today, and if proper key derivation functions had been used, meaning it doesn't. So, in other words, the cryptographic design of Telegram is a mess at a time when a mess can, and for very good reasons should, be avoided. Telegram is likely secure enough for everything and everyone who's using it and relying upon it. No one is saying it isn't, but its design actively fights against that actually ever being proven. So I suspect that Pavel's $200,000 reward, at least for the foreseeable future, is secure, as is Telegram. But there was no reason to just do it this way, because by the time they were designing crypto, it was already well established how to solve all these problems, and they just didn't. Pavel's brother, as you remind us, Leo, just said, you know, I'm just gonna. We're gonna do our own thing, because who will ever be able to prove it isn't? And he's right. No one can.

Those of us who watched the early rise of Twitter will recall the frequently seen fail whale.
Its appearance usually indicated that the service, which was struggling to grow fast enough to keep up with its exploding demand back in the early days, was temporarily unable to do so. That is. I mean, there was just too much desire for it. But the good news is those days are now long past. However, last week, Twitter was on the receiving end. And someone wrote back and said, Steve, why are you still calling it Twitter? Well, 'cause I started with a retrospective, I suppose, but I just. The only problem I have with X is that it's so unspecific. I mean, people, for what it's worth, the tech press is still saying Twitter. And when you say X, you're almost compelled to say, you know, that service that was formerly known as Twitter, as if you're talking about Prince, that's now a strange glyph. Anyway, Twitter was on the receiving end of a widespread, high bandwidth DDoS attack. And as we know, widely sourced, very high bandwidth attacks are now what's required to take major sites and services down. In the case of last week's attacks, those who track such things, and there are a bunch of different groups who do, saw massive traffic originating from IP addresses in the United States and in Vietnam and Brazil as the top three among many other countries. So I was annoyed when Elon Musk later told Larry Kudlow during an interview on Fox Business Network that the attack came from Ukrainian IP addresses. What actually happened was that a group which offers DDoS attacks for hire, named Dark Storm Team, took credit for X's Monday outages. I don't have any problem when someone has a differing opinion. But Elon could have either said nothing or said he didn't know where the attack originated or why it was launched. You know, it would have been even better and accurate to say that, like most modern attacks, they come from all over the globe.
And I get it that he's very busy and I would imagine he probably didn't have any actual information at all and he shouldn't be expected to know everything. Like I said, he's busy. But singling out and naming Ukraine as the source of the attack, first of all, was not true, at least from a bandwidth standpoint, which is knowable. And of course, doing so appears to serve a current political agenda.
Leo Laporte
Yeah, but it was propaganda. He. He probably knowingly lied. I don't, I don't. I can't understand how he could not know that it's not true.
Steve Gibson
I just think he's busy. I mean, you know.
Leo Laporte
Well, he's busy.
Steve Gibson
You know, Larry said, hey, Twitter was down. What about that? And he should have said, I haven't been brought up to speed yet. I don't know. Anyway, for what it's worth, we do know that it wasn't IP addresses in Ukraine. So I just wanted to clear that up.
Leo Laporte
In fact, there really weren't many coming out of Ukraine. Ukraine, because they don't have much Internet.
Steve Gibson
No, exactly.
Leo Laporte
It's not where you would go if you wanted to do a DDoS attack.
Steve Gibson
No. And frankly, I don't think you can DDoS anyone through Starlink because it doesn't have that much bandwidth. You need landlines that get warm with all the packets that are moving through them. So, interestingly, last Friday, a critical Firefox root certificate expired earlier last week. And this is what generated so much feedback from our listeners, because everyone knows I'm a Firefox fanboy. Mozilla wrote: On March 14, 2025, a root certificate used to verify signed content and various add ons for various Mozilla projects, including Firefox, will expire. Without updating to Firefox version 128 or higher, or the ESR, the extended service release, 115.13 or later for ESR users, including Windows 7, 8, 8.1 and macOS 10.12 through 10.14 users, this expiration, that is, the expiration of this root cert, may cause significant issues with add ons, content signing and DRM protected media playback. Now, just to be clear, this is a root certificate, not the way we normally think of it, not like a public root. This was a private root embedded in the Firefox .exe, so that's why it was necessary to have an up to date version of Firefox. Mozilla said: If you don't update Firefox, features that rely on remote updates will stop working and your installed add ons will be disabled. DRM protected content such as streaming services may stop playing due to failed updates. Additionally, systems dependent on content verification could stop functioning properly. In other words, lots of bad stuff. They said: This update is necessary for all Firefox users running versions earlier than, as I said, 128 or ESR 115.13, including those on Firefox for desktop on Windows, macOS and Linux, as well as Firefox for Android. If you were sent to this article through an in app message in Firefox, it means your browser version is outdated. It needs to be updated.
Okay, now, since I'm still using Firefox on a Windows 7 machine (actually I'm sitting in front of it right now), I was initially concerned, but I just checked and my ESR edition had already updated itself well past that point. It's currently at 115.21.0 ESR. And in researching this further, it became clear that, unlike those sites which, you know, we sometimes see, I won't say often, where their TLS certificate expirations clearly are catching them by surprise because their site suddenly went offline and it's like, oops, we fired the guy that normally updates that every year. In this case, Mozilla was not taken by surprise by this. The mainstream version 128 edition, which was recent enough, and the ESR release which Mozilla said would be needed, that 115.13, were both first made available on July 9th of last year, 2024. So like nine months ago. You know, anyone who hasn't updated their Firefox even once since then would have no one to blame other than themselves if something were to go wonky with their client. What this meant was that Mozilla was just reminding everyone, for the sake of doing so, a few days before that certificate's expiration, which was formally retired nine months ago, that if for any reason somebody might still be running a Firefox from last summer, then various important things might stop working.
Leo Laporte
This could happen to me, though, because Firefox is not my primary browser anymore, but I have it on my machine. If you never launch it, it never gets updated. Right. So it's not inconceivable that you could, you know, have it sit there for a year.
Steve Gibson
I think it launched, actually, I think it updates at launch.
Leo Laporte
That's the thing. It would update as soon as I launched it. Right. Or does it say, hey, restart to update? Because I see that on Chrome.
Steve Gibson
I don't get. We don't get that with Firefox unless you go to the about box. But normally it says you're updated. I think that where someone would get caught out would be if they had some version of Firefox or, I mean, some running instance that was never restarted. Like, someone actually sent me a picture of a Firefox error message on a, like, Wendy's fast food drive-through kiosk, and it was, you know, like Firefox was unhappy about something. But so, you know, there might be an instance where it would just have been running for months on end and never restarted.
Leo Laporte
A kiosk would be exactly that, right? Yeah.
Steve Gibson
Yeah. And, you know, also would be exactly this. Leo. Oh, you. I know.
Leo Laporte
You know, you want to do a little, I don't know, you want to, like, meet one of our sponsors, One of our fine sponsors.
Steve Gibson
We're more than a half hour in, so that's the time to do.
Leo Laporte
You know these guys pretty well. I'm talking about who? Bitwarden.
Steve Gibson
Oh, yeah, I do.
Leo Laporte
Bitwarden, of course, is our favorite password manager, the trusted leader. And not just passwords, but secrets and passkeys as well. In fact, I just saw that, I think it was Wired magazine, picked it as its favorite password manager. And one of the reasons they liked it is the exact reason I like it. It's open source. You know, you can't verify Telegram's crypto except kind of like by poking at it, because it's not open source. But that's why you want. Anytime you're using crypto, you want to look at the source code, right? Because then you can verify it does what it says it does, and no more and no less. Bitwarden has more than 10 million users now. I'm so happy to say that I think we might have contributed a little bit to that, across 180 countries. But I think what a lot of people forget is Bitwarden's great for business, too. Over 50,000 business customers worldwide. In fact, Bitwarden has entered the year as the essential security solution for organizations of all sizes, consistently ranked number one in user satisfaction. That's by G2, recognized as a leader in SoftwareReviews' Data Quadrant. Bitwarden continues to protect businesses worldwide. Tax season is here. This is kind of a nightmare time for security professionals. For years my tax preparer would email me my return, and or they would say, okay, send us your documents and stuff. And I'd say encrypted, right? And they'd say, well, no, just email them, that's fine. Nobody else. Well, tell your financial preparer, your accountant or your tax preparer about Bitwarden Send. In fact, if you're a Bitwarden customer, you can use it right now to securely send those financial documents to your tax preparer. With Bitwarden Send it does end to end encryption. So your tax forms remain protected. And here's the thing, the recipient doesn't need an account to access them. So you don't even have to set your preparer up ahead of time. Don't use risky email attachments.
Share anything confidential like tax documents with password protection, expiration dates. There's even view limits, giving you full control over who can see the sensitive information. Now's the time. This is the month to use Bitwarden. By the way, Bitwarden commissioned some research from 451 Research that, among other things, showed that despite the rise of multi factor authentication, this was a shocker to me, 65% of enterprises use it. They rely solely on passwords, which really reinforces the need for, at the very least, strong password management and security and compliance strategies. In fact, the survey also showed, with password management, even though it was cited as the number one IAM challenge for 35% of the organizations, only 21% implemented passwordless authentication, passkeys or single sign on, which means those enterprises are facing ongoing credential security risks. If you're not using a password manager, you know your employees are writing the password on a Post-it note and putting it on the monitor. I mean, it's just, it's not good. Bitwarden is the way to go. It offers enterprises essential tools to strengthen their security posture. With end to end encryption you get MFA enforcement, secure password sharing, which addresses both current password dependencies and future authentication needs. That's one of the things I like about open source. Bitwarden is up to date because its users contribute. They use, they, they will, they do a pull request and they will add features to Bitwarden. And Bitwarden vets them, looks at the source code, incorporates them in. So Bitwarden is nimble. They are, they are fast at implementing anything that you need for security. But despite all of this, what sets Bitwarden apart is its simplicity. Bitwarden setup only takes a few minutes. They import from most password management solutions. So if you're moving over, it's an easy thing to do. And as I said, it's open source.
That means their source code, it's on GitHub, it can be inspected by anyone, is regularly audited by third party experts. That's the only real ironclad guarantee that you're getting something that is totally reliable, totally secure, done right. Your business deserves an effective solution for enhanced online security. See for yourself. Go to bitwarden.com/twit. You can get a free trial of the Teams or Enterprise plan. And of course, as always, Bitwarden is free. Unlimited passwords, passkeys, hardware keys for individual users. Free forever for individual users. bitwarden.com/twit, bitwarden.com/twit, and we thank them so much for their support of Security Now. bitwarden.com/twit. I have to show you, Steve. Somebody in our Club TWiT chat showed us. He's watching Security Now in the barbershop. Put away the Playboys, guys. We've got Steve Gibson. Isn't that awesome?
Steve Gibson
Wow, that's some crazy.
Leo Laporte
Isn't that awesome? This is a Club TWiT member who I think is the barber. His name is Serio Barber.
Steve Gibson
Okay, well that would explain it then.
Leo Laporte
So I think it's his shop. Anyway, thank you, Serio Barber.
Steve Gibson
You know, for most people getting their haircut, if you can fall asleep during that, that's good.
Leo Laporte
I get sleepy anyway. Getting a haircut. No, this will keep you awake, Steve. Keep you awake. All right, on we go.
Steve Gibson
We knew it was gonna happen. And it's also probably little surprise that it happened not long after AI became the big buzzword. An unknown threat actor has deployed a large number of malicious GitHub repositories which infect users with malware. That's not such news. Trend Micro says descriptions for the repositories have been generated using AI tools. So we're beginning to accelerate the rate at which bogus GitHub malware repos are created and descriptions are created, hoping to catch unwitting people looking for solutions. The malicious repositories infect users with the SmokeLoader, which then deploys the Lumma Stealer malware to exfiltrate users' credentials, because they're looking to get developers' credentials in order to, you know, launch supply chain attacks to infect their own actual, you know, valid repos and get their stuff widely distributed. So beware of repos that actually, you know, they don't look like they're written by some, you know, Russian national trying to write English anymore. Oh, no, they're good now.
Leo Laporte
They're grammatically perfect. Oh boy, they sound that way too.
Steve Gibson
A Consumer Reports study found that Speechify, Lovo, PlayHT and Descript made no efforts to ensure that users had consent to reproduce another person's voice. So these are. Those are four out of the top six voice cloning apps. They don't have any problem if you reproduce someone's voice without their permission. They are, as I said, they are the top four out of those. Four out of the top six have no protections against abuse. They allow threat actors to easily clone anyone's voice, given a sample. The Consumer Reports study also found that voice cloning scams are seeing a wider adoption across the fraud landscape. You know, where it sounds like your grandma is calling and asking for some money.
Leo Laporte
It's so funny because my mom's stock brokerage, I won't say the name, keeps pushing me to use voice identification.
Steve Gibson
It is so yesterday. I mean, it is just a bad idea.
Leo Laporte
Yeah.
Steve Gibson
Wow. Like, I mean, first of all, it was never good.
Leo Laporte
Right, right. That's my effort. It's convenient, I guess.
Steve Gibson
But yeah, no, maybe it, maybe it just puts people off. Like, oh, you know, if, you know, some Russian is trying to scam you by voice, I'll go somewhere else. No. Last Tuesday, Microsoft patched a modest 58 vulnerabilities, among which six were actively exploited zero-days. You know, that's only a third of what they've done recently, Leo. So that's like, okay, we'll wake up. There was a Windows Win32 kernel subsystem elevation of privilege vulnerability, a Windows NTFS information disclosure vulnerability, the Fast FAT file system driver remote code execution vulnerability, NTFS information disclosure, another one of those, and an NTFS remote code execution vulnerability, and a Microsoft Management Console security feature bypass. So those were all being exploited as zero-days among 52 others. So, you know, update when you can. Apple also patched a zero-day in their WebKit affecting both iOS and macOS. Apple did describe it as an extremely sophisticated attack. So not easy to do, but, you know, they fixed it. Now, this bit of news was interesting to me; it had never occurred to me. The FBI is warning that their agents are increasingly seeing scams involving free online document converter tools. And they posted a note saying that we want to encourage victims to report instances of this scam. They said, in this scenario, criminals use free online document conversion tools to load malware onto victims' computers, leading to incidents including ransomware. FBI Denver Special Agent in Charge. I wonder, Leo, do they have any non-special agents or are all their agents special?
Leo Laporte
Because I think they are all special agents.
Steve Gibson
Come to think of it, they're all special agents. You would want to be like not the special agent, but you don't want to get that. One may not always be special agent in charge, but you could be special agent, right? I think they're all special. Anyway, this guy's name is Mark Michalak and he said, quote, the best way to thwart these fraudsters is to educate people so they don't fall victim in the first place. Amen to that. If you or someone you know has been affected by this scheme, we encourage you to make a report and take actions to protect your assets. Every day we are working to hold these scammers accountable and provide victims with the resources they need. So the FBI said, to conduct this scheme, cybercriminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc into a PDF. It might also claim to combine files, such as joining multiple JPEG files into one multi-page PDF. The suspect program might claim to be an MP3 or MP4 downloading tool. They said these converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim's computer. The tools can also scrape the submitted files for personally identifying information such as, I don't know who would have a Social Security number in such a file, but okay, dates of birth, phone numbers, et cetera, banking information, cryptocurrency information, seed phrases, wallet addresses and so forth, email addresses and passwords. And they finish saying, unfortunately, many victims don't realize they've been infected by malware until it's too late and their computer is infected with ransomware or their identity's been stolen. The FBI Denver field office encourages victims or attempted victims of this type of scheme to report it to the FBI Internet Crime Complaint Center at www.ic3.gov.
Leo Laporte
By the way, I did a search. Not all FBI agents are special agents. Oh, special agents are the criminal investigators or detectives who, in other words, you might have a, you know, the tea lady is just an agent, not a special agent.
Steve Gibson
So they say, like FBI generic agent.
Leo Laporte
Yeah, There are agents. Other employees of the FBI who handle administrative tasks, paperwork or phone calls may be broadly referred to as agents, but are not special agents.
Steve Gibson
So I guess everybody is an agent that's what you are. You're not an employee, you're an agent.
Leo Laporte
Well, I wouldn't go that far either.
Steve Gibson
You think there are non agent employees.
Leo Laporte
You can't be arrested by anybody. But a special agent. Ah, they're senior to the agents. But there may also be other jobs. I'm sure the person who empties the trash in the offices is not an agent.
Steve Gibson
That's a good point.
Leo Laporte
I would think. I don't know. I just. I asked AI. AI told me that.
Steve Gibson
That's good. Well, if we're gonna believe it until we learn otherwise, until we learn.
Leo Laporte
Until it was a hallucination, it was all a dream.
Steve Gibson
Anyway, I just wanted to point this out. I had never occurred to me should have that downloading like using an. Oh.
Leo Laporte
It's occurred to me only because how often do you do a Google search? You've got a document and you want to turn it into a PDF or you've got a word perfect document. And how often does that happen? And in the old days, I used to go out on the Internet and look for tools. Not anymore.
Steve Gibson
It comes right up in a search. How do I convert this? And it says, oh, just click this link for a free document conversion. And you think, oh, good, I don't have to install another one of those stinky programs. I just want to get it done because I only had this one thing to do.
Leo Laporte
What's interesting to me is that they still work. So it sounds like they're taking existing programs and modifying them. Yeah, they still do the job. So I guess that way you go, oh, good, I got the PDF.
Steve Gibson
You don't think about it when Boris asks to purchase your document conversion domain name for big bucks. We got some bitcoin here.
Leo Laporte
Just include your PHP code, please.
Steve Gibson
That's right.
Leo Laporte
Yes.
Steve Gibson
The top court in South Korea rejected Meta's final attempt to dismiss a $4.6 million fine. Five years ago, South Korea's privacy watchdog, we talked about this back then, fined Meta, this was back in 2020, for sharing the data of 3.3 million South Koreans with third parties without their permission or authorization. Meta lost that battle. Then they appealed. They've now lost the appeal. The final, highest court in South Korea said, we need some money, so they've got to pay.
Leo Laporte
Was it a breach or did they actually sell it?
Steve Gibson
It was actually sold. They were just. They were just saying, here's. Here's who's using us in South Korea.
Leo Laporte
See this? So for a long time I've said, oh, you don't have to worry because Meta's never gonna sell your information. They sell that. That's their secret sauce. They sell ads against that information. So they say, well, you want 35 year old men in South Korea, we can deliver that. But to learn that they're actually selling that.
Steve Gibson
Well, actually the article says sharing. So maybe not monetizing overtly, but like with their advertising partners. Right. They want their advertisers to know as much about you as they can because we know that makes it a more valuable ad.
Leo Laporte
Yeah, but they don't. So for them to say here's Steve Gibson's personal information is different than saying, I will sell you an ad that will reach Steve Gibson and people like him because if you give Steve Gibson's personal information, well, who knows what matters? Up to.
Steve Gibson
Yeah. Anyway, what. Apparently the.
Leo Laporte
I have to adjust what I've been telling people is what I'm thinking.
Steve Gibson
The, the search into this said that Meta, without permission five years ago, sharing the data of 3.3 million South Koreans, enough so that they have just lost all of their appeals and are going to have to pay a $4.6 million fine, which of course is a drop in the bucket for Meta. I mean, they're not that, that, that they have that in the petty cash drawer for the delivery guy when he.
Leo Laporte
Comes up, but at least we now know they do that. That's the, the, that's the key to that.
Steve Gibson
Yeah, exactly. Wow. Okay, so Google has weighed in on their side of the age verification requirements. Google is. And speaking of Meta, Google is reportedly extremely upset over Meta's sponsorship, is the way Google phrased it, and their push for that Utah age verification bill that we talked about last week, which moved through Utah's legislature. As we know, it transfers, the Utah law transfers the responsibility of the task of checking, for example, a suspected child account from the application to the application provider, the store, essentially offloading it, offloading the responsibility from individual apps, which is of course why Meta thinks that's a good idea. Last week we looked at what Apple was doing, and last Wednesday Google posted their position about this under the title Google's Legislative Proposal for Keeping Kids Safe Online. So they're calling it a legislative proposal, meaning we're offering this to, you know, to the legislators, as, you know, what we suggest people do. And in an indication of Google's annoyance with Meta, the tagline under that read: legislation pushed by Meta would share kids' information with millions of developers without parental consent or rules on how it's used. We have a better way. So here's what Google said. They wrote: Everyone wants to protect kids and teens online and make sure they engage with age-appropriate content. But how it's done matters. There are a variety of fast-moving legislative proposals being pushed by Meta and other companies in an effort to offload their own responsibilities to keep kids safe to app stores. These proposals introduce new risks to the privacy of minors without actually addressing the harms that are inspiring lawmakers to act. Google is proposing a more comprehensive legislative framework that shares responsibility between app stores and developers and protects children's privacy and the decision rights of parents.
One example of concerning legislation is Utah's App Store Accountability Act. The bill requires app stores to share if a user is a kid or teenager with all app developers, they said (effectively millions of individual companies), without parental consent or rules on how the information is used. That raises real privacy and safety risks, like the potential for bad actors to sell the data or use it for other nefarious purposes. This level of data sharing is not necessary. A weather app doesn't need to know if a user is a kid. I'm still annoyed by the use of the term kid, but okay. By contrast, a social media app does need to make significant decisions about age-appropriate content and features. As written, however, the bill helps social media companies avoid that responsibility, despite the fact that apps are just one of many ways that kids can access these platforms. And by requiring app stores to obtain parental consent for every single app download, it dictates how parents supervise their kids and potentially cuts teens off from digital services like educational or navigation apps. Okay, I don't quite get that, but okay. By contrast, we are focused on solutions, we Google, that require appropriate user consent and minimize data exposure. Our legislative framework, which we'll share with lawmakers as we continue to engage on this issue, has app stores securely provide, excuse me, industry-standard age assurances only to developers who actually need them and ensures that information is used responsibly. Here are more details, and we have a few bullet points. First, under privacy-preserving age signal shared only with consent, they write: Some legislation, including the Utah bill, requires app stores to send age information to all developers without permission from the user or their parents.
In our proposal, only developers who create apps that may be risky for minors would request industry-standard age signals from app stores, and the information is only then shared with permission from a user or their parent. By just sharing with developers who need the information to deliver age-appropriate experiences and only sharing the minimum amount of data needed to provide an age signal, it reduces the risk of sensitive information being shared broadly. 100% agree. Under appropriate safety measures within apps, they wrote: Under our proposal, an age signal helps a developer understand whether a user is an adult or a minor. The developer is then responsible themselves for applying the appropriate safety and privacy protections. For example, an app developer might filter out certain types of content, introduce "take a break" reminders, or offer different privacy settings when they know a user might be a minor. Because developers know their apps best, they're best positioned to determine when and where an age gate might be beneficial to their users. And that may evolve over time, which is another reason why a one-size-fits-all approach won't adequately protect kids. Under responsible use of age signals, they wrote: Some legislative proposals create new child safety risks because they establish no guardrails against developers misusing an age signal. Our proposal helps to ensure that age signals are used responsibly, with clear consequences for developers who violate users' trust. For example, it protects against a developer improperly accessing or sharing the age signal. Under no ads personalization to minors: Alongside any age assurance proposal, we support banning personalized advertisements targeting users under age 18 as an industry standard. At Google, this is a practice we've long disallowed. It's time for other companies to follow suit. And finally, under centralized parental controls, they write:
Recognizing that parents sometimes feel overwhelmed by parental controls across different apps, our proposal would provide for a centralized dashboard for parents to manage their children's online activities across different apps in one place and for developers to easily integrate with. Period. So they finish: Google has demonstrated our commitment to doing our part to keep kids safe online. We're ready to build on this work, and we'll continue engaging with lawmakers and developers on how to move this legislative framework for age assurance forward. So yes, if that sounds like a lot of what Apple was saying last week, yes. I mean, with Apple and Google being the two gorillas in the market, they appear to be converging onto the same solution. Essentially, parents are able to group the phones of their family members and indicate which phones belong to their minor children. Once this is done, children wishing to download applications with mature ratings will require parental consent. Developers of restricted apps have no need to know anything about those who are downloading and installing their apps. The fact that they're able to do so means that they have permission, either by using an adult's phone or because a parent or guardian gave a child permission. So essentially providing control only where it's necessary. Which is very much like what Apple suggested and we talked about last week. So it feels like that's where we're going. And it also feels like Google is rolling up their sleeves, calling this a legislative proposal. So, you know, they're, they're going to respond to, to legislation like what we just saw happening in Utah and say, no, no, no, let's do it this way. This, you know, this is the way it should be. Unfortunately, our current administration seems upset with Google. I guess actually Biden's was too.
Leo Laporte
So yeah, it was actually Biden's FTC.
Steve Gibson
That brought the, that began the whole antitrust world work. Yeah, I got a kick out of this because I mentioned at the top of the show, Kazakhstan has a different approach. The Kazakhstan government has, get this, introduced SIM cards specifically designed for use of and by children, all in Kazakhstan. All parents will be required to buy and deploy the new SIM cards for use in their children's devices. The cards come with built-in filters to restrict access to dangerous websites and social media. The cards also report a child's location to parents through a special app. So overall, it feels as though things are rapidly becoming a mess, with random and uncoordinated legislation being created left and right. And frankly, I lay this at the feet of Apple and Google, who both resisted taking the action they could and should have taken on this many years ago. You know, they were like, no, no, no, no, we don't want any responsibility, we don't want any part of this. You know, and it's only when bad legislation and bad solutions are finally being created that now they're saying, oh well, okay, yeah, what you're doing is wrong. Here's how we'll do it. So, you know, I guess, you know, better late than never. Also, one last, one last little bit. The Spanish government passed a bill last week to impose very stiff fines on companies that produce and dispense unlabeled AI-generated content. And when I say stiff fines, we're talking up to 35 million euros or, yeah, wow, that'll get your attention, or 7% of a company's global annual revenue, which, whichever is greater.
Leo Laporte
Whoa.
Steve Gibson
The law intends to curb the spread of deepfakes and non-consensual adult content, such as producing, you know, fake celebrity videos. Spain is the first country in the EU bloc to incorporate provisions from the EU AI Act into its national legislation. So they're saying we're going to fine you if you do not clearly label content as AI-generated.
Leo Laporte
I think that's reasonable. The fine's not, but I think we need it.
Steve Gibson
Yeah, the fine will take your breath away.
Leo Laporte
Yeah, yeah.
Steve Gibson
Okay. We're going to talk about Google and the canary after another break because we're now at an hour in the Google and the canary.
Leo Laporte
Wow.
Steve Gibson
Google and the canary sounds like this. I think it's a reverse canary. I'm not sure if it's a reverse canary. We'll have to think about that.
Leo Laporte
Oh, that's a good point. No, it's. No, it's a canary.
Steve Gibson
It's a canary.
Leo Laporte
Okay, well, we could talk about what the difference is. Yeah, yeah, yeah. Well, we'll talk about it. Put a pin in it.
Steve Gibson
As they say, a canary is published. I'm thinking that a reverse canary is.
Leo Laporte
The absence of something that is the canary.
Steve Gibson
Right, right.
Leo Laporte
So if you say in your legal disclaimers, and we have not never received a warrant from the United States government, and then it disappears, that's a reverse canary. Right. Because you, without saying anything, you have said something. So would Apple did a canary. Glad we get these things cleared up. You see, you don't just learn about security here. You learn about the use of the English language.
Steve Gibson
But I do have this podcast is for the birds, literally.
Leo Laporte
I do have a sponsor here you might want to know about. I love these guys. It's a company called ThreatLocker. Oh, man. I spent an hour or two talking to them about what they do. I was not only impressed by what they do, but how affordable it is. So, you know, if you listen to the show, ransomware is just crippling businesses all over the world. Phishing emails that started, you know, then. Or infected downloads like Steve was just talking about, malicious websites, RDP exploits. How do you defend yourself? You don't want to be the next victim. Well, you need ThreatLocker's Zero Trust platform. The key on all of this. It takes a proactive. Here's the three words you need to hear. Deny by default approach. It blocks every unauthorized action, protecting you from both known and unknown threats. And it's trusted by global enterprises like JetBlue, the Port of Vancouver. Think about this. This is a terrifying thought for them to be shut down by ransomware. They rely on ThreatLocker to shield them from zero-day exploits, supply chain attacks, and providing complete audit trails, which really helps, not just for compliance, but for just figuring out what's going on, who's doing what. ThreatLocker's innovative ring fencing technology isolates critical applications from weaponization. It stops ransomware cold. It limits lateral movement within your network. So important, keep those bad guys from snooping around. ThreatLocker works across all industries. Yes, it supports Windows, but also Mac environments, and they have great 24/7 US-based support. You get comprehensive visibility and control with ThreatLocker. Mark Tolson, who's the IT Director for the City of Champaign, Illinois. It's really gratifying for me to hear city government, state government, schools, universities using ThreatLocker. He's an IT Director for the City of Champaign, Illinois. Mark said, quote, ThreatLocker provides that extra key to block anomalies that nothing else can do.
If bad actors got in and tried to execute something, I take comfort knowing that ThreatLocker will stop that. Stop worrying about cyber threats. Get unprecedented protection quickly, easily and cost effectively. With ThreatLocker, go to the website. You won't believe how effective and how affordable it is. Actually, can you afford not to do it? That's the real question. threatlocker.com/twit. They have a 30-day free trial. You'll see how easy it is to set up and implement, and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. Perfect solution. threatlocker.com/twit. We thank them so much for supporting Steve's good works here at Security Now. threatlocker.com/twit, that's how you let them know when you go to that site. threatlocker.com/twit, that's important. You heard it here. Okay, Steve, I want to hear about Google's canary.
Steve Gibson
Okay, so last Friday the Record ran a piece that caught my eye. In the wake of what has become an extremely public withdrawal of enabling Apple's strongest privacy guarantees for iCloud backup in the UK, many have wondered, including, it turns out, elected members of the U.S. legislature, about Android and Google. What's their similar status relative to the United Kingdom of their even larger Android ecosystem, which is designed and managed by Google?
Leo Laporte
I wonder this too. I figured if they went after Apple, I'm sure they must have gone after Microsoft and Google and everybody else, right?
Steve Gibson
Yes, the Record gave their coverage of this question. The headline: Google Refuses to Deny It Received Encryption Order from UK Government. And apparently they've been asked directly and rather pointedly. The Record wrote: Google has refused to deny receiving a secret legal order from the British government, according to a bipartisan group of members of Congress who are concerned Westminster may have demanded that several US technology companies provide its security services with a mechanism to access encrypted messages. It follows the British government reportedly issuing such a secret legal demand, officially known as a technical capability notice, to Apple. Apple is believed to be contesting the demand at a closed court hearing on Friday. And I assume they meant last Friday.
Leo Laporte
In a letter published this most recent... Friday the 13th. Yeah.
Steve Gibson
Or 14th.
Leo Laporte
Yeah.
Steve Gibson
In a letter published Thursday, last Thursday, the members of Congress, US Congress, complained about the secrecy of this court hearing, arguing it impedes Congress's power to conduct oversight, including by barring US companies from disclosing foreign orders that threaten Americans' privacy and cybersecurity. Despite widespread reporting of this TCN issued to Apple, the company, Apple, is prohibited from confirming whether it had received such an order under the UK's Investigatory Powers Act. In their letter, the members of Congress wrote that Apple had informed them, quote, that had it received a technical capabilities notice, it would be barred by UK law from telling Congress whether or not it received such a notice. Companies who have not received such a notice are obviously free to say so, the group wrote. Google also recently told Senator Ron Wyden's office that if it had received a technical capabilities notice, it would be prohibited from disclosing that fact. Experts, including from Britain's own intelligence community, have said that the government's attempts to access encrypted messaging platforms should be more transparent. Academics described the Home Office's ongoing refusal to either confirm or deny the legal demand as unsustainable and unjustifiable. Okay, so what does this mean? I'm here to formally let everyone who is listening to this podcast know that I have not. I am not in receipt of any such or similar demand from the UK government.
Leo Laporte
I am not either.
Steve Gibson
Scout's honor, I would imagine you are equally free. And now you have. You have said the same thing. So not that that's the UK government has any interest in either of us or anything that we may have encrypted.
Leo Laporte
But we wouldn't be able to say anything had we received that, including denying it, I presume.
Steve Gibson
Right. I could not apparently confirm or deny.
Leo Laporte
Actually, I bet you could deny it. But if you said I cannot confirm or deny, that's the reverse canary, isn't it? You could say, I mean, you could be lying.
Steve Gibson
So doesn't Google's refusal to simply say as I just have, and as you just have, that they are not in receipt of an order which compels them to not disclose such an order automatically mean that they are in receipt of.
Leo Laporte
A similar order from the UK a reasonable induction? I agree, yes.
Steve Gibson
And also, wouldn't that make sense? Wouldn't we also expect Google to be just as much a subject of this as Apple?
Leo Laporte
Right.
Steve Gibson
And if Google were not. Think about that. If the UK only required Apple to comply, wouldn't that constitute unfair meddling in the direct commercial interests?
Leo Laporte
True.
Steve Gibson
Of these two commercial platforms, forcing Apple to be able to, like, publicly be able to decrypt the confidential and private information of their users, while not requiring exactly the same from others, would put Apple at a significant commercial disadvantage relative to its competitors. So that's not copacetic. It seems clear that whereas news of Apple's receipt of this leaked out, you know, the same may have happened within Google, that is, the same receipt of this, but it hasn't leaked, you know. And of course some have suggested that Apple's leakage may have originated from within Apple itself as a means of opening this issue to the disinfecting light of day. So, interesting. I think we have to assume that Google is also in receipt of this and they're just, you know, they're, they're not this, they're like, you know, Sergeant Schultz, they don't know anything, they're not going to say anything. And I guess many of our listeners, our younger listeners, don't know what I'm talking about. But look up Hogan's Heroes and you'll find out. And this brings us to another piece of related reporting from the Record, which they posted last Thursday, which was the day before this. Their headline was: Calls Grow for UK To Move Secret Apple Encryption Court Hearing to Public Session. The Record wrote: Politicians and civil society groups in the United Kingdom are calling for a secret court hearing expected on Friday about the British government's encryption demands on Apple to be held in public. It follows warnings from experts, including from Britain's own intelligence community, that the government's attempts to access encrypted messaging platforms should be more transparent. Academics described the Home Office's ongoing refusal to either confirm or deny the legal demand as unsustainable and unjustifiable. The schedule for the investigative. Why can I. Why can I not say that?
Investigatory Powers Tribunal, the only court in the country that can hear certain national security cases, includes a hearing set to take place behind closed doors on Friday, presumably last Friday, featuring the tribunal's president, Lord Justice Singh, alongside the Senior High Court Judge Justice Johnson. It follows Apple disabling the option for its British users to protect their iCloud accounts with end-to-end encryption last month in the wake of a reported legal order from the British government requiring Apple provide it with access to encrypted iCloud accounts. The hearing is purportedly the company's attempt to contest this order, although it is unknown on what legal grounds that attempt is being made. So, like, you know, Britain has this law, they're saying, you know, commercial entities that we serve a secret order to must comply. So how do. How does Apple say no? Maybe it's this competitive disadvantage thing I talked about. I don't know. Anyway, the British government continues to say it neither confirms nor denies the existence of such legal demands. Apple has not confirmed the reason the encryption feature was turned off and would be prohibited from doing so.
Leo Laporte
Yeah, they can't say anything.
Steve Gibson
It's just nuts. This whole thing is nuts. This whole, you know, we're giving you secret orders that you can't ever talk about, but it's gonna. But it requires that your behavior be modified.
Leo Laporte
But you remember, we've talked about it. We do the same thing, the Patriot act, you can send. They send out national security letters, and you cannot say that we have received a national security letter and revealed all your information to the government. You can't tell anybody that.
Steve Gibson
I guess the issue here is that Apple cannot comply. And so if they're forced to comply, they're forced to change to roll back their technology.
Leo Laporte
Right.
Steve Gibson
And so that's a big deal, you know.
Leo Laporte
And by the way, our own intelligence services, Tulsi Gabbard, the DNI, has said we have a treaty with England that says we won't spy on their people if they don't spy on our people. And this Investigatory Powers Act specifically said no encryption. We want to be able to read everything globally, not just for UK citizens. We want to read Steve Gibson's stuff. And that's, according to Tulsi Gabbard, a violation of our own treaties with Great Britain. So that may be where the argument goes in this. We'll never know because it's a secret court as well.
Steve Gibson
So in a joint letter that was sent Thursday to the head of this, Lord Justice Singh, by a collection of British civil liberties groups. Yeah, they asked him to use his discretion because he had discretion to open the hearing to the public, arguing that doing so would not prejudice national security. The campaigners on this, for this issue said they wrote, there's significant public interest in knowing when and on what basis the UK government believes that it can compel a private company to undermine the privacy and security of its customers. They argued that there are no good reasons to keep this hearing entirely private. It's probably embarrassment, right? Given that the existence of the secret legal order has been publicly reported and effectively confirmed by Apple's decision to remove its end to end encrypted service for British iCloud users, politicians from opposition parties, including the Conservative Party, Liberal Democrats and Reform have also called. I mean, everybody wants more transparency from the Home Office. David Davis, a Conservative Party politician who has long campaigned to limit state surveillance powers, told Sky News the government needed to explain its case to the public if it wants, quote, effectively unfettered access to private data. So this is all good.
Leo Laporte
Secrecy is the authoritarian's friend. That's really sad.
Steve Gibson
And all of this mess, all this noise is what we need. These decisions need to be made. So I'm glad this is all coming to a head.
Leo Laporte
Yeah, me too.
Steve Gibson
It's what we need to have happening because all this needs to be decided one way or the other, you know, and you know, importantly, since the delivery of privacy and confidentiality is a commercial competitive attribute, whatever the rules finally turn out to be must be universally applicable to all parties, equally and evenly, you know, and at this point, nothing about this process of secret UK government compulsion, you know, can become or remain the status quo. It has to change.
Leo Laporte
I agree.
Steve Gibson
Okay, so everybody with PHP based servers, listen up before we get to some feedback from our listeners. I want to make absolutely certain that anyone who's responsible for any PHP based Windows web servers, so not those running Linux, this is not a Linux issue. You know, I'm running Windows based PHP servers at GRC, our web forums, our email system, the GRC.SC shortcut link redirector, all that's over on its own server. Because these are PHP based. That server is sequestered, it is on. It's an isolated network that has no access to the rest of GRC because it's PHP for exactly the reason I'm about to be telling everybody about, you know, I had the ability to do that and since it wasn't code that I wrote, it's going to have its own little home where, you know, if it melts down, well, it'll, it's, I'll be unfortunate, but it's got backups and rolling backups and everything. Still, I did not want it to be able to reach over into GRC.com and everything else that's there. So the good news is that the several ways the PHP interpreter and there it is like you know, interpreter, right? We know what a danger interpreters are. The several ways the PHP interpreter can be invoked. Only the oldest original method of using the PHP CGI executable, the Common Gateway Interface, or frankly php.exe itself, if it were to be placed in the PHP CGI directory, is vulnerable.
Leo Laporte
Well, we've known this for years, right? I mean this is Not a revelation.
Steve Gibson
Well, CGI is not safe, but the XAMPP system still uses it by default. That's what it's using.
Leo Laporte
I remember, I remember putting an open file share on my server. This is many years ago. And what I didn't think, I thought people were going to upload files. They somebody did. They uploaded a PHP file and executed it because I was running CGI, PHP-CGI, and any file in any folder can be executed if it's PHP. Yep, it's a big flaw. I learned, I learned a lesson then.
Steve Gibson
It's really bad. So none of the newer approaches, including mod_php, FastCGI, which is what I'm using, or PHP-FPM are vulnerable. However, as I said on Windows, the common use of the so called XAMPP stack is vulnerable in its default configuration because it uses the PHP CGI executable to invoke the PHP interpreter, you know, and XAMPP refers to the Apache Web server, the MariaDB database, and both the PHP and Perl interpreters. So I breathed a personal sigh of relief at this, since all of GRC's many web servers have always been configured to use the FastCGI method of invoking PHP. Before I talk about this further, the only solution is to move to the current release of a supported PHP, which means if you're on the 8.1 track, be 8.1.29 or later. If you're using 8.2, be at 8.2.20 or later. I'm at 8.2.28 as of yesterday because of this news. I brought my servers up to speed because I was back on a vulnerable version and it's, you know, it's easy to be. That was last summer. And the good news is I have FastCGI, so in this case I wasn't vulnerable. But it's like, yikes. And if you're on PHP 8.3, be at 8.3.8 or later. And unfortunately, this still leaves a massive population of publicly exposed PHP servers vulnerable to complete system takeover. That is, I saw the command line, I'm not keeping it a secret, but it wasn't worth putting in the show notes, a command line that, when received by any of these vulnerable PHP systems, causes the system to reach out and download from an external server the content that they then want to execute on the vulnerable host. So I mean, it is really bad. It's as bad as it could be. Okay, so here's the backstory. The news that put me onto this was just published by the Record, they wrote, researchers said Friday. And this is the point, because this, as I said, this is about nine months old, but it's just ramping up. 
Researchers said Friday that a vulnerability initially exploited mostly in cyber attacks against Japanese organizations is now a potential problem worldwide. The threat intelligence company GreyNoise said exploitation of the bug, tracked as CVE-2024-4577, extends far beyond initial reports, referencing in particular a blog post published Thursday by Cisco Talos. The Talos team had said an unknown attacker was predominantly targeting organizations in Japan in January through the vulnerability, which affects a setup called PHP-CGI that runs scripts on web servers. A patch was issued last summer. Cisco Talos said the attacker's apparent goal was to steal access credentials and potentially establish persistence in a system, indicating the likelihood of future attacks. GreyNoise said it observed similar activity beyond Japan, revealing a far wider exploitation pattern, demanding immediate action from defenders globally, that is. This thing has just. It's recently exploded. Get this, there are 79 known ways to exploit the vulnerability and remotely execute code on a compromised system.
Leo Laporte
And I think we need Paul Simon for this. 79 Ways to Exploit yourself.
Steve Gibson
That's right, yeah. And not only remotely execute code, but remotely execute code which you've induced your server to download for you.
Leo Laporte
Wow.
Steve Gibson
I mean, it is really awesome. Really bad. The PHP scripting language they wrote is decades old and is widely used in web deployment, quote, attack attempts have been observed across multiple regions, with notable spikes in the U.S., Singapore, Japan and other countries throughout January 2025. Cisco Talos said Thursday that the attacker it studied used a command and control server that deploys a full suite of adversarial tools and frameworks. Why not download them all? I mean this thing will let them download anything they want into a vulnerable server and then run them. Yeah, get them all. It is just awful.
Leo Laporte
Put all 79 exploits right.
Steve Gibson
The researchers said they believed the attacker's motive was to move beyond just stealing credentials. Researchers at Symantec had reported exploitation of this CVE last August against a university in Taiwan, not. Not long after the patch was issued. The discovery of this is credited now, Leo, to an old friend of ours whom we have not heard much from recently. Good old Orange Tsai.
Leo Laporte
Oh yeah.
Steve Gibson
At DevCore, Mr. Pwn2Own. Uh huh. In just the previous four years, Orange Tsai has won in 2021, 28th of the Top 100 Microsoft Most Valuable Security Researchers Award. In 2021, the champion of Pwn2Own Vancouver. Also in that year, the third of Top 10 Web Hacking Techniques for Exchange Server remote code executions. He also won the Pwnie Award in 2021 for the best server side bug for Exchange Server remote code executions. The next year in 22 he was the champion of Pwn2Own Toronto. In 2024, last year, first of Top 10 Web Hacking Techniques for research of Confusion Attacks and the fourth of Top 10 Web Hacking Techniques for research of WorstFit attack. So we know the guy. I mean this guy is a super hacker and a responsible researcher.
Leo Laporte
Last June probably makes a lot of money doing this, I imagine. Yeah, yeah.
Steve Gibson
Last June 6th, when DevCore published their security alert titled "CVE-2024-4577: PHP-CGI Argument Injection Vulnerability," it drew the security industry's attention. They opened with, During DevCore's continuous offensive research, our team discovered a remote code execution vulnerability in PHP. Due to the widespread use of the programming language in the web ecosystem and the ease of exploitability. I mean this thing is drop dead simple to exploit and that's one of the big concerns. This is script kiddie heaven. DevCore, they wrote, classified its severity as critical and promptly reported it to the PHP official team. The official team released a patch on 6/6. Please refer to the timeline for disclosure details. And I'll interrupt here just to say in their published timeline, we see the way this is all supposed to go. For one thing, the PHP developers well understood the nature of critical bugs. You know, can you say interpreter? I mean they've had their hands full for decades dealing with PHP interpretation bugs. And secondly, they all know Orange Tsai and DevCore. So when you get a universal scope bug report marked critical from these guys, your plans for the next several days, if not weeks, just changed. So the timeline says. On May 7, DevCore reported the issue through the official PHP vulnerability disclosure page. That same day, PHP developers confirmed the vulnerability and emphasized the need for a prompt fix. Nine days later, on May 15th, PHP developers released the first version of the fix and asked for their feedback. Two days later, on the 18th, the developers released the second version of the fix and asked for additional feedback. Another two days later, PHP entered the preparation phase for the new release version. That was May 20th. And then on the 6th of June, the next month, PHP released new versions 8.3.8, 8.2.20 and 8.1.29. Under description, the DevCore people. So we're back to the DevCore disclosure now. 
Under their description, they explained, while implementing PHP, the team, meaning the PHP team, did not notice the Best-Fit feature. Get this, Leo, you're going to love this bug. Oh my God. The Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack. In other words, this PHP bug was originally found and fixed 13 years ago. Wow. Back in 2012. But Windows employs its own Best-Fit Unicode character conversion feature, and Orange Tsai discovered that many, apparently 79, other deliberately crafted Unicode character sequences would be transliterated by Windows on the fly and used to bypass the fix from 2012. So this vulnerability had been there since 2012, never repaired, as it was believed to have been and was under Linux. Because Windows just changes characters as it.
Leo Laporte
Wants to to whatever the best fit would be.
Steve Gibson
That's right. You didn't really mean that. You meant this. It's a better fit. It's a better fit. Yes. And oh, whoops. It bypassed a fix that we put in to prevent that from happening 12 years ago. Wow. Yeah, wow. This thing is so bad, for example, that a single query issued to any vulnerable Windows web server can cause, as I mentioned it, to fetch any remote file named in the query and then execute that file, no matter what it might be on the vulnerable machine. That's not anything that anybody wants to have happen on their server. Under the Impact section of their disclosure, they were very clear. They wrote this vulnerability affects all versions of PHP installed on the Windows operating system. Period. All of them. They also noted since the branches of PHP 8.0, PHP 7, and PHP 5 are end of life and are no longer maintained anymore, server admins can refer to the Am I Vulnerable section, and the answer just is yes, to find temporary patch recommendations in the Mitigation Measure section. And in that Am I Vulnerable section, they wrote, for the usual case of combinations like Apache HTTP Server and PHP, server administrators can use the two methods listed in this article to determine whether their servers are vulnerable. It's notable to address that Scenario 2 is also the default configuration for XAMPP for Windows. So all versions of XAMPP installations on Windows are vulnerable by default. As of this writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server. And so they showed traditional Chinese using code page 950, simplified Chinese using code page 936, and Japanese using code page 932. For Windows running in other locales such as English, Korean and Western European, due to the wide range of PHP usage scenarios. In other words, it was just too much for them to check. 
It's currently not possible to completely enumerate and eliminate all potential exploitation scenarios. There are just too many to fix. Therefore, it is recommended that users conduct a comprehensive assessment, verify their usage scenarios and update PHP to the latest version to ensure security. And you know, even though I was using a non vulnerable FastCGI implementation, I'm not taking any chances. So I, I did move to the latest version yesterday. That was written last June. Since then it's been widely confirmed that this vulnerability can be exploited anywhere and on any vulnerable server, regardless of local language configuration. Therefore, by far the safest and most recommended mitigation is to update to a version of PHP that once again fixes this problem. You know, assuming that you have 8.1, 8.2 or 8.3, it's just a subversion update, so it should be as simple as just dropping new binaries into the existing PHP directory and then you're good to go. So it should be a simple fix, but I wanted to absolutely be sure because this thing is so bad and it is so likely that many default configurations will be vulnerable and the exploitation of this is ramping up, you know, very, very quickly. So I want to make sure all of our listeners know and anybody that they know that may be running PHP on a Windows server, it's only Windows that is the problem because of the. Of Windows. Unicode. It's Unicode that is doing this. It's that Best-Fit character translation nonsense, which essentially created a workaround on behalf of the attackers for the fix that had been implemented back in 2012 when this was first found.
Leo Laporte
Amazing.
Steve Gibson
Okay, I need to take a catch my breath and sip some coffee and we're going to talk. We're going to look at listener feedback next.
Leo Laporte
I think we all need to catch our breath after that, actually. Jeez, I'll never forget that. I thought I was. I. It must have been the very early days of the show. I think I was giving people a place they could upload something to the server. So I had an open file share. What I didn't understand is that somebody could upload plaintext PHP file that could then execute.
Steve Gibson
Yep.
Leo Laporte
Fortunately I think we. I caught it before it got.
Steve Gibson
I think I remember you talking about it on the show too.
Leo Laporte
It was like that was quite an eye opener. I guess. PHP can be executed if you're using the CGI from any folder anywhere, unless you specifically lock it down. We learn, right? That's the whole point of the show. That's the whole point of being human. We make mistakes and we learn. I hope we've learned now that we better back up our data and make sure we have copies of it. This episode of Security Now, this portion of the episode, brought to you by Veeam, V-E-E-A-M, the data resilience experts. Without your data, your customers' trust turns to digital dust. That's why Veeam's data protection and ransomware recovery ensures you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. I don't know why every company in the world isn't running Veeam, to be honest. It's close. As the number one global market leader in data resilience, Veeam is trusted by over three quarters of the Fortune 500, 77% to be exact, to keep their businesses running when digital disruptions like ransomware strike. This is no accident. These companies understand they cannot take time out to fix ransomware or pay the ransom or get the reputation damage. That's why they use Veeam. Veeam lets you back up and recover your data instantly. And I didn't realize this, but one of the hard things I should have known about ransomware is data now lives all over the place. With Veeam, you can recover, back up and recover your data across your entire cloud ecosystem. Every bit of it. You may not even get bit in the first place. Veeam proactively detects malicious activity so you can stop it cold. You can also remove the guesswork by automating your recovery plans and policies. You do have a recovery plan and policy in place, right? Well, Veeam will help you if you don't. Get real time support from ransomware recovery experts should the worst happen. You're not alone. You got Veeam. Data is the lifeblood of your business. Get data resilient with Veeam, V-E-E-A-M. 
Go to veeam.com to learn more. You'd be crazy not to. Veeam.com to learn more. It's the only way. It's the only way, my friends. All right, Steve, I hope you are thoroughly refreshed.
Steve Gibson
You're now in the next phase.
Leo Laporte
What do they call it? The back quarter of the show, or I don't know what they call it.
Steve Gibson
So our listener Sam Miorelli wrote, hey, Steve. On the applications thing, meaning employees from North Korea. He said, I run an industrial cybersecurity business. Last year, before we all knew about these things, we got an applicant who we hired to work in person who was incredible on the CV, lots of certs, including for FortiGate, and video interview. We foolishly ignored warning signs when the in person manager first met him post offer and pre start and things seemed a bit off after he started. It was immediately clear the CV didn't reflect his actual skills. You know he was googling how to apply firewall rules on modern GUI firewall admin interfaces. When I endorsed him, I chalked up his strange conversation style during the video interview to be from his accent, you know, and cultural as he's from India. And he had all the right answers and wow again, what a great CV. In hindsight, I'm convinced he was using an AI interview helper tool like finalroundai, which I hadn't heard of before. Finalroundai, Ian said. Or Sam. Sam said of course it's impossible to prove these things, so we're having to think harder about how we screen applicants in the future. Lots of phonies out there, not just the North Koreans. So wow. A little bit of feedback from one.
Leo Laporte
Of our listeners and a tip on the AI you might want to use.
Steve Gibson
For your next that's right, if you happen to be interviewing. Want to sound a little more polished, yes. Ian Beckett said. Actually these were a couple tweets at @SGgrc regarding SN 1012, our episode, he said. And Microsoft's Sysinternals tools, he said. These tools are so popular it's astonishing Microsoft's engineers don't securely recode these tools. The little SyncToy tool, he said. Download now removed from Microsoft's Sysinternals site, still provides just about the only way to simply do a regular Windows sync backup to external drives using a trusted tool. The pitiful inbuilt Windows 11 backup tool's only purpose is seemingly to drive revenue to OneDrive subscriptions, he said. I really despair of Microsoft nowadays. Unless it generates online services revenue, they have little interest in user experience. Then Ian is of course referring to the DLL injection vulnerabilities that were recently discovered to adversely impact the security of Sysinternals, or the security of the use of Sysinternals tools. Rather than loading the standard system DLLs from the system's well known directories, the tools have retained Windows' once deliberate, though extremely insecure design of first looking in the executable's own execution directory before looking elsewhere. This allows bad guys to drop their own malicious versions of these DLLs, perhaps even older versions of Microsoft's own signed Windows DLLs that contain long since patched vulnerabilities, allowing them to effectively turn back the clock to be exploited again. Microsoft reportedly said tough beans. We're not planning to fix them, they said, which seems irresponsible and as we noted at the time, frankly, even if they were fixed, there's still a massive inventory of them already deployed out in the world and they never receive updates of any kind. So it's a mess. Tycoon Tom tweeted at @SGgrc, hi Steve, what's that networking app that shows you net traffic? The company was from Australia. 
He was just, you know, he heard me referring to it.
Leo Laporte
I got it running on my Mac right now.
Steve Gibson
It's a Win, isn't it? Yeah, it's NetWorx, N-E-T-W-O-R-X, from a company called SoftPerfect. I've got a link in the show notes for anyone. It's free for 30 days, after which I would be surprised if you don't want it forever for 15 bucks. As I noted, it will easily monitor the local machine, but my favorite feature is that from a local machine it's also able to monitor the real time usage of the entire network by watching the router's SNMP interface byte counters.
Leo Laporte
Oh nice. Oh, I forgot about that.
Steve Gibson
Yeah, yeah.
Leo Laporte
Oh, I got to do that. That's great.
Steve Gibson
You're set it up, you're able to set it up to monitor your entire like family or local network.
Leo Laporte
I need to do that. Use.
Steve Gibson
Yeah. Very nice, very cool.
Leo Laporte
Very nice. Nice. Good recommendation. Thank you, John.
Steve Gibson
David Hicken wrote, I'm not even sure it deserves a CVE. Always talking about the backdoor. The so called backdoor from last week. I'm not even sure it deserves a CVE. This may well be similar to the case of the Win32 API and its DLL versus the at least one time undocumented API of NTDLL. He said these ESP32 undocumented commands may not be guaranteed to survive the next chip redesign. Device driver writers beware. Cheers, John. Now John's of course talking about last week's back door that wasn't a back door. As we said, there were some undocumented functions in the SoC. These SoC, the system on a chip, hardware. And he's 100% correct that no one should be relying upon them for their own code. Since being unofficial and undocumented, the Chinese chip maker Espressif should feel free to change their function or remove them entirely at any time. And I also agree that even assigning a CVE in retrospect was ridiculous. Though I understand the discoverers' motivation behind doing so. You know they were advertising this as a big bad back door, which was the narrative that most of the tech press picked up on this. So yeah, you know, you got to have a CVE to make it sound more real and scary. Mark Goldstein wrote, thanks for sharing Roger Grimes' story on the North Korean hackers. You did an important public service. The recitation of the story was funny and compelling podcasting, he says. I told Roger of your recitation.
Leo Laporte
Oh good, nice.
Steve Gibson
Yep. And Mark said, In 2009 I wrote a business plan for my company, America Online, AOL, to acquire LastPass, he said. The CEO, the CEO said we were not in the security business. Meaning, you know, AOL was not right. So my proposal was shut down. Although one day I'd visited Joe and his team with dozens of ice cream sandwiches on a hot Washington D.C. day. Mark wrote, after the first breach at LastPass, I searched for a new password manager. I read what cryptologists said. I read FAQs and everything on various password manager websites. Finally, I found that 1Password had written some technical papers including their security model. It explained their various security choices. I could not evaluate all the crypto, but I understood their perspective of the vulnerabilities of password managers. I discovered that they knew users of 1Password could create easy to crack master passwords. So they used the master password along with a strong certificate to create the security for each instance of the password manager on a PC, Mac, iPhone, etc. When I create a new instance of 1Password, it copies the strong certificate to the new device. If someone cracks my 16 character password, they still must crack the 64 bit certificate. Good luck, he said. He finished writing. This is why I chose 1Password. Subsequently I use 1Password on my iPhone and Windows PC. Their cross platform implementation of passkeys works great for me. Passkeys on 1Password is my security solution. Regards, Mark. And I should mention that 1Password is also a sponsor of the Twit network and I wanted to thank him for sharing his note and experiences. And many of us agree that that's a great, you know, that 1Password is doing a terrific job. I should note that I've always also been a fan of 1Password's additional user account entropy, which they introduce using a client side blob. 
While it means that it must be duplicated and replicated across all of a user's devices, you know that's a one time requirement that then creates and provides very strong additional enduring security forever. Which makes sense to me.
Leo Laporte
Yeah, we've talked about this before and I remember I asked you is it more secure? And you said well if you use a good password. It's not, but just as Mark says, it's for people who use monkey123. But then it makes me wonder, what do you need the password for? You've got the certificate.
Steve Gibson
Yes, right. It's very much the way you and I also use vendors. You and I use certificates for SSH login.
Leo Laporte
That's right, because.
Steve Gibson
So it's both a password to say this is who we are and a certificate so that if somebody else tries to spoof who we are, you know.
Leo Laporte
They can get it. Actually, once I have the certificate set up, I don't use the password anymore. I just automatically log in because super, super strong exchange.
Steve Gibson
Yeah, yeah. An anonymous listener said, Steve, please keep my name confidential. He said, I would like to explain to you what happened to LastPass a few years ago. I work for a major cloud distributor and this occurred during a meeting with their CTO at the time. Since LastPass was one of our vendors, I asked what happened and the CTO explained that the dev at home was using Plesk on his personal Mac, which was hacked due to a Plesk media server that had not been updated. That much we know, he said, but the primary issue was that he was logged into the LastPass network from his personal machine. I asked the CTO why he was able to log into LastPass's network from a personal machine, since they had policies in place to prevent that. The CTO confirmed that they did not enforce their own policies. Also, the secret AWS keys where they stored their customer vaults was kept in LastPass corporate secure notes, so was readily accessible to anyone. Wow. Even those who didn't need access to them.
Leo Laporte
And of course, as everyone knows, Plesk is written in PHP, so it's doubly secure.
Steve Gibson
So your evaluation, he said, of the product wasn't wrong. It's a good password manager, but the company itself was not well managed. Regards. So there's a little bit of additional insight that we haven't had previously. Since we cannot know how and where crucial decisions were being made, there's really no way to assign specific blame. But one thing we do know is that LastPass really dropped the ball on the PBKDF iterations issue, and there's really no excuse for that. They just didn't care. We know that because once this was brought to the glaring attention of the industry, then they went to the trouble of autonomously updating everyone's iteration counts later, you know, retroactively. This proves that they could have done so at any time, but never had bothered to before. As we know, I always draw a sharp distinction between policy decisions and mistakes. The LastPass developer, whose machine was doubtless targeted and compromised, was not practicing good security hygiene and LastPass was not managing the connections to their corporate network securely. So the developer made a bad mistake. But not bothering to ever retroactively update original or older PBKDF iteration counts is a policy mistake. It wasn't a priority decision to fix that as it should have been. And that's unforgivable, that they need to be held accountable for. And it's only those people whose LastPass vaults are being cracked retrospectively, retroactively, essentially because they had zero iterations or some, you know, 500, you know, low early iteration count. And that is all on LastPass. Jeff wrote to us, Steve, Mandiant is reporting on an espionage campaign by China exploiting Juniper Big Iron routers. And he provided a link to that from Mandiant, which you know is the Google owned security firm. And he cites it, saying, quote, end of life hardware and software, writing, yeah, that's a thing I see all the time. 
He said, you don't want to know what I found on the network of my Fortune 500 defense employer last week. It's a bit of a dog bites man story, but it's part of a pattern by China to infiltrate critical infrastructure and hold it at risk as part of their national strategy. Signed, Jeff. He says, P.S. ha, I forgot to use my GRC registered email. I appreciate the instant bounce so I could fix that and resend in less than two minutes. Okay, so since Jeff referred to his Fortune 500 defense contractor employer, I left off his last name, though it's familiar to me since he's been an avid provider of feedback through the years. I was familiar with the news that he linked to. Older Juniper routers have problems that have been resolved in later devices and those older routers are no longer receiving updates, so they're stuck running older firmware that will never be repaired. Still, those routers are well built and running, so it's difficult for any CIO to tell his CFO that, you know, we need some money and a bunch of money to replace some aging network infrastructure equipment. You know, the CFO replies, okay, what's wrong with it? Isn't it still working? And our responsible CIO says, well, well yeah, but it's old and it's no longer being maintained by its manufacturer, so it could have some security weaknesses that could possibly be remotely exploited by foreign hostiles. And the CFO says, so you're saying that as far as you know, there's nothing wrong with it and it's still working just fine, but there might or might not be something wrong with it, and we wouldn't know. And our CIO, feeling that he's losing this one, says, yes, that's exactly right, we could be in danger. And the CIO or the, I'm sorry, the CFO ends the discussion saying, okay, I get what you're saying here, I really do. But, you know, we have some very, very pressing needs and they're not what ifs, they're real. It only makes sense for those to take priority. So I don't know how this changes over time. 
Certainly every one of the C-suite executives appreciates the need for proactive security. That CFO would not blink at the need for an industrial-strength firewall appliance to keep the bad guys out if they didn't have one. And I'm sure there was one from the get-go. And I'm sure that intellectually, everyone also appreciates the need for security updates and patches. Everything around them is constantly being updated and patched and fixed. Their phones and their PCs and now even probably the cars they drive. And we're all being told that these measures keep problems from ever occurring, but we never actually see any of these supposed problems, right? So they remain intangible, and it makes it a little difficult to sell. It feels like this is going to require a cultural change, and that's just going to take time. And while I intensely dislike the rental model, as we know, you know, that the world is moving toward, in the case of keeping older gear secure, there's real value being offered. Where I believe that, for example, Juniper has missed a trick is in choosing to allow their older appliances to fall out of maintenance and to not tie their continued operation into an annual paid maintenance agreement. They're leaving money on the table by not offering to keep their older devices alive and maintained in return for some cash. The very many companies with older and still working Juniper gear, they're not updating to newer devices because the older devices their customers already have are still working. But those customers do truly need security maintenance for those devices going forward, and they would probably pay for it if they were allowed to, but they're not. They're being told, oh, you gotta, you know, it's obsolete, it's old, it's no longer being maintained. You gotta buy new stuff, and it's not cheap; it's a lot more expensive than it was when they bought the first stuff.
So why abandon a customer and their ongoing need for security? To me it makes no sense, but that's the way the business is happening. Bruce Olson said, I wanted to make sure you knew about this claim being made by users on Reddit. It seems that the organization behind ZimaBoards, and that company is called IceWhale, he said, may be selling user information, as some folks have started receiving marketing targeted at email accounts given to ZimaBoard. He's finished. That's all he had to say. Thanks for all the great work, and always looking forward to the next episode. Bruce from Michigan. So that's disappointing, right? It's certainly a reason for using an email aliasing service so that this abuse can be controlled by the email's recipient. And in the case of IceWhale, the ZimaBoard creators, I guess I can't say that I'm surprised. I receive a great deal of promotional email with all manner of special offers and come-ons from them, like directly from them. And I just went over to their site, and the top of the page has a bright orange scrolling banner saying "Sign up now and unlock up to $50 for new members." You know, I mean, so they're very promo-happy over there at IceWhale. And if this concerns you, this argues for purchasing their boards through Amazon, which you can do. But I suppose I would just chalk it up to, you know, the cost associated with obtaining a perfect little single-board PC, having two network interfaces, two SATA ports, a PCIe expansion slot and Linux preloaded, all for 90 bucks, 90 US dollars, and you've got this perfect little machine. It's still the best deal around, even if one does need to give them a temporary throwaway email address. And what was freaky is that I did not plan this. As I was moving through my email feedback, the next note that popped up after Bruce's note about IceWhale selling, you know, our contact data was this note from Bill Allen with the subject "Loving my ZimaBoard."
And I've got two pictures that Bill included with his email in the show notes. He wrote: Steve, I got started with a ZimaBoard specifically to run SpinRite more easily on hard drives in my office, which it does very, very well. But of course it would, because it's what I use to develop SpinRite.
Leo Laporte
6.1, and it's got a SATA port, so you just connect it, right? And it can run three dots.
Steve Gibson
It's got a pair of SATA ports.
Leo Laporte
Yeah, I was going to say, I mean, I'm not sure it's better than the Raspberry Pi, which is 35 bucks, but that is how it's better. It's got a SATA port.
Steve Gibson
Yeah, well, and it'll run SpinRite. And the Raspberry Pi won't.
Leo Laporte
Won't, right, exactly.
Steve Gibson
Right, yeah.
Leo Laporte
Is it an x... It's an x86 architecture.
Steve Gibson
The ZimaBoard is. Yes, it is Intel based.
Leo Laporte
Interesting.
Steve Gibson
Yeah. Anyway, so he said, but. He said, but the ZimaBoard has turned into a bit of an obsession and a really fun project platform. He said, here's my ZimaBoard system. And he showed us a picture of it all wired up and another picture of a screen. He says, to its right is an outboard PCIe card carrier for the NVMe M.2 drive it's booting from. And he said, upper left is a Mini Travel Wireless router in client mode. He said, down and to the left is an AdderLink IP KVM, which is giving me keyboard, mouse and video access to it across my local network via its internal VNC server, currently running FreeDOS. As shown in the other photo, that FreeDOS install also has SpinRite 6.1 on it. Of course, he says, thanks for pointing us to the ZimaBoard. Best regards, Bill in Crowley, Texas. So anyway, I've received many similar reports through the years since my discovery of this lovely little device. It's not super powerful. I always purchased the smallest of the three available models since it was just going to be running FreeDOS, which, you know, can be powered basically by a squirrel cage. But these little boards are the machines that built and tested SpinRite. So anyway, I just thought I would, you know, share that fun bit of feedback. It is a great little solution. Mark Jones wrote a note that has some detailed lead-in, but I loved his story, which is a bit of a head-shaker. So the subject of his email feedback was "AI and Microsoft Defender." Get this. Mark wrote: Dear Steve, love the show. Loyal listener since episode one. Club Twit member. I really appreciate you and Leo. I encountered something new that illuminates some of the comments you've made recently about AI. I volunteer with an organization that has websites and a newsletter. About half our membership is employed by one of two big multinationals. Both are Microsoft shops. Both have lots of barbed wire wrapping their IT infrastructure. Microsoft Defender blocks questionable sites.
The sieve is set pretty tight. At one point, when I was still working there, GRC.com got blocked. And I'll just insert a little note here. For many years I was hosting known viral code for research purposes at GRC.com. The page contained, you know, the various archives and was very clearly marked as, you know, download at your own risk. Everything was red and flashing and, you know, it was very clear that this was, you know, old viruses that people might want to play with. But any search engine or trawling bot sees zip archives containing known dangerous viruses and freaks out. So since there's no interest in that really anymore, that's long since removed, and some of those false positives that others were also reporting have ceased. Anyway, Mark's note continues: I moved 25 years' worth of our organization's newsletters to its own site 3 years ago. The site is only 3 PHP files, some XML for SEO and a bunch of PDFs. I made the move after consultation with IT folks at the company I used to work for prior to retiring. They indicated that simpler was better at keeping out of the crosshairs of security sites. Sites that allow visitors to upload files are particularly troublesome to the corporate IT folks, and our main site, over my protests, has WordPress plugins that accept uploads. Just recently the site, and he's talking about his site midlandchemist.org, started being blocked by the corporate Microsoft protection, meaning that of the company he used to work for, which is using Windows Defender, he said. I went to an IT friend and asked how I could fix it. After three years of being okay, the site was suddenly being blocked. He was kind and connected me with someone responsible for the blocking. Here is where AI comes in. Get a load of this. The filters, meaning Microsoft Defender filters, are now AI based, not rules based. He could not tell me why the site was being blocked because there was no rule being tripped. There are no rules anymore.
Something about the site triggered the AI algorithms. No reason could be given. It was just AI, just as you described. AI makes connections that may elude human interpretation. The good news is there is a way to whitelist sites, provided I can find an employee willing to take responsibility. Regards, Mark. Wow, you got to love that one. We turned all site blocking over to AI, so it just does whatever it does. We no longer know what or how. Welcome to the future.
Leo Laporte
So this is the Defender that everybody has on their Windows machine, right?
Steve Gibson
Yep.
Leo Laporte
Wow.
Steve Gibson
Yep.
Leo Laporte
Interesting.
Steve Gibson
A listener who just uses his initials, PV, said: Steve, I was recently casting a line out into the sea of Kindle Unlimited suggestions. Unfortunately, I also ran into the Artifact book you talked about before, but I also found a winner. The series is called Dumb Luck and Dead Heroes by Skyler Ramirez. It starts out a bit rough in the first book. Both main characters are at a very low point in their lives and there's a lot of wallowing in that, but it picks up really fast, and there's a lot of crazy fun space adventure and just the right amount of humor. And I thought of this because I know that our listeners enjoy books that incorporate some humor. And he said, besides the main books, he has a lot of little side stories that are the strange-but-true details behind one of Brad's stories. And there's also three books about his best friend, who's also a King's Cross assassin, which are a bit of a different tone but fun as well, he said. I generally am not a fan of side stories, but I enjoyed all of these. To 1100 and beyond. Signed, PV. So anyway, I appreciate and I am forwarding PV's recommendation without any of my own review, so I can't vouch for, and I'm not vouching for, the Dumb Luck and Dead Heroes book or series by Skyler Ramirez, but it's got some humor in it, and I just wanted to let our listeners know if they're looking for another one of our listeners' recommendations while we're on the topic of sci-fi reading. For my part, I am remaining ever more deeply hooked on Neal Asher's novels. I'm now into the third of the first five-novel Agent Cormac series, and toward the end of the second one I realized that I was really having a good time. As I mentioned, I am super finicky about the quality of writing, and these are fully satisfying for me in that regard. And he's building up some really interesting characters. You know, it's still pulp, you know, I'm not meaning to suggest otherwise. And it's not free.
Unlike PV's discovery of those Dumb Luck and Dead Heroes novels, which he found through Amazon's Kindle Unlimited, these Neal Asher novels are $7 each. But as we've said, with a five-shot Starbucks latte now at $9.50, I am easily obtaining more than $7 worth of entertainment from each of these. And given how much Asher has written and the comments online that they only get better and better with time, and I'm going back to the beginning and starting from there, I know I'm going to be stuck reading everything that he's written for quite a while. And lastly, before we get to today's main question of just how susceptible any of the PC-compatible machines you may have may be to Rowhammer attacks, and while I'm reviewing sci-fi stuff, there's something Laurie and I watched and immensely enjoyed last Friday evening. If someone who knew I had a subscription to Apple TV and that I enjoyed science fiction themes were to, if some such person were to recommend The Gorge to me, having just watched it Friday night, I would have been appreciative of their recommendation. So having seen and enjoyed the movie immensely, I am hereby making that recommendation to our listeners. As the movie unfolded, it had all the promise of being what I call a perfect movie. And there aren't many of them, they're rare, and this is not one, as it turned out.
Leo Laporte
You got my hopes up.
Steve Gibson
Well, about a third of the way through, I said to my wife, so far, this is a perfect movie. And by that I mean, you know, it's not going to win any awards. But as the plot unfolded, the movie was perfectly paced. It was in no hurry to get where it was going. You had no idea, you could not guess what it was about even. I mean, it was a mystery for the viewer. It unfolded gradually. Only necessary facts were revealed. Also, it happened to star that actress who played the chess prodigy in The Queen's Gambit. Really like her? Yeah, she's big eyes, very easy on the eyes. She was one of the two protagonists. Okay. So I have to say that it got a bit ridiculous, like maybe they were trying to create a video game tie-in in the latter part of the movie. But having said that, I could easily watch the entire first portion of the movie again. I mean, it was so satisfying. And I imagine that a lot of our listeners may be a little less finicky about, you know, people who never die, despite how many shots are fired at them, that kind of thing. But okay, still, you know, I'm no longer 14. I'm not a fan of implausibly ridiculous, over-the-top violence. But it's there on Apple TV. If you're a subscriber, you already have it waiting for you. And I do recommend it. It was, you know, as I said, it's not an award winner, but it was really enjoyable. And the first half was, it was perfect. It was really good.
Leo Laporte
Good. I'll have to check it out.
Steve Gibson
And Leo, let's give our listeners a recommendation of something else perfect. And then we're going to look at.
Leo Laporte
Rowhammer, in this case, Club Twit. Now, I know those of you who are watching in our Discord know all about Club Twit. And I apologize, because if you were just, if you had downloaded this, we would have cut this out. Because that's one of the benefits of Club Twit. People who pay less than a Starbucks Venti Latte, seven bucks a month, get ad-free versions of this show and all the other shows. So that is, that is, you know, I think some might say that's the chief benefit. You do get access to our Club Twit Discord, which I think is a significant benefit. That's the hangout for all the Club Twit members. A great bunch of people, great conversations going on, and we have lots of events inside the clubhouse for Club Twit members. Coming up tomorrow at 6pm, it's kind of a cozy evening of crafting. 6pm Pacific with Micah, Micah Sargent. He's doing, he's building miniature stuff, miniature houses, miniature rooms. But you could do Lego, you could do needlepoint, you could code, whatever it is your craft is, build boats, whatever. You could join Micah and a bunch of people for a chat and a get-together. We just started doing this. Anthony Nielsen said we need an AI user group. So every fourth Friday we get together and talk about AI. Of course, there's lots of special shows in the club, like the Untitled Linux Show, Hands-On Technology, Hands-On Mac, Hands-On Windows. Photo Time's coming up April 3rd with Chris Marquardt. I am going to do another coffee segment with Mark Prince. He emailed and said, I've got a great guest. I said, let's do it. So there's benefits there. You get access to the club, access to the Discord, ad-free versions of all the shows. But really the real benefit is you are supporting what we're doing. If you enjoy the programming, if you find yourself listening to one of our shows more than once a week, I think joining the club would be a great thing for you and for us. Seven bucks a month. twit.tv/clubtwit. That's all it takes.
Now, if you are already a member of the club, or you don't want to be a member of the club, but you want to do something to help us, of course, and I hear from people a lot, oh, I buy all the products or many of the products you mentioned. That's a great way to help us: support our sponsors. You can even do something as simple as leaving us a review. We found that advertisers pay attention to the reviews. I don't know how many stars we have on iTunes, I have no idea. I know it's a good show, so I don't pay a lot of attention. But advertisers, they're always looking for a shortcut, they do. So another way you can help us: go to your favorite podcast client, iTunes is probably the most popular, and leave us a five-star review. Say why you listen to Steve and what you like about the show. That's another way you can help us out. So we are really a user-supported, a listener-supported network. We have advertisers, yes, but we're nothing without you, and your support means the world to us. Let us know what you think. Join Club Twit: twit.tv/clubtwit. We can't wait to welcome you into the little clubhouse there.
Steve Gibson
Trading shouldn't have barriers. When Robinhood started, it was built to make trading more accessible. Now Robinhood offers more sophisticated trading tools. Experience the future of trading on Robinhood Legend, the all-new desktop platform that harnesses intuitive design to deliver a seamless experience for traders. Free to use with a Robinhood account, Robinhood Legend is designed for how you trade, with powerful charts including custom intervals down to the tick and over 80 indicators and drawing tools. Trade all your favorite assets, including popular stocks and ETFs, all in one place. Take your trading to the next level by customizing your layout in seconds, and even enter and exit positions in one tap right from the chart. With up to 8 charts per layout, the future of trading is fast, powerful and precise. Experience it now on Robinhood Legend. Sign up today. Investing is risky. Robinhood Financial LLC, member SIPC, is a registered broker dealer. Other fees may apply. Hey, Prime members, are you tired of ads interfering with your favorite podcasts? Good news. With Amazon Music you have access to the largest catalog of ad-free top podcasts included with your Prime membership. To start listening, download the Amazon Music app for free or go to amazon.com/adfreepodcasts. That's amazon.com/adfreepodcasts to catch up on the latest episodes without the ads.
Leo Laporte
Now back to Steve Areno because I'm dying to find out what's going on here.
Steve Gibson
It's rare that we're able to invite the listeners of this podcast to actively participate themselves in cutting-edge security research. But this week a research team that has been looking into and questioning the actual dangers presented by Rowhammer attacks is asking for as much breadth and depth of real-world participation from the field as they can get. This amounts to downloading an ISO file, writing it to a thumb drive, then booting and running the Arch Linux OS and Rowhammer data-gathering tests that it contains. I immediately downloaded the 1 gig ISO, used the latest, for me, Rufus version 4.6 for Windows, to transfer that ISO onto a 32 gig thumb drive, booted it on my ZimaBoard and let it run in the background while I worked on the podcast. Okay, but let's back up a bit. We've been talking about the many various aspects and versions of the original discovery known as Rowhammer since its first description back in 2014. It was 11 years ago that this was first found. The essence of the problem is that in the inevitable quest to increase the density of main system dynamic RAM, you know, the RAM that's typically measured in tens of gigabytes, engineers squeezed every last bit of noise margin out of their designs. The RAM still worked, systems booted and for the most part ran reliably. But then some clever researchers came along and asked a question no one else had before. They asked, what if we were to hammer over and over and over on one row of RAM, or on the RAM on either side of one row? Might that confuse the nearby bits? And we know the answer to that question. It turned out that yes, indeed, not only can neighboring bits be affected, but those effects can be powerfully weaponized to completely collapse and bypass the security boundaries and guarantees upon which all modern computing relies for its operational security.
During the decade that followed since 2014, these surprisingly prevalent and successful attacks have been elaborated upon and expanded by many groups of researchers across the globe. The attacks have been strengthened. As Bruce Schneier reminds us, attacks never get worse, they only ever get stronger. They've been optimized, they've been sped up. Researchers have even demonstrated web-based exploitation via JavaScript code and even using network packets, the receipt of network packets, to induce Rowhammer vulnerabilities. And after the industry reacted to the initial news of these exploitable weaknesses with improved designs. You know, like DDR3 was where we were then. DDR4 was supposed to fix it, but didn't. DDR5 was supposed to fix it, but still hasn't. The industry reacted trying to fix this: new designs, faster refresh, detection of Rowhammer attacks on the fly. Anyway, nearly four years ago, in May of 2021, the Google Security Blog posted "Introducing Half-Double: New hammering technique for DRAM Rowhammer bug." Google's summary of their discovery is worth a quick review since it nicely lays out today's situation. They wrote, and so this was six years downstream from the original revolution, or revelation, of Rowhammer, they said: Today we're sharing details around our discovery of Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory. Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses. Much like speculative execution vulnerabilities in CPUs, Rowhammer is a breach of the security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system.
Rowhammer was first discussed in a paper in 2014 for what was then the mainstream generation of DRAM, DDR3. The following year, Google's Project Zero released a working privilege escalation exploit. In response, DRAM manufacturers implemented proprietary logic inside their chips that attempted to track frequently accessed addresses and reactively mitigate when necessary. As DDR4 became widely adopted, it appeared as though Rowhammer had faded away, thanks in part to these built-in defense mechanisms. However, in 2020 the TRRespass paper showed how to reverse engineer and neutralize the defense by distributing accesses, demonstrating that Rowhammer techniques are still viable. And we did a podcast on TRRespass earlier this year. The SMASH research went one step further and demonstrated exploitation from JavaScript without invoking cache management primitives or system calls. Traditionally, Rowhammer was understood to operate at a distance of one row. When a DRAM row is accessed repeatedly (the aggressor), bit flips were found only in the two adjacent rows (the victims) on either side. However, with Half-Double, we've observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B and C, we were able to attack C by directing a very large number of accesses to A along with just a handful (dozens) of flips to B. Based on our experiments, accesses to B have a nonlinear gating effect in which they appear to transport the Rowhammer effect of A over through B to C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate.
This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, which makes sense to me, the physics involved effectively becoming stronger and longer ranged as cell geometries continue to shrink; distances greater than 2 are conceivable. Google has been working with JEDEC, an independent semiconductor engineering trade organization, along with other industry partners in search of possible solutions for the Rowhammer phenomenon. JEDEC has published two documents about DRAM and system-level mitigation techniques. We are disclosing this work because we believe that it significantly advances the understanding of the Rowhammer phenomenon and that it will help both researchers and industry partners to work together to develop lasting solutions. The challenge is substantial and the ramifications are industry-wide. We encourage all stakeholders, server, client, mobile, automotive and IoT, to join the effort to develop a practical and effective solution that benefits all our users. So everyone is worried about the possibility of what this would mean. But despite all the academic work that's been done, there have never been any reports of actual Rowhammer attacks in the wild. This is reminiscent of Spectre and Meltdown, right? But it might also be more relevant to the Y2K worry here, where, despite the fact that the world did not end on Y2K, that may have been largely due to so much work going into making sure beforehand that it would not end. But in the case of all the various Rowhammer attacks, questions have been raised about the attacks' true feasibility in real-world scenarios. This brings us to the December 2024 presentation at Germany's 38th Chaos Communication Congress, during which a trio of academic researchers observed that the actual practical impact of these various RAM hammering attacks remains unknown and is still therefore largely theoretical.
They noted that past academic research always used small (they considered them relatively microscopic) sample sizes. They said: The density of memory cells in modern DRAM is so high that disturbance errors like the Rowhammer effect have become quite frequent. An attacker can exploit Rowhammer to flip bits in inaccessible memory locations by reading the contents of nearby accessible memory rows. Since its discovery in 2014, we have seen a cat-and-mouse security game with a continuous stream of new attacks and new defenses. Now in 2024, 10 years after Rowhammer was discovered, it's time to look back and reflect on the progress we've made and give an outlook on the future. Additionally, we will present an open-source framework to determine whether your system is vulnerable to Rowhammer. In 2014, researchers reported a new disturbance effect in modern DRAM that they called Rowhammer. The Rowhammer effect flips bits in inaccessible memory locations just by reading the contents of nearby memory locations that are attacker accessible. They trigger the Rowhammer effect by accessing memory locations at a high frequency using memory accesses and flushes. The root problem behind Rowhammer is the continuous increase in cell density in modern DRAM. In early 2015, Seaborn and Dullien were the first two to demonstrate the security impact of this new disturbance effect in two different exploit variants. They demonstrated privilege escalation from the Google Chrome NaCl sandbox to native code execution and from unprivileged native code execution to kernel privileges. Later in 2015, Gruss et al. demonstrated that this effect can even be triggered from JavaScript, which they presented in their talk "Rowhammer.js: Root Privileges for Web Apps." Now, in 2024, it is precisely 10 years after Rowhammer was observed. Thus, we believe it is time to look back and reflect on the progress we've made.
We have seen a seemingly endless cat-and-mouse security game with a constant stream of new attacks and new defenses. We will discuss the milestone works throughout the last 10 years, talking about the presentation they're about to give to the Chaos Congress, including various mitigations: making certain instructions illegal, ECC, doubled refresh rate, TRR (targeted row refresh), and how they have been bypassed. We show that new Rowhammer attacks push the boundaries further with each defense and challenge. While initial attacks required native code on Intel x86 with DDR3 memory, subsequent attacks have also been demonstrated on DDR4 and more recently on DDR5. Attacks also have been demonstrated on mobile ARM processors and AMD x86 desktop processors. Furthermore, instead of native code, attacks from sandboxed JavaScript or even remote attacks via network have been demonstrated as well. Furthermore, we will discuss how the Rowhammer effect can be used to leak memory directly, as well as related effects such as RowPress. We will discuss these research results and show how they're connected. We will even talk about the lessons learned and derive areas around the Rowhammer effect that have not received sufficient attention so far. We will outline what the future of DRAM disturbance effects may look like, covering more recent effects and trends in computer systems and DRAM technology. Finally, an important aspect of our talk is that we invite everyone to contribute to solving one of the biggest unanswered questions about Rowhammer: what is the real-world prevalence of the Rowhammer effect? How many systems in their current configurations are vulnerable to Rowhammer? As large-scale studies with hundreds to thousands of systems are not easy to perform, such a study has not yet been performed. Therefore, we developed a new framework to check if your system is vulnerable to Rowhammer, incorporating the state-of-the-art Rowhammer techniques and tools.
Thus, we invite everyone to participate in this unique opportunity at the 38th Chaos Communication Congress to join forces and close this research gap. The site: they called their overall work FlippyRAM because it's flipping bits. So F-L-I-P-P-Y-R, flippyr.am, but the site has the dot between the R and the AM, so f-l-i-p-p-y-r dot am, you know, https://flippyr.am. That's where all of this lives. Anyone who's interested should, you know, go to flippyr.am. Grab a copy of the open-source test tool. They say, when you get there: Welcome to our FlippyR.am study. We want to analyze the prevalence of Rowhammer in real-world systems. Everybody can participate in our study. The entire source code is open source and available via GitHub. You can either build the ISO yourself or run the entire study using Docker. However, we highly recommend using the ISO image. And the ISO is just flippyr.am, you know, the hammer ISO. They said, simply follow these steps. Download our ISO image and flash it to a USB thumb drive. See the following links for instructions for Windows, Mac and Linux. Boot the system you want to test using the thumb drive you created before. Specify the time the experiment should run and confirm your participation in the study. They said, when you do not want to participate in the study, you can still check if your system is vulnerable to Rowhammer without submitting any data. Step four, wait for the experiment to finish. Step five, you'll get a brief overview of the results. Additionally, the raw results will be stored on the thumb drive for you to inspect afterwards. And six, the results will be uploaded to our server and you can access them using a URL shown at the end of the test, only if you confirmed to participate before. Okay, so first of all, you should know you are asked afterward if you want to do the upload. So there's nothing happening behind your back. None of your data will sneak away. The default testing time is eight hours.
So the idea being, you know, you run this overnight while you're not using your computer and then it's done in the morning.
Leo Laporte
It's a probabilistic attack. It's not... it doesn't work every time.
Steve Gibson
Correct. Exactly. And so it requires some patience. And, you know, unfortunately they don't have anything cool like a running total on the screen of, like, Rowhammer strikes, so you're not getting any results available along the way. It does take a while to get going. On my Zima board, I wasn't sure it was working because it has four stages, and it went to 100% on the first stage. Then it went to 55% on the second stage, where it sat for a long time. The first stage is fetching info, but that's not from the network; it's just from the system, apparently. Then retrieving addressing functions at stage two, and my Zima board sat there for a long time. But I have also since then run it on, actually, a next-generation GRC server platform that I have not yet deployed. So, I mean, it's got, I don't know how many cores this thing has, 27 or something. And I mean, it is a screamer. It acted exactly the same way. It sat at 100% for a while, or took a while to get to 100%. Then the second stage sat at 55% for a long time. I started it yesterday afternoon on the server and let it run until this morning. I let it run for 16 hours. I should have known nothing would show, because this is a server platform with error correcting. You know, it's got ECC RAM, server RAM, which is unusual, and it came back completely clean. But on the other hand, it was nice to actually see that validated. So it will take some time. Once it finishes, you get a summary on the screen. It writes a long report in log files, in text, on another partition that it creates on your thumb drive, which you are able to look at. And then this morning I got a big QR code that I took a picture of with my phone, and the phone also wanted to open it. And so I haven't had a chance to look at it. But there you get a detailed report from their server which analyzes an incredible amount of information.
I mean, these log files, I don't know how many hundreds of log files I had that it had written out. So anyway, for what it's worth, I'll be uploading, and I did, all of my results, and I would hope others would too, to give them as large a cross section as possible. I think it'd be interesting if you have older machines, you know, like old DDR3 or DDR4 machines, to see if they're actually vulnerable to Rowhammer attacks.
Leo Laporte
Now they say Macintoshes, you can run this on a Mac.
Steve Gibson
Yeah, okay.
Leo Laporte
Yeah, so it's not an x86.
Steve Gibson
Yeah, I don't have any non-x86 hardware here or I would have done that. But I imagine that it is multi-platform.
Leo Laporte
So anything with DDR3, 4, 5. Is five immune?
Steve Gibson
No, five's not immune. Attacks have surfaced for DDR5. Basically everything we have in the world now is still vulnerable to Rowhammer to some degree.
Leo Laporte
Yeah, interesting.
Steve Gibson
And they said, I mean, this is dumb. They said as an incentive, the following two rewards can be won. When you upload a valid data set, you'll receive a cryptographic token. This token is generated by hashing random data, and when you upload your data set, you will save this token separately in our database. Or no, I'm sorry, we will save this token separately in our database. This means the token is not associated with your data set. This ensures that you can participate in the raffle without linking the token to your data set. Please make sure to bookmark or save the token, then. They said the first 10 valid tokens they receive via email will get a FlippyRAM T-shirt. I'm sure those are long since gone. And then everyone who sends us an email with a valid token will participate in a raffle and have a chance to win a €10 Amazon gift card. The more tokens you send us, the higher your chances are. So token away. Anyway, they've got two releases of the tool so far, version 1.0 and 1.0.1. They published the SHA256 hashes of both the ISOs if you want to make sure that they weren't tampered with. Although I've never understood the logic of that, because if someone was going to tamper with the ISO, they would just tamper with the posted SHA256 also. Yeah, anyway, fine. Anyway, at the bottom of the show notes, I have a link to the Chaos Communication Congress presentation. It's a multilingual soundtrack, so it's probably available in your language if you want to listen to the whole presentation. And I hope our listeners will, you know, have some fun. Copy it to a thumb drive, run it on your machines overnight, see what you find out. Let me know via our Security Now feedback, because it'd be fun just to share some of our listeners' results, and also submit your data to them. It's all anonymous, no information that you care about.
I mean, you're booting from scratch, right, and they tell you if you're worried about any of your mass storage devices, you know, disconnect them while you're running the test, and then the machine knows nothing about you, has no ability. But you can also look at the source code, and I'm sure these are good guys in any event. So a fun thing for our listeners to do while you're waiting for episode 1018, and it runs for eight hours.
Leo Laporte
That's the fixed amount of time. Or can it run for a different amount of time?
Steve Gibson
It defaults to eight. It's got hours and minutes in a little field and you can change it. I changed it to 16 for my server. If I had 16 hours I was going to be away from it, so what the heck.
Leo Laporte
Yeah. And I mean, honestly, it's conceivable that it wouldn't even get a hit in that amount of time, so... Right. I mean, there's no... Like I said, it's probabilistic. It's not...
Steve Gibson
It's going to be interesting to see what our listeners find. I did not get much satisfaction from the Zima board. I think that its hardware, you know, it is sort of an embedded system, so it's not a full PC. And a number of the tests that they had the Zima board did not qualify for.
Leo Laporte
Right, right.
Steve Gibson
So it'll just be interesting to have it run on more systems.
Leo Laporte
Very cool.
Steve Gibson
Yeah.
Leo Laporte
Yeah. You can find out why. You know, I meant to mention this. When you read the message from the person who wanted to remember the name of the network speed tester, you do very complete show notes, which have links to all this stuff. So you don't have to write to Steve to say, what was the name of that thing you mentioned last week? Just go to GRC.com and get the show notes. It'll undoubtedly be in there. The show notes are practically a transcript of the show. And then of course, there's the transcripts there as well, as well as two unique versions of the audio of the show. Steve does 16 and 64 kilobit MP3s of the show. So if you want a smaller version of it, you can get it there. That's at GRC.com. We have the 128 kilobit version and the video at our site. GRC.com is also the home of SpinRite, which would run lovely on a Zima board, if you have one, or anything. You have to have a machine that can boot into BIOS. Yes, correct. Yeah. Yeah. That's why the Zima board's a good idea, because then you could test the hard drive on something that does boot into BIOS. Yeah.
Steve Gibson
And in fact, in order to run this test, I had to enable UEFI on the Zima board because I had it disabled because I wasn't using it during the summer. Right.
Leo Laporte
You don't use it. Yeah. GRC.com, get the world's best mass storage maintenance, recovery and performance utility. That's Steve's bread and butter. There's lots of free stuff there, too. Lots of information. And if you want to email Steve, or if you want to get copies of the show notes mailed to you, or his occasional, very occasional email blasts, you can go to GRC.com/email and submit your email address. Steve does leave those boxes unchecked. So if you want the newsletter, make sure you check those boxes for those two different emails that Steve sends. One every week, one very rarely. GRC.com/email. That's also how you have to...
Steve Gibson
Other one only once ever so far.
Leo Laporte
That's very rare. You do have to do that if you want to email Steve, because he just rejects every email out of hand unless he knows your address. So validate your address. GRC.com/email. Our website for the show: twit.tv/sn, as in Security Now. You can get copies of the show there. There's a link to the YouTube channel. There are links to a couple of podcast clients that you could use to subscribe. But really any podcast client is going to have Security Now on it. And that's the best way to get the show, whether you want audio or video. Of course, Club Twit members have their own special feeds that have no ads. So that's why you pay seven bucks a month for that. What else can I tell you? Join the club, twit.tv/clubtwit. Leave a review for the show; that would be very much appreciated. Five stars if possible. Don't mark us down a star for, I don't know, for anything. It's five stars. That's it. Period. That's it. That's all there is to it. What else do we do? The show every Tuesday, 11am Pacific, 2pm Eastern Time, 1800 UTC. And I mention that because you can watch us do it live. Certainly not a requirement. But if you would like to see the very freshest first edition of this show, you can watch if you're in the club on Discord, or on YouTube or Twitch or TikTok or X.com. These are all open to all: Kick, Facebook and LinkedIn. Eight different ways to watch live. We will be back next Tuesday with the dynamic, ever-lovin' Steve Gibson for more security news. Steve, have a wonderful week and I'll see you then.
Steve Gibson
Right on, my friend. Bye.
Leo Laporte
Security Now.
Steve Gibson
Here in America, work is in trouble. We've offshored our manufacturing, sent away good.
Leo Laporte
Jobs and lost so much ability to make things.
Steve Gibson
American Giant is a company that's pushing back against this tide.
Leo Laporte
They make high quality clothing, sweatshirts, jeans.
Steve Gibson
Dresses, jackets and so much more right here in the USA. Visit american-giant.com and get 20% off your first order when you use code STAPLE20 at checkout. That's 20% off your first order at american-giant.com, promo code STAPLE20.
Security Now 1017: Is YOUR System Vulnerable to RowHammer?
Hosted by Steve Gibson, March 19, 2025
Introduction
In the March 19, 2025 episode of Security Now, host Steve Gibson delves deep into the persistent and evolving security threat known as RowHammer. Joined by Leo Laporte, the episode explores a variety of pressing security issues, including vulnerabilities in Telegram’s cryptography, recent high-profile cyberattacks, and critical software flaws. The discussion is enriched with insights from listener feedback and expert recommendations, providing a comprehensive overview of the current state of cybersecurity.
RowHammer Vulnerability and Testing
Understanding RowHammer
RowHammer remains a significant concern in cybersecurity, characterized by its ability to cause bit flips in DRAM by repeatedly accessing memory rows. Steve Gibson explains, “The Rowhammer effect flips bits in inaccessible memory locations just by reading the contents of nearby memory locations” (02:23). This hardware vulnerability undermines the security guarantees of modern computing systems, allowing attackers to breach memory protection policies.
State of RowHammer Research
Despite advancements in DRAM technology aiming to mitigate RowHammer, vulnerabilities persist. Gibson notes, “DDR5 was supposed to fix it, but still hasn't,” highlighting the challenge of keeping pace with evolving memory technologies. He emphasizes the critical need for widespread testing to understand the real-world prevalence of RowHammer attacks.
Community Call to Action
A significant portion of the episode is dedicated to encouraging listeners to participate in an open-source study aimed at assessing RowHammer susceptibility across various systems. Gibson shares, “We invite everyone to participate in this unique opportunity at the 38th Chaos Communication Congress to join forces and close this research gap” (141:22). The initiative seeks extensive real-world data to better gauge the vulnerability landscape.
Analysis of Telegram’s Cryptography
Cryptographic Shortcomings
A major highlight of the discussion is the critical analysis of Telegram’s proprietary cryptography. Gibson recounts, “We always knew it was crap” (04:13), expressing long-standing skepticism about Telegram’s encryption methods. Recent research by a team of cryptographers from ETH Zurich, Tel Aviv University, and Amazon unveiled significant flaws in Telegram’s key exchange protocols. The study, presented at EuroCrypt 2025, labeled Telegram’s cryptographic design as a “brittle monolith” (06:51).
Implications for Users
The flawed cryptography undermines user security, making Telegram susceptible to various attacks. Gibson speculates, “Telegram is likely secure enough for everyone’s current use, but its design actively fights against that actually ever being proven” (16:05). This admission underscores the inherent risks for users relying on Telegram for secure communications.
Recent Security Incidents
Twitter’s DDoS Attack and Misattribution
The episode covers the recent high-profile DDoS attack on Twitter (now rebranded as X). Elon Musk inaccurately attributed the attack to Ukrainian IP addresses during an interview, stating, “...the attack came from Ukrainian IP addresses” (29:40). However, evidence pointed to the Dark Storm Team, a group offering DDoS-for-hire services, as the actual perpetrators. Gibson criticizes Musk’s misstatement, noting, “...it was not true, at least from a bandwidth standpoint” (29:40).
PHP Vulnerability Exposure
A critical vulnerability in PHP-based Windows servers was discussed, emphasizing the widespread risk due to default configurations in popular stacks like XAMPP. Gibson warned, “The default XAMPP stack is vulnerable” (06:37), urging server administrators to update PHP versions promptly. He detailed the severity of the flaw, stating, “this is really bad” (07:24), highlighting the ease with which attackers can exploit outdated PHP configurations to execute arbitrary code.
Firefox Root Certificate Expiration
Another significant issue addressed is Mozilla Firefox’s expired root certificate, which could disrupt add-ons and DRM-protected media playback for users not updating their browsers. Gibson reassures, “...anyone who hasn't updated their Firefox even once since then would have nothing to blame” (34:47). He advises vigilant updating to prevent functionality loss, especially for Firefox ESR users.
AI-Generated GitHub Repositories with Malware
The rise of AI-generated GitHub repositories deploying malware was another topic of concern. Trend Micro reported that malicious repositories use AI tools to create polished descriptions, misleading developers into downloading malware like the Smoke Loader and Luma Stealer. Gibson cautions, “beware of repos that actually, you know, they don't look like they're written by some Russian national trying to write English anymore” (43:36).
Legislative and Policy Discussions
Age Verification and Privacy Concerns
The episode delves into the complexities of legislative proposals surrounding age verification online. Google’s stance contrasts sharply with Meta’s push for legislation that could compromise user privacy by mandating data sharing without consent. Gibson explains, “Google is proposing a more comprehensive legislative framework that shares responsibility between app stores and developers” (63:34). This approach aims to balance child safety online with robust privacy protections, criticizing Meta’s strategy for introducing unnecessary privacy risks.
Spain’s AI-Generated Content Legislation
Spain introduced stringent fines for companies producing unlabeled AI-generated content, aiming to curb deepfakes and non-consensual adult content. Gibson remarks on the significance of the fines, “that’s the only real ironclad guarantee that you’re getting something that is totally reliable, totally secure, done right” (65:39). This move positions Spain as a leader in regulating AI-generated content, aligning with broader EU AI Act provisions.
UK’s Secret Court Orders to Apple for Encryption Access
A contentious issue discussed is the UK government's secret legal orders (Technical Capability Notices) demanding that Apple enable access to encrypted iCloud backups. Despite Apple contesting these demands in closed court hearings, the secrecy perpetuates distrust and prompts calls for transparency. Gibson critiques the lack of openness, stating, "Secrecy is the authoritarian's friend. That's really sad" (82:34). He advocates for universally applied rules to prevent selective compliance that disadvantages companies like Apple.
Security Tools and Recommendations
Bitwarden’s Open-Source Password Management
Leo Laporte highlights Bitwarden as a trusted, open-source password manager praised for its transparency and security features. He mentions, “Bitwarden is up to date because its users contribute” (36:09), emphasizing its suitability for both individual and business use. The discussion underscores the importance of open-source solutions in verifying and enhancing cryptographic security.
Threat Locker’s Zero Trust Platform
Another recommendation is Threat Locker, a zero-trust security platform designed to block unauthorized actions and protect against known and unknown threats. Gibson explains, “It blocks every unauthorized action, protecting you from both known and unknown threats” (36:18). He highlights its applicability across industries and its role in mitigating ransomware and supply chain attacks.
Listener Feedback and Community Stories
Job Applicant Authenticity Concerns
Listener Sam Miorelli shares his experience with hiring applicants who may have used AI tools to fabricate credentials, highlighting the challenges in verifying the authenticity of job candidates. Gibson acknowledges, “There are lots of phonies out there, not just the North Koreans” (103:00), underlining the growing need for robust screening processes in recruitment.
PHP Vulnerability Experiences
Leo recounts his past mistakes with PHP server configurations, admitting, "I think somebody could upload a plaintext PHP file that could then execute" (102:59). This anecdote serves as a cautionary tale, reinforcing the episode's emphasis on securing PHP servers against RowHammer and other vulnerabilities.
Password Manager Preferences
Listener Mark Goldstein praises 1Password for its robust security model and cross-platform capabilities. He writes, “Their cross platform implementation of passkeys works great for me” (113:06), supporting the episode’s advocacy for secure, well-designed password management solutions.
Conclusion
The episode culminates with a call to action for systems administrators and everyday users alike to assess their vulnerability to RowHammer attacks. Gibson emphasizes the importance of proactive security measures, advising, “It's the only way” (111:06). The collaborative effort to gather widespread data through the Flippy RAM study aims to bridge the research gap and enhance global understanding of RowHammer's real-world impact.
Notable Quotes
"Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses." — Steve Gibson (02:23)
"Telegram’s design actively fights against that actually ever being proven secure." — Steve Gibson (16:05)
"Secrecy is the authoritarian’s friend. That’s really sad." — Leo Laporte (82:34)
"Beware of repos that actually... don't look like they're written by some Russian national trying to write English anymore." — Steve Gibson (43:36)
"They don’t want any responsibility. They don’t want any part of this." — Steve Gibson (63:34)
Recommendations
Test Your System for RowHammer Vulnerability: Utilize the open-source Flippy RAM framework to assess your system’s susceptibility. Participate in community studies to contribute to broader security research.
Update PHP Configurations: Ensure PHP servers, especially those running on Windows with default XAMPP stacks, are updated to the latest versions to mitigate RowHammer and related vulnerabilities.
Adopt Robust Password Managers: Implement open-source password managers like Bitwarden or highly secure commercial options like 1Password to enhance credential security.
Stay Informed on Legislative Changes: Monitor and engage with ongoing legislative developments related to age verification and AI-generated content to understand their implications on privacy and security.
For more detailed insights and access to recommended tools, visit GRC.com.