IoT Done Right, France Phishes, Gmails E2EE
Leo Laporte
It's time for Security Now. Steve Gibson is here. Lots to talk about, including a 10.0 CVSS score for a problem in Apache Parquet. French school children are not gullible. It turns out the French government tried to trick them and failed. And then we'll find out what Multi-Perspective Issuance Corroboration is and why you might need it. That and a whole lot more coming up next on Security Now.
Steve Gibson
Podcasts you love, from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1020, recorded April 8, 2025. Multi-Perspective Issuance Corroboration. It's time for Security Now, the show where we talk about your safety, your privacy, your security, and a bunch of other stuff that geeks are interested in, with this guy right here. I think you officially are the king of geeks, Steve Gibson.
Steve Gibson
I would wear that badge proudly, wouldn't you?
Leo Laporte
Yeah.
Steve Gibson
Yes, I would.
Leo Laporte
You have earned it over the years. Now 70 of them. Congratulations. That's amazing.
Steve Gibson
We had a listener who had a T-shirt made and sent me a photo. "Just say no to port 80." I love it. From last week's podcast, which reminded me I had some made a while ago that just said "Born to Code." Because if I make a fresh cup of coffee, put on some quiet music, sit down in front of my computer with some problems to solve, it is my happy place. There's nothing like it.
Leo Laporte
Yeah.
Steve Gibson
That is just.
Leo Laporte
I get sad when I hear about Vibe coding and AI replacing engineers, because I think it is, independent of whether it's a useful economic exercise, a wonderful fun thing to do.
Steve Gibson
A buddy of mine sent a link yesterday to a blog post. There's a guy named. I think it's Ken Schiff, but that sounds like. It's like his last name. I've shortened it. Anyway, he pops the lids on Intel chips, Intel processors, and then takes photomicrographs of the chip and then reverse engineers the circuitry. And this particular blog posting was about the times-3 multiplier hardware in the Pentium. And that was like they had a dedicated strip of silicon that was for multiplying by three. That's all it did. And then it was like, okay, why is there a hardware times-three multiplier? And actually it's not difficult to multiply by three in binary, right? Because you just shift over by one and sum. But it turns out that they don't do binary multiplication. They do base-8 multiplication in the hardware. It's like, what? Anyway, so this guy has just gone so into this. And so I read the blog posting and I thought, you know, this kind of thing, the designers of that never were understood. They didn't get credit for it. I'm sure they were working within a small community of just incredible silicon design wizards, and hopefully that was all they needed. But there's just. There's like this incredible wizardry in stuff back then, and it does feel like those days are leaving, sort of like turning coding over to AI. Unfortunately, coding makes so much sense for AI because it is so rigorously logical and so complex. And you should be able to say to an AI, does this do what I want? And it would just say, no, not even close.
Leo Laporte
Well, you know, it's a computer talking to a computer. Of course. It kind of makes sense that a computer would do that. Well, yeah, but at the same time, it's a. What? You know, people in grade school, I know, everybody said, well, what am I learning, you know, algebra for? I'm never going to use algebra. It's not about the algebra, it's about the pleasure of it and the kind of. The formal reasoning, which is a great thing to learn.
Steve Gibson
Right.
Leo Laporte
I think everybody. I think coding should remain in the curriculum, even if it's not something you end up teaching well.
Steve Gibson
And teaching math is much the same way. It's just. It's good for your brain to think in abstractions some of the time. Which is why we have this podcast. Leo, this is Security Now, episode 1020 for Patch Tuesday. We actually have a picture that is apropos. I think you're gonna enjoy it when we get to it. Today's title, I wasn't sure it was gonna fit, actually. It strained the margins of the show notes.
Leo Laporte
It's a little long and also a little obscure. I.
Steve Gibson
Very obscure, yes. And it wasn't until my own description of the backstory behind this grew that I thought, well, this is our topic for the week. Multi-Perspective Issuance Corroboration. MPIC. Okay. And why, as of the middle of last month, the CA/Browser Forum, the people who manage the certificates, the issuance and the consumption for web browsers, why they unanimously voted to require themselves to do this. Multi-Perspective Issuance Corroboration. So this is a big change that just happened in the requirements for issuing web browser certificates, which we're going to get to after we look at Canon printer driver vulnerabilities, enabling Windows kernel exploitation, and the astonishing cybersecurity awareness which has been shown by a household appliance manufacturer. A listener pointed me to this company. I think they're Australian or maybe they're. I don't remember where they are. Yeah, New Zealand maybe. Anyway, unbelievable that they have a page that they. Because they're. They're into connection and connected appliances. They understand what their obligation is if they're going to do it like none other. Also France tried to hook two and a half million school children in a phishing test. We're going to look at the results of that. WordPress three years ago added an abuse-prone feature. Any guess what happened? And Oracle, is there something you would like to tell us that you have not so far? Some problems over there. They're like, what? No, nothing to see here. Just, you know, what's that big lump under the carpet? Don't worry about that. Utah's governor just signed the App Store Accountability Act into law. We've talked about the legislation passing through their lower bodies. It's now law in Utah. Now what? Also it turns out that AI bots hungry for new data are inadvertently DDoSing FOSS projects.
Leo Laporte
Yeah, this is a problem. Yeah.
Steve Gibson
Also no Microsoft Account, no Windows 11. A change has been made to the Dev Channel. Coming soon to your next Windows 11 installation. Also Gmail claims it now offers end-to-end encryption. Well, it kind of sort of does, somewhat. It is the definition of a hack and we'll talk about it. Also a dreaded CVSS 10.0 was discovered in something called Apache Parquet. Not yes, sorry, but 10.0, everybody. So that's as bad as it gets. We got a bunch of listener feedback. Believe it or not, had time for that too. And then we're going to look at what is Multi-Perspective Issuance Corroboration and why must all certificate authorities now do it. And of course we've got a great picture of the week. So I think maybe, Leo, this podcast will finally be a good one.
Leo Laporte
Finally after 1,019 episodes.
Steve Gibson
I think we got the hang of it now.
Leo Laporte
There are people who Sunday you should stop by and say hello. Our 20th anniversary TWiT is this Sunday, after 20 years. Patrick Norton's gonna come by, Sam Abuelsamid will be on, Allyn Malventano, and we're getting videos from all of our viewers. I've been asking everybody, if you want to share your memory of the first time you saw TWiT, the first time you saw me and Steve, maybe back in the Screen Savers days, share a video with us. We got a lot of them. It's gonna be a lot of fun. That's on Sunday. Can you believe it? Long time we've been doing this, Steve.
Steve Gibson
Well, and I asked Benito, I said I thought that the number of Sunday's TWiT was 1027.
Leo Laporte
It is, I think.
Steve Gibson
And today is 1020 for us. So Security Now, a little behind, only started seven weeks later.
Leo Laporte
Right. Well, maybe because you never stop. You know, for the first 15 years, you wouldn't even take the Christmas holiday off.
Steve Gibson
And it was that tattoo that did it. I thought, okay, I'm quitting on Christmas from now on.
Leo Laporte
There might be a few days. But, yeah, roughly seven weeks later was very quickly after it. Yes, yes. And you're coming up on your 20th, right? When is that going to be, do we know? August, I think. Yeah. 20 years. I don't feel that old. I really don't. We started doing this in our late 40s.
Steve Gibson
What's cool is that we have really been on the podcast through huge changes in the industry. Yeah, I mean, like, you know, viruses moving from one person's thumb drive to the next, or computer to computer. I mean, that was a thing.
Leo Laporte
And, you know, there's a great movie just came out called Black Bag. I don't want to spoil it. It's Michael Fassbender and Cate Blanchett and you should watch it. Have you seen it?
Steve Gibson
No.
Leo Laporte
But the only reason I mention this is there's a moment when they're talking about this exploit that is a deadly exploit. And they said it's based on Stuxnet and we've designed it for air-gapped computers. And I was thinking, man, they must listen to Security Now. It was a really, it was technically a really great moment in that movie. It's a fun spy movie. But you know what? That's one of the things I think maybe you could take a little bit of credit for. Hollywood is a little more savvy in the content, the computer content that you see on screen.
Steve Gibson
Been very impressed with, with, with what they're doing now. I just think that it's percolated down into the culture.
Leo Laporte
The people are writing this now are part of the.
Steve Gibson
Or they actually know we need to get a tech guy to help us with the script. And so there's some script apology. There was a series, and I meant to mention it, except it wasn't that good. But it was about prime factorization.
Leo Laporte
Yes. I was going to ask you. I haven't watched it. I was going to ask you about it.
Steve Gibson
Yeah, it was worthwhile. The premise was that it was known that our security industry, our security infrastructure, understood that it was possible to factor primes. So they didn't want it to be made public. So they were spying on all the top mathematicians who were working in the field that might stumble upon this. And so anyway, it was, you know, I mean, again, that's where I was thinking, wow, they got a lot of this right.
Leo Laporte
I was ready to lambaste them. I thought, this is going to be terrible.
Steve Gibson
There were some things that were not correct. They didn't actually say. It wasn't factorization, but it was primes. They understood that something about primes are important. Something about primes. Oh, it was patterns in primes. It was. Some guy was like, oh, he's like, figured out that like a pattern in primes. But it turns out that this. So this was a conspiracy to keep this from. Being. Keep it quiet discovered to keep it quiet. That went back decades. And so anyway, it was, it was, I would say it was, it was fun.
Leo Laporte
And you and I both watched Robert De Niro's Zero Day, which also had some technical accuracy in it. So, you know, they're getting better. Anyway, time to take a break. Nothing but technical accuracy just around the corner. And our picture of the week with first.
Steve Gibson
Also technically accurate.
Leo Laporte
Yes. Is it? Oh good, I haven't looked yet. All right. I like to save it for the show. Our show today brought to you by a brand new sponsor, Material. This is something everybody needs. Gosh knows we need it. It's the multi-layered detection and response toolkit for email. I think we all know email is one of the primary vectors these days for malware. So phishing, spear phishing attacks and so forth. Your cloud office isn't really another app. It's the heart of your business. It is for us, right? We use Google Cloud. Maybe you use Microsoft 365. But traditional security tools aren't really designed for that kind of cloud architecture. They treat email documents as afterthoughts. Meanwhile, your most critical assets are remaining exposed. So that's where Material comes in. Material transforms cloud workspace protection with a. I think I talked to them the other day and was blown away. A revolutionary approach. It goes beyond the kind of traditional security paradigms. Let me kind of explain this as best I can. You get dedicated security for modern workspaces. Google Workspace, Microsoft 365 purpose-built protection is designed specifically for those platforms and it's across the entire security life cycle. So it defends your organization before, during and after potential incidents. It doesn't just block them. It's there for you no matter what happens. Material allows you to scale security without scaling your team, using intelligent automation to multiply your security team's impact. Material provides security that respects how people work. That's really important, right? Because if security is hard to use or gets in people's way, they'll go around. Eliminates that impossible choice we're all familiar with between robust protection and productivity. They've really managed to make it work. Material delivers comprehensive threat defenses through four critical capabilities. Of course there's phishing protection. That's job one.
AI-powered detection that identifies sophisticated attacks. And what I like about Material, it doesn't delete the email, it doesn't take it off the server. It just protects you from it and identifies it. So you can look at it and say, yeah, that's a phishing attack, I'm glad we dodged it. Or no, that wasn't a phishing attack. And you can recover the email. So they've done this very nicely. They also help you with data loss prevention, intelligent content protection and sensitive data management. Posture management. They identify misconfigurations and risky user behaviors. That's fantastic. And identity protection, they have comprehensive control over access and verification. And what I love about this, you don't have to filter your email through their servers. They use built-in APIs of both Google Workspace and Microsoft 365 to do all of this. So it's really an easy thing for you to implement, set up, and you don't give over control of what your email system is doing. Right? The head of security at Figma, they love it at Figma, by the way, they said this about Material. Quote: "It's rare to find modern security tools with a pleasant usable UI. Being at Figma, obviously we're attracted to well-designed interfaces. Material's interface was just so smooth and slick." From automatic threat investigation to custom detection workflows, Material converts manual security tasks into streamlined intelligent processes. By the way, you need it that way because you need to be able to respond over and over again instantly. Right? Humans just can't do it. You gotta have assistance, you gotta have automation. They also provide visibility across your entire digital workspace. So your security team can focus on strategic initiatives instead of endless alert triage. And if you're on a security team, I think you know what I'm talking about. Protect your digital workspace, empower your team, secure your future with Material. It's really cool.
You can actually go to material.security, that's their website, material.security. You can learn more there. You can book a demo, they have a self-running demo you can take a look at. You can actually see what it looks like when you get a phishing email, and the process and so forth. And I love it that it's API-based. They don't mention it in the copy here, but I was really blown away. Both Google Workspace and Microsoft 365 have very capable APIs that let this third party really do all the security you need without redirecting your email. It's material.security. Check it out. It's really important if you're using, as we do, Google Workspace or Microsoft 365. All right, let us go back to the show and Steve Gibson's picture.
Steve Gibson
Those .security domains cost $2,500 a year.
Leo Laporte
Oh, you looked at it, I bet. Yeah.
Steve Gibson
And I don't think that's in keeping with the founder's intent for the way the Internet would work.
Leo Laporte
That's expensive. Yeah. These custom emails really, you know, but on the other hand, they're nice. Like I have Leo pizza. And I think if you wanted to.
Steve Gibson
Well.
Leo Laporte
All right, let's look at the. Let's look at the picture of the week, Mr. Gibson.
Steve Gibson
I'll scroll up here. I gave the caption "Making the switch from Windows to Linux. I'm trying to understand." Apropos of last week's podcast about the EU OS.
Leo Laporte
If you scroll all the way up, you get it a little bit better. Okay. Broken telephone pole.
Steve Gibson
Ah, yes. And again, this just. These pictures beg so many questions. So for those who can't believe, see, we've got a buckling broken telephone pole that some hapless lineman has tried to keep erect with duct tape. Oh, my God.
Leo Laporte
Duct tape keeping the world together.
Steve Gibson
It looks like maybe there's some sticks on the outer side that were used. Like some splints. Exactly. So it was like splinted and then duct tape. The splints were duct taped to the pole, just trying to keep it up. But then over to the right, we see the one that I've labeled Linux, which has like a new pile of dirt at the edge foot.
Leo Laporte
It's the replacement pole, clearly.
Steve Gibson
Yeah, exactly. It must be there. And then, I don't know why, there's a little rope strung between.
Leo Laporte
That's the funniest thing. I don't understand that either.
Steve Gibson
It's like a leash. It's like, don't go away, boy. Stick close.
Leo Laporte
That is the funniest thing ever. Duct tape, man, holds the world together.
Steve Gibson
It is. Yes, exactly.
Leo Laporte
And Windows is the duct tape solution. And of course, the brand new perfectly formed pole is Linux. I like that, Steve. Thank you. That's right.
Steve Gibson
It's one of the expressions we have around the house. When one of us wakes up and something is stiff, we say, oh, get the duct tape.
Leo Laporte
Really? Okay, I'm not sure. That was maybe a little too much information.
Steve Gibson
Oh, like a stiff muscle.
Leo Laporte
Oh, my shoulder.
Steve Gibson
Yes, indeed. Shoulder, sorry, shoulder.
Leo Laporte
Of course. Get the duct tape. You never know.
Steve Gibson
That's right.
Leo Laporte
I have a vision of you duct taped to the bed. Okay, so maybe that's not.
Steve Gibson
Okay, so the Microsoft Offensive Research and Security Engineering. This is one of those reverse-engineered acronyms. The abbreviation is MORSE. MORSE. Microsoft Defensive Research and Security Engineering. They've identified a crucial security vulnerability within a range of Canon printer drivers. Canon being a leading, very popular printer which threatens users across, well, anybody who's using that printer, who would be a target. The vulnerability could reportedly allow malicious actors to compromise printing operations and in severe cases execute arbitrary code on affected systems. We did a podcast years ago that I thought was one of our better ones where we looked at the threat that something as innocuous-seeming as a network printer in an enterprise could pose. Because it was discovered that advanced persistent threat actors were actually setting up shop in enterprises' printers, which were not being scanned. They didn't have Windows Defender running on them. It was just a printer. But turns out it's a computer, probably running Linux of some flavor. And they were able to just stay ensconced inside this printer for quite some time, anyway. This has a CVSS, the concept of a printer driver. In this case, not the printer itself, but the printer driver in a Windows system has a CVSS score of 9.4. As we know, that's a high severity risk. It's up at the high end of the scale and it has a 9.4 due to its lack of complexity. Very easy to leverage the bugs in these Canon printer drivers. You do not need any elevated privileges to use it, nor any user interaction. The potential for high impact compromise of confidentiality is there. So 9.4. It provides a path to deliberate memory corruption during the EMF recode processing, which is something that the printer driver does, probably. EMF is Enhanced Metafile, I'm pretty sure.
And unfortunately, this opens systems that do not use Canon printers to the infamous BYOVD attacks, where BYOVD is short for Bring Your Own Vulnerable Driver. The problem is these vulnerable Canon printer drivers were originally signed by Microsoft. Microsoft blessed them, allowing them then to be loaded without a second thought into Windows, so they can't be altered at all, or that would break the signature and then Windows would refuse to load the driver into the kernel. No need to alter the driver because it's buggy and now the bugs have been found. So malware can bring along one of these flawed Canon printer drivers, drop it onto the system, get it loaded into the kernel, and then leverage the flaw in order to take over the system. They are. When an entity has Canon printers, they're there by default across a variety of printers, including their production models, home and office automation, multifunction printers, and laser printers. So all that a malicious application needs to do is cause a print job to be processed through the vulnerable driver. That allows the attacker to gain control and have kernel-level access, which is to say root on the system. Canon has acknowledged the issue and has promised to be releasing updated drivers as soon as they can. So if you are a Canon user, that means your system already has these vulnerable drivers in it and, you know, the malware doesn't need to bring its own along. So keep an eye out for any updates that Canon offers. You'll certainly want to make sure that you are receiving Canon's notifications of updates. And I imagine that what will happen, as soon as the new drivers are present and given some opportunity for them to filter out into the ecosystem, is that before long Windows Defender and the other endpoint management third-party software will start explicitly looking for these known vulnerable drivers and say, you really don't want to be loading this.
And that's the way the Bring Your Own Vulnerable Driver problem will get resolved, is that as soon as replacements are available, so that functionality isn't killed when the vulnerable driver is removed, then those drivers will just be blacklisted and you won't be able to load them into Windows anymore. So all this takes time and, as we know, everything now is an arms race to see how much infiltration and how much damage can be done before the problem is resolved. Okay, I talked about an astonishing home appliance company. This was thanks to a piece of feedback that we received from listener Dave Morell. David wrote, "Every home IoT device maker should follow the lead of this home appliance maker. About the only thing." And Leo, I have to say, when I was looking at this site, I thought, oh, these look like appliances Leo would want. I mean, they are really beautiful.
Leo Laporte
Don't tempt me, Steve.
Steve Gibson
The company is Fisher & Paykel. Yep, you got it up on the site. Now he said about the only thing they could have added is advice to use a YubiKey or similar, meaning they really get it. And he said they really get it. He said. And it even looks like you can buy these. Oh, they're New Zealand. You can buy these New Zealand-made home appliances in the U.S. Personally, I'm quite happy not having IoT in my home appliances. Okay, so David's note made me curious. I went over to the Fisher & Paykel website. It's F-I-S-H-E-R-P-A-Y-K-E-L.com and I discovered that they have an entire page devoted to the cybersecurity of their well-connected appliances. So to give everyone a sense for what's there on this home appliance maker's site, they wrote, "We're vigilant about securing your connected appliance. We understand that the security of our products is of the utmost importance to our customers. We build appliances around these core security values." The fact that they even know the term "core security values." They use WPA3.
Leo Laporte
That's all I needed to see. It's like, wow, astonishing. It's like in there somewhere.
Steve Gibson
I have to say, Leo, I wonder if someone's going to be smiling when he hears me reading this because he's a Security Now podcast listener. I mean, because like, I mean some guy at Fisher & Paykel, because it feels like it doesn't.
Leo Laporte
It sounds like you would say the.
Steve Gibson
Guy's been listening to us. The page says, "Security is ingrained in our business culture and in the way we developed your connected appliance. It's a business policy that security is built in to every aspect of our process. It's built in during all phases of development, manufacturing and maintenance. Your appliance is secure without user configuration or specific router settings." He said, "Security by design. Security controls to protect appliance data, user authentication and authorization, and how the system will be securely maintained are integrated into the functional features of the appliance. The software meets industry best practice coding standards." Who talks about the coding of their dishwasher? "And is developed by the test-driven development software method."
Leo Laporte
Yeah, right on.
Steve Gibson
The guys must have like some nephew who's into serious security or something. This is just amazing. They said, "Any third-party and open source software is analyzed for security and the safety of your appliance and data. Prior to deployment, the appliance undergoes extensive software security and performance testing. Security penetration testing on the connected system and its components, the appliance, mobile app and cloud, is done regularly. Post deployment, software updates are released to ensure the appliance has the latest security code to protect your appliance and data." I mean, I almost want to buy this stuff just to support these people. It's amazing. They said under security by default, "Every connected appliance has all security features enabled when the appliance is first connected. No special configurations or specific router settings are needed. Your appliance connects to your Wi-Fi router using the WPA3 network security protocol as standard, with WPA2 for backwards compatibility. The appliance does this even if your router is not set to this configuration. That's just one example" so awesome "of how security by default is engineered into your appliance." And then defense in depth. "Every component of our connected appliance ecosystem has security controls that provide independent redundancy to protect against malicious attacks. We ensure security controls are implemented in layers for data protection at rest and in transit." I wish these guys made, like, some social networking software because we could give it to our government and it would be way more secure than what they're using.
Leo Laporte
Wow.
Steve Gibson
They said, "This layered approach strengthens the security of our entire ecosystem. We're continuously testing and reviewing the security systems. If needed, these layers can be updated and improved by software updates." And for transparency, "Our security controls and methodologies are industry standard. Our goal is to communicate our additions with openness and accountability. We are industry leaders in IoT security and promote transparency to help educate our customers. Reach out to us if you have any questions or concerns. Please see below under our ratings section for current evaluations of our appliance products."
Leo Laporte
They look pretty darn good. You're right, Steve. And you can buy them in the.
Steve Gibson
U.S. oh, they're gorgeous. I mean, the equipment is beautiful, Leo. I mean, the people who did the industrial design are friends with the people who did the security design. I mean, it is top notch. Look at that. Yeah, we're in.
Leo Laporte
Also top prices. $15,000 for an oven.
Steve Gibson
Oh, but, honey, it'll sing you to sleep.
Leo Laporte
I have Internet connectivity on my. On my oven.
Steve Gibson
Of course you do.
Leo Laporte
The only value at all is it will. It will tell you when the oven's preheated. On your phone said, hey, your oven's ready.
Steve Gibson
Go put your roast in.
Leo Laporte
Go put your roast in. It's ready. That's it.
Steve Gibson
We're doors open, industry leaders in IoT security. Actually, we could use that for our refrigerator. Luckily, our refrigerator sounds a lot with you.
Leo Laporte
Yeah.
Steve Gibson
Lori just walks away. I don't know what is going on, but it's like, honey, you know, not only are the lights on, but the refrigerator is open.
Leo Laporte
So. Yeah, yeah, I've done that.
Steve Gibson
Anyway, "Reach out to us," they said, "if you have any questions or concerns. Please see below under our rating section for current evaluations of our appliance products. We ensure these best practices are applied to your appliance and its IoT ecosystem through regular penetration testing. We work with ethical hackers and security researchers to evaluate the security of your smart appliance and system through third-party evaluations." It's just astonishing. And then they said under our ratings, "We are proud to have achieved the gold verification level for UL's" Underwriters Laboratories "IoT security rating." I didn't know Underwriters Laboratories did IoT security rating. "With thorough evaluations conducted every year since we first achieved this rating, we continually demonstrate gold level security capabilities that align with industry best practices." This is an oven, folks. This is not like a server or a router or an endpoint security device. This is somebody's microwave.
Leo Laporte
That's just unbelievable.
Steve Gibson
Astonishing. So anyway, props and a salute to fisherpaykel.com, and if anyone from there is listening to this podcast, congratulations. Oh, and Leo, "If you suspect that your appliance has been compromised or you have identified a security vulnerability in one of our connected appliances, we urge you to contact our Appliances Security Incident Response Team."
Leo Laporte
Holy cow.
Steve Gibson
@Israel.Com and here it comes. Note we support PGP encryption using the Fisher and Paykel appliances information security PGP key.
Leo Laporte
All right, now I'm going to give you the bad news. Oh, it's a subsidiary of Haier, which is a giant Chinese multinational. So I mean, you know, maybe they could, maybe they could spread the word throughout the entire Haier.
Steve Gibson
I wonder if they probably, they probably use open source but don't publish their firmware.
Leo Laporte
Yeah, I mean, I think, you know, every, nowadays every. This company was acquired, obviously. Yeah. Haier's a giant monster conglomerate. So.
Steve Gibson
Right. So they did, they just sucked them up because they said these guys are doing it right. We want, we want.
Leo Laporte
They have to have a high end brand. Right.
Steve Gibson
We want a piece of their action.
Leo Laporte
Because they have low end brands. Yeah.
Steve Gibson
Oh, and get this, Leo. I just. This I couldn't imagine. After all that, they then have a sort of an FAQ Q&A thing where they talk to their customers about how to enhance their security, and they finish with separate networks: "Security experts recommend creating separate and secure networks dedicated for your IoT devices," which makes me think, are they listening to this podcast? "That separate from your network used for banking or e-commerce activities, or that which handles your most private and sensitive data. You can further segregate your networks based on the IoT device itself. There are two methods for this when using one Internet connection: using one router and setting up a guest access or a guest network within the router settings, or use separate routers paired with your Internet connection."
Leo Laporte
Oh, they definitely listen to this show.
Steve Gibson
Incredible. "If you choose to set up a guest network, ensure the password for the guest network is strong and, if available, ensure that access to local network resources is turned off. This may also be called isolate." Anyway, I am utterly astonished by these people, and it's a good thing this is April 8th and not last week's April 1st podcast, because this would have made the best imaginable April Fool's spoof, since no one would ever believe that I hadn't made this entire thing up from scratch. You know, Leo, if the rest of the world designed and built their equipment like these guys, it feels as though our job here would be done.
Leo Laporte
That's impressive. I wish all, yeah, I wish all IoT stuff was like this. That's incredible.
Steve Gibson
Incredible.
Leo Laporte
Yeah.
Steve Gibson
Well, we're going to talk about France's phishing test after you tell our listeners how it is that we're still here.
Leo Laporte
Ah, that's a very good question after almost 20 years. Well, I think we could safely say it has a little bit to do with our fine sponsors. Steve.
Steve Gibson
Oops.
Leo Laporte
That is not what I want to show you. What is that? We go. Our show today is brought to you by, and I think you know this company, we've mentioned it before, ThreatLocker. Really cool company. I think if you listen to the show, it's pretty clear ransomware is just devastating companies worldwide.
Steve Gibson
Remember that site, the ransomware listing
Leo Laporte
site? Every day another dozen.
Steve Gibson
Oh my God. I looked again. It was astonishing.
Leo Laporte
It's, it's mind boggling. They're doing it with phishing emails, they're doing it with infected downloads, malicious websites, RDP exploits. I'm going to make a T-shirt that says close port 135. Don't be the next victim. ThreatLocker's Zero Trust platform, this is really the gold standard in security. Zero Trust takes a proactive deny-by-default approach. It blocks, that's the key, by the way, deny by default. It blocks every unauthorized action, protecting you from both known and completely unknown zero-day, never-heard-of-it-before, custom-coded-just-for-you threats. It's trusted by big companies and small. Global enterprises like JetBlue, infrastructure companies like the Port of Vancouver. You know, if you're a seaport and you've got container ships coming in and an entire region, and in the case of the Port of Vancouver probably an entire country, relying on your being reliable and up, you need to protect yourself. They use ThreatLocker to shield themselves from zero-day exploits and supply chain attacks. And this is great: provide complete audit trails for compliance. ThreatLocker's innovative Ringfencing technology isolates those critical applications from weaponization. It stops ransomware, limits lateral movement within your network. It really works in all industries. In fact, it even supports Mac environments. So no matter, even if you have a heterogeneous network, this is a great solution. Very affordable. By the way, go look at the pricing. I was stunned. Any company should do this. It's totally affordable. They provide 24/7 US-based support. You get comprehensive visibility and control. Here's from another governmental organization that cannot afford to be ransomwared. Mark Tolson, he's the IT director for the city of Champaign, Illinois. You know, this is a perfect example because they are a mission critical operation but they don't have an infinite budget. Right? ThreatLocker is a great solution. Here's what Mark says.
He says, quote, "ThreatLocker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing ThreatLocker will stop that." That's the beauty of ThreatLocker. Zero Trust. Stop worrying about cyber threats. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. All you have to do to find out more and get a free 30-day trial is go to threatlocker.com/twit. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance at the same time. threatlocker.com/twit. We thank them so much for supporting the show. And please use that address so they know you saw it here. threatlocker.com/twit. Oh, I'm on the wrong side. Switching around. All right, Steve.
Steve Gibson
Okay, so the French government recently conducted a large scale phishing test targeting more than two and a half million middle and high school students. The bait was a link that advertised cheats and cracked games, which instead redirected any students who were foolish enough to click on it to a phishing awareness video. Now what was interesting was according to France's privacy watchdog, over 210,000 students did click the link. But that's only one in 12 students out of a population of two and a half million.
Leo Laporte
Impressive.
Steve Gibson
Yes, 8%. And you know, while yes, 210,000 is a lot of individual students, they fared way better than the one-third click rate which is typically seen in corporate environments. So the old folks in the corporations are like, oh, I can get free socks for life. Great. But you know, these kids are like, I don't think so. This looks like junk. So congratulations. As we've observed before, with 521 million websites built on WordPress. 521 million.
Leo Laporte
That's mind boggling.
Steve Gibson
It is. It's like 43.5% of all websites in the world are WordPress. So its security, WordPress security, is always a top concern. So much of the Internet depends upon it. So when three years ago, in 2022, WordPress added a feature attackers could only dream of having, it's hardly surprising that it didn't take long for it to be abused. WordPress's site describes this nifty new feature known as Must-Use Plugins. It's like, what could possibly go wrong? Which is our rhetorical question. This is how they described this feature: "Must-use plugins, AKA mu-plugins, are plugins installed in a special directory inside the content folder and which are automatically enabled on all sites in the installation. Must-use plugins do not show in the default list of plugins on the Plugins page of WP-Admin, although they do appear in a special Must-Use section. And they cannot be disabled except by removing the plugin file from the must-use directory, which is found in wp-content/mu-plugins by default. For web hosts, mu-plugins are commonly used to add support for host-specific features, especially those where their absence would break the site. Must-use plugins are always on, with no need to enable via admin, and users cannot disable them by accident. They're enabled simply by uploading a file to the mu-plugins directory without having to log in." And this, of course, as I said, is where we cue one of our favorite rhetorical questions: what could possibly go wrong? Yes, you just have the file there, and WordPress won't show it to the admin, won't require you to be logged in to enable it. In fact, you can't enable it. It's always enabled, and you can't disable it, because they said, well, it would break the site if this plugin wasn't there. So we're just going to, if it's present in this directory, run it. GoDaddy's security team provides the answer to the question about what could possibly go wrong.
And unfortunately that's not rhetorical. To no one's surprise, except, I suppose, the creators of this very abuse-prone feature (I mean, they must be surprised, but like, duh), hackers are now abusing this little-known WordPress feature to install and hide their malware from site admins. According to GoDaddy's team, threat actors have been found to be abusing, to no one's surprise, must-use plugins since at least February of this year, and that abuse has recently grown worse. It's like, hey, this works, let's use it everywhere. Hackers are breaking into WordPress sites and dropping malware in the mu-plugins folder, knowing it will get automatically executed and won't show up in the site's back-end management. As an added benefit, because it's a relatively unknown and under-the-radar feature, many WordPress security tools don't even scan the mu-plugins folder for threats. They're not even looking. Sucuri has seen attackers use the mu-plugins folder to deploy backdoors and web shells, host SEO spam on hacked sites, as well as hijack and redirect traffic to malicious sites. The wide and widening spectrum of abuse suggests this feature is gaining popularity and traction among underground groups, a security analyst said. "The fact that we've seen so many infections inside the mu-plugins directory suggests that attackers are actively targeting this directory as a persistent foothold." WordPress site owners and admins are advised to keep a watch on the content of that folder. If it's currently empty, unused and unneeded, delete it entirely and make sure it stays deleted. So stepping back from all this, it appears that the design of this makes it far too easy to both use and abuse. With a design like this, it's, you know, it's not possible to have ease of use without also inviting ease of abuse.
So again, to our listeners, given that more than 500 million sites, or more than 43% of the Internet, is WordPress, it must be that a big chunk of our listeners are affiliated one way or the other with sites that are being run by WordPress. So take a check. It's under the wp-content directory, the default content directory, mu-plugins. It's probably empty. WordPress brought it along for the last three years, since 2022. It's more than likely whatever your host is, it doesn't need it, but it's there waiting to be abused. First of all, make sure that if there's anything in there that you know what it is and why it's there. Get rid of it, and get rid of its directory, if you don't know that you need it, because this is under active exploitation. You know, they do have to break in somehow first. But achieving persistence, or planting malware somewhere where it won't be found and quickly discovered, is the second part of the challenge. And if it's a WordPress-based site and the mu-plugins directory is there, just waiting to run something that you drop in, that's what the bad guys are going to do. Meanwhile.
Leo Laporte
Meanwhile.
Steve Gibson
Meanwhile, Oracle, the massive organization with designs on running TikTok. Although I thought that was interesting. Leo, by the way, we should mention that on Sunday's TWiT show you had Jason Calacanis, who is a great guest. You've had him through the years.
Leo Laporte
Yeah, he's an old friend.
Steve Gibson
Yeah, he's an old friend. Super smart guy. And he happened to mention. The thing that made me think of it is he was thinking that Amazon. Right. Wasn't that what Jason thought?
Leo Laporte
He said Amazon's gonna be the TikTok. Yeah, we'll see.
Steve Gibson
Manager. We'll see. What we'd heard was that it was gonna be Oracle, that down-in-Texas big database company, and they were gonna be managing TikTok and retaining TikTok's US domestic data. Anyway, whether or not that happens, whether it's Oracle or Amazon. And TikTok just got another 75-day extension, right? Because the boom was about to be lowered on it again.
Leo Laporte
Yeah, yeah. Saturday was the deadline.
Steve Gibson
Yeah. Okay, so Oracle appears to be having a problem with confession. According to Bloomberg sources, hackers breached Oracle Health and stole medical data from the company's servers. The hack took place well back at the end of January, and the hackers are using the stolen data to extort US medical providers. So this is not, you know, apocryphal; this actually happened. Yet Oracle has said nothing. They've made no report of any breach, as is required by law, to the U.S. Securities and Exchange Commission. But wait, there's more. This is the second suspected breach at Oracle, after a different hacking group claimed to have hacked the company's cloud service in early March. Lawrence Abrams wrote about this for his BleepingComputer site under the headline "Oracle customers confirm data stolen in alleged cloud breach is valid." Lawrence wrote: "Despite Oracle denying a breach of its Oracle Cloud federated single sign-on login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named Rose87168 claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen single sign-on and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them. The threat actor released multiple text files consisting of a database, LDAP data and a list of 140,621 domains for companies and government agencies that were allegedly impacted by the breach." It should be noted, wrote Lawrence, that some of the company domains look like tests and there are multiple domains per company.
"In addition to the data, Rose87168 shared an archive.org URL with BleepingComputer for a text file hosted on the login.us2.oraclecloud.com server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach. However, Oracle has denied that it suffered a breach of Oracle Cloud and has refused to respond to any further questions about the incident." The company told BleepingComputer, meaning Oracle told BleepingComputer, quote, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," it said. "This denial, however, contradicts findings from BleepingComputer, which received additional samples of the leaked data from the threat actor and contacted the associated companies. BleepingComputer reached out to the affected companies. Representatives from these companies, all who agreed to confirm the data under promise of anonymity, confirmed the authenticity of the information. The companies stated that the associated LDAP display names, email addresses, given names and other identifying information were all correct and belong to them. The threat actor also shared emails with BleepingComputer, claiming that it was part of an exchange between them and Oracle. One email shows the threat actor contacting Oracle's security email, secalert_us@oracle.com, to report that they had hacked Oracle servers. 'I've dug into your Cloud Dashboard infrastructure and found a massive vulnerability that has handed me full access to info on 6 million users,' reads the email seen by BleepingComputer. Another email thread shared with BleepingComputer shows an exchange between the threat actor and someone using a Proton email address who claims to be from Oracle. BleepingComputer has redacted the email address of this other person as we could not verify their identity or the veracity of the email thread."
"In this email exchange, the threat actor says someone from Oracle using a proton.me email address told them that," quote, "we received your emails. Let's use this email for all communications from now on. Let me know when you get this," unquote. "Cybersecurity firm CloudSEK has also found an archive.org URL showing that the login.us2.oraclecloud.com server was running Oracle Fusion Middleware 11g as of February 17th of this year, 2025. Oracle has since taken this server offline after news of the alleged breach was reported. This version of Oracle software was impacted by a vulnerability tracked as CVE-2021-35587 that allowed unauthenticated attackers to compromise Oracle Access Manager. The threat actor claimed that this vulnerability was used in the alleged breach of Oracle's servers. BleepingComputer has emailed Oracle numerous times about this information but has not received any response." So in the face of this overwhelming evidence, which arguably borders on proof, Oracle has deliberately chosen to remain entirely silent, even though doing so is a clear breach of reporting law. The U.S. Securities and Exchange Commission mandates that publicly traded companies adhere to specific reporting requirements following a material cybersecurity incident, such as a database breach affecting US citizens. These requirements, which have been effective since December of 2023, are designed to ensure timely and transparent disclosure of significant cybersecurity events. Specifically, within four business days after determining that a cybersecurity incident is material, publicly traded companies are required to file a Form 8-K disclosure under Item 1.05. That disclosure must include the nature, scope and timing of the incident; the material impact or reasonably likely material impact on the company's financial condition and results of operations; and the determination of materiality.
Companies are required to assess the materiality of an incident without unreasonable delay upon discovery. Oracle knows this. Yet nothing about either of these clearly material major breaches has been publicly disclosed. And I would argue, I mean, you know, Lawrence did a beautiful job of really pursuing these facts and essentially demonstrating proof of a material breach, and the fact that they had a server running a known-buggy authentication front end, patched four years ago, and the attacker said that's the bug they used to get in, and now that server is gone. I mean, it seems like an open-and-shut case, and Oracle is really misbehaving badly. So for what it's worth, unfortunately, you know, their lack of responsibility-taking is exposing the authentication credentials for 6 million people who trust them. So it's not like this is nothing; this is not good. And those 6 million authentication credentials are now for sale on the dark web, and apparently there's a means of decrypting them using information that the attacker also has. So, you know, this is not just Oracle choosing not to say anything because they don't want to affect their stock valuation. It's also materially hurting their customers. I mean, this is, you know, a class action lawsuit against them pending. It's hard to see how it wouldn't be. Not that you or I are in favor of that, but, you know, they need to take responsibility. Meanwhile, I wanted to note that nearly two weeks ago, as we mentioned two weeks ago, that Utah law we talked about, which had passed through their legislature, was then signed into law by Utah's Governor, Spencer Cox. Formerly known as the App Store Accountability Act, or SB 142, the new law mostly takes effect a little over one year from now. So as always, when, you know, some new law goes into effect that is going to require a significant change in behavior, then, you know, a period of time, you know, a grace period.
That's the word I was looking for. A grace period is part of the law to allow people to get themselves ready. That occurs on May 6th of 2026. Given that the law stays in effect until that time, it's on May 6, 2026, a little over a year from now, that the law's core requirements, including age verification and parental consent mandates, will take effect. So that'll give the app stores, developers and regulators time to prepare for coming into compliance with these new regulations. And of course, it will give other states time to decide if they want to follow suit. As we discussed, this will require Apple's and Google's mobile app stores to verify user ages and require parental permission for those under 18 to use certain apps. The law is the first of its kind in the US and represents a significant shift in how user ages are verified online. The law states that it's the responsibility of mobile app stores to verify ages, which shifts the onus to Apple and Google, as those who run the stores, and away from the individual apps like Instagram, Snapchat and X to do the age checks. This does beg the question, though: what about apps that are already downloaded and installed from app stores when May 8th rolls around next year? Are those grandfathered in because they're already there, and they're allowed to stay without verification, or will they need to then be reverified? Don't know. Regardless, the passage of this App Store Accountability Act is expected to trigger something. South Carolina and California have both been rattling their sabers, saying that, you know, they're looking into doing this. One of the bill's sponsoring senators said that the new law is designed to protect children who may not understand apps' terms of service and therefore are unable to agree to them meaningfully. Todd Weiler said, quote, "For the past decade or longer, Instagram has rated itself as friendly for 12-year-olds."
He says it's not. So the Utah law is expected to face legal challenges and fights over its validity. But as we know, my own take on this whole thing is that yes, in cyberspace, something needs to be done. If we're going to decide that children's age matters, then responsibility needs to be taken somehow. And I think that the most recent begrudging proposals that have been made by Apple and Google make the most sense. App store apps need to carry API-readable age-appropriateness indicators, and the devices being used by minors may need to obtain parental permission before inappropriate applications can be downloaded and/or used on age-restricted devices. And that solves the problem. The apps don't obtain any information about the ages of their users, and the devices are responsible for getting permission if they've been configured to require it. So, you know, Apple and Google have both articulated that solution, and I imagine that we're going to see that happen, and that'll be good and not a huge loss of privacy. This was an interesting piece. I guess you saw that, Leo. It turns out that AI bots are inadvertently DDoSing FOSS, you know, free and open source software repositories, in their endless quest for more publicly available content.
Leo Laporte
Yeah, Wikipedia has been complaining about this. It's a real problem for them.
Steve Gibson
Yeah. Oh, Wikipedia has.
Leo Laporte
Yeah, think about.
Steve Gibson
I guess that makes sense.
Leo Laporte
Yeah, Wikipedia is a great resource and.
Steve Gibson
They want to be a public. I mean, they want to not restrict themselves, you know, in any way. They want to be a public resource. Wow. So Ars Technica did a great job of reporting on this worrisome trend that's been developing and worsening through the year. They said: "Software developer Xe Iaso reached a breaking point earlier this year when aggressive AI crawler traffic from Amazon overwhelmed their Git repository service, repeatedly causing instability and downtime. Despite configuring standard defensive measures, adjusting robots.txt, blocking known crawler user agents and filtering suspicious traffic, Iaso found that AI crawlers continued evading all attempts to stop them, spoofing their user agent strings and cycling through residential IP addresses, using them as proxies." So, you know, actively working to avoid being blocked. "Desperate for a solution, Iaso eventually resorted to moving their server behind a VPN and creating Anubis, a custom-built proof-of-work challenge system that forces web browsers to solve computational puzzles before accessing the site." Basically proof of work in the browser. Again, solve computational puzzles. So spend time per access, per query, to validate themselves. We've probably run across this on Cloudflare. Sometimes you'll come to a Cloudflare page where it'll just sort of hold you for a while while something appears to be going on. And that is typically a proof of work requiring some script in your browser to do some heavy lifting, which no high-rate bot is able to afford, because every single time the bot tries to access it, it is hit with this barrier to entry, essentially. So Ars wrote that Iaso had written in a blog post titled "A Desperate Cry for Help": "It's futile to block AI crawler bots because they lie, change their user agent, use residential IP addresses as proxies, and more. I don't want to have to close off my Gitea server to the public, but I will if I have to."
"Iaso's story highlights," they wrote, "a broader crisis rapidly spreading across the open source community, as what appear to be aggressive AI crawlers increasingly overload community-maintained infrastructure, causing what amounts to persistent distributed denial of service attacks on vital public resources. According to a comprehensive recent report from LibreNews, some open source projects now see as much as," get this, "97% of their traffic originating from AI company bots." 97% are just bots trawling, "dramatically increasing bandwidth costs, service instability, and burdening already stretched-thin maintainers. Kevin Fenzi, a member of the Fedora Pagure project's sysadmin team, reported on his blog that the project had to block all traffic from Brazil after repeated attempts to mitigate bot traffic failed. GNOME GitLab implemented Iaso's Anubis system, requiring browsers to solve computational puzzles before accessing content. GNOME sysadmin Bart Piotrowski shared on Mastodon that only about 3.2% of requests, that's 2,690 requests out of 84,056, passed their challenge system, suggesting the vast majority of traffic was automated. KDE's GitLab infrastructure was temporarily knocked offline by crawler traffic originating from Alibaba IP ranges, according to LibreNews, citing a KDE development chat. While Anubis has proven effective at filtering out bot traffic, it comes with drawbacks for legitimate users." Naturally. "When many people access the same link simultaneously, such as when a GitLab link is shared in a chat room, site visitors can face significant delays." So something triggers that challenge, like when there's enough repeated access to a link that suddenly switches on the challenge, which is not always on there all the time otherwise. So they said, "Some mobile users have reported waiting up to two minutes for the proof-of-work challenge to complete, according to the news outlet. The situation isn't exactly new."
"In December, Dennis Schubert, who maintains infrastructure for the Diaspora social network, described the situation as 'literally a DDoS on the entire Internet' after discovering that AI companies accounted for 70% of all web requests to their services. The costs are both technical and financial. The Read the Docs project reported that blocking AI crawlers immediately decreased their traffic by 75%, going from 800 gigabytes per day to 200 gigabytes per day. This change saved the project approximately $1,500 per month in bandwidth costs, according to their blog post titled 'AI crawlers need to be more respectful.' The situation has created a tough challenge for open source projects, which rely on public collaboration and typically operate with limited resources compared to commercial entities. Many maintainers have reported that AI crawlers deliberately circumvent standard blocking measures, ignoring robots.txt directives, spoofing user agent strings, and rotating IP addresses to avoid detection, as LibreNews reported. Martin Owens from the Inkscape project noted on Mastodon that their problems weren't just from 'the usual Chinese DDoS from last year,' but from 'a pile of companies that started ignoring our spider configuration and started spoofing their browser info.' Owens added, 'I now have a prodigious block list. If you happen to work for a big company doing AI, you may not get our website anymore.'" Meaning a false positive, actually a true positive, detect on a large company's IP address block, because they just had to shut down all access to that company to their site because their block list has become so large. "On Hacker News, commenters in threads about the LibreNews post last week and a post on Iaso's battles in January expressed deep frustration with what they view as AI companies' predatory behavior toward open source infrastructure."
"While these comments come from forum posts rather than official statements, they represent a common sentiment among developers. As one Hacker News user put it, AI firms are operating from a position that," quote, "goodwill is irrelevant," unquote, "with their hundred-billion-dollar pile of capital. The discussions depict a battle between smaller AI startups that have worked collaboratively with affected projects and larger corporations that have been unresponsive despite allegedly forcing thousands of dollars in bandwidth costs on open source project maintainers. Beyond consuming bandwidth, crawlers often hit expensive endpoints like git blame and log pages, placing additional strain on already limited resources." And by that, what they're talking about by an expensive endpoint is some page which requires a lot of database access or back-end work in order to produce the page. And so if the robot just hits that continuously, it's very resource expensive in terms of computation and access resources. "Drew DeVault, founder of SourceHut, reported on his blog that the crawlers access 'every page of every git log and every commit in your repository,' making the attacks particularly burdensome for code repositories. The problem extends beyond infrastructure strain. As LibreNews points out, some open source projects began receiving AI-generated bug reports as early as December 2023. First reported by Daniel Stenberg of the curl project on his blog in a post from January 2024, these reports appear legitimate at first glance, but contain fabricated vulnerabilities, wasting valuable developer time." Right? You know, to track them down and realize, this isn't... what is this? This is not an actual vulnerability. "AI companies have a history of taking without asking. Before the mainstream breakout of AI image generators and ChatGPT attracted attention to the practice in 2022, the machine learning field regularly compiled data sets with little regard to ownership."
"While many AI companies engage in web crawling, the sources suggest varying levels of responsibility and impact. Dennis Schubert's analysis of Diaspora's traffic logs showed that approximately one fourth of its web traffic came from bots with an OpenAI user agent, while Amazon accounted for 15% and Anthropic for 4.3%. The crawlers' behavior suggests different possible motivations. Some may be collecting training data to build or refine large language models, while others could be executing real-time searches when users ask AI assistants for information. The frequency of these crawls is particularly telling. Schubert observed that AI crawlers 'don't just crawl a page once and then move on. Oh no, they come back every six hours because why not?' This pattern suggests ongoing data collection rather than one-time training exercises, potentially indicating that companies are using these crawls to keep their models' knowledge current. Some companies appear more aggressive than others. KDE's sysadmin team reported that crawlers from Alibaba IP ranges were responsible for temporarily knocking their GitLab offline. Meanwhile, Iaso's troubles came from Amazon's crawler. A member of KDE's sysadmin team told LibreNews that Western LLM operators like OpenAI and Anthropic were at least setting proper user agent strings, which theoretically allows websites to block them, while some Chinese AI companies were reportedly more deceptive in their approaches. It remains unclear why these companies don't adopt more collaborative approaches and, at a minimum, rate limit their data harvesting runs so they don't overwhelm source websites. Amazon, OpenAI, Anthropic and Meta did not immediately respond to requests for comment, but we will update this page if they reply. In response to these attacks, new defensive tools have emerged to protect websites from unwanted AI crawlers."
As Ars reported in January, an anonymous creator identified only as Aaron designed a tool called Nepenthes to trap crawlers in endless mazes of fake content. Aaron explicitly describes it as aggressive malware intended to waste AI companies' resources and potentially poison their training data. Any time one of these crawlers pulls from my tarpit, it's resources they've consumed and will have to pay hard cash for, Aaron explained to Ars. Quote, it effectively raises their costs, and seeing how none of them have turned a profit yet, that's a big problem for them. On Friday, Cloudflare announced the AI Labyrinth, a similar but more commercially polished approach. Unlike Nepenthes, which is designed as an offensive weapon against AI companies, Cloudflare positions its tool as a legitimate security feature to protect website owners from unauthorized scraping. Cloudflare explained in its announcement, quote, when we detect unauthorized crawling, rather than blocking the request, we will link to a series of AI-generated pages that are convincing enough to entice a crawler to traverse them. Okay. I'm not quite sure how that's that different from Nepenthes. Cloudflare reported that AI crawlers generate over 50 billion requests. Wow. To their network daily. AI crawlers generate over 50 billion requests to their network daily, accounting for nearly 1% of all web traffic they process. Which says they're handling what, 5,000 billion requests? Yeah, 5,000. So 5 trillion. Yeah, 5 trillion. 5 trillion requests per day. Wow. Cloudflare... the community has also been developing collaborative tools to help protect against these crawlers. The ai.robots.txt project offers an open list of web crawlers associated with AI companies and provides pre-made robots.txt files that implement the Robots Exclusion Protocol.
Leo Laporte
Yeah, they should honor those.
Steve Gibson
That's the key, right? Yeah, yes, exactly. As well as .htaccess files that return error pages when detecting AI crawler requests. As it currently stands, both the rapid growth of AI-generated content overwhelming online spaces and aggressive web crawling practices by AI firms threaten the sustainability of essential online resources. The current approach taken by some large AI companies, extracting vast amounts of data from open source projects without clear consent or compensation, and I would add, deliberately ignoring the clearly established standards for saying please don't, risks severely damaging the very digital ecosystem on which these AI models depend. And finally, they wrote, responsible data collection may be achievable if AI firms collaborate directly with the affected communities. However, prominent industry players have shown little incentive to adopt more cooperative practices without meaningful regulation or self restraint by AI firms. The arms race between data-hungry bots and those attempting to defend open source infrastructure seems likely to escalate further, potentially deepening the crisis for the digital ecosystem that underpins the modern Internet.
Leo Laporte
Yeah, yeah. If they don't honor robots.txt, then anything you do to them is fine, right?
Steve Gibson
If they're... Exactly. If they're deliberate. That's a very good point, Leo. You know, we might say, hey, it's kind of foul play sending them into an AI-driven tarpit, but if you first said don't go in here because of what's in the robots.
Leo Laporte
.txt. And I presume Cloudflare does do that. Yes, yes. By the way, Nepenthes is funny. So Cloudflare calls it a tarpit. But a Nepenthes is a pitcher plant. It's the plant that traps bugs, right?
Steve Gibson
That, that, that, that light.
Leo Laporte
It's not a Venus flytrap. It's a pitcher; it has dew in it, and the bugs move into it, and then of course it eats them. So it's just like a tarpit. But it's a plant.
Steve Gibson
Very nice.
Leo Laporte
From the plant kingdom, a tarpit. I think that's very funny. Yeah. You want to take a break?
Steve Gibson
Yes, it is time.
Leo Laporte
I suspected you might.
Steve Gibson
I will wet my whistle.
Leo Laporte
Wet your whistle. While I show people the coolest thing on the Internet today. Our sponsor Thinkst creates this. It looks like an external hard drive, doesn't it? With a simple power cable and an Ethernet connection. But no, no. This is the famous Thinkst Canary. A honeypot. And man, I love this thing. Let me just show you the Canary, huh?
Steve Gibson
You love this Thinkst?
Leo Laporte
This Thinkst, yes. This is a Nepenthes of its own, right? It is a honeypot. In my case, I've set mine up to look like a Windows Server 2019 office file share. Right? But you can set it up to be any number of things. Whatever you want, you choose. The personality, everything from IIS to a Linux database, a Mac OS X file share. You can even make it SCADA devices. Look, I could turn it into a Hirschmann RS20 industrial switch or a Rockwell Automation PLC. The idea being it looks in every aspect, including by the way the MAC address, like the real thing. But when a bad guy or a malicious insider hits it, you get an alert. And no false alerts, just the alerts that matter. See, of course nowadays, modern security, you've got perimeter protection, but you may not know if somebody has penetrated your network. Right? And the worst thing is it takes on average 91 days before a company that has been breached realizes there's somebody inside the network. Not with a Thinkst Canary. That honeypot doesn't look vulnerable, it looks valuable. They cannot resist it. So the minute somebody hits your Canary token, those tripwires, or your Thinkst Canary, you will get an alert, the alerts that matter. And you can get it any way you want: SMS, you can get it by Slack, WhatsApp, they support webhooks, they have an API, syslog, of course. So you'll always be able to get those alerts in any way that's convenient for you. Just do what I did. Go into your console, choose a profile for your Canary device, you register it for monitoring and notifications, and then you sit back, you relax. As long as you hear nothing, you're good. But as soon as an attacker breaches your network, or a malicious insider, they'll make themselves known. They can't help themselves, by accessing those Canary tokens or that Thinkst Canary. I think every business should have at least one. Big banks might have hundreds, medium sized businesses just a handful. Let me give you a pricing example. Visit canary.tools/twit.
That's the website, canary.tools/twit. 7,500 bucks a year, you're going to get five Thinkst Canaries. That's nice because you can spread them around. You can have an infinite number of tokens as well, so you really can lock things down. You'll also get your own hosted console. You get upgrades, you get support, you get maintenance. All for the same price. If you use the code twit in the "how did you hear about us" box, you're going to get 10% off. And not just for your first year subscription, for life, 10% off. Oh, and if there's any concern, if you say, well, it seems like a good idea, but really, do it, you can always return your Thinkst Canaries. They have a two-month, 60-day money back guarantee for a full refund. I should mention though that during the entire eight years we've been doing these ads and the eight years I've been using my Thinkst Canary, not one person has asked for a refund. The guarantee has never been claimed. You know why? You realize once you've got them, how did I live without them? Visit canary.tools/twit. Don't forget to put twit in the "how did you hear about us" box. Find out more. Visit canary.tools/twit and don't forget to put twit in the "how did you hear about us" box for 10% off for life. I love this thing. It's so cool just to have it on my desk. Nobody's ever going to hack my network. Famous last words. But it's just nice to know if they do, they're going to open that employee's information spreadsheet and they're going to announce themselves. I'm going to know they've been in here. All right, back to you, Mr. G.
Steve Gibson
So if you're attempting to install Windows 11 on a machine using only a local account without signing into Microsoft, and you're wondering why doing so appears to have become more difficult or obscure, it could be because Microsoft now intends to make that completely impossible. In their recent announcement of Windows 11 Insider Preview build 26200.5516 for the Dev channel, toward the end of a long list of tweaks and changes that they've made, under the section Other, Microsoft wrote, and I love the way they phrase this, we're removing the BypassNRO.cmd script from the build to enhance security and user experience of Windows 11. This change ensures that all users exit setup with Internet connectivity and a Microsoft account. So, okay, it's unclear to me how forcing either Internet connectivity or being logged into a Microsoft account enhances either a user's security or their convenience or experience. But that's, you know, what will henceforth be required for all users setting up Windows 11. And I don't mean to make a bigger deal out of this than it is. I imagine that anyone setting up Windows 11 will have already made whatever adjustments to their thinking and expectations may be required. But it is a change that I wanted to let our listeners know about. Some of the reporting I saw about this phrased it a little differently. They said, quote, Microsoft has been trying to force Windows 11 users to install the OS with a Microsoft account for years, but this marks the first time when the company has made it a public policy in one of its blogs. So anyway, having shared all that, I won't be surprised if there isn't soon a workaround for this. We've seen those before when this has sort of, you know, been there.
Leo Laporte
It's actually a little simpler than this. And we talked about this on Windows Weekly, which is how I know. Oh, that was a script, a PowerShell script, which actually, maybe not even a PowerShell script. It was a shell script that launched a series of commands. Those commands are still there. And so what Microsoft has done is make it so that somebody who is non-sophisticated won't have a simple, oh, just click this and it'll run the BypassNRO script. But all of the commands that do bypass the Microsoft login are still there. They have not removed those. So Paul's position on this is you still can set up Windows 11 without a Microsoft account, but you need to be a little more sophisticated than you used to be. And that's Microsoft's intent. Because for instance, if you're using Windows Home, it turns on BitLocker, but only if you turn on your Microsoft account, because you need a way to store that certificate. So many people lose their certificates. So Microsoft's erring for the... I think this is, I've always said this is the ideal solution, which is, and Apple does this too.
Steve Gibson
You kind of have a way around it.
Leo Laporte
Yeah, by default you make it more secure but less flexible. But if you're in the know, if you're a sophisticated user, there are ways to disable it.
Steve Gibson
So they took it out of the GUI, that little "skip for now" or "local account" that they used to have.
Leo Laporte
Right. But if you... Paul says, and at least for now, and he believes this will continue, it is absolutely possible to do this. You just don't have that script to do it anymore. Well, if you looked in BypassNRO.cmd, you could see the commands. It was just.
Steve Gibson
Well, and it would seem to me that they wouldn't remove the ability to have a local account. So even if you had to temporarily create a Microsoft account to get installed, then you add a local account and delete the Microsoft account.
Leo Laporte
That's what Paul's recommended workaround is. You know, you can make a dummy Microsoft account that you don't use, that's.
Steve Gibson
Just temporary, just to get you installed.
Leo Laporte
Exactly.
Steve Gibson
And then. Yeah.
Leo Laporte
And they can't get rid of that as long as there is a local login at some point. Yeah. Right. So I think it's not just, as you say, you say that you wouldn't be surprised if there's a workaround. There is, basically. And they're never... They didn't get rid of that yet.
Steve Gibson
Okay. Yeah, well, and again, as I said, I don't mean to make a big deal about it. You know, if it's just annoying to be constantly asked if you want it, you haven't backed up your drive, it's like, hey, I've got my own backup. You know, there's no way to tell it to shut up.
Leo Laporte
It's not for you, it's for normal users. That's the problem. And it's always been the challenge in technology to make it reliable and safe for normal people, but to give us hardcore users the power that we really want and deserve.
Steve Gibson
Yeah, okay, so I love this. Last week Google announced and unveiled what they called end-to-end encryption for corporate users of Gmail. But boy is it funky. It does encrypt a message in the sender's web browser, where it remains encrypted until it's opened in the recipient's web browser, where it's then decrypted. So technically, yeah, end to end, but otherwise Google jumped through some weird hoops to offer this. Okay, now, since the technology is interesting and since it might well be of interest to our listeners whose corporations might find value here, because, I mean, it's not nothing, it's just not really, you know, what we're used to, I want to take us into the details. And for that, Ars Technica's Dan Goodin did a terrific job of setting this up, creating the appropriate context and explaining what goes on. Ars' headline last week about this was Gmail unveils end-to-end encrypted messages. Only thing is, it's not true end to end. And their tagline was, yes, encryption/decryption occurs on end user devices. But there's a catch. So Dan opens by saying, when Google announced Tuesday that end-to-end encrypted messages were coming to Gmail for business users, some people balked, noting that it wasn't true end-to-end encryption as the term is known in privacy and security circles. Others wondered precisely how it works under the hood. Here's a description of what the new service does and doesn't do, as well as some of the basic security that underpins it. Now, I'm going to interrupt here just for a moment to note that the way conventional end-to-end encryption operates is pretty straightforward. So let me set that context first, because he doesn't do that. Each party, as we know, has a public key pair consisting of a public key and a private key, and the public keys are published in some way.
So when Alice wishes to send an encrypted message to Bob, she first creates a high-entropy secret symmetric key which will be used to encrypt the message and anything she wants. That's the so-called bulk encryption key. And that's just random, you know, she creates a high-entropy random secret symmetric key which she uses to encrypt her stuff. She uses that symmetric key to encrypt everything that she wishes to send to Bob. Next, Alice encrypts that secret key twice, first with her private key, then a second time with Bob's, the recipient's, public key. She then packages the encrypted message up along with the result of the double key encryption and sends that package to Bob. Upon receiving Alice's package, Bob first decrypts the double-encrypted key using his secret key, which undoes the second encryption that Alice put on, which used Bob's private key. And of course, only Bob knows his private key. He then looks up Alice's publicly published public key and uses it to decrypt the result of the first decryption. And the beauty of this is that only if all four of these keys were correct will Bob now have recovered the properly decrypted secret symmetric key, which he can then use to decrypt the package that Alice prepared for him. Now, the elegant beauty of this simple system is that Alice wishes to send something that only Bob can decrypt. And Bob wants to know that whatever he received was truly sent by Alice. Since both parties' private keys must be used and only each party knows their own private key, not only do we get strong encryption protection from anyone attempting to intercept that communication, but Alice knows that only Bob can decrypt what she encrypted. And Bob knows that only Alice can have sent what he decrypted as having come from her. So that's true end-to-end encryption. That's not what we got from Google in Gmail. Okay, so Dan explains what we did get.
He wrote, when Google uses the term end-to-end encryption in this context, it means that an email is encrypted inside Chrome, Firefox, or just about any other browser the sender chooses. As the message makes its way to its destination, it remains encrypted and cannot be decrypted until it arrives at its final destination, when it's decrypted in the recipient's browser. The chief selling point of this new service is that it allows government agencies and the businesses that work with them to comply with a raft of security and privacy regulations, and at the same time eliminates the massive headaches that have traditionally plagued anyone deploying such regulation-compliant email systems. So in other words they sort of skin the cat here in a different way. They've come up with something that complies with the regulations for end-to-end encryption, yet made it much easier to deploy. Dan said, up to now the most common means has been S/MIME, a standard so complex and painful that only the bravest and most well resourced organizations tend to implement it. S/MIME requires each sender and receiver to have an X.509 certificate that's been issued by a certificate authority. Obtaining, distributing and managing these certificates in a secure manner takes time, money and coordination. That means that if Bob and Alice have never worked together before and an urgent or unexpected need arises for him to send Alice an encrypted message promptly, they're out of luck until an admin applies for a certificate and sees that it's installed on Alice's machine. So much for flexibility and agility. Google says that end-to-end encrypted Gmail abstracts away this complexity. Instead, Bob drafts an email to Alice, clicks a button that turns on the feature and hits send. Bob's browser encrypts the message and sends it to Alice. The message decrypts only after it arrives in Alice's browser and she authenticates herself. Okay.
To make this happen, Bob's organization deploys what Google calls a lightweight key server known as a KACL, short for Key Access Control List. This server, which can be hosted on premises or on most cloud services, is where keys are generated and stored. When Bob sends an encrypted message, his browser connects to the key server and obtains an ephemeral symmetric encryption key. Bob's browser encrypts the message and sends it to Alice along with a reference key. Alice's browser uses the reference key to download the symmetric key from the KACL and decrypts the message. The key is then deleted. Thus, ephemeral. To prevent Mallory, or another adversary in the middle, Mallory in the middle, from obtaining the key, Alice must first authenticate herself through Okta, Ping or whatever other industry identity provider, or IdP, Bob's organization uses. So Alice must authenticate herself to Bob's organization's identity provider. And Dan said, if this is the first time Alice has received a message from Bob's organization, she'll first have to prove to the IdP that she has control of her email address. If Alice plans to receive encrypted emails from Bob's organization in the future, Alice sets up an account that can be used going forward. Bob's organization can add an additional layer of protection by requiring Alice to already have an account on the IdP and authenticate herself through it. Julien Duplant, a Google Workspace product manager, told Ars, quote, the idea is that no matter what, at no time and in no way does Gmail ever have the real key. Never. And we never have the decrypted content. It's only happening on that user's device, unquote. Okay, now I'm going to interrupt here again to note that in no way is any web browser a safe place to decrypt super secure, you know, like national security level or extremely proprietary corporate material.
You know, this is like, in the same way when we were talking about Signalgate, as it's now being called, of, you know, national security level secrets being transacted on people's individual smartphones. It's not Signal that had a problem, because it's true end-to-end encryption; it's that it's on the smartphone device, it is decrypted after it arrives. So we have the same problem with a web browser, right? You still have JavaScript or WebAssembly running in a web browser which is as authentically secure as we've been able to make them, but they're still being updated to cure serious, often zero-day style security vulnerabilities. That's still happening. You know, if you really need to send something securely, my advice would be encrypt it offline, away from any web browser, then send it in the clear through any email system. Doesn't matter, because it's been, you know, it's PIE, Pre-Internet Encryption, pre web browser encryption. You know, I'm not intending to take anything away from Google. The system they've created is an interesting hack, but a hack it is. And it also represents a security trade-off for convenience, since it's running in the largest attack surface that any computer system has today, which is today's web browser. Dan finishes his description by writing, now as to whether this constitutes true end-to-end encryption. It likely doesn't, at least under stricter definitions that are commonly used. To purists, end-to-end encryption means that only the sender and the recipient have the means necessary to encrypt and decrypt the message. That's not the case here, since the people inside Bob's organization who deployed and manage the KACL have true custody of the key. In other words, the actual encryption and decryption process occurs on the end user devices, not on the organization server or anywhere else in between. That's the part that Google says is end-to-end encryption. The keys, however, are managed by Bob's organization.
Admins with full access can snoop on the communications at any time. The mechanism making all of this possible is what Google calls CSE, short for client-side encryption. It provides a simple programming interface that streamlines the process. Until now, CSE worked only with S/MIME. What's new here is a mechanism for securely sharing a symmetric key between Bob's organization and Alice or anyone else Bob wants to email. The new feature is of potential value to organizations that must comply with onerous regulations mandating end-to-end encryption. It most definitely is not suitable for consumers or anyone who wants sole control over the messages they send. Privacy advocates, take note. So anyway, if anyone was wondering, you know, heard about Google's, you know, end-to-end encryption, now we have some context. It's certainly better than what they had before. If your organization wants to use it, then, you know, it does keep things encrypted. But you know, if you're using Gmail in your browser, you have an HTTPS connection to Gmail.
Leo Laporte
Right. And anything that goes Gmail to Gmail remains encrypted.
Steve Gibson
It's never been in the clear at any point.
Leo Laporte
Right. So I think this is, this is really for businesses that don't want to give up full encryption. Right. Because they want to make sure that they can monitor your emails. In fact, they may have a regulatory requirement.
Steve Gibson
I think it's an interesting regulatory hack. I think that's it. I think, you know, it's like Google was under some pressure to come up with a way for regulations that require end-to-end encryption to, like, the letter of the law, that it's encrypted on your device, decrypted on the recipient's device. And Google said, oh yeah, we can do that.
Leo Laporte
Did you ever wonder who Bob and Alice are?
Steve Gibson
I do. And boy, they have some longevity. They're sometimes talking.
Leo Laporte
There is a Ted and a Carol that gets involved in these conversations. And it all comes from a 1969 movie about wife swapping called Bob and Carol and Ted and Alice. You remember that, right?
Steve Gibson
Yeah, we're older.
Leo Laporte
Us oldsters know where that came from. It's pretty funny. And I imagine people listening who don't know that are going, who are these Bob and Alice that everybody's always talking about when it comes to encryption? I think that's where it came from. It seems like a coincidence if it didn't, must be.
Steve Gibson
And it, it has the advantage of having A, B and C. Alice, Bob and Carol.
Leo Laporte
Yeah, Ted, we just could throw out. We don't.
Steve Gibson
Yeah, Ted, you know, he doesn't fit. And then Mallory, as Mallory in the middle. Mallory is also the name used for your attacker.
Leo Laporte
For man in the mill.
Steve Gibson
For man in the middle.
Leo Laporte
Oh, nice. That's nice. Do you want to pause or do you want to keep going?
Steve Gibson
I got a little bit more and then we got some... Oh yeah, one more and then feedback, when we will pause. So, but this is an important one for anyone who is running Apache Parquet: a CVSS 10.0, which we know is very difficult to achieve. It's like the Olympics of bad, bad vulnerabilities. Apache recently received the much dreaded full CVSS 10.0 with a widely used module known as Apache Parquet. It's spelled P-A-R-Q-U-E-T. Apache Parquet is an open source columnar, as in instead of rows it's columns, so columnar storage format designed for more efficient data processing. Unlike row-based formats such as CSV, Parquet stores data by columns, which makes it faster and more space efficient for analytical workloads. It's widely adopted across the data engineering and analytics ecosystem, including big data platforms like Hadoop, AWS, Amazon, Google, Azure cloud services, data lakes and ETL tools. Some large companies that use Parquet include Netflix, Uber, Airbnb and LinkedIn. And now a new low-complexity remote code execution vulnerability has been identified in all current versions of the Apache Parquet system.
Leo Laporte
Yeah, how widespread is Parquet use?
Steve Gibson
It's pretty popular among those who use it. I mean Netflix, Uber, Airbnb, LinkedIn, I mean Hadoop, AWS, Amazon, Google, Azure cloud services. So yeah, it's got some wings there. Unfortunately the problem was disclosed on April 1, but since this is no joke, and it would be horrible for those affected if they thought it was, I hope no one dismissed it as an April Fool's event. This maximum severity remote code execution problem impacts all versions of Parquet up to and including 1.15.0. The problem stems from the deserialization of untrusted data. Here it is, the deserialization. We've talked about deserialization flaws because they're tough. And of course deserialization is also known as interpretation, and we know how hard it is to do interpretation correctly. It could allow attackers with specially crafted Parquet files to gain total control of target systems, exfiltrate or modify data, disrupt services, or introduce dangerous payloads such as ransomware. The vulnerability is tracked as CVE-2025-30065 and, as I said, carries a CVSS v4 score of 10.0. It was fixed with the release of Apache Parquet version 1.15.1. So it is some solace that in order to exploit this flaw, threat actors must convince someone to import a specially crafted Parquet file for Parquet to then deserialize. But we all know that social engineering attacks remain some of the hardest to defeat, and it might well be that there are other vectors. So anyway, I wanted to put it on everyone's radar, if you happen to know that you're using Parquet or know someone that does. The good news is it has not been publicly leveraged. It's not known to be used. It was discovered by Amazon AWS security folks. They told Apache, because AWS uses it; they told Apache, and Apache's updated it. But we know how that goes. So the bad guys will look at new and old Apache Parquet, do a diff of it, see what's changed, reverse engineer the exploit, and then go looking for publicly exposed Parquet instances.
So if you're using Parquet, update immediately, because you want to beat the bad guys to it. And now Leo, take a break.
Leo Laporte
Oh, I thought you wanted me to say butter. Okay, butter.
Steve Gibson
Butter, parquet.
Leo Laporte
I'm just teasing. A little break here. We will get back to the action, don't worry. Our feedback section is coming up next. But first, a word from Steve's and my favorite password manager. Everybody ought to be using it. You're all using... You all use a password manager. Of course you do. Does your business? Does your business use one you like to use? Do your friends and family? They all need to know about Bitwarden, the trusted leader in passwords. Yes, but also secrets. Really handy. Have you ever... Come on, admit it. Tell the truth. Committed an API key to your GitHub? Yes, you have. Who hasn't? You will want to know about secrets. Passkey management too. Bitwarden is absolutely great for passkeys. It's what I use for all my passkeys. It's fantastic. With more than 10 million users, over 180 countries, 50,000 business customers worldwide. That kind of surprised me. It's a very popular enterprise solution too. Consistently ranked number one in user satisfaction by G2. Recognized as a leader in Software Reviews' Data Quadrant. Bitwarden protects businesses worldwide. And by the way, because it's easy to use, it's simple, it's clean, it's efficient, it makes the IT department happy because it's truly secure. Makes users happy because they can use it. Now you'll love Bitwarden Send. It's tax time, right? If you're sending information to your tax preparer or they're sending your returns back, I hope, I hope you're not just sending an email. I hope you're not using, quote, end-to-end encrypted Gmail. You need Bitwarden Send. Real end-to-end encryption ensures your forms remain protected. And here's the best part. Your tax preparer doesn't need an account to access it. Just one side of the transaction needs to have a Bitwarden account. So I think that's fantastic, a great way to send private information to anybody. You'll avoid risky email attachments. You'll share confidential documents with password protection. But there's more. There's expiration dates, there's view limits.
You get full control over who accesses your sensitive information and how. Let's talk passwords in the enterprise. New findings from Bitwarden highlight that 65% of enterprises, much more than half, the majority of enterprises, still rely solely on passwords. We know, I mean passwords are fine, but there are better ways. Password management is cited as the top IAM challenge for 35% of organizations. Only 21% implement passwordless authentication, which means you're facing ongoing credential security risks. Just the last show I accidentally showed my password on the air, right? But I didn't worry. I didn't worry because I've got Bitwarden. Bitwarden offers enterprise essential tools with end-to-end encryption, we just talked about that, MFA, secure password sharing. Don't write a password on a post-it and give it to your co-worker. Use Bitwarden. It also addresses all the current and many future authentication needs. They just announced they're ISO 27001:2022 certified. That's, of course, the internationally recognized standard that assures enterprises, developers and security teams that Bitwarden meets stringent security and compliance requirements. This complements their existing compliance with SOC 2 Type 2, GDPR, HIPAA, CCPA. This just really reinforces that Bitwarden is your trusted partner for security in enterprises. And again, it's easy to use, because it's no good having a security solution that is too hard for people to use. They'll just go around it. Bitwarden setup only takes a few minutes. They support importing from most password management solutions, so it's an easy move. And of course it's open source, which is great. If you're curious, you can inspect their source code. Anyone can. It's regularly audited by third party experts. Look, you and your business deserve an effective solution for enhanced online security. And you know what?
So do your friends and family members who are still writing things on post it notes or using the same password on multiple sites. What a calamity it would have been had I accidentally revealed a password that I used on many many sites earlier today. No, because I use unique passwords everywhere. All I had to do is fix it on that one site and I'm done. Get started today with Bitwarden's free trial of a teams or enterprise plan. Or if you're an individual or you know an individual who needs Bitwarden, tell them free forever unlimited devices, unlimited passwords, pass keys. Yes. Yuba keys and other hardware keys. Yes, for individual users. Individual users even can store their own vault if they're, you know, they they want really truly trust no one. Bitwarden.com TWIT please use that address so they know you saw it here. Steve converted to it. I converted to it a few years ago. I could not be happier. Bitwarden.com TWIT Great sponsor, great product that almost all of us use. I think at this point it's a great one. All right, back to Steve.
Steve Gibson
So Techno Agorist. This must have been through X, where I checked in. He wrote regarding Neal Asher's novels. They may not be on Kindle Unlimited, but I found them at my local library.
Leo Laporte
Nice.
Steve Gibson
That's how I've been reading them. Thanks for the recommendation, and I appreciated being able to share a reminder about printed books and that's wrong with them. Yeah, I'm still enjoying Neal. I'm on book number four of the first five-book Agent Cormac series, as it's called, and I'm having a great time. The books are long and involved. The style Neal uses for the first three at least was, and I guess it's to a lesser degree now in number four, was to create several parallel plot lines that initially don't appear to bear any connection to each other. There's no obvious relationship. So you'd sort of move around between them and you're thinking, okay, why do I care about this person? But as the story progresses they eventually converge and you end up. I remember at one point thinking, I'm having a lot of fun with this book. So anyway, thank you to Techno Agorist for your note about books still being available from libraries in print. Amazing. That's certainly a way to go. Who'd have thunk it? It wouldn't occur to me. Leo, I have to tell you, Eric Seidel said, hey Steve, I just listened to part of your podcast and it was funny that you mentioned something that happened exactly to me as well. In the past couple of days I had Microsoft two-factor authentication reset requests show up in my email and then happened to look in my sign-in activity and it is a sign-in request every minute to my account. It's just insane. Make sure you have your two-factor authentication turned on. Holy smokes. And I put in the show notes just a snapshot that he had sent me that does, you know, indeed show sign-ons like every minute, or several times in the same minute. So again, all of this because they...
Leo Laporte
Didn't have the 2FA code.
Steve Gibson
Yeah, the idea that some guy, I mean, or that, you know, the bots apparently are just sitting here hammering it, pounding on people's emails without better protection, it is really disturbing. Matthew West said, hi, love the show. I bought a used Fitbit with a cracked screen. I forgot that I would need the PIN shown on the screen in order to pair it. I'm trying to pair by guessing the constantly changing one-time code in the hopes it eventually works. In other words, he's guessing. Oh, forget about it. He said, this made me wonder what the best strategy is and how many attempts would be needed to reach a 50% chance. Sorry if this was already answered, I should look through the transcripts. Thank you. Well Matthew, we previously discussed this question a few months back when we took a deep dive into the precise operation of hash-based one-time passwords. That podcast was 1009, and we received an unusual amount of positive feedback from our listeners who enjoyed thinking about the various aspects of a six-digit code that was changing randomly every 30 seconds. The answer to the first part of your question, Matthew, what's the best strategy, is that since the proper PIN code at any given instant is completely random, there can be no best strategy, since no guess can by definition be any better than any other. So if patience could be considered a strategy, then patience would be the best strategy, because a great deal of that is going to be necessary. So exactly how much? The second part of your question asked how many attempts would be needed to reach a 50% chance? And that is something that's knowable. At the bottom of page 21 of episode 1009's show notes I wrote, the probability of things happening is something that often trips people up. 
If the probability of something random happening is one in a million, and that is the case, the probability of a correct guess is one in a million since it's, you know, it's from 000000 to 999999, that's a million possible combinations. We might tend to assume that giving that one-in-a-million thing 1 million opportunities to occur, or in our case 1 million guesses, we would probably obtain a collision of six-digit values. And that's true, but it's not guaranteed. Probability theory tells us that even given 1 million guesses of a one-in-a-million event, there's a 36% chance of never hitting upon the value we're seeking. But that means that given 1 million guesses there is a 63.21% chance of hitting it. So, you know, better than 50-50. Okay. For random events it's all about probabilities. And so here's the answer to your question, Matthew: 693,147 guesses. So just shy of 700,000 would be required to hit the 50-50 point for an even chance of any of those one-in-a-million guesses being correct. So that's why patience will be the best strategy. Maybe getting a different Fitbit would be a better idea. Since you're going to be guessing for, I don't know how fast you can guess, but it's going to take just shy of 900,000 guesses to reach the 50% point. That would try my own patience.
Leo Laporte
Yes.
Steve Gibson
Actually, if you were to walk up a step for every time you made a guess, you would need the Fitbit because you would be fit.
Leo Laporte
There you go. That's clever.
Steve Gibson
Yes.
Leo Laporte
Just, just take the stairs.
Steve Gibson
Jason wrote. Hi Steve and Leo, longtime listener and a happy Club TWiT member. Thank you, Jason. He said, as we all move to delete our 23andMe data, I have a maybe amusing story. When I signed up for 23andMe years ago, I thought I would attempt to get some privacy by obscurity. I created my 23andMe account with a fake name with a new Gmail for that fake name. My thought was if they were ever hacked, as they were, or sold their data, as they are, at least my DNA would not be tagged with me by name. So I also made up a fake birthday in keeping with the obscurity strategy. Cut to this week, when I went to delete my data and found that birthday is used as a form of authentication. I have no idea what date I gave them and I never thought to record it. I tried permutations of my own birthday until I ran out of guesses and locked myself out. Emails to their support revealed that the only way to prove my identity was to provide government-issued ID. I'm not likely to give my ID to someone actively selling all of their assets to the highest bidder anyway, but I certainly can't when no such ID exists. Oh well, guess I'll have to continue to rely on obscurity. Thanks for all you do, "Jason." And he put that in air quotes, so I don't think that's even his name.
Leo Laporte
We don't know his name. We don't know his birthday. We know nothing.
Steve Gibson
I love that Jason put his name in quotes, you know, suggesting that he's quite deeply committed to remaining anonymous and obscure, as indeed he is. And given that no one knows whose DNA his is anyway, let alone who he is, I'd say there never was any need to delete it in the first place. But I understand, you know, for the sake of why not, you know, giving it a try anyway. He sort of... he locked himself out from being able to do so. An anonymous listener wanted to share some thoughts about leaving Windows. He said, hi Steve, please keep my name, company and project private because it would be easy to reverse engineer who my company is. He said, I've been listening for years. Thank you for all you do. I'm a security researcher and developer at really big company X. I mostly maintain a popular open source tool, name redacted. With respect to moving away from Windows to an open source solution, and again, remember, really big company X, I know the name of the company and it is really big. He said, with respect to moving away from Windows to an open source solution, much of my company's software, which is firmware build chain, is built upon Windows. Microsoft is in the process of relicensing all of our server Windows OS and MS SQL agreements, and as a result our cost will be going from a per-compute-device license to a per-core license.
Leo Laporte
Oh boy.
Steve Gibson
And I don't know about you Leo, but I got 20 core.
Leo Laporte
Yeah, that's a massive increase.
Steve Gibson
He says, as such, the cost would be going from thousands of dollars to millions of dollars. In response we are simply moving as much of our infrastructure as we can to an open source variant. He said, it seems crazy to me that M$, and he has the dollar sign for MS, you know, M$, is so arrogant that they think there's no alternative to them, or at least that the cost would be too much for us to absorb. But on that they have miscalculated. Yes, it will cost us to move, but it'll be so nice once we've done so. Now we just need to move all of our clients from Windows to Linux and I'll be a happy camper. Thanks again for all you do. Anon. So this person was actually, Leo, just one of many of our listeners who wrote to me in response to last week's EU OS podcast. I heard similar stories over and over and over. Microsoft apparently believes that they will be maximizing their bottom line profit by squeezing more money out of fewer customers. Because the theme I kept hearing playing out over and over was that people were finally and at long last throwing in the towel, giving up and biting the bullet to move to free and open source solutions. Those solutions have been steadily maturing through the years and are finally solid enough to be depended upon. And the message was, more so than Microsoft, you know. And the message was that they will be moving because Microsoft's policies appear to be predatory. Predatory was the word that several of our listeners independently used. And I thought, whoa. And I suppose it makes sense. If Microsoft can increase their profit and reduce the burden of support for all those pesky customers that, you know, they'd rather not have, then fine, go to Linux. People are saying, okay, yeah. TJ Asher said, Steve, I heard Leo mention Jackpot Junction in that list of companies on the ransomware site.
Leo Laporte
Oh yeah, yeah, they were one of the hacked or ransomware companies.
Steve Gibson
Yeah, he said, that's a casino here in Minnesota. So I went to their website and they have a big notice. It says slot machines and kiosks are currently unavailable. Bingo is canceled until further notice. The special... Oh no, the special bingo. No, don't take my bingo.
Leo Laporte
No, no, not the bingo.
Steve Gibson
The special Bingo session is postponed until a later date. Continuity is postponed until further notice. Promotional drawings are postponed until further notice. Dakota Dining is closed until further notice. Boy, this really hit them hard.
Leo Laporte
Oh, I feel bad for him.
Steve Gibson
Full deck is open for breakfast from 7am to 11am with regular menu from 11am until close. Table Games and Circle Bar will remain open. Thank you for your patience and understanding. We will provide updates as they are available.
Leo Laporte
They got hacked, all right.
Steve Gibson
And TJ signed off saying, definitely looks like they got hacked. Keep up the awesome work. Regards, TJ. So for anyone who's interested, remember, I think it was, what was it, last week's podcast? I think it was grc.sc/1019 was the shortcut that I created to take us over to Ransom List or whatever it was called. Oh yeah, ransomlook.io. Yeah, grc.sc/1019, and that's ransomlook.io. And I mean, I looked again and it's just, it's hopping over there. Recent posts on the left takes you to the listing and...
Leo Laporte
Yeah, this is today. Yep, this is just today. These are all places that have been.
Steve Gibson
National Association for Stock Car Auto Racing. They're gone. Third Avenue Management. Gone. Crystal-D.com. Gone. Coupe 57. Gone.
Leo Laporte
Royal Saudi Air Force, .gov.sa. Oh, Liberty Tax.
Steve Gibson
They're going to be paying some tax.
Leo Laporte
Yeah.
Steve Gibson
CVTE.
Leo Laporte
This is the list you don't want to be on.
Steve Gibson
Oh boy. And again, if any of our IT friends listening are having a problem with their CFOs, just say, okay, CFO, just go over here. Not one of these companies wants to be there and they didn't give their CIO enough money.
Leo Laporte
Yeah. Yeah.
Steve Gibson
Wow.
Leo Laporte
Incredible. And it was good to have that confirmation that we saw there.
Steve Gibson
Somebody listed there is SOL.
Leo Laporte
I mean, not a good thing by any means.
Steve Gibson
No bingo for Bongo.
Leo Laporte
No bingo for you.
Steve Gibson
Heinrich Johnson said, hello. I just thought I'd clarify something you and Leo said in episode 1019 about Cloudflare hosting 20% of the web. The 20% figure most likely refers to sites behind Cloudflare's WAF, you know, web application firewall, not actual hosting. Especially since they referred to their free plan, which does not include hosting. That said, when behind a WAF, Cloudflare does terminate TLS, which means that they are an intentional man-in-the-middle that can see request information, including login credentials. /Heinrich. So thank you, Heinrich. So a better way to say it would be that Cloudflare is fronting for 20% of the Internet's website properties. Harry Pilgrim said, Steve, you and Leo continue to say that you use certificates to log into SSH servers. This is not completely accurate. SSH could be configured to use public/private keys.
Leo Laporte
I never say certificates.
Steve Gibson
Okay, then it's I who am saying certificate. But these are not certificates. A certificate is composed of uniquely identifying information. Anyway, blah, blah, blah. He explains that. So thank you, Harry, for correcting us. I certainly stand corrected. But this gives me the opportunity to mention my absolute favorite SSH client and server solution for Windows-centric users, which is Bitvise, B-I-T-V-I-S-E dot com. They're not a new discovery of mine, because I would never recommend something like an SSH client and server without first obtaining sufficient experience for any such recommendation. I've now been using their solutions since 2018, so I've gained seven years of experience with their software and their company, and I cannot recommend them more highly. If all you need is an incredibly good SSH client for Windows for accessing remote SSH servers, you can use theirs free of charge. The Bitvise client is free. If you want a matching terrific SSH server for Windows, you can take theirs out for a 30-day spin for free, after which a one-year license is $100. But only the access to upgrades expires after a year. That server software will run forever. Mine's expired a few times and they've had some updates and I've thought, okay, I should re-up because I'm using their server very happily. I've been with them for seven years. I can attest that they are not constantly fixing mistakes. Only very occasionally do they have something that they need to tweak, and normally it's for some edge case that doesn't affect me, but I want to stay current with them anyway. I could not be more pleased with them and I cannot imagine ever having a need to switch. So just for the record, Bitvise, B-I-T-V-I-S-E, is my SSH solution for Windows.
Leo Laporte
That's one of the main reasons I'm not a Windows user is I need a command line that I can do things like that or I should say like this and log in to a remote server. I like having a command line.
Steve Gibson
I like it too. It is a good thing.
Leo Laporte
But so I always, for a long time, I mean I haven't used Windows in a while, but I used Cygwin. Is that like all done? Is that old hat? C-Y-G-W-I-N. Maybe it is. Bitvise looks pretty nice.
Steve Gibson
It's really nice. I mean, it manages our public and private keys, synthesizes keys. The server tells you it's never seen this key before. It tries multiple styles of authentication in sequence. You're able to maintain a list of previous SSH servers and select; it'll bring up a console window for you. So like when I SSH into my FreeBSD Unix I get a console window, or when I SSH even into Windows I get an admin prompt window, and I'm able to bring up a two-pane file copy so I can drag and drop files back and forth. Anyway, it's just a great solution.
Leo Laporte
Bitvise, free.
Steve Gibson
Highly recommended, Bitvise. David Spicer said, Steve, I was listening to podcast episode 1019, and as you talked about Troy Hunt getting phished I couldn't help but wonder how one could help prevent this type of quick-acting attack. I know passkeys would solve a lot of this in the first place, but I often see cloud services that support passkeys also allow for username and password as a backup. I personally find it difficult to see how sites that support both options are safer. Of course, you're singing my tune, right? I've said as long as you offer a fallback, then it's, the email continues to be the weakest link in the chain. I just logged into Hover a minute ago when you were giving our first advertiser, our first sponsor, because I wanted to see how much a .secure domain would cost, and I noted that right there under my prompt for a one-time authentication was "I don't have access to my authenticator." Well, okay then, how good is this anyway? He said, my online banking site requires a one-time password code just to log in once. He said, I can view all of my account information normally. However, if I want to perform any money transfers I am prompted for a new one-time code before I can do so. That made me think that this method might be useful with other online services that only support one-time password multi-factor authentication login, such as Mailchimp. Even after you have signed in, if you wanted to perform a security-relevant action such as exporting data, which of course Troy got bit by, which is what made David think about this, changing authentication methods or viewing API keys, that would require a new one-time password code from your authenticator. This would help prevent attackers who phish a login from you from being able to make changes or steal sensitive information without having to phish for a second one-time password code from you. Well, that's just my thought. Anyways, I'm glad I found your podcast nearly a decade ago. 
I love listening to you and Leo every week. Every episode is a good one, except today is extra good, and your tools like SpinRite, ValiDrive and the DNS Benchmark are amazingly useful. Really looking forward to buying the Pro version of the DNS Benchmark when it comes out for my lab environment. Have a great week. Thanks, David. So I agree with David completely. Requiring the reuse of a one-time password or OTP token before proceeding with any extra sensitive action after being logged in makes a ton of sense. And think about it. It's exactly analogous to pretty much any site asking us to resupply our current password as part of the process of changing that password, right? You know, we're obviously already logged in in order for us to even be presented with that opportunity of changing our password. We have to be logged in with our password. The site already knows who we are enough to allow us to be roaming around inside it. So why ask us to reassert our current password before we're able to change it? Obviously because changing our password is seen as a particularly sensitive action. But to David's point, it's interesting that, you know, this reuse of one-time passwords does not seem to have filtered down into the operation of most sites beyond login authentication, his bank and others being a common exception. And I think I know why. My presumption is that the reason for this is that most sites are still using some canned OAuth login authentication solution and have not bothered to build in one-time password re-verification. Perhaps in time, you know, this will change, since re-prompting for one-time passwords I think makes so much sense. It really ought to be done. But his point's a good one. No one's doing it. John Rostern said, Steve, I've been a long time Security Now listener and I've always appreciated your insightful commentary and analysis, mixed with some humor, on all things related to cyber security. 
I was a bit taken aback, therefore, by your somewhat dismissive comments regarding the Security Technical Implementation Guides, STIGs, in episode 1018. The STIGs, and they are at, and Leo, you should go there, public.cyber.mil/stigs, he said, represent an authoritative resource for secure systems deployment. The voluminous. Voluminous.
Leo Laporte
Voluminous.
Steve Gibson
Voluminous. There it is. Voluminous. Thank you. I got started off on the wrong foot.
Leo Laporte
Yeah, you got to start right.
Steve Gibson
The voluminous documentation, and it is voluminous, and tools are provided free of charge. In the upper right click on STIGs. Free of charge, including the Security Content Automation Protocol benchmarks. Misconfiguration has been and remains a primary threat vector, and following guidance such as that provided by the STIGs or the CIS benchmarks in the deployment process is a critical preventive control. Your show is a valuable resource for security practitioners that helps evaluate the state of the practice across the community. It would be a disservice to minimize the potential value of a resource such as the DISA STIGs. Kind regards, John Rostern. So thank you, John. I stand before you willingly chastened. I did not intend to be dismissive of the STIGs, because I was not at all familiar with them, but I'm always wary, just sort of generally, of bureaucracy and by extension the trappings of bureaucracy. This is why, for example, I've been so pleasantly surprised by the value and effectiveness of CISA. You know, value and effectiveness is never what I expect from government agencies, especially cyber agencies. So thank you for correcting me on the matter of the value of the STIGs. For anyone who's interested in these Security Technical Implementation Guides, I have a link to them which John provided in the show notes. Michael Swanson said, and it appears that many of our listeners have encountered these STIGs, Michael said, hi Steve, in a recent episode, Dan Linder brought Security Technical Implementation Guides, STIGs, to your attention. I thought a little more info might be useful to your listeners, as STIGs are very useful in hardening systems against threat actors. These STIGs are created and maintained by the U.S. Department of Defense in cooperation with the manufacturers and developers of various hardware and software. They are reviewed and updated continuously with a quarterly publishing cycle. 
STIGs exist for a wide variety of hardware devices, most notably firewalls and network switches; operating systems (Windows, macOS, various Linux distros, VMware, iOS, Android, etc.); web browsers (Chrome, Firefox, etc.); common applications (MS Office, Adobe, et cetera); even Active Directory, one of the most important if you want to keep attackers from moving laterally in your network. As Dan mentioned, some of the settings are policy and procedure, "user accounts are deleted from the system when an employee leaves the organization" and so forth, while others are technical, "two-factor authentication is required to access the system." Bottom line, these checklists of settings work. Searching for DISA STIG, S-T-I-G, will take your listeners to the library. Best regards, Mike Swanson. So Mike, thank you. This makes absolute sense. I went over, oh, I know where I was, Leo. It was at stigviewer.com, S-T-I-G-V-I-E-W-E-R dot com, /stigs, and took a look around. There is a lot of interesting security content organized by the name of the hardware or software that's the topic of each of the many individual Security Technical Implementation Guides. You can go to stigviewer.com and then just choose STIGs in the upper, that's what I was thinking of, in the upper right corner, top of the screen menu, to see a huge alphabetically sorted list of very useful security hardening checklists. My next Windows Server will be, I think it's Windows Server 2022, which was the latest, the last of the Windows 10 equivalents, and they have a long list of things you absolutely positively want to do. I already stumbled on one that was a little gotcha in IIS. Some weird thing that was not blockable that would allow an undocumented protocol to get through. And I thought, whoa. And it worried me, like, what else is in there? So I will definitely be going through the list before I deploy Windows Server 2022. It looks like a great resource. 
So thank you, listeners, for not letting me just blow that off because I didn't know any better. Leo. Yes, let's not blow off our last supporter, sponsor. And then we're going to talk about the Multi Perspective Issuance Corroboration finally. And why all certificate authorities got to...
Leo Laporte
Have it. 10, 20 episodes. We finally got around to it.
Steve Gibson
Well, it didn't exist until last week.
Leo Laporte
But okay, never mind. Our show today. Well, in that case, we're on it. We are on top of it. Oh yeah, breaking news.
Steve Gibson
We got you some of that multi Perspective issuance corroboration. You betcha.
Leo Laporte
It's finally here. Today we are brought to you by DeleteMe. And boy, I love DeleteMe. We use DeleteMe at TWiT because we realized that privacy is important. Not just for privacy, it's important for security too, because we got spear phished. And it was clear that the spear phisher knew a lot about our CEO and our employees and who reported to who and whose phone number was what, because they were able to buy that information online from data brokers. Have you ever searched for your name online? Don't. I don't recommend it. You will not like how much of your personal information is right there in public. And the worst is, they say, you know, for four bucks more, we'll give you the, you know, his prison record or whatever. You know, it's like, what is this? Because this is an unregulated sector that is in widespread use. It's the data brokers of the world. They collect information, they buy it and they sell it on. They put together a dossier on you. And it's not just you. Maintaining privacy is really an issue for your company.
Steve Gibson
DeleteMe.
Leo Laporte
It's for your family too. DeleteMe has personal plans, individual plans, family plans. Yes. You can ensure that everyone in your family feels safe online. DeleteMe reduces risk from identity theft, from cybersecurity threats, from harassment and more. Once we used DeleteMe to protect us from people spear phishing our CEO, we noticed none of her information was online anymore. But you know, it's important, so DeleteMe's experts will go out and find and remove your information from hundreds of data brokers. That's the first thing they do. It's important, though, to understand they won't stop there. DeleteMe will continue to scan and remove your information regularly. I'm talking addresses, photos, emails, relatives, phone numbers, social media, property value, and a lot more, including, as Steve and I learned, our Social Security numbers. Not illegal to resell those, anyway. If you set up the family plan, for instance, you'll have discrete controls for each member of the family, because each one might have a different, you know, privacy interest. So you get different settings, easy-to-use controls, and this just protects you. As long as you're a member, they will continue to delete this stuff. It's really the only way. First of all, there's so many data brokers, you couldn't possibly get to all of them. But second, there's new ones every day, literally every day, because it's a very profitable, highly legal, highly disgusting, but highly legal business. And so more pop up all the time. Very lucrative. Protect yourself, reclaim your privacy. Visit joindeleteme.com/twit. If you use the offer code TWIT, you'll get 20% off. If privacy is important to you, this is a really good way to do it. joindeleteme.com/twit, use the offer code TWIT at checkout. It worked for us, Steve. Now, whatever the hell this is, multi perspective issuance corroboration, it's time to dig into it.
Steve Gibson
That's right. Today's main topic was an outgrowth of an interesting change that the famous CA/Browser, you know, CAB, CA/Browser Forum just ratified. The CA/Browser Forum consists of those people who determine what criteria are needed for web browser certificate issuance, how long various issued certificates will be permitted to live, how browsers will deal with certificates, and everything else that's relevant surrounding the increasingly crucial need for clients on the Internet, whether they be people or automated systems, to be assured that the servers they're communicating with at the other end, somewhere else, anywhere else in the world, are really the entity they claim to be. A couple of weeks ago, the CA/Browser Forum agreed to, and this was a unanimous agreement, agreed to significantly up the ante for all certificate authorities everywhere on one crucial aspect of the mechanism that is relied upon for verifying the ownership and control of the domains for which certificates are being issued. I first learned of this from Google's announcement of this news. Google wrote, because of course Google is an active participant in this, in the CA/Browser Forum, thanks to Chrome, and they have their own root program, they said: The Chrome Root Program led a work team of ecosystem participants which culminated in a CA/Browser Forum ballot to require adoption of MPIC, which is the initials of today's podcast topic, via ballot SC067. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, so that's, you know, last month, middle of last month, CAs issuing publicly trusted certificates must now rely on MPIC as part of their certificate issuance process, whatever that is. Some of these CAs are relying on the OpenMPIC project to ensure their implementations are robust and consistent with ecosystem expectations. Okay, so something recently happened in the world of web server certificate issuance. 
This whole area is a fascinating subject which this podcast has spent time examining through the years. So what exactly is MPIC? Here's how Google explained it, and then we're going to digress. So Google said: Before issuing a certificate to a website, a certificate authority must verify the requestor legitimately controls the domain whose name will be represented in the certificate. This process is referred to as domain control validation, and there are several well-defined methods that can be used. For example, a CA can specify a random value to be placed on a website and then perform a check to verify the value's presence has been published by the certificate requester. Despite the existing domain control validation requirements defined by the CA/Browser Forum, peer-reviewed research authored by the Center for Information Technology Policy of Princeton University and others highlighted the risk of Border Gateway Protocol attacks and prefix hijacking resulting in fraudulently issued certificates. This risk was not merely theoretical, as it was demonstrated that attackers can successfully, oh, I'm sorry, that attackers did successfully exploit this vulnerability on numerous occasions, with just one of these attacks resulting in approximately $2 million of direct losses. Okay, so Multi Perspective Issuance Corroboration, referred to as MPIC, enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates. Rather than performing domain control validation and authorization from a single geographic or routing vantage point which an adversary could influence, as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet service providers. This has been observed as an effective countermeasure against ethically conducted real-world BGP attacks. Okay, so let's clarify this. 
In order to really understand the problem, we need to first revisit the operation of the Internet at its most fundamental level. It's been a long time since we've done that, so let's first do a quick bit of review about how exactly the Internet works. As we discussed way back in the dawn of this podcast, the brilliant way the Internet works, and the thing that has ultimately been wholly responsible for the Internet's robustness, is that it has never tried to be perfect. Its original brilliant design relied only upon a best-effort packet routing system. In this system, data to be sent from point A to point B was first packetized by breaking anything larger than a packet, which is around 1500 bytes, into multiple individual packets. Each individual packet indicates where it's from and where it hopes to go. The packets are then dropped one by one onto the Internet. The Internet itself, as we've come to know it, consists of a massive network of so-called big iron Internet routers, each of which is connected to a bunch of its neighboring big iron Internet routers. Each of these routers has multiple high-bandwidth interfaces, each of which connects to other similarly well-connected Internet routers, so the Internet itself is actually nothing more than a huge global quilt of large industrial-strength routers, each of which is interconnected to its nearest neighbors in a huge, largely ad hoc array. The Internet's users are individually connected to one of these big local Internet routers by their ISP, which then drops their packets onto the big iron router that's run by the ISP. So that's the entire structure. That's it.
So upon a packet arriving at the first Internet router, that router obtains the packet's requested destination, then looks up the destination in its own routing table to determine which of the many other big iron Internet routers it should send that packet to in order to move that packet closer to its requested destination. So the packet is then forwarded to that next router, which moves it closer to its intended recipient. These individual routers have receiving buffers on their interfaces which allow incoming packets to queue up while they're waiting to be forwarded. But it might happen that too many packets arrive from too many different interfaces, all requesting to be forwarded out through the same destination interface. And that might not be physically possible. There's too much incoming, all trying to go out of a narrow outgoing pipe. In that case, the router's incoming packet buffers would overflow with nowhere left to temporarily store any newly arriving packets, and those packets would be dropped and lost forever. At first, this might seem like a very bad thing, like a critical flaw in the fundamental design of the system. But it turns out that this reflects the original brilliance of the Internet's designers. They said, okay, no, that's not good. So let's make it okay. Let's make it survivable. Let's design the protocols that place these individual, potentially lost packets onto the Internet in such a way that a packet loss is okay. So, for example, in the case of the UDP protocol being used for DNS lookup, if an answer to a query for a domain's IP address that was sent out in a UDP packet, just sort of hopefully and blindly, if it's not received within a reasonable amount of time, the query will be retried and often reissued to all the other DNS servers that the client knows about. And this will continue, the retrying will continue, until it finally gives up. But a lost packet will just simply be retried.
So, crazy as it might seem at first, every Internet protocol that generates and receives individual Internet packets assumes that its packets may not arrive at the other end and arranges for that possibility. This brilliant design decision takes the pressure off the Internet's packet delivery system, which is simply a massive ad hoc network of loosely interconnected routers. That's all it is, a whole bunch of routers all connected to each other. This allows them to do the best job they can of receiving packets on their various interfaces and sending them along their way toward their destination by routing them out of other interfaces. And if incoming packet buffers overflow? That's not the router's problem. The protocol which originally generated the packet will deal with that. Okay, so what does all this have to do with BGP? This massive network of interconnected routers needs some means of knowing which IP address ranges should be sent out of which of their many interfaces. To answer this question, each router contains a routing table to specify which addresses can eventually be reached through which interface. How are these big routing tables determined and maintained? That's where the Internet's BGP, the Border Gateway Protocol, comes in. BGP is used by the Internet's big iron routers to coordinate, synchronize, and update their understanding of which packets should be sent where. An ISP's big iron Internet router uses BGP to advertise the various blocks of IP addresses it, the ISP, has been assigned by the Internet's governing bodies and which its customers are busy using. BGP sends this information to all the routers that connect to the ISP's router, so that they in turn know to forward any packets they receive on any of their other interfaces to the interface with which they connect to the ISP's router.
After setting up their own routing tables appropriately, each of those routers in turn uses BGP to forward their updated routing tables to all of the neighbors that they connect to, and so on and so on and so on, until eventually every big iron router anywhere on the Internet has received the propagated information about where to send any packets that are destined for that ISP's big iron Internet router. And believe it or not, this entire system works. And it works with astonishing reliability, so that we're all spoiled now when it fails. Failures are generally local and are quickly fixable. The system is not perfect. Through the years we've covered the news of mistakes, innocent mistakes made with the Internet's big routers, which, you know, for example, for a very few hectic minutes, might attempt to route all of the entire Internet's traffic through a bungalow in Myanmar. But you know, perfection is understood to be impossible. So a system that's self-healing and resilient in the face of mistakes is what we want, and it's what we have today. And also through the years, the original vulnerabilities in these systems have been found, recognized, shored up and improved. So this finally brings us back to the rules change that the CA/Browser Forum recently enacted. In order for me to obtain a TLS certificate from DigiCert, my certificate authority for the GRC.com domain, I need to demonstrate that I'm in control of the grc.com domain. So DigiCert gives me a simple file with a random gibberish name and random gibberish data content for me to place in the root directory of my web server at grc.com. Once I've done so, I let DigiCert's automation know and it attempts to obtain that file by that name with the proper contents from the root of GRC.com. If that can be done, that proves to DigiCert that whoever I am, I'm able to affect the content of the website located at grc.com, which no one else is supposed to be able to do.
And thus I'm allowed to obtain an identity certificate which covers that domain. But here's the problem. When DigiCert's automation reaches out to my web server at grc.com, it's just sending packets to, you know, DigiCert is sending packets to its ISP in Utah, which then drops them onto its big iron Internet router for them to then be sent from Utah to my ISP in California and then to GRC's web server. In other words, DigiCert in Utah connects to my web server in California, which has the IP address of GRC.com, and verifies the contents of a specific file which they created for the purpose. The implicit and crucial assumption is that the packets DigiCert caused to be dropped onto the Internet in Utah were actually routed to and received by the web server at grc.com in California. Everything about the legitimacy of the certificate GRC has requested depends and relies upon the truth that DigiCert obtained that file from my web server and not from someone else's. A so-called BGP prefix attack involves someone arranging to insert the network prefix for a small network into a big iron Internet router, which would then cause it to misroute any packets bound for any IP address within that small network prefix. In other words, the traffic for a specific network would be effectively hijacked. Following further with our example, if this were done to a router near DigiCert through which the packets bound for GRC were traversing, those packets would be sent not to GRC, but presumably to an attacker. In doing this, the attacker's server, not mine, would be hosting the domain control validation file and they would be proving that they, not I, control the grc.com domain, and DigiCert would then, having done their due diligence, issue them a web server TLS identity certificate for my domain GRC.com. And here's the crucial point.
The only way and reason this BGP router prefix hijack attack works, which as Google's note mentioned, has been shown to be real and effective and has proven to be a true problem, is that a router close to DigiCert, through which an attacker was certain DigiCert's packet traffic destined for GRC.com would be flowing, could be compromised. While this compromise was in place and my web server at grc.com was effectively unreachable by DigiCert, it would still be reachable by everyone and anyone else located anywhere else through other non-compromised routers. And this brings us to the need for MPIC, Multi-Perspective Issuance Corroboration. And now we know what that term means. With the researchers at Princeton University's Center for Information Technology Policy having demonstrated the real-world feasibility of these BGP prefix hijack attacks, all certificate authorities going forward must perform domain control validation from multiple geographically diverse locations immediately. As of March 15, last month, validation must be made from at least two remote network perspectives. CAs have a year to bring that number up to three, and from at least two distinct regional Internet registry regions. By June 15 of next year, 2026, that number grows to four, also from at least two RIR regions. And by the end of next year, December 2026, at least five remote network perspectives must be used in order to verify domain ownership and validation. Five. Wow. So it's clear that once again, these guys are not taking any chances. It would be so supremely difficult to somehow arrange to simultaneously intercept traffic originating from as many as five different locations that it's safe to say that this makes this mode of validation attack, you know, infeasible and takes it off the table. So that is MPIC, Multi-Perspective Issuance Corroboration. You know, verifying ownership of a domain from multiple perspectives on the Internet, multiple locations.
Leo Laporte
You could still screw up the border router, though, right?
Steve Gibson
Yes, Border Gateway Protocol. I mean, it's, you know, it's meant to be resilient, but it can happen.
Leo Laporte
Yeah.
Steve Gibson
And I also wanted to note, I heard your mention of the passing of the guy who.
Leo Laporte
Bufferbloat, man. Yeah.
Steve Gibson
And we talked about bufferbloat on the podcast and explained that it was messing things up because the Internet is designed to drop packets, and consumer router manufacturers thought, oh, we've got so much RAM, we'll have big buffers and then it'll be great. The packets aren't dropped. Well, it messed everything up. You want to drop them?
Leo Laporte
Yes. He was only 59. He was a young guy. Let me see if I can pull up the story, because we did. We talked about it on This Week in Tech on Sunday, and it was a sad story.
Steve Gibson
Do we know how?
Leo Laporte
We don't know what happened. No, the only reason I knew what happened is Eric Raymond, ESR, posted something on X eulogizing him. That's why I want to get the story, because I've forgotten his name now, but that's kind of the story, in a way, is this technology that saved all of us, you know, it was, you know, bufferbloat was discovered and corrected pretty much.
Steve Gibson
Yep.
Leo Laporte
By this one guy. So it's kind of a neat story. Let me see if I can. Oh, shoot. Where is his name? We did so many stories. I'm looking through the show notes and I don't see it. So. But yeah, it was a very.
Steve Gibson
Toward the end.
Leo Laporte
Yeah. Yeah. You'd think that these show notes would be in order, but his last name was Täht, I think, T-A-H-T.
Steve Gibson
E. I think it had an E on the end.
Leo Laporte
Maybe it had an E on the end. Oh, now this is going to make me mad because I do think we should bring it up real quickly.
Steve Gibson
How about we just. What if we Google bufferbloat?
Leo Laporte
Google bufferbloat. Why is it not in the show rundown? That's the strangest thing. I must have accidentally deleted it after the show was over or something.
Steve Gibson
Okay, Wikipedia's got an entry and I'll bet they give him credit.
Leo Laporte
Sure. Dave Täht. T-A-H-T is his name. And here's the eulogy from Eric S. Raymond, who of course is a well-known open source guy, wrote The Cathedral and the Bazaar. He says, Dave Täht, there's an umlaut over the A, T-A-H-T, died yesterday. One of the unsung heroes of the Internet. He discovered bufferbloat and then went out and basically got router manufacturers to fix it. So it's less of an issue right now. So something to note.
Steve Gibson
Yeah, and it says it gained more widespread. Wikipedia says it was initially described back in '85, and that of course predates this podcast, but it gained more widespread attention starting in 2009. And that's when you and I were together and we said, hey, let's talk about this. It's cool.
Leo Laporte
There's his X account. He lived in Half Moon Bay. There's not much more, except that Eric Raymond lost him too young. Yeah. And I guess he might have been on FLOSS Weekly back in March because Dave re-shared a FLOSS Weekly link. So, yeah, unexpected, I think, I gather. Dave Täht, a guy whose name very few of us know, even those of us who know what bufferbloat is. But we do owe him a debt of gratitude. So thank you, Dave, for what you did, and thank you, most importantly, Mr. Steve Gibson, for what you do each week on this show. We do Security Now on a Tuesday right after MacBreak Weekly. That comes out usually around 1:30 Pacific, 4:30 Eastern, 20:30 UTC. And I mention that because you can watch us live if you want. If you want the freshest Security Now, we stream it for our Club TWiT members. You know, they have access to everything we do in the Club TWiT Discord. In fact, we're doing more and more in there because it's such a great place to hang out. So if you're not a member, join Club TWiT for seven bucks a month and you get ad-free versions of all the shows and you get access to the Club TWiT Discord. And a lot of special events going on in the club at all times, including all the animated GIFs anyone could ever want. A lot of fun. Anyway, if you are a Club TWiT member, you can watch the show. There it is. It's a GIF. You can watch the show in the Club TWiT Discord. But you can also watch it anywhere you want. I mean, I'm just gonna leave this up for a while because they go crazy when they know they're on camera in the club. You can watch on YouTube. There's actually eight different streams, the Discord, but there's also YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. So that's when you. That's why you would need the time. You can watch that live, but you can also get it after the fact just by. Just. All right, I have to close it because it's distracting me. Just by going to the website, twit.tv/sn.
Steve has the show on his site, actually. He has unique versions of the show that no one else has. He has a 16 kilobit audio version. It's a little scratchy, but it's small. He has a 64 kilobit audio version, which sounds great. We actually don't distribute that anymore. We do 128 kilobit audio for some technical reasons. He also has show notes, which are really great. And he has the transcripts written by Elaine Farris, so you can read along as you listen or search through the transcripts and find stuff we've talked about. All of that at grc.com. While you're there, it would behoove you, if you have mass storage of any kind, and I suspect you do, unless you're watching this show on a camera running Linux, even then it wouldn't be a bad thing, to get a copy of SpinRite, the world's best mass storage maintenance, recovery and performance-enhancing utility. 6.1 is the current version. It just came out and you can get it at grc.com. You can also go to grc.com email to get your email approved so that you can email comments and thoughts to Steve. That's the best way to do that. He also, as you can see, monitors X and other places. But email him. And when you're there, you'll see there's two checkboxes, unchecked, for the newsletters. One is, of course, the weekly mailing of the Security Now show notes. You'll get them a day ahead of time. You can read ahead. You can look at the picture of the week. You can prepare yourself for the Tuesday extravaganza. You can also, there's a second box, which is a very infrequent mailing. When something big happens in Steve's life, the next one's probably going to be when he ships his DNS Benchmark app, the pro version of that, sometime soon. He's working on it right now.
Steve Gibson
Yep, it's working. It's coming along.
Leo Laporte
It's exciting. You'll get the, you know, the first information about it. So go to grc.com. That's really my advice. It's a great way to hang. You can also subscribe in your favorite podcast player. We have audio and video available. That way you get it automatically. Your choice. It's a podcast and we appreciate the fact that you come by every week. And listen, I tell you what, I don't want to miss a Tuesday. I hope you won't either. Thank you, Steve. We'll see you next time on Security Now.
Steve Gibson
Thanks, my friend. See you then. Bye.
All TWiT.tv Shows (Audio) – Security Now Episode 1020: Multi-Perspective Issuance Corroboration
Release Date: April 9, 2025
Hosts: Leo Laporte and Steve Gibson
In the 1,020th episode of Security Now, hosted by Leo Laporte and Steve Gibson, the duo delves into a myriad of pressing security issues, ranging from critical vulnerabilities in widely-used software to significant policy changes affecting digital security practices. The episode, named "Multi-Perspective Issuance Corroboration," serves as a comprehensive exploration of current cybersecurity challenges and advancements.
At [05:24], Steve Gibson introduces the main topic of the week: Multi-Perspective Issuance Corroboration (MPIC). This new requirement, unanimously adopted by the CA Browser Forum, mandates Certificate Authorities (CAs) to perform domain control validations from multiple geographic and network perspectives to mitigate the risk of Border Gateway Protocol (BGP) attacks and prefix hijacking.
Notable Quote:
"MPIC enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates."
— Steve Gibson [05:27]
Steve details a severe vulnerability in Canon printer drivers, rated with a critical CVSS score of 9.4 ([15:00]). This flaw allows malicious actors to execute arbitrary code on affected systems without requiring elevated privileges or user interaction. The vulnerability, identified in the Enhanced Metafile (EMF) processing of the printer driver, poses a significant threat, especially since the drivers are signed by Microsoft, making exploitation straightforward.
Notable Quote:
"The vulnerability could allow malicious actors to compromise printing operations and, in severe cases, execute arbitrary code on affected systems."
— Steve Gibson [20:32]
In response to listener feedback, Leo and Steve discuss the exemplary cybersecurity measures implemented by Fisher & Paykel, a home appliance manufacturer. The company has integrated robust security protocols, such as WPA3, security-by-design principles, and regular penetration testing, to secure their connected appliances.
Notable Quote:
"They have security controls that provide independent redundancy to protect against malicious attacks."
— Steve Gibson [30:27]
Steve recounts a French government initiative where over two and a half million school children were subjected to a phishing test. The attempt to engage students with a lure promising game cheats resulted in only about 8% being deceived, showcasing a commendable level of cybersecurity awareness among the youth.
Notable Quote:
"French school children are not gullible. It turns out the French government tried to trick them and failed."
— Leo Laporte [43:14]
The discussion shifts to WordPress, highlighting a vulnerability introduced three years prior with the "Must Use Plugins" (MU Plugins) feature. Hackers have exploited this by embedding malware within MU Plugins, which are automatically enabled and hidden from regular admin views, making detection and removal challenging.
Notable Quote:
"Hackers are breaking into WordPress sites and dropping malware in the MU plugins folder, knowing it will get automatically executed and won't show up in the site back end management."
— Steve Gibson [44:04]
Steve addresses recent security breaches at Oracle, including unauthorized access to Oracle Health’s medical data and theft from their cloud services. Despite significant evidence, Oracle has denied these breaches, failing to comply with mandatory reporting requirements set by the U.S. Securities and Exchange Commission (SEC).
Notable Quote:
"Oracle has chosen to remain entirely silent, even though doing so is a clear breach of reporting law."
— Steve Gibson [51:41]
Leo and Steve explore Utah's newly signed App Store Accountability Act, which mandates age verification and parental consent for users under 18 interacting with certain apps. This legislation marks a significant shift in regulating digital content consumption among minors.
Notable Quote:
"If we're going to decide that children's age matters, then responsibility needs to be taken somehow."
— Steve Gibson [51:42]
A concerning trend is discussed where AI-driven bots are inadvertently causing Distributed Denial of Service (DDoS) attacks on FOSS repositories. These bots, driven by the insatiable appetite for data to train AI models, are overwhelming critical infrastructure, leading to increased downtime and bandwidth costs.
Notable Quote:
"The arms race between data-hungry bots and those attempting to defend open source infrastructure seems likely to escalate further."
— Steve Gibson [67:58]
The hosts analyze Google's announcement of purported end-to-end encryption for Gmail's corporate users. While Google claims that encryption occurs within the user's browser, Steve argues that true end-to-end encryption requires that only the sender and receiver have the means to encrypt and decrypt messages, which isn't fully achieved in this implementation.
Notable Quote:
"It is an interesting regulatory hack, but a hack it is."
— Steve Gibson [110:41]
Concluding the technical discussions, Steve warns about a critical CVE (CVE-2025-30065) affecting Apache Parquet, an open-source columnar storage format. This vulnerability allows for remote code execution, underscoring the necessity for immediate updates to mitigate potential exploitation.
Notable Quote:
"If you're using Parquet, update immediately because you want to beat the bad guys to it."
— Steve Gibson [114:12]
Throughout the episode, sponsors such as Material Security, ThreatLocker, Thinkst Canary, Bitwarden, and DeleteMe are featured, each highlighting their contributions to enhancing cybersecurity measures. Highlights include:
Material Security: Emphasizes their cloud-focused security toolkit for email protection, leveraging intelligent automation to bolster security without hindering productivity.
ThreatLocker: Promotes their Zero Trust platform designed to prevent ransomware and limit lateral movement within networks.
Thinkst Canary: Showcases their honeypot solutions that act as tripwires for detecting unauthorized access within networks.
Bitwarden: Advocates for their secure password management solutions, essential for both individual and enterprise users.
DeleteMe: Focuses on their services to remove personal information from data brokers, enhancing privacy and security.
Notable Sponsor Quote:
"Protect your digital workspace, empower your team, secure your future with Material."
— Steve Gibson [86:24]
The episode features various listener interactions, including:
Issues with Two-Factor Authentication: One listener experiences incessant authentication reset requests, highlighting the importance of robust security measures.
Moving Away from Windows: An anonymous security researcher discusses transitioning to open-source solutions to avoid escalating licensing costs from Microsoft.
Bufferbloat Tribute: A heartfelt mention of Dave Täht, a pioneer in identifying and resolving bufferbloat issues, underscores the community’s appreciation for contributions to Internet robustness.
Notable Listener Quote:
"I've been a long-time Security Now listener and I've always appreciated your insightful commentary and analysis mixed with some humor on all things related to cybersecurity."
— Steve Gibson [125:02]
As the episode wraps up, Leo and Steve reflect on the enduring relevance of Security Now, celebrating its longevity and the community it has built over two decades. They emphasize the importance of staying informed and proactive in the ever-evolving landscape of cybersecurity.
Notable Closing Quote:
"If privacy is important to you, this is a really good way to do it."
— Leo Laporte [155:14]
Episode 1020 of Security Now offers a thorough examination of contemporary cybersecurity threats and innovations. From critical software vulnerabilities and policy changes to the unintended consequences of AI advancements, the hosts provide listeners with valuable insights and actionable advice to navigate the complex digital security terrain.
For detailed show notes, transcripts, and additional resources mentioned in this episode, visit grc.com.