Hotpatching in Win 11, Apple vs. UK
Leo Laporte
It's time for Security Now. Steve Gibson is here. We're going to talk about, well, there's a lot of things: the hundred-some fixes in Microsoft's Patch Tuesday last week, why it's so difficult for Oracle to fess up, an Apple versus the UK update, and the arrival of Thunder Mail. All that and more coming up next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson, episode 1021, recorded Tuesday, April 15, 2025: Device Bound Session Credentials. It's time for the moment you wait for all week long, Security Now, the show where we cover your security, privacy, your safety online with the king of all of that stuff, Mr. Steve Tiberius Gibson. Hello, Steve.
Steve Gibson
Actually, Leo, what they're waiting for all week long is the next protracted event in their life, typically a five hour commute or a plane flight or something.
Leo Laporte
They can listen to this show.
Steve Gibson
Yes, because now it's in their queue and it's time to spool this into their brain. Think of us, boy, we got a spool for you today.
Leo Laporte
Think of us as a printer driver spooling up all this information.
Steve Gibson
Yes, even the title needed to be spooled, because it was a little long. It stretched out the screen there down at the bottom.
Leo Laporte
Yeah. What is Device Bound Session Credentials, then?
Steve Gibson
For Security Now, episode 1021, for tax day. And by the way, I heard you saying before you could be listening to the podcast MacBreak Weekly while doing your taxes. And I thought, only if you have a time machine, and once they're finished you can go back. Unless you're filing estimated, in which case...
Leo Laporte
You could be listening right now and doing your taxes. You don't have to mail until midnight. You got time.
Steve Gibson
That's true.
Leo Laporte
And maybe it's just me, but I always, I mean, I did mine yesterday. I was way ahead of the game. Okay.
Steve Gibson
That's right. Yeah. Well, that's. You had the day off, no podcasts to do so.
Leo Laporte
You know, it's funny, I actually listened to an old TWiT while I was doing it. I don't know why, I just... Dan Patterson sent me an email saying the first time he was on TWiT on Sundays, the first time I was on, was back in 2009, this episode. And it was a great episode. It had all these great people. I thought I'd listen to it, and it was kind of fun to hear about the beginnings of surveillance capitalism.
Steve Gibson
How was, how was Sunday's big anniversary TWiT? I haven't had a chance to see it.
Leo Laporte
We had so much fun, because I had more than 20 videos from listeners and viewers talking about when they first found TWiT. It was very... it was wonderful to celebrate the audience. You know this, because you get the emails and the comments.
Steve Gibson
Yeah, I have a good connection.
Leo Laporte
We love our audience. We really do. And so I thought, to celebrate 20 years of TWiT, and you're going to be celebrating 20 years of Security Now in a few months, that it'd be fun, instead of honoring the hosts or the things we've done, to hear from the listeners. And it was really great. I really enjoyed it. We had a fire eater, we had a guy on a boat, we had not one but two guys in tractors. I mean, it was very interesting.
Steve Gibson
Oh, I thought you were going to say traction. I was like, whoa.
Leo Laporte
No, nobody was in traction. There was one person incarcerated. However, one prisoner sent us an email.
Steve Gibson
He got a good bandwidth connection? Can he... Those steel bars, they tend to block Wi-Fi. No, no, that's not...
Leo Laporte
They give him an iPad with podcasts on it. And I don't know if we were ever asked, but apparently Security Now is on some of them. This one, he only was able to get one of the shows, TWiT.
Steve Gibson
I don't know if you want Security Now going into the prison.
Leo Laporte
Maybe that's. Maybe the war.
Steve Gibson
How do I do that hack again? How do I get over to Russia? You know, what do I call a strike?
Leo Laporte
Good point.
Steve Gibson
Anyway, so... oh boy, this is going to frost your snow cone: Device Bound Session Credentials. What we finally have after 35 years is a change in the way we manage session cookies, session cookies being the cookies which our browsers receive which continually identify us to websites that we're logged into, the session being our logged-on session. And I'll go back over a little bit of the history of this when we get to it later today, sometime this evening, because we have a lot to cover.
Leo Laporte
It's gonna be a long show. Is that what you're telling me today? I better go get lunch. Okay.
Steve Gibson
But yeah, you can maybe plan your vacation.
Leo Laporte
So I'll do my tax 2025.
Steve Gibson
Don't take it yet, because yes, you do have to lick the stamp on your taxes.
Leo Laporte
Yes, I do.
Steve Gibson
Anyway, we're gonna talk about the industry finally coming up with what looks like the replacement for, and far more security connected to, maintaining logged-on state with browsers. And really we've been asking an awful lot of the lowly cookie, which was created, as I said, back in the mid-90s by some guy named Louis at Netscape. Anyway, his name... oh yeah, Lou. We're going to have a lot of fun, and I'll explain that you do not need to understand at all on this first pass. We're going to be... I'm no doubt we'll be looping back to this a number of times, because this is big news. This is a change in the way we, like, the security of logging on, in terms of the browser identifying it to the server. And it is very cool. I mean, we have so much in our toolbox now with all of the crypto that we're able to bring to bear, rather than some little gibberish of ASCII that is like, oh, that looks like him. Anyway, we're also good, before we get to that, because that's just the, you know, the coup de grace. We've got Android believed to be getting a lockdown mode next month. What's new in updates to Chrome and Firefox, and there's some cool stuff. Actually, it was the blurb about Chrome that put me onto this, and then I saw that Firefox and Safari were also already working on this. Why did Apple silently re-enable automatic updates? My new iPhone 16. Chinese tariffs and electronics. Dynamic hot patching coming to Windows 11 Enterprise and Edu, cool new tech from Microsoft. Why is it so difficult for Oracle to fess up to what is obvious to everybody else that happened? We have another multi-year breach uncovered inside US Treasury, making it the third of three. An Apple versus the UK update. A something... I just, I can't get over the name that they've given this: Thunder Mail. Can't we get a better name?
Leo Laporte
Thunder Mail.
Steve Gibson
You know it works for a bird.
Leo Laporte
To put Thunder in front of it like Thunder Mail down under.
Steve Gibson
It's just every time I see it, I go, oh God. I know I'm... I'd be embarrassed to be steve@thundermail.com, but anyway, Mozilla's going to do something. We also have the insecurity of programmable logic controllers, why that matters. Oh, and Leo, turns out that you probably ran across this, because you're amazingly up to date and informed: I find when LLMs write code and hallucinate non-existent package names, "I know the perfect library for this code," that's going to be weaponized.
Leo Laporte
Yes, I guess so. Yes. If you knew ahead of time. Yeah.
Steve Gibson
And it's got an even worse name than Thunder Mail. It's Slurp something or other. It's like, oh my God. Well, anyway, we'll be covering it today. We also have WordPress's core security, and PHP had a very important audit funded, and the problems they found are barricaded. No one is talking about them because they're so bad.
Leo Laporte
So bad.
Steve Gibson
But they're being fixed. And I think what we're going to end up seeing, as we'll see, is an important retroactive... you know, everybody who still has supported versions of PHP, now would be a good time to update them. Also, once all that's done, if there's anything left of us, we're going to talk about Device Bound Session Credentials. And I so much want to hyphenate Device Bound. It's not, and it's like, that's wrong. But, you know, we put up with "referer" being misspelled in HTTP headers all our lives. So I suppose we'll leave off the hyphen in Device Bound. And of course we've got a great picture. So maybe, Leo, we actually have a good podcast this week.
Leo Laporte
Maybe.
Steve Gibson
I hope we don't disappoint.
Leo Laporte
No maybe about it, Steve. I guarantee. I guarantee it. Boy, you're a stickler. I didn't even really think about this. But you're right. Device Bound should have a hyphen, shouldn't it? It bugs me. Yeah, I never even thought about that. Well, we just have to go with whatever the IETF thinks is right.
Steve Gibson
Maybe somebody at the World Wide Web Consortium is listening to this podcast and thinks he's right.
Leo Laporte
Put it on.
Steve Gibson
That's a typo. It's a typo.
Leo Laporte
Steve Gibson, ladies and gentlemen. We'll get to our hyphenless discussion in just a moment, but first, a word from our sponsor for this segment of Security Now, the great folks at ExpressVPN, the only VPN I trust, the only one I use. I think anybody watching this show knows you need a VPN. I mean, right? Going online without ExpressVPN would be like, I don't know, driving a car without insurance. You could be a great driver, but with all the crazy people on the road these days, why would you take that risk? Everyone needs ExpressVPN. My perfect example: when we flew down to Tucson for the gem show, we went through SFO, San Francisco Airport. And of course, I'm sitting there. We got a couple of hours before the flight. I see it, SFO Free Airport Wi-Fi. And I'm thinking, I would really like to use that. But yes, exactly, Steve. That was exactly what it was like.
Steve Gibson
But.
Leo Laporte
I could see Steve Gibson over my shoulder saying, mm, mm. Fortunately, I had ExpressVPN on my iPad. I fired it up, joined the network. I was secure. Every time you connect to an unencrypted network, whether it's an airport or a cafe or a hotel, you're taking all kinds of risks. First of all, any hacker on the network can gain access to your computer to steal your personal data, to hack you. It doesn't take a lot of technical knowledge to do this. A smart 12-year-old could do it. And you know what? There is an incentive. Hackers can make like $1,000 a person selling your personal info on the dark web. So there is incentive for them to do this. ExpressVPN stops those hackers cold. They stop them because they cannot see you. You have an encrypted tunnel between your device and the outside world, and the VPN you use, the choice you make, is super important. You need to trust ExpressVPN. I love ExpressVPN. And they go the extra mile to make sure your data is absolutely invisible. Why is ExpressVPN the best? It's super secure. Obviously they're using strong encryption. It would take, you know, a billion years to get past the encryption. It's very easy to use. You know, I'm sitting there on my iPad. I just went to ExpressVPN. There's a big red button that says start it. I fired up the app. You just click one button and now, boom, you are completely private, completely secure, completely protected, even on the free airport Wi-Fi. It works on all devices, on your phones, every phone, laptops, tablets. You can put it on your router. Stay secure not only on the go, but everywhere in your house. ExpressVPN is rated number one by top tech reviewers like CNET and The Verge. And I use it. There's another way you can use it. Sometimes when we travel, we don't have our locals. You know, our local. I want to watch a football game and I'm in Mexico. It's a great way to do that too. ExpressVPN, you know, you need a VPN. Use the best. Secure your online data today.
Visit ExpressVPN.com/SecurityNow, E-X-P-R-E-S-S-V-P-N dot com slash Security Now. Find out how you can get up to four extra months free when you buy a two-year package. ExpressVPN.com/SecurityNow. We thank them so much for their support of the good work, the important work that Steve does here.
Steve Gibson
Well, and you know, if you were entitled to watch the game while you were home.
Leo Laporte
Right.
Steve Gibson
You were traveling.
Leo Laporte
Right.
Steve Gibson
Then it's not like you're doing anything wrong. But still watching.
Leo Laporte
I asked Netflix, because I thought, well, should we be promoting this? They said, as long as you have a Netflix account, you can be watching Netflix in any other geographic location. That's fine. So that's, you know, that's what you can use a VPN for too. And it's the only reason, you know, people say, well, you should use Tailscale or something local. But I can't do that. Really. That doesn't work as well if I want to be in London, because my house is not in London. So there's an advantage to using Express.
Steve Gibson
More flexibility.
Leo Laporte
More flexibility. All right, let's take the picture of the week.
Steve Gibson
I think we're going to have to not expose what this picture reveals or. Because it would be a spoiler for those who want to encounter it and solve this puzzle themselves. Because this is a puzzle of a puzzle. Yes.
Leo Laporte
All right, I'm going to scroll up, and, by all means... Neil deGrasse Tyson.
Steve Gibson
Yep.
Leo Laporte
And I can read it right away.
Steve Gibson
Yep. I see. I knew you would be able to. Yes.
Leo Laporte
But I won't tell you what it says.
Steve Gibson
You cannot tell us what it says.
Leo Laporte
But this is a famous example. I've seen other examples where they don't add numbers for letters, but where they take away letters.
Steve Gibson
Okay. Right.
Leo Laporte
And it shows you how adaptive the human mind is, how able to fill in the gaps we are.
Steve Gibson
Yes, yes. So this picture, I gave out the caption, "Here's one to think about." And it's a T-shirt that Neil deGrasse Tyson is holding up, credited to a famous physicist in our midst. And I think everyone will enjoy taking a look at the picture.
Leo Laporte
Do people have a hard time reading this? Do people look at this and go, I don't know what it says?
Steve Gibson
Yes. I've had some feedback saying that they, you know, had to spend some time thinking about it.
Leo Laporte
Interesting.
Steve Gibson
So. And I knew you wouldn't. Leet.
Leo Laporte
It's not leet, exactly. Well, it's pretty close to leet. It's pretty close to leet. So maybe it's... I've spent too many years reading leetspeak.
Steve Gibson
Ah, that's a very good point. It bears a strong resemblance to that. Okay, so nothing's been announced yet, and it's certainly not official, but it would make sense for Android to follow in Apple's footsteps with a higher security mode for their handset, similar to what Apple calls Lockdown Mode. And with Google's annual I/O developer conference happening next month, it might be announced then, which might make it available in kind of the August/September timeframe as part of Android 16. It's believed that Google's been quietly working on a new, more secure mode for Android that, as I said, was probably inspired by Apple's iPhone Lockdown Mode. According to a placeholder documentation page, which currently 404s, and based on analysis of Android beta images, the new feature would be named the Android Advanced Protection Mode, AAPM. As with Lockdown Mode, AAPM would not be intended for regular Android users. It would be of use for, you know, probable targeted individuals who are more likely to face threats from oppressive regimes, you know, advanced spyware, network surveillance attacks and so forth. It's believed to disable older and less secure 2G cellular connections; block users from sideloading apps from unknown sources (presumably it prevents them from running apps that have already been sideloaded, I would imagine, I don't know); enable Memory Tagging Extension, which is a feature to block the exploitation of memory-related exploits; and force a reboot of any devices after more than three days of disuse. That forced reboot feature was spotted by Android Authority as a means of flushing RAM of any resident malware that may have taken up residence in the device during its owner's absence through whatever means, but then wasn't able to obtain persistence, so that it wasn't able to write itself into the file system.
Although Google has offered no official confirmation of any such new Android Advanced Protection Mode, a large amount of code to support it is present in Android 16 betas. We've seen instances where something ended up in a further-in-the-future release, not the most current, next, you know, forthcoming release. So maybe not 16, maybe not till 17, but this doesn't... It's not like this is rocket science, to, like, turn off things that it already has, so why wait? Anyway, the fact that it's in the 16 beta suggests that it will probably be official soon. Android Authority found the message that informs users that they may not sideload apps. There's also support, I thought this was cool, for a new API which allows apps to detect whether the handset has this mode enabled, so that they may apply any of their own security-enhancing behavior. For example, a web browser might disable its internal JIT, its just-in-time compilation mode, when it detects that the handset is in this advanced protection mode, because we know that the just-in-time compilers tend to be where a lot of security flaws have been found to reside in the past. Or, you know, another example, maybe instant messaging apps might disable their automatic display of multimedia content, since again, we've seen security vulnerabilities often discovered and leveraged in the interpreters that are used to display media. So there are signs that something resembling Apple's Lockdown Mode may be coming soon to Android. And you know, like Lockdown Mode, it probably reduces the device's convenient functionality too much to be used by most people. But you know, it would make the smartphone much less fun to use. But the trade-off is convenience versus security. And in this case, you know, you would be opting for security if you for some reason didn't have an Apple device. And this allows Android to do that.
Also, while I was perusing recent news, I saw that Chrome had recently moved to their release 135 and Firefox was now at 137. Among the changes, as I mentioned, in Chrome was the title of today's podcast, missing its hyphen, Device Bound Session Credentials, which we'll be getting to here for a very deep technical dive at the end of today's podcast. But nothing else really stood out about Chrome's 135 beyond that. The biggest news for Firefox 137 appears to be tab grouping, although the ability to use Firefox's URL field as an ad hoc calculator for quick math actually excites me more, and I'm sure it's going to get much more use by me, anyway. Somehow I've broken the habit of having a seemingly near-infinite number of tabs serving as placeholders for things I plan to get back to eventually. I remember maybe 10 years ago I had, over there to my left, a Firefox browser, and if it ever crashed or I lost its tab lineup... it was my knowledge base. I had so many open tabs. I don't do that anymore. I don't know what happened, but I just kind of got out of that, I guess. But I know from feedback from our listeners of this podcast that there are many people who do still organize their life around browser tabs, and this is probably going to be a godsend for them. So the Firefox 137 blog page explains: "Tab groups begin rolling out today. Stay productive and organized with less effort by grouping related tabs together. One simple way to create a group is to drag a tab onto another, pause until you see a highlight, then drop to create the group. Groups can be named, color coded, and are always saved. You can choose a group and reopen it later." Okay, so I thought, great, let's try it.
But no matter what I tried, and I was using Firefox 137, when I attempted to drag one tab on top of another, at some point, presumably once some center line somewhere was crossed, the underneath tab that I was in the process of covering up would suddenly scoot over to fill the gap that was left, you know, from the tab that I was dragging. No matter what I did, I was unable to in any way merge two tabs into a single group. I'm just telling everybody, in case they have the same experience that I did, that it didn't work for me. Then I noticed that the phrase "tab groups" was highlighted in the blog posting as a link. Clicking that, I discovered the likely cause of my trouble. The more detailed page, after I drilled down, said, "Starting in Firefox version 137, you can use tab groups to manage open tabs in Firefox by grouping them together and labeling them." Okay, right? Except it's not working. Then it said, "This feature is experimental and is being introduced..." I'm like, how hard is this to do? Why do you have to experiment with it? Anyway, "...is being introduced to the Firefox user base through a progressive rollout. It may not yet be available to all users." Number me among them, because I just can't get two tabs to merge. So, okay. The Mozilla folks seem pretty excited about this, and they also noted that Firefox's new tab grouping system also works for vertical tabs. I long ago satisfied my absolute and utter need for vertical tabs using a pair of Firefox add-ons: Tree Style Tab, which allows a hierarchy of tabs, and also Tab Session Manager, which allows me to save current sets of tabs as a session and keep them in XML files. Load them, save them, restore them, move them around. Love it. Anyway, together those two things do everything I need. But once support for native tab groups does finally arrive in my Firefox, which I don't yet have, I may look at switching to Firefox's native vertical tabs and using tab groups.
Maybe that'll give me the same stuff that I have now.
Leo Laporte
I hate it when they do progressive rollouts like this.
Steve Gibson
Isn't it?
Leo Laporte
You just never know what features you have, right?
Steve Gibson
And Leo, how hard can this be? It's not like, oh, going to upset people or we're going to break.
Leo Laporte
I think it's more than "is this going to work?" I think it's more like people go...
Steve Gibson
Oh my God, what happened? I just... yet two tabs merged. How do I unmerge them?
Leo Laporte
Wow.
Steve Gibson
Well, anyway, earlier I said that the feature that appealed to me most was the ability to use Firefox's URL field as a quick ad hoc calculator. And even though.
Leo Laporte
Yeah, that puzzles me, tell me how you do that works.
Steve Gibson
You just start typing. Like, 35 plus 7.
Leo Laporte
That's a weird feature.
Steve Gibson
Okay, I kind of like it. Anyway, that one was enabled for me, and it worked, and it couldn't be any easier. Mozilla writes, "You can now use the Firefox address bar as a calculator. Simply type an arithmetic expression," and you can use parenthetical, you know, prioritizing and so forth, "and view the result in the address bar dropdown. Clicking on this result will copy it to your clipboard."
Leo Laporte
I wish I had known this when I was doing my taxes yesterday.
Steve Gibson
There you go.
Leo Laporte
Trying to fire up a calculator.
Steve Gibson
Anyway. Yes, and now, you know, I'm often reaching for the calculator that's located next to me at my workspace. In fact, here it is. I've never talked about this. I love this. This is from the SwissMicros guys.
Leo Laporte
Oh, that's cool. Is that an.
Steve Gibson
It's an HP51 clone, or it's an HP35 calculator clone? So it's RPN. It's just an extremely nice calculator. Took me a little while to get used to it. You can see that it's got, next to this, the AB up there, A, B, C, D, E, F. So it's also hex, so it's a multi-base calculator. Anyway, I just love this little thing. It took a while to get used to it, but I've got one in each of my locations. Anyway, so my point is I always have a calculator next to me, but you know, sometimes if I just want to do a quick little bit of math, it's now in the address bar. Also, what I noted was that this integrated calculator appears to be part of a larger address bar refresh and update, even though they sort of listed it on its own. Mozilla explains that we now have a unified search button: "A new easy-to-access button in the address bar helps you switch between search engines and search modes with ease. This feature brings the simplicity of mobile Firefox to your desktop experience," they said. So I guess mobile Firefox has already had that, and now we're getting it on our desktop. Search term persistence, they said: "Now when you refine a search in the address bar, the original term sticks around, making it easier to adjust your queries and find exactly what you're looking for." They also have a contextual search mode. This was freaky. Firefox detects if you're on a page that has search capability and offers that option to you directly, to search from the page's engine from the address bar. What? Anyway, they said use this option at least two times and Firefox will suggest adding the search engine to your Firefox, which, that was interesting. And then also, finally, intuitive search keywords. You can access various address bar search modes with convenient and descriptive keywords. So for example, you start with marks, orbs or actions, and the search will then be aimed at or focused on that specific aspect of Firefox.
So anyway, that contextual search mode, where Firefox is supposedly detecting pages which offer their own searches, to me, that's surprising and seems both aggressive and error-prone. So it'll be interesting to see how that all works out. Anyway, beyond all this, Firefox 137 now identifies all links within the PDFs which its integral PDF viewer displays, turning them into hyperlinks. So it'll do that for you. You don't have to, like, you know, copy and paste them and all that. It's also possible to add your own signature to PDFs without leaving Firefox, and signatures can be saved for reuse later. And also Firefox now provides native support for the HEVC media codec under Linux. So anyway, it occurs to me that all this further supports my ongoing contention that our web browsers have become incredibly complex and only continue to become more so.
Leo Laporte
A guy who uses a Reverse Polish Notation calculator, ladies and gentlemen. That is true. By the way, I did the search. I found SwissMicros. Oh, they have a whole bunch of different models.
Steve Gibson
They do. Now, those little credit-card-size ones have very cheesy keyboards.
Leo Laporte
So. No, I don't want. Oh, you already ordered one. It sounds like.
Steve Gibson
Oh, I own them. I own them all.
Leo Laporte
I want to get the DM42N that's.
Steve Gibson
And it's got, they have nice fonts. They've got, I mean, there's just so much in them.
Leo Laporte
These guys connect them to external storage.
Steve Gibson
Yes, yes, they... and you're able to upgrade their firmware. They have a USB port along the top. This is pretty cool. They're neat people.
Leo Laporte
I might have to buy one. I have no use for it. Zero. I still might have to buy one.
Steve Gibson
Well, there's always tax time next year, Leo.
Leo Laporte
That's right. Oh yeah, that's what, that's what I bought it for, honey. It's for taxes. That's it.
Steve Gibson
No, I'm, I'm, I am, you know, often doing things. I'm computing, you know, currents and microamps.
Leo Laporte
And Millions never showed me that before. I don't think.
Steve Gibson
I never have. I've never mentioned it.
Leo Laporte
Very cool.
Steve Gibson
Yeah, they are. They're neat people. I mean, it is a beaut. There it is. A well-made... because you can no longer get, which just boggles my mind, any of the good HP scientific calculators. The financial calculator was like the... is it the 15 or the 12? I don't remember. Not the 12. Anyway, there's the financial calculator that HP still makes, but they've given up. All the scientific ones are now algebraic notation instead of RPN, and they've got big screens that do graphics and all this crap no one really needs. They're just gimmicks. And so these people, they're the real deal. So I mean, although we have 42 for our iPhone, and so I wonder. I mean, that's a gorgeous calculator too.
Leo Laporte
Yeah. So I'll put it next to my slide rule. I should have a.
Steve Gibson
Nice to have clicky buttons. This thing's got beautiful. Really nice, you know, keys. It's pretty cool.
Leo Laporte
I don't know what the price is because it's in Swiss francs and I hate to see what it's a couple.
Steve Gibson
Hundred dollars and it takes a while to get it to you but. And I don't know what tariffs.
Leo Laporte
Tariffs will do.
Steve Gibson
Trump has aimed at Switzerland, but, you know, I haven't heard them mentioned, so maybe they're just going to get the blanket tariffs. But it's got semiconductors in it. We'll be talking about that a little bit later, because I was induced to upgrade my phone. Let's take a break. We're half an hour in, and we're going to talk about Apple and what they just did with their most recent upgrade, which caught some people by surprise.
Leo Laporte
Yeah, I know. By the way, there was one other reason that you might want this reboot thing after three days. If somebody steals your phone, of course it's great to wipe the memory, but if somebody steals your phone and they don't use it, or you lose it and they don't use it, it's nice to have it go into the fully locked mode.
Steve Gibson
Yes.
Leo Laporte
After a reboot because then it requires the password and all that stuff. I'm sorry, I'm a little busy right now ordering something from Switzerland. Don't. Oh, he, he would want, he would want to do an ad right now. All right.
Steve Gibson
And take a look at all the... for our listeners who are interested, it's SwissMicros.
Leo Laporte
It's pretty cool.
Steve Gibson
All the documentation is there. I mean, they're engineers. They're Swiss engineers.
Leo Laporte
Oh, yeah. Look at the people who are making your SwissMicros. I mean, this is a serious device here.
Steve Gibson
That's, that's what happens when we give up China. Leo is back to we'll make iPhones.
Leo Laporte
In the U.S. sure we will. Sure we will.
Steve Gibson
Put some wheels on it.
Leo Laporte
Wow. Let me... Yes. Let's talk about the advertiser for this segment of Security Now. So you can get right back to our Device Bound...
Steve Gibson
You can get back to ordering your next.
Leo Laporte
I already bought it. It's too late. I got it. You gotta work fast on this show. I bought the 42N. I thought why not just get the grandpa right? No idea what it's gonna cost me. What do I have?
Steve Gibson
I got the DM32, whatever that is.
Leo Laporte
Yeah, they both have RPN. I want to write little software, fully programmable. Yeah.
Steve Gibson
Oh, and yeah, it's cool.
Leo Laporte
We were talking about Forth last week. It's kind of like having a little Forth calculator in your house. Ladies and gentlemen, our show today, brought to you by Vanta. Okay, this isn't like chocolate for Easter, but it's almost as good. Vanta, you need it. It's compliance that doesn't SOC too much. That's a great slogan. I want a T-shirt that says that. Vanta is a trust management platform that helps businesses automate security and compliance. This is fantastic. It lets you demonstrate strong security practices, which is very important to your customers, your partners. It lets you scale. Demonstrating trust to customers and prospects is critical to closing deals these days. But it can also be a big time sink. Right. It's time-intensive, it's complex, it's expensive. Not Vanta. Vanta turns your GRC programs into growth drivers, all while making it easy to manage your security risks. Vanta makes it easier and faster, by the way, by automating compliance across 35-plus frameworks, almost certainly one that you use. The ones that you use, they automate up to 90% of the work for in-demand frameworks like SOC 2, ISO 27001, HIPAA, and on and on and on, 35 plus, right, of them. This gets you audit-ready in weeks instead of months. Saves you up to 85% of associated costs. Vanta pays for itself. Plus Vanta scales with your business, helping you continuously monitor compliance, unify risk management and streamline security reviews. Vanta, V-A-N-T-A, saves your business time by centralizing security processes and helping complete security questionnaires up to five times faster. Using automation and AI, Vanta helps companies save time, save money. A recent IDC white paper found, get this, Vanta customers can achieve $535,000 a year in benefits. The platform pays for itself in three months. 10,000-plus global companies trust Vanta. Atlassian, Quora, Chili Piper, Factory, they all use Vanta. You should use Vanta. For a limited time...
our listeners get $1,000 off Vanta if you go, but you gotta go to this address: vanta.com/securitynow. That's V-A-N-T-A dot com slash securitynow, $1,000 off. Make your compliance life a lot easier. Vanta.com/securitynow. We thank them so much for their support of Security Now with Mr. Stephen Tiberius Gibson. So this, the DHL delivery alone, is 70 Swiss francs, so I may get it someday in the next six months.
Steve Gibson
DHL is a good delivery though.
Leo Laporte
That's, oh yeah, for international you kind of have to use DHL. Yeah.
Steve Gibson
Okay, so a posting over on OSXDaily had the headline of a public service announcement. The headline read, PSA: Automatic Update enables itself with macOS Sequoia 15.4 and iOS 18.4. Now maybe the guy got up on the wrong side of the bed, as they say. I'm going to share his posting there. There's a grain of this that I kind of agree with, but not quite to the extent that, I mean, he's really bent. So he writes, this is important and relevant to most Mac, iPhone and iPad users: Installing the latest updates for macOS Sequoia 15.4 for Mac, iOS 18.4 for iPhone and iPadOS 18.4 for iPad will forcibly enable automatic software update for system updates on your device. Okay, now given the fact that updates can again be turned off, his use of the phrase forcibly enable seems maybe a little over the top. That implies that it would no longer be possible to again disable automatic updates, which is indeed possible anyway. The piece continues, some people may already have these auto update features enabled on their devices and not mind this change. Who wouldn't, nor would they notice a difference. Whereas there may be other people who intentionally disable automatic update and do not wish to have the auto update feature forced upon their devices. Oh well, he writes. With automatic updates enabled, this means your Mac, iPhone or iPad will automatically download and install system software updates onto your devices. Yeah, no kidding. As they become available without your approval or prompting.
Leo Laporte
Well, that's not true.
Steve Gibson
I know. Automatic updates may be problematic for many reasons. For one, he writes, not everyone has the bandwidth available, in their brain apparently, to automatically download huge software updates. Additionally, not everyone wants to install the latest software updates when they become available. Many users prefer to wait a little while to see if there are any critical bugs or issues discovered before putting the latest system software on their device, he says. And this is a reasonable caution, though it's not common. Apple has dumped out some bad software updates in the past that had to be pulled due to various issues.
Leo Laporte
That's true.
Steve Gibson
Yeah. And of course many Mac, iPhone and iPad users just simply prefer to manually update and manage their devices on their own without the computer or device doing it for them.
Leo Laporte
I've always had automatic turned on and it always says there's an update. Would you like to proceed? It's just downloading it ahead of time, right?
Steve Gibson
He says, and get this, Leo: But your personal computing behaviors and your opinion are irrelevant, as Big Cupertino knows what is best for you, your iPhone, your Mac and your iPad. Right? As we know, for the vast majority of their users, they probably do know what's best, he says. He finishes, Apple has decided that you will have automatic updates enabled on your devices, and your installation of iOS 18.4, macOS Sequoia 15.4 or iPadOS 18.4 was apparently used as an agreement to that setting change. If you don't like that, you can change it back and disable automatic system software updates. Well, and the rant continues, believe it or not.
Leo Laporte
And by the way, you still can turn it off. I'm just checking right now.
Steve Gibson
Of course you could turn it off.
Leo Laporte
I did too.
Steve Gibson
I did too. I went over and looked and, like, okay, there's a big switch. Yeah, he says. Anyway, we don't learn anything more from him beyond the fact that this author really, really dislikes the idea that Apple might feel that having automatic updates enabled for the masses is sufficiently important that it should be done. I can certainly agree that it would have been polite for Apple to ask before re-enabling disabled automatic updates, since if Apple were to find them disabled on a device, it would have had to be deliberate on the part of the device's owner to turn them off. But perhaps there are instances where that could have been malicious. I don't know. Maybe malware gets in and flips that off.
Leo Laporte
Good point.
Steve Gibson
In order to.
Leo Laporte
That's exactly why they do it.
Steve Gibson
Yes, yes.
Leo Laporte
We've seen that kind of behavior in the past.
Steve Gibson
Yes. And there might be something that they have done with this update that they might actually need to emergency rollback. But if automatic updates were off, they wouldn't be able to. So maybe they're saying, look, look, we know we need to just kick this on again. So, you know, for safety's sake. In any event, since I know there are many listeners of this podcast who do strongly prefer taking and having manual and deliberate control over the updating of anything, I wanted to make sure that everyone knew that the move to these latest macOS, iOS and iPadOS releases will have re-enabled automatic updates, if we believe this guy. I don't know, because I leave mine on. My phones are set to automatically update. So it was on after the most recent update and I don't know if it would have turned it off.
Leo Laporte
Turned it off? Yeah, Benito's saying he turns updates off always on all of his devices. I don't know. Did you notice 18.4 turning it back on again? You know, there is something I do get upset about. They turn on Apple intelligence every single update. That's like a 5 or 6 gigabyte download that you should get upset about because there's no security reason for that.
Steve Gibson
Yeah, let's let this guy know because that would be good for another big rant.
Leo Laporte
Yeah, he's got a whole nother lengthy blog post.
Steve Gibson
Yeah, that's exactly right. Okay, now, I also want to take a moment to note that I'm now the proud owner of a shiny new iPhone 16 Pro.
Leo Laporte
Ooh, fancy.
Steve Gibson
Now, as I've mentioned before, I had been happily using an older iPhone 12 Pro without any problems, but I became concerned last week over the threat of Chinese import tariffs significantly inflating the prices of iPhones. The threat appeared to be real, with Apple in a panic, you know, flying iPhones in from India and, like, all kinds of, you know, kerfuffle about this. But after poking around Apple's site for a while, like looking at the 16 and, okay, and you know, my 12 still working good, I decided that my older iPhone, which was, as I said, still working just fine, would almost certainly last me through whatever tariff turbulence we were going to be experiencing, even for the next few years. I later mentioned this to my wife, Lori, whose response was, my God, buy yourself a new phone. Yours is old and small.
Leo Laporte
She was talking about the phone.
Steve Gibson
Yes.
Leo Laporte
Now see, this is why we get married. She's absolutely right. I would have said the same thing. You deserve a modern phone, Steve.
Steve Gibson
Right. I was driving a 20-year-old BMW when we met and she was a little wondering. She's like, look, that's a little sketchy. Why are you driving? You know, do you have any resources? Do you, you know, am I going to be picking up the tab?
Leo Laporte
Honey, I broke down on the 405. Can you come get me?
Steve Gibson
So last Thursday I returned to the Apple Store and I did that. Now, as we know, I'm not somebody who always needs to have the latest and greatest. My stash of Palm Pilots in the refrigerator is testament to that.
Leo Laporte
Oh, I hope Lori doesn't find those.
Steve Gibson
I'm also a testament to the "if it's not broke, don't fix it" school of thought. So I usually use electronics until they're worn right down to the nub. But I have to say that the 16 is a lot more responsive than the 12 was. And since I no longer wear a watch, every time I saw Lori's phone displaying the time of day on its dim OLED screen, I thought that was a terrific feature. You know, we purchased hers for her birthday and she lives on that thing way more than I do on mine. She'll, I don't get this, she'll be sitting right next to a booted-up desktop computer with a full-size screen and a keyboard that actually invites typing rather than actively fighting against your data entry. And she'll be squinting at websites on her phone.
Leo Laporte
That's because she's a modern woman, Steve. She's modern.
Steve Gibson
I don't get it. In any event, last Friday, the day after I purchased the 16, the news broke that imports from China of smartphones and electronics were being exempted from the 154% import tariffs that had formed part of my purchase motivation. But then, over this past weekend, the US Commerce Secretary, Howard Lutnick, explained during an interview on ABC's This Week Sunday morning show that in another month or so a new set of tariffs specifically targeting all semiconductor imports would be taking effect and that smartphones would be caught up in that.
Leo Laporte
Sigh.
Steve Gibson
Now, a few months ago, I purchased a new set of servers for GRC that I have not gotten around to deploying yet. But they're here. When the second one of an earlier set of five died a few months ago, I decided that I needed to be ready in case I lost another one. So now wait, wait a minute.
Leo Laporte
You buy five at a time?
Steve Gibson
I had five running.
Leo Laporte
Do you run. Oh, you have five servers all at once?
Steve Gibson
Yes.
Leo Laporte
Are they load balancing?
Steve Gibson
No, a couple are running, I think three are running Windows, two are running Unix, and they're in various states. They're, you know me, security. So they're physically isolated. I'm not sharing function between a secure server and a server that's running PHP.
Leo Laporte
Each does something else.
Steve Gibson
Yes, okay, yes. So they have very like an image server and.
Leo Laporte
Right, okay, yeah.
Steve Gibson
But also security boundaries. As I said, the server that I have that has PHP on it, it's all by its lonesome and it's got its own physical firewall. There are only a few things that it's able to do because PHP, and we're going to get to the audit which demonstrates the wisdom of that. So. And the fact that I myself just had to update PHP because of that CGI vulnerability that my version of PHP had at the time that this was happening. So anyway, so I've got three new, brand new servers and I'm now somewhat more glad that I already have those in hand in case their cost might soon be increasing. You know, they were not inexpensive and it appears that a few months from now they might become more expensive.
Leo Laporte
Can I ask you which company you. You buy from? I mean, just.
Steve Gibson
Yeah, the servers that have been dying were Intel motherboard. I know. You know, Intel, seriously, the best I could get servers at the time. And now I've switched to Supermicro because I do have a Supermicro machine that has been going for about 40 years and it just will not die. So I thought, okay, I'm going to go back to the ones that seem more solid. Thank you.
Leo Laporte
A lot of people would be very interested in your choice, so thank you.
Steve Gibson
I've looked at the Intel motherboards and I'm no longer impressed with their build quality. You know, they've got.
Leo Laporte
They used to be the king of the hill, didn't they?
Steve Gibson
I know. And that's why I thought I'm going to go with the best because, you know. And they end up paying for themselves in the long term. But two out of the five of these identical Intel servers just stopped working.
Leo Laporte
Do you buy towers or blades, or how, what form factor?
Steve Gibson
Do you.
Leo Laporte
They're all.
Steve Gibson
Originally I had three 2U Intel servers and these are all 1U. The other five are now 1U servers, and they all have four 3.5-inch drives across the front, all running RAID 6 with physical RAID 6 controllers. Because I'm still.
Leo Laporte
And is this in your living room where.
Steve Gibson
Oh, no. These are all over at Level.
Leo Laporte
They're over at Level 3.
Steve Gibson
Oh, in their data center.
Leo Laporte
Their colo. Okay. Yep.
Steve Gibson
Yeah. Anyway, so thank you for sharing that.
Leo Laporte
Yeah, well, you should have. I made on my website. I use this page. I don't use anything nearly as interesting as you do, but for people who are interested in what microphones we use and stuff, you should make a little. I use this page. I think that'd be interesting.
Steve Gibson
Well, what's really interesting is that I'm. I also found myself purchasing some. Oh shoot, now I'm forgetting. I ended up using a router that we've talked about in the past.
Leo Laporte
MikroTik.
Steve Gibson
No, it wasn't Ubiquiti. Yeah. Yes, it was Ubiquiti.
Leo Laporte
Yeah, I love my Ubiquiti.
Steve Gibson
There was one particular family of Ubiquiti routers that allowed me to do the static port address translation that I really need to do. I have some other big iron equipment that I was using back in the day and one of them is still alive. Several of them have died and I thought, okay, I need to have this functionality, and Ubiquiti is the router that has it, you know, and I'm, boy, am I impressed with their technology. Yeah, yeah, I'm really happy, you know. You'll remember this. One of the things, speaking of, you know, what hardware I'm using. The most famous thing I did back in my Tech Talk column days on InfoWorld was Steve's Dream Machine. Where, you know, I chose this motherboard, these drives, this controller, you know, this keyboard, you know, and I basically kitted out, like, if you were going to build the ultimate machine. That was also tricky because it was like, okay, these drives say they're only this big, but they actually have these extra cylinders on them and you can format them to this size and get the maximum size partition and blah, blah, blah. You know, I really spent a lot of time, you know, finding, like, the best value, not the most expensive, but the best value in each different category. And anyway, that was popular then. Anyway, what I want to say is that I have no crystal ball and any rational actor looking at the past month of tariff actions would be foolish to place any large bet, because who knows what's going to be true in the next hour. I'm quite certain that no one really knows what the future holds, but I, you know, I very clearly heard the US Commerce Secretary state that the administration's intention is to use higher import tariffs on all products containing semiconductors to force a shift in semiconductor manufacturing from offshore to the US. So, independent of the practicality, feasibility, and sanity of any of that, we may indeed see the cost of devices containing semiconductors rising.
What I would be willing to bet on is that prices are certainly not going to be dropping anytime soon. I don't see any way that happens. So I just wanted to take a moment to talk about this. Since I'm now more glad than I was that I had purchased those new servers a few months back. I would likely be doing that now for strategic savings if I had not already. I certainly don't know any more about what's going to happen than anyone else, and this could all change tomorrow. That's the nature of where we are today. But if any of our listeners were waiting on the purchase of any big ticket items containing semiconductors, it might be worth considering that prices may indeed be higher six months from now than they are today. I would certainly not place any bets on them being lower. So, you know, as for my new iPhone 16 Pro, if Apple ever does get around to deploying some useful AI, I'll be glad to have a device that allows me to experiment with it. My 12 wouldn't have. And in the meantime, it's nice to have a dim, dim clock on the lock screen and to be able to edit text messages that I've already sent. So happy that I, I made that jump.
Leo Laporte
Good.
Steve Gibson
And yes, Leo, we both have wives that said, oh my God.
Leo Laporte
Come on, Steve, you deserve it. You get it.
Steve Gibson
Your phone is old.
Leo Laporte
I mean, I understand the desire to run something into the ground. I mean, still, I mean, you don't want to use the latest Windows either, so I understand that that's commendable. But you deserve a nice phone.
Steve Gibson
I just discovered yesterday that my iPhone 6, it used to be all pooched out because the battery expanded, but it turns out that goes down over time. So maybe I can bring that back.
Leo Laporte
No, no, no, no. And don't bring it on an airplane either. Oh my God.
Steve Gibson
Okay, so we were just talking about Apple silently enabling updates. Microsoft also recently made some news for Windows 11 Enterprise and Education users. And I'll bet you guys are going to be talking about it tomorrow on Windows Weekly. Windows 11 Enterprise and Education users will be getting updates on steroids in the form of the much anticipated no-reboot-required hotpatching. Hallelujah. Yeah. Microsoft will then only require a once-per-quarter full cold reboot, with all of the other interim updates able to be applied directly to Windows running in memory. So in other words, reboots drop from 12 a year to 4 per year. So not over, but, you know, only one third as often. Microsoft's announcement blog posting about this is titled Hotpatch for Windows Client Now Available, where David Callahan, writing for the Windows IT Pro blog, says: Hotpatch updates for Windows 11 Enterprise version 24H2 for x64 (both AMD and Intel) CPU devices are now available. With hotpatch updates you can quickly take measures to help protect your organization from cyberattacks while minimizing user disruptions. Hotpatching represents a significant advancement in our journey to help you and everyone who uses Windows stay secure and productive. So let's talk about the benefits, he writes, how it works, and how you and your organization can take advantage of this advancement as part of your Windows servicing journey. Hotpatching offers numerous enhancements when it comes to keeping Windows client devices up to date. Immediate protection: hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities. Consistent security: devices receive the same level of security patching as the monthly standard security updates released on the second Tuesday of every month. And minimized disruptions: users can continue their work without interruptions while hotpatch updates are being installed.
Hotpatch updates don't require the PC to restart for the remainder of the quarter, he says. Note: OS features, firmware and/or application updates may still cause a restart in the quarter. The way it works is that you'll first create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console. All eligible Windows 11 Enterprise version 24H2 devices managed by this policy will be offered hotpatch updates in a quarterly cycle. The hotpatch... And one also thinks, Leo, that maybe at some point in the future, once hotpatches have been proven and seen not to cause any trouble, Microsoft could certainly be pushing them out more frequently than quarterly.
Leo Laporte
That's a good point.
Steve Gibson
Yes, more frequently than monthly. If something bad happens and they want to immediately fix it, it's like, why not? It doesn't require, you know, any big change. So they said the hotpatch updates follow the same ring deployment schedule as standard updates. Devices receiving the hotpatch update will see a different Knowledge Base number tracking the hotpatch release and a different OS version than devices receiving the standard update that requires a restart. Hotpatch updates operate on a quarterly cycle, starting with a cumulative baseline month. So they said in January, April, July and October, so four times per year, devices install the monthly fixed security update and restart. This update includes the latest security fixes, cumulative new features and enhancements since the last cumulative baseline. Then in the subsequent two months, devices receive hotpatch updates which only include security updates and do not require a restart. These devices will catch up on features and enhancements with the next cumulative baseline month, which is to say quarterly. This cycle, he wrote, reduces the number of required restarts for Windows updates from 12 to just four per year, thanks to eight planned hotpatch updates annually. To enable hotpatching for Windows client devices, you'll need a Microsoft subscription that includes Windows 11 Enterprise E3, E5 or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription; devices running Windows 11 Enterprise version 24H2 build 2612033 or later and with the current baseline update installed; an x64 CPU, including AMD64 and Intel. And he said ARM64 devices are still in public preview but coming. So not available yet, but that'll happen. And finally, Microsoft Intune to manage deployment of hotpatch updates with a hotpatch-enabled Windows quality update policy.
Okay, so we've known for some time that patching Windows on the fly without rebooting is both possible and practical, since this has been an aftermarket feature that the gang over at 0patch have been offering for some time. So, you know, they do in-RAM patching of DLLs that are loaded on the fly. So in instances where Microsoft has strategically decided to abandon Windows security, the ongoing availability of those 0patches may be a godsend. But bringing this to Windows Enterprise and Education client machines means that millions more systems will be able to receive the benefits of on-the-fly hotpatching. Microsoft is not yet suggesting that this boot avoidance technology might be available for their latest server platforms, but boy, avoiding unnecessary server reboots would appear to be a nice feature for the future. You know, not having server downtime. I don't have any problem with a brief once-a-month reboot of any of my workstation machines. You know, that's just not a problem for me. And, you know, Microsoft has already invested heavily in minimizing the time required to install updates; as we know, they no longer require the huge amounts of time they once did. I remember, like, sitting around for hours while this, you know, something spun around on the screen or we watched dots chasing each other. You know, it's gotten a lot better. So that, for me, the monthly updates aren't causing much trouble. Okay, now a little bit. Just checking back briefly on where we are with Oracle before we take another break. The TL;DR on this is they're still lying and denying, which is just, it's like, to everyone's amazement. Security researcher Kevin Beaumont, who we've followed often because he's very involved in the industry, published on Medium from his doublepulsar.com site under the headline "Oracle attempt..." Oracle: he uses the term "Oracle attempt."
Leo Laporte
That's British. Yeah, that's how the British do it. We companies are singular.
Steve Gibson
Yeah.
Leo Laporte
In other countries it's often it's like.
Steve Gibson
You know, data technically is plural, but I never get it right.
Leo Laporte
Exactly.
Steve Gibson
Anyway, so he says, Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service. Kevin wrote, being a provider of cloud SaaS (software as a service) solutions requires certain cybersecurity responsibilities, including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers. Back on March 31, BleepingComputer ran a story about a threat actor named rose87168 claiming to have breached some Oracle services inside *.oraclecloud.com. Of course, our listeners may recall that the fact-digging Lawrence Abrams did for BleepingComputer, which we talked about, was so thorough as, in my appraisal, to cross the line from evidence to proof of Oracle's apparently deliberate obfuscation and misdirection about the incident. So Kevin continues, Oracle told BleepingComputer and customers, quote, there has been no breach of Oracle Cloud, period. The published credentials are not for the Oracle Cloud, period. No Oracle Cloud customers experienced a breach or lost any data, period. He says the threat actor then posted an archive.org URL and provided it to BleepingComputer, strongly suggesting they had write access to login.us2.oraclecloud.com, a service using Oracle Access Manager. This server is entirely managed by Oracle. Oracle have since requested archive.org take down the proof and the Wayback Machine no longer shows the page. The threat actor then provided a several-hour-long recording of an internal Oracle meeting, complete with Oracle employees talking for two hours. The two-hour video includes things like accessing internal Oracle password vaults and customer-facing systems. Both Hudson Rock and BleepingComputer were then able to confirm with Oracle customers that their data, including staff email addresses, was in data released by the threat actor.
The threat actor rose87168 is still active online and releasing more data and threatening to release more. They've also released data to cybersecurity threat intelligence providers and data released to a journalist for validation. It has now become 100% clear to me that there has been a cybersecurity incident at Oracle involving systems which processed customer data. For example, the threat actor has publicly provided complete Oracle configuration files, current. Also, as one example, they provided Oracle web server configuration files. All the systems impacted are directly managed by Oracle. Some of the data provided to journalists is also current. This is a serious cybersecurity incident which impacts customers in a platform managed by Oracle. Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers and what they're doing about it. This is a matter of trust and responsibility. Step up, Oracle, or customers should start stepping off. Kevin then provides three updates. In update one he said, Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on Oracle Cloud by using this scope. But it's still Oracle Cloud services that Oracle manage. That's part of the wordplay. Second update: Although Oracle used the archive.org exclusion process to remove evidence of writing to one of the oraclecloud.com web servers, they forgot to remove a second URL that clearly shows the threat actor rose87168 having posted their email address on an Oracle Cloud page. And by the way, I went to that URL and it is still there. And I saw rose87168 proton.
Leo Laporte
mail posted there on an Oracle hosted page. So that's pretty conclusive.
Steve Gibson
Yes. And then the third and final update. Multiple Oracle Cloud customers have reached out to me to say Oracle have now confirmed, get this, Leo, Oracle have now confirmed a breach of their services. However, Oracle are only doing so verbally. They will not put anything in writing. So they're setting up meetings with large customers who query this. He writes, this is similar behavior to the breach of medical PII (personally identifiable information) in the ongoing breach at Oracle Health, where they will only provide details verbally and not in writing. Over on Mastodon, Kevin posted, and now a class action lawsuit has been filed against Oracle over a data breach at Oracle Health, which Oracle has not acknowledged in public. I have a link, if anyone's interested, to the class action breach court document PDF. He said, this Oracle thing keeps getting more and more wild. I've never seen a response so bad from a large organization. They're throwing their own security staff under the bus by having them face customers rather than the corporation actually take responsibility. And, you know, Oracle's handling of all this could be taught, and should be taught, as a short course in how not to ever handle a data breach. This whole business of only having verbal conversations and refusing to put anything into writing feels like attorneys being asked how to run a company. I'm not sure that's a formula for success. Through my years as a small businessman, I've had occasion to receive the advice of attorneys. I always thank them and pay them and carefully consider the value of their.
Leo Laporte
Advice and then move on.
Steve Gibson
Yes, but what they would advise often seems to follow reactions to worst case scenarios.
Leo Laporte
They're there to protect you from the worst.
Steve Gibson
Yes, whereas I found that being more open and trusting and optimistic has always worked better for me. One of our listeners, whose name is Keith, wrote from Canada. He said, hi Steve, thank you for covering the Oracle Cloud breach in the latest episode, highlighting the significance of the breach and the SEC violations. Given the OCI Classic breach, as they're dubbing it now, and the separate Oracle Health breach, I'm thoroughly confused on how they haven't had to disclose to the SEC. As a Canadian Oracle Health customer, it's very frustrating to me that they seem to be above SEC regulations and still refuse to disclose breaches to us so that we can be proactive in protecting our organizations. I'm a huge fan of you, Leo and the show. Thanks for everything you guys do.
Leo Laporte
Thank you.
Steve Gibson
And I wouldn't know what to tell Keith. You know, regulations only have teeth if they're backed up by the certainty of enforcement. And to say that things are somewhat confused in the US at this particular moment could safely be considered an understatement. Both our DOJ and SEC are currently preoccupied with trying to figure out which end is up and what their priorities should be. So it may be that Oracle lucks out on this one and that it slips by on the government side. But as I noted, US citizens have already filed lawsuits that may force depositions to be taken and place additional facts on the record, which ultimately makes enforcement, you know, a given. So we'll see. And Leo, before we talk about the problems over at U.S. Treasury, we need to take another break since we're now a little more than an hour in. Never a dull moment, my friend.
Leo Laporte
Never a dull moment, that's for sure. Well, let me talk a little bit about our sponsor, ThreatLocker, because I think this is something everybody should know about. ThreatLocker is zero trust, done right, and it's affordable, it's usable for your business. Look, you don't have to listen to the show to know that ransomware is a massive problem. It's not just businesses, it's schools, it's government, city governments, it's infrastructure they're attacking with phishing emails, infected downloads, malicious websites, RDP exploits, you name it. You do not want to be on that list. You do not want to be on that list. But fortunately, you don't have to, thanks to ThreatLocker and their zero trust platform. Here's the key. It takes a proactive, and this is it, these are the three words, deny by default, deny-by-default approach. It blocks every unauthorized action, protecting you from both known threats and completely never-seen-before zero-day unknown threats, right? Trusted by global enterprises like JetBlue. And I mentioned infrastructure. It's so important. You know, when the Colonial Pipeline went down, people realized this isn't just attacking businesses, this is attacking vital infrastructure. You know who else uses ThreatLocker? The Port of Vancouver. Because they're vital infrastructure. ThreatLocker shields them from zero-day exploits, supply chain attacks, and, even better for compliance, provides a complete audit trail. Everything that happened, everybody who had access, when they had access. ThreatLocker's innovative ring fencing technology, that's what they call it, Ring Fencing, isolates critical applications from weaponization. It stops ransomware in its tracks and it limits lateral movement within the network. That's really the threat. We were talking a few weeks ago about the ransomware gang who got into a system; they were finding it hard to find an attack surface. Then they found a camera, because they were able to move laterally, right?
And they were able to access this camera that was running Linux and it had enough storage. They put their ransomware on that and took the whole enterprise down from the camera. See, Threat Locker prevents that. You don't have access to the camera. You can't touch the camera. Threat Locker works across all industries. It supports Mac environments as well as Windows environments. You get 247 support based right here in the US you get complete comprehensive visibility and control. Mark Tolson is the IT Director for the city of Champaign, Illinois. He's in charge of keeping that whole city up and running. Right. How does he do it? He protects him with Threat Locker. He says, quote, threat Locker provides that extra key to Block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing that Threat Locker will stop that. Wouldn't you like that for your business? Stop worrying about cyber threats. Get unprecedented protection quickly, easily cost effectively. With Threat Locker. And I mean cost effectively. Go check it out. I was blown away. With Threat Locker you get everything you need to protect yourself from ransomware. Visit threatlocker.com TWIT get a free 30 day trial. Not just ransomware, any kind of malware. Learn more how Threat Locker can help mitigate unknown threats and ensure compliance. That's just a nice little extra threatlocker.com twit we thank him so much for supporting the work Steve's doing. What's that?
Steve Gibson
Those are pictures of kids at the Pawnee High School.
Leo Laporte
See, I know that's terrible when that.
Steve Gibson
I know.
Leo Laporte
So these bad guys, they get in there, they. Because they can make lateral movement. They can wander around, they can find anything they want, exfiltrate it. Blackmail, you say? Oh we don't. You don't want that private information to leak out. You don't want that as embarrassing emails to leak out.
Steve Gibson
There's, they're like fifth grader headshots that they posted publicly.
Leo Laporte
Yeah, yeah, yeah, yeah. grc.sc/1019 if you want to see something terrifying. Geez Louise.
Steve Gibson
Okay, so the United States Treasury has something known as the Office of the Comptroller of the Currency, OCC for short. A couple of months ago, in January of this year, CISA discovered that the emails for nearly 100 of the OCC's staff had been intercepted since the breach originally occurred. Get this, Leo. Back in June of 2023, nearly two years, encompassing more than 150,000 pieces of email, someone has been rummaging around in there. None of the nearly 100 staffers at the U.S. Treasury's Office of the Comptroller of the Currency have enjoyed any actual email privacy. It's all just been an illusion. And Treasury does appear to be either a high priority target or to have less than adequate security, since the OCC breach is the third Treasury office to recently disclose a breach. Before this we had the Office of Foreign Assets Control, OFAC, and the Committee on Foreign Investment in the U.S., CFIUS. For both of those two previous intrusions, the U.S. government has now credited the Chinese backed hacking group Silk Typhoon. Now this news connected with something I heard over the weekend. An Asian analyst was interviewed by Fareed Zakaria during his Sunday morning show on CNN. She made the comment about how at some point, as tensions between the US and China escalated, China might decide to weaponize all of the data they'd been collecting through their pervasive cyber intrusions into the U.S. That gave me a bit of a chill because unfortunately it really made sense. We've seen a great deal of evidence of Chinese, apparently state sponsored, actors rummaging around inside US government and industry networks, but nothing overt and obvious has come of it. It might be that an "attack" as such, and I have that in quotes, would take the form of using all of the information that's been gleaned against US interests. In other words, weaponizing all of that data. We don't know, you know, that this recent and long running U.S. Treasury Office of the Comptroller of the Currency email breach was the same as who previously was found to have breached those other two U.S. Treasury offices. So far there's been no attribution, but at this point it would almost be surprising if it wasn't this Silk Typhoon group backed by China. So it would be so much better if we could all just get along. That doesn't seem to be happening though, sadly. There's some news on the Apple versus the UK and what Apple will do about the UK's demands to be able to obtain the stored iCloud data for anyone in the world they request. AppleInsider's headline was "UK iCloud backdoor mandate hearing must be made public eventually." They wrote, after a legal challenge by Apple, the hearing about blowing open Apple's iCloud encryption in the UK for the sake of national security will not be kept secret, but it's not clear when the details will be made public. After the hearing about a mandated backdoor happened behind closed doors, Apple very nearly immediately filed an appeal with the backing of most of the world's government's privacy advocates and journalism organizations. That appeal has been heard and at some point the results of the hearing will be made clear. The Investigatory Powers Tribunal rejected claims from the UK government that national security would be hurt by revealing the results of the hearing or exposing who attended the hearing. In short, the appeal found that there was no reason to restrict what it calls open justice. So the results of the hearing must be made clear in due time. It's not clear when that will happen, as case management orders will be made only after Apple and the UK government have time to consider the ruling and proposed drafts. So at least we're gonna find out what that, you know, is about. Basically we've got bureaucracy. Whatever's gonna happen will apparently grind away slowly. 
But the fact that the UK government now knows that it will not also be able to conduct everything in secret may hopefully dampen their zeal somewhat and rein them in. What's interesting about this is that there's no middle ground here. There's no gray area. UK users either will or will not have the ability to enable Apple's Advanced Data Protection for their stored iCloud data. It seems unlikely in the extreme that the UK's demand to be able to obtain the data belonging to anyone they choose anywhere in the world has any chance of ever happening. But they might. They might well force Apple to disable ADP for citizens in the UK. We'll see. But again, the only good thing about this is that it's black and white. That is, either you have it or you don't. So hopefully the fact that there's a sharp point on this will help, you know, a clean decision, a clean and clear decision, to come out of all this. Now I missed this news, this next news, when it happened 10 days ago, but I felt the need to come back to put it on everyone's radar because of what Mozilla is doing with a suite of new cloud service offerings, which they're calling, unfortunately, Thunder Mail. Thunder.
Leo Laporte
That's what you need. Yeah, I've gotta say it right?
Steve Gibson
Oh, thank you. I will need a you again when we're talking about Ross Komnanzor.
Leo Laporte
I'm sorry.
Steve Gibson
Oh yeah. We have Thunder Mail and Thunderbird Pro. I'm sure this will be of interest to many of our listeners for much the same reason we choose to use Mozilla's Firefox. So Mozilla wrote. Today we're pleased to announce what many in our open source contributor community already know. The Thunderbird team is working on an email service called Thunder Mail.
Leo Laporte
Good. Another way to make money. That's good.
Steve Gibson
Yes, yes, exactly, exactly, Leo. As well as file sharing, calendar scheduling and other helpful cloud based services that as a bundle we have been calling Thunderbird Pro. First, a point of clarification. Thunderbird, the email app, is and always will be free. We will never place features that can be delivered through the Thunderbird app behind a paywall. If something can be done directly on your device, it should be. However, there are things that cannot be done on your computer or phone that many people have come to expect from their email suites. This is what we're setting out to solve with our cloud based services. All these new services are or soon will be open source software under true open source licenses. That's how Thunderbird does things and we believe it is our superpower. It's also a major reason we exist: to create open source communication and productivity software that respects our users. Because you can see how it works, you can know what it's doing and that it's doing the right thing. The why for offering these services is simple. Okay, now the truth is they want to survive, but okay, they wrote. Thunderbird loses users each day to rich ecosystems that are both products and services, such as Gmail and Office 365. These ecosystems have both hard vendor lock-ins through interoperability issues with third party clients, and soft lock-ins through convenience and integration between their clients and services. It's our goal to eventually have a similar offering so that a 100% open source, freedom respecting alternative ecosystem is available for those who want it. We don't even care if you use our services with Thunderbird apps; go use them with any email client. No lock-in, no restrictions, all open standards. That is freedom. So what are the services they have? 
Thunderbird Appointment. Appointment, they wrote, is a scheduling tool that allows you to send a link to someone, allowing them to pick a time on your calendar to meet. The repository for Appointment has been public for a while and has seen pretty remarkable development so far. It's currently in a closed beta and we're letting more users in every day. Appointment has been developed to make meeting with others easier. We weren't happy with the existing tools as they were either proprietary or too bloated, so we started building Appointment. Then there's Send. Send is an end to end encrypted file sharing service that allows you to upload large files to the service and share links to download those files with others. Many Thunderbird users have expressed interest in the ability to share large files in a privacy respecting way, and it was a problem we were eager to solve. Thunderbird Send is the rebirth of Firefox Send. Well, kind of. We've rebuilt much of the project to allow for a more direct method of sharing files from user to user without the need to share a link. We opened up the repo to the public earlier this week, so we encourage everyone interested to go and check it out. Thunderbird Send is currently in alpha testing and will move to a closed beta very soon. Thunderbird Assist. Assist is an experiment developed in partnership with Flower AI, a flexible open source framework for scalable privacy preserving federated learning that will enable users to take advantage of AI features. The hope is that processing can be done on devices that can support the models, and for devices that are not powerful enough to run the language models locally, we are making use of Flower Confidential Remote Compute in order to ensure private remote processing. Very similar to Apple's Private Cloud Compute. Given some user sensitivity to this, these types of features will always be optional and something that users will have to opt into. 
As a reminder, Thunderbird will never train AI with your data. The repo for assist is not public yet, but it will be soon. And then Thunder Mail. Thunder Mail is an email service in search of a better name. No, okay, that's not what it actually says. I just think that Thunder Mail sounds dumb.
Leo Laporte
Well, it's because it's Thunderbird. I guess I.
Steve Gibson
Right. You know, you just can't put Thunder.
Leo Laporte
In front of anything. It's Thunder now.
Steve Gibson
Thunderdome.
Leo Laporte
Steven Thunder Gibson.
Steve Gibson
Oh God. Anyway, it also supports calendars and contacts as well as mail.
Leo Laporte
I'm interested. I mean, I'm a Fast Mail customer which does all the same things, but I'm very interested. I'd like to find out more.
Steve Gibson
They said we want to provide email accounts to those who love Thunderbird and we believe that we're capable of providing a better service than the other providers out there. Email that aligns with our values of privacy, freedom and respect for our users. No ads, no selling, no training AI on your data, just your email. And it is your email with Thunder Mail. It is our goal. My God, please. Something else.
Leo Laporte
You can't resist giggling.
Steve Gibson
It is our goal to create a next generation email experience that is completely 100% open source and built by all of us, our contributors and users. Unlike the other services, there will not be a single repository where this work is done. But we will try and share relevant places to contribute in future posts like this. The email domain for Thunder Mail will be thundermail.com (thank God) or tb.pro. Additionally, you will be able, here it is, to bring your own domain on day one of the service.
Leo Laporte
Good, that's.
Steve Gibson
Now that starts being interesting. Yeah. Having Mozilla behind a 100% open source, privacy respecting email service where we're also able to bring our own domain, presumably by pointing our own domains' MX records at Mozilla. That would be cool. So everyone listening can head to thundermail.com. The only thing there at thundermail.com is a simple signup page demonstrating their inherently techie nature. You'll see what I mean when you.
Leo Laporte
See it's command line based.
Steve Gibson
Yes. And that allows you to sign up for their beta wait list which will give you notification as soon as this thing is, you know, as soon as you're able to actually sign up for the service. And I did that immediately.
Leo Laporte
Oh yeah, me too. Yeah, I'm very curious.
Steve Gibson
So they said under final thoughts, don't services cost money to run? And they said, you may be thinking, this all sounds expensive. How will Thunderbird be able to pay for it? And they say, and that's a great question, right? Answering it or asking it of themselves. And they said services such as Send are actually quite expensive. Storage is costly. So here's the plan. At the beginning, there will be paid subscription plans at a few different tiers. Once we have a sufficiently strong base of paying users to sustainably support our services, we plan to introduce a limited free tier to the public. You see this with other providers; limitations are standard as free email and file sharing are prone to abuse. Yes. It's also important to highlight again that Thunderbird Pro will be a completely separate offering from the Thunderbird you already use. Or in my case, once used, since I am still happily switched away from Thunderbird to eM Client. They said while Thunderbird and the additional services may work together and complement each other for those who opt in, they will never replace, compromise or interfere with the core features and free availability of Thunderbird. Nothing about your current Thunderbird experience will change unless you choose to opt in and sign up with Thunderbird Pro. None of these features will be automatically integrated into Thunderbird desktop or mobile, or activated without your knowledge. This has been a long time coming, and the person who posted this wrote in the first person. It is my conviction that all of this should have been part of the Thunderbird universe a decade ago. But it's better late than never. Just like our Android client has expanded what Thunderbird is, as will our iOS client, so too will these services. Thunderbird is unique in the world. Our focus on open source, open standards, privacy and respect for our users is something that should be expressed in multiple forms. 
The absence of Thunderbird web services means that our users must make compromises that are often uncomfortable ones. This is how we correct that. In other words, they're going to be providing a complete suite of web services like the other guys do. And he finished writing. I hope that all of you will check out this work and share your thoughts and test these things out. What's exciting is that you can run Send or Appointment today on your own server. I thought that was interesting. You can run Thunderbird Send or Thunderbird Appointment today on your own server. He said, everything that we do will be out in the open and you can come and help us build it. Together we can create amazing experiences that enhance how we manage our email, calendars, contacts and beyond. Thank you for being on the journey with us. And so we all want Mozilla to stay alive, if not for Thunder or whatever, then for the sake of Firefox.
Leo Laporte
Yes.
Steve Gibson
So if their addition of cloud based services appeals to people as a reasonable alternative to Office 365 and Gmail, and that creates a revenue stream to support all of Mozilla, then I'm all for it. So again, thundermail.com to sign up for the news. And yay. A quick note, over in the category of age restrictions: Meta has extended teen account protections. The existing teen account security protections, which exist on Instagram, are also being extended to Facebook and Facebook Messenger accounts. The feature prevents children under the age of 16 from modifying a series of privacy settings on their accounts without a parent's approval. This includes settings related to who can contact the account and what content they see on the sites. Meta is also expanding these restrictions so that, for example, teens won't be able to live stream on their sites without a parent's approval. So that's good. Leo, we're at an hour and a half in. We got some more stuff to get to before we get to our main topic, but now would be a good time for one more break. I could not our second green last.
Leo Laporte
Yes, and I'm glad to tell you about our sponsor for this segment of Security Now, Legato Security. I had a great conversation with these guys and I proposed some ways to talk about what they do. If you're a business, of course, you must have, I'm sure you do, we do, you know, firewalls, protective devices, security that is constantly protecting you. But is somebody constantly monitoring it? In other words, if something bad happened on a Christmas Eve or during the weekend, would there be somebody there to see it? That's the important point. You wouldn't set up a burglar alarm and then not have somebody monitoring it, right? That's why burglar alarm services have 24/7 monitoring. No business should be their own burglar alarm. When it comes to cybersecurity, how many businesses can have 24/7 security operations centers operating and monitoring everything? Only the biggest, right? Well, here's a great solution for small and medium sized businesses. Legato Security. They provide the same standard of security controls that the large enterprises have without the cost of building an internal security operations center. You use Legato's; it's brilliant and you don't have to give up anything that you're using currently. It doesn't cost any jobs, it's just an adjunct and an assistant so that you can finally go home for the weekend and turn off, so that you can have your family with you for Easter Sunday and not worry about what's going on at work. As a recognized leader by CRN and MSSP Alert in 2024, Legato Security transforms how businesses approach their cybersecurity. And this is important. Their technology agnostic MSSP platform, it means that they're not going to install a whole new suite of tools for you. It provides your business with their own custom suite of security solutions that work with your existing solutions. Legato Security integrates seamlessly with all the tools you use right now, which means you don't have to do big costly infrastructure overhauls. 
But you do get this fantastic proprietary security operations platform they call Ensemble, which takes all of those signals from all the tools you're already using and delivers consolidated, prioritized, actionable alerts in real time via a single comprehensive pane. So everything you need is right there. Right? But that's not all, because the bad guys don't take holidays. You know, we talked about the fact that a hacking team modified a bunch of extensions, I think for Chrome, on Christmas Eve because they knew that would give them at least a day or two, if not a whole week, to operate freely, right? Hackers don't take holidays. In fact, they love holidays. They start working when you clock off. Fortunately, Legato Security's 100% US based team is there 24/7 with proactive threat detection, triage, even remediation 365 days a year. They have a purpose built, beautiful SOC. They're keeping an eye on everything so your team can focus elsewhere when it's time to clock out, spend time with your family and not have to worry about what's going on at work. From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth. A recent customer said, quote, Legato Security is the only supplier that has delivered everything that they said they would. And we didn't have to drive them. They just get it done. I love this. I said, well what happens if I have a problem? They said, look, Legato Security, we're not going to call you to say you have a problem. We're going to call you to say, well, you had a problem, we fixed the problem, we just want to let you know. Isn't that what you want? IT and security professionals, Legato Security's MSSP is here to augment your security team, not replace them. They're the professionals that you want on your team to back up your existing cybersecurity forces, to fortify your proactive defenses, 24/7, 365 days each year. Security tools alone are not enough. 
You need the expertise to back it up. See if your defenses are as strong as you think. Actually, I got a great way to do this. Go to Legato's page. They've got the Legato Security free risk assessment. It's available right there on their website. You can go through it, or better yet, get your boss to go through it. And then your boss is going to say, you know, we could use these guys. legatosecurity.com. Discover how they can help you regain control and enjoy your weekends like you used to. legatosecurity.com. You're gonna love these guys. legatosecurity.com. We thank them for supporting Security Now. And if they ask you, you tell them, hey, I saw it on Security Now. Right? That helps us quite a bit. All right, back to you, Steve.
Steve Gibson
Okay, so with our podcast two weeks ago falling on April Fool's Day, that made last week's podcast fall on the earliest possible Patch Tuesday, April 8th. Looking back at the news of last week, Microsoft patched 126 vulnerabilities. Because, you know, every month. Every month. That's right.
Leo Laporte
I mean, I guess it's good they're patching them.
Steve Gibson
It's better than not. You know me, I wish they'd just leave it the heck alone and stop messing with it. But one of those was an actively exploited zero day. It was an elevation of privilege in the Windows Common Log File System driver, which tends to be a vulnerability magnet for some reason. They've had a lot of problems with that driver over the years. Microsoft's security team. I mean, okay, so it's a log file system driver. Probably some summer intern. They said, hey, just go do that. You know, write the logging driver while you're here for the summer. We saw that happen with the color mapping that NT did once and it was a disaster. So anyway, you want to put your good guys on the things that are going to run in the kernel. Microsoft's security team indicated that the now patched zero day was being exploited by the RansomEXX ransomware group. And that makes sense, since once you somehow arrange to get your code running on a well locked down Windows machine, that code will likely be running under the account of the user who somehow made a mistake that allowed it to come in, and run with deliberately restricted privileges. So even though you may be in as a bad guy, it's still generally necessary to arrange to obtain admin privileges if, as in the case with a ransomware intrusion, your goal is to do a lot of damage. You need to get root on the machine to do that. Google also patched a pair of zero days last week with Android. One of the fixes is a patch for a Cellebrite exploit used by Serbian authorities to unlock the phones of journalists and anti government protesters. The exploit and the hacks were first detailed in an Amnesty International report in February. There are no details on the second zero day other than that it leverages an undisclosed flaw in the Android kernel USB audio driver, but being in the Android kernel suggests that it was likely a powerful root level exploit. 
This also makes it the third month in a row that Google has fixed zero days in the Android OS. And as we know, these things are complicated and it's very difficult to get every little detail right, but that's what security requires. If I wasn't so excited about talking about device bound session credentials today, as we will be shortly, I would be spending our time digging into a 25 page, recently published piece of security research which was just so juicy. It examined the status of the security of PLCs, you know, the critical programmable logic controllers that generally contain just enough computational ability to figure out when to turn off the toilet paper rolling machine, to then cut the paper and start on another roll after first painting a little bit of glue onto the cardboard tube so that the new end of the paper sticks to it. You know, that's what these things do. In a very real sense, PLCs are what actually run the world. We've talked about them extensively in the past on this podcast, specifically because they're silent workers that essentially make all of today's infrastructure go. In a very real sense, they are today's infrastructure and as a consequence their security is crucial. In the abstract of their 25 page paper, the team of researchers wrote: billions of people rely on essential utility and manufacturing infrastructures such as water treatment plants, energy management and food production, not to mention nuclear reactors. Our dependence on reliable infrastructures makes them valuable targets for cyber attacks. One of the prime targets for adversaries attacking physical infrastructures are programmable logic controllers, because they connect the cyber and the physical worlds. In this study we conduct the first comprehensive systematization of knowledge that explores the security of PLCs. We present an in depth analysis of PLC attacks and defenses and discover trends in the security of PLCs from the last 17 years of research. 
We introduce a novel threat taxonomy for PLCs and industrial control systems. Finally, we identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures. Now, as I promised and as I said, I'm not digging into this. I mean, I would love to, but we don't have time. But here's a brief summary of that research written by a security reporter who did dig into it. He wrote: a team of academics has conducted a review of 133 papers, 119 attack methods and 70 defense methods that target PLCs to assess the actual impact of a possible cyber attack targeting these devices. The research found that even if most PLCs have built in access control features, most of them have been shown to be ineffective. Where encryption has been used, the algorithms are often ineffective. Disabling unused protocols and monitoring is the best way to prevent and detect attacks. So if anyone is interested in more detail, I have a link to their 25 page research analysis in the show notes. Okay, I've got one that's pretty much guaranteed to make you just shake your head, and Leo, I know you already know about this. Six researchers, four from the University of Texas at San Antonio, one from Virginia Tech, and the last one from the University of Oklahoma, just published a paper titled "We Have a Package for You: A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs." You know, large language models in their usage. Just to be clear, by package they mean a reference to some open source code library that would be handy to have and to add to a project in order to provide some missing functionality. So here's what this team of six wrote for their paper's abstract. I have a link to their entire paper in the show notes. 
They wrote: the reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open source software, combined with the emergence of code generating large language models (LLMs), has created a new type of threat to the software supply chain: package hallucinations. These hallucinations, which arise from fact conflicting errors when generating code using LLMs, enable a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain. This paper conducts a rigorous and comprehensive evaluation of package hallucinations across different programming languages, settings and parameters, exploring how a diverse set of models and configurations affect the likelihood of generating erroneous package recommendations and identifying the root causes of this phenomenon. Using 16 popular LLMs for code generation and two unique prompt data sets, we generate, get this, 576,000, over half a million, code samples in two programming languages that we analyze for package hallucinations. Our findings reveal that the average percentage of hallucinated packages is at least 5.2% for commercial large language models and 21.7% for open source large language models, including a staggering 205,474 unique examples of hallucinated package names, further underscoring the severity and pervasiveness of this threat. To overcome this problem, we implement several hallucination mitigation strategies and show that they're able to significantly reduce the number of package hallucinations while maintaining code quality. Our experiments and findings highlight package hallucinations as a persistent and systemic phenomenon while using state of the art large language models for code generation and a significant challenge which deserves the research community's urgent attention. Okay, so that's part one. LLMs are still just making stuff up, including the names of add on packages that it would be nice to have. 
And just as typo squatting has developed over time into a serious threat, researchers are warning that something which unfortunately is being called AI slop squatting is on the horizon.
Leo Laporte
Let me see what sounds better when I say it this way. No, no, no. Better still bad.
Steve Gibson
Here's what the Risky Business Security newsletter wrote. They said security firms, open source experts and academics are warning about a new supply chain vector they're calling slopsquatting. The technique's name is a combination of terms like AI slop and typosquatting. Yeah, it revolves around the increasing use of AI coding tools to generate blocks of source code that may sometimes make their way into production systems. A recent academic paper, and that's the one whose abstract I just shared, analyzed 16 AI coding models and found that these tools generate shoddy code that often includes and loads packages and libraries that don't exist. DevSecOps company Socket Security says that such behavior opens the door to slopsquatting, where threat actors study the LLMs and then register package names hallucinated or likely to be hallucinated in the future. It turns out that's actually feasible. The attack looks farcical and impractical, but so did typosquatting, they write, when it was first described years ago. Yet years later, it is one of the most pervasive and common sources of supply chain issues in the software development industry. It may sound ridiculous that developers would not spot a typo in the names of packages they install, but reality has shown that they don't. Does it actually sound that far off? He poses that developers would not spot non existent packages in huge blocks of code they're using when cutting corners.
Leo Laporte
Yeah, see that's the problem, right?
Steve Gibson
Yes, the use of AI coding tools is increasing and the chances that developers may use code blocks generated through these tools is also growing exponentially, along with the chances of a successful slopsquatting attack. So that's what Risky Business wrote. This raised my curiosity, so I looked further. The Socket Security folks further summarize some of the paper's findings. They wrote: the researchers tested 16 leading code generation models, both commercial, like GPT-4 and GPT-3.5, and open source, like CodeLlama, DeepSeek, WizardCoder and Mistral, generating a total of 576,000 Python and JavaScript code samples. Their key findings were: 19.7% of all recommended packages did not exist. Open source models hallucinated far more frequently, 21.7% on average, compared to commercial models at 5.2%. The worst offenders, CodeLlama 7B and CodeLlama 34B, hallucinated in over a third of their outputs. GPT-4 Turbo had the best performance, with a hallucination rate of just 3.59%. Across all models, the researchers observed over 205,000 unique hallucinated package names. These findings point to a systemic and repeatable pattern, not just isolated errors. And here's the key: these hallucinations are not just one-offs. If they were, they could not be weaponized, right? They are persistent and recurrent, the Socket Security guys explained. They said in follow-up experiments, the researchers reran 500 prompts that had previously triggered hallucinations 10 times each. They found an interesting split when analyzing how often hallucinated packages reappeared in repeated code generations. When rerunning the same hallucination-triggering prompt 10 times, 43% of hallucinated packages were repeated every time, while 39% never repeated at all. This stark contrast suggests a bimodal pattern in model behavior. Hallucinations are either highly stable or entirely unpredictable. 
Overall, 58% of hallucinated packages were repeated more than once across 10 runs, indicating that a majority of hallucinations are not just random noise, but repeatable artifacts of how the models respond to certain prompts. That repeatability increases their value to attackers, making it easier to identify viable slopsquatting targets by observing just a small number of model outputs. The consistency makes slopsquatting more viable than one might expect. Attackers don't need to scrape massive prompt logs or brute force potential names. They can simply observe LLM behavior, identify commonly hallucinated names and register them. So just a cautionary tale here about the potential for the weaponization of large language model outputs. We know that bad guys would like nothing more than to get their code included into high profile product offerings. If future coders become too comfortable with directly using LLM-created code without scrutinizing it carefully, I would argue line by line, just copying and pasting and testing what the LLM produces, it's no longer far-fetched to imagine that the LLM's mistaken output itself might have been weaponized for the purpose of causing the download and inclusion of a malicious library. If we were to take this a step further, imagine arranging to seduce LLMs to train on tasty valid libraries, which they would tend to then invoke into their solutions, only to have any retrieval by a non-LLM return a malicious version of that package. There's no such thing as a free lunch, coders.
Leo Laporte
And how do you test it? Because you can't just say, well, does this exist? Because it does exist now, because of slopsquatting. And, you know, so now you have to validate all the libraries to make sure it's not doing anything malicious. Yeah, yeah, yeah, what a mess.
Steve Gibson
A real supply chain mess. Basically the LLM has a knowledge that the coder lacks of available packages and is pulling stuff in from all over. So the coder either needs to truly educate themselves about the nature of the library that the LLM knows about and has invoked, or just hope for the best. And hoping for the best could really bite you in the, what is not the best place. Yes.
Leo Laporte
Wow.
Steve Gibson
We wind up talking about WordPress because such a large portion of the Internet's websites are running WordPress CMS (content management system) code. The core WordPress offering has become extremely solid over time, but its very large plugin ecosystem is another matter entirely. That plugin ecosystem is WordPress's primary attraction, but also its primary weakness as a secure platform. Wordfence is an independent WordPress-focused security firm. During the previous year, security researchers at Wordfence discovered and disclosed more than 8,000 WordPress site vulnerabilities. 8,000 WordPress site vulnerabilities. But fully one quarter of those, 2,000, have remained unpatched today. Many of the affected plugins are obscure, but many are popular and unmaintained. But as I noted, the WordPress core has grown increasingly solid, with only five of those 8,000 known issues disclosed last year impacting the WordPress core, and all of them were immediately fixed. So the takeaway here is this. As I've said every time we've previously considered the important WordPress landscape, be very, very careful about what you add to the base WordPress core offering. Only add those features you really need and will really use. And check to see the history of any add-on's maintenance to verify that someone is still around to maintain that code, or that it really looks like it is sufficiently solid. Because add-ons, plugins, are the WordPress security Achilles' heel, not the core offering. Yeah. Yep.
Leo Laporte
But you really could generalize this advice to everything. Don't install apps you don't.
Steve Gibson
Same with your iPhone. Yeah.
Leo Laporte
Don't use libraries you don't know.
Steve Gibson
That really is true.
Leo Laporte
The browser you use is probably secure.
Steve Gibson
And the add ons to the browser. The more crap you add to these things.
Leo Laporte
Yep.
Steve Gibson
The greater the probability that one you add will be bad.
Leo Laporte
Especially nowadays. Holy cow.
Steve Gibson
And there are, of course, degrees of badness, and one could argue that WordPress add-ons, the problem is, you know, they're just written by, you know, Johnny in the closet. I mean, they're just random.
Leo Laporte
And what are they written in, Steve? They're written in PHP. They are Johnny in the closet using his Personal Home Page software.
Steve Gibson
That's right. And that's why the only server I have that is running any PHP has its own port on an isolated router, and it doesn't get to talk to any of my other stuff at GRC, because I just do not trust it. It could melt down internally, but it can't touch, you know, GRC.com, where, you know, e-commerce and other things live. Because, you know, I take my own advice. So speaking of PHP's language interpreter, it just got a much welcome security audit, which it turns out was also much needed. You know, WordPress, like a great many other web-facing systems, such as, as I was just talking about, GRC's web forums, our email system, our link shortener, all written in PHP. I love them, but they're on an isolated server. So also in the news was that PHP's language interpreter recently received a security audit. Quarkslab received a commission to really examine the core component of PHP. Last Thursday they posted their results. They wrote: the Open Source Technology Improvement Fund Inc., thanks to funding provided by the Sovereign Tech Fund, engaged with Quarkslab to perform a security audit of php-src, the interpreter of the PHP language. The audit aimed to assist PHP's core developers and the community in strengthening the project's security ahead of the upcoming PHP 8.4 release. The code base was analyzed with a defined scope, which was established and agreed upon by both PHP's core developers and the OSTIF (Open Source Technology Improvement Fund) teams. Based on this scope and the allocated timeframe for the audit, an attack model was developed and approved by the PHP team. The assessment was conducted within a set time frame, with the primary focus on identifying vulnerabilities and security issues in the code according to the defined attack model. The following scope of work was defined by the PHP Foundation and the OSTIF. 
The key tasks included base tooling evaluation and improvement: SAST tooling to enhance the existing GitHub CI without extra cost and with low maintenance, and building fuzzers compatible with OSS-Fuzz for potential critical functions that are not currently covered; and cryptographic and manual code review. High priority tasks were the PHP-FPM master node and PHP-FPM worker glue code, those are the modules that invoke PHP for handling web queries, also FPM pool separation, the MySQL native driver, RFC 1867 PHP header parsing and MIME handling, PDO emulated prepares, JSON parsing with a focus on json_decode, OpenSSL external functions and its stream layer (ext/openssl), libsodium integration with ext/sodium, functionalities related to passwords (ext/standard/password.c), functionalities related to hashing (ext/hash), and functionalities related to the CSPRNG, the cryptographically secure pseudo-random number generator (ext/random/csprng.c). So that was their mission and scope. How did they proceed? They wrote: to assess the security of php-src, Quarkslab's team first needed to familiarize themselves with the structure of the project and understand the key tasks outlined in the audit scope. To achieve this, Quarkslab experts gathered and reviewed the available documentation and project resources. With a clear understanding of the features to be evaluated, Quarkslab developed an attack model that incorporated all the requested key tasks. This model was then presented to PHP's core developers, and once approved, the assessment began. The evaluation employed a combination of dynamic and static analysis. The static analysis focused on scrutinizing the source code to visually identify vulnerabilities related to the implementation and logic of the specified assessment targets. Dynamic analysis was used to complement the static review by speeding up the process through fuzzing and validating or refuting the hypotheses generated during the static analysis. 
So, you know, they're taking this formal approach because they've been contracted essentially to perform this audit, and it would be easy to say, oh yeah, we did. But, you know, they're getting paid, so they need to say, what do you want us to do? Okay, here's how we're going to do it. Okay, okay, now we're going to do it. So what did they find? They wrote: during the time frame of the security audit, Quarkslab has discovered several security issues and vulnerabilities, among which were two security issues considered high severity, six security issues considered medium severity, nine security issues considered low severity, and ten issues considered informative. Most vulnerabilities have been shared, they wrote, via security advisories on the php-src GitHub repository. Other bugs and issues are provided only in this report. Four CVEs were issued, one for each of the two high severity vulnerabilities and two others for two of the nine low severity vulnerabilities. Okay, so they produced a detailed, and oh boy, a very detailed, 106-page full audit report, and I have a link to it in the show notes for anyone who wants to dig in. However, they also wrote: this audit report contains two security issues currently redacted. While PHP maintainers are actively working on the fixes, details will be provided after fixes are applied by PHP maintainers. Fixes are complex and in progress. In other words, two of the 17 security-related problems they discovered were too severe to publicly report until they have been fixed. Although it's speculation at this point, this strongly suggests that many earlier releases of PHP are also very likely to be in identical trouble, and that depending upon what bad guys could do with it if they knew about it, we may be facing a critically important security update across all still-supported release versions of PHP. So we will certainly be, you know, standing by and staying tuned, and see whether PHP needs an update. 
They're not talking about what they found, but it is very, very cool that a truly worthwhile audit was done at PHP, and really you end up feeling a lot better about PHP 8.4 knowing that it has had this kind of audit. It's like back in the days of VeraCrypt or TrueCrypt that got audited, and it's like, okay, people really did take a look at it, and it came out the other end with no big problems found. So a couple things need to get fixed, but once they are, yay.
Leo Laporte
And.
Steve Gibson
Leo, let's take our last break, and then finally we are going to get to, I've been waiting all day for this, the unhyphenated device bound session credentials.
Leo Laporte
Well, it's about time.
Steve Gibson
People may be a little glad that what we've done so far has been a little fluffy by comparison, because you're going to need to have conserved your strength for what's coming.
Leo Laporte
I think all my session credentials are device bound, but what do I know? Let's find out.
Steve Gibson
None of them are.
Leo Laporte
None of. No. Well, we'll find out more in just a bit. I'll tell you what's device, not device bound, is my fabulous Bitwarden password manager. Now that passkeys are here, I am not going to use my device to store my passkeys. Oh sure, Apple would love you to use your iPhone to store all your passkeys, but why do that when you can use Bitwarden and have your passkeys everywhere? By the way, as more and more sites are using passkeys, I am happy that I've started using Bitwarden for GitHub, for Amazon, for everywhere that uses passkeys. It makes it so fast, makes it so easy to log in. This episode of Security Now brought to you by Bitwarden, the trusted leader in passwords, passkeys and secrets too, by the way. In fact, tax day is a good day to remember that. Bitwarden has more than 10 million users across 180 countries, over 50,000 business customers worldwide. It's consistently ranked number one in user satisfaction by G2, recognized as a leader by Software Reviews Data Quadrant. Bitwarden protects thousands of businesses worldwide. Now, I mentioned tax day. Your tax preparer has probably sent you back your tax forms. Maybe you sent them your tax information, including your Social Security number. I hope you didn't use email. I hope you didn't use text messaging. Now you can use Bitwarden Send, which end-to-end encrypts all of your messages, whatever it is, your forms that you're sending, completely protected. And by the way, and I love this, the recipient does not need an account to access them. Stop using risky email attachments. Instead share confidential documents with, you get, not just password protection, but you get expiration dates. If you didn't read this by April 15th, you're never gonna. View limits: you can look at it five times and that's it. Gives you full control over who accesses your sensitive information. Bitwarden periodically surveys businesses and they just got a new survey back. 
New findings say that 65%, more than half, much more than half, of businesses still rely on passwords alone, which is surprising, a little disappointing. I really thought that passwordless was going to be the next big thing; surely single sign-on is. But no, they're still using passwords. And that's even with the fact that password management is cited as the top IAM challenge for 35% of organizations. And only 21% implement passwordless authentication, which means these enterprises are facing ongoing credential security risks. For all we know, the employees are writing the passwords on Post-it notes and putting them on the monitor or underneath their blotter. Bitwarden offers enterprises a much better way to do it. End-to-end encryption, multi-factor authentication, secure password sharing. No, we're not passing around Post-it notes. It addresses both the current and future authentication needs because Bitwarden is always up to date, always on the cutting edge. They've just announced they have received ISO 27001:2022 certification. That's a very important thing. It's an internationally recognized standard that assures enterprises, developers and security teams that Bitwarden's doing it right. They meet stringent security and compliance requirements that complements their existing compliance with SOC 2 Type 2, GDPR, HIPAA, CCPA, and on and on. Look, there's no question Bitwarden is a trusted security partner for enterprises, and it's easy to use. They prioritize simplicity, which is very important, because if a security tool isn't easy to use, most users aren't going to use it. It's easy to set up Bitwarden. It'll only take a few minutes. Bitwarden supports importing from most password management solutions, so you can move very, you know, easily to Bitwarden. And of course, and this is really important to me, I hear this in the chat room all the time. We do these Bitwarden ads. Bitwarden's open source. 
That means anyone can inspect the code, verify it does exactly what it says it does. No more, no less. They also of course have regular audits by third-party experts, and they publish every word. So you know exactly where you stand with Bitwarden. Look, you and your businesses deserve an effective solution for enhanced online security. Get started today with Bitwarden's free trial of a Teams or Enterprise plan. And if you're an individual, and I know everybody listening to Security Now is using a password vault of some kind, but you should know that your friends and family probably aren't. Tell them they can get started for free with Bitwarden. Free forever across all devices. Unlimited passwords, passkeys? Yes. Hardware authenticators. Yes. And individual users can even host their own vaults if they want. Bitwarden.com/twit. It's the only one I use. I'm so happy with it, and I tell everybody, BITWARDEN, that's the one. Bitwarden.com/twit. We thank them so much for supporting Security Now. And you support us when you use that address, so make sure you do. Bitwarden. All right, what are device bound session credentials, with or without their hyphen?
Steve Gibson
So as I said at the top, while I was scanning through recent events, I noted that Chrome had recently moved to 135 and Firefox went to 137. So I scanned through Chrome's mind-numbing list of things that had been fixed and added and changed. There were several truly new features added by the W3C, the World Wide Web Consortium, which Firefox and Safari are also echoing. The most interesting of them was something called Device Bound Session Credentials, which is the soon-to-be-available feature that named today's podcast. Obviously, once I understood what this was about, that it was right, and given that this new technology is intended to be an extremely secure replacement for an aspect of session cookies, not entirely, as we'll see, but the way you get them essentially, I knew we needed to update the record, because session cookies would not, as they have been forever, be long for this world. And that's a big deal that will change everything. As we've had the discussion many times in the past, the entire model of the web is for a user client, typically an interactive web browser, to request some resource from the Internet using a URL which contains the unique address of the requested object. Unique Internet-wide. It's somewhere; there's something the browser says, I want that. As a result of the browser's connection to it and then supplying the address of the requested object, a web server returns whatever it is that the browser requested, and then they may, and often do, disconnect. When you think about it, it's to me incredible to consider how far we have stretched that simple basic query and reply model. We've created the modern Internet world with it: browser asks for something, a server somewhere sends it back, says here you go, disconnects. 
This original model, the thing that Sir Timothy John Berners-Lee first conceived of as the World Wide Web, never had any notion of a session. You know, that is, there was no way originally for anyone to log on to anything, since doing so would require that this logged-on state would be saved somewhere. And Tim's original idea was entirely stateless.
Leo Laporte
Interesting. The web, realize that, yes, the.
Steve Gibson
Web was just a mass of pages containing links to other pages, and that was it.
Leo Laporte
But that's very limited.
Steve Gibson
Yeah. Oh, yeah.
Leo Laporte
Because you can't identify yourself.
Steve Gibson
All it was was like a big knowledge base, a big directory. Just like, and remember back then, Leo, like the original websites were like a list of links. They were just like link lists.
Leo Laporte
It was hypertext. That's hypertext.
Steve Gibson
That would take you. Yeah. To somewhere else.
Leo Laporte
So no memory, nothing. No state, nothing.
Steve Gibson
Yeah, Right. All of that changed in June of 1994 when MCI asked Netscape to come up with some way for the user's browser to retain transaction data so that MCI would not need to retain it at their end.
Leo Laporte
Otherwise you have to log in every time you go to MCI mail.
Steve Gibson
Actually, it's worse than that. Every query.
Leo Laporte
That's right.
Steve Gibson
There isn't. You can't actually log on.
Leo Laporte
Yeah. I don't know who this is.
Steve Gibson
The search server does not remember you ever. There's no memory of a previous query. And that's the way the Net originally was. So a Netscape engineer by the name of Lou Montulli came up with the idea of a web browser cookie that a web server would give to a visiting web browser. And every time thereafter, if the web browser contained a cookie that matched the domain that the web browser was querying, the browser would voluntarily return that cookie token in all of its queries to the server.
Leo Laporte
So you save state locally on your machine so the server doesn't have to do it, that you re-identify yourself. By the way, the original name for this was Persistent Client-Side State Information. And it to this day irks me. They didn't call them pixies instead of cookies. It should have been a pixie.
Steve Gibson
Oh, that'd be much better.
Leo Laporte
Much better, yeah. Although maybe it sounds a little scary that you have some pixies.
Steve Gibson
Well, and you really can't do that. You can't do pixie in that monster voice of yours.
Leo Laporte
Pixies. No, you do it.
Steve Gibson
You do it in this voice. Oh, that's good. Okay. So believe it or not, Leo, even back then, when this was first introduced, it was somewhat controversial.
Leo Laporte
Oh, really?
Steve Gibson
Suddenly it meant that not every query from a browser was independently and entirely anonymous, as they originally were. But by the same token, if you'll pardon my pun, the web server would usually have the browsing user's IP address. Still, people were aware of this back in the mid-90s, that with a cookie, suddenly you lost a little bit of the anonymity that you had previously enjoyed. Now through the years, the cookie specification was formalized and many new features were added. You know, expiration of cookies and other various flags. Many years ago we talked about the Firesheep hack, where HTTPS was only briefly used during login to a website like Facebook, after which the connections would drop back to less compute-intensive plain text HTTP. The trouble was that this exposed the user session cookie, which is how the user was logged in, how the user's interaction with the remote Facebook server kept being re-identified as being them. That was the only way remote servers had to recognize a user's repeated activities, because all web queries stand alone otherwise. So if a bad guy were to sniff a cookie, they could instantly impersonate that logged-in user. And they could, because the traffic was just plain text. Anybody looking at plain text, and, you know, I remember doing it in my local Starbucks. I didn't log in as a person, but I saw a whole column down the right-hand side of the other people at Starbucks whose authentication tokens my browser had just sniffed. So this obvious flaw was fixed, for example, by switching to always keeping all traffic encrypted using HTTPS, as we do now. As we know, virtually the entire Internet has switched to always-on HTTPS. But if a browser ever even once made the mistake of issuing an HTTP query to a remote server, whatever cookies it might be carrying for that server's domain would still be sent in the clear. 
So the formal cookie specification was again tweaked so that the server who's setting the cookie could set a secure flag with a cookie. This would instruct the browser to never send the cookie over any unencrypted HTTP query. So today all responsible cookie setting now also uses the secure flag to prevent any cookie leakage. But if you stand back for a moment and consider how much work we're asking these poor old original cookies to do for us, and how much more technology we have readily available to us today than we did 31 years ago back in 1994, especially our lovely crypto technology today, the need to replace these trusty and crusty old cookies, which are just dumb pseudo-random bits of gibberish, with something far more powerful, resilient and resistant to abuse, it's hard to resist. And today it's something we can do easily. That session cookie replacement is now on the horizon. It's everything it could be, and it's called Device Bound Session Credentials, or DBSC for short. And it actually does a lot more than cookies ever could. Okay, so what are device bound session cookies? The World Wide Web Consortium's, the W3C's, public GitHub page, part of which I'm going to share, is quite dense and quite matter-of-fact. But don't worry if some of this is initially confusing and flies over your head; it'll be flying over most of our heads. This is enough of a change from the way things have always been done for the past 31 years that it will likely take another podcast or two for all of what this means to sink in. We'll all get there together. I'm sure we'll be going back to this multiple times in the future.
Leo Laporte
So this is going to be a cookie replacement. Is this going to be implemented for.
Steve Gibson
Sure, or yes, it is already on. Safari, Firefox and Chrome are all working on it right now, and it is in, well, Firefox, or Safari and Firefox have it, and Chrome got it with 135, with the update that just happened.
Leo Laporte
That's hysterical because what are we going to do about all the cookie banners that we have to click through? Are we going to have DBSC banners?
Steve Gibson
Yeah, it's going to be a mess. Yeah. Okay, so here's what the W3C considers to be their explainer, and I'll take a break here, because at one point what they're saying becomes more clear, so I'll end up explaining what's going on. So they write: Device Bound Session Credentials aims to reduce account hijacking caused by cookie theft. It does so by introducing a protocol and browser infrastructure to maintain proof of possession of a cryptographic key. The main challenge with cookies as an authentication mechanism is that they only lend themselves to bearer token schemes. Okay, that meaning where the browser is the bearer of and holder of a token, which is useful, but there's a lot it can't do. So that says they only lend themselves to bearer token schemes. On desktop operating systems, application isolation is lacking, and local malware can generally access anything that the browser itself can, and the browser must be able to access cookies. On the other hand, authentication with a private key allows the use of system-level protection against key exfiltration. In other words, if we think about TPM, and we think about having a private key and proving that we have it by signing a challenge, and someone verifies our signature with our public key. That is, if we take this to a whole nother level, all of these other mechanisms exist today, and we've not been using them for the past 31 years. So they said DBSC offers an API for websites to control the lifetime of such keys behind the abstraction of a session, and a protocol for periodically and automatically proving possession of those keys to the website's servers. Now I should explain that as I'm reading this now, because I understand what it is doing, this all makes sense to me. The first time I read it I was like, what? Okay, so this is the first time everyone's hearing it. So I understand you're having my reactions, like, what? Anyway, this is going to get clear. 
So they said there is a separate key for each session, and it should not be possible to detect if two different session keys are from one device. That's for privacy's sake. One of the key goals is to enable drop-in integration with common types of current auth infrastructure, meaning the rest of the world doesn't have to change to incorporate this. By device-binding the private key and with appropriate intervals of the proofs, the browser can limit malware's ability to offload its abuse off the user's device, significantly increasing the chance that either the browser or server can detect and mitigate cookie theft. In other words, cookies are going to still exist, but they're going to be short-lived, and the key is not in the browser; the key is in the device.
Leo Laporte
So this eliminates that whole fire sheep thing of I got into your thing, I stole your Facebook cookie and now I can log on as you on my machine because it's device bound.
Steve Gibson
Correct.
Leo Laporte
That makes sense.
Steve Gibson
Correct.
Leo Laporte
Although we have fixed that with HTTPs.
Steve Gibson
No, all that is is the communication; it isn't the authentication.
Leo Laporte
So prevent somebody from getting in and stealing the cookie. But if they could still get the cookie, it would still be good. Right, Got it.
Steve Gibson
But this periodically re-authenticates, requires that cookies be re-authenticated.
Leo Laporte
To the device.
Steve Gibson
Yeah, to the device. So if someone takes them elsewhere, they can't use them for long. Perfect. And if there's any question about them, then a re-authentication can be required. Anyway, so this says DBSC is bound to a device with cryptographic keys that cannot be exported from the user's device under normal circumstances. This is called device binding. Unfortunately it's not hyphenated in the rest of this document. DBSC provides an API that servers can use to create a session bound to a device, and this session can periodically be refreshed with an optional cryptographic proof. The session is still bound to the original device, which I didn't understand the first time I read it, but it'll get clear in a minute. At sign-in, the API informs the browser that a session starts, which triggers the key creation. It then instructs the browser that anytime a request is made while the session is active, the browser should ensure the presence of certain cookies. If these cookies are not present, DBSC will hold network requests while querying the configured endpoint for updated cookies. Now, okay, let me stop, because I didn't understand what the heck they were talking about the first time I read that. Now I get it. So we're going to log in to a service. So with DBSC present, after the user authenticates themselves with a browser on a device, there is now a new API that causes the device's DBSC public key to be sent to the remote server, to the website server. So as part of the user's default authentication on the device, the DBSC public key is sent to the remote server. That's what it uses then to re-authenticate the user whenever necessary. And we also now need to think of not just a web server, but an authentication side of the server that is there, sort of an asynchronous separate authenticator on the website that is running adjacent to the regular website. 
So, so what happens then is the the website tells the browser you need to give, you need to have session cookies and you're not sending me any session cookies. So the browser then queries this new authenticating portion of the site through an API and says I need updated session cookies, please challenge me. So that authenticating side sends a random blob to the browser. The browser uses the systems tpm, the trusted platform module that maintains a private key that never leaves, that cannot leave to sign that challenge. The blob is the challenge that has never existed before, never exist again and it just be an always increasing random number. Doesn't matter, just has to be unique. And that's a good way to get it unique. It signs it and sends it back signed. So that proves to the authenticating portion, this DBSC authenticating portion that it's still in communication. This browser is on the device that originally logged in because that's the only way that it could sign a challenge using the private key that exists only on that device and having performed that successfully performed that cryptographic challenge, that authenticating portion. The new authenticating portion of the website then sends new fresh but short lived session cookies, old school cookies to the browser which the browser then returns to the regular website saying hey look it's me and I've just reproven who I am. And so the website says oh good, okay, now we can proceed. So and that's where in what I just read it said if these cookies are not present, DBSC will hold network requests, meaning keep them pending, like not answer them, while querying the configured endpoint for updated cookies. So it goes through all that to get the updated cookies, then it's able to provide them and we proceed. So they wrote DBSC's goal is to reduce session theft by offering an alternative to long lived cookie bearer tokens. 
That's what we've always had up until now that allows session authentication that is bound to the user's device. This makes the Internet safer for users and that it is less likely their identity is abused since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time, the goal is to disrupt the cookie theft ecosystem and force it to adapt to new protections. DBSC's primary threat model is that of an attacker who can read and tamper with the user agent, such as with a malware compromised browser or like for example bad extensions in your browser in which the malware can read and modify browser memory and secrets stored on disk. In many operating systems, malware may be able to obtain privileged root, kernel, etc. Access. DBSC aims to address this threat by establishing a cryptographic protocol in which secrets can be stored in dedicated systems such as secure enclaves, though DBSC does not specify how implementers should store backup or sync keys, as long as such storage is robust against the described threat. As a secondary consideration, DBSC also mitigates against certain types of network and server compromise, such as network attackers in the middle, where an attacker can read or modify network traffic, or HTTP server log leaks, where a server mistakenly logs full HTTP request and response headers to logs which can be read by unprivileged insiders. And of course, if they had full headers, they would be seeing the cookies that are being transacted. In all of these scenarios, DBSC aims to enforce the specific constraint that temporary read write access to a user agent or network traffic does not enable long lived access to any established DBSC sessions. For example, if an attacker has malware running within a victim browser process, they should be unable to continue to authenticate as the victim browser once that malware has been removed. 
Note, however, that the definition of long lived depends upon the configuration refresh period. Within that period, attackers may continue to have short lived access to any established sessions. And the reason for that is we're still using cookies. And the reason we're still using cookies is that it's still too expensive to use this crypto all the time. I mean it's important to understand what an insane number of queries our browsers are generating. I mean it's just a flood of queries coming out of our browsers. They cannot be each individually cryptographically authenticated every time. It's still too expensive. So the idea is we're going to compromise. We're going to, we're going to be able to periodically re authenticate short life cookies. And importantly, before something critical is done, like acknowledging a funding transfer or confirming a purchase or something, it's absolutely practical to ask for an updated reconfirmation of the device's authentication. So on an interactive level we certainly have the speed to do that. And so, so a compromise has been necessary. The previous approaches to replace cookies for binding sessions have failed because they were unwilling to make a compromise and it's just too expensive. So this is a nice solution. And the other important aspect of this is that most of the website doesn't need to change. Most of the website, all of the website that is not about dbsc, it just sees session cookies. So it's got everything it's always had. We're only adding a new authentication slice to the overall site. So they said what are the non goals? DBSC will not prevent temporary access to any browser sessions while the attacker has ongoing access to a compromised user agent. Right, because we're still, you know, we're still using cookies but not long an attacker with ongoing access to a compromised user agent or decrypting middlebox etc. Will be able to continuously access fresh DBSC controlled bearer tokens cookies. 
And an attacker with malware running on a compromised device will on many modern operating systems be able to treat even secure elements as assigning Oracle, meaning able to get it to sign for on their behalf in order to provide proof of possession of the DBSC secret keys. So again they've as, as do all modern security protocols. They clearly outline these are the things we do, these are the things we, we know we don't do and we're not, we're not claiming to be able to do everything. So they said so what makes device bound session credentials different? And they wrote DBSC is not the first proposal towards these goals with a notable one being token binding. This proposal offers two important features that we believe makes it easier to deploy than previous proposals. DBSC provides application level binding and browser initiated refreshes that can make sure devices are still bound to the original device. For websites, device binding is Most useful for securing authenticated sessions for users, DBSC allows websites to closely couple the setup of bound sessions with user sign in mechanisms, makes session and key lifetimes explicit and controllable, and allows servers to design infrastructure that places verification of session credentials close to where user credentials cookies are processed in their infrastructure. Other proposals have explored lower level APIs for websites to create and use protected private keys, for example via web crypto or APIs similar to WebAuthn. While this works in theory, it puts a very large burden on the website to integrate with. In particular, since the cost of using protected keys is high, websites must design some infrastructure for collecting signatures only as often as needed. 
This means either high touch integrations where the keys are only used to protect sensitive operations like making a purchase, or a general ability to divert arbitrary requests to some endpoint that collects and verifies a signature, then retries the original request. The former doesn't protect the whole session and violates the principle of secure by default, while the latter can be prohibitively expensive for large websites built from current multiple components by multiple teams and may require non trivial rewrites of web and RPC frameworks. Finally, they said DBSC instead allows a website to consolidate the session binding to a few points at sign in it informs the browser that a session starts which triggers the key creation. It then instructs the browser that any time a request is made while that session is active, the browser should ensure the presence of certain cookies. The browser does this by calling a dedicated refresh endpoint specified by the website whenever such cookies are needed, presenting that endpoint with a proof of possession of the private key. That endpoint, in turn, using existing standard set cookie headers, provides the browser with short term cookies needed to make other requests. Okay, so again we there we finally get some sense for what's going on. Many previous efforts, as I said, to replace cookies have been proposed. None have taken hold. This one demonstrates a carefully crafted compromise. Rather than constantly and continually using expensive public key crypto to prove its identity, DBSC sets up a secondary essentially a cookie supplier for a website. The website tells the browser which cookies it needs to be providing. If the browser doesn't have those, or if they're near expiring, then and only then it separately connects to the cookie supplier where it uses rigorous state of the art crypto to authenticate its device. Not its browser, not its user, its device to the hardware. 
I mean the device's hardware to the website's cookie supplier. Having done so, the cookie supplier returns regular old fashioned cookies which the browser will then use when subsequently transacting with the main website's pages. The explainer continues saying this provides two important benefits. First, session binding logic is consolidated in the sign in mechanism and the new dedicated refresh endpoint point. All other parts of the website continue to see cookies as their only authentication credentials. The only difference is that those cookies are now short lived. This allows deployment on complex existing setups, often with no changes to non auth related endpoints. And second, if a browser is about to make a request where it has been instructed to include such a cookie but doesn't have one, it defers making that request until the refresh is done. While this may add latency to such cases, it also means non auth endpoints do not need to tolerate unauthenticated requests or respond with any kind of retry logic or redirects. This again allows deployment with minimal changes to existing endpoints, they said. Note that the latency introduced by deferring of requests can be mitigated by the browser in other ways, which will be discussed later. And interestingly, under TPM considerations, you know Trusted Platform module, they wrote DBSC depends on user devices having a way of signing challenges while protecting private keys from exfiltration by malware. This usually means the browser needs to have access to a trusted platform module on the device which is not always available. Tpms also have a reputation for having high latency, meaning they're not fast and not being dependable. Having a TPM is a requirement for installing Windows 11 and can be available on previous versions. All our studies are for public key cryptography using Elliptic Curve DSA P256 algorithm. Chrome has done studies to understand TPM availability to understand the feasibility of secure sessions. 
Current Data shows about 66.0percent and currently growing of Windows users would be offered protections. Studies have also been done on the current populations of TPMs both for latency and predictability. Currently the latency for Signing operations averages 200 milliseconds, so 1/5 of a second with only 5% of signing operations exceedingly 600 milliseconds and the error rate is very low, currently around 0.001% and you if you got an error you just retry. Based on this research, tpms are widely available with a latency and consistency that is acceptable for the proposed usage. And as we know tpms of the future, having some some crypto engine as part of every device is absolutely the future. So the spec is here, we already have 60% coverage and that's Only going to be going up over time. So they ask what about privacy considerations? They said an important high level goal of this protocol is to introduce no additional surface for user tracking. Implementing this API for a browser or enabling it for a website should not entail any significant user privacy trade offs. There are a few obvious considerations to ensure we achieve that goal. Lifetime of a session and key material. This should provide no additional client data storage, for example a pseudo cookie. As such, we require that browsers must clear sessions and keys when clearing other site data like cookies. So like no DBSC residual will will outlive cookie life. Cross site cross origin data leakage. It should be impossible for a site to use this API to circumvent the same origin policy and similar cookie policy. Implementing this API should not meaningful increase the entropy of heuristic device fingerprinting signals. Right? So you're not there. I mean they're, they're, they're designing this very much with the state of the art of privacy in mind. 
This API, which allows background pings to the refresh endpoint when the user is not directly active, must not enable long term tracking of a user when they've navigated away from the connected site. That's a very good point because there is a new communications protocol set up between the browser and the refresh endpoint to obtain updated cookies. But that only needs to be happening while the user is actively looking at that tab on that site. Each session has a separate new key created and it should not be possible to detect that different sessions are from the same device. So the keys are all isolated. Registration and refresh will only be performed over a secure connection or with localhost for testing, they said. To achieve these goals, we add the following constraints to DBSC requests. Registration and refresh are made in the context of the request that triggered them. For registration, this is the request serving the SEC session registration header. For refresh, this is the request referred deferred due to missing cookies. They said cookie refresh only occurs if the cookie is accessible. DBSC will not attempt to refresh a third party cookie if the third party cookies are blocked. And proactive refreshes must only occur if any tab has a page from the site currently loaded. And then lastly, while DBSC addresses a general problem of session hijacking and can be applicable to any browser consumer, it is possible to expand this protocol to better support enterprise use cases. By adding specifics to key generation, we can provide a more secure environment for enterprise users. This is the goal of DBS ce, which is an extension to dbsc. The high level design of DBS CE is described in the DBS CE overview. DBSCE removes the vulnerability DBS C has where a malware, if already present in the device during the key generation, can potentially take over a session. 
DBSCE proposes to mitigate this vulnerability by introducing device key chaining okay, so I am fully aware that what we've just done was a lot to digest and we're at the at, you know, at the end of a lengthy podcast with no time to dig further into this, but at least the essence of this new system is probably now clear. Cookies still exist, but they are short lived rather than persisting as they often do these days, essentially forever. I mean, I can't remember the last time I logged into many services that I use every day or two. They are staying current as cookies near what will now be their shorter end of life. The browser will be able to ping a website a newly defined website endpoint, meaning you know, something that is is part of the specification where it'll be, you know, some some.name directory off of the root where there where a specific service newly defined service will always be available. If DBSC is supported, the browser will be able to ping that at any time separately in order to obtain a refresh of the cookies that are that are about to be expiring and at that time re authenticate its device to that remote site. So to do this, that authenticating endpoint will send a cryptographic challenge that the browser must sign and return, and the browser can only do so using an unexportable private key that's buried in the hardware of the device that the browser is running on top of, the only thing that can be done with that key is signing cryptographic challenges to prove that the device has the key. Once the browser returns the challenge properly signed, the cookie provider will refresh the cookies for the domain and the browser will then continue to be able to use the original website without trouble. 
The cleverness of this solution is that it minimizes the changes that are required for the rest of the website by concentrating the new authentication scheme in one location and by using shorter lifetime old school cookies, it achieves compatibility with existing systems while also using the cookies as a as a shorm as a form of short term identity cash so that the system's far far slower crypto hardware is not overwhelmed and is only needed to occasionally refresh the cookies. Chrome, Firefox and Safari are all have all added support for device bound session credentials to their web browser offerings. So now People, websites, researchers can begin experimenting with this and start bringing this on board. And I'm sure we'll be talking about this more in the future.
Leo Laporte
Is it a done deal? I mean, is this for sure what's going to happen?
Steve Gibson
It requires adoption like anything else. You were saying on MacBreak Weekly that you wish passkeys, or maybe it was on our podcast, that, you know, you wish passkeys had more adoption than they do. But recent surveys show less than half of people are using anything other than username and password.
Leo Laporte
Yeah.
Steve Gibson
So, you know, it has to be in the browser, it has to support a TPM. That's the first step. Then it's up to the websites to decide that they want to adopt it. And so it'll be like, you know, all the extra hoops you have to jump through if your financial advisor sends you email and you've got to authenticate, or your bank is making you do extra stuff.
Leo Laporte
Right.
Steve Gibson
It'll be places where they really, really care about knowing that you're using a particular device.
Leo Laporte
Right.
Steve Gibson
But what's cool is once you create a binding, as they call them, a binding between the private key in a device and a remote entity like a bank or your domain name supplier. Like, I would like to have much stronger authentication between the computer I'm sitting at and Hover.com. We have never had a mechanism to offer that. This offers that. When I am setting up my account at Hover, they could query this, get the public key for the private key in my device, and that would be part of my Hover account. And then anytime in the future they could require me to be sitting at this computer in order to authenticate to.
Leo Laporte
Hover.com. Or they could say, well, you're at that computer, so you don't have to go through the extra multi-factor authentication or something. Right?
Steve Gibson
Correct.
Leo Laporte
Because right now with Hover I have to do multi-factor every single time I log on.
Steve Gibson
Exactly.
Leo Laporte
So it kind of makes sense that sites that do have this higher need for security might adopt it first. I'd love it if my bank adopted this. That'd be fantastic, right?
Steve Gibson
Yes. And essentially it would be. It is extremely good for short-term re-authentication of a device. You are at this device, because we just gave you something and your device signed it for us. And only that one device in the galaxy could do so.
Leo Laporte
I think this sounds like a good idea.
Steve Gibson
We need it.
Leo Laporte
And so this is no effort on the user's part. The user might not even be aware of it.
Steve Gibson
You would never see it. It would be completely transparent.
Leo Laporte
Love it.
Steve Gibson
It might say, you know, we've just authenticated your device. You're done.
Leo Laporte
You wouldn't need more captchas. You could get rid of those captchas, you could reduce the number of MFA logins. You know, Hover could say it once, put that special cookie on my hard drive, and then I wouldn't need to do it again on that device.
Steve Gibson
I think that actually Hover would receive the public key for this feature on your device.
Leo Laporte
Right.
Steve Gibson
And that's all they would ever need. It would be part of your account.
Leo Laporte
You'd still want them to log in. I think they would still want a password and login. But.
Steve Gibson
So that's in order to authenticate that.
Leo Laporte
It was you on your device, right?
Steve Gibson
Yes, but this allows cryptographic binding of device to remote account.
Leo Laporte
I think this is good. I'm glad they're implementing it.
Steve Gibson
Yeah, yeah.
Leo Laporte
Did this come from the IETF or W3C?
Steve Gibson
Was this W3C? It's in all three browsers. It's in Safari, Firefox and Chrome. And now all of our listeners know about it.
Leo Laporte
I mean, that presumably means it's in all the Chromium derivatives like Edge and Brave.
Steve Gibson
And it's because it was just added to Chrome 135 that we're talking about it today.
Leo Laporte
Yeah, great. You know what? This wasn't so bad. This was great. As always, Steve makes it clear. And I tell you what, that's why you listen to this show, because it keeps you up to date on these kinds of things. I really appreciate that, Steve. I doubt there's any other podcast in the world that has spent any time on device bound session credentials at all. We're the first and we'll probably remain that way. This is why we listen every Tuesday, right about 1:30pm Pacific, 4:30 Eastern, 20:30 UTC, at least if you want the freshest version, the live version. We stream it on eight different platforms: Discord for our club members, YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. I hope you will watch live, but you don't have to. You can always download a copy of the show. Steve has really, it's almost now like there's a fork in the road. You have your own unique versions: a 16 kilobit audio version and a 64 kilobit audio version. That's the only place you can get that. He also has the show notes and Elaine Farris's excellent transcriptions. All of those are unique to GRC.com, Steve's website. So if you want any of those formats of the show, that's the place to go. While you're there, pick up a copy of SpinRite, the world's best mass storage performance enhancing, recovery and maintenance utility. 6.1 is the current version. That's Steve's bread and butter. Go get a copy there. Lots of other free stuff at the website. If you want to email Steve or comment on the show or submit maybe a Picture of the Week, the thing to do is to go to grc.com/email, validate your email, sign up. It's opt-in, but you can sign up there for a weekly email on the show notes and a very infrequent email about something new that's coming along. The next one will probably be Steve's new DNS benchmark utility.
I'm excited about this, the Pro version about to come out, so you don't get a lot of emails on that one, but it's worth signing up for those. grc.com/email, and once you've validated your address, you can email Steve. We also have 128 kilobit audio, because it's a complicated thing, but Apple apparently downsamples, so we wanted to have a higher quality so Apple can downsample it. We also have video. No one else has that. At our website, twit.tv/sn, that's where you'll find a link to the YouTube channel for the show. Great way to share clips. I know this show, of all the shows we do, people are most likely to want to say, oh, I've got to send that to my boss or to my friend. And you can do all that on the YouTube channel very easily. And of course you can always subscribe in your favorite podcast player and just get it automatically. Choose audio or video. It's free. What I would like to invite you to do: you can get a very special URL just for you that has no ads in it if you're a member of Club TWiT. Ad-free versions of all the shows are seven bucks a month. You also get access to the Club TWiT Discord, which is a great place to hang out. We always have a lot of fun in the Club TWiT Discord. We also, by the way, do a lot of special events in there. At some point I want to get Steve to do a Vitamin D event in our Club TWiT Discord. But we also have, coming up tomorrow, Micah's Crafting Corner. Micah's making Lego succulents. Now, that doesn't mean you need to do Lego. You can do anything you want. Listen to nice music, chill, converse. It's a crafting session for all kinds of crafts, tomorrow at 6pm. He does that every month. I know you're a coffee fan, Steve. Coffee Time with Mark Prince, the Coffee Geek, is back on Friday, 1pm Pacific. Our guest will be Liz Happy Beans, one of the big YouTube coffee mavens. I know, isn't that a great name? So we're going to talk coffee. Home Theater Geeks recording coming up with Scott Wilkinson.
Our AI Users Group is the fourth Friday of every month. We also have Stacey's Book Club just around the corner next month. The Word for World is Forest is the book. That'll be May 16th. It's a novella, so you have plenty of time to read it. But don't wait. Ursula K. Le Guin's award-winning science fiction novella. And Micah and I have decided to start doing the keynote commentaries that we've done for so many years on TWiT a little bit more privately, in the club only, to avoid lawyerly actions on the part of Apple. So the WWDC keynote will be club only, June 9th. You can join us there. The advantage of doing that is the club members will also get to participate and add their commentary to it. So that's all coming up in the club. Not a member? Join, please. Only seven bucks a month, $84 a year. Yes, we brought back the annual subscriptions. Do subscribe now. If we raise the price, and we're contemplating it as revenue starts to diminish along with the tariffs, we may indeed want to raise the price, but you will be grandfathered in, I can promise you. So if you are already a member, you'll continue to pay that price: seven bucks a month, $84 a year. twit.tv/clubtwit. Steve Gibson, what a pleasure. Thank you so much. Thank Lori for making you buy a new iPhone.
Steve Gibson
I like my new phone.
Leo Laporte
Yeah, see, she has some good ideas. And we'll see you next week on Security Now.
Steve Gibson
Thanks buddy. Bye.
Leo Laporte
Security now.
Steve Gibson
Ever notice your dog slowing down and having health issues and wonder, what can I do to make him better? Well, my friend, add Ruff Greens to your dog's food for 90 days and I guarantee you'll see changes that will amaze you. Greetings, naturopathic doctor Dennis Black, inventor of Ruff Greens, here, and I invite you to give your pup the Ruff Greens 90 Day Challenge. In the first 30 days, you'll see shinier coats and increased energy. By day 60, your dog will have a stronger immune system, less shedding, improved joint function, all due to the live nutrients that you've added to their diet. And at 90 days, better digestion, reduced inflammation, improved heart health, and you may even have reduced their cancer risk. Fetch your dog a free Jumpstart trial bag today.
Leo Laporte
Go to tryruffgreens.com, use promo code TRYRUFF. That's T-R-Y-R-U-F-F. Go to tryruffgreens.com, use promo code TRYRUFF.
Steve Gibson
You just cover the shipping. You don't have to change your dog's food to improve your dog's health, just add a scoop of Ruff Greens.
Security Now 1021: Device Bound Session Credentials – Comprehensive Summary
Released on April 16, 2025
Podcast Description:
Leo Laporte and Steve Gibson delve into the latest in technology, focusing on security, privacy, and online safety. This episode, titled "Device Bound Session Credentials," explores significant advancements in session authentication, recent security incidents, and updates from major tech players.
Timestamp: [00:00] - [01:18]
Leo Laporte introduces the episode, highlighting a range of topics including Microsoft's latest Patch Tuesday updates, Oracle's reluctance to disclose security issues, Apple's legal battles with the UK over iCloud data, and the introduction of Mozilla's Thunder Mail.
Timestamp: [01:18] - [137:38]
Overview: DBSC represents a significant evolution in session management, aiming to replace traditional session cookies with a more secure, device-bound authentication mechanism. This advancement leverages cryptographic keys stored securely on user devices to enhance session security.
Steve Gibson’s Insight:
[137:03] “DBSC offers an alternative to long-lived cookie bearer tokens by binding sessions to cryptographic keys on the device, significantly reducing the risk of session hijacking.”
Privacy Considerations:
DBSC is designed to introduce no additional tracking or privacy infringements. Sessions and keys are cleared when users delete cookies, and cross-origin data leakage is mitigated.
Conclusion on DBSC: DBSC is poised to enhance web security by ensuring that session credentials cannot be easily stolen or misused. Its integration into major browsers marks a pivotal shift towards more secure web authentication mechanisms.
Timestamp: [08:38] - [25:00]
Overview: Android is set to introduce "Advanced Protection Mode" (AAPM), inspired by Apple's Lockdown Mode. AAPM is geared towards users who are high-risk targets, providing enhanced security features to protect against sophisticated cyber threats.
Timestamp: [05:08] - [14:26]
Steve Gibson’s Feedback on Firefox Tab Grouping:
[25:03] “I was unable to merge two tabs into a single group, highlighting potential bugs in the initial rollout of the feature.”
Leo Laporte’s Tip:
[26:44] “I wish I had known about the URL field calculator when doing my taxes yesterday.”
Timestamp: [40:47] - [75:15]
Overview: Oracle has been embroiled in a significant security breach involving its cloud services, leading to data exposure and ongoing denial from the company.
Kevin Beaumont’s Analysis (from transcript):
[66:17] “This is a serious cybersecurity incident which impacts customers in a platform managed by Oracle. Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay.”
Steve Gibson on Oracle’s Handling:
[73:00] “I've never seen a response so bad from a large organization. They're throwing their own security staff under the bus by having them face customers rather than the corporation actually take responsibility.”
Timestamp: [106:21] - [137:38]
Overview: PHP's core interpreter underwent a thorough security audit by Quarkslab, uncovering multiple vulnerabilities and leading to the issuance of several CVEs.
Timestamp: [137:03] - [128:02]
Overview: A research study revealed that large language models (LLMs) like GPT-4 frequently generate non-existent software packages during code generation. This phenomenon, termed "package hallucinations," poses significant threats to software supply chains.
Notable Quotes:
Steve Gibson on Slop Squatting:
[124:54] “If future coders become too comfortable with directly using LLM-created code without scrutinizing it carefully, it's no longer far-fetched to imagine that these mistaken outputs might be weaponized.”
Risky Business Security Newsletter Commentary:
[119:22] “Developers would not spot non-existent packages in huge blocks of code they're using when cutting corners, making slop squatting a viable threat.”
Timestamp: [74:03] - [99:20]
Overview: Multiple breaches have been detected within the U.S. Treasury's offices, specifically targeting the Office of the Comptroller of the Currency (OCC). These incidents have exposed sensitive communications and raised concerns about national security.
Notable Quotes:
Steve Gibson on Treasury Breaches:
[50:49] “The OCC breach is the third treasury office to disclose a breach, with previous incidents at the Office of Foreign Assets Control and the Committee on Foreign Investment in the U.S., all attributed to Silk Typhoon.”
Listener Feedback (Keith from Canada):
[75:13] “As a Canadian Oracle Health customer, it's very frustrating to me that they seem to be above SEC regulations and still refuse to disclose breaches to us so that we can be proactive in protecting our organizations.”
Timestamp: [100:47] - [137:38]
Overview: Apple is embroiled in a legal battle with the UK government over mandated backdoors to access iCloud data, raising significant privacy and security concerns.
Notable Quotes:
Steve Gibson on Apple’s Legal Battle:
[137:03] “It seems unlikely that the UK's demand to obtain iCloud data for anyone they choose worldwide will succeed, but the situation remains fluid.”
Leo Laporte’s Curiosity:
[137:14] “I think this sounds like a good idea. I'm glad they're implementing it.”
Timestamp: [137:38] - [194:37]
The episode wraps up with reflections on the discussed topics, emphasizing the critical nature of advancing web security through innovations like DBSC. The hosts also remind listeners of upcoming events, community engagements, and additional security tips.
Final Insights:
Adoption of DBSC:
The success of DBSC hinges on widespread adoption by both browsers and websites; only then can it materially change how web sessions are managed and protected.
Continued Vigilance:
With ongoing security challenges, from software supply chain vulnerabilities to sophisticated hacking groups, maintaining robust security practices remains paramount.
Notable Quotes with Attribution:
Steve Gibson:
[137:03] “DBSC offers an alternative to long-lived cookie bearer tokens by binding sessions to cryptographic keys on the device, significantly reducing the risk of session hijacking.”
Conclusion:
Episode 1021 of Security Now examines Device Bound Session Credentials in depth, highlighting their potential to overhaul session security on the web. Together with the discussion of significant security breaches, browser updates, and the role of robust authentication mechanisms, the episode is a useful resource for staying current on cybersecurity.
For detailed insights, refer to the full transcript available on grc.com and explore the shared resources for a more comprehensive understanding.