Short-life Certs, Ransomware Payout Stats
Leo Laporte
It's time for Security Now. Steve Gibson is here. He's figured out how to enable Firefox tab grouping. He'll share that with you. Good news. MITRE's CVE program is not dead yet, and there are plans to keep it alive forever. And we'll find out about a Windows feature that's been there for a long time, but Steve has just rediscovered it. It's a hidden gem inside all versions of Windows 10 and 11. The Windows Sandbox. That and yes, it's time for short-lived certs. All of that and more coming up next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1022, recorded Tuesday, April 22, 2025. The Windows Sandbox. It's time for Security Now. The show where we talk about your privacy, your security, staying safe online. All of that courtesy of this cat, Mr. Steve Gibson. Live long and prosper. gibson@grc.com. Hi, Steve.
Steve Gibson
I can do it with both hands.
Leo Laporte
I can't. I can't. I have to have my fingers taped. Actually, you know what?
Steve Gibson
And that's a thing, isn't it?
Leo Laporte
You know what? Now that I've been playing the piano.
Steve Gibson
Oh, I. Because they're limber digits.
Leo Laporte
Well, it's one of the things you have to learn with the piano because you got tendons connecting your pinky and your ring finger and you gotta isolate those. You gotta learn to isolate those. So maybe I'm a little better at the.
Steve Gibson
You're the pinky isolator.
Leo Laporte
I am the pinky. You do these exercises and then you do the Hanon things. And there's all these things you have to do to. Hey. Before you get to what's coming up on the day's show, I want to.
Steve Gibson
Show you learn new things.
Leo Laporte
I'm trying to keep my brain aging, Ray.
Steve Gibson
We are all aging.
Leo Laporte
You know what I have to learn now?
Steve Gibson
No.
Leo Laporte
How to program an HP42 in RPN.
Steve Gibson
Oh, isn't it beautiful?
Leo Laporte
I have no need for this at all. In fact, as soon as I got it, I realized there's a $10 software version for the iPhone. But this is really cool. From Swiss Micros. And there was no tariff. I don't know how they did that. I got the DM42N. Yep, you have a 41, I think.
Steve Gibson
And I can see that it's got that cool pyramid on. And as you know, every time you turn it off, you get a different graphic that it leads.
Leo Laporte
This is a fractal. Yeah, so somebody wrote a fractal in. In the thing.
Steve Gibson
And there's your register stack.
Leo Laporte
Oh, there's a QR code. I don't know what that's for. Don't scan that, kids. No, I think it's probably Swiss Micros. Yeah. There's another.
Steve Gibson
Another program grid of weird little 3D squares.
Leo Laporte
I think these are fractals, is my guess. Oh, I got an owl.
Steve Gibson
That's the wise old owl.
Leo Laporte
This is all I know how to do right now, but it is really beautifully made. You. You. You inspired me.
Steve Gibson
It is, yes.
Leo Laporte
And I thought I had. It's a fetish object. I have no use. I have computers, I have spreadsheets. I don't need this, nor do you, unless every once in a while you want to.
Steve Gibson
I pick it up all the time.
Leo Laporte
Do you? For programming?
Steve Gibson
I absolutely do, yes.
Leo Laporte
Converting your hexadecimal to.
Steve Gibson
Yeah, I mean, and like, I've got. How many servers will fit on the edge of a pin or the head of a pin. Things are important when you're. You know.
Leo Laporte
This is basically not very intuitive. I have got to read the manual. I never use one of these.
Steve Gibson
Well, it's daunting, right? I mean, because all the buttons have multiple functions and there's like a programming mode and. Oh, there's also like a configuration mode and all kinds of.
Leo Laporte
I did set the time and date. I was able to do that.
Steve Gibson
That's nice. So it's no longer set to Swiss time. Right.
Leo Laporte
And this one is the newer one with a USB C connector. So it can actually. I think the processor speeds up when you plug it in a little bit.
Steve Gibson
Not that.
Leo Laporte
Oh, I got. You might have a micro. Do you have C?
Steve Gibson
Okay, yeah, I do have C. I.
Leo Laporte
Was really pleased it came within a few days. You talked about this last week and it came in time for the next episode, so. Well.
Steve Gibson
And it slipped under DHL's new $800 minimum. Right.
Leo Laporte
That's what happened because it was delivered by DHL and it's the de minimis exception. Means it was not tariffed. It was under. It's only Lisa said. What did you buy for. From Switzerland for 300 bucks? A calculator, honey.
Steve Gibson
Today. What did you buy from Switzerland Today?
Leo Laporte
Yeah, actually, it was more like today. Anyway, what's coming up? Speaking of today on Security Now.
Steve Gibson
So while researching an interesting piece of security news, which we're actually going to get to next week, I strongly suspect, I stumbled upon a feature that we all have. We who have Windows 10 and 11, which is now the majority of the we, that I thought, you know, we've never talked about this. I had forgotten that it was there. And it is. The more I looked at it, Leo, the more impressed I got. And our listeners know nothing Microsoft does recently really winds me up. I mean, or I'll.
Leo Laporte
No, it's true.
Steve Gibson
It doesn't. I am infatuated with. I am so impressed with the design of this. And everyone's going to know by the end of today's podcast about Windows Sandbox. Windows from 19. Whatever. What was that? 1903. So very early on in Windows 10, Windows 10 acquired a stunning technology which allows for another version, another instance of the Windows OS to be launched. And not like a VM, but like an app. That means they did everything about this right. It's in our Windows. I'm going to show everybody how to find it and turn it on. Because it's not on by default. That's why nobody knows about it. But it is a true security sandbox that allows you to run code that might be sketchy, download files you're not sure about. You could use Tor in it and surf the Net. And when you close the sandbox, all trace of what you did is gone and it launches in seconds, as opposed to a VM that has basically bringing up a whole new version of the OS. Anyway, I'm excited to share with our listeners all of the features that it has and also some of the why I am in love with this thing. Because, I mean, and I, and I, I mentioned lower it down in the, in the, in the podcast that this is maybe the first time that I've been envious that my other machine is still on Windows 7 and doesn't have this. I mean, I've been like, 10, let's go. It's three digits higher than seven. You know, otherwise, you know, who cares? But it's like, I want this. So anyway, but we're going to get there. We're going to first talk about enabling Firefox's tab grouping. Recall. The. The recalled Recall re-rolls out. The crucial YouTube. You sent me a text, I think it was maybe Tuesday afternoon, about how the CVE program came very close to dying last week.
Leo Laporte
That would have been a shocker. I mean, that really would have been devastating.
Steve Gibson
Actually, it's not just that it would have been. We wouldn't have had numbers for the podcast. It turns out it's actually crucial to like the whole management of vulnerabilities worldwide. And it almost went away. China has confessed, actually officially said, yeah, that was us hacking the US. Of course they blame, they blame our stance on Taiwan. So it's really your, your fault for making us do it to you. Yeah, that's right. CISA says, but Oracle still refuses to. We've got brute force attacks on the. On a very rapid rise. A very worrisome Python package which has a hard time not being a 9.8 CVS score or CVS score CVE.
Leo Laporte
CVS is the drugstore. CVE is. Yes, that's right.
Steve Gibson
Yes. Thank you. Also, the CA/Browser Forum has passed the short-life certificates measure. We're going to revisit that maybe. Well, certainly for the last time until it gets really bad. We have a few years left, but it's certainly not anything that anybody's going to be able to ignore any longer and hope doesn't happen. A wonderful crosswalk hack hit Silicon Valley last week. Android had the strangest announcement about that force restart feature. Anyway, we'll have some fun with that. Also, we're going to look at how the EFF is never happy, but especially now about Florida. Some interesting research into ransomware payouts. And for Security Now 1022, for not this, not the last podcast. We squeezed a lot of podcasts into this monthly because we started on the 1st. We started on April Fool's Day, which means we get one more podcast in April before we have to switch over to May. So podcast number 1022, Windows Sandbox. Love it. For the 22nd of April. And we're gonna have a lot of fun in the next, what, about 12 or 13 hours that we'll be doing this.
Leo Laporte
Don't forget the picture of the week also coming up.
Steve Gibson
It's actually a great week and I've.
Leo Laporte
Got our caption of the week on my Swiss micro calculator. Don't panic. It says don't panic.
Steve Gibson
We know where that came from.
Leo Laporte
Yeah. Stay tuned. We'll probably give you reasons to panic. Actually, coming up, our show today brought to you at least this portion by Delete Me. If you've ever wondered how much of your personal data is out there on the Internet for. For anyone to see, don't do the search. You will be shocked more than you think. Your name. Yeah. Your contact info, your Social Security number, your home address, even information about your family members. All of it compiled by data brokers. Legally. Perfectly legally. And sold online. Yes, it's legal for them to sell your Social Security number. Anyone on the web can buy your private details. What can that lead to? Well, your imagination. Right. Identity theft. For sure, doxing, harassment. For us, it led to phishing attempts. Our CEO's information was online enough so that the bad guys could piece together not only her phone number, but her direct reports and their phone numbers and was able to send them a phishing text message that they were too smart to fall for. But that's just because we have very smart employees. And that's why we immediately signed Lisa up for Delete Me. You can protect your privacy with Delete Me too. As a person who exists publicly, especially somebody who shares their opinions online, and I think this is true for everybody. Think about safety and security. It's easier than ever to find personal information about people online. That's why I personally recommend and we use Delete Me. It's a subscription service that removes your personal info from hundreds of data brokers. Sign up, provide Delete Me with exactly the information you want deleted. Their experts take it from there. It was really amazing when we signed Lisa up for Delete Me. Shortly thereafter, Steve and I did that search in the National Public Data Brokers, the database of the information that they were selling. We, Steve and I both found our Social Security numbers. You know whose Social Security number wasn't in that database? 
You know who had no information in that database at all? Lisa. Thank you, Delete Me. But Delete Me doesn't just stop with the first deletion. They send you regular personalized privacy reports showing what they found, where they found it, what they removed, and then they continue working for you, constantly monitoring and removing the personal information you don't want on the Internet. Truth is you have to do that because those data brokers will keep populating that information. Plus there's new data brokers all the time who haven't, you know, received the message. You don't want them to collect your information. You know, the worst thing is they change their names. I think National Public Data actually changed its name and continued to operate. They, this is a nasty business. That's why you need DeleteMe. Your privacy matters to you. If you're a business, you absolutely need it for your management. To put it simply, DeleteMe does all the hard work of wiping out your, your family's personal information from all those data broker websites. Take control of your data. Keep your private life private. Sign up for Delete Me. We've got a special discount right now for our listeners. If you go right now to joindeleteme.com/twit and use the promo code TWIT at checkout, you'll get 20% off your Delete Me plan. Any Delete Me plan. joindeleteme.com/twit, the promo code TWIT at checkout. The only way to get 20% off is to go to that site, joindeleteme.com, make sure you get the slash twit, and use the code TWIT at checkout. That helps us because then they know you saw it here. Helps you because you're going to get 20% off. joindeleteme.com/twit, offer code TWIT. We thank them so much for supporting the good work Steve does here at Security Now.
Steve Gibson
All right, Steve, so you've not seen this picture. We have the caption why we will never have perfect security.
Leo Laporte
Okay, I'm going to scroll up right now and I shall see the picture. Okay, you better describe this. I'm not sure I get it.
Steve Gibson
Okay, so.
Leo Laporte
Oh, the door is open. Is that, is that the joke?
Steve Gibson
And what's even. What puts the perfect punctuation on is the book that was used to hold the door open.
Leo Laporte
Oh, I missed that part. The CISSP exam book.
Steve Gibson
So for those who are not seeing the.
Leo Laporte
I missed that. That's hysterical.
Steve Gibson
So what we have is an endeavor to create a secure environment in the security operations center of some facility somewhere. They, we have a door clearly labeled SOC, Security Operations Center. And underneath it it says please knock because otherwise you ain't getting in.
Leo Laporte
Oh, access is restricted. There's a whole sign that says that that is right.
Steve Gibson
It's over to the left. It's a security operations center. Act is access is pro is restricted to enter. Blah blah key. Yes, yes. There is an automated lock and we have a card reader which is doing that. And you know, you cannot get in. And pardon me, this thing is making noise.
Leo Laporte
And you know what I think is the issue is I think there's no bathroom in the security operations center. And so when you need to go, you need to prop the door open is my guess.
Steve Gibson
That's exactly right. So essentially what happened was. Well, and I did also want to note that there is an electronic card key reader to the side. So I mean, these guys are clearly serious about the security.
Leo Laporte
Oh, yeah.
Steve Gibson
Oh, yeah. What we find, however, is the door has been propped open, which of course completely defeats all of this. The sign, the knock knock, the warnings, the electronic card scanner, you don't need any of that because the door's not latched. And as you noted, the, the, the, the icing on the cake is that the CISSP Security Operations training book, which is clearly well used. It's got you, you got little flag Post-its. Oh, yeah, yeah. I mean, somebody took some time with this thing and decided, well, what the heck? What book is handy that I can use to prop this open?
Leo Laporte
It's really the, that's the, that's the funniest part of all. That's great.
Steve Gibson
It is great. I think you're right. Benito and I were talking about this just before the podcast, and we agreed that it was probably the case that the guy forgot his badge at home or, you know, dog ate it. There was nobody in there who, he, who would let him back in. So for him to do his knock, knock, knock routine and he had to pee. So it's like, oh, well, and again, why we will never have perfect security. And, you know, the, the, the, the, the larger point here is that this will always happen, right? I mean, it, it is, it is the human factor, which is always going to be the problem. You know, phishing is the way people get in now is they, you know, they send a piece of email that looks completely reasonable. And in fact, it got Troy Hunt, as we talked about a couple weeks ago. I know, I know. Troy got phished.
Leo Laporte
Yeah.
Steve Gibson
Okay. So that was our picture of the week. After hearing last week's note about Firefox tab grouping and how I'd been unable to get a pair of tabs to merge on my Firefox, which was updated to 137, which was the one that was the version that was supposed to have it, a number of our listeners said, steve, it's probably there, but just disabled.
Leo Laporte
It's in the about:config.
Steve Gibson
Yes. It's not that I didn't have it. It wasn't enabled. For anybody else who wants it, because I've got it now and it's nice: about:config. Then in the address bar search, or in the search of about:config, search for tabs.groups. That will return three entries and the amount of time you must hover and hold the tab before they merge, before Firefox says, oh, this guy wants to do a merge. Then also browser.tabs.groups.enabled. Mine was set to false. It's now true. And browser.tabs.groups.smart.enabled. I don't know what the difference is, but I want my tabs to be smart, so I enable that too.
Leo Laporte
But it's probably disabled by default. I mean, I don't think.
Steve Gibson
Yes, they were both. They were all. So what I believe is that when they talked about it gradually rolling out. What's gradual, what's turning it on? Exactly. So all the code is already there in everybody's Firefox 137 and later. And without you doing anything, they'll, I don't know what, give you a little pop up and say, hey, you can try this now. I don't know how they're going to tell people. Or maybe they'll just start working and people go, oh, look at that. I hovered my tab and they joined instead of, you know, sliding past each other. Anyway, it's there for anybody who's interested. And so I, I disabled my tree style tabs add on, which is what was giving me vertical tabs in a nested hierarchy. I shed a tear for the lack of a tree architecture and I don't really use it that much, but sometimes I'll put stuff under a tab and then close that tab. But Firefox has the same thing. It allows you to assign a group name and you can click that group name in order to collapse all the tabs under that. So I can easily see this solving people's problems. I, I also like a little more density and I poked around a little bit and you could get into a custom CSS style sheet which is used to format the, you know, the so called chrome around the edges of the browser. But I thought I'm just going to see if I get used to, you know, change is hard, right? So I'll just get used to it and you know, see if I get used to it and, and, and work with what's the default. But anyway, so, and I didn't mention that I also am using Firefox's native vertical tabs. So, so I've got vertical tabs and now I've got tab merging that lets me create groups that are named and you can set the color and do different things. So yeah, we got it and it's all there for anybody who wants it. This news would have made it into last week's podcast, except that last week already broke the record, world's record for the longest Security now podcast ever. 
Which is why I was joking earlier about, you know, this one being maybe 12 or 13 hours. No, there was no room available to talk about this. And just so that everyone knows, because I did get some feedback from people saying, Gibson, three hours. Really? Come on. I recognize that three hours is a lot of everyone's life. And I did, I did hear your pushback. So that was just, you know, it wasn't an intentional marathon. We're not deliberately, you know, extending the length of the podcast. It was just that there was a lot to talk about. So anyway, the original announcement, which as I said I would have gotten to last week, was of the release of a new Windows 11 to the Release Preview channel, which was made on April 10th. And now that was for build 26100.3902. But that release apparently had had a few issues that cropped up pretty quickly because Microsoft has since updated it to 3909 from 3902 and that was on last Friday the 18th. And after all, quick updates are what you expect. That's the inherent nature of Preview releases. Things are going to be discovered due to wider deployment and then they're going to get fixed for everybody. So anyway, because Microsoft now clearly recognizes that their Copilot+ Recall technology, which created quite a stir when they tried to do this a year ago, is a big deal and will, does really represent a huge change to the operation of Windows. It was the first new feature that they noted in their preview release notice. Once Recall makes its way into the production releases, I'm sure it'll come up again. There'll be some press coverage about it. We'll probably take another look at it, as will the entire Windows 11-using world. But as Microsoft promised last year, when Recall is initially released, it will be disabled by default. So that's big change number one. 
And it will, you know, I'm sure they're going to be telling everybody, oh, don't worry about it, it's secure, it's encrypted, you know, your privacy comes first, blah blah blah. But it will be an opt-in feature of Windows 11, at least for now. You know, we know that when Window, when Microsoft wants, really really really wants you to have something, like Xbox, for some reason I don't own an Xbox, but I've got it in the menu, then you're going to have it whether you want it or use it or not. Anyway, it's there. I want to let people know that it's on its way and that what we learned about the what they would be doing with it has turned out to be the case. They have. They understood that it's not something that can be opt in and that everybody gets without question. Also, as I mentioned, Leo sent me a text Tuesday after the podcast last week. For a few days last week it appeared that the incredibly important and extremely useful Common Vulnerabilities and Exposures program that's operated by the MITRE Corporation and has and always has been and has always also been funded by DHS, the U.S. Department of Homeland Security, might become unfunded, and people were talking about it getting shut down. The entire security industry breathed a collective sigh of relief with the news that CISA found some loose change somewhere, enough to keep it going for another 11 months. Last Wednesday, under their headline CISA extends funding to ensure, quote, no lapse in critical CVE services, Bleeping Computer wrote the following. They said, CISA says the US government has extended MITRE's funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures program. CVE, not, as Leo corrected me, CVS, which is the pharmacy. That's different. The US cybersecurity agency told Bleeping Computer, quote, the CVE program is invaluable to the cyber community and a priority of CISA. 
Last night, CISA executed the option period on the contract, which I guess was always there, but you know, still we were all, we were all brought to the brink, to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience. Bleeping Computer, they wrote, has learned that the extension of the contract is for 11 months. The announcement follows a warning from MITRE Vice President Yosry Barsoum that government funding for the CVE and CWE programs was set to expire today, April 16, when this all happened last week, potentially leading to widespread disruption across the cybersecurity industry. Barsoum said, quote, if a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure. I mean, this was a big deal. MITRE maintains CVE, a widely adopted program that provides accurate accuracy, clarity and shared standards when discussing security vulnerabilities. And you know, it's a staple for this podcast, right? They wrote, with funding from U.S. National Cybersecurity Division of the U.S. Homeland Department of Security. After publishing our story, wrote Bleeping Computer, MITRE shared the following statement with them, with Bleeping Computer, quote, thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures, CVE, program and the Common Weakness Enumeration, CWE, program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry and government over the last 24 hours. The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE and CWE as global resources.
Leo Laporte
Yeah. MITRE does. I don't know what CISA is planning, but. Okay. They've cut them way back.
Steve Gibson
We don't know. I mean, I don't know. I, I don't think anybody knows. To your point, Leo, which is a good one, what CISA is today.
Leo Laporte
Right.
Steve Gibson
We know what CISA was last year.
Leo Laporte
Right.
Steve Gibson
And we've been singing CISA's praises for years and been very impressed with, with CISA. Now, you know, as, as is the case with a lot of what's going on in Washington, we just need to wait and see.
Leo Laporte
Well, not to mention the shameful fact that the President is go. Is in. Has asked the Justice Department to investigate. Chris Krebs.
Steve Gibson
Yes.
Leo Laporte
Former director of CISA for the. For the sin of saying that the election in 2020 was, was the most.
Steve Gibson
Successful or the most secure election we've ever had in the U.S. now, you.
Leo Laporte
Know, in all likelihood that investigation is not going to lead to anything. Right. It's just bs, but it's still kind of terrifying that that can happen.
Steve Gibson
It's the intersection of politics with our technological world. Right.
Leo Laporte
And the problem is security doesn't care about politics. No. You know, the bad guys are going to do what they're going to do and if we don't fund the defense, we got trouble.
Steve Gibson
Yeah. So. Bleeping Computer said, before CISA's announcement, a group of CVE board members announced the launch of the CVE Foundation. So this is part two of this news. A nonprofit organization established to secure the CVE program's independence in light of MITRE's warning that this US government might not renew its contract for managing the program. MITRE said in a Wednesday press release, quote, since its inception, the CVE program has operated as a US government funded initiative with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised long-standing concerns among the members of the CVE Board about the sustainability and neutrality of a globally relied upon resource being tied to a single government sponsor.
Leo Laporte
That's a very good point.
Steve Gibson
It should be right. And they said over the last year the individuals involved in the launch have been developing a strategy to transition the program to this dedicated foundation, eliminating, quote, a single point of failure in the vulnerability management ecosystem and ensuring, quote, the CVE program remains a globally trusted, community driven initiative.
Leo Laporte
So this was a wake up call.
Steve Gibson
Is what it was. Exactly. It was. And you know, it was a good thing too because we, because we haven't lost continuity, we lost. We get 11 months, which should be plenty of time. So while that, and Bleeping Computer finished saying, while the CVE Foundation plans to release further information about its transition planning in the coming days, the next steps remain unclear, especially considering CISA has confirmed that funding for MITRE's contract has been extended. The European Union Agency for Cybersecurity, ENISA, has also launched a European Vulnerability Database, EUVD, which embrace, embraces a multi-stakeholder approach by collecting publicly available vulnerability information from multiple sources. Okay, so first of all it is difficult to imagine a world without common uniform system. You know, a you know, some common common uniform system for ranking the dangers and threats of vulnerabilities. You know, Lord knows the US Government probably obtains at least as much value and benefit itself from having this program in place as any other entity. CISA will provide, as we noted, an additional 11 months of federal funding to MITRE, making this a very valuable wake up call for the rest of the industry and giving it time to arrive at a non-government funded alternative. Which takes us to the announcement of the CVE Foundation. Good. Speaking of a non-government funded alternative, also last Wednesday, the industry was treated to a press release from the newly formed CVE Foundation. 
The press release read: For immediate release. CVE Foundation Launched to Secure the Future of the CVE Program. From Bremerton, Washington, they said, the CVE Foundation has been formally established to ensure the long-term viability, stability and independence of the Common Vulnerabilities and Exposures, CVE, Program, a critical pillar for the global cybersecurity infrastructure for 20, for the past 25 years. Since its inception, the CVE Program has operated as a US Government funded initiative with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised long-standing concerns among members of the CVE Board about the sustainability and neutrality of a globally relied upon resource being tied to a single government sponsor. This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. Government does not intend to renew its contract after 25 years for managing the program. While we had hoped this day would not come, we've been preparing for this possibility. In response, a coalition of longtime active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated nonprofit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide. Kent Landfield, an officer of the foundation, said, quote, CVE is a cornerstone of the global cybersecurity ecosystem. It is too important to be vulnerable itself. I love that. He said, cybersecurity professionals around the globe rely on, on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats. 
So the formal, the formation of the CVE Foundation, they wrote, marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE program remains a globally trusted, community driven initiative. For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today's threat landscape. Over the coming days, the foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community. For updates or inquiries, contact info at thecvefoundation.org. So that's the URL, thecvefoundation.org. So it exists. And depending upon how things look 11 months from now, and maybe even so, I mean, given, certainly given the current administration's feeling about, you know, waste, fraud and abuse, if there is a foundation willing to take this over, I'm sure it's going to be cut loose.
Leo Laporte
So this mirrors what's been going on with the Internet since its inception. I mean, you remember when it was one guy at UCSD, Jon Postel, who would assign you your IP addresses. And then it was IANA, and then IANA became a non-governmental organization, ICANN became non-governmental. The Commerce Department used to fund it, used to run it, and then released it to the world. That. Because we invented it here. So initially we did it.
Steve Gibson
It was originally under the auspices of DARPA, right? The Defense Advanced. DARPA. Advanced Research Projects Agency. Yes.
Leo Laporte
So I mean, this is just, this is a natural evolution.
Steve Gibson
Yeah.
Leo Laporte
It's good we had this little wake up call. It's good that did not defund it because there would have been an interregnum in which we didn't have any CVEs assigned. That's more than just assigning a number. I mean. Right. It's important.
Steve Gibson
Yeah, yeah, it would be difficult. It's that there is an agreement about where these numbers come from. There are. And if you ever look at the actual NIST database, vulnerability is broken down into a whole bunch, essentially sort of a demographic of the vulnerability, you know that. And there are official designators for each different category that the vulnerability falls into. I mean, it's odd because it's like oxygen. You know, we breathe it in, we've always had it. We take it for granted. And it's like, what would we have if there was no way of saying. Well, and I was going to say, to finish that thought, of no way of objectively evaluating how bad a problem was? Because many people, you know, jump on a 9.8. It gets their attention. They know.
Leo Laporte
Right.
Steve Gibson
They have to fix it. Serious. And, and if it's a 4.2, it's like, okay, we'll wait till next month, you know, because you know, my shoe won't fit.
Leo Laporte
And you don't have to have a memory to understand what it would be like if there weren't a central naming authority. Because that's how virus names and every security researcher has a different name for viruses. Same thing with threat groups. Right. Everybody Fancy Bear and it's a mess.
Steve Gibson
Yes.
Leo Laporte
You need a centralized. Somebody that says this is what we're going to call it. We all agree, right? Just makes sense.
Steve Gibson
Yep. Yep. Do you want to make sense? Yes.
Leo Laporte
I knew, I sensed that.
Steve Gibson
Yes.
Leo Laporte
Let's take a little break. We will come back with more of Steve and this fabulous show. We're so glad you listen and I'm so glad Steve continues every week to put, he puts so much work into this. And I'm very grateful, Steve, because it's not only our most listened to show, it is also the most important show.
Steve Gibson
We do well and I know it's my time is being well spent because I get so much feedback from our listeners. I set out. We're now on a high side of 17,000 email subscribers. It was 17,097 last night. Received the advance notice and these notes and a picture of the week and so forth. And I get feedback from people saying, hey, you know, you've already got your tab merging and Firefox and, or you know, whatever. So it's, it's a resource for me and I know it matters to people.
Leo Laporte
Yeah, I've always thought of what Twit does really ultimately is as a user group. You know, there used to be you would go to your user group every month and you'd learn about, you know, your Atari 800 or whatever it was. But now that computing is ubiquitous, there isn't a place people can go to, you know, share this knowledge. And so this is, that's what you are and that's what this is becoming. I think that's very, very important. It's really what the whole network is all about. And so we appreciate your support for. For what we do here.
Steve Gibson
Wouldn't be here if it weren't for you, Leo. So. So there.
Leo Laporte
We're all glad to be here. That's all I can say. And the alternative is much worse. I bemoan my age to Lisa, as I'm sure you do, to Laurie, and she says, well, consider the alternative.
Steve Gibson
Yeah.
Leo Laporte
Yes.
Steve Gibson
Yeah. I have a variation of that. I tell people my plan is to live forever. And so far, it's working.
Leo Laporte
It is. And we're so glad. Our show divisposed portion of Security Now brought to you by a great sponsor. We love these guys. Drata. D-R-A-T-A. Drata. If you're leading risk and compliance at your company, you know you got a big job. I know you're likely wearing, I don't know, 10 hats at once. You've got to manage security risks, you've got compliance demands, you've got budget constraints, all while trying not to be seen as the roadblock that slows the business down. Right. You know, everybody's going, go, go, go. But GRC, and I'm not talking about the Gibson Research Corporation, GRC isn't just about checking boxes. GRC is a revenue driver that builds trust. It accelerates deals, it strengthens security. It's not something that's a burden, it's something valuable. Governance, risk management, and compliance we all need to pay attention to. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on your most important job. Reducing risk, proving compliance, scaling your program with Drata. This is such a lifesaver. You can automate those security questionnaires, you can automate evidence collection, and you can automate compliance tracking. You'll stay audit ready with real time monitoring. Simplify security reviews because Drata has this beautiful Trust Center and AI powered questionnaire assistance. There's so many reasons you need Drata. Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/securitynow to learn more. I knew you would get around to this eventually. Let's talk about China hacking us. Oh, you're muted.
Steve Gibson
Muted, sorry.
Leo Laporte
There we go.
Steve Gibson
Yes. So the Wall Street Journal carried the news under their headline, "In Secret Meeting, China Acknowledged Its Role in US Infrastructure Hacks," and they gave it the subheading, "A senior Chinese official linked intrusions to escalating US support for Taiwan." Right.
Leo Laporte
There's a lot of other reasons. Right. Tariffs, so forth.
Steve Gibson
Well, but of course, the China hacking has been going on for quite a while. Yeah, it's like, come on folks, really. The Journal story said, "Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on US infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate. The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets to increasing U.S. policy support for Taiwan, the people, who declined to be named, said." So the attribution of these attacks to state sponsored groups, specifically Volt Typhoon, has been officially substantiated and we have further evidence of what seems to me like a, you know, a bizarrely intertwined and complex relationship between our two countries. You know, we talked last week about the offhand comment that I heard from somebody who was being interviewed on one of the Sunday shows, saying that, well, at some point China might decide to weaponize all the information that they had been, you know, absconding with from the US and it's like, oh, I hadn't thought about that. That would not be good either. So it's like, I just wish we could all get along. But doesn't look like that's going to happen anytime soon. As one security news reporter wrote, "CISA has published an alert on the Oracle Cloud data breach before Oracle did, mainly because the company is still busy wordsmithing its way around the issue." CISA's alert, published last Wednesday, was titled "CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise." So, you know, because Oracle hasn't said anything official, CISA is having to tiptoe a little bit, right? I mean, they just can't come out here and blast away at Oracle, so they're being as careful as they could be. They wrote in this announcement last Wednesday:
"CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment." It doesn't get any more, you know, kid gloves than that. "While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate unaffiliated systems, or embedded, for example, hard coded into scripts, applications, infrastructure templates or automation tools. When credential material is embedded, it's difficult to discover and can enable long term unauthorized access if exposed. The compromise of credential material, including usernames, emails, passwords, authentication tokens and encryption keys, can expose significant risk to enterprise environments. Threat actors routinely harvest and weaponize such credentials to escalate privileges and move laterally within networks, to access cloud and identity management systems, to conduct phishing, credential based, or business email compromise campaigns. They may resell or exchange access to stolen credentials on criminal marketplaces and enrich stolen data with prior breach information for resale and/or targeted intrusion. CISA recommends the following actions to reduce the risks associated with potential credential compromise," and this is, you know, generic at this point, they said, you know, "Reset passwords for any known affected users across enterprise services, particularly where local credentials may not be federated through enterprise identity solutions," which would otherwise make them secure. "Review source code, infrastructure as code templates, automation scripts and configuration files for hard coded or embedded credentials and replace them with secure authentication methods supported by centralized secrets management.
Monitor authentication logs for anomalous activity, especially involving privileged, service, or federated identity accounts, and assess whether additional credentials such as API keys and shared accounts may be associated with any known impacted identities. Enforce phishing resistant multi factor authentication for all user and administrator accounts wherever technically feasible. And finally, for additional information on cloud security best practices, please review the following cybersecurity information sheets," and they give them their title, "CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices." And then for users they only have 3 points. "Immediately update any potentially affected passwords that may have been reused across other platforms or services. Use strong unique passwords for each account and enable phishing resistant multi factor authentication on services and applications that support it. For more information on using strong passwords," blah blah blah. "And finally, remain alert against phishing attempts," you know, "referencing login issues, password resets or suspicious activity notifications." Be very skeptical. And then they referenced their phishing guidance called "Stopping the Attack Cycle at Phase One." So that advice could hardly have been more generic. That doesn't mean it's not obviously useful advice, but it does mean that in the absence of any confession from Oracle, you know, that's about as definitive as anyone is able to be. CISA felt that they had to say something because Oracle was really being irresponsible. I mean, this has been a sad lesson. You know, while I doubt that Oracle's irresponsible behavior will hurt them in the very short term, no one who's involved in the security industry is likely to forget this. It really should cause everyone to wonder if they will act this way. What else is their internal corporate and security culture likely to do? And so the question is, how can you trust them.
And unfortunately these days more than ever, trusting that the suppliers of critical infrastructure is all we really have. And Oracle hasn't indicated it, hasn't demonstrated that they deserve that trust. And speaking of MFA, multi factor authentication, I wanted to share a recent useful and important and even thought provoking piece from the security firm Rapid7. Their piece was titled "Password Spray Attacks Taking Advantage of Lax Multi Factor Authentication." Now, of course, multi factor authentication we've talked about a lot. I've recently encountered, and this is the reason I wanted to point this out when this popped up again, because I've been encountering reports for the last few months of significantly increased brute force guessing attacks, you know, often known as credential stuffing attacks. Now I recall us taking a close look at some problems that McAfee had a number of years ago. And what stood out was that bad guys were just pounding away at their login pages while McAfee was apparently blissfully unaware that anything was going on outside. And of course, just offering multi factor authentication is not a guarantee of safety itself. We recently looked at Microsoft's misdesigned MFA system, which was allowing massive multi factor authentication brute forcing, enough to bypass that million guesses required barrier which you know is presented by any random six digit passcode. But the more factors that can be added without unduly inconveniencing the user, the better. And as we've also seen, being smart about the deployment of MFA or even, you know, the use of a backup email loop for confirmation where, you know, for example, connecting to any previously seen IP or carrying a known browser cookie can be used to shift the security of a login in the direction of increasing the user trust.
So instead of like always asking for an additional authentication factor, if the user has provided a username and password and is connecting from an IP that they've previously authenticated themselves from, then you know, let's cut them a bit of slack. You know, not requiring them to jump through so many hoops, or if they're using a browser that has a secure cookie token that was previously issued under multifactor authentication, then okay, clearly it's the same person coming back. Require some authentication, but don't make it too intrusive. So being smart about multi factor authentication makes sense. So here's part of what Rapid7 wrote. They said, "In the first quarter of 2025, Rapid7's managed threat hunting team observed a significant volume of brute force password attempts leveraging FastHTTP, a high performance HTTP server and client library written in Go, to automate unauthorized logins via HTTP requests. This rapid volume of credential spraying was primarily designed to discover and compromise accounts not properly secured by multifactor authentication." Out of just over a million unauthorized login attempts we observed, they wrote that the distribution of originating traffic sources is similar to that previously seen just in January of 2025. So they're saying they took a much larger multi month sampling but, you know, the demographics of the sources of the attempts did not shift. Some of the most prominent nations serving as points of origin for these attempts are Brazil, interestingly at 70%. The huge majority of attacks are Brazil at 70%, then it drops immediately. Venezuela at 3, Turkey at 3, Russia at 2%, Argentina, sorry, at 2% and Mexico at 2. So something's going on in Brazil that they've got 70% of all the attacks and then the rest are much more widely distributed.
May just be the bots that are, you know, the nature of the routers that are infected and also good Brazilian bandwidth connections for those entities. Anyway, they wrote, "Rapid7 has consistently highlighted multi factor authentication as a primary concern across several threat research reports. By the midpoint of 2023, data for the first half of the year showed that 39% of incidents our managed services team responded to had arisen from lax or lacking multi factor authentication. Our 2024 Threat Landscape blog highlighted that remote access to systems without multifactor authentication was responsible for more than half, 56%, of incidents as an initial access vector, the largest driver of incidents." So again, remote access to systems, no multifactor authentication, more than half the time, 56% of the time. That's how the bad guys are getting in. "The third quarter of 2024," they wrote, "saw 67% of incident responses involving abuse of valid accounts and missing or lax enforcement of multi factor authentication." They wrote, "This total sits at 57% for the fourth quarter 2024, in part because of a 22% increase in social engineering." So that's on the rise, as we've been seeing and talking about. "Even without pausing to consider user agent centric password spraying, this is a potentially dangerous combination for organizations not making the most of MFA centric protection. If the brute forcing doesn't get you, a social engineering campaign might just do the trick," is what they said. "Why MFA matters and the consequences of 'we'll set it up later,'" they wrote. "MFA is a key component of an overall identity access management," now abbreviated IAM, "strategy. If you're not making use of it, then your overall defense is weakened against many of the most common threats out there, including phishing. The very best password you can muster is made entirely redundant if your employee hands it over to a phisher, whether via a forged website or a social engineering attack.
One way to mitigate against this is to use a password manager, which will only automatically enter your details on a valid website." We were just talking about that recently, Leo, you know, and the benefit of requiring an exact domain name match, which, you know. And in fact it was Troy, right, who did not get the domain name match and said, well, you know, I'll.
Leo Laporte
Give the MFA anyway.
Steve Gibson
Yeah, yeah, exactly.
Leo Laporte
That happens.
Steve Gibson
But they wrote, "What happens if your password manager's master password is compromised and all the logins contained within are exposed? One of the best ways to address this additional headache is MFA for all your accounts, including your password manager." And there we'll just. I'll just say it's a reason. Yeah, well, and it's a reason not to put MFA in your browser. Again, better to do it than not use it at all. But it is better to use it on a separate device. You know, that's where mine is. It's in my phone, which is always right next to me. Okay, "What about malware?" they wrote. "Do you know what malware password stealers and keyloggers love more than anything else? Grabbing all those passwords stored in web browsers or, in more serious cases, plain text files on the desktop." People still do that? Probably. "And email drafts. Do you know what they don't like? Having all those perilous passwords protected with an additional layer of security. MFA could make the difference between compromise and data exfiltration versus a last minute save and a security training refresher. And finally, credential stuffing, an unfortunate byproduct of years of data breaches, often with phishing as the launch pad. Roll-ups of new and ancient login details published online are a constant threat. It's worth noting that it isn't just your current employees who could be on these lists. Ex employees with still valid credentials are a cause for concern too." So they finish with, "Here are some steps you can take now to improve your security posture and mitigate risk from attacks like these, courtesy of Rapid7's experts. Number one, implement multi factor authentication across all account types, including default, local, domain and cloud accounts, to prevent unauthorized access even if credentials are compromised. Use conditional access policies to block logins from non compliant devices or from outside defined organization IP ranges." Conditional access policies meaning something else.
Some other block than just login credentials. And I'll have something to say about that in a second, something that I myself do. "Third, ensure that applications do not store sensitive data or credentials insecurely. For example, plain text credentials in code, published credentials in repositories, or credentials in public cloud storage. Next, audit domain and local accounts, as well as their permission levels, routinely to look for situations that could allow an adversary to gain access by obtaining credentials of a privileged account. These audits should include whether default accounts have been enabled or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers." And this is really more important than it gets enough attention. The idea being, you know, an audit isn't something that you have to do, but it is clearly something that you should do. You know, you don't know what you don't know unless you do an audit of accounts. And there are so many instances where employees leave with their credentials, and we've covered these situations on the podcast where they're disgruntled, they wait a week or two, then they log back in and do some damage or get up to some mischief that they wouldn't be able to if their account had been deleted the moment they walked out the door, as should be the case, or maybe even beforehand. "Also, regularly audit user accounts for their activity and deactivate or remove any that are no longer needed." It's a good point. You know, look at accounts that haven't been used in a long time. I'm sure that all of our more sophisticated users will often, for example, sort a directory by date and look at the really old stuff that hasn't been touched in a long time and say, hey, I don't need this any longer, let's get rid of it.
So lack of use is another really useful and easy to detect indicator. They said, "Also, wherever possible and aligned with business requirements, disable legacy authentication for non service accounts and users relying on it. Legacy authentication, which does not support MFA, should be replaced with modern authentication protocols." And here, you know, Microsoft gets heat for having implemented insecure authentication originally, back when it really wasn't a big deal, back when it was only for local networks because no Internet existed back in the LAN Manager days. So security just wasn't an issue. Unfortunately, it has carried on into today's world with the Internet, where security is an issue. And for the sake of backward compatibility, to their credit, they don't break old stuff. Unfortunately, they don't break old insecure stuff either, so legacy can be a problem. And finally, they said, "Applications may send push notifications to verify a login as a form of multi factor authentication. Train users to only accept valid push notifications and to report suspicious ones." And they conclude saying, "You cannot go wrong with multi factor authentication. Imagine a scenario," they wrote, "where your network is under fire from a worryingly high number of brute force attempts from across the globe targeting your insecure accounts until just one is compromised. Now imagine that same scenario where everything is blocked by default, regional restrictions are applied, logins from user agents are not allowed, and all your VPNs, your RDP, VDI and SaaS tools are secured with MFA. This may feel like an overreaction to what you may view as an attack that looks like an edge case. However, consider that ransomware groups, alongside more commonly found malware actors and publishers, will also find you a significantly harder target to break as a result of these countermeasures being put in place.
Please don't end up in the unenviable percentage of organizations compromised due to missing multifactor authentication in our next threat research report." In other words, don't have your name among Rapid7's compromised companies. They said, "There's no better time than now to think about building out a stronger security posture." And again, it's that "we're going to get around to it later" attitude. Just, you know, get it done. But all this amounts to is adopting a multilayered security approach. Never assume that any single protection will be sufficient, and a username and password is a single layer of protection. If it's possible to practically do more, do more is pass.
Leo Laporte
Pass keys count as doing more.
Steve Gibson
Yeah. Pass keys is a. Is that absolutely.
Leo Laporte
You know, another it feels unmultilayered, right? I mean, it's just one thing.
Steve Gibson
It is, but it is dynamic in as much as it is not subject to credential theft. So nobody can steal anything from the server because, very much like SQRL, passkeys give servers no secrets to keep, so if they have no secrets, they're not in danger of losing them. Some of the strongest security protections can be somewhat brittle and troublesome. I know that, Leo, you and I cannot log in remotely to our SSH servers without a client having the proper private key to verify its identity, right? Now, could that cause some inconvenience? Sure it could, but no way am I willing to expose an unmonitored SSH server that's only protected by a username and password, no matter how secure they might be. That's just not safe.
Leo Laporte
Come to think of it, it is kind of like passkeys to use a certificate, you know, public key.
Steve Gibson
Yeah.
Leo Laporte
Instead of passwords. It's, it seems more convenient and easier, but it's more secure.
Steve Gibson
Yeah, it is. It is, yes. It's very secure.
Leo Laporte
Yeah.
Steve Gibson
And as another example, filtering some classes of remote connections by IP will mean that those filters, if you put filters in to only accept some types of remote connections by source IP, that will mean that those filters will break when IP addresses change. I had that happen to me. It was two weeks ago when a cable modem died and I needed to switch to another. My cable provider, Cox, was wonderful throughout the process, but I wound up with a never before seen residential IP address that was different from the one my previous cable modem had and a great deal of my network infrastructure fell apart.
Leo Laporte
Oh shoot.
Steve Gibson
But I know I was prepared for that. I had previously made notes of all the many places I had and I was using IP based blocking smart or permission filters that would need updating and I had previously arranged to be able to do that remotely in the event of a residential IP address change. Now, of course, IP based permissions is only one layer of my security, but I just, I've said it before, I want to make sure everybody understands how awesomely powerful that layer is. So much so that it is well worth the hassle and, you know, a bit of brittleness where, you know, every three or five years or so my cable modem's IP may need to change. It doesn't happen often, but it does happen.
Leo Laporte
Right.
Steve Gibson
So anyway, I think that the ultimate takeaway from Rapid7's posting is to appreciate that there really are extremely determined, anonymous and numerous attackers who are more or less continually pounding away, largely unmonitored outside our gates. You know, we talk about monitoring our network, we don't really spend much time talking about monitoring the other side of our boundary, the other side of that barrier that's keeping the bad guys out. And it is horrifying if you look at like what's going on out there, you know, they couldn't. And it's not about you. That's the other important thing. They could not care less who you are. It's no longer reasonable to say, well, I'm nobody that anyone would want to hack. They don't know that until after they're in. And then once they're in, the least they will do is arrange to establish persistence so they can mine crypto or use your bandwidth to increase their next DDoS attack. So it, you know, I just, I can't stress it strongly enough. You don't want to be that kind of victim. But you do want to be a customer.
Leo Laporte
Oh yes.
Steve Gibson
Twit's next sponsor.
Leo Laporte
BigID. You were so prescient of you to realize that. Wait a minute. You just went full screen. What happened?
Steve Gibson
You're right, I did.
Leo Laporte
It's magic.
Steve Gibson
I gave it a thumbs up and it went full screen.
Leo Laporte
Well, we're gonna not. I'm not touching anything. Both hands. See? I'm not touching anything. We'll see what happens. This portion of Security Now brought to you by BigID. You did. You were right. You said it, Steve. Very important next generation AI powered data security and compliance solution. BigID is the first and only leading data security and compliance solution to uncover dark data through AI classification, to identify and manage risk, to remediate the way you want, to map and monitor access controls, and to scale your data security strategy. Along with unmatched coverage for cloud and on prem data sources, BigID also seamlessly integrates with your existing tech stack, which is very nice. It allows you to coordinate security and remediation workflows. You could take action on data risks to protect against breaches. You can. And again, remember I said you can act on it the way you want. You can annotate, delete, quarantine, whatever you want to do, all based on the data, while maintaining an audit trail, which is really handy for compliance. You have a record of everything. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS, pretty much everything that you could possibly be using in your tech stack. With BigID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data. Intuit named it the number one platform for data classification in accuracy, speed and scalability. So you would think, you know, with this great tool that maybe they have some great clients. Well, how about the United States Army? All right. Imagine the amount of dark data the Army has. BigID equipped the US Army to illuminate dark data, to accelerate cloud migration, minimize redundancy and automate data retention.
I've got this great testimonial from the US Army Training and Doctrine Command, quote, "The very first big wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data across emails, zip files, SharePoint, databases and more. To see that mass and to be able to correlate across those. Completely novel." This is again, this is US Training and Doctrine Command. "I've never seen a capability that brings us together like BigID does." Wow. You couldn't get a better testimonial from a bigger client. CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc 5000 and the Deloitte 500 for four years in a row. The publisher of Cyber Defense magazine said BigID embodies three major features we judges look for to become winners. Understanding tomorrow's threats today, no good understanding them tomorrow. Right? You need to know now. Providing a cost effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.
Steve Gibson
That's.
Leo Laporte
That's pretty good stuff. Start protecting your sensitive data wherever your data lives@bigid.com/security now. You get a free demo there. It's a really nice site. See how Big ID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's big ID. Big ID big ID.com/security now when you get there, you'll also find a free white paper that gives you some great insights for a new framework. AI Trism T R I S M. That's AI Trust, Risk and Security Management. A new framework that'll help you harness the full potential of AI responsibly. And that's the key. Big ID.com security now. Thank you. Big ID free demo. Get that white paper, but make sure you go to that address so they know you saw it here. BigID.com security now. Thank you so much for supporting the important work Steve does here at the program. Steve, on we go.
Steve Gibson
So there's a Python library known as BentoML, B-E-N-T-O-M-L. Yeah, pretty popular. And as with pretty much anything ML, the ML stands for machine learning. BentoML is a project over at PyPI which bills itself as, quote, the easiest way to serve AI apps and models. Unfortunately.
Leo Laporte
Oh, there had to be.
Steve Gibson
And unfortunately that's why we're talking about it here, since it also carries a CVSS v3 vulnerability and exploitability score of the difficult-to-attain 9.8. If you're unfortunate enough to be using version 1.3.8 through 1.4.2, it may also be the easiest way to have your AI-related service taken over by bad guys, thanks to the presence of a critical remote code execution vulnerability. Bento's documentation page explains that it's a unified inference platform for deploying and scaling AI models with production-grade reliability, all without the complexity of managing infrastructure. It enables your developers to build AI systems 10x faster with custom models, scale efficiently in your cloud, and maintain complete control over security and compliance. Sounds great, except that apparently it's the bad guys who get to have the complete control over security. Or lack of any. Since it seems pretty clear that we're on the brink of a new renaissance in AI-based security threats and vulnerabilities, I figured it would be worth taking a brief closer look at this one. Here's what the security research group Checkmarx wrote. Checkmarx took a close look at BentoML. They said a critical remote code execution, you know, RCE, vulnerability with a CVE, thank God for CVEs, CVE-2025-27520, with a score, a base score of 9.8, yeah, which is, you know, difficult to get, they said, has recently been discovered in BentoML, an AI service helper Python library found in PyPI. This flaw allows unauthenticated attackers to execute arbitrary code by sending malicious data payloads as requests and potentially take control of the server. While the advisory specifies versions from 1.3.4 through 1.4.2 as being affected, Checkmarx Zero analysis indicates that this issue affects versions 1.3.8 through 1.4.2. In other words, fewer. It is recommended that affected adopters upgrade to version 1.4.3 or later to repair the issue, and I'll, we'll come back to why "or later."
Maybe a bit of a question, they wrote. You're potentially affected by this issue if you use BentoML either directly or indirectly to receive and process machine learning payloads, which, they said, are serialized data structures, from untrusted sources. Since this is a primary purpose of BentoML, in other words, that's what you use it for, the presence of a vulnerable version of this library should be considered a significant indicator of actual risk. In other words, arranging to provide BentoML with a malicious serialized payload will not be difficult, since that's what BentoML is designed to take in. Okay, so Checkmarx wrote, CVE-2025-27520 is a remote code execution vulnerability found in BentoML, a Python library designed for creating online serving systems that are optimized for AI applications and model inference. The full GHSA advisory describes the vulnerability and exploitation, which we summarize here. The flaw that originates from an insecure deserialization enables adversaries to execute arbitrary code on the server by sending a specially crafted HTTP request. This issue exists because the deserialize_value function in the serde.py file deserializes input data without proper validation, meaning attackers can inject malicious payloads that trigger execution of arbitrary code when they are deserialized. Okay, by now any of this podcast's long-term listeners will perk right up when they encounter the term deserialization, since we previously encountered so many instances of deserialization gone bad. As we know, serialization is the process of taking a complex data structure and converting it into a stream of bytes, thus serializing it. So deserialization is the reverse process that takes as its input a previously serialized byte stream and hopefully returns the original complex data structure.
The reason we keep encountering security-related problems with deserialization is that the act of deserializing requires, here's another one of our problem words, requires the interpretation of the meaning of that serialized byte stream, and interpreters are notoriously problematic to get perfect, and any imperfection can too often be leveraged to create an exploitable vulnerability. What's even more unfortunate is that this is not, and here it comes, not the first time that BentoML has had this 9.8 severity trouble. The NIST already had a listing last year in 2024 for CVE-2024-2912, to which it assigned the rarest of rare. Oh, I was wrong. It's not a 9.8, it was a 10.0. And that's not surprising when a vulnerability disclosure describes the problem by writing, the BentoML framework is vulnerable to, get this, an insecure deserialization issue that can be exploited by sending a single POST request to any valid endpoint, meaning to the server. The impact of this remote code execution. The impact of this, sorry, is remote code execution, they wrote. So then Checkmarx writes of the newly discovered flaw, this flaw is essentially a reintroduction of CVE-2024-2912, which had been previously fixed in version 1.2.5. Both CVEs deal with the exact same issue, an insecure deserialization vulnerability that can be exploited by sending an HTTP request to any valid endpoint to trigger remote code execution. At this point, this is me speaking, anyone using BentoML might reasonably question the wisdom of continuing to rely upon the developers of this package to keep them safe. The Checkmarx guys wrote, to exploit this vulnerability, the first step is to craft a malicious pickle.
Leo Laporte
Yes, well, that's the thing.
Steve Gibson
Beware the malicious pickle.
Leo Laporte
Pickle.
Steve Gibson
The malicious pickle, they said, a binary data serialization system commonly used with Python, because it's pickled. They said this pickled data payload contains Python objects that can contain executable code that gets run when the payload is deserialized for use by the application. Vulnerable versions of BentoML do not deserialize such payloads in a safe manner, meaning an adversary can send Python code which performs malicious actions, including executing system commands under the authority of the Python application running on the server. In this case, an attacker can create a custom Python pickle object, for example the evil class, and override Python's magic method underscore reduce underscore with a tuple that tells Python to run the os.system function. The reduce method is used to specify how the object should be deserialized or serialized and allows users to override default behavior with other meaningful actions. So this is like, you know, the power of Python being used against the server by the bad guys as part of the process of taking it over. They said by calling os.system an attacker can trigger system commands during the deserializing operation, such as initiating a reverse shell connection to this machine, as shown in the provided proof of concept. So they provided the code to do this, and all the versions out there which are vulnerable are now known to be vulnerable. Hoping to understand the sequence of events that caused a previously resolved and quite serious 10.0 problem to return now as a 9.8, the researchers reconstructed the timeline of events. They wrote, the vulnerability exists in BentoML versions 1.3.8 through 1.4.2. If you're running a version within this range, you are affected. The advisory reports versions as early as 1.3.4 are vulnerable, but Checkmarx Zero analysis determined that the vulnerability actually re-emerged in version 1.3.8.
Looking at commit 045001 Charlie 3, we found that a previous security fix originally introduced to address CVE-2024-2912 had been removed. Which, you know, why? Why was a previous security fix removed? They said this missing code was specifically implemented to prevent this exact deserialization vulnerability, now tracked as CVE-2025-27520, they wrote. So first, the original vulnerability finding was reported as CVE-2024-2912. It was patched in version 1.2.5. The fix was later removed in version 1.3.8. The same issue resurfaced and was reported again, now as CVE-2025-27520, and it has now been repatched in version 1.4.3. So, as I noted before, without some very clear accounting and accountability for these events, given the potential consequences of this library's direct exposure to the Internet, so that a single HTTP POST query is all that's needed to completely take over remotely a system, anyone using or considering the use of this library would be well advised to proceed with extreme caution. On the off chance that any of our listeners might be affected by this, I've included the link to Checkmarx's posting and analysis. There isn't anything, you know, really tied to machine learning or AI about this. It just appears to be a very problematic Python library that appears to need better development management. We all know that mistakes can happen, that's the nature of the game. But if they're forgiven, they should be followed by some learned lessons. So let's hope that has happened here this time. You know, maybe people came and went, different people are now running. I mean, without getting way closer, without being on the inside, it's impossible to understand how this happened. But I would argue before using this, someone should obtain an understanding of what happened and some reason to feel assured that it won't happen again. Or maybe use a version you know is not vulnerable and very carefully scrutinize moving forward.
Because it was by moving forward in the past that this problem was reintroduced. You don't want to have that happen to your server and get compromised as a result. Okay, Leo, now this is where I need to just take a deep breath.
Leo Laporte
Okay? I'm going to have something that's going to wind you up a little bit right before you do this story. Oh, this. Just released, this just out from Google, their Privacy Sandbox, they have decided to permanently change their policy. "We have made the decision to maintain our current approach to offering users third-party cookie choice in Chrome and will not be rolling out a new standalone prompt for third-party cookies." Remember, they were going to phase out third-party cookies. They say after consulting. Remember they put it on hold a few months ago. Now, after consulting publishers, developers, regulators and the ads industry, we decided, yeah, I guess you need third party consulting.
Steve Gibson
In other words, the consulting. The people who pay our bills.
Leo Laporte
Yeah, exactly.
Steve Gibson
The people who allow us to live comfortably in Silicon Valley.
Leo Laporte
Yeah, I guess this was to be expected.
Steve Gibson
Well, and of course, the larger part of this, you're right, I mean the privacy sandbox, we were hoping that the system that Google came up with, which was really you liked. Yeah, well, remember what it did was it transferred the responsibility to the user's browser.
Leo Laporte
Right?
Steve Gibson
The browser became the thing that was selecting ads, so it knew about its own user's historical browsing and was able to select meaningful ads on behalf of the user. I mean, it was a beautiful solution, but no, we can't have nice things, Leo.
Leo Laporte
But no. All right, now that I've wound you up a little bit, go ahead.
Steve Gibson
Well, yes, thank you.
Leo Laporte
Now you can get wound up a.
Steve Gibson
Little bit more, I guess. I'm prepared. I'm prepared for another disappointment. On April 4, at 12:30, ballot SC081 version 3 was posted and voting began. Sixteen minutes later at 12:46, Chris Clements posted Google votes yes on ballot SC081 version 3. The next day Nick France posted Sectigo votes yes on ballot SC081v3. That was followed two hours later by Apple's Clint Wilson posting Apple votes yes on ballot SC081v3. The next day, Clinton Corey Bonnell posted DigiCert votes yes on ballot SC081v3, and the day after that, Ben Wilson chimed in with Mozilla votes yes on ballot SC081v3. When the voting had ended, of the 30 member certificate issuers, 25 had all voted yes and no one, not one, voted no, though there were five abstentions. Of the four member certificate consumers, Apple, Google, Microsoft, and Mozilla, all four voted yes. So what was it that just happened? Essentially, unanimously passing this ballot was the formal adoption of a slightly toned-down version of the quite aggressive certificate lifetime shortening proposal first made by Apple's Clint Wilson in October last year. That set my hair on fire. We talked about it at the time as I shook my head in bemusement. I don't understand it, and I probably never will, because the proposal appears to ignore all of the trouble that this will cause, while also conveniently ignoring the fact that 100% privacy-enforcing browser-side certificate revocation has finally been made to work. We have it. It's been working in Firefox, it's available to Chrome, it's in the public domain. Yet Clint's proposal just passed, and it did so handily. Clint's position is that nothing can be as certain as never issuing any certificates having long lives. That is, lifetime being short is impossible to have fail. It's impossible to get around. You don't need to rely on anything else. He's right. It's true. You can't disagree with him because factually he's correct.
But I've seen no evidence to suggest that such an absolute level of certainty is warranted enough to offset the world of problems that this will cause. Okay, so what just passed: current certificate lifetime is a tolerable 398 days. So you know, a month or two more than a year. We used to have 10 years, then we had five years, then we had two years, now we have one year. So you know, what we have now is effectively annual renewal and replacement with a little bit of slack. This 398-day maximum lifetime will be operable for any certificates issued before next March 15th of 2026. I will be reissuing all of mine the day before that. Because on March 15th of next year, maximum lifetime will be summarily cut in half to 200 days for no apparent reason that I'm able to divine. The year after that, on March 15th of 2027, lifetimes will again be cut in half to just 100 days. So this is essentially quarterly, requiring reissuance and renewal four times per year. Right, because 90 days is a quarter. So 90, a quarter, plus 10 for some slack. At that point we either automate or we spend our lives fussing with certificates. And finally, in an apparent concession to some reality, the annual march to certificate lifetime extinction receives a two-year break, since the final drop to just 47 days is deferred until March 15th of 2029. So we get two years for that final halving. But from then on, from March 15th of 2029, no certificate will be issued having a lifetime longer than 47 days. Why? I have no friggin idea.
Leo Laporte
Well that's the question. But what's the need?
Steve Gibson
There is no need. But that's the way it's going to be and everyone has just signed on to that. What's clear is that anyone who is building any sort of device that needs to use public-facing certificates trusted by Chrome, Chromium, Firefox and Safari is going to need to add ACME automation to their appliance, and they should start thinking about it sooner rather than later. For those running web servers, this shouldn't be any huge problem. You know, there's a win-acme client for Windows servers and there's a. Actually there's about 10 different Windows solutions that I'm sure I'll be able to use. I haven't yet because I haven't minded, you know, going to DigiCert once a year and saying hey, let's get me a nice updated certificate. I've got a, I've got a, no, *.grc.com, well, you can't issue those from web browsers. You can only issue fully resolved certificates through ACME from web browsers, but you can use DNS. So I will have an automated solution that edits GRC's DNS for GRC.com so that I can receive a short, you know, 47-day, eventually, certificate lifetime, you know, *.grc.com for GRC's servers and other various domains. So I'm, you know, I'll solve the problem, right? I don't have a choice. I'm mostly annoyed because no one has made, to your point, Leo, any clear case for why everyone needs to be so inconvenienced by this.
Leo Laporte
Is it because certificate revocation is broken?
Steve Gibson
No, it's fixed. We talked about it with Bloom filters. It's working perfect. It's in Firefox. It's working. They've solved the problem. And remember that the issue with OCSP, the Online Certificate Status Protocol, was that because your browser would reach out to the CA if a fresh OCSP certificate was not stapled to the TLS certificate that it had received, because of that there was some privacy concern. Your browser, your IP, was reaching out to the certificate authority saying, is this certificate I've just received still good? So okay, well, we will solve that with the Bloom filters, which we have. We now have CRL sets, you know, working certificate revocation on the browser side. That is efficient, effective, it allows multiple times per day revocation. It's better than having the certificate last 47 days. Now it'll last a few hours before an updated set gets pushed out to all the browsers that are using browser-side. So it's better than 47-day certificates. And again, what happens if a DDoS attack lasts long enough so that when people come back and try to renew their certificates, they're unable to do so? Their certificates will expire and their websites will go offline. This is brain dead, but it's what we're going to have. And I'll just say that the flip side is that ACME is already being widely used to dynamically generate the TLS certificates for 70% of all web servers worldwide. So, you know, it works. It's really only the laggard 30%, of which I'm a part, that needs to get with the program, and right now Let's Encrypt certs are renewed within a 90-day window. So you know, not that much changes. Let's Encrypt will be bringing it down to shorter.
Remember there was some concern about, or some talk of, a 10-day window, and so the Let's Encrypt guys were saying, okay, we're going to gear up, you know, like our whole infrastructure, so we're able to issue certificates, you know, 10 times more often than we do now. It's like, why do you need to, like, have a bigger budget? I don't get it. But anyway, for what it's worth, it has happened. The industry said, okay, fine. Remember that Apple actually is the one who forced this by saying Safari would refuse to honor any certificates that had a longer life. That is, more time from not valid before to not valid after. Those are the two timestamps in certificates. So it's always possible to see how long a certificate could have lived. And Apple just said we're going to a year. If you don't bring your certs down to a window that we agree with, they're not going to be valid for any Apple properties. And so the industry said, okay, we don't want to lose Apple.
Leo Laporte
I wish we knew why Apple thought this is important.
Steve Gibson
Well, the guy at Apple who is in charge of this happens to be a friend. Oh. Well, I'm thinking we should have Clint on the podcast.
Leo Laporte
Yeah, you know him?
Steve Gibson
Ask him.
Leo Laporte
Clint, why? I mean these are intelligent, rational people. He must have a good reason.
Steve Gibson
Yeah, I, I don't know what it is, but I think it would make a, he would make a great guest. Okay, so I will, I will make that happen.
Leo Laporte
Send us the contact information, we'll reach out.
Steve Gibson
I'll make that happen.
Leo Laporte
Wow.
Steve Gibson
Crazy. Okay, I'm gonna recover from that and have some coffee.
Leo Laporte
Okay, good idea. You're watching Security Now with the unhappy Steve Gibson. He's not pickled though. I just want to tell you that he's not pickled. He's bemused, he's bewitched, bothered and bewildered. We will continue in just a bit, but first a word from our sponsor, 1Password. I got this question for you. Do your end users always work? They're so good. They always work on company-owned devices and IT-approved apps. They never bring their own phone or laptop in, do they? Of course they do. So I don't. Yes, it's a rhetorical question. So how do you keep your company's data safe when they're sitting on all those unmanaged apps and devices? 1Password has the answer to this question. They call it Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch. Imagine your company security like the quad of a college campus. There are nice brick paths between the buildings. Those are the company-owned devices, the IT-approved apps, the managed employee identities. And then there are the paths people actually use. The shortcuts worn through the grass. They're the actual straightest line from point A to B. Those are the unmanaged devices, the shadow IT apps, the non-employee identities, like contractors. Most security tools only work on those happy brick paths. Many security problems occur on the shortcuts. 1Password Extended Access Management is the first security solution that brings all those unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy and every app is visible. 1Password is ISO 27001 certified with regular third-party audits. It exceeds the standards set by various authorities and is a leader in security.
It's security for the way we work today and it's now generally available to companies with Okta and Microsoft Entra and in beta for Google Workspace customers. Secure every app, device and identity, even the unmanaged ones, at 1Password.com SecurityNow. That's all lowercase, that's 1Password. The number 1P-A-S-W-O-R-.com SecurityNow was Stephen Gibson who has taken a deep breath and is ready to move on. Well, you know, I mean, honestly, it's good for Let's Encrypt. Right. I guess not everybody can use Let's Encrypt though. Extended.
Steve Gibson
Yeah. And so you know, any web browser, as I said, if 70%, as we know, 70% of the Internet is now being secured with ACME-automated Let's Encrypt certificates. Right. So that tells you that, you know.
Leo Laporte
People don't like those people don't have to worry about it.
Steve Gibson
Yeah, no they don't. Except that they've got 90-day certs and they're going to be cutting that in half. But okay, so what, you know.
Leo Laporte
Let's Encrypt will probably respond to that.
Steve Gibson
Yeah, so yes, it'll. It'll double the amount of traffic, because Let's Encrypt will have to be renewing twice as often. But okay, fine, the 30% are. There's certainly a chunk that are like me, I can solve the problem. I just haven't needed to. I've had other things to do and so okay, fine. I'm certainly not going to be issuing certificates four times a year. I will get my certificate, as I said, on March 14 of next year. So I get a whole year. Because you can't, because on March 15th maximum certificate lifetime drops to 200 days. Okay, big deal. But you know, I'd rather have 400 days, actually 398 days. So that again, that puts it off for another year before I have to worry about this. And during that time the ACME tools won't, will mature more. There'll be better, you know, ways to solve the problem for Windows-based systems. The concern is things that don't easily automate. Like as I mentioned, appliances that do need to be trusted, that have certificates in them that need to be trusted by browsers, that may not have had to automate for ACME yet. Those are going to, you're going to have to solve that problem. Or the other thing that could occur is sort of interesting too, because if there is a portion of the Internet which is using public certs because they've been easily available but don't really need public certs. For example, say that you had a telephone system and the handsets all were in, that were using the PKI, the public key infrastructure, and they had standard trust roots in them, and the equipment that the phone system was talking to was using, you know, certificate authority issued certs. If this becomes too onerous, it would certainly be possible for the phone equipment supplier to become their own certificate authority.
All they have to do is put their own trust root in the handsets and then they issue certificates, and there's no one to tell them how long they can be. They could issue a 10-year certificate, and as soon as they supply the certs their problem is over. So we may see some fracturing of the public key infrastructure because it's been made too hard to use because of what amounts to a special interest group of, you know, web browsers and servers that, for unfathomable reasons to me, want to have super short life certificates. I just, again, no one has shown me that we have a problem that we're trying to solve, but it's going to happen. They all just voted for it. Okay, there is some fun news here, Leo. And I was. Think. I don't. I didn't put the link in here, so you can't bring it up. And I don't. Not sure you don't want to get, you know, YouTubed or blacklisted or whatever it is that happened.
Leo Laporte
YouTubed. I like that.
Steve Gibson
Last week, TechCrunch carried the news of a pretty wonderful hack that hit the crosswalks.
Leo Laporte
Oh, we played this. It's okay, I'll play it.
Steve Gibson
Yeah, yeah, okay.
Leo Laporte
I know you're talking about. Yeah.
Steve Gibson
They hit the crosswalks across the Northern California peninsula, commonly referred to as Silicon Valley. TechCrunch's headline was Silicon Valley Crosswalk buttons hacked to imitate Musk and Zuckerberg's voices. They wrote audio enabled traffic control. Crosswalk buttons across Silicon Valley were hacked over the weekend to include audio snippets imitating the voices of Mark Zuckerberg and Elon Musk. Videos taken by locals in Menlo Park, Palo Alto and Redwood City in California show the crosswalk buttons playing AI generated speech designed to sound like the two billionaires.
Leo Laporte
Hi, I'm Jeff Bezos. This crosswalk is sponsored by Amazon Prime with an important message. You know, please, please don't tax the rich. Otherwise all the other billionaires will move to Florida too. That's a new one. I hadn't heard the Jeff Bezos one. People left Seattle or got Luigi. Here's another one. Here's another one. There's quite a few. Amazon Prime. Oh, no, we already had that one. Let's see. Here's another one.
Steve Gibson
It is infant.
Leo Laporte
Hi, this is Elon Musk. Welcome to Palo Alto, the home of Tesla Engineering. You know, they say money can't buy happiness, and yeah, okay, I guess that's true. God knows I've tried. But it can buy a Cybertruck and that's pretty sick. Right? Right. I had to bloop that one. I think there. Let me see if I can find the Mark Zuckerberg one. There's quite a few. This is on X. I don't know, but do you have the story about how they did it?
Steve Gibson
No.
Leo Laporte
And it turns out the PIN codes to protect these were 1, 2, 3, 4.
Steve Gibson
Yep. Yeah, so what? What? I was assuming. So. So ours or TechCrunch wrote, it's not clear why the sidewalk buttons were hacked or by whom, but signs point.
Leo Laporte
It's a good joke. That's why.
Steve Gibson
Yes, they. They said Palo Alto Online was one of the first outlets to report the hack, citing a Redwood City official saying that the city was, quote, actively working to investigate and resolve the issue as quickly as possible. So TechCrunch finished their reporting by saying audio-enabled crosswalk buttons are widely used across the United States to allow those with visual impairments or accessibility needs to hear custom audio messages that play for pedestrians to know when it's safe to cross a street. In a video from last year, physical penetration specialist and security researcher Deviant Ollam explains how audio-enabled crosswalk buttons can be manipulated, often by way of default set passwords that have not been changed. Polara, the company that makes the audio-enabled crosswalk buttons, did not respond to a request for comment when contacted by TechCrunch on Monday.
Leo Laporte
This is the hacker fun with traffic controls and crosswalk buttons from Deviant Ollam. He explains the whole thing.
Steve Gibson
Right.
Leo Laporte
These are for blind people, disabled people who can't see the lights, can't see the walk signs. They're audio walk signs, basically.
Steve Gibson
Right.
Leo Laporte
And they're everywhere in California. I don't know about elsewhere in the country, but they're everywhere in California.
Steve Gibson
So anyway, I wrote that's what we need more of a bit of non malicious, good old fashioned techno pranking. Yeah. At the same time, that capability could have just as easily been used to produce extremely offensive audio messages instead of having some fun spoofing Zuck and Musk.
Leo Laporte
Pretty good impressions too. I might.
Steve Gibson
Yeah. And Bezos. Absolutely recognizable voices.
Leo Laporte
Yeah.
Steve Gibson
So anyway, a tip of the hat to the people behind that one, which we will. You know, we also have the benefit as a consequence of this of firmly closing whatever back door had been inadvertently left open. You know, thanks to this benign prank.
Leo Laporte
It's speculation this is from Zeno Kova on X that the default password was 1234 on these. And I bet you, you know, some guy on a construction crew is installing it. He doesn't, you know, he doesn't know to change the password.
Steve Gibson
Yep. Or somebody will do it later. Right. We need to leave. We need to leave the password so they can log into it and set it up. And whoever did that said, I'll get around to it later. And again, they get around to it later. Not a good idea.
Leo Laporte
Get around to it. Everybody needs around to it.
Steve Gibson
Last week I noted that features similar to Apple's Lockdown Mode were expected to be announced during next month's Google I/O 2025. It appears that one of those forthcoming features could not wait. The features for Google Play services, version 25.14, dated last Monday, which was 4/14, April 14, listed under Privacy and Security, said the following. It wrote, enables a future optional security feature which will automatically restart your device if locked for three consecutive days. Now, I'm not 100% clear, Leo, about what it means to enable a future optional security feature. You know, the optional part I get. That's fine. I have no problem with that. But what exactly does it mean to enable a future feature? It's apparently now been enabled, which is why it's been listed. But if so, then how is that a future feature if it's already happened? It sounds like some change was made that we cannot actually use today, but we will be able to optionally in the future. In that case, who the hell cares? Why tell us anything about a future security feature that hasn't actually been enabled yet, even though it says it has been, you know, because we're still back here in the past. I don't know, I'm confused. But whatever it is, it's there, even if it's not really there. It's enabled though. You can't use it until the future.
Leo Laporte
Someday. Someday we'll all be able to use it optionally, right?
Steve Gibson
Okay. I wanted to share a write up by the EFF over their extreme unhappiness over new legislation that's being proposed in Florida. And we'll understand why they're extremely unhappy. It's been my observation of the EFF that they are never happy. I mean, they're not happy about anything. You know, like, I mean, they're just so far out there. But we need them. I'm glad that we have a well funded Electronic Frontier Foundation staffed by lawyers who know constitutional law. In this case, I don't know what Florida is thinking. Here's what Florida said and this is what the EFF wrote. They said: At least Florida's SB 868/HB 743, called, quote, "Social Media Use by Minors," unquote, bill isn't beating around the bush when it states that it would require, quote, "social media platforms to provide a mechanism to decrypt end to end encryption when law enforcement obtains a subpoena," unquote. They said usually these sorts of sweeping mandates are hidden behind smoke and mirrors, but this time it's out in the open. Florida wants a backdoor into any end to end encrypted social media platforms that allow accounts for minors. This would likely lead to companies not offering end to end encryption to minors at all, making them less safe online. Encryption is the best tool we have to protect our communication online. It's just as important for young people as it is for everyone else. And the idea that Florida can, in air quotes, "protect" minors by making them less safe is dangerous and dumb. The bill is not only privacy invasive, it's also, it's also asking for the impossible. As breaches like Salt Typhoon demonstrate, you cannot provide a backdoor for just the good guys, and you certainly cannot do so for just a subset of users under a specific age. After all, minors are likely speaking to their parents and other family members and friends, and they deserve the same sorts of privacy for those conversations as anyone else.
Whether social media companies provide, quote, "a mechanism to decrypt end to end encryption," unquote, or choose not to provide end to end encryption to minors, there's no way that doesn't harm the privacy of everyone. If this all sounds familiar, that's because we saw a similar attempt from an Attorney General in Nevada last year. Then, like now, the reasoning is that law enforcement needs access to these messages during criminal investigations. But this doesn't hold true in practice. In our amicus brief in Nevada, we point out that there are solid arguments that, quote, "content oblivious," unquote, so content oblivious investigation methods like user reporting, are considered more useful than monitoring the contents of users' communications when it comes to detecting nearly every kind of online abuse. That remains just as true in Florida today. Law enforcement can and does already conduct plenty of investigations involving encrypted messages. And even with end to end encryption, law enforcement can potentially access the contents of most messages on the sender or receiver's devices, particularly when they have access to the physical device. The bill also includes measures prohibiting minors from accessing any, get this, Leo, any sort of ephemeral messaging features, they're taking that away, features away from minors, like "view once" messages or disappearing messages. But even with those features, users can still report messages or save them. Targeting specific features does nothing to protect the security of minors, but it would potentially harm the privacy of everyone. SB 868/HB 743 radically expands the scope of Florida's social media law, HB3, which passed last year and itself has not yet been fully implemented as it currently faces lawsuits challenging its constitutionality. The state was immediately sued after the law's passage, with challengers arguing the law is an unconstitutional restriction of protected free speech.
Yeah, that lawsuit is ongoing and it should be a warning sign. Florida should stop coming up with bad ideas that cannot be implemented. Weakening encryption to the point of being useless is not an option. Minors as well as those around them deserve the right to speak privately without law enforcement listening in. Florida lawmakers must reject this bill. Instead of playing politics with kids' privacy, they should focus on real workable protections like improving consumer privacy laws to protect young people and adults alike and improving digital literacy in schools. So exactly right, EFF. And I sure hope that the U.S. Supreme Court, Leo, doesn't mind working and being busy.
Leo Laporte
Lately.
Steve Gibson
Oh my God. I don't recall any time during my life when more important and fundamental issues surrounding the shape of our collective future are being pushed up our legislative hierarchy for their, the Supreme Court's, final examination. Hopefully some useful discussion and judgment. And I sure hope they get these things right. They, they really are important. One last piece and then we'll take our final break and then we're going to talk about Windows Sandbox. I found an interesting piece of reporting which I have. It was in Dutch, which I had Firefox translate. After examining more than 500 ransomware incidents occurring between 2019 and 2023, a Dutch researcher found that ransomware victims who are insured against the cost of cybercrime incidents pay on average 2.8 times larger ransoms than those who are uninsured because.
Leo Laporte
It costs them nothing.
Steve Gibson
And the bad guys, it turns out, know this. They make a concerted effort to research and determine the cyber insurance status, oh my, uh huh, of all potential targets. The researcher wrote, quote, "As soon as they have gained access to a system, they actively look for documents with names such as insurance or policy. This additional information gives cybercriminals a better bargaining position leading to higher ransom payments." The research also found that companies with a well designed backup system pay. Get this everybody, companies with a well designed backup system, and Leo, you're going to want to hold on to this factoid for your, your backup sponsors, pay 27 times less often.
Leo Laporte
Oh, that was a relief. Yes, that of course they do, because.
Steve Gibson
They've got a backup, they don't need to pay. Yes, 27 times less often in the event of cyber attacks. The researcher wrote, quote, "Cybercriminals who are in a victim's network consciously look for backups and remove them. Just having backups is not enough. It is important to have backups that cannot be adjusted by unauthorized persons in your network. Offline backups are the easiest solution for that," he said. "But I've also seen cloud solutions coming by," meaning, you know, being, being a problem. So. And the researcher also found that most companies have no choice other than to pay. The researcher wrote, in only around 5 out of 100 cases, and he looked at 500, so at 5%, in which payments are made, victims do have the opportunity to recover in a different way than to pay, but choose to pay anyway, for example, to recover faster or to prevent reputational damage. In other words, in only five out of the hundred cases they will voluntarily pay the ransom for the ancillary benefits, aside from the ability to continue being a viable business. In the other 95 out of 100 cases, he wrote, there is no other option to recover. In those cases, their entire IT infrastructure is broken and no longer recoverable, making paying a ransom the only option to prevent their bankruptcy.
Leo Laporte
Wow.
Steve Gibson
So I suppose it's not really surprising that 95% of ransomware victims do not have a sufficiently comprehensive or attack proof backup system in place. So they really do have no other choice than to give the extortionists whatever it is they demand. It's either that, go out of business, or start again from scratch. And we know from our own years of looking at this that the bad guys will also actively look for and work to eliminate any backup systems and servers that they can find. They'll crash those and then, you know, wipe them and then, and then exfiltrate the data and encrypt all, you know, everything that remains. You know, they're also aware of that 95/5 rule, that in 95 out of 100 cases, the company has no choice but to pay, and they very much want their victims to have no other recourse than to pay them. Really interesting data.
Leo Laporte
Very interesting.
Steve Gibson
Yeah. All right, last break and then. Oh boy, have I got some neat news for our listeners.
Leo Laporte
I can't wait. I can't wait. You're watching Security now with the wonderful Steve Gibson who is enlightening us all. Brand new sponsor. How often do you think phishing attacks are, you know, complicit in ransomware and other hacks? Probably like most of the time. Our show today brought to you by Material, the multilayered detection and response toolkit for email. Email is the big vector, right? Your cloud office is not just another app. It's the heart of your business. Unfortunately, traditional security tools can leave you vulnerable, treating email and documents as afterthoughts while your most critical assets remain exposed. Well, that's why you need Material. Material transforms cloud workspace protection with a revolutionary approach that goes beyond traditional security paradigms. It's dedicated security for modern workspaces, ensuring purpose built protection specifically designed for Google Workspace. That's what we use here at Twit or Microsoft 365. You know, those are probably, you know, 90% of the people doing this. Right. Complete protection across the security life cycle means defending your organization before, during and after potential incidents. Not just attempting to prevent them, but actually preventing them. Material allows you to scale security without scaling your team. It uses intelligent automation to multiply your security team's impact. Material provides security that respects how people work, eliminating the impossible choice between robust protection and productivity. Material, you gotta remember this name. I actually talked to these guys and I was super impressed because one of the problems I've had in the past with tools like this is that I have to route my mail through them. No, not with Material. Material uses the built in APIs of Google Workspace or Microsoft 365. It's actually super clever. Material delivers comprehensive threat defense through four critical capabilities. You've got phishing protection, of course. 
Now what that means is using the API, you're going to have AI powered detection that identifies sophisticated attacks. And it doesn't delete the email, it doesn't hide the email, it doesn't. It just kind of defangs the email and puts a border around it so you can see, look, we think this is a phishing attack and you can decide yourself. And if it turns out no, that's a client who just looks like he's doing some phishing, you have that capability. This is why the API approach is so brilliant. You're not sending your email somewhere else. Data loss prevention, intelligent content protection and sensitive data management protects you against data loss. It also gives you posture management, identifying things like misconfigurations, and even identifies risky user behaviors. It's really, really smart. Plus absolute identity protection, comprehensive control over access and verification. Of course, that's very important. You know who uses this? Figma. Figma. The head of security at figma said about Material, it's rare to find modern security tools with a pleasant usable ui. Being at figma, we're obviously attracted to well designed interfaces. That materials interface was just so smooth and slick. From automatic threat investigation automatically to custom detection workflows, Material converts those manual security tasks and of course manual means stuff's going to get by into streamlined intelligent processes. They provide visibility across your entire digital workspace. They allow security professionals to focus on their strategic initiatives instead of endless alert triage. This really works. You're going to love this. I want you to take it out, protect your digital workspace, empower your team and secure your future with Material. Visit Material Security to learn more. It's a beautiful site. They have a great demo. You can find out what's going on. If you use Google Workspace or Microsoft 365, you owe it to yourself to go to Material Security. 
That's the whole address Material Security. Learn more and book a demo. And do me a favor. If they ask you say hey, I heard it on Security now. That way they know you saw it here. Material Security this is an idea whose time has come. It's brilliant. Thank you Material. And now back to Steve.
Steve Gibson
So okay. Often ignored or unknown to most users of Windows 10 and 11, but probably of tremendous value and interest to the followers of this podcast, is that built right into every Win 10 and Win 11 64-bit Pro, Enterprise and Education operating system (Home is the only edition that doesn't have it) is a ready to use, extremely robust, virtual machine based full security sandbox inside of which Windows users can perform any experiments they may wish, where everything they or their experiments do will deliberately be sandboxed from the enclosing host PC and will therefore be unable to affect or in any way damage the hosting PC. And what's surprising is that this quite valuable security feature has been right there available and in front of us since 2018 with the release of Windows 10 version 1903. And because it's not enabled or installed by default, mostly we're unaware of it. But wait till you hear about the technology. I mean, as I said at the top of the show, rarely am I impressed, I guess is the best word, with what Microsoft does. This thing, I am infatuated with it. Microsoft describes this sandbox built into Windows 10 and 11 by writing: Windows Sandbox is a lightweight, isolated desktop environment designed for safely running applications. It is ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor based virtualization. As a disposable virtual machine, Windows Sandbox provides quick launch times and a lower memory footprint compared to VMs. And wait till you understand why that's not just marketing BS. For key features, Microsoft says, highlights. Part of Windows: Everything required for this feature is included in supported Windows editions like Pro, Enterprise and Education. There's no need to maintain a separate VM installation. Disposable: Nothing persists on the device.
Everything is discarded when the user closes the application. Pristine: Every time Windows Sandbox runs, it's as clean as a brand new installation of Windows. Secure: Uses hardware based virtualization for kernel isolation. It relies on the Microsoft Hypervisor to run a separate kernel that isolates Windows Sandbox from the host. And Efficient: Takes a few seconds to launch, supports virtual GPU and has smart memory management that optimizes its memory footprint. So this is clearly a win for anyone who might have any occasion to need a quick, safe, disposable instance of Windows, because that's what you get. You are booting a brand new Windows that's built right in your Windows. On Windows, you know, perhaps you'd like to install something to see what it looks like, but it's, you know, it's a big lumbering thing that's likely to change your icons and create file associations and reconfigure and whack a big portion of your finely tuned desktop. So you haven't installed it because of the hassle of probably later uninstalling it and then maybe recovering your machine from, you know, from, from everything it did to it. It's just not worth the trouble of just for like, just satisfying your curiosity. With Windows Sandbox, there's nothing to install. Just close the instance of Windows running in Windows and then that monstrosity will be gone like it never existed the next time you use the Sandbox. Or perhaps there's a sketchy program you found, you know, somewhere on the Internet, which you know, you'd really like to run but haven't dared to on any machine that might be hurt by it. Or perhaps you need to poke into some particularly dark corners of the Internet, don't want anything to poke you back and don't want to leave no trace, you know, want to leave absolutely no trace of ever having done that. It turns out that every non-Home edition of Windows has this capability built right in and ready to do all those things.
And what's so extra cool about this is that the Windows Sandbox is able to be far more efficient than a traditional Windows full virtual machine setup. It's able to adjust its memory usage according to the demand, and it doesn't require an entire second installation of Windows since it's able to reuse many of the host's read only operating system files. It is, it is quite a slick solution. Okay, so first, where is it? And how do you obtain the use of this little forgotten gem? On the desktop, under the search term, you know, search for, put in "Windows features." It's the actual. It's actually "turn on and off Windows features." So you could probably type in "turn on and off" and that would be.
Leo Laporte
That's a classic control panel that's still around.
Steve Gibson
Yep, still there. Yeah, that will bring up the, you know, that Windows features panel and you'll see most of the things there are turned off. They're mostly things that are kind of optional, like most people don't need to run IIS, the, you know, Microsoft Internet Server or, you know, there. There are some enterprise-y things. Most of the checkboxes are off. Scroll down near the bottom and I think it's like fourth from the bottom, you will see a checkbox you probably never noticed before or didn't think about, labeled Windows Sandbox. You check, you just check that box to turn the feature on, then click OK to confirm your choices. Windows will spend a minute or two unpacking its bags and will then tell you that you need to reboot to finish things up. Now, there's a chance that you may find that feature grayed out and unselectable. If you hover your mouse over that, Windows will probably inform you that Windows Sandbox cannot be installed because the processor does not have the required virtualization capabilities. If that's the case, you may be able to remedy that by rebooting, getting into your machine's firmware, BIOS or UEFI, and enabling the various processor virtualization features that are needed. You know, I feel like I'm a fan of VirtualBox and sometimes when I'm setting it up on a new machine, it won't run because I need to go into the BIOS and turn on, you know, VT-x in order to, to enable the, the, the virtualization features in the processor which need to be turned on by the firmware at boot time. So the other possibility is that you might be in a VM trying to run Windows in a VM. So if you scroll down to the bottom, Leo, you will find, see, it's grayed out.
Leo Laporte
But that's because I'm running in virtualization.
Steve Gibson
Ah yes.
Leo Laporte
So you couldn't have a sandbox in a virtual environment.
Steve Gibson
Probably actually you are able to, you are able to turn, but you need to enable virtualization within virtualization, which is a feature of the virtualizing systems.
Leo Laporte
I will go examine that. That's great.
Steve Gibson
You probably are able to do that. So after you reboot, if you scroll down in the main menu down into the W's, you will find listed all there by itself. I mean like with, along with, you know, Windows Applications and or Windows Administration and Windows System down there, is, in fact it's right above Windows System, which is a folder that expands, is Windows Sandbox all by itself. Click it and you will shortly be presented with something you may dimly recall, which is your original Windows system before it was first touched. It is completely clean, nothing installed. Yes. You'll see it. It looks like a standard Windows window named Windows Sandbox. It's got the Minimize, Maximize, and Close icons in the upper right, as Windows apps do. I noticed that resizing the Virtual Machine window was as smooth as anything I've ever seen.
Leo Laporte
Sure. There's nothing else running in the background.
Steve Gibson
Yes, well, but I mean, even the host system doesn't seem to have any problem hosting what is another running Windows boot? I mean, it booted Windows.
Leo Laporte
It sounds like it's a little bit like Docker. Is it like Docker? Do you know how Docker works?
Steve Gibson
I don't know how Docker works.
Leo Laporte
So one of the nice features of Docker is it doesn't install an entire operating system. It runs another operating system, but it uses the operating system resources already there.
Steve Gibson
That's exactly what this does. I will be explaining that in a second. Yes, that is exactly what it does. So I also noticed that if I maximized the window, it just became my desktop. It completely took over and covered up the underlying hosting desktop, and it showed the Remote Desktop connection bar at the top center. So Remote Desktop is the way the Virtual Machine's desktop is being presented to the user. The Sandbox has a C drive with about three gig shown as being in use, although it actually doesn't take up three gig. We'll get to that in a second. And plenty of empty space. Internet access by default with a generic LAN adapter is present. So you have Internet access from within the Sandbox. It's got the IP address of 172.72. Whatever.
Leo Laporte
A.
Steve Gibson
You know, a. An RFC. What is that? 1913 private network that is set up and it has a single user account named WDAGUtilityAccount, where WDAG stands for Windows Defender Application Guard. However, Microsoft notes that Windows Defender does not actually run inside the Windows desktop. Again, they're trying to keep it fast and lightweight. And as many people who run, who know, Windows Defender can sometimes start up and slow things down for a while while it's scanning through everything. Anyway, Microsoft really appears to have done a nice job of this. I was curious to see what would happen if I attempted to launch a second instance of the Sandbox and I was greeted with a dialogue from Windows Sandbox that said "Only one running instance of Windows Sandbox is allowed." So okay, I close that. And then out of curiosity, I tried clicking the upper right close X and was told, "Are you sure you want to close Windows Sandbox? Once Windows Sandbox is closed, all of its content will be discarded and permanently lost." Which of course is exactly what we want. And the second time the Windows Sandbox is launched, its desktop pops right up, though that's somewhat misleading, since Windows is not actually ready and it does still need a bit more time to get itself actually booted. You know, as the old timers among us will recall, at one point Microsoft was receiving so much flack over how long Windows was taking to boot that they deliberately engineered it to display its desktop at the earliest possible moment after it. After like turning the machine on and getting it to start booting, which was well before it was actually able to do anything. I always thought that all that ingenuity would have been better spent actually making it boot faster, but no one asked me. Anyway, before we dig under the covers to take a closer look at the technology that underpins all this, let's take a look at a few more surface details.
Windows Sandbox is also available on ARM64 from Windows 11 version 22H2 on, so you can get it for ARM and Intel platforms both, or AMD64 of course. Also, starting with Windows 11 24H2, the inbox Store apps like Calculator, Photos, Notepad and Terminal are not available inside Windows Sandbox. They said that the ability to use these apps is going to be coming soon. A so called vGPU, a virtualized GPU, is enabled on non-ARM64 devices. As I noted, networking is enabled using the Windows Hyper-V default switch. Since this could potentially expose untrusted applications to the user's internal network, it is possible to launch a sandbox with networking disabled, or to disable it after the fact, through the use of a custom .wsb file, as in Windows Sandbox configuration file. Audio input is enabled, with the Sandbox by default having access to the host's microphone input, but video is not. By default, the Sandbox does not share the host's video with, or the host does not share its video with the Sandbox. Printer redirection is also disabled, with the Sandbox not sharing printers with the host, but keyboard redirection. I'm sorry, clipboard redirection. Of course keyboard is, but clipboard redirection is enabled by default so the host clipboard is shared with a sandbox, allowing for the cutting and pasting of text and file names, you know, back and forth, which is just a convenience. It's also possible to change all of those defaults and many other aspects of Sandbox's configuration. Windows Sandbox supports, as I mentioned, that .wsb, which is a simple, you know, XML format configuration file which provides a minimal set of customization parameters for the Sandbox. This feature can be used with Windows 10 build 18342 and later or Windows 11, so that, that wasn't quite in, you know, that earlier 1903, but 1842 or later.
Windows Sandbox configuration files are formatted, as I mentioned, as XML and are associated with the .wsb file extension. A configuration file, that little .wsb, enables the user to control a number of aspects of the sandbox. That virtualized GPU can be disabled to cause the Sandbox to use Windows Advanced Rasterization Platform, known as WARP. Networking can be disabled. Mapped folders can be defined to allow the sandbox to see some controlled aspects of the host file system. If you like, a custom logon command can be executed when the sandbox starts. The audio and video sharing defaults can be changed to either allow or disallow video and audio. Remote Desktop Protocol's Protected Client mode, which is an elevated level of security, can be engaged to place that increased security, settings on the Remote Desktop Protocol session which is used to access the Sandbox. Printers can be shared, the clipboard sharing can be disabled, and the total amount of memory assigned to the Sandbox can be changed from its default of a hopeful 4 gig, although it will use less if less is available. Okay, so I want to turn the clock back to December at the end of 2018 and look at what Microsoft shared about this terrifically useful innovation back then. The Windows OS platform blog posted under the simple title "Windows Sandbox." They said: Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation. How many times have you downloaded an executable file but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows but didn't want to set up a virtual machine, or for that matter, even another real machine, they wrote. At Microsoft, we regularly encountered these situations, so we developed Windows Sandbox, an isolated temporary desktop environment where you can run untrusted software without the fear of lasting impact to your PC.
Any software installed in Windows Sandbox stays only in the Sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted. Since this is the Windows Kernel Internals blog, let's go under the hood. Windows Sandbox builds on the technologies used within Windows Containers, which, Leo, is presumably like Docker, as you said.
Leo Laporte
Yeah, containers, yeah, yeah.
Steve Gibson
Windows Containers were designed to run in the Cloud. We took that technology, added integration with Windows 10, and built features that make it more suitable to run on devices and laptops without requiring the full power of Windows Server. Some of the key elements we have made include a dynamically generated image. At its core, Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot. One of the key enhancements we've made for Windows Sandbox is the ability to use a copy of the Windows 10 installed on your computer instead of downloading a new VHD image as you would have to go through with an ordinary virtual machine. We want to always present a clean environment, but the challenge is that some operating system files can change. Our solution is to construct what we refer to as a dynamic base image, an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host. Again, no duplication of resources. The majority of the files are links, immutable files, and that's why it has such a small size of around 100 megabytes for a full operating system. We call this instance the base image for Windows Sandbox. When Windows Sandbox is not installed, we keep the dynamic base image in a compressed package of around 25 megabytes when installed. So that's what happens when. When you click the. You want to enable Windows Sandbox in the Turn Windows features on and off menu. When installed, the dynamic base package it occupies is expanded to 100 megabytes of disk space. Okay, so what about memory? Memory management is another area where we've integrated with the Windows kernel. Microsoft's hypervisor allows a single physical machine to be carved up into multiple virtual machines which share the same physical hardware. Okay, that's standard VM technology, right? 
But while that approach works well for traditional server workloads, it isn't as well suited to running devices with more limited resources. We designed Windows Sandbox in such a way that the host can reclaim memory from the sandbox if needed. Additionally, since Windows Sandbox is actually running the same operating system image as the host, we allow Windows Sandbox to use the same physical memory pages as the host for operating system binaries via a technology we refer to as Direct Map. In other words, the same executable pages of ntdll, the kernel, are mapped into the sandbox as on the host. We take care to ensure this is done in a secure manner and no secrets are shared. Okay, so I imagine everybody can detect how utterly infatuated I am with this technology. It is genius. They're reusing all of the Windows OS files. They're reusing all of the Windows kernels memory that's been loaded with static code. So any entirely separate and clean instance of Windows only requires around 100 megabytes of storage, which is essentially a file system full of pointers into the host's file system. And rather than needing to create another virtual machine with its own allocation of 4 gigabytes or more of RAM, it also takes almost no RAM to run because it's able to map most of the hosts actual physical RAM into its own virtual image. It is a win. And there's more they write with ordinary virtual machines. Microsoft's hypervisor controls the scheduling of the virtual processors running in the VMs, but I'll note they don't control the scheduling within the vms, which is the key they wrote. However, for Windows Sandbox we use a new technology called Integrated Scheduler, which allows the host to decide when the sandbox runs. For Windows Sandbox, we employ a unique scheduling policy that allows the virtual processors of the Sandbox to be scheduled in the same way as threads would be scheduled for a process. 
High priority tasks on the host can preempt less important work in the Sandbox. The benefit of using the Integrated Scheduler is that the host manages Windows Sandbox as a process rather than a virtual machine, which results in a much more responsive host, similar to Linux kvm. The whole goal here is to treat the Sandbox like an app, but with the security guarantees of a virtual machine. And that's the genius of this. It really is running an entirely separate instance of Windows like an app on the underlying host os. When you click it and launch it from the Start menu, it's like you are just running an app. But that app happens to be a completely clean instance of Windows in which nothing has ever been done or installed ready for you to play with. And remember how I mentioned that when I launched the Sandbox a second time, it seemed to snap right up? This blog explains why I experienced that too. It wasn't just my imagination or my infatuation, they wrote. As stated above, Windows Sandbox uses Microsoft's hypervisor. We're essentially running another copy of Windows which needs to be booted, and this can take some time. So rather than paying the full cost of booting the Sandbox operating system every time we start Windows Sandbox, we use two other technologies, Snapshot and Clone. Snapshot allows us to boot the Sandbox environment once and preserve the memory, CPU and and device state to disk. Then we can restore the sandbox environment from disk, loading it directly into the device memory rather than booting it when we need a new instance of Windows Sandbox. 
This significantly improves the start time of Windows Sandbox. Essentially there, but the... once Windows finishes booting the first time, they snapshot all of the work that was done to get it booted and then save that too, so that when you relaunch Windows, it comes up and then it restores the virtual machine state from which that snapshot was made. And Graphics Virtualization, they said: Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics intense or media heavy use cases. However, virtual machines are isolated from their hosts and unable to access advanced devices like GPUs. The role of graphics virtualization technologies, therefore, is to bridge this gap and provide hardware acceleration in virtualized environments. More recently, Microsoft has worked with our graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and WDDM, the driver model used by device drivers on Windows. Graphics components in the Sandbox which have been enlightened, I like that, which have been enlightened to support virtualization, coordinate across the VM boundary with the host to execute graphics workloads. The host allocates and schedules graphics resources among apps in the VM alongside the apps running natively on the host. So essentially the boundaries have been softened as much as they possibly could be, so that there is really no difference between apps running in the Windows Sandbox and apps running on the host desktop. They said this enables the Windows Sandbox VM to benefit from hardware accelerated rendering, with Windows dynamically allocating graphics resources where they're needed across the host and guest. The result is improved performance and responsiveness for apps running in Windows Sandbox, as well as improved battery life for graphics heavy use cases.
To take advantage of these benefits, you'll need a system with a compatible GPU and graphics drivers, WDDM 2.5 or newer. Remember this was written in 2018, so we probably all have that. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU based rendering technology. And finally, battery pass through: Windows Sandbox is also aware of the host's battery state, which allows it to optimize for power consumption. This is critical for a technology that will be used on laptops where not wasting battery is important to the user. So I've been spending a lot of time recently using virtual machines. The DNS benchmark that I'm currently working on needs to run under Windows 7, 8, 10, and 11, and those four operating systems span enough time that their behavior is all slightly different from one another. So I am routinely launching and running different OSes on different platforms. When I originally built my main old Windows 7 machine, I expected virtualization to be a thing that I would want to have access to, so I deliberately gave it a whopping 128 gigabytes of main system memory. This was specifically so that I could fire up separate Windows virtual machines that would each need large chunks of RAM dedicated for their own use. And my Windows 10 machine has 32 gigabytes, which was the most that that Intel NUC could handle at the time. My point is that I've become quite accustomed to the feeling of virtual machines running on my desktop, and I have never experienced as seamless and smooth an operation of a Windows OS in an OS as is provided by this built in Windows sandbox. I really believe Microsoft has outdone themselves on this one. They've been very clever and they've done everything right. They've essentially figured out how to run an entire separate instance of Windows as an application, and even the applications in that as applications for the host on top of Windows. It's fast and lightweight and does not burn up disk space or RAM.
Anyway, toward the end of today's show notes, I have a collection of links to additional resources to help anyone get the most out of their built in Windows sandbox, including all the documentation about configuring and tweaking its operation, RAM, cross host sharing resources, shared folders, and everything else. Anyway, there are so many really compelling use cases for this slick technology that I wanted to make sure all the listeners of this podcast who use Windows as their primary desktop knew that this little gem was hidden right there. I mean, just waiting to come out and play. I am, as I mentioned at the top of the show, I'm finally somewhat jealous of Windows 10. Actually, I'm sitting in front of it right now, but I don't have it on my Windows 7 system where, you know, I've not been in any hurry to upgrade the Windows 7 machine because everything works just fine. But now I'm thinking maybe I'm going to take a big one final, you know, system image snapshot and then see if Windows 10 is able to upgrade from my old Win7 machine. I dread the downtime required to set up a new Windows 10 machine from scratch and reinstall everything and configure it all. I mean, that's just days of work. But Windows Sandbox has been implemented so beautifully that it's something I would love to have on my, on that other desktop platform. I mean, Leo, it's just, it's. I mean, it's just a. They did a beautiful job. And again, containment. It is a security sandbox. So I would expect it would be of tremendous interest to our listeners. And they already have it. They just, most of them, like, I, I'd forgotten about it. I remember it once upon a time, but I'd completely forgotten.
Leo Laporte
Right, right. It's been there all along.
Steve Gibson
Yeah.
Leo Laporte
Hiding in plain sight.
Steve Gibson
Many instances where I've downloaded something sketchy. Remember when I was doing all the work on SpinRite 6.1 and I needed, I needed networking drivers for long obsoleted network adapters. And I had to, like, download things from sketchy sites in order to get the DOS drivers. And I was like, well, I could have unpacked them in this sandbox and then just taken the files themselves safely and not worried that the zip file might have been compromised with some sort of other goo.
Leo Laporte
Super cool.
Steve Gibson
Really, really neat.
Leo Laporte
Super cool.
Steve Gibson
Yeah.
Leo Laporte
Containers are a good thing. I think it's a very exciting area right now.
Steve Gibson
It is the idea of reusing the, the, the, the static footprint of an operating system and its static files. It makes so much sense.
Leo Laporte
Sure. Why, why have duplicates in RAM, you know.
Steve Gibson
And I think next week I'm going to share how malware has decided to move into Windows sandbox.
Leo Laporte
Yeah. Somebody was saying it's just a matter of time before we have a story about sandbox escapes, but that's a. We'll save that for future.
Steve Gibson
It's actually not an escape because the isolation is extremely good. Although, not to say that there might not be some.
Leo Laporte
Right.
Steve Gibson
But it turns out malware is using the Windows sandbox to hide.
Leo Laporte
Oh, that's a good idea. That makes sense. All right, we'll talk about it next week. You'll be here, right? Right. Of course you will. Not you, them. They'll be here too.
Steve Gibson
All of our wonderful listeners.
Leo Laporte
Yeah, they. Every Tuesday. Tuesday is a. In the TWiT family, that's the Security Now day. We do the show every Tuesday about right after MacBreak Weekly. So that's usually 1:30pm Pacific, 4:30 Eastern, 20:30 UTC. You can watch us live if you want. I mean, you know, there's, there's benefits to both. If you watch live, you can chat live. Now Steve's not watching chat, but I am, so that's, that's good. And we get involved. The live streams. There are eight of them. One, of course, is for the club members in our Club Twit Discord, you are a member.
Steve Gibson
I hope.
Leo Laporte
I would think everybody. It's interesting because you have more people on your newsletter now than are members of Club Twit. So if you subscribe to Steve's newsletter you should be a member of Club Twit. Seven bucks a month. Ad-free versions of this show and all the other shows, special content in the Club Twit Discord. Access to the Discord, which is a great place to hang out. I think that's worth seven bucks a month. Join the club and then you can watch it in Discord or, even if you're not a club member, on YouTube, Twitch, X.com, TikTok, Facebook, LinkedIn and Kick. Eight different ways to watch live. After the fact, you can download the show. Now, Steve has all the unique versions. He's got a 16 kilobit audio version, if you really don't have a lot of bandwidth. He's got a 64 kilobit audio, which used to be the standard, but now for various technical reasons we ship a higher quality 128 kilobit audio. 64 is fine. He also has the show notes, which are great, and human curated transcripts by Elaine Farris so you can read along as you listen or search. Use the transcripts to search. All of that is at grc.com, the Gibson Research Corporation. There are a few other things on GRC.com you should know about. Of course SpinRite. Steve didn't mention it this week, but that is his bread and butter. That's the world's best mass storage maintenance, performance enhancer and recovery utility. If you have mass storage you need SpinRite. Get that. 6.1 is the current version, at grc.com. There's also a lot of free stuff. It's the place to go if you want to send a message to Steve. You do have to validate your email first, so go to grc.com/email, validate your email. You can at that point, if you want, it's off by default, but turn on, you can subscribe to the weekly Show Notes newsletter, which goes out usually the day or a day before the show. There's also a very low traffic newsletter he sends out for big announcements.
Those are both at grc.com/email. We have 128 kilobit audio and video at our website, twit.tv/sn. You can get it there. There's a YouTube channel dedicated to the video. Great for sharing little clips. And of course best way to get it probably to subscribe. That way you get it automatically. You don't have to think about it, you just, it'll appear on your phone and you can listen at your leisure. However you listen, we do hope you'll join us next Tuesday and every Tuesday for Security Now. Thank you, Mr. Gibson.
Steve Gibson
Thank you, my friend. I will see you next week for episode 1023 Security Now.
Security Now 1022: The Windows Sandbox — Detailed Summary
Release Date: April 23, 2025
Hosts: Leo Laporte & Steve Gibson
Podcast: All TWiT.tv Shows (Audio) by TWiT
Leo Laporte kicks off the episode by teasing a range of security topics, including enabling Firefox tab grouping, updates on MITRE's CVE program, the introduction of short-lived certificates by the CA Browser Forum, and the rediscovery of a valuable Windows feature: the Windows Sandbox.
Timestamp: 17:46
Steve Gibson introduces listeners to the newly enabled Firefox tab grouping feature in Firefox version 137. Although present in the browser, the feature was disabled by default. Steve provides a step-by-step guide on how to activate it:
Accessing about:config:
about:config in the Firefox address bar.
tab groups.
Enabling the Feature:
BrowserTabsGroupsEnabled to true.
BrowserTabsGroupsSmartEnabled.
Notable Quote:
Steve Gibson [18:21]: "It's in the about:config... the code is already there in everybody's Firefox 137 and later."
Timestamp: 07:46 - 36:43
Steve discusses a potential shutdown of MITRE's Common Vulnerabilities and Exposures (CVE) program due to funding lapses. The CVE program is critical for tracking and managing cybersecurity vulnerabilities globally. Fortunately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) intervened by securing an 11-month funding extension, averting an immediate crisis.
In response to the uncertainty and to ensure long-term sustainability, CVE Board members established the CVE Foundation. This nonprofit aims to maintain the program's independence from single government funding sources, promoting neutrality and global trust.
Notable Quote:
Steve Gibson [30:37]: "Kent Landfield, an officer of the foundation, said 'CVE is a cornerstone of the global cybersecurity ecosystem. It is too important to be vulnerable itself.'"
Timestamp: 36:43 - 103:49
The CA Browser Forum has voted to shorten the maximum lifetime of TLS/SSL certificates from the current ~398 days to 200 days by March 2027, with a final reduction to 47 days thereafter. Steve expresses frustration over this decision, questioning its necessity and the lack of clear benefits compared to existing certificate revocation mechanisms like browser-side certificate revocation lists (CRLs) and bloom filters.
He highlights the increased administrative burden this change imposes, especially for organizations managing numerous certificates manually. Steve anticipates potential fractures in the Public Key Infrastructure (PKI) as some entities might opt to become their own certificate authorities to circumvent these restrictions.
Notable Quote:
Steve Gibson [36:43]: "It's brain dead, but it's what we're going to have."
Timestamp: 111:35 - 116:37
A curious incident in Silicon Valley involves hackers manipulating audio-enabled crosswalk buttons to imitate the voices of tech giants like Elon Musk and Mark Zuckerberg. The breach exploited default PIN codes (1234), underscoring the vulnerabilities in Internet of Things (IoT) devices when default security settings aren't changed.
Participants speculate that the perpetrator might have neglected to update the default passwords, a common oversight in device security management.
Notable Quote:
Steve Gibson [111:37]: "They have to change the password so they can log into it and set it up. Whoever did that said, 'I'll get around to it later.'"
Timestamp: 66:34 - 170:34
Steve delves into the critical role of Multi-Factor Authentication (MFA) in combating security threats like password spray attacks. Referencing a report by Rapid7, he highlights how MFA is essential in preventing unauthorized access:
Notable Quote:
Steve Gibson [66:34]: "Pass keys is a... is that absolutely."
Timestamp: 43:03 - 125:47
CISA released guidance on potential credential risks associated with a legacy Oracle Cloud compromise. The advisory cautions organizations about the possible unauthorized access to systems due to exposed credentials, urging immediate actions like password resets and enforcing MFA.
Steve criticizes Oracle for its lack of transparency and questions the company's security culture, suggesting that such oversights could erode trust in critical infrastructure providers.
Notable Quote:
Steve Gibson [43:03]: "CISA's alert, published last Wednesday, was titled 'CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise.'"
Timestamp: 75:48 - 173:06
Building on the MFA discussion, Steve analyzes Rapid7's findings on the increasing sophistication of password spray attacks. He underscores the necessity of robust MFA implementations and intelligent authentication strategies to fend off these pervasive threats.
Notable Quote:
Steve Gibson [75:48]: "Imagine a scenario where your network is under fire from a worryingly high number of brute force attempts... You don't want to be that kind of victim."
Timestamp: 134:28 - 173:22
The highlight of the episode is the introduction and detailed exploration of the Windows Sandbox, a built-in feature in Windows 10 and 11 (excluding Home editions) designed for secure experimentation:
Steve praises Microsoft for implementing this feature efficiently, likening it to running a separate instance of Windows as a lightweight application.
Notable Quote:
Steve Gibson [134:28]: "Often ignored or unknown to most users of Windows 10 and 11, but probably of tremendous value... is a ready to use extremely robust virtual machine based full security sandbox inside of which Windows users can perform any experiments they may wish."
Timestamp: 125:47 - 173:06
A study from the Netherlands reveals that companies insured against cyberattacks tend to pay higher ransoms (2.8 times) compared to uninsured counterparts. Cybercriminals exploit this by targeting insured organizations, knowing they can command larger payouts. The research emphasizes the importance of robust backup systems to mitigate the necessity of paying ransoms.
Notable Quote:
Steve Gibson [125:47]: "Ransomware victims who are insured against the cost of cybercrime incidents pay on average 2.8 times larger ransoms than those who are uninsured because the bad guys know this."
Steve wraps up the episode by reiterating the significance of the Windows Sandbox for enhancing security practices. He anticipates future discussions on how malware might exploit such sandbox environments but remains optimistic about the feature's robustness. Leo encourages listeners to explore the Sandbox feature to bolster their system's security.
Notable Quote:
Steve Gibson [169:32]: "We may see some fracturing of the public key infrastructure because it's been made too hard to use because of what amounts to a special interest group...want to have super short life certificates."
This comprehensive summary encapsulates the key discussions, insights, and conclusions from "Security Now" Episode 1022, providing listeners with a clear understanding of the topics covered even if they haven't tuned in.