FBI Says to Toss Your Old Router
Leo Laporte
It's time for Security Now. Steve Gibson is here. We've got a lot of security news. The state of Virginia passes an age restriction law that Steve says has no chance of surviving a First Amendment challenge. There is a nasty PyPI package that has survived for three years and 11,000 downloads. Isn't anybody paying attention? And then Steve has a solution for government agencies that want to use Signal without letting the whole world know what they're talking about. All of that and more coming up next. Security Now, podcasts you love from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1025, recorded Tuesday, May 13, 2025: Secure Conversation Records Retention. It's time for Security Now, the show where we cover your security, your privacy, your safety online with the guy in charge at GRC.com, Mr. Steve Gibson. Hello, Steve.
Steve Gibson
I have never been accused of talking quietly, Leo. Never, in anything that has happened. My wife has extremely sensitive ears, and she talks to me from the other room and assumes I can hear her. She can hear me. So it's not reciprocal, but, you know.
Leo Laporte
This is, you know, generally a couple problem. Lisa will talk to me from two floors away.
Steve Gibson
I'm glad it's not just me. And I can hear... it's like, what? Like, something. There's a conversation being had, and she doesn't talk to herself, so I know it's aimed at me, but I wear...
Leo Laporte
Hearing aids, and it still doesn't help, so I don't know.
Steve Gibson
But you have such an excuse. That's great. You know, it's like they were all... or they are.
Leo Laporte
I need a trumpet. I need one of those old-timey... So what's coming up this week on...
Steve Gibson
Security Now. We are here for episode... the big episode, the first episode past the 2-to-the-10 episode, 1025, for the 13th of May. I got to today's topic through a rather circuitous route because it was originally titled What Is End-to-End Encryption? Because I was noticing that it's become a buzzword. It's become like, oh, it's what you're supposed to have, or oh, don't worry about it, it's end-to-end encrypted, even when, you know, it may not be. And of course this hearkens back to the TeleMessage mess that we talked about, and them insecurely archiving Signal chat messages, Signal protocol conversations. But as I looked further and I thought about this problem, I ended up... the podcast morphed into today's topic, which is conversation records retention. Because that's really sort of the issue and the question. And the question is, is true end-to-end encryption possible when records are being retained?
Leo Laporte
Yeah. Because records have to be kept in the clear, right? Or at least, well, records have to...
Steve Gibson
Be accessible if you are subpoenaed.
Leo Laporte
Right.
Steve Gibson
For... and like, I remember being appalled when my little... what I heard, like, my little company that's sort of doing nothing big over in the corner, you know, might have to produce email records if someone were ever to sue us for something. It's like, what? It's our email. No, it's, you know, it's corporate, you know, records responsibility, and there are all kinds of record-keeping acts now. And in fact, since I sent this email, the email of this show with the show notes, to... I think it was... now we're up to 17,363 of our listeners, several people wrote back and said that their enterprises, their companies, were TeleMessage customers and that they're now needing to find an alternative solution because this actually is a problem. There is a need that companies have for their executives' dialogues and conversations and transactions to be retained for legal purposes.
Leo Laporte
Yeah, there are regulations in almost all industries.
Steve Gibson
About that. Anyway, so we're going to get around to that and I think have an interesting exploration of the issue and the problem. And believe it or not, Leo, I have a solution, which I didn't have when I started. It was a consequence of sort of brainstorming during the podcast production and putting it all down. And I hope it happens. I imagine it will because, you know, the podcast has some reach. And if it hasn't occurred, maybe it's occurred to other people, but I've not seen it anywhere.
Leo Laporte
So I love this.
Steve Gibson
We'll talk about that. First we're going to talk about the state of Virginia passing an age restriction law that, as I wrote, has no chance. It's like, what are you... why are you even bothering to, you know, waste the ink on this, you idiots? Also, New Zealand also tries something similar, citing the lead that they're taking from Australia. We have a nasty Python package that's actually aimed at Discord developers, which was only found after three years and more than 11,000 downloads. Which tells us the story of, well, we can't count on all the security firms always finding all of the malicious, you know, repository junk that's out there. Also, what's in WhatsApp? Turns out that finding out was neither easy nor certain. And there's a story there. Also, the UK's cyber center says that AI promises to make things much worse. Oh, joy. We've got a bunch of great feedback from our listeners, which we're going to spend some time on and also use as talking points. And then look at this question of what it means to need to retain records of what originally was a secure end-to-end encrypted conversation, and how that could be done. And of course, the Picture of the Week also generated feedback from our listeners. Benito and I were talking about this beforehand as MacBreak Weekly was wrapping up. I learned something I didn't know, which is interesting, from our listeners, which Benito also told me. But the picture is interesting, so we'll have to look at it.
Leo Laporte
I haven't looked at it. As always, I like to save it for the show. Security Now is underway. But before we get going, Steve, let me stop you for a moment for a word from our sponsor. And it's a sponsor I really like talking about because they implement zero trust affordably, easily, and I'm a big believer in this. Zero trust is obviously the way to go in many circumstances. We're talking about ThreatLocker. I don't need to tell you, if you listen to the show, you know that ransomware is running rampant through businesses worldwide. They get in in a variety of ways: phishing emails, infected downloads, malicious websites, even RDP exploits. But the key term there is they get in, right? Somehow they get into your network, and once they're in, they can do a lot of damage. Don't be the next victim. You need ThreatLocker's Zero Trust platform. It takes a proactive, and this is the key, deny-by-default approach. That's what zero trust means. It blocks every action unless it's explicitly authorized. And it's great because it protects you both from known and unknown threats. It can be a zero day. We're not actually, you know, looking at the threat to see what it is. We're just saying, no, you can't do it. And that's why it's so important, especially for city governments, schools, infrastructure plays. JetBlue. Big businesses like JetBlue, they use ThreatLocker to make sure that a bad guy, if they get in, still can't do any harm. Talk about infrastructure: the Port of Vancouver uses ThreatLocker. ThreatLocker shields you from zero day exploits and supply chain attacks. And this is a really nice side effect: it provides complete audit trails for compliance, so it really is a handy tool. ThreatLocker's innovative ring fencing technology, that's what they call it, isolates critical applications from weaponization. It means it stops ransomware cold. And it also limits lateral movement within your network. ThreatLocker works in every industry. 
It supports Macintosh as well as Windows. So a heterogeneous network, that's fine. Plus you get 24/7 US-based support, and you get comprehensive visibility and control. Let me give you an example. Mark Tolson, he is the IT Director for the city of Champaign, Illinois. You know, bad guys go after city governments like crazy because they figure, ah, they won't be well defended. Plus they probably have insurance. It's an easy buck. Well, don't go after Champaign, Illinois. Mark says ThreatLocker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing ThreatLocker will stop it. Stop worrying about cyber threats. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. Visit threatlocker.com to get a free 30 day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance at the same time. That's threatlocker.com/twit. We thank them so much for supporting Security Now and the very important work Steve does here. I'm ready to scroll up. I have been very good. You know, it's hard for me. I have them right in front of me.
Steve Gibson
We appreciate having your candid first look, as they say. So I gave this picture the caption: A joke? Serious? Deliberately setting a high bar, or maybe missing the point of deliberately posting a Wi-Fi password.
Leo Laporte
That is the most annoying password I've ever seen.
Steve Gibson
Okay, so we're now seeing this. First, we have a guy, or a person, I don't know, you know, what their sex was, a person who had a lot of fun with fonts. This is a framed, looks like 8½ by 11, gray sheet. And actually it's a true photo. You can barely see the reflection of the smartphone of the person who was taking a picture of this, bounced off the glass, because they're like, what the heck? Anyway, this says Welcome in a nice big scrolly font. Then it says Be Our Guest in a sans-serif italic font. Then they went to great trouble to find the very familiar Wi-Fi icon, you know, the dot with the three radiating semicircles coming off of it. So you know that this is about the Wi-Fi, and so they're saying, you know, by all means, connect. Well, now then we hit the problem here. The network ID, for a reason that's not clear, is TIM, T-I-M in all caps, hyphen 924-94870, instead of...
Leo Laporte
Does that mean... wait a minute, that must mean there are 92 million other Tims. Is that...
Steve Gibson
You know, it could just be Barney or something. I mean, whatever it is doesn't matter. 924-94870 following Tim. Anyway, that's not the worst, Leo.
Leo Laporte
No, because the password. Oh, yeah.
Steve Gibson
Is 9, capital F, lowercase z, capital H, capital A, lowercase f, lowercase c, capital A, lowercase t, lowercase c, capital Z, 5, capital R, lowercase b, 6, capital R, lowercase u, capital S, capital E, 3, capital Y, capital E, 3, capital G. Nicely done.
Leo Laporte
Very nice.
Steve Gibson
And okay, so here's, of course, my point. It's like, what? Be our guest. You know, first of all, there's no chance that you could type this into any kind of a touchscreen, you know, on your phone. Now, the email that I received, as I mentioned, after people saw this, they said, well, you know, Steve, the nice thing about today's smartphones is you can just aim the camera at that.
Leo Laporte
Oh, that's true.
Steve Gibson
Take a picture of it.
Leo Laporte
But, you know, you could even... I'll do you one better. I have a QR code on my wall, so visitors can... and they just scan the QR code and it joins the Wi-Fi. You don't have to type anything in at all.
Steve Gibson
Again. So, okay, now, so here's a joke, especially...
Leo Laporte
Because at the bottom it says, please enter the characters of the letters as they are written. That's a joke.
Steve Gibson
Maybe they're just very... he's OCD. I don't know.
Leo Laporte
He's teasing people, I think.
Steve Gibson
And so that's my question, exactly. So maybe. And so, you know, welcome. Be our guest. Here's your typing test.
Leo Laporte
Yeah, that's crazy.
Steve Gibson
Anyway, I do enjoy the picture. And you know, looking at this, I don't have it in front of me, but I found the most perfect perspective correction app for Windows. The photo that was sent to me was taken way off axis in both directions. So it was a skewed trapezoid from hell. And I found this app some time ago which works exactly the way you would want it to, but nobody else seems to have figured this out. It gives you a four-point rubber-banded rectangle where you simply drag the four corners of the rectangle to four corners which should be rectangular on the image, and then it fixes it. And so what we're looking at in this perfectly square-on-looking image was originally really skewed. Anyway, I'll get the name of it for next week because it's just the best thing. And it seems Apple has all this weird, like, you know, you swing it up and down and back and forth and try to negotiate with it, but when you know that what you want is something square, just drag a square over it. Anyway, I don't know why nobody else has done that. I've never found it in a Windows app. And of course now 25 of our listeners will say, Steve, here's the one that I use. It's like, okay, thank you. Okay, so my title for this first piece of news was Virginia's Folly. And I wasn't sure whether to file this under Things That Will Never Happen or Good Luck With That, because the event was so obviously fraught and there was a ton of coverage about it because, I mean, like, when I did a little bit of Googling, it was widely covered, probably because everyone recognizes this is really an issue, and we've talked about this a lot. But I found a very clear and concise blog posting among all the other newsy stuff from a law firm, Hunton Andrews Kurth, who specialize in privacy and cybersecurity law. So they're watching these sorts of things happen from their perspective as a group of attorneys. 
The headline title of their posting was Virginia Governor Signs Into Law Bill Restricting Minors' Use of Social Media. And then they explain: On May 2, 2025, Virginia Governor Glenn Youngkin signed into law a bill that amends the Virginia Consumer Data Protection Act, the VCDPA, to impose significant new restrictions on minors' use of social media. The bill comes on the heels of recent children's privacy amendments to the VCDPA that took effect on January 1, 2025. So, beginning of this year. They wrote, the bill amends the VCDPA to require social media platform operators to, first, use commercially reasonable methods, such as a neutral age screen, to determine whether a user is a minor under the age of 16, and second, limit a minor's use of the social media platform to one hour per day unless a parent consents to increase the daily limit. The bill prohibits social media platform operators from using the information collected to determine a user's age for any other purpose. Notably, the bill also requires controllers and processors to treat a user as a minor under 16 if the user's device, quote, communicates or signals that the user is or shall be treated as a minor, including through, quote unquote, a browser plugin or privacy setting, device setting or other mechanism, unquote. The bill also prohibits social media platforms from altering the quality or price of any social media service due to the law's time use restrictions. 
The bill defines social media platform as a public or semi-public Internet-based service or application with users in Virginia that connects users in order to allow users to interact socially with each other within such service or application and allows users to do all of the following, and there are three: first, construct a public or semi-public profile for purposes of signing into and using such service or application; second, populate a public list of other users with whom such user shares a social connection within such service or application; and finally, create or post content viewable by other users, including content on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users. The bill exempts from the definition of social media platform a service or application that, first, exclusively provides email or direct messaging services, or second, consists primarily of news, sports, entertainment, e-commerce or content pre-selected by the provider and not generated by users, and for which any chat, comments or interactive functionality is incidental to, directly related to or dependent on the provision of such content. The Virginia Legislature declined to adopt recommendations by the Governor that would have strengthened the bill's children's privacy protections. These amendments to the VCDPA take effect on January 1st of next year, 2026. So the last changes to the VCDPA took effect on January 1st this year. This is setting things up for the beginning of next year. Now, this legislation won't get off the ground before it is enjoined by multiple lawsuits arguing, with some strong rationale and probably merit, that the imposition of these restrictions flies directly in the face of the freedom of speech rights enshrined by the First Amendment to the US Constitution. I mean, these things are always immediately sued, and then they go into the courts. 
And it was for that reason that I recently mentioned that I was hoping that the nine justices on our Supreme Court enjoy working, since what we're seeing is the upper echelons of the US legal system being put to much more use than they've seen in quite a while. You know, how many times have we recently heard, quote, this will eventually need to be decided by the Supreme Court? We're no longer talking about whether party A defrauded party B. Those are easy things to decide, relatively. Now we're asking where exactly the line can be drawn when a state wishes to restrict what can reasonably be described as the free speech rights of a group of individuals. Consequently, many fundamental questions surrounding proposed laws and their precise relationship to the US Constitution are now being asked, and they will eventually be tried. So, wow. I mean, the system is being stressed, but we need to see, you know, what the answers are that come out the other end. So anyway, one more point on this. In New Zealand, the New Zealand press writes, the National Party wants to ban 16-year-olds. Now, I think that Virginia said under 16. So now New Zealand has 16 and under. So again, this is why, in my opinion, Apple is trying to create zones of age, I don't know why, to maybe make it less obvious when someone's birthday is, you know, okay, but the problem is there's no alignment of any of these laws, not even among states, let alone among nations. So, you know, I just think, you know, giving the phone an API that lets the app say, you know, is the person above or below a given age, is what we're going to end up with anyway. The National Party wants to ban 16-year-olds from accessing social media, apparently by forcing companies to use age verification measures. So this is the go. 
The country of New Zealand: National MP Catherine Wedd, with the backing of leader Christopher Luxon, has put forward a member's bill which would follow Australia's lead on cracking down on social media giants. The Prime Minister said he wanted to explore picking it up as a, quote, broader government bill, which is actually a term that means something within their legal framework, which would mean it could become law more quickly. Right now the legislation does not have government endorsement, which means it would be debated only if it was drawn from the ballot at random, which seems bizarre, but okay. Catherine Wedd said the bill would put the onus on social media companies to verify someone is over the age of 16 before they access social media platforms, and is modeled off Australian legislation. Wedd said, quote, currently there are no legally enforceable age verification measures for social media platforms in New Zealand. She said she'd heard from parents, teachers and principals that there wasn't enough protections in place. I'm sorry, there, yeah, wasn't enough protection in place. Quote, my Social Media Age-Appropriate Users Bill is about protecting young people from bullying, inappropriate content and social media addiction by restricting access for under-16s. Now she says under-16-year-olds. So, okay, but before it was over the age of 16. So even they're not sure. The bill would require social media platforms to take, quote, all reasonable steps to prevent under-16s from creating accounts. It would also introduce penalties for non-compliance, including financial ones. So here's another piece. You know, this bit of news now from New Zealand reminds us that Australia has recently been exploring similar legislation. 
So stepping back from this, I would say that it should be very clear to anyone who's watching everything that's going on that sooner or later, and apparently sooner, we're going to be seeing age-based restrictions on access to social media, which have until now been completely uncontrolled. So, you know, and we know that the likes of Meta don't want it to be their responsibility. They're saying it should be the vendor's, the platform producer's, responsibility. So it's a mess. And, you know, we're seeing legislation being put in place. It's being fought back against by those who don't want it to be done that way. We have seen Apple make some steps forward, we've seen Google make some steps forward. So we need...
Leo Laporte
I think you made an excellent point though. Apple could solve this right away just by putting that feature in that you suggested, which is, you know, the parent says this kid is such and such age and that would be the best way to do it, make it the parent's choice. And Apple just needs to give, and Google need to give them that facility, that capability.
Steve Gibson
Yeah, all you have to do is surface an API, and that would mean that the World Wide Web Consortium would define a new JavaScript verb which allowed the browser to query the platform for its user's age.
Leo Laporte
You also, legislators also have to realize you can't keep kids away from all...
Steve Gibson
That's just the other point. It's like, nice to have a law.
Leo Laporte
Right. But there are neighbors. Hey, I used to go down to a local drugstore and read the Playboys on the shelf. I mean, there's no way you can keep them safe with a law.
Steve Gibson
Yeah, yeah. I'm continually seeing reports of malicious supply chain attacks where this security company discovers 52 malicious Python libraries or that security company finds 46 malicious JavaScript libraries. And I mean, I don't talk about them every week because I see them every week, and it's like, okay, okay. You know, I mean, so I feel like I share them enough with our listeners to keep everybody, you know, aware of the issue, to keep it in mind, to always bring some caution to going into a repository and saying, oh look, this is just the library that I was looking for. I'm so glad someone created this. Because, you know, the bad guys have figured out that that's what people do, and they figured out that they can use the inherent openness of this ecosystem that we've created to hurt people, to get into people's computers, to infect somebody who's in an enterprise, then pivot from their PC when it's connected to the enterprise network into the enterprise's network, and before you know it, they're listed on that ransomware listing site and there's trouble. So again, I guess I want to make it clear that it's not like that only happens when I mention it. It's very much like the ransomware attacks. I see 12 of them every single week. This company, that company, it's like, okay, well, that's just boring now because it's in the background, it's constant noise happening. So is all of the repository infection. And the security companies, bless their hearts, are taking their time. You know, it must just be PR for them, right? They're like, well, we found 52 malicious Python libraries. Woohoo, pay attention to us. Oh, but our customers weren't affected because our scanners, you know, nipped those in the bud. 
So it's a way of saying, and if you were one of our customers, you know, you'd have our scanner in your PC too, and those 52 nasties would have never had a chance to get going. But the troubling question is, do they find them all? And what would not finding some look like? And that's the reason that Socket Research's reporting of a very malicious and sophisticated Python Trojan, which had remained unfound, hidden, for more than three years, was troubling. Their research posting was titled Malicious PyPI Package Targets Discord Developers with a Remote Access Trojan. And their subtitle was: The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert command and control channel. So I'll just share the start of their long report. They wrote: On 3/21/2022, thus the more than three years ago part, 3/21/2022, a Python package, discordpydebug, all one word, D-I-S-C-O-R-D-P-Y-D-E-B-U-G, was uploaded to the Python Package Index, PyPI, under the name Discord py error logger. At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the discord.py library. However, the package concealed a fully functional remote access Trojan. Over time, the package received over 11,000 downloads, placing thousands of developer systems at risk. The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers or small teams who might install such tools without extensive scrutiny. Since PyPI doesn't enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid. Discord's developer ecosystem is both massive and tightly knit. 
With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build, but also live, test, share and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools and code snippets are shared freely and often used with little scrutiny. It's within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities that they're familiar with. The fact that this package was downloaded over 11,000 times despite having no README or documentation highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs or Discord server threads, such packages can gain traction before ever being formally vetted. So the link to the rest of their extensive research is in the show notes for anyone who's interested. They talk about it at great length, but my intent here was to just, you know, without wanting to shut down the value that can be obtained, really put a point on the fact that, you know, as they say, there's no such thing as a free lunch. You know, I mean, this ecosystem that has been created is so neat. I mean, it's so cool to be able to have access to other people's freely shared work like this. But unfortunately there are other people we don't know, and they can be other people who are trying to hurt us, trying to, you know, again, typically not us as individuals, but, you know, now Discord developers may well be working with an enterprise and using Discord in an enterprise environment. The bad guys want to get in there. And so end users are no longer the targets that we once were. 
As soon as cryptocurrency happened, and the concept of ransomware happened, and encrypting servers and exfiltrating proprietary data and threatening in return for money happened, suddenly all the attention went to how do we get in? And that's through phishing, and that's through contaminating repositories and using those as the back doors into more valuable networks. So, I mean, it is really happening. And this thing sat there for three years without being found.
Leo Laporte
Do they know how many people downloaded it?
Steve Gibson
More than 11,000.
Leo Laporte
Wow, that's terrible. Yeah, it's funny because they weren't... I mean, I guess it was indirectly targeting Discord because they were going after the developers, right? But I guess once you compromise a developer, you can then compromise their code.
Steve Gibson
Well, yes, yes, it's the developer. The profile of a developer is one who is looking in the Python libraries for things that will help their work. And so a Discord debugger would be something that a Discord bot developer would say, hey, that's great, I want help debugging my Discord app. And so it's on a developer machine, who then works for an enterprise. Or maybe he's doing that on his own in the evening on his laptop and then brings it into the office, plugs it into the network, and now this thing is able to move laterally into their employer's network, which is what they really want and what, you know, Leo, what our listeners really want.
Leo Laporte
I know they don't, but I'm going to do it anyway.
Steve Gibson
Yeah, I think what I really want is a little bit of coffee, a...
Leo Laporte
Little caffeine while I talk about our sponsor for this section on security now. And that of course is US Cloud, the, the number one Microsoft Unified support replacement. We've been talking about US Cloud for some months now. They are the global leader in third party Microsoft support for enterprises now supporting 50 of the Fortune 500. There's a reason 50 big companies switched to US Cloud. US Cloud could save your business 30 to 50% over Microsoft unified and Premier support. But it wouldn't be any good if we're just less expensive. It has to be better, right? Yes, it's better. It's faster for one thing. Twice as fast in its average time to resolution versus Microsoft. That's a good improvement. Plus the smartest engineers in the business. So you're getting people really know what they're talking about. And I think US Cloud is willing to tell you stuff that Microsoft's not. For instance, US Cloud now offers an Azure cost optimization service. Microsoft may not want you to optimize your Azure costs, but really, seriously, when was the last time you evaluated your Azure usage? I think everybody understands, you know, we probably are spending more on Azure than we really need to. Everybody has a little Azure sprawl, if you will. Spend creep that's going on. But good news, you don't have to be in the dark about it. Saving on Azure is easier than you think. With US Cloud they offer an eight week Azure engagement. It's powered by VBox. It will identify key opportunities to reduce costs across your entire Azure environment. And you're not doing it on your own. You're getting expert guidance from US Cloud senior engineers. These are the best in the business. An average of over 16 years with Microsoft products. At the end of the eight week engagement, your interactive dashboard will identify, rebuild and downscale opportunities, unused resources, allowing you to reallocate those precious IT dollars towards needed resources. Or I got a thought. 
Keep the savings going by investing your Azure savings in US Cloud's Microsoft support. That's what a few other US Cloud customers have done to completely eliminate your unified spend and that's a real savings. Ask Sam. He's the technical operations manager at a company called Bede Gaming, B E D E Gaming. He gave US Cloud 5 stars. His review said, quote, we found some things that had been running for three years which no one was checking. These VMs were, I don't know, 10 grand a month. Not a massive chunk in the grand scheme of how much we spent on Azure. But you know, once you get to 40,000 or $50,000 a month, it really starts to add up. Uh huh. It's simple. Stop overpaying for Azure, identify and eliminate Azure creep and boost your performance and do it all in eight weeks with US Cloud. Visit uscloud.com and book a call today. Find out how much your team can save. That's uscloud.com to book a call today. Get faster, better Microsoft support for less. uscloud.com. Thank you so much for supporting Steve Gibson and Security Now. You support us when you mention, if they ask you when you get to US Cloud, you say yes, Steve told me all about it. What is that little thing you got there? That is cool. That's like an E Ink I found up.
Steve Gibson
It was on some podcast of TWiT's and it's called Terminal. One of your. Oh yeah, one of your hosts mentioned it.
Leo Laporte
Yes. So you have your Google Analytics for your website on there.
Steve Gibson
Yeah.
Leo Laporte
That's so cool.
Steve Gibson
Yeah. And you can see on April, what is that, 28th, I think somebody mentioned ValiDrive. And so we had a big spike then. But it is, it's battery powered. It runs for three months because it uses E Ink and it updates occasionally. They have a whole bunch of little widgets that you're able to drag. You can compose the screen that you want and it sits running on batteries, as I said, about three or four months and it updates occasionally. And there's also the reason I was interested is that they have a developer kit that allows you to basically have it display a webpage. And so at some point I'm going to have it monitoring, you know, internal server stuff.
Leo Laporte
Well, as long as we're celebrating, I might as well show you that you were a TikTok star last week. What you did, you talked about Microsoft's bold pass key move, you know, getting rid of passwords, and must have made it to the. For your page on TikTok because you see here, 193,000 views. 2,864 likes. 322 comments. That is very. Those are good numbers, those for TikTok. That's incredible.
Steve Gibson
Interesting.
Leo Laporte
Yeah. So congratulations.
Steve Gibson
Thank you for reposting that.
Leo Laporte
You can now say, yeah, I'm a TikTok star. Along with everything. Everything else you tell your neighbors. Yeah, that's. Yeah, that's me.
Steve Gibson
Yeah. I don't tell them that. They, like, look at me.
Leo Laporte
There you go.
Steve Gibson
Our neighbors have no idea what either Lori or I do. They just know we're nice people. But Lori starts talking about neurofeedback and modifying brain waves and they're like, what?
Leo Laporte
Oh, that's all the rage nowadays, though. That's a hot topic. All right, my mouse is stuck. Oh, there we go. I finally got rid of the screen. Go ahead, my friend, go ahead.
Steve Gibson
So once upon a time, it may have been difficult to toss a perfectly good consumer router into the trash bin. And while it's still probably not easy or reflective, last Wednesday, the U.S. Federal Bureau of Investigation, our FBI, posted one of their PSAs, a public service announcement, which was titled Cybercriminal Proxy Services Exploiting End of Life Routers. Here's what the FBI wrote. They said the Federal Bureau of Investigation, FBI, yes, is issuing this announcement to inform individuals and businesses about proxy services taking advantage of end of life routers that are susceptible to vulnerabilities. And then they explain when a hardware device is end of life, the manufacturer no longer sells the product and is not actively supporting the hardware, which also means they're no longer releasing software updates or security patches for the device. Routers dated 2010 or earlier likely no longer receive software updates issued by the manufacturer and could be compromised by cyber actors exploiting known vulnerabilities. End of life routers were breached by cyber actors using variants of the Moon malware botnet. Recently, some routers at end of life with remote administration turned on were identified as compromised by a new variant of the Moon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cybercrimes anonymously. A proxy server is a system or router that provides a gateway between users and the Internet. It is an intermediary between end users and the web pages they visit online. A proxy is a service that relays users' Internet traffic while hiding the link between users and their activity. Cyber actors use proxy services to hide their identities and location. When actors use a proxy service to visit a website to conduct criminal activity like stealing cryptocurrency or contracting illegal services, the website does not register their real IP address and instead registers the proxy IP.
The Moon malware was first discovered on compromised routers in 2014 and has since gone through several campaigns. The Moon does not require a password to infect routers. It scans for open ports and sends a command to a vulnerable script. The malware contacts the command and control server, and the C2 server responds with instructions, which may include instructing the infected machine to scan for other vulnerable routers to spread the infection and expand the network. Tips to protect yourself, they wrote. Commonly identified signs of malware infections on routers include overheated devices, like when it's mining cryptocurrency with abandon, problems with connectivity, same, and changes to settings the administrator does not recognize. The FBI recommends individuals and companies take the following precautions. They list five. If the router is at end of life, replace the device with an updated model if possible. Second, immediately apply any available security patches and/or firmware updates for your devices. Third, log in online to the router settings and disable remote management, remote administration, save the change and reboot the router. Fourth, use strong passwords that are unique and random and contain at least 16 but no more than 64 characters. Avoid reusing passwords and disable password hints. And finally, if you believe there's suspicious activity on any device, apply any necessary security and firmware updates, change your password and reboot the router. So you know, this is good but not surprising advice for anyone listening to this podcast. Still, it's not anything that most non cybersecurity aware users would ever think to consider. So it's a good thing that these sorts of reminders and advisory, you know, public service announcements are being made by an entity that the public would trust, like the FBI. So that's good.
Three UK researchers, three from King's College and the third from Royal Holloway University of London, decided to tear WhatsApp apart to figure out how it solves the challenges of multi device group messaging and to see whether they may have left any rough edges in there. Here's how they described their work in their resulting paper's abstract, which was short. The abstract was short, the paper was not. They wrote, WhatsApp provides end to end encrypted messaging to over 2 billion users. However, due to a lack of public documentation and source code, the specific security guarantees it provides are unclear. Seeking to rectify this situation, we combine the limited public documentation with information we gather through reverse engineering its implementation to provide a formal description of the subset of WhatsApp that provides multi device group messaging. We utilize this description to state and prove the security guarantees that this subset of WhatsApp provides. Our analysis is performed within a variant of the device oriented group messaging model, which we extend to support device revocation. We discuss how to interpret these results, including the security WhatsApp provides as well as its limitations. Okay, now that was their abstract. What followed was a quite daunting 115 page paper. And remember, you know, we typically encounter papers like this that are 16 to 29 or 30 pages. This is a monster. And they start off by explaining, group messaging in WhatsApp is based on the Signal two party protocol and the Sender Keys multiparty extension. To date in the academic literature, the ground truth for answering the question of how these building blocks are composed precisely is established by the WhatsApp security white paper or unofficial third party protocol implementations. Now I'm not going to go into 115 pages because, I mean, this is really hair curling stuff, but it put me in mind of how spoiled I guess I am. I know Leo, you are.
And many of our listeners are, by Unix and Linux and Signal and other open source security systems and operating systems. The idea that these researchers were forced to reverse engineer and divine the operating protocol of a critical encrypted communications application such as WhatsApp, which is in use, as they said, by more than 2 billion people, seems really wrong. You know, it's true that my own SQRL client for Windows was not open source, but every single detail about the protocols it implemented and how it did them was scrupulously detailed for the specific purpose of facilitating independent implementations. And all I was doing was creating an implementation of SQRL's specification that was in the public domain from the first moment I disclosed its operation here on the podcast. And we know that the specification was correct because a number of other people created their own fully working SQRL implementations and everything interoperated perfectly. That's the way these sorts of things should be done. Now, the details of the security protocols that, in the case of WhatsApp, as I said, billions of people depend upon, that should not be considered proprietary. It just. That's old thinking. It's like outlawing the export of ciphers using more than 40 bits, you know, it's not the crypto way. While I was following the references in this paper, I got a kick out of noticing that they were sorted alphabetically, which brought all of the people's names together. And at the Ms, we have reference number 50, Marlinspike M, Private Group Messaging, dated May 2014, and a link.
Leo Laporte
That's the signal protocol. Yeah.
Steve Gibson
Yep. Reference 51, Marlinspike M, The Double Ratchet Algorithm, November 2016, and a link to the full specification, revision 1. Reference 52, Marlinspike M, The X3DH Key Agreement Protocol, November 2016, and a link to the full specification, revision 1. And reference 53, Marlinspike M, The Sesame Algorithm: Session Management for Asynchronous Message Encryption, April of 2017, and a link to the full specification, revision 2. Our listeners who've been with us from the early days may recognize every one of those specifications and protocols. And I heard you recognizing them, Leo.
Leo Laporte
Oh, yeah.
Steve Gibson
Because we have examined each of them over the years as we followed Moxie Marlinspike's work from the start. And this is the point I wanted to make. The fact that Moxie and Signal have been sharing all of the details of their work all along demonstrates a fully mature understanding of security. That's the only way they can know what they have done is secure, is by publishing it for other academic researchers to examine. By comparison, the fact that Meta's WhatsApp has taken advantage of all the good parts of that work for free, while refusing to disclose the very important workings of their own "proprietary", and I have that in quotes, extensions of that work, is what I have a difficult time excusing after slogging through the 115 pages of the researchers' work. And remember, that's their output, that they had to do the work in order to produce 115 pages of detailed results. They summarize their findings mostly by explaining that they were unable to find anything big that seemed to be amiss. But since they didn't have access to any source code or even to complete algorithm descriptions, "we couldn't find anything" is not the same as "we looked at everything that matters and it all looks fine." You know, there were a number of edge cases that they were unable to explore due to lack of information, and some others that they found that were not hugely concerning. But okay, like revoking the keys from a device when it's coming out of a group chat is a problem. And it's not exactly clear that WhatsApp has done that in a very solid fashion. So these intrepid academics, you know, did achieve something for their efforts, though what is so annoying is their task could and should have been so much easier. And nothing is gained by Meta hiding what they've done and considering it, oh, these are, you know, secret sauce. No, it's, you know, 2 billion people are depending upon it, not you not having made a mistake.
And what we know is mistakes happen and, you know, they need to be aired in order to get fixed. Leo, you're going to love this. The UK's big National Cyber Security Centre, the NCSC, which is roughly their equivalent of our CISA, just issued a report looking at the probable effect AI is expected to have upon cybersecurity over the next two years, from now until 2027. Now, I have to say I was somewhat relieved to see that that was their time frame, to see that they clipped this to a relatively short term window, since AI arguably is advancing so rapidly that any attempt to say anything meaningful about, you know, for example, the next 10 years would be little more than a flight of fancy. No one has any remote clue what the AI of 2037 is going to look like, or 2035 for that matter. Okay, so they open this report by explaining who they are and what they used as the source of their various assessments. And they capitalize the A of assessment. So they said NCSC Assessment, which they abbreviate NCSC A, is the authoritative voice on the cyber threat to the UK. We combine source information from classified intelligence, industry knowledge, academic material, and open source to provide independent key judgments that inform policy decision making and improve UK cybersecurity. We work closely with government, industry and international partners for expert input into our assessments. NCSC A is part of the Professional Heads of Intelligence Assessment. We have another acronym, that's the PHIA, the Professional Heads of Intelligence Assessment. The PHIA leads the development of the profession through analytical tradecraft, professional standards and building and sustaining a cross government community. This report uses formal, this is the part I love, formal probabilistic language. Then they say, see the yardstick, from NCSC A product to inform readers about the near term impact on the cyber threat from AI.
To find out more about NCSC A, please contact the NCSC directly. Okay, now the probabilistic language is what's so wonderful. Here we have a chart. I've got it in the show notes for anyone who is curious. The chart is labeled Likelihood of events or developments occurring. And so this is a spectrum, and on the far left we have 0% likelihood of events or developments occurring, all the way to the far right where we have 100% chance. But we need to apparently precisely define our probabilistic language. So they then ask themselves the question, how likely is a realistic possibility? What does that mean? And.
Leo Laporte
They wasted a lot of time on this. I can imagine the debates back and.
Steve Gibson
Forth and we got shades of blue and yeah, at first this whole effort appears to go right off the rails since as I said, they present their so called yardstick which firmly establishes the meaning of with specific percentage ranges of probability of the various terms their report will use if they ever actually get to reporting.
Leo Laporte
It's like debating the shape of the table at the conference.
Steve Gibson
That's right. And wait, wait a minute. Who gets to sit where? Okay, while I'm certainly no lover of bureaucracy and my first instinct was to balk at this entire thing as make work, I can see the need to define what almost certain means.
Leo Laporte
I'm going to save some time just by putting a percentage in the actual.
Steve Gibson
They really could have prediction. What fun would that be, Leo? You know, so how almost certain are they? And what about highly likely? How likely would that really be? And what's a realistic possibility? Those questions are all, you know, nearly answered using the handy yardstick that they provide, which shows essentially, as I said, a spectrum of likelihoods ranging from remote to almost certain.
Leo Laporte
Except it's probably a meter stick, not a yardstick. But other than that, that's a good point.
Steve Gibson
Although they actually did use the term yardstick. So maybe they westernized it, or they sneakily Anglicized it or something. Anyway, so they go for, they go. They have remote, highly unlikely, unlikely, realistic possibility, likely or probable, highly likely and almost certain. Now, that's the range, right?
Leo Laporte
Somebody's saying in the discord, they're missing the snowball's chance in hell. Where does that fit in?
Steve Gibson
So now that we have those, we'll all know what they're talking about when they make the following judgments based upon all of that data that they've gathered from all of their many primary sources. So here they are. We've got six judgments. Artificial intelligence, AI will almost certainly continue to make elements of cyber intrusion operations more effective and efficient. Yes. Leading to an increase in frequency and intensity of cyber threats, by the way.
Leo Laporte
Since four out of six of their conclusions are almost certainly. Yeah, they wasted a lot of time on those other colors.
Steve Gibson
Yeah, but, Leo, you have to know where you're coming from.
Leo Laporte
Oh, my God.
Steve Gibson
You have to know your roots or you wouldn't know how almost certain they were. There will almost certainly be a digital divide between systems keeping pace with AI enabled threats and a large proportion that are more vulnerable, making cybersecurity as scale increasingly important to 2027. And beyond that. I'm sorry, cybersecurity at scale, meaning. Let's get serious, folks.
Leo Laporte
This contains no information, this sentence. This is the. Yes, there will be some systems that are vulnerable, and there will be some that aren't, so we better pay attention.
Steve Gibson
That's right. Right. But now, number three, assume they get paid for this. Yes. By the word, apparently. Assuming a lag or no change to cybersecurity mitigations, there is a realistic possibility. Thanks to our chart. I got to check the chart.
Leo Laporte
Where is that?
Steve Gibson
Where does that fall?
Leo Laporte
It's kind of in the middle. Okay, that's 40 to 50%.
Steve Gibson
Now, Leo, should I. Should I note that the chart has weird gaps? That is. Yeah.
Leo Laporte
What is. Like this.
Steve Gibson
Notice there's nothing between 35% and 40.
Leo Laporte
Yeah, nothing is 37% likely.
Steve Gibson
Yeah. So in between it being unlikely and a realistic possibility, what happens if something falls in there? I guess that's called falling through the crack. It's literally a crack in the chart.
Leo Laporte
That's called putting too many numbers after the decimal point is what that is. This is. You cannot measure this that accurately, but.
Steve Gibson
Okay, fine, go ahead. Precision versus resolution. The two are not the same.
Leo Laporte
No.
Steve Gibson
Assuming a lag they wrote or no change to cybersecurity mitigations, there is a realistic possibility of critical systems becoming more vulnerable to advanced threat actors by just two years from now. 2027, keeping pace with Frontier AI. Oh, and by the way, Leo, I left off the glossary at the end, where they clearly define what do we mean when we say frontier AI, where exactly on the frontier would that fall anyway? Keeping pace with frontier AI capabilities will almost certainly be critical to cyber resilience for the decade to come, even though they're only looking two years ahead.
Leo Laporte
Yeah. There's a realistic possibility.
Steve Gibson
That's right. Oh, no, that's been defined, Leo, as a realistic possibility.
Leo Laporte
I'm sorry, I have to check the averages again.
Steve Gibson
Semi. What is that? That's sort of a blue.
Leo Laporte
Oh, that's still in the middle. That's only 40 to 50.
Steve Gibson
More of a green. Green. Yeah.
Leo Laporte
I'd say it's a higher than realistic possibility.
Steve Gibson
I would.
Leo Laporte
I would say it's almost certain.
Steve Gibson
I would agree. That is a debatable point. They should go back to their primary sources.
Leo Laporte
Yeah.
Steve Gibson
And see if they don't think that.
Leo Laporte
Will critical systems become more vulnerable to advanced threat to actors in two years. Yeah.
Steve Gibson
Huh.
Leo Laporte
Okay.
Steve Gibson
So there it is. In other words, in the estimation of the United Kingdom's National Cybersecurity center that apparently has like, maybe some excess time on their hands.
Leo Laporte
Time on their hands.
Steve Gibson
It appears to be highly likely that the bad guys are going to be quicker to exploit the many possible nefarious benefits offered by AI than the good guys are going to be able to use that same AI, probably hampered by all of the restrictions we're going to put on it to make sure it doesn't escape, to quickly make today's systems more secure. Now, if that wasn't gloomy enough, they added, quote, this report builds on NCSC assessment of near term impact of AI on cyber threat, published in January 2024. It highlights the assessment of the most significant impacts on cyber threat from AI developments between now and 2027. It focuses on the use of AI in cyber intrusion. It does not cover wider threat enabled by AI such as influence operations. AI and its application to cyber operations is changing fast. Technical surprise is likely. And of course, technical surprise from one's adversaries is never what we want. So overall it appears almost certain that it would be a good idea to buckle up, folks.
Leo Laporte
Oh, yes.
Steve Gibson
Interesting times ahead for the industry. And we'll be right here taking a look at everything every week on this podcast as it happens.
Leo Laporte
Yes, almost certainly, but not definitely almost.
Steve Gibson
It's a high reliability.
Leo Laporte
Yes.
Steve Gibson
Because after all, we have never missed a week. So it's a realistic possibility. I think what we should do, Leo, before we start in our listener feedback.
Leo Laporte
Yes.
Steve Gibson
Is remind our listeners.
Leo Laporte
I think there's a high likelihood that there's an. Is that what you're saying? There's a reasonable certainty? Oh, you know, sometimes government's just good for one thing. A comedy relief. Our show today, brought to you by Hoxhunt. Oh, actually this is great. If you are at all concerned perhaps that you will be attacked in the near future by a spear phishing attack, you need to know about Hoxhunt. If you're a security leader, you get paid to protect your company against cyber attacks, right? But it's getting harder, and I don't need any UK chart to tell me that. More cyber attacks than ever. Phishing emails generated with AI. No longer can you just say, well, the grammar is bad on that one. It must be a fake. I mean, these things are indistinguishable, almost indistinguishable from the real thing. So you gotta train your employees. But legacy, one size fits all awareness programs, they really don't stand a chance against today's new attacks. They send at most 4 very generic trainings a year. Most employees ignore them. In fact, I'll go a step further. Find them annoying, not helpful, and then when somebody actually clicks, right, they're forced into embarrassing, tedious training programs that feel more like punishment than information. Well, there is a better way. More and more organizations are trying Hoxhunt. This is a brilliant solution out of Finland. This is a great company. Hoxhunt goes beyond security awareness. They gamify it. Basically, they change your employees' behaviors by rewarding good clicks and coaching away the bad. So you get an email. Your employees look at the email. Whenever they suspect an email might be a scam, they just look at it. Hoxhunt will tell them instantly, saying, yeah, you're right. Providing a dopamine rush that gets your people to click, learn and protect your company. It's a proven fact. Gamifying stuff makes it better, makes it a better learning environment, right? It's more fun and you learn better.
Now, as an admin for you, Hoxhunt makes it easy to automatically deliver phishing simulations across any platform you use: email, Slack, Teams, whatever you're using. And by the way, you're also using AI to mimic the latest real world attacks. So don't worry, you don't have to do a lot of, you know, creative thinking. You just, you know, your phishing attacks will look real because they're using the same tools. This is great too. Simulations are personalized to each employee based on department, location and more. They're not generic, they are targeted. You know, and instant micro trainings solidify understanding. Micro training means you don't spend hours sitting and watching a Flash slideshow. No, they're quick, they're enjoyable, and they solidify understanding and they drive, they truly do drive lasting, safe behaviors. You can trigger gamified security awareness training that awards employees with stars and badges, boosting completion rates, ensuring compliance. You get a huge library of customizable training packages and you get tools that make it easy to generate your own with AI. Hoxhunt has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. But you don't have to take my word for it. There are over 3,000 user reviews on G2. They make Hoxhunt, H O X Hunt, by the way, Hoxhunt, the top rated security training platform for enterprise. They got easiest to use, they got best results. It's also recognized as a customer's choice by Gartner. Thousands of companies use it, including names you know, like Qualcomm, AES and Nokia. Hoxhunt is being used to train millions of employees all over the globe. And I talked to the Hoxhunt folks and I'll tell you one other thing that I thought was great. Your employees will actually ask for more fake phishing emails. They like it. It's so much fun. It's so gratifying. The rewards are so great.
They'll say, I want more. Keep them coming. It's fun. And you know what? When something is fun, it works. Visit hoxhunt.com/securitynow today to learn why modern secure companies are making the switch to Hoxhunt. That's hoxhunt.com/securitynow. H O X H-U-N-T dot com slash securitynow. You know, when you make it fun to learn, people really learn, and you make it unpleasant and hard to learn, it ain't going to work. You need Hoxhunt. hoxhunt.com/securitynow. If you want, Steve, I can have them send you some phishing emails for just. It lights up. It's so cool. It's really, really cool. Anyway, you would probably catch them all.
Steve Gibson
I'm sure you would. Okay, Jim Reed said, Dear Steve, in SN 1024, you quoted an email from Alex regarding speed test providers online, and he quotes me: There are dozens and dozens of them, even white label versions of the most infamous, the Ookla speed test. It's that I've never really trusted the results because most of these are all about ads and the like. Jim says, as a former ISP executive, I spent a good deal of my time in speed test discussion. So he's an ISP executive on the other side of all this, he said. Until 2023, the Ookla service was operated on behalf of the Measuring Broadband America program of the FCC. Using these servers would help provide some accountability back to the ISP, he says. My ISP maintained a relationship to see aggregated data to help understand how we were doing. So that's kind of cool. They were looking at what their own users were seeing out at the subscriber end in order to get that feedback, he said. Here's a big secret you should know: more times than not, it's not the ISP that has the network problem causing slowdowns. It's people with a TV on the patio on the edge of their Wi-Fi coverage going, why can't we see the game? It's someone speed testing a gigabit connection with 100BASE-T Ethernet on their machine. It's an 8 year old iPad that has old generations of Wi-Fi. I could go on, but you understand the issue. I'm not exempting the ISP from the discussion because things happen on networks. It only takes a few people to decide they need to download all 700 plus episodes of the Simpsons now to cause in network impacts. The ISP needs to manage for those potentials and sometimes they just can't see things coming. Everyone starting to work from home during COVID is an example. If I had to give advice on speed testing, here's what I would suggest. If you're concerned you're getting what you're paying for, test from a wired connection on your best device. If that doesn't meet expectations, talk to your ISP support team, he said.
Steve, I've been out of the ISP game for five years now, but I always feel like going back to the basics is a good way to start troubleshooting. Since my retirement, I get the latest episode of Security Now every Wednesday morning and start listening on my walk. Thanks for continuing my computing education far past retirement. Best, Jim Reed. And then he says, PS, 73 to W6TWT from N4BFR.
Leo Laporte
That's me, W6TWT.
Steve Gibson
I knew the twitch. That's great.
Leo Laporte
Yeah.
Steve Gibson
So anyway, yeah, Jim's experience and his observations, you know, matches my own. I've always found that any interruption in my cable modems connection is due to something on my end rather than something at Cox's end. I'm sure they occasionally need to rearrange things at their end, and when nothing seems to have changed on my end, it would seem obvious that the other guy must be to blame. But almost invariably when I mess with connections, even those that have been, you know, problem free for years, or I reboot something that appears to be running just fine, the problem will be resolved. And it's always a big relief for me since I have far more control over my end than I have over Cox's end. So, you know, I'm happy if it's my end because I can fix my end. Simon Griffiths wrote hi Steve. First, thanks for the podcast. I've been listening since the first episode and it's really helped me in my career and my understanding of it in general. I control a bunch of different Web servers on AWS, AliCloud and others, so I was interested in your discussion of changing the SSH port, which I have done on one server. On AWS and Alicloud you can configure the ports you can use to connect to the server or disable them entirely. What are your thoughts on disabling them completely, then logging in to AWS to re enable them before ussh in or use AWS built in console, he says. I don't actively monitor SSH connection attempts, mostly because I know it would be a bit scary. But your comment on reducing traffic to the site really would be an advantage for almost all web servers. Cheers Simon. And I think Simon's approach makes a lot of sense. You know what we're hoping to eliminate by moving a port out of the main traffic pattern is its overall exposure. So if the option exists to only enable remote access during those times it's needed. By all means, take that option. A closed port is, you know, is even better than an open port that's been relocated to some backwater location. 
John Borgan wrote: Hey Steve, I just got done hearing you talk about Cloudflare's speed test and, wow, it sure is good. I want to share my favorite utility though, because it's unique in a few ways. It's testmy.net, so t-e-s-t-m-y dot net, he said. What it does that I haven't seen anyone else do is actually upload and download chunks of random data, giving you a much more accurate view of your bandwidth instead of just a theoretical throughput. You can also schedule a speed test to happen every 15 minutes or hourly if you leave the tab open, so you can get a better understanding of your bandwidth throughout the day. And it runs natively in any browser, including phones and pads. Anyway, I just wanted to share it because it's my favorite. Thanks for all you and Leo do. Okay, so I just went over to testmy.net and I saw that you had, Leo, also. And yes, it looks nice. You know, it's certainly a consumer friendly site with some pretty graphics, and the domain testmy.net is convenient and easy to remember. The only thing I'll mention is that what all of these bandwidth testing sites are doing is uploading and downloading chunks of data. They don't have any choice, that's the way they work. I can't say for certain whether that data is random, and in truth whether the bits are all zeros or all ones or alternating ones and zeros or random makes absolutely no difference to the outcome. Just for the sake of argument and illustration, if some form of on-the-fly compression and decompression existed in generic Internet connections, then the content of the data that was being sent and received would matter, since as we know anything encrypted is by definition absolutely uncompressible. But typical data, you know, is not being compressed end to end. We don't have compression on by default on Internet links. So anyway, I'm happy to put testmy.net on everyone's radar. 
It looks like another useful speed test. Steve Main said: Hi Steve, I wanted to share with you just how wrong ChatGPT can be using the paid version of ChatGPT-4o. It is such a great tool and it's still useful, but you have to be very careful as it can be so confident in its answer even if asked, are you sure? It took me proving it with a screenshot before it would admit it was 100% wrong, and never once double checked its own work while it told me to double check my work. I wanted to share this as I really think that this is an important point to drive home to people, to be very careful using LLMs, he said. This is why I do not think they will be replacing anything anytime soon, and they're just next generation search engines. I use it for coding PHP and JavaScript and it is amazing how much it fails so many times. It's great for generating code fast, but it's so buggy and it just hallucinates functions that don't exist. Again, still faster, but I've now had about 50 screw ups with it over two months on a coding project. So anyway, I know that Steve Main's experiences, findings and, you know, what he's related echoes many others and mine as well. I thought it was notable that he referred to using AI as a next generation Internet search engine since, as I mentioned several months ago, that's how I've sort of found myself using it. And I know I just heard you, Leo, and Alex talking about that on MacBreak Weekly, that, you know, it arguably has impacted some of Google's direct use because you can, you know, get good search answers out of ChatGPT, which is now able to also look at the web where I guess initially it wasn't. So anyway, just another bit of feedback on, yes, it's not like we yet have the perfect oracle that's going to give us perfect code every time. 
I still hold that if anyone actually has an interest in creating a perfect coding AI, and I think there's big bucks in doing that, it really ought to be possible, and it's probably not going to be a generalist that you can also ask how to tie your shoes. Lou Wolfgang wrote: Hi Steve, in regard to your recent explanation of SSD data retention issues, the thought occurred that it would be nice if just reading from all cells would refresh their charges. I'm reminded of reading from core memory where the cores have to be flipped to read their polarity, if I remember correctly. And he says, yes, I've used core RAM. And while Lou, I don't know if you know, you probably do know that I've used it too. I recall that we talked.
Leo Laporte
You've seen it. You've actually used it. That's amazing.
Steve Gibson
I've seen it, I've used it, I've held it in my hands and in fact I forgot this was going to happen. I could hold up a. I have it. I own Core.
Leo Laporte
Oh yeah, I have some too. I have some framed core memory.
Steve Gibson
Yep.
Leo Laporte
Yeah but I never. And I remember having used it. When did you use it? Didn't they have solid state by the time you were.
Steve Gibson
No, no, no, no, no. Though those PDP-8/Es were. And Leo, they had 4K of core. I mean 4K words, 4,096 12-bit words, because those are 12-bit minicomputers. And that was where I learned my first assembly language, programming the PDP-8/E when I was, I think I was a sophomore in high school. And then afterwards, after Berkeley, I worked for a company called Mini Computer Technology. We had Nova and Data General machines, and those were all core. So I mean core was around through the 70s and early 80s because while there were semiconductor memories, they were still 4,096 bits and they were like a thousand dollars for 4,000, you know. So you needed a bunch of those to create words or bytes. And it was just so expensive back then. And the density was still so low.
Leo Laporte
You'd think more expensive. Somebody had to wire all that stuff. But yeah, okay.
Steve Gibson
Yeah.
Leo Laporte
Wow.
Steve Gibson
So Lou is correct. Core memory used a technology known as destructive read, because the process of reading a memory location inherently destroyed what was originally stored there. The way it worked was that the reason it was called core memory is that these little, as they called them, cores were circular ferromagnetic rings that had wires threaded through them. And being a closed ring, the ring could be magnetized in either a clockwise or counterclockwise direction. And a sense wire, as it was called, would run through the center of the ring. It was able to sense when a beautiful picture, when a ring switched its direction of magnetization, since this switching event would induce a pulse in this so called sense wire running through the ring. And that pulse would be picked up by a sense amp. So the process of reading out a location of data from core memory required all of the rings representing the bits of that memory location be written in the zero direction, that is be pulsed. So they all switched to the zero direction. Now, when that happened, only those rings that were originally set in the one direction would be reversed to the zero direction, and that reversal event would produce a pulse on their respective bit sense lines. This allowed the computer to determine what had been stored in that location. Now, and Leo, so what you're seeing is that red wire, that red wire which loops back and forth over and over. Yeah, yeah, that is the sense line for that little chunk of memory. And you can see that it's actually a continuous loop. Two wires come out from the left and then that wire zips back and forth, passing through each ring exactly once, and then goes back out to the left.
Leo Laporte
By the way, they never were able to manufacture these with machines.
Steve Gibson
People actually threaded them, hand, hand threaded them, those cores. And boy, they got very, very tiny over time. Yeah, because, you know, again, density always wants to go up.
Leo Laporte
This is a 128 byte core memory. This is from Wikipedia.
Steve Gibson
Very, very cool.
Leo Laporte
Yeah, yeah.
Steve Gibson
So anyway, in order to determine what was in there, you wrote all the cores of one location to zero. So any of the cores that had been set to a one direction were forced to reverse direction, and it was that direction reversal that induced a pulse in the sense line that then was able to be picked up. So now you know what was stored in the memory, but unfortunately you've just erased it, you've just set it to all zeros in the process. So if the instruction you were executing was, for example, a load, loading what's in memory into a register, then you would need to immediately rewrite what was read from it back into it. And so it would be a read-write cycle. But what was really cool is, what if we wished to increment a binary value stored in a memory location like that, to add one to it? So the clever computer designers of the era realized that this could be accomplished at the same time as that necessary rewrite of the original data for that location. It was known as a read-modify-write cycle, where after reading a value from core memory, the value that had just been read would be passed through an adder to add, or maybe subtract, a 1 from it if you wanted to decrement the value in memory. And that modified value would be what was rewritten into the core memory, replacing the location's original value. So a core memory's cycle time, which was the time it took to read and rewrite, or read, modify and write, it turned out that was the slow part of computers of that era. The electronic part they could do really fast, compared to the actual physics of ramping up the current, giving the core time to switch its field, and then ramping the current back down, capturing those pulses, seeing whether they exceeded a minimum peak value, deciding that it was a one. All of that took time. So it was the memory cycle time that determined the rate at which instructions could be executed. 
So anyway, Lou's point was a good one. If reading from SSDs could refresh the charges stored in their cells, then a simple read pass could be used to keep the bits firmly written. Unfortunately, as we know, that's not the way today's NAND style flash memories operate. And frankly, given that memory is in general read much more frequently than it's written, if we had to choose which process, reading or writing, would cause cell fatigue, it's way better the way it is, where the least frequently performed operation, which is to say writing, is the one that takes a lot more time and then also produces the wear on the cells.
Leo Laporte
I wonder what the proportion of reading to writing is. On average, it's probably 10 to 1 at least.
Steve Gibson
Oh, I would guess it's more like 100 to 1. Yeah, I think it's, it's very high.
Leo Laporte
You don't change data that often.
Steve Gibson
No, no. And that's why we see it slowing down. Is that it just it. It's the. The cells are never or almost never being rewritten unless there's some reason to do that, right? Chris said, Hey, I was just listening to this episode and the listener story about Verizon. Oh no, it was about Horizon. Horizon, yes, about Horizon was interesting. He said, about six months ago I wanted to try their wireless gateway. I went to a local store and they would not sell me anything until I unfroze my credit and let them run a credit check.
Leo Laporte
That's normal.
Steve Gibson
Yeah, exactly. He said. I'm not sure if that listener had done that or somehow the bad guy weaseled around it, but I tell anyone who will listen that they're crazy not to freeze their credit given the protections it gives you in the real world too. Enjoy the show, Chris. So I figured I'd just share Chris's experience for the sake of another viewpoint. You know, given that the criminal purchaser presumably walked out of the store with a brand new multi thousand dollar smartphone and that their credit worthiness would seem to be a huge factor in that. It is indeed puzzling how this happened to the person who wrote to me before. Perhaps it was just vendor error at the Horizon store.
Leo Laporte
Yeah, or remember, customer service reps try to be friendly and nice, if you can persuade them to bypass their normal protections. You know, and a lot of hackers.
Steve Gibson
And they probably get, I'm sure they get credit for selling an expensive phone.
Leo Laporte
That's true too.
Steve Gibson
I wonder if they get dinged when it doesn't get paid for. Lee McKinnell said: I decided to pull the plug on my Microsoft password as I already had passkeys set up. He said, Microsoft makes you jump through some bizarre hoops. First, install the Microsoft Authenticator TOTP, you know, time based authenticator app on my device. He said it lets you use other password apps for TOTP code verification. So I set it up in Bitwarden. But you need their app to turn off passwords. He said, we'll get to that soon. Second, verify you have the TOTP app installed by providing a generated code as verification. Third, turn on passwordless login for Microsoft.com. And then fourth, you are then prompted to open Microsoft's Authenticator app to verify you want to disable passwords on your account. Then he said, yay, I am now passwordless. He says, now logging in passwordless. First, enter your email address. Second, you're prompted to verify login with the Microsoft Authenticator app, asked to select the matching two digit code in the app. That was interesting. I don't know what that meant. I'm just reading what he shared. He says at this point I selected "other ways to sign in" because I have passkeys. And he says, shouldn't this be the default? Then three, the first option is now use your face, fingerprint, PIN or security key. And then fourth, the passkey process is then started so I can log in. And then he finished: At this point I'm unable to remove the TOTP login option from my account or set passkeys as my default login option. So it sounds a little screwy to me. I haven't tried doing any of this myself yet, so I'm now as confused as Lee sounds. I don't dare mess up my original Microsoft account since it's tied to my access to developer tools and downloads. So what I may do is just create a new account, a separate account for testing, but I have not done so yet. 
I imagine I'll hear from other listeners who'll help us figure out what's going on. Assuming that Lee is correct, it's annoying that Microsoft appears to force the use of their own Authenticator app, though I'm not that surprised, since, as we know, all time-based one-time password apps should be equal, and in fact allowing the user to use the one they prefer makes the most sense. You know, it makes much more sense than forcing them to use a specific app. That's certainly not in keeping with the way we would expect it to work.
Leo Laporte
I think it's, what it's doing is different from the. I don't want to show this. It's an eight digit number. I took off. I just, I did disable my password in Microsoft. I did not find it difficult. But I also use, I don't use it, the Microsoft Authenticator for anything but Microsoft, but I've been using that for a long time to log into my Microsoft account. You know, it says on your computer a two digit number and then you have to confirm the two digit number in the authenticator. You've done that, right?
Steve Gibson
I've not used Microsoft's authenticator.
Leo Laporte
Well, I'm not surprised that it, I mean I had, since I use it, it was a very simple thing to disable a password. I had some, you know, I was a little nervous about it, but you told me it's better not to have anything.
Steve Gibson
It is better not to. So you were able to delete your password?
Leo Laporte
Yeah. In fact, it says right now I don't want. Again, I don't want to show you, but it says this account does not have a password.
Steve Gibson
Nice.
Leo Laporte
You can use this device to sign in instead.
Steve Gibson
Nice. Okay, so this is not just a TOTP then it is a.
Leo Laporte
It's a passkey kind of password.
Steve Gibson
It is a passkey. Authentic authenticator.
Leo Laporte
Single sign on.
Steve Gibson
Okay.
Leo Laporte
Yeah, so it's not. It's not a six digit TOTP. It's.
Steve Gibson
It's that actually. That resolves our confusion.
Leo Laporte
Yeah, yeah, yeah. But it works great. I'm very happy with it.
Steve Gibson
Nice.
Leo Laporte
Yeah, yeah.
Steve Gibson
Bienvenido del Rosario said. Hey. He said. Dear Steve, I'm a longtime listener and Club Twit member from the Dominican Republic.
Leo Laporte
Yay.
Steve Gibson
Yes, I wanted to share my experience with an open SSH port on my home server after hearing your recount of the many authentication attempts Galen was receiving on the Security Now podcast, episode 1023. I was using public/private keys. Good. Best way, for my own login. Get this, Leo. But I had between 70,000 and 80,000 daily failed authentication attempts. After install.
Leo Laporte
Somebody hammering you.
Steve Gibson
Wow. Yeah. After installing and configuring fail2ban, the attempts went down to around 20,000 per day. Even though it was a big reduction in failed attempts, I still was feeling very concerned. I started reading posts about how to mitigate even more of the failed attempts and landed on a very simple solution: change the SSH port from the default of 22 to any other number in the user port range from 1024 to 49,151, and voila, all failed attempts ceased right away. Since then I resorted to just closing the open custom port and I use Tailscale to access my home lab, and I've been very happy ever since. I hope you find this information helpful. Best regards, Bienvenido del Rosario. So this is corrected.
Leo Laporte
I'm going to change the port.
Steve Gibson
Yep, makes sense to get it out of the main trajectory. All the incoming missiles are aimed at port 22. Scott Schaeble said: Hi. The recent discussions about the use of non-standard ports for services that don't need discovery validates my use of the practice for years. So thanks. The latest Security Now discussion got me wondering, what about a non-standard port on an IPv6 address? I can't imagine how it would be easy to scan and find it. Again, not for security, but for why not, he said. I still have IPv6 turned off on my network, but I'm wondering if I should start working to turn it on. Thanks, Scott. So it's true that moving to IPv6 would dramatically increase the address space the bad guys would need to scan. Although only a fraction of the total 128-bit IPv6 space has been allocated to the world's ISPs, it's still true that the world's ISPs now have vast IP space for their customers. And like Scott, I had also been routinely disabling IPv6 on my networks since, being old school, I saw no need for it. But my work on the IPv6 capable DNS Benchmark code required that I have IPv6 IPs and the IPv6 protocol up and running, and it's been working without any trouble both here on my Win 7 box and on my Win 10 box in my other location. That said, among those who have been testing the early pre-release benchmark code, there are many whose ISPs are not offering IPv6 and appear to have no plans to do so. So I've needed to have the benchmark accommodate its users who do not have access to IPv6. They'll still have IPv4, DNS over TLS and DNS over HTTPS, just not IPv6. And after the benchmark verifies that they need to skip IPv6, it won't bother them about it. But until they do, it says, hey, you don't have IPv6 working. Do you know that? Do you want to? Should you? Anyway. So yes, you could certainly play with IPv6. It works. And I've got a great note from a contributor and friend online named Greg Bell. 
Leo, let's take a break and then I'm going to share what someone who calls themself Ferrix in our groups has to share.
Leo Laporte
I think I'm familiar with Ferrix. This episode of Security Now is brought to you by Thinkst Canary. I want to show you something. I don't know if you're familiar with this. This little device looks like that is an external USB drive. Except you might notice there's an ethernet connection on there. That, my friends, is my Thinkst Canary honeypot. It might, if you were snooping around my network, look like a Synology NAS to you, or a Windows Server or a Linux box. Might even look like a SCADA device. Because this little box is a honeypot. A Thinkst Canary. A honeypot that is easy to deploy, easy to configure. And if someone, a bad guy who's penetrated my network, tries to access that little device there or the lure files I've created with that device, little phony Excel spreadsheets that say employee identities. Or you can put them on Google Drive too. I have one on Google Drive. I know it works because a couple of months ago I was testing and I made a fake PDF that said something like employee information and put it on my Google Drive. And Russell, our IT guy, said somebody just accessed that file. I said, yeah, me. It's the real thing. It works. It's so cool. If somebody tries to access your fake Synology NAS or your SSH server or your SCADA device or those lure files, you will get an alert immediately from your Thinkst Canary, and you'll get it any way you want. Email, texts, SMS, Slack, syslog. Of course there's an API. You could write your own code, it supports webhooks and on and on and on. Basically any way you want to get alerted. Or all of them. Thing is, you're not going to get alerts. There's no false alerts unless there's somebody in your network attacking your Thinkst Canary or those lure files. Choose a profile for your Thinkst Canary device. You register with a hosted console, you get monitoring, you get notifications and then, you know, you just sit back. 
Attackers who breach your network or malicious insiders and other adversaries, they can't help but make themselves known because they look at that Thinkst Canary and they don't think it's a honeypot. They think it's something juicy and delicious and they can't wait to get their hands on it. And then you will know they're in your network. Visit canary.tools/twit. I'll give you an example. You know, how many you have really depends on the size of your network, you know, how many different nodes you have and things like that. But let's say you're a small business. You want five Thinkst Canaries, $7,500 a year. You get your own hosted console, you get upgrades, you get support, you get maintenance. Oh, and if you use the code twit in the "how did you hear about us?" box, you'll get 10% off the price for life. Not just for the first year, for as long as you have your Thinkst Canaries. Now if that weren't enough, I'm going to give you one more thing that's very important. This is a no risk offer because you can always return your Thinkst Canaries with their two month money back guarantee. And you get a 100% full refund. I should mention that in all the years we've been doing these ads, I think eight of them now, that refund has never been claimed. Once you get a Thinkst Canary or two in your network, you'll say, how did I live without it? Visit canary.tools/twit. Enter the code twit in the "how did you hear about us?" box. C-A-N-A-R-Y dot tools slash twit. The Thinkst Canary. This is genius and it really works. And it's so cute. The Thinkst Canary. Give it a try today. We thank them so much for supporting Steve. They really understand how important the work is here that Steve's doing, so we appreciate that support. All right, back to Security Now.
Steve Gibson
So Greg said: Hi Steve, Greg (Ferrix) here under a different email due to the mailing list. Regarding the Windows 11 vertical taskbar, I thought you might enjoy knowing there's a bit of a story on this one matching your intuition. There are some tools that give you back the Windows 10 taskbar or something like it on Windows 11. Some work by turning back on code that MS has disabled and may at any time delete, or by being shell replacements. Stardock and StartAllBack are examples, he said. I wasn't satisfied with that because I'm accustomed to my taskbar behaving precisely how I want it to. Since Windows 7 through 10, I've run the famously useful 7+ Taskbar Tweaker utility. He said it improves all kinds of dumb behavior and limitations in the Windows taskbar management experience without replacing the taskbar or Explorer. Over a year ago, when I determined that MS would not support the only sensible vertical taskbar in Windows 11, I looked to Michael, the author of the above Taskbar Tweaker tool. He's been improving my taskbar experience ever since Windows 7. Could he re, oh, could he vertify the Windows 11 taskbar? I learned that Michael now makes a generalized system called Windhawk, W-I-N-D-H-A-W-K, to inject various user selected changes into the Windows UI experience. Instead of a monolith with a million checkbox features like the old tool, this is more of a framework that runs only the plugins, AKA mods, that each user wants. It doesn't replace Explorer or any other process, but instead just inserts clever little hooks here and there to make Windows do its bidding. Michael looked into the vertical taskbar issue and despaired. The Windows 11 taskbar is an almost complete rewrite. Turning on verticality in the new bar cannot simply be done since it was never implemented by MS 
in the first place. It would take at least weeks, if not a couple months, of development to build such a feature into the Windhawk system, if it was even possible at all, and more time than Michael could afford to spend on such a hobby project. So that's where he left it. But my company's small development staff, including mostly me, rely on a vertical taskbar and it would be a massive efficiency hit to lose it. So we contracted with Michael to build the feature for us, and although we paid for the initial development, we don't own it. We agreed that the feature should be freely available to everyone, just like Windhawk itself. He says in parens, not for nothing, having a bunch of other users running this also provides feedback to make it better over time, a concept I know you're well familiar with from your own product development strategy. In any case, I present Vertical Taskbar for Windows 11, and I've got a link in the show notes, and he said, and a somewhat dated Reddit thread about it. And I have a link there too. He said, I don't get anything. Yes, Leo, look at that. He said, I don't get anything for touting this tool. And I know the idea of running such an extension may not be universally appealing, but I thought at least you'd find it an interesting tale. I think you, Michael and I share a certain perspective. We don't write operating systems or build the SSDs. Windows didn't plan on Windhawk being there. Active Directory didn't understand YubiKeys on its own, which by the way, is what Greg added. Hard drives aren't built to expect SpinRite or ReadSpeed coming along, but with a little leverage in the right place, we can make other people's systems work better than their original design parameters. And there's, I'm sorry, go ahead. I didn't mean to interrupt. And there's no feeling quite like it.
Leo Laporte
This is an amazing tool.
Steve Gibson
It is, Leo.
Leo Laporte
Holy guacamole. And it's free.
Steve Gibson
Yes, it is an amazing piece of work. So I perked up when I saw email from Greg in the first place. I know him quite well from his many years of involvement and contributions to GRC's various online forums. And this Windhawk system which he brings to our attention is truly amazing. So go to windhawk.net, W-I-N-D-H-A-W-K dot net. Then at the top of the page, click Browse for mods, which is what Leo did. Or go to windhawk.net/mods. By default, the page is sorted from the most popular, most installed to least, with the most having nearly 143,000 users and the least having two. And oh my God, I have no idea how many mods there are overall, but the mod list page scrolls and scrolls and scrolls nearly without end. It's got to be hundreds and hundreds. And they are very specific mod tweaks.
Leo Laporte
It's not just taskbar, it's everything. And I mean, wow.
Steve Gibson
So for example, reading from the most popular: Windows 11 Start Menu Styler is a mod. Customize the Start menu with themes contributed by others or create your own. Then we have the Windows 11 Taskbar Styler. Customize the taskbar with themes contributed by others or create your own. The Taskbar Height and Icon Size: control the taskbar height and icon size, improve icon quality, for Windows 11 only. Or, by the way, all this is Windows 10 unless it said Windows 11. Oh, and probably Windows 7 too. Windows 11 Notification Center Styler: customize the Notification Center with themes contributed by others or create your own. Taskbar Volume Control: control the system volume by scrolling over the taskbar. Better File Sizes in Explorer Details: optional improvements, show folder sizes, use MB and GB for large files rather than always being stuck on KB. And also, if you want, use the IEC terms, K, lowercase i, uppercase B, instead of KB. We have Taskbar Clock Customization: customize the taskbar clock, define a custom date/time format, add a newsfeed, customize fonts and colors and more. Slick Window Arrangement: make window arrangement more slick and pleasant with a sliding animation and snapping. Taskbar Labels for Windows 11: customize text labels. Well, I could go on and on because there's literally hundreds of these little tiny mods.
Leo Laporte
How does it do this?
Steve Gibson
And Leo, did I fail to mention that all of the source code is provided? Oh, if you click on the details for any mod, the tabs are Details, Source Code, and Changelog. So as Greg said, these are all going to compile down to very tiny modules, because you can click on Source Code and look at the source code of these modules to see how the mods work.
Leo Laporte
See, that's interesting, huh?
Steve Gibson
The mods page can be sorted many ways, and it has an incredibly fast and responsive incremental search. Since I was curious about the vertical taskbar Greg's company commissioned, I entered V-E-R-T and was looking at Vertical Taskbar for Windows 11, which describes itself as, finally, the missing vertical taskbar option for Windows 11. And I put a picture of it in the show notes. I mean, it looks like exactly what you want. Yep, there it is.
Leo Laporte
So this, you used to be able to drag the taskbar around. They turned that off for Windows 11.
Steve Gibson
You never had that in Windows 11. It's always been in all previous Windows and Windows 11. They just unilaterally decided, nope, you're going to have it in the. We're going to. And what you can do now is at least you can have it float over to the left. So left alignment, they have condescended to. But no, but not verticality. There's none of that. So now we have it and you.
Leo Laporte
Still use Windows, huh.
Steve Gibson
Leo, that's where everybody is.
Leo Laporte
I know you have.
Steve Gibson
I write apps for the majority desktop and it's all Windows.
Leo Laporte
Yeah. Wow. It's really interesting that you can write code that will modify the operating system this dramatically. I find that fascinating.
Steve Gibson
Yeah. Modify the ui.
Leo Laporte
Yeah.
Steve Gibson
Yeah.
Leo Laporte
Well, good.
Steve Gibson
So, Greg, thank you very much. And I have no doubt that windhawk.net is going to get some traffic from people saying, oh, I want to see what I can do, and then doing it.
Leo Laporte
There's a lot of stuff.
Steve Gibson
And doing a really nice job of it. I love the idea of it being just a little framework and then you just, you know, little individual modules that do the things you want them to.
Leo Laporte
Hey, before we talk about secure conversation records retention and your invention, which I'm very excited to talk about, Steve has solved the problem and he will tell you his solution. So everybody listen.
Steve Gibson
I think I probably do have it, and I'm hoping that it gets. I mean, now I know from our listeners that a bunch of people want this too, and it's not a hard. It's not a hard solution. So I hope people get on it.
Leo Laporte
Awesome. Before we do that, I do want to give a little plug and a thank you to our Club TWiT members because they make such a difference to all of us here. Yes, we have ads. Ads support about 75% of the network. The other 25% comes from listeners. Truthfully, if it were up to me, I'd make it 100%, but we're not quite there yet. Maybe if you join Club TWiT, we can get a little bit closer to that goal. It's only seven bucks a month. You get ad free versions of all of the shows, because I'm not one of those people who wants to show you ads and charge you money. I think it's one or the other. I like having ads in the sense that it means TWiT will always be free. By the way, this is one of the things you get as a benefit when you join the club: you get access to the Club TWiT Discord, which is a lovely social network, a great hang, and there are people in there who do some wild things. Pretty Fly for a CIS Guy has made an AI generated picture of you. You went the wrong way, though. You made me look older, not younger. Looking at the. Oh, it is an old Playboy in a liquor store. That is AI, my friends. But this is the kind of thing that you get to participate in. The Club TWiT Discord is a wonderful place to talk about the shows while they're on. But even when they're not on, there's stuff to talk about. Tomorrow, Micah's Crafting Corner at 6 o'clock. It's a cozy time when you can craft along with Micah, whatever your craft might be. We've got Stacey's Book Club coming up next week. This show is going to be a little later, Steve, maybe an hour later than normal, because we will be covering Google I/O at 10am on Tuesday, May 20, and they say it's a two hour keynote. So MacBreak Weekly will start at noon. I'm going to make a short MacBreak Weekly so we can get you in here by 2 o'clock. I think we can do that.
Steve Gibson
Cool.
Leo Laporte
Yeah. But just a word of warning. The other, more important warning is because we have received takedown notices. You know, what we like to do is do the keynotes and, at the same time as we're doing the keynotes, comment on it. But we've been getting takedowns from Apple, particularly on YouTube and Twitch, and we just can't afford to be taken off YouTube. So we have decided that, unfortunately, we won't do these keynote streams in public. We'll do them in the club only. That way we don't have to worry about Apple, but you do have to be a member if you want to watch our coverage. It's going to start Monday of next week with Microsoft's Build conference, then the I/O keynote Tuesday. On Friday, by the way, Dick DiBartolo and I are going to do a memory lane episode which should be a lot of fun. And then WWDC is coming up on the 20. No, I'm sorry, the 9th of June. There's other things going on. The AI user group, which is now every first Friday of the month, where we show you how we use AI. Last time was Anthony Nielsen. Amazing. Amazing AI genius. In other words, it's a club that you want to be in, talking about the stuff you care about. So you get ad free versions of the show. You get the Club TWiT Discord, a whole social network just for geeks like us. You get special shows and events that occur only in the club. You don't have to be there live, by the way; we do put them in the special feed. There's a TWiT Plus feed just for club members. I could go on. But the most important benefit really is that you are supporting us and you're keeping us going in the face of tough economic times. I know it's tough for you, so if you can't afford it, that's fine. We still offer the ad free versions of almost everything we do. But if you can, I'd love to get you in the club: twit.tv/clubtwit. We should also mention, once you join the club, sign up for the newsletter. It's not automatic: twit.tv/newsletter.
The newsletter is free and it will keep you up to date on club events so you don't have to be in the Discord to see what's going on. The newsletter is a great way to follow what's happening with TWiT. twit.tv/clubtwit to join the club, twit.tv/newsletter to subscribe to our Club TWiT newsletter, and thank you everybody. Thank you for being such great supporters of This Week in Tech. 20 years we've been doing this.
Steve Gibson
Ryan Reynolds here from Mint Mobile. I don't know if you knew this, but anyone can get the same premium wireless for $15 a month plan that I've been enjoying. It's not just for celebrities. So do like I did and have one of your assistant's assistants switch you to Mint Mobile today. I'm told it's super easy to do at mintmobile.com/switch. Upfront payment of $45 for 3 month plan (equivalent to $15 per month) required. Intro rate first 3 months only, then full price plan options available. Taxes and fees extra. Full terms at mintmobile.com.
Leo Laporte
All right, Steve, I am just dying to hear your solution to all of this.
Steve Gibson
Okay, so what is end to end encryption, and what does it mean in environments with requirements for the long term retention of records? As civil disputes have arisen in an information age, attorneys have sought to obtain records of prior events that may not have been retained. The result of this has been a growing requirement for records retention articulated by laws such as the Federal Records Act, the Freedom of Information Act, the US Presidential Records Act, and the Federal Rules of Civil Procedure. And we've encountered many instances where private companies are required by law to retain their own records in the event of litigation. The recent events surrounding Signal and Telemessage, and members of the US Government's use of end to end encryption with Telemessage's mission to archive conversations, raise many questions about the intersection of secure communications and the need for long term records retention. Okay, but I'm getting a little bit ahead of myself. I settled upon this topic, as I said at the top of the show, during this week's podcast, only after catching up with the news of an event that was the topic of last week's podcast. Because it was not my original intention to give this whole Telemessage Signal gate story much more air. I originally had this as a news item near the top of the podcast. But we've learned some more in the past week, and the news legitimately and ultimately led me to pose the question that became today's topic. So let's all catch up on what transpired over the past week. Under the summary line "Three US Departments Ban Telemessage," the Risky Business Security newsletter wrote: According to Bloomberg, three U.S. government departments have told employees to stop using the Telemessage service. The service allows companies to log and archive conversations taking place in secure messengers such as Signal, WhatsApp and others.
Two separate hackers breached Telemessage's back end last week after it was revealed that White House officials used the service. Now Wired had the headline "Customs and Border Protection Confirms Its Use of Hacked Signal Clone Telemessage" with the subhead "CBP says it has disabled its use of Telemessage following reports that the app, which has not cleared the US Government's risk assessment program, was hacked." Rather than share the entire article, which is padded with a bunch of stuff that we already know, I'll extract things we didn't already have on the record. 1. The United States Customs and Border Protection Agency, so this is Wired's reporting, confirmed on Wednesday that it uses at least one communication app made by the service Telemessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records retention rules. The CBP spokesperson Rhonda Lawson told Wired, quote, following the detection of a cyber incident, CBP immediately disabled Telemessage as a precautionary measure. The investigation into the scope of the breach is ongoing, unquote. Okay, so we have confirmation of the belief, which arose from the hack data that was anonymously shared with 404 Media, which we talked about last week, that the CBP was indeed using the Telemessage app. Also says Wired: In the days since the photo was published, Telemessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, Telemessage, an Israeli company that completed an acquisition last year by the US based company Smarsh, imposed a service pause on its products pending investigation. A Smarsh spokesperson told Wired in a statement, quote, Telemessage is investigating a potential security incident.
Upon detection, we acted quickly to contain it and engaged an external cyber... (how can you have a potential incident which you contained, either? Anyway) ...engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all Telemessage services have been temporarily suspended. All other Smarsh products and services remain fully operational, unquote. And quote, there is still no complete public accounting of U.S. government officials and agencies that have used the software, so we're flying a little bit blind on that side. Jumping to the bottom of other reporting by NBC News, we find, quote, but archives of sensitive information inherently make targets for hackers. On Sunday evening, a hacker credibly claimed to NBC News to have broken into a centralized Telemessage server and downloaded a large cache of files. As evidence, the hacker provided a screenshot of Telemessage's contact list of employees at the cryptocurrency broker Coinbase, which uses Telemessage. A Coinbase spokesperson confirmed to NBC News that the screen grab was authentic, but stressed that Coinbase had not been hacked and that none of its customers' data had been affected. The Coinbase spokesperson said, quote, at this time, there's no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts, unquote. The hacker told NBC News they've not fully sifted through the hacked files yet, and it is unclear if they include sensitive conversations from the US Government. Several government agencies, including the Department of Homeland Security, the Department of Health and Human Services, the Treasury Department, and the U.S. International Development Finance Corp. appear to have active contracts with Telemessage or other companies to use Telemessage's services, according to government records reviewed by NBC News.
Separately, a different hacker told the tech news publication 404 Media that they also hacked Telemessage and provided significant evidence. NBC News has not interacted with that hacker. Okay, so confirmation of more apparent departments inside the US Government using Telemessage, and lots of hacking of Telemessage. Multiple confirmations from different sources and directions. Last week security researcher Micah Lee blogged under the headline "Despite Misleading Marketing, Israeli Company Telemessage Used by Trump Officials Can Access Plain Text Chat Logs." Micah wrote: In this post I will give a high level overview of how the Telemessage fake Signal app (and I would use the word clone, but he's using some strong language here; I mean, it's not fake, no one believes it's Signal, it calls itself TM Signal, right, SGNL) works and why it's so insecure. Then I give a thorough analysis of the source code for TM Signal's Android app and what led me to conclude that Telemessage can access plain text chat logs. Finally, I back up my analysis with as yet unpublished details about the hack of Telemessage. Okay, so among other things, Micah created a clear and simple diagram that depicts the flow of information for anyone using Telemessage's modified Signal app. The modified app does what it claims to do, but since the archived messages are themselves stored and forwarded in the clear, that does also serve to verify that Telemessage themselves would indeed be privy to the content of the message flow of any of their customers. That's pretty much sure to be a permanent deal breaker for many of the more security sensitive users of this system.
Leo Laporte
Isn't Telemessage an Israeli company?
Steve Gibson
Yes.
Leo Laporte
Okay, just checking. Yep. So good. Our US government is basically passing all of their messages to the Israeli government.
Steve Gibson
That's correct.
Leo Laporte
Israeli company anyway, that's correct.
Steve Gibson
And they are users of Telemessage. But wait, Leo, it gets worse.
Leo Laporte
Oh good.
Steve Gibson
There's something I haven't read or seen anywhere. This would be totally obvious to anyone with any operational cybersecurity understanding at all. So let me repeat this. The Telemessage system is depositing the full plain text transcripts of all conversations conducted with the Signal protocol whenever using this app. My point is, the entire design of this system is so transparently insecure that any claim to security would be utterly laughable. Micah starts out saying, despite misleading marketing. Misleading marketing? It's sending everything you sent and received to Microsoft Outlook or any SMTP email account in the clear. That's what it does. It emails? Yes. In the clear? Yes. It uses email. So there's nothing about this that is secure.
Leo Laporte
Why bother using Signal if you're going to use this?
Steve Gibson
Yeah, there's nothing about this that's secure for the content of these messages. Nothing. One of our listeners, responding to my reporting of this last week, apparently feeling the need to defend the current administration, claimed that Telemessage's use had been approved by the Biden administration. At the time I knew nothing either way. Now I do. I presume this listener picked up this politically partisan fiction somewhere and wanted to believe it, but it was never true. And these sorts of statements expressed as fact tend to spread, and they're not helpful. The Biden administration may well have done stupid things, but this was not among them. Telemessage's federal use has never been approved for use by anyone within the federal government. Part of the reporting about this in the past week noted that while the Telemessage company is itself a federal contractor, the consumer apps it offers are not approved for use under the U.S. government's Federal Risk and Authorization Management Program, known as FedRAMP. That's the approval that would be required. And that's actually a relief, that it has never been approved, because Telemessage's apps, which send, as I said, conversation plain text to any email servers specified by their users, could never have possibly been considered safe or secure to use. This would have to be so blatantly obvious to anyone with even the slightest cybersecurity training that I would be quite worried if these apps could have ever been approved for use under the FedRAMP program. So the use of these communications applications by federal government officials was entirely illicit. So we can put that one to rest. Micah's blog posting digs deeply into the entrails of Telemessage's Android app, which is open source.
I scanned through Micah's detailed posting and his reverse engineering and did not find anything that merited further deep discussion, but I've included its link in the show notes for anyone who might be interested in looking for more. It's all there, and it's long and detailed. There's really nothing anyone with any training needs to know. Once it's understood that Telemessage is emailing its users' conversation logs to external email servers, from that point on it's simply game over. And it must have made those within the NSA and CIA and other security aware agencies, who know how much our adversaries would love to get their hands on these conversations, just, you know, just green. Well, guess what?
Leo Laporte
They already do.
Steve Gibson
Yeah. This brings us to the first part of the meat of today's topic. When we use the term secure conversation, and where Telemessage quite clearly failed, what really is end to end encryption? And by that I mean, what do we mean when we say that something is end to end encrypted? How is that some sort of special type of encryption or a special type of encrypted system? And the bigger point is, how is that term increasingly being used, misused, and in some cases abused? The difficulty. And we should say that Telemessage absolutely touted their technology as end to end encrypted. That's what they said in all of their marketing. And apparently no one looked any further. Nobody who was going to use it thought to ask somebody with any cybersecurity awareness, would this be safe for me to use? Because any of our listeners would go, oh my God, no. Okay, so the difficulty is that the term's common use appears to be diverging from its original technical meaning and has become a buzzword term, like everybody wants to have, oh, full end to end encryption. So it's being tossed around now by the marketing types because it feels good and fancy to say it. Okay, so let's first turn to the Internet's encyclopedia to see what those who have spent time working to craft a clear and concise definition of the term have come up with for end to end encryption. Wikipedia writes: End to end encryption (E2EE) is a method of implementing a secure communication system where only communicating users can participate. No one else, including the system provider, telecom providers, Internet providers, or malicious actors, can access the cryptographic keys needed to read or send messages. End to end encryption prevents data from being read or secretly modified except by the true sender and intended recipients. Frequently, the messages are relayed from the sender to the recipients by a service provider.
However, messages are encrypted by the sender and no third party, including the service provider, has the means to decrypt them. The recipients retrieve the encrypted messages and decrypt them independently. Since third parties cannot decrypt the data being communicated or stored, services that provide end to end encryption are better at protecting user data when they are affected by data breaches. Such services are also unable to share user data with government authorities, domestic or international. Okay, so I'd say that's a beautifully crafted definition of what is currently meant by the proper use of the term. And obviously Telemessage completely fails in that regard. So by way of comparison to non end to end encrypted systems, the Wikipedia article actually says: In many non end to end encrypted messaging systems, including email and many chat networks, messages pass through intermediaries and are stored by a third party service provider from which they are retrieved by the recipient. Even if the messages are encrypted, they're only encrypted in transit and are thus accessible by the service provider. Server side disk encryption is also distinct from end to end encryption because it does not prevent the service provider from viewing the information, as they have the encryption keys and can simply decrypt it. The lack of end to end encryption can allow service providers to easily provide search and other features, or to scan for illegal or unacceptable content. However, it also means that content can be read by anyone who has access to the data stored by the service provider, by design or via a backdoor. This can be a concern in many systems where privacy is important, such as in governmental and military communications, financial transactions, and when sensitive information such as health and biometric data are sent.
If this content were shared without end to end encryption, a malicious actor or adversarial government could obtain it through unauthorized access or subpoenas targeted at the service provider. Finally, end to end encryption alone does not guarantee privacy or security. For example, data may be held unencrypted on the user's own device or be accessible via their own app if their login is compromised. Okay, so one of this podcast's early terms and acronyms was TNO, which stood for Trust No One. We used it when talking about storing our data in the cloud well before anything was being called the cloud. The simple idea was that client side encryption and decryption would be employed on the user's PC, so that the only thing we were asking remote services to store was big blobs of data that were indistinguishable, to them, from completely pseudorandom data, which is exactly what good encryption produces: pseudorandom data. Later the term was used interchangeably with PIE, which is another term we use, which stood for Pre Internet Encryption. So what emerges here is a very clear understanding of what the proper use of the term would be. In practical terms, it means that the providers of the service, and any intermediaries that they may engage, never under any circumstances have any access to the unencrypted content of the messages or data or whatever it is they're conveying or storing on behalf of their users. For this assertion to hold, any of the user data that a provider of end to end encrypted services ever comes into contact with must be encrypted, and the provider must never at any time have access to the cryptographic keys that would be capable of decrypting that data. By that definition, and the set of requirements that flow from it, it's clear that the message archiving services Telemessage was offering could never, literally by definition, have ever been considered to be end to end encrypted.
That term could never be accurately applied. By comparison, we've previously explored at length the protocols that the likes of Apple and Signal have gone to in order to truly meet and live up to the definition of end to end encrypted communications and storage. This entire battle that Apple is presently engaged in with the UK over the provisioning of their Advanced Data Protection amounts to exactly this. The switch on the user's UI on the phone is labeled Enable Advanced Data Protection, but it could just as accurately be labeled Enable End to End Encryption. It might next be instructive to ask, is there any hope for Telemessage? Is there any way for a potentially useful service such as this to be saved? Or, phrased another way, could message archiving of a true end to end encryption system such as Signal, WhatsApp or Telegram remain end to end encrypted? And the answer to that is yes, there's definitely a way to do this securely. But Telemessage never bothered to. They opted for the user convenience of forwarding the user's plain text conversation logs to email, and in doing so they probably put themselves out of business forever. I doubt anyone would ever consider trusting Telemessage again. So when someone does produce a true end to end encrypted messaging system with end to end encrypted long term archiving, it won't be these guys. Okay, so how could what Telemessage wanted to do be accomplished securely? The most obvious solution is to simply modify a cloned Signal app for long term local archival storage, so it would offer local storage, search and retrieval on the client side device itself. After all, the plain text data is already there. It's been shown to its user right there on the screen. So the app simply needs to hold onto it. Right? Problem solved. The behavior everyone is objecting to is having these modified Telemessage Signal clients emailing their conversation logs to their users' insecure email.
So remove that feature from the app and replace it with long term archival storage of everything that app sends and receives. And to be a responsible archiving Signal clone, any such clone which has been configured for long term message archiving should periodically inject a notice to all other members of any archived conversation that its user, member X, is permanently archiving their conversation. That might be expected to alter the behavior of the people in the group, causing it to be a little bit less boisterous and flippant, but that would probably be a good thing too. And if nothing else, these periodically injected archiving reminders would cause its recipients to ask the archivist why they were keeping the conversation, if that had not been disclosed. But now we have a new problem. The problem is that high level government or other individuals who are using an archiving system, you know, an archiving secure messaging clone whose entire messaging history exists inside that device, wind up carrying around something in their pocket that might well be worth a great deal to the right parties. No one in their right mind would want to have it known that they're walking around town, riding in cabs and dining in restaurants with months or years of top secret records retained in their smartphones. So that's not a practical solution either. And even if walking around with this conversation archive was not a bit problematic in itself, the presumption is that aside from having the convenience of searching for and retrieving past conversation details, there is also some significant need for government records to be retained, or other executive compliance requirements in the corporate world to be met. If a device were to be lost or stolen, and even if it could not be unlocked and used, the loss of those records could be a huge problem.
This brings us to the inescapable conclusion that the app's local conversation memory should be kept short and non archival, and that some secure means of removing the data from the device while retaining it permanently should be found. The solution I've come up with that completely solves all of these various problems, providing truly secure records retention for users of Signal, and using only the official, unadulterated Signal app to deliver full, true end to end encrypted conversation security, would be for these individuals to add a secure government Signal bot to their conversations. This Signal bot would be running deep inside a secure NSA facility. It would auto accept all conversation invitations from known government staffers, and it would passively receive and permanently archive all dialogue from everyone else who is participating in the conversations. It would function as a silent observer and would appear as a participant named something like Federal Records Retention in the list of conversation members, so that everyone participating would be informed and reminded that their conversation was subject to legally required retention, while at the same time being assured that their conversation was being retained and that they were thereby abiding by their oaths of office and the law while participating in these conversations. Being a Signal bot, all of the standard end to end encryption guarantees offered by the Signal protocol would apply. The only possible points of vulnerability would be at the individual device endpoints. But that's an issue that's inherent in the use of any messaging application. Since Signal is open source and desktop clients already exist, the creation of various secure message archiving bots would be a simple matter for the likes of the NSA, CIA, CISA or whomever.
Or better yet, perhaps a successor company to Telemessage will arise from the ashes of Telemessage's clearly useful and important concept to create a commercial implementation of this solution for those who need Signal message archiving. I would imagine that many enterprises would welcome the ability to automatically have their executives' and other important individuals' secure Signal conversations securely archived on premises, without creating the sort of serious security weakness we've all just witnessed from Telemessage. In retrospect, this seems like such an obvious solution for the secure archiving of secure messaging that I'm surprised such a service doesn't already exist. Let's hope someone creates such a system soon. It should not take that much effort or time, and it should definitely remain open source, since it's all about first understanding and then trusting the implementation.
Leo Laporte
Well, actually, so there is a protocol for this in the federal government. When you're doing classified communications, you're supposed to do it in a SCIF, and the SCIF has logging and recording, and it stays in the SCIF, it stays in a secure environment. So it's very similar to what you just described. And you're not supposed to do classified conversations outside of a SCIF at all. So, yeah, but yeah, I think what you propose makes sense, or even maybe that if you're going to do this, you're actually logged into a server inside the Pentagon and interacting only within that server. Right. And then it's preserved there. The National Records Act does require clear text versions of the records. Obviously they won't let you store it encrypted.
Steve Gibson
But what we've seen is that many agencies in the US Government were Telemessage clients.
Leo Laporte
Right.
Steve Gibson
And I frugal and I. And I've. It is. But they were nonetheless. And I've heard from many of our listeners whose corporations were Telemessage clients and are now looking for an alternative.
Leo Laporte
Obviously they didn't do the vetting they should have done of that clear.
Steve Gibson
So it's certainly not illegal to use Signal, yet it would be very convenient to be able to have a secure archive of Signal conversations.
Leo Laporte
I think the thing is that the federal government does have a protocol for this, and the protocol wasn't followed. And really this is the real issue in general: it's humans. Breaches often occur because humans don't follow correct procedure. Right.
Steve Gibson
And this came to light because a very insecure system was in use. And the good news is we have listeners whose companies did not, you know, were not sufficiently aware that just saying, oh, sprinkle some end to end encryption dust on it.
Leo Laporte
Yeah. Telemessage. It was invented by the Israeli Defense Force. What could possibly go wrong? It's just amazing.
Steve Gibson
Actually the founder was ex Israeli Defense.
Leo Laporte
Yeah, I know. It's my guess that this was always a honeypot from the Israelis.
Steve Gibson
Well, the really cool solution is just to create Signal bots and have them curious conversation.
Leo Laporte
They're inside the Pentagon, they're in a secure environment, they record it and then it's done. Job done. Instead they sent it to the Atlantic magazine editor, Jeffrey Goldberg. He was their Signal punishment. You know, it's funny, he was more careful with the information than they were. That was the irony of the whole thing. Yeah. I think I like your idea. I think that's a great idea. For all we know, they are implementing something similar. I mean, I would expect that it's.
Steve Gibson
Open source, and there are desktop versions. You could take the desktop version and turn it into an archiver. I looked around and I didn't find anything. Maybe our listeners will find.
Leo Laporte
Yeah, the program probably has and offers something like that or the GSA or somebody offers that. But you know, you have to get people to use it. That's the part.
Steve Gibson
Well, and it still doesn't dispel the problem of having that kind of a conversation on consumer smartphones because we do.
Leo Laporte
Know that phones are compromised.
Steve Gibson
Other aspects of Israeli services that we've talked about in the past are prying into consumer smartphones.
Leo Laporte
Yeah, Steve, as always, great stuff and I love your clear thinking. You always come up with great solutions. They seem obvious after you say them. If you enjoy this show, I do hope you will come back next week. We do Security Now every Tuesday right after MacBreak Weekly. We're getting pretty close now to 1:30pm Pacific, 4:30 Eastern, 20:30 UTC. We stream it on eight different channels because you know what? We're not trying to keep it a secret, by the way, so don't you. You tell your friends if you're in the club, it's on Discord. Otherwise, YouTube, Twitch, TikTok, X.com, LinkedIn, Facebook and Kick. Watch where you want, chat with us wherever you want. I see all the chats in my display here after the fact. On demand versions of the show available at Steve's site. He actually has completely unique versions of the show, so we have it and he has it. If you want a 16 kilobit version, 16 kilobit audio or a 64 kilobit audio version, he's got those. He also has the Show Notes. He also has human written transcription, really good transcriptions from Elaine Ferris available at his site, GRC.com. While you're there, I'll give you a little extra to do some extra credit. Of course. Pick up a copy of SpinRite, Steve's bread and butter and the world's best mass storage maintenance, recovery and performance utility. 6.1 is the current version. If you don't have that yet, but you already bought SpinRite, get your upgrade for free. If not, buy it today because it is a must have for anybody with mass storage. You should also go to GRC.com/email and register your email with Steve. He doesn't do anything with it except whitelist it so that you can email him after that. And that way, if you have a suggestion, a picture of the week you want to send him, criticism. Ding. What do they call them? Brickbats or bouquets? You send it to Steve directly, but only once you've registered your email at security. Sorry. GRC.com/email at the bottom.
When you're doing that, you'll see two unchecked checkboxes, but you can check them if you want and sign up for Steve's weekly Security Now Show Notes newsletter. He sends that out before the show, sometimes the day before the show, every week so you can comment on that. And also very rarely he'll send out an email about a new product or something he wants you to know about. GRC.com. We have his show at our website. Our unique versions are, for reasons that are too complicated to explain on this show, a 128 kilobit audio version. Yes, it's mono. I don't know why. Well, I do know why, but I'm not going to tell you why it's 128 kilobit. It has to do with Apple. It's a complicated thing. We also have video, which Steve refuses, after all these years, to post on his site because he says no one needs video, but if you want it, you can get it at twit.tv/sn. While you're there you'll see a link to the YouTube channel, another way to get the video or share clips. I know a lot of people like to say, oh gosh, I've got to send this thing to my boss. You can do that. It's a great way to spread the word about Security Now. You can also of course subscribe in your favorite podcast player. If you do that, please leave us a good review. Leave us a five star rating, wherever the highest number of stars is. Help spread the word about Security Now because frankly, I think everybody in and out of government should be listening to this show every week. Absolutely. Subscribe to our newsletter if you don't already get it. Steve's got a newsletter. We do too. It's free, it's weekly, it's the TWiT TV newsletter that'll keep you up to date on what's coming up on future shows, especially for the club members because, if you're not in the Discord, you may not know about it. Special events we've got planned. Those are all in the newsletter. Steve, have a great week. Enjoy the remodel. Will do. And I'll see you next week.
Steve Gibson
And it'll try to be starting around 2 o'clock, you think, next week? A little later.
Leo Laporte
Yeah. Let's remind everybody, because of the Google I/O keynote, which should go ten to noon, we're going to make MacBreak Weekly two hours. So we should be getting to Security Now at 2pm. That's my goal. Thank you, Steve.
Steve Gibson
Sounds good. See you next week, buddy.
Leo Laporte
Bye bye. Security now.
Summary of Security Now 1025: Secure Conversation Records Retention
Release Date: May 14, 2025
Hosts: Leo Laporte and Steve Gibson
Podcast: All TWiT.tv Shows (Audio)
In the 1025th episode of Security Now, Leo Laporte and Steve Gibson delve into pressing cybersecurity topics, including recent legislative efforts to restrict minors' access to social media, the proliferation of malicious software packages targeting developers, and the exacerbating role of artificial intelligence in cyber threats. The episode also addresses listener feedback and introduces Steve's innovative solution for secure conversation records retention.
Steve Gibson initiates the discussion by critiquing new legislative measures aimed at restricting minors' use of social media platforms.
Virginia's Age Restriction Law:
Virginia Governor Glenn Youngkin signed a bill amending the Virginia Consumer Data Protection Act (VCDPA) to impose strict limitations on minors under 16 using social media. The law mandates:
Steve anticipates significant legal challenges, stating, “...this has no chance of surviving a First Amendment challenge” (04:20).
New Zealand's Parallel Efforts:
Following Australia's lead, New Zealand is considering legislation to ban 16-year-olds from accessing social media without enforcing age verification measures. This move reflects a global trend towards tighter regulation of minors' online activities but faces similar constitutional challenges.
Notable Quotes:
Steve highlights a concerning security issue involving a malicious Python package designed to infiltrate Discord development ecosystems.
The Threat:
A Python package named discord-py-debug masqueraded as a useful tool for Discord bot developers but concealed a remote access Trojan (RAT). Over three years, it amassed more than 11,000 downloads, compromising developers who may integrate it into their projects.
Impact:
The RAT allowed attackers to execute remote commands and exfiltrate data via a covert command and control channel, posing significant risks to both individual developers and the enterprise networks they may access.
Research Findings:
Detailed in a Socket Research report, the package targeted indie developers and small teams, exploiting the trust inherent in open-source communities to distribute malicious code.
Notable Quotes:
The UK's National Cyber Security Centre (NCSC) released a report forecasting the significant influence of artificial intelligence on cybersecurity from 2025 to 2027.
Key Predictions:
Vector Concerns:
Steve expresses skepticism about the report's probabilistic language, noting, “How likely is a realistic possibility? What does that mean?” (62:20) and emphasizes the urgent need for scalable cybersecurity measures to keep pace with AI advancements.
Notable Quotes:
The hosts engage with listener emails covering a range of topics:
ISP Speed Tests:
Jim Reed, a former ISP executive, discusses the reliability of different speed test providers and the importance of troubleshooting from the consumer's end.
Steve's Advice: “If you're concerned you're getting what you're paying for, test from a wired connection on your best device” (77:45)
ChatGPT Limitations:
Listener Steve M. highlights the inaccuracies and overconfidence of ChatGPT, especially in coding tasks, emphasizing the need for cautious use of large language models.
Key Point: AI tools like ChatGPT, while useful, are not infallible and require human oversight to ensure accuracy.
SSH Security:
Bienvenido del Rosario shares his experience with open SSH ports and the effectiveness of changing default ports to mitigate attack attempts.
Steve's Commentary: “All failed attempts. Seized range ceased right away” (102:32)
Passwordless Authentication:
Lee McKinnell discusses challenges in implementing Microsoft's passwordless login, sharing his troubleshooting journey.
Steve's Observation: “It's not in keeping with the way we would expect it to work” (100:07)
A significant portion of the episode is dedicated to unraveling the security failures of Telemessage, an Israeli company providing modified Signal and WhatsApp clients with archiving capabilities.
Telemessage's Insecurity:
Telemessage advertised their services as end-to-end encrypted, but investigations revealed they were sending plaintext conversation logs to external email servers, fundamentally breaking the principle of true end-to-end encryption.
Consequences:
Steve's Analysis:
Steve emphasizes that true end-to-end encryption requires that only the communicating parties possess the decryption keys. Telemessage's approach of emailing plaintext data negates any security benefits, making the service a liability rather than an asset.
Steve’s Solution:
To address the need for secure conversation records retention without compromising end-to-end encryption, Steve proposes the use of Signal bots hosted within secure facilities (e.g., NSA). These bots would silently archive conversations without exposing plaintext data, adhering to legal retention requirements while maintaining robust encryption standards.
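The two paragraphs above turn on where the decryption keys live: with Telemessage-style archiving the plaintext leaves the encrypted group through a side channel, whereas an archiving bot that is itself a group member decrypts only inside its own trust boundary. The following model is an added illustration written for this summary; it is not code from the episode, from Signal, or from any product discussed. It stands in for Signal's ratcheting cryptography with a stdlib HMAC-SHA256 counter-mode keystream and an HMAC tag under a single static group key, which is an assumption made to keep the example self-contained; the `Relay`, `Member`, `ArchiverBot` and `telemessage_style_copy` names are all constructed for the illustration.

```python
"""Toy model of an end-to-end encrypted group with an in-group archiving bot.

Added illustration, not Signal's protocol: a static shared group key and an
HMAC-SHA256 counter-mode keystream stand in for the Double Ratchet. What it
demonstrates is key placement: the relay holds no key and only ever retains
ciphertext, a member bot decrypts and archives inside its own boundary, and a
client that decrypts and re-sends plaintext out of band (the Telemessage
pattern described in the episode) puts plaintext back on the wire.
"""
import hashlib
import hmac
import json
import secrets


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stand-in stream cipher (stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(group_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys derived from the group key that only members hold."""
    enc_key = hmac.new(group_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(group_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(group_key: bytes, body: dict) -> bytes:
    """Verify the tag first: a relay that alters ciphertext gets a failure, not plaintext."""
    enc_key = hmac.new(group_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(group_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(body[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Relay:
    """The server in the middle: stores and forwards envelopes but holds no key."""

    def __init__(self) -> None:
        self.stored: list[dict] = []

    def deliver(self, envelope: dict) -> dict:
        self.stored.append(envelope)
        return envelope

    def can_see(self, text: str) -> bool:
        """True only if the given plaintext appears in what the relay retains."""
        return text in json.dumps(self.stored)


class Member:
    def __init__(self, name: str, group_key: bytes) -> None:
        self.name, self.group_key = name, group_key

    def send(self, relay: Relay, text: str) -> dict:
        return relay.deliver({"from": self.name, "body": encrypt(self.group_key, text.encode())})

    def receive(self, envelope: dict) -> str:
        return decrypt(self.group_key, envelope["body"]).decode()


class ArchiverBot(Member):
    """A member that runs inside the secure facility and retains what it decrypts there."""

    def __init__(self, name: str, group_key: bytes) -> None:
        super().__init__(name, group_key)
        self.archive: list[dict] = []

    def receive(self, envelope: dict) -> str:
        text = super().receive(envelope)
        self.archive.append({"from": envelope["from"], "text": text})
        return text


def telemessage_style_copy(member: Member, relay: Relay, envelope: dict) -> dict:
    """Models the broken design: decrypt on the client, then ship plaintext out of band."""
    return relay.deliver({"from": member.name, "archive_copy": member.receive(envelope)})


def run_demo(text: str = "Meeting moved to 10:00") -> dict:
    group_key = secrets.token_bytes(32)  # constructed; a real client derives keys per conversation
    relay = Relay()
    alice, bob = Member("alice", group_key), Member("bob", group_key)
    bot = ArchiverBot("records-bot", group_key)
    envelope = alice.send(relay, text)
    bob_read = bob.receive(envelope)
    bot.receive(envelope)
    leaked_with_bot = relay.can_see(text)
    # Flip the last ciphertext byte as a tampering relay would; decryption must refuse it.
    bad = json.loads(json.dumps(envelope))
    ct_hex = bad["body"]["ct"]
    bad["body"]["ct"] = ct_hex[:-2] + format(int(ct_hex[-2:], 16) ^ 0x01, "02x")
    try:
        bob.receive(bad)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    telemessage_style_copy(bob, relay, envelope)
    return {
        "bob_read": bob_read,
        "archived": bot.archive,
        "relay_saw_plaintext_with_bot": leaked_with_bot,
        "tamper_detected": tamper_detected,
        "relay_saw_plaintext_with_copy": relay.can_see(text),
    }
```

Running `run_demo()` shows the contrast the summary draws: with the bot as a member, the relay's retained data never contains the message text and a modified ciphertext is rejected, while the out-of-band plaintext copy makes the text visible to whatever sits in the middle, which is exactly what defeated Telemessage's end-to-end claim.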
Implementation Steps:
Benefits:
Notable Quotes:
Security Now 1025 underscores the intricate balance between ensuring robust security through end-to-end encryption and meeting legal obligations for records retention. The episode highlights the critical importance of scrutinizing security solutions to uphold privacy standards and protect against vulnerabilities. Steve Gibson’s proposed solution offers a promising avenue for secure, compliant communication archiving, emphasizing the need for transparency and adherence to true encryption principles in cybersecurity practices.
Final Thoughts:
For a detailed dive into the discussed topics, including Steve’s comprehensive analysis of Telemessage's failures and his proposed secure communication archiving solution, refer to the full episode transcript and show notes available at GRC.com.