Steve Gibson (2:56)

Going to find out about that. Exactly. That when I commercialize the DNS benchmark.

Leo Laporte (3:01)

That's right.

Steve Gibson (3:03)

I have no calibration on how many people would be willing to pay 10 bucks for a dramatically improved. I mean, this thing, the thing we just did. And this is. Oh, God, I can't wait to talk about this. At some point, we. I did a statistical analysis that demonstrated that there is so much uncertainty in DNS timing, not due to the resolvers at the other end, but due to the Internet, which is in between.

Leo Laporte (3:31)

Yeah.

Steve Gibson (3:32)

That to actually get statistically significant results requires many more tests than the benchmark has ever been performing. That's why every time you run, you ran the benchmark, you kind of got the same answers, but they differed. Not because the resolvers were of any different speed, but it turns out that, you know, statistics is weird.

Leo Laporte (3:57)

You.

Steve Gibson (3:58)

You. If you tossed a coin.

Leo Laporte (4:01)

That should be the title of this show. I'm just gonna say right now, statistics is weird.

Steve Gibson (4:05)

If you tossed a coin three times.

Leo Laporte (4:07)

Yeah.

Steve Gibson (4:08)

There's a 1 in 8 chance, actually 1 in 4 chance there. You know, 25% chance you get all heads or all tails.

Leo Laporte (4:16)

Yes.

Steve Gibson (4:17)

So a three. A three toss coin. Three coin toss, whatever. You know what I mean? You might be led to believe that there were heads on both sides or tails on both sides, that it was a bogus coin. That wasn't actually 50. 50, because in three tosses, 25% of the time, you're going to get all the same outcome. So what we've learned, and this was only just recently, I've added the ability to dramatically increase the number of samples which the benchmark takes. And we're getting far better results that, I mean, like consistent reports now where all of the resolvers from the same provider end up grouping together on the chart, which you'd kind of expect, but it actually happens now, but only when you take many more samples. Anyway, the point is that the. The what I'm going to be offering soon for 10 bucks blows away the free one. But again, I don't have any idea how. I mean, free is free. Right. And asking someone to pay anything is. Is a heavy lift. I get it.

Leo Laporte (5:29)

But I have to think that you are a unique case that people will pay for something even if they were getting it for free before, just because they want to support you. I really think this is true of you, Steve.

Steve Gibson (5:43)

I hope that's the case because I need the support in order to keep doing all this.

Leo Laporte (5:49)

I even think they just, they just feel good about you and they just, you know, they're not, they're not looking for anything out of it. They just want to support you is my guess.

Steve Gibson (5:57)

Which is I really appreciate it makes all this possible. It makes possible podcast number 1048 titled Mike Emouse, obviously a play on Mighty Mouse.

Leo Laporte (6:11)

And I had to ask, is it Mick Emouse or. And you said, no, this is a mic we're talking about.

Steve Gibson (6:16)

We're going to answer the question, could your PC's mouse have much bigger ears than you know?

Leo Laporte (6:23)

Oh, no. Oh, now I'm scared. Oh boy.

Steve Gibson (6:28)

You thought that bag of chips laying on the table might give away the conversation in the house? Turns out it's worse than that. We're going to look at the long awaited lawsuit to block Texas SB2420, which happened last week, just after last week's podcast. When I mentioned that is it's kind of odd that there's been no legal challenge to this very worrisome law that takes effect on January 1st. And also take a look at how it's going to affect Google Play and their plans. We looked at Apple in detail last week. Oh my God, Leo. At long last, NIST has formally modernized their password policy and they fixed it.

Leo Laporte (7:16)

You mean I don't have to change my password every three months?

Steve Gibson (7:19)

Isn't that insane? No, you no longer do. And we'll have something that all of our listeners can wave in the face of their employers IT people and say, okay, fix this. This has always been dumb. Now it's officially dumb. Also, it turns out we now have much better proof that Scattered Lapsis Hunters group that their demise that I reported wrongly, it turns out a couple weeks ago, was indeed exaggerated. Finally, China is claiming that the NSA has been hacking them.

Leo Laporte (7:55)

Yay.

Steve Gibson (7:56)

We'll explain that.

Leo Laporte (7:58)

It turns out they've been hacking us. It's only turnabout is fair play.

Steve Gibson (8:03)

Yes. Come on. So it turns out also half of all geosynchronous satellite traffic is unencrypted.

Leo Laporte (8:13)

Who knew?

Steve Gibson (8:14)

Amazing. Yes. Also, we'll touch on yesterday's AWS outage, which I agree with the take that the Guardian had. It highlights the rising risk of. Of something you and I have talked about relative to browsers often, which is any kind of an Internet monoculture. You know, all the eggs in one basket. Go. Better not drop that basket. And we got a collect a terrific collection of listener feedback. And then we're going to look at, you know, another new side channel attack. Who would have ever imagined that People's mice could actually be picking up the audio of conversations around them.

Leo Laporte (8:58)

Wow.

Steve Gibson (8:59)

And guess what made it possible?

Leo Laporte (9:01)

I'm gonna. I gotta guess. Is it rattling balls?

Steve Gibson (9:05)

It's. Well, you wanna know? I don't think a rattling ball. The balls. The balls never had the resolution of a good old optical sensor, so.

Leo Laporte (9:17)

Oh, yeah, that's right.

Steve Gibson (9:20)

Did you ever roll them around your hands? They were neat. They were rubber. Yeah.

Leo Laporte (9:23)

They were heavy. They were metal with rubber coatings on them. Yeah.

Steve Gibson (9:25)

Yeah. I like those.

Leo Laporte (9:28)

Excellent transducers for a microphone. But I guess since we don't have those, we'll find something else to rattle, if you will.

Steve Gibson (9:37)

Let's.

Leo Laporte (9:38)

Let's move on, shall we? We're going to get to that in just a moment. But first, and the picture of the week, which looks pretty funny. I haven't seen it. I haven't seen it. I like to preserve my virgin eyeballs.

Steve Gibson (9:52)

This will take a little bit of visual parsing, but you'll get.

Leo Laporte (9:54)

Yeah, okay.

Steve Gibson (9:55)

Everyone's.

Leo Laporte (9:55)

We'll see it together, see the caption, but I don't scroll up, so. Okay. First though, a word from our sponsor, Melissa. We love Melissa. They've been, you know, Melissa's been around since 1985. The trusted data quality expert. That's a long time. 40 years of experience and domain expertise. And Melissa puts every one of those years into every verified address worldwide. They are the best. I'll give you an example. Burbank, California, the city of Burbank. It's known as the media capital of the world. Located in the LA area, the city has increased their address accuracy. This is important because they use it for citizen services, for census data, for collaboration with the state and federal governments. The city's GIS manager loves Melissa. Had this to say. Quote, Melissa's address formatting was in line with our existing data and GIS location accuracy matched 99.9% of the time. Far better than competitive solutions compared in testing. Melissa's address keys were precisely located on top of buildings. While alternatives, they wouldn't even land on the building or even register the correct street. You better believe Burbank uses Melissa. We. While address verification was of course Melissa's foundation. Their bread and butter for 40 years. They are data scientists. So Melissa's data enrichment services go far beyond simple address validation. Organizations build a more comprehensive, accurate view of their business processes by using Melissa as part of their data management strategy. I'll give you an example. HealthLink Dimensions. They provide healthcare database products for the pharmacy, healthcare, medical device and insurance Industries. They help them efficiently target their primary markets and so forth. HealthLink, it's a big operation. They have demographic files totaling over 2.3 million physicians and allied health professionals. That's pretty much all of them. To manage this complex data, HealthLink's director of database services needed the Melissa Data Quality Suite's flexibility and ease of integration. This is the quote. This is from HealthLink. The main strength is Melissa's ability to easily integrate with our custom. NET applications and SQL procedures. We've written several internal applications and services that use each of the objects of the Melissa Data Quality Suite. Actually, with both of those quotes, the important bit is it works with the stuff you already have, the data you already have, the processes you already have. And of course, you never have to worry about your data. With Melissa, your data is safe with them compliant and secure. Melissa's services and solutions are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC2 and HIPAA high trust standards for information security management. Melissa's the best. Get started today with 1000 records cleaned for free at melissa.com twit that's melissa.com/twitter. We thank Melissa so much for supporting Steve and security. Now. All right, let me see here. Do I have. I don't. Do I have my extra camera? Yes, I do. All right, I'm ready to, to scroll up whenever you want to talk about it here.

Steve Gibson (13:21)

Our listeners had a lot of fun with this. Those who subscribed to the email and saw this yesterday. I gave this picture the title when an Interlock Must be Very clear and Must Absolutely, Definitely Never Fail.

Leo Laporte (13:38)

Okay. All right. I don't, I don't even.

Steve Gibson (13:40)

We have.

Leo Laporte (13:45)

That looks dangerous. Man. I hope that handles ice is. Is somehow insulated.

Steve Gibson (13:52)

Well, I don't think it needs to be.

Leo Laporte (13:53)

It's not electrical.

Steve Gibson (13:56)

For those who, who don't see the picture, we've got, we have a pair of apparently very high current toggle switches, like, you know, like light switches. Where is. Yeah, up is on and down is off. And for whatever reason it. You'd absolutely never want them both to be on at the same time or apparently like there would be fire and explosions.

Leo Laporte (14:29)

I get it. I get it now. Wow.

Steve Gibson (14:32)

So. So somebody. And I don't know if this was an off the shelf, I doubt it handle, but it's.

Leo Laporte (14:41)

Oh yeah. I mean it's like you got at the hardware store.

Steve Gibson (14:43)

For sure it would be. Or like, you know, you talk about the horses escaping for after the barn doors.

Leo Laporte (14:49)

Yeah. Or your Fence would have this. Your fence could have.

Steve Gibson (14:52)

Yeah, some, some heavy duty fence has this thing where a handle is used to slide a bar back and forth. Well, this has been jury rigged in between these two big switches.

Leo Laporte (15:05)

And it's totally intentional because the switches are positioned on the wall. Exactly. Precisely. So that the interlock fits right in that gap there.

Steve Gibson (15:15)

Yes, exactly. Yes.

Leo Laporte (15:16)

This is an intentional design.

Steve Gibson (15:19)

Yes.

Leo Laporte (15:20)

Wow.

Steve Gibson (15:20)

Yes. Somebody said. We, we. There is no provision for absolutely making sure that these cannot both be on at the same time. Presumably, you know, who knows? They're. They're feeding to the. I think maybe I'm seeing like a loop at the bottom. I didn't really look at it, but to me looks like maybe the bottoms of these are connected together. You sort, sort of, sort of see it. It on, on, on the lower. On the left unit. The bottom right wire looks like it bends and then goes over to the other unit. So I'll bet you that these are two different feeds into the go to the same place. And if you turn them both on, they would short those two feeds and again, funny, something would explode. So somebody said, okay, we need to be able to choose A or B. But we don't have an A or B choosing switch. We only have two on off switches. So how could we solve that?

Leo Laporte (16:23)

Said Mo. Larry and Curly.

Steve Gibson (16:25)

Exactly. Using a lock from a barn door from the 1920s.

Leo Laporte (16:34)

That's hysterical.

Steve Gibson (16:36)

Yeah.

Leo Laporte (16:37)

Thanks again to our listeners. Says it looks like something Burke might have designed.

Steve Gibson (16:44)

Burke, your solutions work. And it works, too.

Leo Laporte (16:47)

It works.

Steve Gibson (16:48)

Okay, so our coverage of the pending enactment of that new Texas SB2420 legislation galvanized our listeners and generated quite a bit of feedback because, I mean, this is a mess.

Leo Laporte (17:02)

Insane.

Steve Gibson (17:03)

I mentioned last Tuesday that there was still no sign of any legal challenge to that legislation. But then last Friday, to no one's surprise, that situation changed. Ars Technica's headline read, big Tech Sues Texas says age verification law is, quote, broad censorship regime. Ours gave it the teaser line texas Applaw compared to checking IDs at bookstores and shopping malls. So here's what they wrote to get a sense for the the flavor of the attack. And this, by the way. Well, in fact, they said Texas, they wrote, is being sued by a big tech lobby group over the state's new law that will require app stores to verify users ages and impose restrictions on users under 18. The lawsuit brought by the Consumer and Communications Industry association, the ccia, alleges, quote, the Texas App Store Accountability act imposes a broad censorship regime on the entire universe of mobile apps. In a misguided attempt to protect minors, Texas has decided to require proof of age before anyone with a smartphone or tablet can download an app. Anyone under 18 must obtain parental consent for every app and in app purchase they try to download. From ebooks to email to entertainment, unquote. Ours wrote the CCIA said in a press release that the law violates the First Amendment by imposing Boy, we're getting a lot of use out of our First Amendment. Leo violates the First Amendment by imposing, quote, a sweeping age verification, parental consent and compelled speech regime on both app stores and app developers. Unquote. When app stores determine that a user is under age 18, quote, the law prohibits them from downloading virtually all apps and software programs and from making any in app purchases unless their parent consents and is given control over the minor's account, unquote. The CCIA said, quote miners who are unable to link their accounts with a parents or guardians or who do not receive permission would be prohibited from accessing App Store content. Unquote. Okay, so yes, as as we understand it, that's all completely true and it's moreover exactly the law's intent. It's not like the law was, you know, written in an over broad fashion. No they this is what they want in Texas. Ours continued saying the group said the law requires app developers, quote, to age rate their content into several subcategories and explain their decision in detail and quote, notify app stores in writing every time they improve or modify the functions, features or user experience of their apps. Unquote. The lawsuit says the age rating system relies on vague and unworkable set of age restrictions. The lawsuit claims, quote so here's the argument against the lawsuit, which reads our Constitution forbids this. None of our laws require businesses to card people before they can enter bookstores and shopping malls. The First Amendment prohibits such oppressive laws as much in cyberspace as it does in the physical world. Unquote R said. The lawsuit was filed in the US District Court for the Western District of Texas. CCIA members include Apple, Apple and Google, which have both said the law would reduce privacy for app users. The companies recently described their plans to comply, saying they would take steps to minify to minimize the privacy risks. The Texas App Store Accountability act is similar to laws enacted by Utah and Louisiana. The Texas law is scheduled to take effect on January 1, 2026, while the Utah and Louisiana laws are set to be enforced starting in May and July respectively. So we're only talking about Texas now because it's like 70 days away from today. And you know, Utah and Louisiana will hopefully fall under the same umbrella depending upon how this all happens. And there is something new and interesting ours also wrote the the Texas law is also being challenged in a different lawsuit filed by a student advocacy group and two Texas minors. Attorney Ambika Kumar of Davis Wright Tremaine LLP said in an announcement of the lawsuit, quote, the First Amendment does not permit the government to require teenagers to get their parents permission or before accessing information except in discrete categories like obscenity. The Constitution also forbids restricting adults access to speech in the name of protecting children. This law imposes a system of prior restraint on protected expression that is presumptively unconstitutional. Now that's interesting, but that argument was also tried in the argument against Texas HB 1181 as we covered previously. Here are a few choice and chilling tidbits from those proceedings. The Supreme Court said the First Amendment leaves undisturbed states traditional power to prevent children from accessing speech that is obscene from from their perspective. Because no person, adult or child has a First Amendment right to avoid age verification, the statute requires only what's known as intermediate scrutiny. And from the Supreme Court's further opinion they wrote, submitting to age verification is a burden on the exercise of adults right. But adults have no First Amendment right to avoid age verification and the statute can readily be understood as an effort to restrict minors access. In other words, the Supreme Court is agreeing with what Texas is doing and has said so in their formal opinion on HB 1181. And that sure does seem to cover what the Senate then the Texas senate did with SB 2420. So this is really going to be interesting ours said. Davis Wright Tremaine LLP said the law, quote extends far beyond social media to mainstream educational news and creative applications including Wikipedia, search apps and Internet browsers, messaging services like WhatsApp and Slack, content libraries like Audible, Kindle, Netflix, Spotify and YouTube, educational platforms like Cord Academy and Duolingo news apps from the New York Times, the Wall Street Journal, ESPN and the Atlantic and publish books like Substack, Medium and Cap Cut. So you know, sounds like there's some good counter argument and and and pushback here and I'm sure they're correct, although unfortunately this is exactly the law's intent. It's it's a feature, not a bug, they wrote. Both lawsuits against Texas argue that the law is preempted by The Supreme Court's 2011 decision in Brown vs Entertainment Merchants association, which struck down a California law restricting the sale of violent video games to children. The Supreme Court said in Brown that a state's power to protect children from harm does not include a free floating power to restrict the ideas to which children may be exposed. So the tech industry has sued Texas over multiple laws relating to content moderation. Ours wrote. In 2022, the Supreme Court blocked a Texas law that prohibits large social media companies from moderating posts based on a user's viewpoint. Litigation in that case is ongoing. In a separate case decided in June of 2025, and this is the one that that the House 1181 law, they said the Supreme Court upheld a Texas law that requires age verification on porn sites. So it may be that the way this ends up cutting is that, is that SB2420, because it attempts to encompass all downloads of anything, is what will end up being ruled as too broad and that it'll get pulled back so that it's only age restricted content that needs to get parental approval. I, you know, that looks like that may be the way this thing survives.

Leo Laporte (27:01)

You're acting like this is all rational and that the courts are acting rationally. Look at what Australia is doing at December 10th. If you're under 16, you will not be allowed to use social media in Australia. And they have made no provision for how that gets solved.

Steve Gibson (27:18)

We've just seen that with Mississippi. That is the current law in Mississippi. Same thing. No, it's all social media for a minor. No, I.

Leo Laporte (27:29)

Seems like I know it would fail.

Steve Gibson (27:31)

I'm, I'm not, I'm not taking a position or suggesting this is rational or not. Leo. I'm just looking, I'm just reporting like this is what's happening. You know, we were shocked, we were shocked when the Supreme Court said of the Texas pornography law. Yeah, everybody, sorry, adults, you, you need to prove that you're an adult. And if that requires that you turn over your identity, then that's not an undue burden. That's insane. Of course it is.

Leo Laporte (28:04)

Yeah. Because it means basically every, everybody, not just children, but everybody, has to offer federal or state id some sort of government id.

Steve Gibson (28:14)

Adults need to prove they're not children, which. And there's no privacy enforcing way to do that today.

Leo Laporte (28:20)

Right, Right.

Steve Gibson (28:23)

So As I said, January 1st happens to be exactly to the day, 70 days away from today, 10 weeks. So not a lot of time for this to get resolved. But with any luck, it will be that time that will, you know, bring this to the court's attention. It'll run through appellate court and then probably get turned back over to the justices again with the Supreme Court. And last time they said, no, sorry, adults, you need to prove that you are an adult if you want to watch pornography. And so instead the porn sites just left Texas.

Leo Laporte (29:04)

Yeah, the Supreme Court decision with Texas said adults have no First Amendment right to avoid age verification.

Steve Gibson (29:12)

Exactly.

Leo Laporte (29:14)

Okay. Wow.

Steve Gibson (29:17)

Yeah. Okay. So Google Play, they're going to be impacted by this in 10 weeks, in 70 days. We know that Apple has informed their developers that new APIs would be available, quote, later this year, even though there's not much left of this year to be later than. Okay. But you know, these are not hard problems to solve in code. I'm sure Apple has this stuff commented out of their code. They just have to remove the comments. Meanwhile, Google just posted something similar for their Play Store app developers under their headline changes to Google Play for upcoming App Store Bills, meaning legislation for users in applicable US States, they wrote. A few US States currently Texas, Utah and Louisiana have recently passed verification laws requiring app stores to verify users ages, obtain parental approval and provide users age information to developers. These laws also create new obligations for developers. And that's the other thing LEO is look at the all the apps that are out there that are impacted by this. Again, legislation without any apparent concern for the consequences to the ecosystem that exists. These laws, they wrote, also create new obligations for developers who distribute their apps through app stores in these states. The effective dates for these laws, applicable for both developers and Google Play, are quickly approaching and present short implementation timelines across the ecosystem. While we have user privacy and trust concerns with these new verification laws, Google play is designing APIs systems and tools to help you meet your obligations. Given the significant implications of these changes across the ecosystem, we're working to keep Play a trusted experience for everyone while also providing you information to support your preparations. Our plan to support you is the first App Store bill to take effect is Texas SB 2420 on 1January 2026. We understand that significant work may be needed for you to make changes to your apps to help you. We plan to provide and they have three things. A new Play API for users in these states. Your app will be able to receive users age verification supervision, status, age ranges and other applicable signals. Okay. Of course something upstream has to make that possible, right? So this is an API that apps will be able to call upon to obtain information which the phone has, which the phone has to have obtained somehow. So Google will be, you know, sourcing this, this information downstream to the apps running on its platform. Second Play Console Features, you will have the ability to notify Google Play of a significant change in Play Console without publishing a new version of your app. Additionally, you'll also get a report in Play Console showing when a parent revokes approval for your app because that's also something that the law allows is, you know, after the fact approval if a parent changes their mind. And third, trust and safety requirements, they said to protect users, your use of this new API must comply with Google Play's requirements governing how data from the API must be handled. They said more details because all this is a moving target happening rapidly. More details on these features and requirements will be shared in the coming weeks. Planned dates and next steps subject to change. And so they said October 2025, sometime here requirements and a detailed integration guide with example code for the new Play API will be published for you to get started. And then the 1st of January 2026 the new play API will be live for applicable users in Texas when the Texas SB2420 bill takes effect, they said. If you'd like to learn more or have any additional questions, please contact our support team.

Leo Laporte (34:10)

You know, this points out the real issue with having these app stores as the only place you can get an app for your device because now they're a choke point the government can use to enforce this. You can't do this on a computer because any you know how are you going to go look at all is the government, is the state going to go look at a million apps and see if they do it? They can't. It's not practicable. It's only possible because Apple and Google have these choke points which are their app stores. This is just another reason why those choke points are a bad idea and.

Steve Gibson (34:47)

Another example of a monoculture of, of, you know, where too much is dependent upon a single point of failure.

Leo Laporte (34:54)

Yeah, it's Apple and Google. Right? And, and by the way, you can make sure you can enforce this law because there's only two companies you have to penalize.

Steve Gibson (35:05)

Right?

Leo Laporte (35:05)

It's very simple.

Steve Gibson (35:06)

Right?

Leo Laporte (35:07)

So easy.

Steve Gibson (35:08)

I'm not an attorney. We all know that. But no one needs legal training to get a definite sinking feeling from reading the opinion of the Supreme Court in that previous very similar challenge to, to the, the previous Texas HB 1181 legislation. The court explicitly supported the requirement that anyone wishing to view age restricted content could reasonably be asked to prove their age, even if doing so required them to reveal their identity and would certainly have the effect of limiting access to content in even among those whose Age would make such success and. And access legal doesn't matter. It's like, I don't want to tell you who I am. It's none of your business. You know, I've only got any hair left and it's gray. The Supreme Court said adults have no First Amendment right to avoid age verification. Wow.

Leo Laporte (36:13)

That's really it.

Steve Gibson (36:16)

It is. And that was Justice Thomas who reports were. Enjoyed some of that. Yeah. Kind of content.

Leo Laporte (36:24)

That's right. Long tong silver.

Steve Gibson (36:26)

I remember. That's right, yeah. So all that said though, you know, with the law is a complex instrument and there could well be other factors in play with SB 2420. We won't know until we do, but we'll certainly be letting everyone know what happens as it. As it transpires.

Leo Laporte (36:44)

I mean, it's true that desktop computers are a huge loophole in all this. You cannot age gate something doesn't have a locked in app store.

Steve Gibson (36:56)

Right.

Leo Laporte (36:56)

And try. But there's just.

Steve Gibson (36:57)

I looked at the legislation and it does. It is explicit. It is expressly and explicitly. I think this comes up in one of our feedback questions today. It is only aimed at mobile devices. Right. Tablets, phones and tablets.

Leo Laporte (37:12)

Kids don't use computers.

Steve Gibson (37:15)

Exactly. It's like nothing else exists. You know, gaming platforms are excluded. TVs, PCs. It's targeted only at that which is really like, okay, then kids are going to use their laptop.

Leo Laporte (37:31)

Right. This is why open computing is so important. And, and look, I don't want kids to be able to access pornography. That's not what we're talking about here. We're talking about it.

Steve Gibson (37:42)

No one should get confused about that.

Leo Laporte (37:43)

No, we don't want government to be able to say this is what you can and cannot do. It starts with pornography, but there's. Then it goes to social networks, then it goes to, I don't know, news sources or. I mean, there's a lot of things government would like to restrict and if there is a single point of failure that they can put pressure on, they can do it, but they can't do it on a general purpose open computing platform. No. That's very sad. I suppose we're going to have to see this tied into biometrics as well. Right. This is more than just, here's a picture of my photo id. How do we. How do. Right.

Steve Gibson (38:26)

Yeah. So that's what I was always wondering is through the months our listeners have heard me saying, if we're going to have any kind of effective age verification, it needs to have a biometric tie, which was why it was so odd to me that the, the, the system. Was it Italy? I can't remember now. I talked about a country a couple weeks ago, Spain. Yes.

Leo Laporte (38:49)

They have a national ID system.

Steve Gibson (38:51)

Yes. And it's all you need is a, is a, a pin in order to, in order to verify your identity. It's like, what.

Leo Laporte (39:02)

But unfortunately, there's no way that teenagers can distribute things like pins on the Internet.

Steve Gibson (39:08)

Never been heard of. You would never find a PIN written on the inside of a restroom wall. No, no, no. But there is a, there is a requirement in the Texas legislation. The, the, the HB 1181 of that. It defines a session during which you're authenticated of no more than 60 minutes. So you are required continual authenticate re.

Leo Laporte (39:34)

Authentication.

Steve Gibson (39:36)

Yes.

Leo Laporte (39:36)

This is nuts.

Steve Gibson (39:38)

And they would have done it every 10 minutes if it was feasible. But right, even that, even they thought, well, we can't ask that.

Leo Laporte (39:43)

Yep.

Steve Gibson (39:45)

Okay, we're going to talk about NIST finally catching up with their password policy and who among us might have been a little ahead of the curve after we take a sponsor break, can you.

Leo Laporte (39:58)

Say, hey, Stacks, if you've been listening to this show, you know that we have sensible password concepts, but NIST for some reason. Well, you know the whole thing about. Well, we'll talk about it in a bit. It's a favorite topic of mine. Our show today, brought to you by Hawks Hunt. As a security leader, you get paid to protect your company. Get cyber attacks, right? That's job one these days. But it's getting harder and harder. More cyber attacks than ever. And of course, phishing emails are perfect now. They're generated with AI. No grammatical errors, nothing wrong. It looks exactly like the real deal. This is why your legacy one size fits all awareness program doesn't really stand a chance. At most, they send four generic trainings a year. Most employees ignore them. And if somebody actually clicks, then, you know, clicks one of the phishing emails, then they're forced to do embarrassing training programs that feel more like punishment. Nobody learns from something that feels like punishment. That's why more and more organizations are trying. Hoxon Hacsan actually makes it fun to learn. They go beyond security awareness. They actually change behavior. And they do it in a time honored fashion by rewarding good clicks and coaching away the bad clicks. This really works. Whenever an employee suspects an email might be a scam, click that button. Hox Hunt will tell them instantly. And you know, you get like a gold star. It's like, oh, you get a dopamine rush. This incense your people to click to learn, to protect your company. They're actually having fun. That's the way to learn and you'll love it. As an admin, Hox Hunt makes it easy to automatically deliver phishing simulations in every way possible. Email Slack teams. You can even use Hawkshunt's built in AI to mimic the latest real world attacks. So it's different every time, right? It's fun actually for both sides. It's a little game you're playing. Simulations are actually personalized to each employee based on department location and more. So they're really effective. And then instead of like some burdensome flash slideshow that somebody has to go through to twice a year to learn, you've got instant micro trainings that are fun, they're fast, they solidify understanding, they drive lasting, safe behaviors. Hawks Hunt really works. You could trigger gamified security awareness training that awards employees with stars and badges. I know it sounds silly, but that really works. It boosts completion rates, it ensures compliance, and Hawkshunt has a huge library of customizable training packages. You can even use their AI to generate your own. It's very flexible. Hox Hunt H O X Hunt. It has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. You don't have to take my word for it. Over 3,000 user reviews on G2 make Hoxhunt the top rated security training platform for the enterprise, including easiest to use and best results. It's also recognized as a customer's choice by Gartner, and thousands of companies like Qualcomm, AES and Nokia use it to train millions of employees all over the globe. It's tried and true. It's tested. Visit hoxhunt.com securitynow today to learn why modern secure companies are making the switch to Hawkshunt. That's Hoxhunt.com Security Now. H O X H U N T.com Security Now. Thank you Hawks Hunt for the job you're doing. Very important. And for supporting the job Steve's doing. Also Very important on security now. Okay Steve, let's show everyone how you knew you were right from the very beginning.

Steve Gibson (44:02)

That's all of our longtime listeners will recall about 13 years ago. Back in 2012, after spending some time on the podcast examining and sharing the details of what was then modern password cracking using high speed hardware assisted hashing systems, I hit upon the idea that a password's length was far more important to its provision of cracking resistance than its complexity. The idea was that if some hashing system was going to be trying every possible password of a certain minimum assumed length, and then increase its guest length by one after exhausting all possible passwords of that initial length, and so on until it succeeded, then the easiest means of preventing this form of password cracking would simply be to use longer passwords so that anyone attempting to brute force crack the password would give up long before they reached a password of the length you had chosen. The essential revelation was that if all possible passwords were going to be checked, it made no difference what characters those passwords contained, since they would all be checked eventually anyway. The only thing that mattered was the password's length. This could be summed up in the time honored way Size Does Matter. Searching for a name for this concept, someone in GRC's newsgroups suggested the proverbial needle in the haystack, which I loved. And of course we coined that password Haystacks on the web page that I created. That page has helped people appreciate the power of the math behind the idea that longer passwords will take much longer to crack. And that was 9.3 million visits ago. So that page has been quite popular and hundreds of people visited every day. I'm mentioning this today because although it took 13 years for NIST, the US National Institute of Standards and Technology, to catch up with this idea, they finally have Friday before last, Malwarebytes picked up on this news with their headline, your passwords don't need so many Fiddly characters, NIST says Malwarebytes wrote, it's once again time to change your passwords. But if one government agency has its way, this might be the very last time you do it. Nearly four Years of Work to update and modernize its Guidance for how Talk about Bureaucracy after nearly four years of work to update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their employees, the US National Institute of Standards and Technology has released its latest guidelines for password creation, and it comes with some serious changes. Gone, they write, are the days of resetting your and your employees passwords, and every month or so. And no longer should you or your small business worry about requiring special characters, numbers, and capital letters when creating those passwords. Further password hints and basic security questions are no longer suitable means of password recovery, and password length, above all other factors, they write, is the most meaningful measure of strength. The newly published rules will not only change the security best practices at government agencies, they will also influence the many industries that are subject to regulatory compliance, as several data protection laws require that organizations employ modern security standards on an evolving basis. In short, here's what NIST has included in its updated guidelines. They have six points, six bullet points Password Complexity Special characters Numbers is out. Password length is in as it has been for for years, they said. Regularly scheduled password resets are out. Password resets used strictly as a response to a security breach are in. Yes, basic. Yes, basic Security questions and hints for password recovery are out. Password recovery links and authentication codes are in. They said the guidelines are not mandatory for everyday businesses and and so there's no deadline to work against. But small businesses should heed the guidelines as probably the strongest and simplest best practices they can quickly adopt to protect themselves and their employees from hackers, thieves and online scammers. In fact, according to Verizon's 2025 data breach investigations Report, credential abuse, which includes theft and brute force attacks against passwords, is still the most common vector in small business breaches. And I wonder if that includes phishing, because technically you know, you get somebody's credential through phishing them. But anyway, Malwarebytes then went on into some additional detail which I'm going to share because it was interesting and relevant. So they said here's what some of NIST's guidelines mean from for password security and management, just to be clear. So first, the longer the password, the stronger the defense, they wrote. Password length is a primary factor in characterizing password strength, which of course is the point that the passwords haystack page has been making for 13 years, they wrote, NIST said in its new guidance. But exactly how long a password should should be will depend on its use. If a password can be used as the only form of authentication, meaning that an employee doesn't need to also send a one time passcode or to confirm their login through a separate app on a smartphone, then those passwords should be at a minimum 15 characters in length. If a password is just one piece of a multi factor authentication setup, then passwords can be as few as eight characters. Also, employees should be able to create passwords as long as, wait for it, 64 characters. Yikes. Number two less emphasis on complexity requiring employees to use special characters Ampersand, tilde, percent sign, number sign, so forth numbers and capital letters does not lead to increased security, NIST said. Instead, it just leads to predictable bad passwords. Quote A user who might have chosen password as their password would be relatively likely to choose password and followed by the numeral 1 if required to include an uppercase character oh, lowercase, uppercase p password and a1 on the end if required to include an uppercase letter and a number or uppercase P password1exclamation point if a symbol is also required, the agency said. Since users password choices are often predictable, attackers are likely to guess passwords that have previously proven successful. In response, organizations should change any rules that required password complexity and instead set up rules that favor password length. Third, no more regularly scheduled password resets, they wrote. In the mid 2010s it wasn't unusual to learn about an office that that changed its WI Fi password. Oh gosh, every week now. Yeah, right. You know, go to the, you know, coffee room or the water cooler to get today's, you know, corporate password written above on the chalkboard.

Leo Laporte (53:19)

Yeah, right.

Steve Gibson (53:20)

Wow, they said. Now this extreme rotation is coming to a stop. According to NIST's latest guidance, passwords should only be reset after they have been compromised. Yes, here NIST was also firm in its recommendation a compromised password must lead to a password reset by an organization or business. So definitely if it's compromised, duh. But otherwise never just make it really strong. Fourth, no more password hints or security questions Decades ago, they wrote, users could set up little password hints to, you know, like what was your first grade, your favorite first grade teacher name? Or that kind of crap to jog their memory if they forgot a password. And they could even set up answers to biographical questions to access a forgotten password. But these types of questions, like what street did you grow up on? And what is your mother's maiden name? Are easy enough to fraudulently answer in today's data breached world. In other words, it's easy to do some research on a person to get the actual answers of where they grew up and who their mother's maiden name was. Password recovery, they wrote, should instead be deployed through recovery codes or links sent to a user through email, text, voice, or even the postal service in Extreme tank. And I think that actually the our credit bureaus often use postal mail in order to do that. And fifth and final password block lists should be used, they said. Just because a password fits a list of requirements doesn't make it strong. To protect against this, NIST recommended that organizations should have a password block list, a set of words and phrases that will be rejected if an employee tries to use them. When creating a password quote, this list should include passwords from previous breach corpuses, dictionary words used as passwords, and specific words. For example, the name of the service itself that users are likely to choose, unquote, said nist. So this qualifies as big news. What NIST says paradoxically matters, since it drives official corporate and government policy. Although NIST has slowly been coming around for some time through the years, we've heard from so many of our listeners whose employers have been enforcing NIST's earliest arguably crazy guidelines, which required, for example, passwords to be changed regularly every 60 to 90 days, that we know it's widespread. I've obviously invested a great deal of time thinking about this stuff and Leo, I have never understood what problem this periodic enforced password change was ever supposed to solve and why it would have ever had any effect other than reducing security.

Leo Laporte (56:45)

It was created, as I remember, by a guy about 40 years ago writing password recommendations for NIST. And when somebody asked him about it, he said, yeah, I just thought it was a good idea. It was never, it was never justified in any way by any logic or reason.

Steve Gibson (57:06)

It's, you know, it's not as if passwords are osmotically seeping out of the storage location that held them so that a new password should be put into effect before the entire previous password has had time to finish fully seeping out of its storage. You know, none of it ever made any sense.

Leo Laporte (57:26)

So his name was Bill Burr. B U R R the He. There's a story from the BBC here. I'll, I'll show it to you. Let me. Oh, I've got to turn on my camera again. That's right. I, I left and came back. There's a story. This is a few years ago, but I remember in 2017 reading this and it stuck with me. This is so, by the way, 2017, eight years ago, this guy who wrote it, he had advised users to change your password every 90 days into muddle up words by adding capital letters, numbers and symbols. The problem is the theory came unstuck in practice. This was in 2003. He now says I was barking up the wrong tree. It was the original device was distributed by NIST.

Steve Gibson (58:19)

And it became Hacker Speak. Right. Like, like, yeah. Example, Late speak.

Leo Laporte (58:23)

Yeah. Which every, by the way, hack password cracking tool immediately tries.

Steve Gibson (58:29)

Yep. Turn the O into 0, turn the E into 3 and so forth.

Leo Laporte (58:34)

Yeah, yeah. He, he even knew this was a mistake in 2017, but took NIST all his time.

Steve Gibson (58:48)

So, you know, things are now significantly more sane. As of now, we have new official NIST guidelines that can be, as I said earlier, waved around in front of the IT department of anyone.

Leo Laporte (59:03)

That's the problem is that the IT department doesn't they're not reading these updates. No, they changed their policy back in the day and they ain't going to fix it. Right.

Steve Gibson (59:12)

So I made this today. Today's GRC shortcut of the week.

Leo Laporte (59:16)

Good.

Steve Gibson (59:17)

So anyone can get the new NIST guidelines by going to GRC SC 1048. GRC 1048. That will take you to the browser page of the NIST website for special publication 863B as in Baker. And I've also got the full link in the show notes. Anyway, thank goodness and you know if any of our listeners are being, are being driven nuts by being under this 60 to 90 day password chain, I mean we've heard like there are, there are like so much resources gone into this, right? Like you can't, oh, you can't use any password of the last five and so we've had people who because they're so annoyed by this, they will make 5 password changes in a row and then immediately go back to their original password, flush the mru, the most recently used password list out of the system so that they can just stay with the password that they want. I mean it just, this is the kind of crazy workaround behavior that bad policy begets. So, so nice that this is over officially. So now we just have to flush it out of the rest of the system. We know that won't take like it won't be overnight but again, GRC SC 1048, that'll get you the new guidelines. It'll get your IT department the new guidelines and tell them okay, kill this. I mean they can just turn that off. That's got to be easy to do, right? Just not like they have to implement anything new. Just turn off the timer on the, on the password reset enforcement. So as I mentioned, news of Scattered Lapsus Hunters demise was greatly was greatly exaggerated. A couple weeks back I reported that the group Scattered Lapses Hunters, which we know is the amalgam of several other prominent groups, had declared its officially declared itself done and disbanding that. But then some of just last week's news brought that claim into question and now we have pretty clear evidence that the group remains a going concern. Last Thursday Joseph Cox with a highly respected 404 Media Group published a short piece with the headline Hackers Docs. Hundreds of dhs, ice, FBI and DOJ Officials. And the subhead was Scattered Lapses Hunters. One of the latest amalgamations of typically young, reckless and English speaking hackers posted the apparent phone numbers and addresses of hundreds of government officials, including nearly 700 from DHS, the Department of Homeland Security in the U.S. so not much more is known at about that at this time. But I did want to formally take back any suggestion that scattered lapses hunters had in fact disbanded. All of the evidence since we saw that claim suggests they just threw that out for shits and giggles. Who knows why? Just, you know, it's just not at all true.

Leo Laporte (62:44)

Okay.

Steve Gibson (62:45)

Now, did the NSA hack into China? As our listeners know, I've often bemoaned the lack of any news of offensive US cyber operations being carried out by the US and aimed at our cyber adversaries, of which we have a few. Just to be clear, I would much prefer that no one was attacking anyone else. Let's just not have any of this. But since we've been buried in reports of Russian, North Korean and especially China's state sponsored cyber attacks against the West, I'll admit that it was not unwelcome to encounter the Associated Press headline quote China accuses U S of cyber attack on National Time Center. That's kind of welcome news though it, you know, might have been more useful if it's both true and if the U S had not been caught. Because you want this to be happening but not to get caught at it. So here's what the Associated Press reported out of Beijing day before yesterday. They said China on Sunday accused the U.S. national Security Agency of carrying out cyber attacks on its National Time center following an investigation saying any damage to related facilities could have disrupted network communications, financial systems and the supply of power. The Ministry of State Security alleged in a WeChat post because that's the way we do things now I guess in a WeChat post that the US agency had exploited vulnerabilities in the messaging services of a foreign mobile phone brand to steal sensitive information from devices of the National Time Service center staff in 2022. So three years ago and so this sounds like apps insecure apps in some mobile phone was used to infiltrate the the devices of staff at the National Time Service center probably obtained their authentication credentials and then began to have some fun the there was no specification as to the phone brand they wrote the US agency also uses I I love this 42 types of special cyber attack weapons that's good. You know we got it. We got a few to target the center's multiple Internet internal network systems and attempted to infiltrate a key timing system between 2023 and 2024 it said it said it had evidence but did not provide it in the post on WeChat it said the time center is responsible for generating and distributing China's standard time. As you would expect, maybe a time center would. In addition to providing timing services to industries such as communications, finance, power transport and defense, it had provided guidance to the center to eliminate the risks. Meaning the. The Ministry of Security provided guidance to the time setter. It said, quote, the U. S. Is accusing others of what it does itself. Yay. Repeatedly hyping up claims about Chinese cyber threats. While they don't seem very hyped up, they seem quite real. You know, we were talking about the consequences of them all the time. Western governments in recent years, they wrote, have alleged hackers linked to the Chinese government have targeted officials, journalists, corporations and others. The ministry's statement could fuel tensions between Washington and Beijing on top of trade, technology and Taiwan issues. The US Embassy, for its part, did not immediately comment. So, as we know, it's certainly true that the west has been moaning about Chinese state sponsored attacks for a long time. So I'm not unhappy to finally hear Chinese authorities complaining that the NSA has similarly been crawling around inside their networks for many years. As it turns out, it would be better to have, you know, peace maintained for reasons other than mutually assured destruction. But if that's the only way we can have peace in a world with mutually aggressive governments, then at least we should have some peace, even though it might be somewhat less stable than it could be. So I again, as I've often said, it would be nice to know that we're giving as much as we're getting. And maybe we are. So if I had a dream job, Leo, patriotic as I am, I, I, you know, hacking legally, boy, what fun would that be? So we're at an hour in, let's take a break and then we're going to look at an instance of security through obscurity. And you're muted.

Leo Laporte (68:22)

How about that?

Steve Gibson (68:23)

There you are.

Leo Laporte (68:25)

Sorry about that. Yes, let's take a break and then we will talk about your. What did you say? Security through obscurity?

Steve Gibson (68:35)

What? Why would satellites bother encrypting everything that they're that's raining down in the sky?

Leo Laporte (68:42)

Nobody ever looks up there.

Steve Gibson (68:43)

I can't see them. I looked up there. I didn't see.

Leo Laporte (68:45)

Invisible.

Steve Gibson (68:46)

No.

Leo Laporte (68:46)

Our show brought to you by Threat locker. If you're in business, you're not invisible to hackers. They're out there, man. They're going after you. Ransomware is rampant, you know that, right? Harming businesses worldwide. How are they doing it? Well, every way possible. Phishing, emails, infected downloads, malicious websites, malvertizing RDP exploits. Look, don't be the next victim. Threat Lockers Zero Trust platform that should, by the way, as soon as I say zero touch, you should get a little chill down your back. Like yes, the gold standard Threat Locker Zero Trust platform takes a proactive and these are the three key words here. Deny by default. Love that they take a proactive deny by default approach that blocks. It just blocks every action unless you explicitly authorize it. Every unauthorized action blocked. Protecting you from both known and unknown threats. That's why companies that can't afford to be down for even one minute trust threat locker global enterprises like JetBlue, the Port of Vancouver. You don't want the Port of Vancouver shut down by ransomware. They don't either. That's why they use Threat Locker. Threat Locker shields them and can shield you from zero day exploits and supply chain attacks while providing complete audit trails for compliance. ThreatLocker's innovative ring fencing technology isolates critical applications from weaponization. See, we've just assumed if somebody's in the network, oh, they must be one of us. Let them have it. No, no. That's why Zero Trust is so effective. Applications are shielded. This completely stops ransomware. It limits lateral movement within your network. Threat Locker works in every industry. It supports PCs and Macs. It provides 24. 7 support from the US and they enable comprehensive visibility and control, which is great for your compliance. Ask Mark Tolson. He's the IT Director for the city of Champaign, Illinois. He knows city governments are often the target of ransomware attacks. That's why he chose ThreatLocker. He says, quote, Threat Locker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing Threat Locker will stop that. That's the key. Stop worrying about cyber threats. Get unprepared precedented protection quickly, easily and cost effectively. With threat locker. Visit threatlocker.com TWIT get a free 30 day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com TWIT we thank them so much for their support of security. Now we love Zero Trust and this is the easiest, most effective, cost effective way to do it. Threatlocker.com/twitch Steve so when I heard the.

Steve Gibson (71:46)

News of this next story, my first thought was that it was a classic example of security through obscurity. Our listeners know that I've sometimes decried the pronouncements of online tech weenies whose soul chant Issued to anyone who hides anything is security through obscurity is no security. You know, it's as if after being exposed to that one concept, they feel like now they're a security expert every time they echo it. And you know, such flippant remarks are annoying because actual security mechanisms are not so simple. Right. For example, the gold standard of flexible encryption is public key crypto. Its power is that one of its two keys is made public by design. But then we go to extreme lengths to keep their matching private keys secret. So is that security through obscurity? No, it's security through secrecy. Since all security inherently depends somewhere upon secrecy and secrets, the actual security provided by any security system depends upon our ability to keep those dependent secrets a secret. So I started off saying that when I heard the news of the story, I was put in mind of security through obscurity because in contrast to the misuse, misuse of that phrase which I see all the time, there are certainly some instances where a system was just assumed to be secure only because no one had even ever bothered to check to see if anyone had locked the door. Boy. Researchers from the universities of San Diego and Maryland thought to aim a commercial off the shelf satellite dish upward, which, you know, being an antenna dish for talking to satellites in the sky is sort of the obvious direction to point it. But what they discovered is perhaps the best definition of, of security through obscurity imaginable. Talk about not locking the door. Apparently, because most people do not have their own satellite dishes aimed at the sky. And even when they do, it's hooked to some box that's selecting only what it should out of what's available. An astonishing amount of important data turns out not to be encrypted and is in no way protected. Obscure, kinda secure, not even a little bit. Details of what they discovered were recently announced by the universities whose, whose members perform the research. The summary of their findings reads, quote, we pointed a commercial off the shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary. They and they abbreviate that geo. Geo. Geostationary satellite communication. This is them saying a shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens, voice calls and sms, and consumer Internet traffic from in flight, wi fi and mobile networks. This data can be passively observed by anyone with a few hundred dollars of consumer grade hardware. There are thousands of geostationary satellite transponders globally and data from a single transponder may be visible from an area as large as 40% of the surface of the earth. So these are not just beams going down, they're just a widespread spray of, of radio unencrypted in the clear. Data being blindly and widely beam down onto us from above, including critical infrastructure, internal corporate and government communications, private citizens, voice calls and sms, consumer Internet traffic and more. And all apparently happening because no one ever thought to look up. So under their topic what type of network traffic was exposed, they broke it down into six categories. We've got cellular backhaul, they said. We observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas. This traffic included unencrypted calls, SMS and end user Internet traffic, hardware IDs, you know, the M, the, the IMSI numbers and cellular, get this, cellular communication encryption keys, all for the taking. Also we have military and government, they said we observed unencrypted VoIP and Internet traffic and encrypted internal and internal communications from ships. Unencrypted military traffic traffic for military systems with detailed tracking data for coastal vessel surveillance and operations of a police force. Then there was inflight WI fi. We observed unprotected passenger Internet traffic destined for inflight WI FI users on airplanes. Visible traffic included passenger web browsing, DNS lookups and HTTPs traffic. Encrypted pilot flight information systems and in Flight Entertainment, VoIP. Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call, audio and metadata from end users. Internal commercial networks. Retail, financial and banking companies, Retail, financial and banking companies, they wrote, all used unencrypted satellite communication for their internal networks. We observed unencrypted login credentials, corporate emails, inventory records and atmosphere networking information. And you know, as I'm reading this, I'm thinking maybe China should be the least of our worries because we're, we're just, we're not even protecting ourselves. You don't have to do anything, spy on us.

Leo Laporte (79:06)

They just buy a $750 device and listen.

Steve Gibson (79:09)

Yeah, you know, with today's new SDR software defined radios and the, and the, and the inexpensive availability of, of, of satellite dish antennas. I think it would be kind of a fun pastime. Some people have like high power telescopes, optical telescopes. Get yourself a dish and see what lands.

Leo Laporte (79:33)

By the way, Steve Wozniak, very famously I remember him talking about sitting in his living room listening to unencrypted phone conversations. Back in the earliest days of cell.

Steve Gibson (79:43)

Phone communications and it's only gotten juicier since.

Leo Laporte (79:47)

Yeah, he loved it.

Steve Gibson (79:50)

I think it would be fun. Anyway, Finally, Critical infrastructure Power utility companies and oil and gas pipelines use GEO satellite links to support remotely operated SCADA infrastructure and power grid repair. Tickets all there for the viewing. So the researchers paper, which will be published in the proceedings of the 32nd ACM Conference on Computer and Communications Security, or lack thereof, which will be held in Taipei, Taiwan, is titled don't look up. There are sensitive internal links in the clear on GEO satellites, so I've included a link to their full paper in the show notes. But just to give everyone a bit of additional feel of flavor for the content of the the data that constantly pouring down over all of our heads, here's what the paper's abstract explains. It says geosynchronous satellite links provide IP backhaul to remote critical infrastructure for utilities, telecom, government, military and commercial users. So just to clarify, so they're saying that in in isolated areas where you can't run fiber or any kind of electrical, you know, communications lines like, you know, the boonies, what is often done is a satellite dish is stuck there aimed up at a geosynchronous satellite which is used to connect this out of the way backwater zone into a larger network. And unfortunately, because that whatever it is, that device is used to being connected to a private network, the even though this is now being bounced through the sky in order to reach it, the network is still treated as if it were private, meaning unencrypted. So you get to see what's on this private network, they wrote. To date, academic studies of GEO infrastructure have focused on a handful of satellites and specific use cases. We perform the first broad scan of IP traffic on 39 GEO satellites across 25 distinct longitudes with 411 transponders using consumer grade equipment. Nothing fancy. Here we overcome the poor signal quality plaguing prior work and build the first general parser that can handle the diverse protocols in use by heterogeneous endpoints. We found 50% 5, 0% half of geo links, meaning data links, contained clear text IP traffic. While link layer encryption has been standard practice in satellite TV for decades, IP links typically lacked encryption at both the link and the network layers. This gives us a unique view into the internal network security practices of these organizations, which is a kind way of putting they didn't bother. We observed unencrypted cellular backhaul traffic from several providers, including cleartext, call and text contents exactly like you were saying, Leo. W listening to people talking on the phone. Job scheduling and industrial control systems for utility infrastructure, military asset tracking, inventory management for global retail stores and in flight, WI fi. So in other words, no one really took the trouble before now to look closely at what was going on. These guys did, and what they discovered was a profound lack of security. Satellite television has always been encrypted because that was always part of its business model. Pirating early satellite TV was a cottage industry. But what we see of the ip, the Internet protocol traffic is the same thing we see of the Internet itself. As we know the Internet's networking just like internal corporate networking at the link layer, that is the physical layer is still today and always has been entirely unencrypted. Encryption was added as an afterthought only where it was deemed necessary and, and only at the application layer. It still doesn't exist at the link layer. So what appears to have happened is that satellite links have been used as simple network extenders, extending the reach of existing industrial, corporate, major retail. Actually it was Walmart it turns out in the paper it's made clear. And even military networks through satellite links, where those links themselves have never been and to this day remain completely in the clear and unencrypted. So they have an 18 page paper and I cannot recommend or that our listeners look at this thing. It is chock full of really interesting tidbits. It's fantastic work and I could easily spend several podcasts just detailing all of the nuances and motivations that they discovered in, in, in this paper. But there's much more that needs our attention. So they. For, for what it's worth the reset, the researchers acted responsibly and they worked to notify all of the affected parties that they encountered and there were many. If shining a very bright light on this doesn't get it fixed, then nothing will. And it appears to that to me that nothing will. Anyway, there is a link to their full paper. It's a PDF, 18 pages on near the top of page 11 of the show notes. Again, I had a hard time not spending more time on this because there's so much cool stuff in this 18 page paper and, and seriously I. What's the law, Leo? If something is being broadcast to our home and we have an antenna, I think it's legal. You can pick it up to it.

Leo Laporte (86:46)

Absolutely.

Steve Gibson (86:47)

Yeah. Yeah. So what a fun. I, I think what a, what a fun project for maybe a, a mom or I mean a mom, maybe a techie mom. But I think of it, I guess, you know, like, you know, for a youngster who's precocious and set up a antenna there.

Leo Laporte (87:05)

Yeah, yeah. Get the kid involved. Yeah, it's good.

Steve Gibson (87:08)

Aim a dish at the sky stem. Yeah, exactly.

Leo Laporte (87:12)

Well, you know, when you were a kid, I'm sure you did this. I did this. I had a shortwave radio and it was so much fun at night to tune up and down the dial and get radio stations from all over the world. Now kids can listen to, you know, important corporate phone calls. Just tune down.

Steve Gibson (87:28)

And I definitely had a radio at one point later when I was a young adult which could receive cell phone frequencies.

Leo Laporte (87:38)

Oh.

Steve Gibson (87:38)

And what was interesting was that you only heard one half of the conversation.

Leo Laporte (87:43)

That's what wise would say. But you could infer the other half.

Steve Gibson (87:46)

Well, yes, and I. I heard clear evidence of. Of men giving their wives excuses for why they weren't coming right home. It was, you know, odd, the conversations in the afternoon.

Leo Laporte (88:00)

You learn a lot. See kids, you can learn a lot. You don't need that social network account on your phone. Just get a satellite listening device.

Steve Gibson (88:08)

Old school, baby. Old school had something going for it.

Leo Laporte (88:14)

It's only 750 bucks worth of equipment. Anyone can do it.

Steve Gibson (88:18)

And I'll bet you.

Leo Laporte (88:19)

You should do it, Steve. You should do it.

Steve Gibson (88:22)

If I had the time, I got other priorities.

Leo Laporte (88:24)

But what would you need that would be. That would be fun for retirement? Yeah. Yeah.

Steve Gibson (88:28)

You just need an SDR and a satellite dish. I think you could probably do it for a couple hundred bucks.

Leo Laporte (88:33)

Probably could, yeah. A software defined radio, so. And most ham radios are software defined these days. And you certainly there's software out there that you can use to do that. So. Yeah, great little hobby.

Steve Gibson (88:44)

All the documentation is. Is in the public. All of this, all the protocols, all the frequencies. You probably just ask Claude or something, write me some code and what are the frequencies that I need to scan and you know, you'll get it.

Leo Laporte (88:58)

What would you listen to? Sellback Hall. Military Vessel Tracker. Telecom, Retail.

Steve Gibson (89:05)

Corporate. Internal corporate email. That would probably be interesting.

Leo Laporte (89:08)

Fun. Yeah, Be fun. Aviation. Yeah.

Steve Gibson (89:14)

Yeah.

Leo Laporte (89:14)

A lot of these stuff. Unencrypted radio traffic on the radio waves, right?

Steve Gibson (89:21)

Yeah. Maybe you'll find like random numbers being beamed down from the skies. Like what are these?

Leo Laporte (89:26)

What? Why? Num. The numbers stations. If you ever find out what that's about, I hope you will share that with us. This I'd like to know myself.

Steve Gibson (89:34)

Okay, so we've often commented that security and other risks accrue anytime Everyone is using the same solution. You were just talking about the, the, the fact that the government can clamp down on app downloads because they only come from two stores. So this is generically, generically referred to as a dependence upon a monoculture. Diversity brings huge benefits. We've worried about, you know, for example, the world becoming chromium browser centric, where all web browsers are essentially based on a single code base. So far, Safari and Firefox have been maintaining their own. So that's good. And one of the most powerful design benefits of the Internet's autonomous packet routing architecture has been its resilience in the face of trouble. If links to one router go down, packets can route around the trouble, taking different paths to still reach their destination. That was part of the original design. Problems can arise when this massively decentralized and inherently resilient design is eschewed in the pursuit of market dominance. Much as I love Cloudflare and so much of the work they do, I'm always made a bit nervous by the outsized power they inherently wield by virtue of their size and the percentage of the world that's being serviced by a single organization, any single organization.

Leo Laporte (91:14)

You could say the same thing for Google. It's always bugged me that Google's enforcing these. Admittedly, you know, HTTPs everywhere is a good idea, but Google shouldn't have so much power that they can do that. Right?

Steve Gibson (91:26)

Yeah, yeah. And of course this, the, the, the, you know, Google might have our interests, you know, in mind, although, as does.

Leo Laporte (91:37)

Right.

Steve Gibson (91:37)

I loved what you're talking about, or I guess you and the guys over on MacBreak Weekly talking about how unfortunately Alexa is just a consumer sewer.

Leo Laporte (91:50)

You know, it's an, it's an ash.

Steve Gibson (91:51)

I just said the A word. Sorry.

Leo Laporte (91:52)

But that's okay.

Steve Gibson (91:54)

Yeah, it is. It's all about selling you stuff. And you know, I was thinking that maybe I would use that to, for my, for my own home automation, but no way am I going to, you know, put up with.

Leo Laporte (92:06)

I have a zero for being used, an iPhone. So I think, yeah, you will be there. I think that's going to be the way to go once it gets more sophisticated, I guess.

Steve Gibson (92:15)

And Apple indicates they're really going to put a go for a push for it.

Leo Laporte (92:19)

So I hope they do that. Yeah.

Steve Gibson (92:21)

So anyway, problems can arise when, when there's too much of this centralization. What Cloudflare and others have grown into, however, is not the Internet way. That's every bit as true for Amazon's AWS services as it is for Cloudflare. And just yesterday the entire Internet learned exactly what can happen. Yes, when the aggregated services offered by a single provider are inadvertently withdrawn from the world. The Verge's headline yesterday was Major AWS Outage Took down Fortnite, Alexa, Snapchat and more with the subhead. The cause of the AWS outage is currently unclear. Okay, so now the first trouble I experienced, and you know, many people did yesterday morning when I attempted. What was when I attempted to get to the IMDb website and received a 503bad Gateway error. It's like, what. Not, you know. But it was the Guardian's coverage of this and their take on yesterday's serious outage that really resonated the most for me. The Guardian's headline was Amazon Web Services Outage shows Internet users at mercy of Too few providers. Experts warn with a subhead crash that hit apps and websites around the world demonstrates urgent need for diversification in cloud computing. Okay, I just want to mention that since this. I've. Several of our listeners who got yesterday's show notes early have sent me some feedback. A couple of them noting there was actually a. A computerized bed somewhere that. Where it's you. You stopped being able to raise and lower the bed because of the AWS outage. Believe it or not, the user, like the. But the buttons that the user pressed had to go out on the Internet.

Leo Laporte (94:43)

Yikes.

Steve Gibson (94:44)

In order for the, for the signal to come back to the bed in order to lift or lower the, the, the foot rest or the back of it or something. I mean, so at some point you also have to accuse, you know, designers of doing a bad job of design because the idea of your bed requiring Internet connectivity strikes me as a little extreme.

Leo Laporte (95:08)

But yeah, okay, a lot of it. I bet there's a lot of it.

Steve Gibson (95:12)

Like. Yeah, yeah, I mean, I would imagine outlet plugs and lights and things, you know, that, that are, that are on timers. Yes, so the Guardian wrote. Experts have warned of the perils of relying on a small number of companies for operating the global Internet after a glitch at Amazon's cloud computing service brought down apps and websites around the world. And I should mention not the first glitch there was there. There have been a few through the years and we just all come rushing back, they wrote. The affected platforms include Snapchat, Roblox, Signal and Duolingo, as well as a host of Amazon owned operations, including its main retail site Ouch. And the Ring Doorbell company. More than 1,000 companies worldwide were affected. According to Down Detector, a site that monitors Internet outages with 6.5 million reports of problems from users, including more than 1 million reports in the US, 400,000 in the UK and 200,000 in Australia. In the UK, Lloyd's bank was affected, as well as its subsidiaries Halifax and Bank of Scotland, while there were also problems accessing the HM Revenue and Customs website. On Monday morning, also in the uk, Ring users complained on social media that their doorbells were not working. In the UK alone, reports of problems on individual apps ran into the tens of thousands for each platform. Tens of thousands. Other affected platforms around the world included Wordle, Coinbase, Duolingo, Slack, Pokemon GO, Epic Games, PlayStation Network and Peloton.

Leo Laporte (97:03)

Not Pokemon Go. No, I know.

Steve Gibson (97:06)

What are you gonna do? No. By 10:30am UK time, Amazon was reporting that the problem, which first emerged at about 8am was being resolved as AWS was, quote, seeking or seeing significant signs of recovery. Referring to the U.S. east coast region, at 11:00am it added, quote, we can confirm global services and features that rely on US Hyphen east one, that's the designation for the for that chunk of AWS have also recovered, although actually I can confirm that recovery was actually quite slow, they said. Experts said the outage underlined the dangers of the Internet's reliance on a small number of tech companies, with Amazon, Microsoft and Google playing a key role in the cloud market. Dr. Corinne Cath Step, the head of digital and at human rights organization Article 19, said the outage underlined the dangers of placing too much digital infrastructure in a small number of hands. She said, quote, we urgently need diversification and cloud computing. The infrastructure underpinning democratic discourse, independent journalism and secure communications cannot be dependent on a handful of companies. Corey Kreider, the executive director of the Future of Technology Institute, a think tank that supports a sovereign technology framework for Europe, said, quote, the UK cannot keep leaving its critical infrastructure at the mercy of US tech giants. With Amazon Web services down, we've seen the lights go out across the modern economy from banking to communications. Madeline Carr, professor of Digital politics, I'm sorry Global Politics and Cybersecurity at University College London, said it was hard to disagree with warnings about the over reliance of the global Internet on a small number of companies. The counter argument is that it's these large hyper scaling companies that have the financial resources to provide a secure global and and resilient service. But most people outside those companies would argue that this is a risky position for the world to be in. Amazon reported that the problem originated in the east coast of the US At Amazon Web Services, a unit that provides vital web infrastructure for a host of companies which rent out space on Amazon servers. AWS is the world's largest cloud computing platform. Shortly after midnight Pacific Daylight time in the US 08:00am BST, Amazon confirmed increased error rates and latencies for AWS services in a region on the east coast of the US the ripple effect appeared to hit services around the world, with Down Detector reporting problems with the same sites on multiple continents. Cisco's Thousand Eyes service that tracks Internet outages also reported a surge in problems on Monday morning, with many of them located in Virginia, the location of Amazon's US east region, where AWS said the problems began and where AWS has a number of data centers. Rafe Piling, the director of threat Intelligence at the security firm Sophos, said the outage appeared to be an IT issue rather than a cyber attack. And we, we know that's the case now. It messed it, it was a DNS problem that was really bad and that affected access to a critical database that Amazon, that AWS runs. They said AWS Online Health dashboard referred to DynamoDB, that's it, its database system where AWS customers store their data. He said when anything like this happens, the, the concern is that it's a cyber incident and that's understandable. AWS has a far reaching and intricate footprint, so any issue can cause a major upset. In this case, it looks like it's an IT issue on the database side and they'll be working to remedy it as an absolute priority. The UK government has said it's in contact with Amazon over Monday's Internet outage. A government spokesman said, quote, we're aware of an incident affecting Amazon Web Services and several online services which rely on their infrastructure. Through our established incident response arrangements, we are in contact with the company who are working to restore services as quickly as possible. So, okay, when I hear these people saying, oh, you know, it's really a problem that there's this over reliance, it's like no one's forcing you to use aws, Right. I mean, there are a lot of alternatives. There are a lot of smaller outfits, there are a lot of, you know, big other ways you could go.

Leo Laporte (102:10)

There's many choices when it comes to cloud.

Steve Gibson (102:13)

Yeah, right.

Leo Laporte (102:14)

And so AWS is just the default, isn't it? It's just.

Steve Gibson (102:17)

Yes, it's like, it's like IBM in the old days. Exactly. No one ever got fired for choosing IBM was the, what was the saying back then? Yeah, and for the most part it's it's up, it's reliable, it's strong. I'm sure the price is right, which is why everyone uses them, unfortunately. The flip side is everybody goes down. It takes everybody down.

Leo Laporte (102:41)

Yeah, that's pretty amazing. Wow. And it was so. It was an IT error. It wasn't gateway protocol or something. It was just some misconfigured DNS.

Steve Gibson (102:52)

It was a misconfigured DNS and it propagated and then disconnected their DynamoDB that everything depends upon and everything just kind of. It was a. It was funny. There was in the AWS announcement that I saw. They saw. They listed the various systems that were affected and then the specific AWS systems. And it was like it went on and on and on. And. And then I saw the total. It was 143 different AWS systems, which essentially is just all of them just basically cascading failure. We're gone. We're off the net.

Leo Laporte (103:30)

Yeah.

Steve Gibson (103:32)

Okay, Leo, it's feedback time. After we take a break. And then. Oh, boy. This first bit of feedback is one that many of our listeners picked up on that I missed last week.

Leo Laporte (103:46)

I. Apparently I did, too. I didn't. Okay. I thought you. I thought last week's show was absolutely letter perfect. Not one single problem. Wow, I'm shocked. We are.

Steve Gibson (103:57)

We are human. And maybe there's a little bit of senile dementia creeping in.

Leo Laporte (104:01)

Maybe. Okay.

Steve Gibson (104:03)

Because.

Leo Laporte (104:03)

Okay.

Steve Gibson (104:03)

Stuck on the same floor.

Leo Laporte (104:05)

Yeah.

Steve Gibson (104:07)

Okay, well.

Leo Laporte (104:08)

Well, we'll get to the feedback section in just a moment. But first, I got some feedback for you, our sponsor. If you've. Delete me. If you've ever looked on the Internet for your name, don't. Okay? Don't. But if you've ever wondered how much personal data is out there on the Internet, I can tell you more than you think. Your name, your contact info, your Social Security number. Yes. Your home address, even information about your family members. And the thing is, this is just kind of randomly showing up on the Internet. This is being compiled by hundreds of companies, they're called data brokers, who collect this information about you and then sell it online to the highest bidder. And that can be anybody from a neighbor who just wants to know how much money you make to law enforcement who wants to figure out what you've been up to, to foreign governments. You know, we talk about China spying on us. They don't need to. They can just buy it on the Internet. Anyone anywhere on the web can buy your private details. And you can imagine the consequences. Everything from identity theft to Phishing attempts. You ever wonder why you at your phone number keep getting, you know, text messages from people who say they know you doxxing harassment. Well, now you can protect your privacy with our sponsor, Delete Me. Look, I am in the public. I tell people what I think all the time. Our company is a public company. Right. And our executives are, as a result, somewhat in the public. This all came home to us when we got phishing text messages purporting to be from Lisa to her direct report saying, hey, I'm in a meeting, go buy some Amazon gift cards and mail it to this address for a client. And fortunately, we have a very smart staff. But that was a very compelling text message because it had her name, it had her phone number, her phone number, their phone number. It had a lot of information. That's what you know. These phishing folks, the more they know about you, the easier it is to hack you. That's when we decided to subscribe to Delete Me. And it really works. It is so easy to find personal information about people online. So I recommend we use Delete Me. Delete Me is a subscription service that removes that personal information from hundreds of data brokers. It is not illegal to be a data broker. Surprisingly, it's not even illegal to sell somebody's Social Security number. You should, that should be illegal. But there is one little loophole. There is a law that requires data brokers to have a removal page somewhere, hidden somewhere on their site. The problem is it's in a different place everywhere. If you find it good, now you've got that data broker. Now there's only several hundred more to visit and find and delete. And then there's even more problems because guess what? Those data brokers just don't go, oh, yeah, you're right, I'll never do that again. No, they start collecting the information all over again. Plus there's new data brokers every day. It's such a profitable business. So here's what you need to do. You need to sign up with Delete Me. You give them some information that the stuff that you want deleted. Their experts take it from there. They know where to go for each and every data broker and they will get it taken down. And then they will continue to monitor and continue to take it down. You'll get regular personalized privacy reports from Delete Me showing what they found, where they found it, what they removed. So you know, they're at work. And again, it's not a one time service and it shouldn't be. It needs to be a kind of continual process. And Delete me is always doing that. They're always working for you, constantly monitoring and removing the personal information that you don't want on the Internet. By the way, that's important. Just the stuff you say no to. So you have a lot of control over what they're, what they're taking down. To put it simply, Deleteme does all the hard work of wiping you and your family's personal information from data broker websites and they keep it doing it again and again and again to make sure your privacy is protected. Take control of your data and keep your private life private by signing up for DeleteMe. We've got a special discount for our listeners today. Get 20% off your Delete Me plan when you go to JoinDeleteMe.com TWiT and use the promo code twit at checkout. The only way to get 20% off is to visit joindeleteme.com twd and use the code twitter checkout join deleteme.com twit offer code twit don't google deleteme or go to delete me.com There's a European company at that address. It's not the same thing. You gotta go to the right address. And I found this out because somebody said, you know, I went to deleteme.com they don't do what you said that they do. That's a different company and because it's in Europe, I guess nothing we could do about it. So make sure you do the right address. Join Deleteme all1word joindeleteme.com Twitter code twit these are the guys that will remove your information from data brokers and they'll keep on doing it. Join DeleteMe.com Twitter code Twitter Twit for 20% off all individual privacy plans. All right, all right. Now back to Steve Gibson, the error prone. No.

Steve Gibson (109:40)

I was tempted to title today's podcast you forgot to press Star after reading one of our listeners humorous bits of feedback. Huh?

Leo Laporte (109:53)

Brilliant. They're right.

Steve Gibson (109:57)

Yes, they are. Several less senile and more sharp eyed listeners than we posted to GRC's Security now news group. And many listeners sent feedback email about something I missed last week. And I do hope this is not a sign of our early onset dementia.

Leo Laporte (110:16)

Oh, you know what? No, no, no, no. I went right along with it too. I think that makes sense.

Steve Gibson (110:21)

I know I saw that the first word of each of the first four lines of our picture of the week last week was, you know, if you know, for access to elevator, one must ask the desk to get the new code seven times to remember. And then it said, starry blue skies ahead. And I remember thinking, okay, well, that's kind of odd, but I figured it was just thrown in there to make the rest of it seem a little less obvious. No, the keypad has a star and a pound key. Of course, I have a feeling that you and I would be stuck on that floor.

Leo Laporte (111:00)

He's saying, where's my starry skies? I don't see any starry blue skies.

Steve Gibson (111:04)

Why didn't the elevator.

Leo Laporte (111:05)

Four digits.

Steve Gibson (111:06)

Yeah, why didn't the elevator come? I don't know. Anyway, thank you, listeners. Yes, you were on the ball. You noted that we didn't read the last line of the Secret.

Leo Laporte (111:17)

Well, we read it, we just didn't understand it. Fooled us. So if we're ever on the memory care ward, we're going to be stuck there. I hate to tell you, Steve, I'm.

Steve Gibson (111:25)

Going to try to remember to do the last line, too.

Leo Laporte (111:28)

I know there's something I'm forgetting.

Steve Gibson (111:31)

Stephen Palm said it seems like this was inappropriately focused on Apple products and specifically iPhones. He said it should be noted that Google, Microsoft and some Linux distributors. Oh, he's talking about Texas SB 2420. He must have had that in the subject line. He said, Google, Microsoft, some Linux distributions, Amazon, Docker, Synology, Netgear routers, game consoles, modern digital cameras like Sony, HP printers, smart TVs, and a lot more. He forgot the garage door opener. Have a marketplace where you can shop and pay for an app or expansion or upgrade of some sort. Even some cars. He said the legislation is doomed. Okay, so we now know that the legislation's constitutionality has been challenged, even though, as I noted earlier, my guess is that it's. It may be survivable in some state, although maybe get trimmed down and survive, much as HB 1181 did before it. But Stephen's note about, like all of these other things made me curious about what SB2420's legal definition of an app store was. And indeed, it's frighteningly broad. The legislation reads, quote, and this is from clause 2 of the Actual legislation, which I tracked down. App Store means a publicly available Internet website, software application or other electronic service that distributes software applications from the owner or developer of a software application to the user of a mobile device. Okay, so at least we have mobile device as a. As a parameter there. But still Internet website, software application or other electronic service that distributes Software applications from the owner or developer of a software application. So that is a broad definition. This means that it is at least constrained to platforms that distribute software applications to mobile devices. And we know that what the legislation's intent is is it's squarely aimed at the major app stores, as Leo, as you said, for Apple, iPhones and Android smartphones. Thus Google Play. So it's probably less dire than Stephen was suggesting in. In his note. And on the receiving end of this download, the legislation defines mobile device. That's their paragraph 4 at the top of the legislation, which reads mobile device means a portable wireless electronic device, including a tablet or smartphone, capable of transmitting, receiving, processing and storing information wirelessly, that runs an operating system designed to manage hardware resources and perform common services for software applications on handheld electronic devices. Okay, so that's also pretty tightly specified. And it means that, as Stephen enumerated, Synology, nas, Netgear, routers, game consoles, modern digital cameras, printers and smart TVs would not be swept up by SB2420. It's only.

Leo Laporte (115:06)

But that's just that law. Because California has an ID law that says any operating system.

Steve Gibson (115:15)

Yeah.

Leo Laporte (115:16)

Oh, it really depends how the law is written. Right.

Steve Gibson (115:19)

Yeah, it's a mess. Well, and where. Right, because that, because even, even with all this, it's only currently Texas in Texas and then eventually Utah and.

Leo Laporte (115:29)

Right.

Steve Gibson (115:29)

And Louisiana or somewhere, wherever it was. So, I mean, this is a mess. And of course, federally, there's nothing happening that, I mean in more ways than one with any of this. So it's being all left up to the states, which just creates a mess. So, you know, with all kind. Well, and, and like we have Mississippi, where it's just blanket social media. And so blue sky had to go dark in Mississippi. Wow. I mean, we're going through a tough time.

Leo Laporte (115:58)

Yeah.

Steve Gibson (116:00)

Jason Sch said. Hi, Steve and Leo first, thank you for 20 great years of security. Now, I've been a listener since the very beginning. I just finished listening to SN 1047. So that's last week. And I'm confused about something. F Droid is worried about Google's changes to the Play Store, but they seem very quiet about SB2420. Wouldn't SB2420 be even more more detrimental to F Droid than the changes to the Play Store? Thanks, Jason. And I would say yes. The home page of the F Droid site asks the question, what is F Droid? And then answers it, writing, F Droid is an installable catalog of FOSS free and open source software applications for the Android platform. The client makes it easy to browse, install and keep track of updates on your device. But this raises an intriguing loophole question, right the F Droid app itself would first need to be obtained from the Google Play Store under the new restrictions, and for that any and every minor aged person would need a parent's approval. But the F Droid app itself offers an installable catalog of FOSS applications for Android. So technically it's an application which accesses a repository, it's not a store. So the letter of the law doesn't quite encompass the F Droid case. But to Jason's point, I would not want to be in F Droid's shoes here because one thing Texas SB2420 does clearly state is that each and every software download and installation must receive parental consent. The F Droid app, once installed and obtained, allows for unrestricted application use from F Droid repository. So it could be a lawsuit waiting to happen. And you would think that F Droid would probably need to incorporate the API which Google Play will be making available to to apps, and then that would allow F Droid to then gate the access of its sort of sub apps, you know, the, the, the FOSS apps that it's allowing the download of through the, the forthcoming Play Store API. So doesn't seem like it would be a horrible thing to have happen, but it's going to require them to, to at least take a look at it and, and basically protect their app download in the same way that the Play Store is doing so. For the, for the primary F Droid app, Fleming Hansen in Denmark wrote EU chat control would be useless. He said, in my view, it would be relatively straightforward to bypass the proposed EU chat control measures, which of course we now know failed for in a vote which never even happened because it was known that the vote would not pass, he said an individual could encrypt an illicit image on a desktop computer, transmit the encrypted file via an app subject to chat control, and the recipient could then decrypt it on a computer to restore the original image. Kind regards. And of course he's absolutely right, you know, not nearly as convenient, but clearly true that would work. It's a variation on the old theme of if the use of encryption is criminalized, only criminals will use encryption. In this case, of course, it's the use of a smartphone to converse that is at issue. So I, I certainly he's right. It would be, I, I would, I would not argue that it would be useless. It's a good thing it didn't happen, but it could certainly be bypassed. Ray Nomer wrote. Thought I'd let you know. Oh, this is the guy I mentioned before. I just purchased 6.1. Meaning of course, Spin right. He said I've owned previous versions for many years and it saved my my butt. And he said parens data many, many times. I realized I could take advantage of the upgrade path, but I would rather support your work and the effort that goes into your weekly podcast. So I bought six 1. Keep up the great work please.

Leo Laporte (120:44)

Ray that's true. It's worth it.

Steve Gibson (120:47)

Yeah, well, depending upon what's at risk. And also for even for the the performance enhancement that that6.1 has now proven to offer. But I chose to show that not because I expect anyone else to do the same, but because I wanted to give Ray's generosity some wider recognition because apparently he's a listener. While I appreciate his extra purchase, my plan is to give everyone new stuff to purchase which and stuff that they want which will hopefully benefit their lives as much as spin right has been able to for the past 36 years. To that end, as I mentioned, I'm working every day to get the DNS benchmark wrapped up. I am very excited about it, what it what it has evolved into. So after nearly 10 months of work on it, I'm very close. So again, thank you Ray. I appreciate that. Duncan said. Hi Steven Leo, longtime listener, propeller head and Spin Right user. He says Lorenz, which paid for itself a hundredfold by restoring my daughter's crashed MacBook hard drive weeks before her final school exams. Oh boy, duncan said. I've been listening with interest to your coverage of the age verification topic alongside developments in the imminent Australian social media restrictions planned for December 2025. While I'm sure your listeners want to protect the innocence and mental health of our children, they also appreciate the technological challenges involved and the fact that any solution will require all adults to verify to verify their age, not just minors, right, because adults have to prove they're not minors, he said. My reason for writing is to make a point that seems to have been overlooked in this whole debate. The Older Brother loophole Existing laws around the globe were drawn up in a physical world where it is possible to physically identify someone entering an adult pub, club or movie theater, or purchasing alcohol, cigarettes, magazines or other restricted activities. However, in the physical world, there was nothing to stop an older brother or friend from purchasing alcohol, cigarettes, movies or magazines and sharing those with minors after purchase. We all know this happens in real life, away from the point of sale. There's nothing that could be done about this apart from vigilant parenting or Big Brother policing in your own home. The technological world is no different. You can put all the electronic age restrictions you want on minors themselves, but you can't stop them watching or reading information on their older brother's or friend's phone, computer or tv or the unlocked iPad sitting in the family room. People often talk about savvy kids using VPNs to override national or regional restrictions. But there will be endless other ways for older brothers and friends to lend their age verification credentials or device to a minor that makes the whole exercise futile from the start with the obvious cost and risk to everyone else's privacy. I can't envision, he says, a feasible technological solution to this problem until our devices are constantly surveilling their viewers, eyeballs or brains to ensure no minors are watching their screens at any point in time. I look forward to you covering this Big Brother world in episode 1984, he said. Hopefully this brings another angle to your ongoing analysis of this interesting challenge. Keep up the great work. Regards, Duncan and Sydney, Australia. And of course, Duncan's note about the need for continual surveillance in the cyber world reminded me, as I mentioned, of that, that clause in the, the Protecting Tennessee Miners act, which does require constant RE authentication. They, they define a session as 60 minutes and you must re authenticate within a 60 minute window in order to stay within the, the letter of the law. So yeah, 1984. Indeed it might. I mean you could imagine Leo like something like the camera looking at you constantly doing a retina verification.

Leo Laporte (125:30)

It's inevitable. This is the end game. This is, you know, remember 1984, the TVs watched you. Right. Yeah. And you had to have them on at all times. And I, I really think we're headed in that direction. It's just, it's just. Well, and it's. And by the way, he's got a good point. It's forget Big Brother, it's unenforceable. Your Harper Reed was on Twitt on the Sunday. He's kind of a bit of a hacker himself. He said this is great. Australia is going to breed a whole generation of kids to who know how to hack stuff. This is going to be the best thing. Seriously. He's right. Yeah. This is how it starts.

Steve Gibson (126:06)

They won't take it for granted. They will, they will get their engineering hats on and figure a way around.

Leo Laporte (126:13)

And there are multiple ways around it and they Will find them.

Steve Gibson (126:16)

Yeah, yeah. Matt Storms wrote, is it possible that Discord needed to keep the age verification data as proof of verification? He said Perenz, in case of audit or lawsuit or proof of compliance with regulations, which is a great question. Looking at the recent legislation regarding age gated access to Internet content, there is very clear and explicit language stating that any and all personally identifying information you know now called pii, including image or data derived from images, must be deleted immediately after it has been used for age verification. And even Discord's own support information says, quote, discord and K hyphen id, which is the organization they use, do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed. And the video selfie used for facial age estimation never leaves your device. Okay? Now, unfortunately for Those more than 70,000 users whose identity documents Discord acknowledged were leaked, this doesn't appear to be true. And given how sensitive people understandably are about having their identity documents leaked onto the Internet, coupled with how litigious the world has become, this might be a mistake that gets Discord's provider to in some very hot water. Because you can imagine lawsuits will be flowing after the any of these 70,000 users learned that the provider, whoever Discord used, the actual provider in this instance, seemed to be somebody else, not this kid group. So I don't understand. You know, maybe kid uses a third party themselves. Anyway, one way or another, this stuff wasn't deleted after it was used. It was kept around and the. The hackers got a hold of it. So one wonders also if the fine print of whatever agreement the age verifier might have had its users click on might provide some legal loophole and maneuvering room for them. I don't know. So what little good news there is amid all of this recent age gated legislation, at least the legal verbiage stipulates that whatever information is used for the determination must be immediately deleted. The legislators got that right. At least. Now, of course, the techies have to abide by that law, and I would imagine they really need to because they'll be upset people who are saying, hey, you said you deleted this. How did the bad guys get it?

Leo Laporte (129:29)

Well, how did they?

Steve Gibson (129:31)

Huh?

Leo Laporte (129:32)

Right. I guess they weren't.

Steve Gibson (129:34)

Oh, we forgot to empty our. Our trash can.

Leo Laporte (129:37)

Oh, that's it. We put it in the recycling bin.

Steve Gibson (129:39)

That's right. It's in the recycling bin. What are you gonna do? Brian Orm wrote Steve I'm listening to 1047 right now and had to pause it to send you a note. I'm a father of three kids. My youngest is a teenager and my older two are now adults. While this new Texas law is at least a step, it won't help much. I'm hopeful that an age validation standard will be established that's secure and simple. This is a hard problem since it hits the center bullseye of the definition of personally identifiable information. He's certainly right about that, he said raising my older two There is one obvious fact and this is to your point Leo. Our children are not like us who grew up without the Internet. Kids grew up with the Internet like we grew up with electricity. They live it, eat it and breathe it. They can get around everything. They buy reloadable credit cards at Dollar General to appear as adults. My 18 year old son told me he simply used my birthday whenever he registered for a service to get around all the filters. Same last name right? On that note, the problem with this new law is that they are locking the gate on the two foot tall fence while neglecting to lock the house doors. Once kids have a child friendly app installed, the problem is what happens inside the app and developers neglect of monitoring their own services. This is especially true when developers incorporate the app with some ability for users to communicate among themselves. It was recently discovered that a friend's son was being groomed via Pinterest chat by a woman halfway across the United States. I'm thankful for his mother's perception who noticed behavior changes and took action. But who would have ever thought when their child asked permission to install Pinterest that this age appropriate app would have the ability to cause such harm. The same obviously goes for Microsoft Roblox, I'm sorry, Minecraft, Roblox and many, many other apps. The age requirement in this and most cases is truly useless. Require all the age verification you want. It will not help the issue except for a small fraction of extreme apps and websites. The complexity for parents to set up child accounts thus far is so frustrating that even myself, a certified security professional, just gave up A case in point. While auditing my subscriptions recently, I realized that I was paying for three separate Spotify family accounts. I don't have answers, just some parental observations trying to raise kids in this digital world. These new requirements will be ineffective until developers and store owners and he has three points. First, make it stupid simple for parents to create and manage family accounts. Second, enable parents visibility and proactive notifications into what's actually happening inside the apps and three force developers to either shut down or actively monitor and be held accountable for their in app communication services. Of course no app, no no developers want to have any responsibility for what is transacted. You know inter app. That would be a huge burden. And he. He finishes. Until these things happen, this age verification service will only be an annoying speed bump. Thank. Thank you for all you and Leo do each week. Signed Brian. So I thought, you know, the points Brian made were very good ones. I'll be interested to see how you know, Internet savvy miners arrange to circumvent these new restrictions. But Brian's point about the social networking content carried within otherwise innocuous apps is clearly important. It's unclear how that will eventually be addressed, but it seems that it would need be. We know that apps such as Facebook or X do not in and of themselves have any age specific rating. It's the content they communicate that these Texas legislation folks appear to be completely naive about. As we know the state of Mississippi, you know, dealt with this simply by saying no to all social media stuff. And I want to finish before our last break and we talk about Mikey Mouse just by noting that Leo, you and I are are both huge fans of a Netflix series, the Diplomat.

Leo Laporte (134:55)

Oh yeah.

Steve Gibson (134:56)

So much so that I'm sure we've mentioned it in you know, on the podcast previously. I just wanted to make sure that anyone who loves it as much as we do is aware that last Thursday Netflix released the entire eight episode third season. I've already ingested it. Lori and I binged on it.

Leo Laporte (135:16)

You watched the whole thing already.

Steve Gibson (135:18)

Yeah, I get it that it's not for everyone but if you loved the first season, I wanted to make sure that everybody knew that the third season is out and it's just as good as the previous two and has been. Is already been a fourth season has already been commissioned. So there will be really good. There will be a fourth season. It is. I. I just. It's everything I want in a.

Leo Laporte (135:44)

The way the second season ended. I just loved. I just. It was just everything I like in the world and it was so good and I just can't wait to see where it goes after that.

Steve Gibson (135:53)

It's. It's number three is really good, Leo. So you have a lot. You have a big treat in store for you and I want to make sure that our listeners knew that they do too. And if you. If again I get it. You know, there's something for everyone. This may not be for. For you but if, but if you Have a Netflix subscription. You never even saw it. Give the first episode a try. If it doesn't grab you in one or two, then, you know, you'll know that. But, yeah, a lot of fun. Yeah.

Leo Laporte (136:19)

It's not every. Everybody. Yeah, everybody has different.

Steve Gibson (136:21)

We're all different.

Leo Laporte (136:22)

Yeah.

Steve Gibson (136:23)

I mean, there's so much comedy that I just. That just. I look at and I go, that's not even funny. Like, you know, so.

Leo Laporte (136:32)

Hey, I like Jim Carrey. Don't you be knocking Jim Carrey. How did I know you're talking about Jim Carrey? All right, one last break and then we will get to the Mikey. Whatever. Mikey Mouse, whatever that is.

Steve Gibson (136:48)

Look at that picture that I have. It's the one the AI generated from a. From a simple query that generated the. The. The.

Leo Laporte (136:55)

Are we going to get in trouble with the. The Disney Corporation here?

Steve Gibson (136:58)

As a result, didn't they just lose their rights or that was just to.

Leo Laporte (137:03)

No, just his very first one, Steamboat Willie, I think. Yeah. Let me just look at it because. Yeah, that, you know, you can generate a lot of. Oh, that's funny. You did that?

Steve Gibson (137:16)

No, no, no, no, they did.

Leo Laporte (137:17)

Oh, they did. It's definitely AI.

Steve Gibson (137:20)

Yeah.

Leo Laporte (137:20)

But somebody. Oh, yeah, yeah. Very cool. Our show today, brought to you by a sponsor that you know and I know and we love. And it's, of course, bit worse. The trusted leader in password, pass key and secrets management. I always mention that. I mean, Bit Warden is a password manager, of course, but it's really more than that. It is an encrypted store that you can put anything in and trust. And so I put my passport in it, in it, the image of it, my driver's license, my Social Security numbers, because it's, It's. It's strong encrypted and it's. And it's private and it's a great place to store stuff. And because it's on every device I have, I have all those secrets with me. Bit Warden recently added SSH keys. It will generate private and public SSH keys and let you upload the SSH public key to your SSH server and handle it for you. With the logins and everything, it's just like, oh, you guys are geeks. You guys know what we want. Bitwarden is consistently ranked number one in user satisfaction. Not just geeks, but everybody. By G2 and software reviews more than 10 million users across 180 countries. 50,000 businesses, too. Now, if you use AI, you're going to really like this. If you've used this new agentic AI and you probably immediately, when you say launch an agentic browser or your own AI to go out and do stuff for you on the web, you immediately see the problem with credential management, right? If that AI is going to log into your GitHub, is it going to transmit your GitHub password privately? Actually I use passkeys, so I don't have to worry about that. But now Bitwarden has made this much simpler with an MCP server, a credential MCP server that's available on the Bitwarden GitHub. It enables secure integration between AI agents and credential workflows so you don't have to send that password out over the public airwaves. Expanded documentation distribution are coming. We wanted to tell you about it now so you can go check it out if something you need and it is if you're using agentic AI, it's a secure, standardized way for agents to communicate with Bit Warden. Now your benefit's obvious. You get a local first architecture, which means it's more secure. The Bitwarden MCP server runs on your local machine, keeping all client interactions within the local environment and minimizing exploitation to our external threats. Oh, and I love this. It integrates with the Bitwarden command line interface. I'm a CLI guy and I just love that about Bitwarden. Users can also opt for self hosted deployments. If you are an individual and you want to host your vault, you don't want to put your vault in the Bitwarden cloud. You can do that. In fact, because Bitwarden is open source, they're even really good a third party vault software that's compatible with Bitwarden. I mean there's of course the Bit Warden official distribution flexibility. That's what's built into open source, right? You have greater control over system configuration and data residency. So let's talk again about the, about the new MCP server. MCP is an open protocol for AI assistance. You probably know this. The servers let your AI system interact with with commonly used applications and that can include content repositories like GitHub and GitLab and Sourceforge and so on. It also includes business platforms, developer environments. It gives you a consistent open interface. It drives secure integration with agentic AI. The Bitwarden MCP server represents a foundational step towards secure agentic AI adoption. And why am I not surprised that Bitwarden was the first to do it? Of course they were. Of course they were. They're the best. If you're thinking about getting Bitwarden in your enterprise and I strongly encourage that. You might want to read InfoTech Research Group's new paper Streamline Security and Protect yout Organization. It's a report that highlights how enterprises in the Forbes Global 2000 are actually turning to Bit Warden to secure identity and access at scale. The report talks about the growing security complexity we're facing. You've got globally distributed teams, you've got fragmented infrastructure, cloud and on prem and so forth. You've got credentials dispersed across teams, contractors, devices. So enterprise need to handle credential management gaps and strengthen their security posture. Best way to do it invest in scalable enterprise grade solutions and I might add open source solutions like Bitwarden. Bitwarden setup is easy. It's so simple to move to Bitwarden. Steve and I both did it. It was, you know, a few minutes work. It's Bitwarden supports it's actually easier now. They have built in import now for most password management solutions, the Bitwarden open source code and again I want to emphasize this GPL open source. It's regularly audited by third party experts. Bitwarden meets SoC2 type 2 GDPR HIPAA CCPA compliant. That's ISO 270012002 certified. It's just the best for passkeys, for secrets, for passwords, for anything you want to keep encrypted and private. Get started today with Bitwarden's free trial of a teams or enterprise plan or get started for free across all devices. It is an individual user@bitwarden.com TWiT that's bitwarden.com TWiT I am really proud to support Bit Warden because it's exactly the way a password manager should be. Easy to use. Open source, absolutely secure. Bitwarden.com twit okay Steve, I've got the mickey. Very nice.

Steve Gibson (143:12)

So through the years of this podcast we've had a lot of fun examining a range of bizarre and often surprising side channel attacks that have been able to exfiltrate a surprising amount of information from the surrounding environment. It turns out that not only can you bounce a laser interferometry beam off a vibrating window, as spies are known to do to recover the spoken audio on the other side of the glass inside a room a long ways away, but a laser can also be and has been bounced off a large plant leaf, a balloon, a bag of chips and even an exposed light bulb innocuously hanging in the room. We've seen keyboard keystrokes recovered with the aid of an inconspicuous, conspicuously placed nearby smartphone. We've even seen the reflections of WI fi radio signals used to locate people moving around inside a room on the other side of a solid wall. We've seen the power supply's fan speeds controlled to change its sound to transmit low bandwidth information, and the sounds made by its switching power supply, similarly modulated for the COVID transmission of information. So perhaps we should not be overly surprised to learn that today's contemporary desktop mouse, thanks to the ever growing demands of high speed gaming, has become so sensitive to its surroundings that it too is able to detect, pick up and transmit the sounds of ambient conversations. Now, it's not a microphone, it's far from it. But a team of five researchers in the Department of Electrical Engineering at just. I can see it from my. From my balcony. The University of California at Irvine have worked to create Mike E mouse, a mouse turned into a microphone of sorts, of thanks to its ability to perceive a room's vibrations. Now, I say of sorts because what these guys had to go through to make this work was some serious gymnastics. Before I go any further, for the sake of strict scientific accuracy, I feel that I should note, just for the record, that this is not actually the first time we've seen someone speaking into a mouse. Leo 39 years ago in 1986, the movie star Trek the Voyage Home.

Leo Laporte (146:08)

I would play it if I could, but they'll take us down.

Steve Gibson (146:11)

The Enterprise's chief engineer, Montgomery Scott, first pick up and spoke into the mouse of an Apple Macintosh PC. See? Naturally, assuming it to be a microphone and that the computer would be able to take his verbal instructions to show the molecular. The molecular design of transparent aluminum. Of course, at the time that was just science fiction, right? And it was meant to be humorous and was. But as we also so often see, what was once a flight of science fiction fancy has now become all too real. The researchers feel that the threat potential from COVID eavesdropping and spying through mice is today all too real. The abstract of their paper explains. Writing Modern optical mouse sensors, with their advanced precision and high responsiveness, possess an often overlooked vulnerability. They can be exploited for side channel attacks. This paper introduces Mike Emouse, the first ever side channel attack that targets high performance optical mouse sensors to covertly eavesdrop on users. We demonstrate that audio signals can induce subtle surface vibrations detectable by a mouse's optical sensor. Remarkably, user space software on operating systems can collect and broadcast this sensitive side channel, granting attackers access to raw mouse data without requiring direct system Level permissions. Initially, the vibration signals extracted from mouse data are of poor quality due to non uniform sampling, a nonlinear frequency response and significant quantization quantum quantization. Now of course it's not designed as a microphone, so it is, to coin a term, a crappy microphone, they wrote. To overcome these limitations, Mikey Mouse employs a sophisticated end to end data filtering pipeline that combines wiener filtering, resampling corrections and an innovative encoder only spectrogram neural filtering technique. In other words, AI, they wrote. We evaluate the attack's efficiency across diverse conditions including speaking volume, mouse polling rate and dpi, surface materials, speaker languages and environmental noise. In controlled environments, Mikey Mouse improves the signal to noise ratio by up to 19dB for speech reconstruction. Furthermore, our results demonstrate a speech recognition accuracy of roughly 42 to 61% on the audio MNIST and VCTK datasets. All our code is and data sets are publicly accessible on the Mike Emouse website and that's sites.google.com view mike m I c hyphen e-m o u s E okay, so so in other words, modern optical mice will respond to to the surface vibrations of the surface they're resting on. And any standard app running within that machine can monitor the mouse closely enough.

Leo Laporte (150:11)

Wow.

Steve Gibson (150:11)

To capture and exfiltrate that raw and rough vibration data to an outside eavesdropper. From there, although this is just the beginning, you know, bringing the power of today's massive data processing to bear what the mouse has heard to cause it to report, the vibrations that it that it transmitted can then be determined. Now, I am reminded as I'm reading this of some of the different data reconstruction research we've covered. Where the up remember that where the upshot was that visually blurring the text in order to obscure it was no longer considered safe. Yeah, because although the text's image could not be algorithmically unblurred, I.e. there's no way to bring back the information that the blurring lost. If the text from font were known, which is often not difficult, the and the amount of blur could be determined and modeled. At that point, a brute force attack could be launched by rapidly trying all possible underlying characters one at a time from left to right, looking for a match until yes, until you got an exact blur match and eventually the entire message could be deblurred. Similarly, even if a mouse's vibrations are nowhere near audio quality and they are really not mapping the audio that would have resulted in those vibrations solves the same problem.

Leo Laporte (152:09)

Is this an example of a use of AI yes.

Steve Gibson (152:13)

Yes. They trained OpenAI's whisper model in order, in order to solve this problem. So to put some meat on these bones, here's what the researchers explained. They said the proliferation of low cost, high fidelity sensors in consumer devices has greatly improved user experience in common computing tasks, from lower response times to more adaptive workflows. These devices have been oh my God and Leo. The technology in a, in a mouse today is just astonishing. I mean, it's like doing so much digital signal processing, you know, DSP computation using image, the images, high resolution images from today's sensors. It's just, it's incredible what, what we just take for granted that we just, you know, shoop around on the desk under our hands.

Leo Laporte (153:07)

They said 61% is amazing. I mean, that's really good.

Steve Gibson (153:11)

Yes.

Leo Laporte (153:12)

Holy cow.

Steve Gibson (153:13)

They said. The lion's share of these improvements is found in the category of user input devices, including Styli mice and monitors. More specifically, improvements in mouse sensor technologies have allowed commercial offerings to operate with a sample rate of 4kHz. With a growing selection of products that also support 8kHz, consumer grade mice with high fidelity sensors are already available for under US$50. As improvements in process technology and sensor development continue, it's reasonable to expect future price declines. Furthermore, mouse sensors resolution and tracking accuracy also follow the same pattern, with steady improvements each year. Ultimately, as lower performance mice leave the consumer space, these developments lead to increased usage of vulnerable mice by consumers, vulnerable meeting higher precision by consumers, companies and government entities, expanding the attack surface of potential vulnerabilities in these advanced sensor technologies. The rise in work from home policies has led to the widespread adoption of new technologies and practices, making them more difficult for employers and government institutions to control the physical operating environments of their workforces. Meanwhile, these arrangements often boost employee sentiment and productivity. The security implications of work from home policies are still being understood. Specifically, attacks exploiting personal peripherals on work computers such as keyboards, microphones, styli, earphones, mechanical hard drives and even USB devices have become increasingly common, even in relatively secure office environments. The threat posed by these exploits is still significant, especially for unknown or poorly understood attack vectors. We posit that the seemingly innocuous computer mouse is the source of yet another vulnerability. Importantly, we claim that recent advancements in mouse sensor resolution can be sufficient to enable a side channel attack capable of extracting user speech through our mike emouse pipeline. Vibrations detected by the mouse on the victim's user's desk are transformed into comprehensive audio, allowing an attacker to eavesdrop on confidential conversations. This process is stealthy since the vibration signals collection is invisible to the victim user and does not require high privileges on the attacker's side. Right? Whoever thought that that tightly watching mouse position could be a security vulnerability? They said potential adversaries can collect user space mouse signals and remotely use the Mikey mouse pipeline to convert raw data packets into audio. Okay, now I'm going to interrupt here just to observe that websites are also able to obtain mouse coordinates in real time. So it might be that just visiting a site which innocently downloads and runs some high performance web SEM code might now be sufficient to collect sufficient mouse vibration data while you're visiting the site to later reverse engineer the speech that was taking place during that visit. You know, you would assume that having your microphone disconnected or muted would be sufficient, but perhaps not, the researchers continue. Modern optical mice employ various methods to provide precise movement tracking under different sensitivity settings over the past two decades, optical mice leveraging a high performance CMOS camera with an onboard digital signal processor have become the preferred design choice. Generally, optical sensors enhance reliability and fidelity through the use of self illumination, typically from an independent diode or or an integrated laser. By taking thousands of snapshots of the illuminated surface under the mouse. The DSP can then compare each successive image in order to determine the direction of movement. The rate at which this process happens is determined by the sensor's frame rate, measured in frames per second. Each frame is processed via an on chip correlation algorithm to provide a two dimensional display displacement to the host computer. The described process can be broken down into two key elements, the imaging sensors and the image processing and movement detection algorithm. Rather than relying on extensive charge coupled device CCD sensors, the sensor in an optical mouse is typically a CMOS complementary metal oxide semiconductor image sensor collecting up to 30 by 30 pixels worth of data per frame, where each pixel represents the intensity of the reflected light at that point. This basic mini camera is a critical component of implementing speckle pattern detection. Some sensor models, such as the Pixart PMW3552 capture data using an 18x18 pixel grid, while others can record up to 30 by 30 pixels depending upon the manufacturer's specifications. For visualization purposes, we destructively studied a Pixart PMW3552 sensor in our institutional lab. This sensor features an 18x18 CMOS pixel grid and is designed to interface directly via USB. Speckle patterns are random granular intensity patterns produced when coherent light, such as laser light, is scattered by a rough surface. When an optical mouse is moved over a surface, the speckled pattern on the surface changes smoothly and reliably. That's how mice are now able to scan over glass. The CMOS sensor captures these changes in the speckle pattern frame by frame and processes them to detect movement. These movement detection algorithms allow for the translation of data into corresponding coordinate deltas. So the researchers go into an extreme level of detail, which should satisfy anyone wishing to deeply understand their work. Anyone listening who wants more than I'm going to share here on the podcast is invited to follow the links at the end of the show notes, which points to all of their research, including all of the code they developed to pull this off. It's all in the public domain. The important point I wanted to make, however, is that none of this would have even been remotely possible without what we now know of as AI. A crucial aspect of their system's success was that that so called mike E mouse signal processing chain was their ability to retrain an an existing OpenAI whisper model using the x and Y movement outputs from actual mice. Whisper is OpenAI's open source speech recognition system. It's specifically designed to take input material representing spoken audio and convert it into text. This team was able to cleverly retrain and repurpose Whisper to accept incredibly low quality audio. I mean, you really have a hard time, you're calling it audio, barely recognizable as anything, and obtain up to 65% word recognition accuracy. So, bottom line is, we may need to be careful about what secrets we utter around our mice. You may not want to repeat, you know, important passwords out loud. Your mouse might indeed have very big ears.

Leo Laporte (161:51)

You know, it's funny, I often, how can I say this without giving away? I often use passwords. Oh, let's not show that there. I often use passwords that are lyrics from songs or soliloquies from Shakespeare plays, that kind of thing. And so I'll frequently sing it out loud as I'm saying it, I'm gonna have to stop doing. I always get nervous, like, is anybody listening? So I try to under my breath, wow. And I do. You know, I often buy these gaming mice that have very high resolution rates.

Steve Gibson (162:31)

We know, Leo, you had the highest frame rate, highest resolution gaming mouse available, moment to moment.

Leo Laporte (162:39)

Only the best.

Steve Gibson (162:40)

Only the best.

Leo Laporte (162:42)

Now, to be clear, they'd have to get software on your system. Like, they'd have to have a compromise.

Steve Gibson (162:48)

Yes, but a browser can do it. Oh yes.

Leo Laporte (162:53)

It could be a plug in, you mean?

Steve Gibson (162:54)

Or no. Oh no, A website you visit. Because now we all download them. Yeah, and that's got all the power that it needs in order to do a high speed extraction and exfiltration of the movement data.

Leo Laporte (163:08)

Webassemb Webassem. Wow, we really made these browsers way too powerful. If you could do that. That's. Yeah, that's scary. That's really scary. Steve, you've done it again, my friend. As always, you're just the best. We do security now. Tuesday, right after Mac break weekly. We try to get in here about 1:30pm Pacific. That's 4:30 Eastern. That's 22.

Steve Gibson (163:35)

Sometimes you need a little time to get your Dungeons and Dragons stuff set up.

Leo Laporte (163:38)

You saw that, did you? Yeah, I'm working on my character for Friday. We're going to have a lot of fun. By the way, if you're not a Club Twit member and you want to watch our Club Twit DND game on Friday, 2pm Pacific, 5pm Eastern, 2100 UTC, you got to be a club member. Go to Twitter TV Club Twit. That's not the real reason to join. It's a good reason, but the real reason is to support the work Steve does here, as I mentioned, and all the things we do, get access to the Discord, add free versions of the shows. And really your support makes all the difference in keeping these shows on the air. So we really would love to have you join if you're one of those 4,000 people who subscribe to Steve's newsletter. But don't join the Club, please. Twitter TV Club TWiT. Now let's talk about where you can get the show. I did mention we stream it live. That's why I told you the lifetimes. It's in the club. Twitter Discord, of course. But many people prefer because Discord's not great on live video to watch on YouTube. So we stream it there. Twitch, we stream on X.com, facebook, LinkedIn and Kik. So you know, and you can chat with us in all of those places. I'm watching the chat and we always have a very active, especially in this show, very active chats going on on all of those platforms. You don't have to watch live though. That's just if you want to be participating in the latest, you know, version of the show. We make it, make it available online. Steve has copies of the show. Hundred. He has three unique copies. A 16 kilobit audio version which is a little scratchy, but it has the merit of being very small. A much bigger but much higher quality 64 kilobit audio that sounds even better than if it were Recorded on a mouse. It's the 16 bit. Might sound a little bit like a mouse recording. He also has the show notes, which are great. You can read along. He's got lots of links. The show notes. It's the best show notes I've ever seen for any show, bar none. And you know, you can get that, download those and download Elaine's transcriptions. Lane Ferris does very nice transcriptions of every show. All of those at Steve's site, GRC.com if you go to GRC.com email you can get your email whitelisted. Just put it in there and that way you can send him suggestions for pictures of the week. I think that's where he gets a lot of them. You can comment to Steve and so forth. GRC.comemail and you'll see right below it when you've entered in your email, there's two checkboxes. One for the newsletter that's the show notes every week, that's a weekly newsletter. The other might be important these days. It's his announcement email. He's only sent out one in his entire life, but I think another is imminent. The minute the DNS benchmark Pro comes out, he's going to email all of you. So sign up for that GRC.com email. But of course, because it's Steve, neither is checked by default, you have to explicitly sign up for those newsletters. While you're there, you might as well pick up a copy of Spinrite, the world's best mass storage, maintenance, recovery and performance enhancing utility. Even if you paid for it before, do like our listener did and pay for it again. It's well worth it. Steve's bread and butter. And it'll save your bacon like it did that father whose kid had lost her hard drive right before the exams.

Steve Gibson (166:59)

Yikes.

Leo Laporte (167:01)

GRC.com we have copies of the show. Our own unique flavor, 128 kilobit audio, which I admit is audio overkill. Sounds much better than a mouse recording. We also have video at our website, Twitter TV SN. There's a YouTube channel dedicated to security now. And that we do really for one main reason. You can easily clip and share parts of the show from YouTube. And since everybody you know, even your grandma, knows how to use YouTube, that's a great way to tell people, you know, stuff that we talk about. For instance, if your IT department sends you an email saying it's it's time to change your password every 90 days, you might want to send them that.

Steve Gibson (167:44)

Little bit of the show explaining it's not necessary.

Leo Laporte (167:48)

It's a bad idea. Bad idea. So use YouTube for that. And of course, if you really care about the show, you'll probably want every episode, right? There's only 1048. Start your collection now by subscribing your favorite podcast client, and that way you'll get it automatically as soon as it's ready. And in fact, if your podcast catcher has a review section, leave us a nice review. Will you tell the world about the best darn show? I think this podcast is a must listen for anybody who wants to keep safe and secure online. Steve, have a wonderful week. I'd suggest you watch the Diplomat, but you've already finished it.

Steve Gibson (168:26)

I did. And now I can't wait for the next one.

Leo Laporte (168:29)

I will go watch it. I can't wait. It's a. It's an alternate universe in which the government works. It's a remarkable thing. And actually committed, intelligent civil servants are working on our behalf. It's an amazing thing.

Steve Gibson (168:45)

I love the way. Pretty frustrated with it, though.

Leo Laporte (168:48)

Yeah. But I like the new president. I like. I mean, I don't know what happened after the last. Oh, boy.

Steve Gibson (168:54)

Yeah.

Leo Laporte (168:55)

There's more. Okay. The guy from Spinal Tap had a heart attack. I'll just. I'll leave you with that. That makes no sense if you don't know what I'm talking about. Thank you, everybody, for joining us. Have a wonderful week. We'll see you next time on Security Now.

Steve Gibson (169:13)

Bye.

Leo Laporte (169:15)

What. What was his name? In Spinal Tap, he was the President and the Diplomat, which cracks me up.

Steve Gibson (169:20)

Yeah.

Leo Laporte (169:21)

Michael McKean. I can't remember his Spinal time.

Steve Gibson (169:23)

Good memory.

Leo Laporte (169:24)

Yeah. All right, Steve.

Steve Gibson (169:26)

Okay, buddy.

Leo Laporte (169:27)

Enjoy.

Steve Gibson (169:28)

See you next week for the. On the October 28th as we Halloween.

Leo Laporte (169:32)

Are you gonna wear a costume for us? Why don't you wear a hoodie and be a wily hacker?

Steve Gibson (169:38)

I could change your voice.

Leo Laporte (169:43)

Maybe I'll do that. I'll wear my twin hoodie and talk like this the whole time. I can't tell you what I look for. All right, thank you, Steve. Take care. Bye. Bye. Security now. Morning, Zoe. Got donuts.

Steve Gibson (170:07)

Jeff Bridges, why are you still living above our garage? Well, I dig the mattress and I.

Leo Laporte (170:13)

Want to be in a T Mobile commercial like you. Teach me. So, Dana.

Steve Gibson (170:17)

Oh, no. I'm not really prepared. I couldn't possibly at T Mobile get the new iPhone 17 Pro on them. It's designed to be the most powerful iPhone yet and has the ultimate pro camera system. Wow, impressive.

Leo Laporte (170:30)

Let me try. T Mobile is the best place to get iPhone 17 Pro because they've got the best network.

Steve Gibson (170:36)

Nice Jeff, you heard them. T Mobile is the best place to get the new iPhone 17 Pro on us with eligible traded in any condition.

Leo Laporte (170:45)

So what are we having for lunch?

Steve Gibson (170:47)

Dude, my work here is done.

Leo Laporte (170:49)

The 24 month bill credits on experience.

Steve Gibson (170:50)

Beyond for well qualified customers plus tax.

Leo Laporte (170:51)

And 35 device connection charge credit send and balance due if you pay off earlier. Cancel Finance Agreement. IPhone 17 Pro 256 gigs $1,099.99 and.

Steve Gibson (170:57)

New line minimum 100 plus a month.

Leo Laporte (170:59)

Plan with auto PayPal taxes and fees required. Best mobile network in the US based on analysis by Oaklove Speed Test Intelligence.

Steve Gibson (171:03)

Data 182025 visit t mobile.com.