Episode Transcript
0:00
It's time for Security Now. Steve Gibson is here.
0:02
Have you ever been owned? Well,
0:04
here's a way to know and whether
0:06
you should worry about it. What
0:10
certificate authority just lost their TLS server
0:12
business. I'll talk about that, and the
0:14
end of ICQ, and Microsoft's
0:16
new recall feature that's coming to
0:19
all Copilot plus PCs. Steve
0:21
explains why it is not as secure
0:23
as Microsoft has said, why it's in
0:25
fact a real danger. He also has
0:28
a theory, and I agree with it
0:30
100%, of why Microsoft is doing
0:32
this. It's a very interesting
0:35
play, for your information. Next, on Security Now.
0:41
Podcasts you love from
0:43
people you trust. This
0:46
is TWiT. This
0:51
is Security Now with Steve Gibson, episode
0:53
977 recorded Tuesday, June 4th, 2024. A
0:59
large language model in every
1:01
pot. It's time
1:04
for Security Now. Yes, adjust your spectacles and
1:06
put your beanie on straight because this guy,
1:08
Steve Gibson is going to challenge you. He's
1:10
going to excite you. He's going to thrill
1:12
you. He's going to make you a geek
1:16
just by proximity. Hello, Steve
1:19
Gibson. I think if you've survived
1:22
more than a couple of these podcasts,
1:24
your geek status has been
1:27
already established. You haven't gone
1:29
running for the hills. I
1:34
got a piece of mail from one
1:36
listener who said, okay, so I
1:39
think I understand about
1:41
5% of what you're talking about.
1:44
You're doing well. But
1:46
I do come away with something useful
1:48
every week. So I keep coming back
1:50
for more abuse. No, for more edification.
1:53
Well, so it's like lifting
1:56
a heifer. Like when a cow
1:58
is a baby, when it's first born, you can lift it. If
2:00
you lift it every day, you'll be able to
2:02
lift a full-grown cow. So just
2:04
keep the analogy you've come up with. Keep
2:07
lifting. Keep lifting cows. Keep
2:09
listening every week. All right. In
2:11
a year or two, you'll be able to lift a cow. How
2:14
about that? Maybe you'll be able to
2:16
throw a honeypot. There you go. We'll
2:18
see. Oh, actually, there's a really
2:21
interesting piece that Microsoft just
2:23
revealed the details
2:26
of a honeypot they had been running
2:28
for a long
2:30
time. Anyway, I may be talking about
2:32
that next week if nothing more interesting
2:35
comes along. But speaking of pots, today's
2:37
title is A Large
2:39
Language Model in Every Pot.
2:44
And we're going to go back and
2:46
talk about recall again. Well,
2:49
okay, I'm stepping on my own sequence
2:52
here. So we've got a lot of things
2:54
to talk about. When
2:56
is a simpler application better than
2:59
something complex? How
3:01
did the first week of GRC's new email
3:03
system turn out? Have
3:05
you been pwned? And if
3:08
so, how worried should you be? What's
3:10
the latest new supply chain
3:13
attack vector? What
3:15
certificate authority just lost all
3:17
their TLS server business? Oops.
3:21
Yikes. Early messaging service
3:23
ICQ, whatever became of
3:25
it. Finally, after
3:27
I share a tip about what
3:29
I consider to be a perfect
3:32
science fiction movie, two
3:35
pieces of listener feedback, and
3:38
one user's happiness over Spinrite,
3:40
we're going to look at
3:42
what a prominent security researcher
3:44
learned after using Microsoft's
3:47
recall for 10 days. And
3:51
why I think Microsoft is willing
3:53
to bet the farm and risk
3:55
the dire warnings of the entire
3:58
security community over this
4:00
unasked-for capability move. I think
4:02
I know where they're headed. And
4:06
it is very exciting if
4:08
I'm right. It's also
4:10
very troubling and it's really a
4:13
shame that they did
4:15
screw around with Windows, adding
4:17
features nobody wanted instead of
4:19
making it more secure, because
4:22
they really can't do what they
4:24
want to do. Oh, so this,
4:27
this, we're going to have fun today. Yeah,
4:29
and unlike, unlike all of the
4:31
other 976 podcasts that went
4:33
on before. Oh, boring. No, and we're going
4:35
to have fun today. And we
4:37
do have a great picture of the week.
4:40
I still haven't read it. I
4:42
just thought, our own
4:44
Security Now is brought to you
4:46
by our friends at ACI
4:48
Learning, the provider behind
4:50
ITPro, binge-worthy video-
4:52
on-demand IT and cyber-
4:54
security training, and a long-time
4:56
sponsor of this show. With
4:58
ITPro you get certification ready
5:00
with access to their full video
5:02
library. It is getting bigger by
5:04
the day. Now, more than
5:06
7,250 hours
5:08
of training, and more added
5:11
every week. They've got all their
5:13
studios running Monday to Friday, I think
5:15
there are eight of
5:17
them, because the tests change, the questions
5:19
change, the certifications change, software changes. It's
5:22
a world of change, isn't it, in IT?
5:24
But they will always have the freshest
5:26
content for you. Also, their premium
5:28
training plans include practice tests, which I
5:30
absolutely believe is the best way to
5:33
prepare for an exam. Take the test
5:35
before you actually pay for it so
5:37
you know you have the confidence. You
5:39
go in saying, I know exactly what
5:41
I'm facing, I am prepared, I know my
5:44
material. It's just a great way
5:46
to take an exam. Plus virtual labs, which
5:48
will facilitate hands-on training: set up a
5:50
Windows server and clients without even having a
5:52
Windows machine. And MSPs love it because
5:55
they can use it to configure and set
5:57
up software and try before they buy. This
6:00
is a great program. ITPro
6:02
from ACI Learning. They make training
6:04
fun. All training videos are produced in an
6:07
engaging talk show format. You could actually
6:09
sit along with them if you want.
6:11
And one of the reasons that
6:13
works is they pick the best trainers,
6:16
people who are experts, I mean working professionals
6:18
in the field, but who also have
6:20
a real passion for the
6:22
subject. And that passion communicates. That's what
6:24
makes it engaging. That's what makes it easier
6:26
to learn. Take your IT or cyber
6:29
career to the next level. Be bold and
6:31
train smart with ACI
6:34
Learning. Visit go.acilearning.com/twit.
6:36
Use offer code
6:38
TWIT30 at checkout to
6:40
save 30 percent on your first month
6:42
or first year of ITPro
6:45
training for individuals. Visit
6:47
go.acilearning.com/twit. For individuals,
6:49
it's easier to go to
6:51
go.acilearning.com/twit,
6:54
offer code TWIT30.
6:56
I, I
6:58
am ready for the picture of the week,
7:01
Mr. Gibson. So
7:03
I gave this picture the title
7:06
"But, Officer." Okay.
7:11
Dude, does it need no explanation? It
7:13
really doesn't, right? Once you
7:16
see the picture. It's going to take me
7:18
a minute to get it up
7:20
on this computer. Here it comes. Oh,
7:22
I am prepared. Are you ready? I'm
7:24
going to scroll up. We shall enjoy
7:26
it together. "But, Officer." There's
7:29
a one-way street sign, a stop
7:31
sign... It's posted.
7:36
Oh, you know, Leo, you just
7:39
have to wonder, like, what?
7:42
Yeah, I know. Okay, so
7:44
for people who aren't seeing this
7:46
we have a picture where
7:49
a
7:51
public street has come up to
7:53
a T intersection, so you have
7:56
to turn left or right. Well,
7:58
there's a stop sign, so you certainly
8:00
need to consider your options, thus
8:03
stopping. The problem is
8:05
that the street that
8:08
you are intersecting with has
8:11
been labeled as one way where
8:14
all the traffic is moving from left to right.
8:17
But below the stop sign is
8:19
a, it's also very clearly marked
8:22
that you must not turn right. There's
8:24
a, you know, the right turn arrow with a big
8:26
red slash through it. So, I don't
8:30
know, do you back up?
8:33
You know, backing up would be
8:35
the only thing you could do. Oh, you can
8:37
do, but notice there's no outlet. You're in a
8:39
cul-de-sac, so you're really dead in the water. So
8:42
you're right. Is that what the yellow
8:44
sign says? There's no outlet. I thought, yep, I
8:46
thought so. So now that's
8:49
something that would be seen by people
8:51
going down the street waving at you
8:53
because you're stuck and you can't go
8:56
anywhere. You know, you're one
8:58
of a... This is a prank being
9:01
played on self-driving cars. Whoever
9:04
lives on this street added
9:06
that sign knowing that
9:08
a self-driving vehicle would then be
9:10
completely stuck. It would just
9:13
explode, Leo. I can't do
9:15
anything. It would just
9:17
say, okay, I quit. I
9:19
can't do anything. I'm stuck. Oh
9:22
my God, that's hysterical. Welcome to
9:24
America. Okay,
9:27
so I
9:29
wanted to thank all of our
9:31
listeners who correctly recalled that the
9:33
Random Notes DOS app we were
9:35
trying to remember last week was
9:38
Tornado Notes. I
9:40
don't even remember that one, so I wouldn't have gotten
9:43
it. Yeah, it was not. Well, Leo, it was DOS,
9:45
but you used DOS back in the day. Oh, I
9:47
used iGIC. I used a lot
9:49
of TSRs. Yeah, yeah, yeah. So it was
9:51
not Phil Katz of PK Zip fame. It
9:54
was a guy named Jim Lewis
9:56
of Micrologic Corporation. And
9:58
when I first encountered Tornado Notes
10:00
from a company named
10:03
Micrologic Corporation of Hackensack, New Jersey,
10:05
I wondered why is
10:07
that name so familiar? It turned
10:09
out it was because the same
10:11
guy had created one
10:14
of the most useful sets
10:16
of eight and a half
10:18
by eleven double sided plastic
10:20
sheet processor instruction
10:23
reference cards the
10:25
world had ever encountered. I
10:29
have a picture of them in the
10:31
show notes. Now upon
10:34
the event of my death my
10:37
plan is for cremation after
10:40
first having whatever organs may still
10:42
be functioning and useful to anyone
10:44
removed but if my
10:46
plan were burial I
10:48
would want these processor instruction reference
10:51
cards buried alongside
10:53
me. This is a 6502, a Z80 and an 8086. It's
10:55
all in there. And there is a 68000
11:01
as well. I cannot
11:04
begin to express how
11:06
important they were back when I
11:08
was writing assembly code first for
11:10
Apple's and later Atari's 6502-based
11:13
machines and
11:15
Leo I've got links on the
11:17
next page to the PDFs of
11:20
them. I mean these things were
11:22
significant to so many people. I
11:25
ran across someone over on reddit who commented that
11:27
it was a good thing these were 100% plastic
11:29
or he would
11:32
have worn his out. They
11:35
were indispensable and I
11:37
don't know where mine are. I'm sure
11:40
they're here somewhere because I would have
11:42
never thrown them out. They
11:44
were just perfect. Now you're showing on
11:47
the screen now the 6502 card
11:50
and notice all the blank boxes.
11:53
Those are missing
11:55
opcodes. So that was important.
11:57
You had to know what
12:00
was available and what wasn't. And one
12:02
of the reasons the 6502
12:04
microprocessor was so, what?
12:07
Was so well used. Apple chose it,
12:09
Atari chose it, Commodore chose it. It was
12:11
because it was so inexpensive, and the
12:14
reason it was inexpensive was
12:16
... Exactly.
12:18
It transferred all the burden
12:20
to the programmers, and like most of
12:23
those, most of those opcodes are
12:25
empty in there. But it did just
12:27
enough in order to get the job
12:30
done. But this was just, it was
12:32
so, so. This guy named Jim Lewis,
12:34
who later gave us Tornado Notes for DOS,
12:37
which is a TSR.
12:39
He's the,
12:41
the reason I knew his name
12:43
when Tornado Notes came along was like,
12:45
wait a minute, I've got these instruction
12:48
reference cards that I've been using forever.
12:50
Anyway, so, Tornado
12:52
Notes for DOS
12:55
was utterly unique. When
12:58
Windows happened, Jim
13:00
tried to recreate the success of Tornado
13:03
Notes with a product he named
13:05
Info Select, but Info Select
13:07
was the victim of its own
13:10
featuritis. You're right, yes. The sublime
13:12
beauty of Tornado Notes was that
13:12
it was so simple. It did
13:15
exactly and only one thing
13:17
perfectly, and, and this was
13:20
the other thing, instantaneously. It
13:22
began as a massively
13:24
overwhelming, disorganized pile of rectangular
13:27
notes. It didn't matter, you just
13:29
put anything, just random
13:32
text in. It didn't matter what
13:34
shape or size they were.
13:36
But then as you typed
13:39
successive characters of a string,
13:41
all those notes that
13:44
did not contain the sub-
13:46
string that had been entered
13:49
thus far would instantly disappear.
13:51
So you got this
13:54
very satisfying, almost animated,
13:56
real-time winnowing
13:58
of your entire pile until
14:00
you could see the note
14:02
you knew was there somewhere,
14:04
and notice that you also
14:07
saw all the notes that
14:09
contained that same substring,
14:11
which was often surprisingly useful
14:13
at times. Unfortunately, Jim,
14:15
for all his brilliance,
14:19
did not understand that
14:22
Tornado Notes succeeded due
14:24
to the constraints imposed
14:27
upon it by its DOS
14:29
environment. So when he created
14:31
its successor, which was Info
14:34
Select for Windows, he gave
14:36
it hierarchies and categories and
14:38
menus and formatting, pretty,
14:40
and everything else you can
14:42
imagine that Windows made possible.
14:44
I think there is even a kitchen
14:47
sink tucked in there somewhere. And, you
14:49
know, we wanted the same thing
14:51
for Windows that we had for DOS.
14:54
But what we got was a
14:56
monstrosity that required all manner
14:59
of configuration and thought. Hell,
15:01
yes, it could do so much
15:04
more than Tornado Notes could. But
15:06
the very thing that was so
15:08
beautiful about Tornado Notes was everything
15:10
it did not do. So,
15:12
as it turned out, in retrospect, all
15:16
the things that it did not do,
15:19
its being so minimal, was what
15:21
made it so compelling and useful.
15:25
And I mention this because
15:25
there's a larger lesson here. One
15:27
of the things the original
15:30
designers of Unix got,
15:32
and also got exactly
15:34
right, was the idea
15:36
of creating many simple
15:39
commands that took some
15:41
input, did something to it,
15:43
and then produced some output. And
15:46
then to that you add
15:49
the simple ability to interconnect
15:51
these individual small building blocks
15:53
into a chain by piping
15:55
the output of one into
15:57
the input of another. And
16:00
you're able to interactively create
16:02
and assemble a much more
16:04
complex ad hoc function. And,
16:06
Leo, while I'm not a
16:09
Lisp programmer, I have the
16:11
sense that the same sort
16:13
of approach can be used
16:15
there, where you kind of
16:17
incrementally build up actually a much
16:19
more complex solution that's
16:21
assembled from many smaller pieces
16:24
interacting. They call it composable,
16:26
because you compose a larger program
16:28
out of pieces of smaller programs.
16:30
To my mind that makes it so
16:33
much easier because you can bite off
16:35
a little bite, figure out how it
16:37
works, and because they're basically functional,
16:39
you know, it's, you know,
16:41
always going to be the same result
16:44
with the same inputs, you could
16:46
slowly plug, put those together and
16:48
build something out of it. It feels
16:50
to me like woodworking, almost like assembling
16:52
a machine, and it's a lot like, like
16:54
crafting a solution. Exactly. Yes.
16:59
And so, now, the, the
16:59
point I hope to make here
17:01
is that more is not always
17:03
better. And, for
17:05
example, this is a lesson that the
17:08
people who design the remote controls for
17:10
AV equipment appear to have never
17:12
learned. Oh my goodness,
17:14
I mean it's, it's a, it's a
17:16
joke that those things are so crazy.
17:19
And I did notice,
17:21
when I was thinking about this,
17:24
that my freeware all just
17:26
does one thing. All I
17:28
create is a little program. It just does
17:30
one thing. If you want that one
17:32
thing, that one thing the program does, you use it.
17:35
It does
17:37
its job, and then you're done. And
17:39
actually through the years people have been
17:41
asking for many, many more features from
17:44
SpinRite and I just said no.
17:46
SpinRite does what it's supposed
17:48
to do and that's
17:51
what it's for. So anyway, I just, I
17:53
want to thank all of our listeners who
17:55
said, "I think you guys were thinking about
17:57
Tornado Notes." Sure enough. And I,
17:59
I wouldn't be surprised, yeah, if there
18:01
are DOS boxes around that still run
18:03
Tornado Notes. I haven't run across a
18:05
copy of it, but I probably have
18:07
one on a hard disk around here
18:11
somewhere. Anyway, I also wanted to follow
18:11
up on last week's announcement of GRC's
18:14
new email system, which has been a
18:16
resounding success. If you
18:18
missed last week's episode, that is,
18:20
if you don't listen to them
18:22
all, and don't know about
18:25
it yet, yeah, you could go
18:27
to our old grc.com/feedback page, which
18:29
we've been talking about for twenty
18:32
years, which explains a bit about
18:34
the nature of web form spam,
18:37
which unfortunately is a thing, and
18:39
it contains a pointer over to
18:41
our new page, grc.com/mail. And
18:44
anyway, the only post-announcement
18:47
glitch we encountered was from
18:49
users mostly using
18:51
Gmail, but also a
18:54
few other ISPs,
18:56
I think Virgin Media
18:58
was one, who,
19:00
who, they use their
19:03
own domains backed by those
19:05
services like Gmail. But
19:07
since the email they
19:09
send comes from that
19:11
underlying service, like Gmail,
19:14
rather than from their domain
19:16
alias, and, and since
19:18
the incoming filter that's in
19:21
front of the securitynow
19:23
@grc.com mailbox
19:25
looks to see whether the
19:27
sender is known to us,
19:29
listeners need to register
19:32
their underlying Gmail
19:34
account at GRC, not their
19:36
alias account, which is the one
19:38
that's, you know, shown in the
19:41
email's From header of their
19:43
email. So some people were
19:45
going over to the, that
19:48
grc.com/mail page and putting in
19:50
their, the, their account
19:53
name and their own domain,
19:55
even though it's a front for
19:57
Gmail. It turns out that the
20:01
mail that they send actually
20:04
comes from Gmail, so
20:07
that was not an account that we'd ever
20:09
seen before, and so their mail was bouncing.
20:11
As soon as I understood what was going
20:13
on, I added a little comment on
20:16
the form just to say for
20:19
Gmail people that was by far
20:21
the majority of
20:24
users who were having a bounce
20:26
problem, that was what
20:28
they had to do, and that problem went away, so people
20:30
are paying attention to that. Also,
20:34
anyone using an anonymizing
20:36
email service will
20:38
have a problem. I received
20:40
an email from a listener
20:42
who was using the SimpleLogin
20:44
email anonymizing service by
20:46
Proton, which by the way appears
20:49
to be a very nice service. When
20:52
that listener sent email
20:54
to GRC, the sender's
20:56
email was this bizarre
20:58
long, one-time, 54-character random
21:00
account name in front
21:03
of the
21:05
simplelogin.com domain name. So
21:07
again, GRC's filter had never seen that
21:10
before, probably will never see it again, and
21:13
it bounced that mail back.
21:15
So, we're not compatible, our
21:17
approach is not compatible with
21:20
email anonymizing services. I
21:23
didn't mention it last week,
21:25
but I actually have at
21:27
the grc.com/mail page what I
21:29
called the prime directive, which
21:31
is nobody will ever get mail from
21:34
us that they don't want.
21:36
I mean, and I'm serious about that.
21:39
We will also never divulge anyone's
21:41
email address. Sending
21:44
email is a pain, please unsubscribe
21:46
if you're ever not happy and
21:49
so forth. Anyway, to make a
21:51
long story short, our listeners love
21:53
this simple solution. You
21:56
just register one time, you
21:59
optionally subscribe to whatever announcement
22:01
lists, if any, you may wish.
22:03
And then from then on, you
22:06
can simply send email to securitynow@grc.com.
22:09
I have been overwhelmed with notes
22:11
of thanks and congratulations from
22:14
listeners. And people I've
22:16
never heard from before who were never
22:18
going to sign up to
22:20
Twitter just to maybe send me
22:22
a note. You know, and in
22:24
fairness, Twitter is about so much more
22:26
than that, you know. It's about building
22:28
a community and a following and
22:31
following people and networking. I
22:34
had been just using it as
22:37
a point to point instant messaging
22:39
service, which after all is exactly
22:41
what email is. So
22:44
anyway, needless to say, as I said,
22:46
I will never share anyone's email address.
22:49
Oh, and I did want to say, if
22:51
somebody writes to me, I
22:53
will never share your email
22:56
address when I share
22:58
your feedback. And anyone requesting
23:00
anonymity for their name, of course,
23:03
I will honor that. Now,
23:06
I should mention, and Leo, I
23:08
remember you mentioning this too when
23:10
we first talked about it, one
23:12
of the nice things about GRC's
23:15
now retired web form was that
23:18
it solicited our listeners' location.
23:21
And it was nice being able
23:23
to include that when sharing feedback.
23:26
You know, since it made the email feel
23:28
a little bit more personal, so if you
23:30
happen to think of it, let me know
23:33
where you're writing from when you send me
23:35
a note, and I'll just sort of toss
23:37
that in when I share your feedback. I'm
23:39
wondering, you said it has to have the
23:41
same domain as the server, but
23:44
you're smart. So most email clients
23:46
will let you choose a personality
23:49
that says, so for instance, I might be
23:51
running on Gmail, but my email is, I
23:53
would like it to be leo@leoville.com. I can
23:56
choose leo@leoville.com as my personality
23:58
in Gmail, even though it's
24:00
originating from the Gmail server,
24:18
it should look to you, to your server
24:20
like Leo at Leoville. You don't look at
24:22
the underlying outbound server, do you? Or maybe
24:24
you do. I'm not sure if it's spoofable.
24:26
I wanted something that is a little less
24:28
spoofable. I have a thread that I've not
24:30
yet caught up in over in the news
24:33
groups to do some brainstorming about
24:35
whether I ought to change that. Because
24:37
it would be easier if I just
24:39
use the from address. And I'm not
24:41
sure that it really matters. Because any
24:43
spammer could certainly be spoofing
24:45
the receipt to address
24:47
as well. So I
24:50
may rethink that and change that just
24:52
to make it a little bit easier
24:55
for people. That's a good advisory.
24:57
You have to use the email
24:59
address that your server provides as
25:02
opposed to any personality, any identity
25:04
that you use. Correct. And we
25:06
ran across that with Gmail people
25:08
and also, as I
25:11
mentioned, SimpleLogin people, which
25:13
is an anonymizing service from
25:15
Proton. They also had
25:17
to do that. But really, after I
25:19
explained it, we stopped having any more
25:21
problems with signups.
25:24
So my current work this
25:27
moment, this evening,
25:30
is to finish up automating and
25:33
catching real-time email bounces
25:35
so I can immediately inform
25:38
someone when GRC is able
25:40
to detect that it was
25:42
unable to successfully deliver their
25:44
authentication loop email. Once
25:47
that's in place, I'll stick my toe
25:49
in the water to begin actually sending
25:51
email in today's
25:54
spam conscious climate. You've got to
25:56
be careful. And so we'll ramp
25:58
up from there. I wanted
26:00
to thank everybody for their support. Everyone's
26:04
interest is the reason I
26:06
became convinced that we need to keep this going
26:08
past 999. Here
26:11
we are already at 977 with our 20th birthday
26:14
coming up in August. While
26:24
I was writing the note above yesterday,
26:27
I received an email
26:29
alert from Troy Hunt's Have
26:31
I Been Pwned Email Breach
26:34
Monitoring Service. The
26:36
email subject was 16 emails
26:40
on grc.com have been
26:42
pwned in the
26:45
Telegram Combo Lists data
26:47
breach. The
26:49
breach occurred one week ago on May 28.
26:53
In the breached data, get this
26:55
Leo, 361,468,099 email accounts were found. And
27:07
HIBP, Have I Been Pwned,
27:10
sent this email because 16 of
27:12
those 361 million plus belonged to
27:18
grc.com. The
27:20
description of the breach that Troy included said,
27:23
In May 2024, 2 billion rows of data
27:31
with 361 million
27:33
unique email addresses were
27:36
collated from malicious Telegram
27:38
channels. The
27:40
data contained 122 gigabytes across
27:42
1700 files with email addresses,
27:44
usernames, passwords and
27:51
in many cases the website they
27:53
were entered into. The data
27:55
appeared. Does Troy email every one of those addresses?
28:00
He must, right? Or you sign up
28:02
for something? No, no. Yes. So
28:04
I subscribed to a
28:06
domain wide free.
28:09
It doesn't cost anybody. So I
28:11
would recommend this. It's
28:13
domain wide. So you would,
28:15
you know, do leoville.com and
28:17
twit.tv. And so,
28:20
and then you have to prove ownership of
28:22
the domain. And once you do,
28:24
any time Troy gets
28:27
a hold of any new
28:29
breach data, he'll scan the
28:32
email addresses in the breach
28:34
content and then notify
28:37
you of any hits which
28:40
may be one of
28:42
your active email addresses having
28:44
just been disclosed. Okay.
28:47
So he said, in this case,
28:49
the data contained from
28:51
this telegram combo lists data breach,
28:56
122 gigabytes across 1700 files
28:58
with email addresses, usernames, passwords, and in
29:00
many cases the website they were entered
29:02
into. He said the data
29:05
appears to have been sourced from
29:07
a combination of existing combo lists
29:09
and info-stealer malware. And we'll be
29:12
hearing a little bit more about
29:14
info-stealer malware because that comes up
29:16
when we're talking about recall again.
29:18
Okay. So naturally I went
29:21
over after I received this email from him
29:23
to see whether any of those 16 addresses
29:27
which HIBP reported
29:29
were of concern. Okay.
29:32
The short version is none were. The
29:35
longer version is the only
29:37
two that were ever valid
29:40
were greg at grc.com
29:43
and offices at
29:45
grc.com, neither of
29:48
which we have used for decades.
29:51
I once watched a
29:53
spammers server connect
29:56
to grc's email server
29:58
and just run down a list
30:01
of first names, just
30:04
Abigail at grc.com, Amanda
30:08
at grc.com and so forth,
30:10
A through Z, hoping to
30:12
get lucky. Immediately
30:14
after that, we retired
30:16
our original and oh so
30:19
very innocent use
30:21
of our first names for
30:23
email. That just became impractical.
30:28
The wonderful open source
30:30
email server I've been using
30:32
for years is known
30:34
as hMailServer. Anyone
30:37
looking for an
30:39
utterly solid feature-packed,
30:42
no-nonsense, free Windows
30:44
hosted email server should look no
30:46
further. There really is nothing
30:49
comparable. I know lots of people
30:51
run Sendmail and Postfix
30:53
and so forth over on Linux.
30:55
I get that. Those are certainly
30:57
mature platforms too. For
30:59
Windows, hMailServer. It's
31:02
another of those rare
31:04
software creations that has no
31:07
bugs. Just
31:09
like John Dvorak gets no
31:11
spam, this thing has
31:13
no bugs. The
31:15
only time it's been updated
31:17
for years is to
31:20
keep up with improvements in the
31:22
OpenSSL library, which it uses
31:25
to make its TLS client and
31:28
server connections. In fact,
31:30
I updated it just last week after
31:33
many years of trouble-free service
31:35
only to obtain support for
31:37
TLS 1.3, which I did
31:39
not have in my previous
31:41
instance. And remember, 1.2 appears
31:43
to be fine. You
31:47
know, that 1.3 exists. It's
31:51
real. People should support it.
31:53
But 1.2 ain't going away anytime
31:56
soon because it's still,
31:58
what is it, 86 percent of
32:00
connections or something like that. Anyway,
32:03
hMailServer has a dynamic
32:05
block list feature that
32:08
will block for a configurable period of
32:10
time any remote server
32:13
by IP address that
32:15
attempts to deliver email
32:17
to any non-existent address,
32:20
in my case at GRC. I just
32:23
checked the server when I was writing this
32:25
yesterday. I currently have
32:27
the block list expiration set for
32:29
two hours and
32:31
at the moment I checked 473 individual
32:34
IP addresses were currently being blocked.
32:42
So within the previous two
32:44
hours 473 different spamming SMTP servers had
32:51
connected to GRC and attempted
32:53
to send spam not
32:56
to actually you know not even
32:58
to any valid email address but
33:00
just to throw crap at the
33:02
wall hoping to get
33:04
lucky. Now GRC has been
33:06
around a long time the domain
33:08
is well known but we're certainly
33:11
not particularly high-profile and
33:14
it so saddens me, Leo, to
33:16
see, sadly, I
33:19
mean really what a sewer our
33:21
beloved internet has become. I know
33:25
I'm unsure what it teaches
33:27
us about humanity but I'm
33:29
pretty sure I don't want to know. I
33:32
think it reflects humanity that's the problem. Yeah,
33:34
as we go along it's more and more
33:36
like people who make it. Yes, the
33:40
trifecta of the
33:42
internet being anonymous, global
33:45
and free. Those three
33:47
things enables
33:50
every last miscreant on
33:52
earth to attempt to
33:54
have their way with everyone else. Fortunately
33:57
the rest of us are far from powerless.
34:00
And we have this podcast to help us
34:02
stay ahead of the tidal wave of incoming
34:05
crap that's out there pounding on the door
34:07
trying to get in. We're
34:09
not going to let any of that in. No. Okay.
34:13
Okay. So I
34:15
want to talk about a new supply
34:17
chain attack vector, but let's
34:19
take a break first and
34:22
then we will get into some
34:24
security news of the week. All right.
34:27
I think you should write a manifesto, Steve. We're
34:31
mad as hell and we're not going to take
34:33
it anymore. Well, we're going
34:35
to stand behind. We're going to hide behind our
34:37
NAT routers and hope that all that junk out
34:39
there. I mean, come on, 473 servers just hooked
34:41
up to GRC in the course of two
34:43
hours. It's
34:49
mind-boggling, isn't it? It's
34:53
just amazing. Yeah. It's really
34:55
sad. Yeah. What about the world
34:57
we live in? I'm sorry to say. Well,
35:01
you know what? One good thing about doing this
35:03
show is we, because you focus on all this
35:05
stuff, we have the best sponsors when
35:07
it comes to security, right?
35:10
They flock to us. In fact, we talk to people all
35:12
the time and say, hey, can I be on
35:14
security now? And most of the time I'm
35:16
happy to say we have to say, no,
35:18
it's sold out for the next quarter. This
35:21
portion of the show brought to you by
35:23
Kolide. Now if you use Okta,
35:26
and I hope you do because it's a really
35:28
good authentication technology, you ought
35:30
to know about Kolide. Kolide is for
35:32
companies that use Okta, and it does
35:34
the second half of the authentication process.
35:36
Okta ensures that the person is
35:39
who they say they are, right? You know,
35:41
your DevOps engineer. Kolide piggybacks
35:43
on it and makes sure that
35:45
that guy or gal's devices
35:48
and software are secure too,
35:50
right? Just letting
35:52
this person in, willy-nilly, without checking
35:54
their devices is just heading for
35:57
trouble. You've heard about
36:00
Kolide before. I hope you've thought about it.
36:02
You might have also heard the latest news
36:04
that Kolide was just acquired by
36:07
1Password. Now that's a good partnership.
36:09
Both companies are
36:12
focused on leading the industry in
36:14
creating security solutions that are user-first.
36:18
That's really important. For
36:21
over a year Kolide Device Trust has helped
36:23
companies with Okta ensure that only known and
36:25
secure devices can access their data.
36:28
It has used users as
36:30
part of your security team to help you
36:32
make sure that your stuff is safe. They're
36:34
still doing all of that. Now
36:36
they're just part of one password. That
36:38
means more resources and an even greater
36:40
focus on the job at hand. So if
36:43
you've got Okta and you've been
36:45
meaning to check out Kolide, this would be
36:47
an excellent time. Don't be put off that
36:49
it might be hard to set up. In
36:52
fact, it's very easy. It comes with a
36:54
library of pre-built device posture checks. All
36:56
the stuff you're going to want, you know,
36:59
up-to-date operating system, up-to-date browser. All
37:01
the obvious things. But then it's very
37:03
easy for you to write your own
37:05
custom checks for specifics to
37:07
your business or to your users.
37:10
Anything you could think of really. Oh, here's
37:12
another great thing about Kolide. It doesn't require
37:14
MDM. So
37:16
that means you can use it on your Linux fleet, your
37:19
contractor devices, and just about every
37:21
BYOD phone and laptop in your
37:23
company. You don't want to leave
37:25
any gaps, right? Now that Kolide's part
37:28
of 1Password, it's just going to get better.
37:30
This is the time to check it out. As
37:33
Steve said, the Internet is full of crap. And
37:36
Kolide will keep it off your intranet.
37:39
Kolide, kolide.com/securitynow. Go there, learn more,
37:41
watch the demo today. They still call
37:43
it an intranet. Is that old-fashioned?
37:45
Yeah. I mean, you know, now a
37:48
lot of the enterprise stuff I see,
37:50
they talk about your apps, your data.
37:52
Because of the cloud, it's not just
37:54
inside the walls of your business anymore.
37:57
It's everywhere. You need Kolide.
37:59
kolide.com/securitynow. Thank
38:03
you, Kolide, for being such great supporters
38:06
of Steve's all this time. All
38:08
right, Mr. G, on we go with the show. And
38:12
speaking of what a sad mess the
38:15
greater internet has become, and
38:18
of not letting any of that mess into
38:21
our lives, one of our listeners, Terrence Kam,
38:23
pointed me to a recent piece in
38:26
Bleeping Computer titled, Cybercriminals
38:28
pose as helpful, in
38:30
air quotes, Stack
38:33
Overflow users to push
38:35
malware. Okay, now,
38:37
for those who have never encountered
38:39
it, Stack Overflow is a forum
38:41
community of developers
38:44
of widely ranging skill. It's
38:47
essentially a place where coders can help
38:49
one another. When I've
38:51
been struggling with a programming problem,
38:53
such as when I was working to
38:55
get server side on the fly
38:57
code signing to work remotely with a
39:00
certificate stored in an HSM, which
39:02
as far as I know, no one
39:04
has ever done before, the Stack Overflow
39:07
site would often be listed among Google's
39:09
search results. And I'm a
39:11
member there, since I've enjoyed answering
39:13
questions and giving back when I can.
39:16
So Bleeping Computer writes,
39:19
cybercriminals are abusing
39:21
stack overflow in an
39:24
interesting approach to spreading malware,
39:27
answering users questions
39:30
by promoting a malicious
39:32
PyPI package that installs
40:34
Windows information stealing malware.
40:39
Sonatype researcher Ax Sharma, who's
40:41
also a writer at Bleeping
40:43
Computer, discovered this new PyPI
40:45
package is part of a
40:47
previously known Cool package campaign
40:49
named after a string in
40:51
the package's metadata that
40:54
targeted Windows users last year. This
40:57
PyPI package is named pytoileur
40:01
and was uploaded by threat actors
40:03
to the PyPI repository over the
40:05
weekend. Claiming to
40:08
be an API management tool, malicious
40:13
packages like this, they write,
40:15
are usually promoted using names similar
40:17
to other popular packages, a
40:20
process we've talked about before known
40:22
as typosquatting. However, with this
40:24
package, the threat actors took a
40:26
more novel approach by
40:28
answering questions on
40:30
Stack Overflow and promoting the
40:33
package as a solution. Stack
40:36
Overflow, Bleeping Computer
40:39
writes, is a widely used platform
40:41
for developers of all skill sets
40:43
to ask and answer questions. It
40:46
provides a perfect environment to
40:48
spread malware disguised as programming
40:51
interfaces and libraries, Sonatype's
40:53
Ax Sharma said in their
40:55
report. We
41:00
further noticed that a Stack
41:02
Overflow account that had a
41:04
nonsense name of EstAYA G
41:08
created roughly two days ago is now
41:12
exploiting the platform's community
41:14
members who are seeking
41:16
debugging. It's directing
41:18
them to install this malicious
41:20
package as a solution, again
41:22
in air quotes, to
41:25
their issue even though
41:27
the solution is unrelated to
41:30
the questions being posed by
41:32
developers. In this
41:34
case, the pytoileur package
41:37
contains a setup.py Python
41:39
file that pads a base64
41:42
encoded
41:46
command which
41:49
executes with
41:51
spaces so that unless
41:54
you enable word wrapping in
41:56
your IDE, your Integrated
41:58
Development Environment, or
42:00
text file editor, this
42:02
base64 blob will
42:04
be pushed all the way
42:06
out past the right margin
42:08
and off screen so you'll
42:11
never see it. When
42:13
that blob of base
42:16
64 is de-obfuscated,
42:18
the command will download
42:20
an executable named
42:22
Runtime.exe from a remote
42:24
site and run it. They
42:27
write, this executable is a
42:29
Python program converted into an
42:32
EXE that acts as an
42:34
information stealing malware to harvest
42:36
cookies, passwords, browser history, credit
42:38
cards, and other data from
42:41
the user's web browsers. It
42:43
also appears to search through
42:45
documents for specific phrases and,
42:47
if found, steals the data
42:50
in them as well. All
42:52
This information is then sent back
42:55
to the attacker who can sell
42:57
it on the dark web markets
42:59
or use it to breach further
43:02
accounts that are owned by the
43:04
victim. They said, while malicious PyPI
43:06
packages and information stealers are nothing
43:08
new, the strategy now to
43:11
pose as helpful contributors on Stack
43:13
Overflow is an interesting new approach
43:15
as it allows them to exploit
43:18
the site's trust and authority within
43:20
the computer coding community. This approach
43:23
serves as a reminder of
43:25
the constantly changing tactics of
43:27
cyber criminals, and unfortunately illustrates
43:30
why you can never blindly
43:32
trust what
43:35
someone shares online. Instead,
43:38
developers must verify the source
43:40
of all packages they add to
43:42
their projects and, even if it
43:45
feels trustworthy, check the code,
43:47
and they said with word wrap
43:49
enabled, for unusual or obfuscated commands
43:52
which will be executed. I have
43:54
a picture in the show
43:56
notes of the window and
43:59
you can see where there
44:01
is a Python class
44:03
named InstallCommand and then
44:06
a definition of run
44:08
which is going to
44:14
print something and then
44:17
you can see a big bunch
44:19
of white space. Well, that's all
44:21
spaces that will push this
44:24
huge green blob of
44:26
base64 encoded code far
44:29
off to the right so
44:31
that if someone did not have Word
44:33
Wrap enabled they'd never see this. They
44:36
would look at it and go, huh, well,
44:38
okay, I don't quite get what it's doing
44:40
but looks fine,
44:42
nothing bad there when in fact
44:44
there is a big blob of
44:46
badness which the
44:49
exec function
44:52
will deobfuscate and then run.
44:56
So anyway, I'll just note that
45:00
before the end of today's podcast the
45:03
security researcher Kevin Beaumont is going
45:05
to show us despite
45:08
Microsoft's claims to the contrary
45:10
that the database underlying
45:12
Microsoft's new recall system
45:15
can in fact be
45:17
exfiltrated remotely, it does
45:19
not require system privilege
45:22
and can be accessed by any other
45:24
user on the same machine. That
45:27
means that Recall's SQLite database is
45:29
100% vulnerable
45:31
to exactly this sort
45:34
of info stealing malware.
45:37
So it's not like Microsoft has
45:39
created some miracle that is
45:42
going to protect this database and
45:45
we'll be talking about more of that in
45:47
a minute. So in
45:50
other news we have another
45:52
certificate authority in the doghouse. Google
45:55
has announced that it will
45:57
be removing its trust of
45:59
all new TLS
46:02
certificates issued by the
46:04
Austrian certificate authority GLOBALTRUST.
46:07
Rather than
46:09
yanking GLOBALTRUST's root
46:11
certificate, which would invalidate all
46:13
previously issued GLOBALTRUST certs,
46:16
Google will be using a
46:18
recently added new feature
46:21
that allows it to manage
46:23
certificate trust based on certificate
46:26
issue dates, so Chrome will
46:28
not be trusting any new
46:30
certificates issued by GLOBALTRUST
46:33
after the end of this
46:35
month, June 30th.
46:38
Now, through the nearly
46:40
twenty years of this podcast, we've
46:42
seen and discussed a
46:45
range of misbehavior on the
46:47
part of those who have
46:49
been given the privilege of
46:51
essentially printing money. Certificate
46:53
authorities charge their customers
46:55
hundreds of dollars in
46:58
return for encrypting a
47:00
hash of a small
47:02
block of bits that the customer
47:04
presents. But in return
47:06
for this money printing privilege,
47:09
the CA must abide by
47:11
a significant code of conduct.
47:13
When that code is broken,
47:16
and only after bending over
47:18
backwards with more than ample
47:20
warnings, the industry has then
47:23
summarily withdrawn its trust
47:25
from the signatures of those
47:27
CAs on the
47:30
grounds that if the CA
47:32
cannot be trusted, neither
47:34
can anything they have signed. In
47:37
this case, GLOBALTRUST has
47:40
established, well, "established"
47:42
is such an interesting choice
47:44
of words, a multi-year
47:47
history of misconduct. And
47:50
they've lost the trust of the industry.
47:53
Google will be enforcing
47:55
a ban retroactively on
47:57
all chrome versions down
48:00
to 124. So
48:03
lots of previous Chrome versions. I don't
48:05
know who would not be keeping their
48:07
version of Chrome up to date, but
48:09
okay. And
48:12
the other browser makers have not yet
48:14
announced a similar decision, although Mozilla appears
48:16
to be aware of the problems with
48:19
global trust and is concerned. On
48:22
the other hand, since no customer
48:24
would purchase a certificate for a
48:27
web server, which anyone
48:29
visiting with Chrome would
48:31
be unable to connect to securely,
48:33
this immediately puts
48:35
global trust out of the
48:38
business of selling web
48:40
server certificates. In other words, whether
48:42
or not Apple and Mozilla should
48:45
choose to follow, global
48:47
trust is done for now,
48:49
at least on the TLS
48:51
web server certificate business. They may
48:53
be selling lots of
48:56
certificates for other purposes, but not
48:58
for any Chrome browsers in the future. Those
49:03
of us who have been around since
49:07
the dawn of the internet
49:09
will likely remember the first
49:11
successful instant messaging app known
49:13
as ICQ. It was
49:16
meant to be short for I
49:19
seek you. The
49:21
system was originally developed back
49:23
in 1996 by an
49:26
Israeli company named
49:28
Mirabilis. Two
49:31
years after it was created, ICQ
49:49
was acquired by AOL in 1998 and then by
49:51
the Russian Mail.ru Group in 2010.
50:00
It had a
50:02
neat kind of funky flower petal
50:04
logo and I've sort of thought
50:06
of it like through the years
50:08
wondering whatever became of it. At
50:11
its peak around 2001 it had more than 100 million accounts
50:15
registered and nine years later
50:17
when AOL sold it to
50:19
Mail.ru it had around 42
50:22
million daily users
50:25
and it has been puttering along in
50:27
the background ever since. Two years
50:30
ago it had dropped to around
50:32
11 million monthly users and
50:34
finally the reason the
50:36
subject came up is that a
50:38
week and a half ago on
50:40
May 24th the website of icq.com
50:43
announced that the service would be shut down
50:45
about three weeks from now on June 26th
50:48
2024. So it had a pretty good 28
50:50
year run for an instant messaging
50:55
service that was largely passed by
50:57
you know when smartphones and other
50:59
major social media service got into
51:02
the game but it
51:04
was there from the beginning and kind
51:06
of cool. Okay
51:10
now completely off topic but this
51:12
has been something that I've been wanting to just
51:16
make sure everybody knew about for a while.
51:19
My wife
51:21
recently agreed to join me in
51:27
watching one of my favorite science
51:29
fiction movies of all time. We know I'm
51:31
a pushover for science fiction but
51:33
unfortunately far more horrible science fiction movies have
51:35
been made than
51:41
good ones and even more
51:43
rare is the perfect
51:45
science fiction movie. So
51:48
we settle down to watch Deja Vu, which stars Denzel
51:50
Washington. I've seen it before. You
51:52
probably have, Leo, it's not new. And
51:56
yes, I
52:00
get your, okay. Just checking. Actually,
52:03
I don't feel like I've ever seen it. I
52:06
don't, you know, kidding. Val Kilmer and
52:08
Denzel Washington as being sci-fi stalwarts.
52:10
Oh Leo okay,
52:12
so all right, so listen, okay
52:15
So Denzel Washington Val Kilmer
52:18
and some other recognizable actors
52:20
from Hollywood's inventory as
52:22
I was watching it for maybe the fourth
52:24
time I
52:26
kept thinking over and over And
52:31
you know it is as I
52:34
was watching this perfectly and
52:36
off often leisurely paced two-hour
52:38
movie unfold scene by
52:40
scene and Everything
52:42
was happening exactly the way it should
52:45
that I was sitting
52:47
here watching one of the
52:49
all too rare perfect
52:51
movies this
52:54
movie offers convincing acting that's
52:56
not distracting a brand
52:58
new and perfect concept
53:01
a perfect script and
53:03
a plot that's both surprising and
53:06
where what happens is better than
53:10
someone steeped in science
53:12
could have ever hoped for.
53:15
the writers Enlisted the help
53:18
of Brian Greene a Cornell
53:20
and Columbia University physicist
53:24
to get the science right and Boy,
53:26
did they you know that's part
53:28
of what's so gratifying about this movie now
53:30
as I said, it's not a new movie
53:32
It was released 18 years ago back in
53:34
2006 But
53:38
it stands up and it feels 100% Contemporary
53:42
I realized that since this
53:45
podcast Is
53:47
closing in on its 20th birthday? Every
53:51
time I've seen this movie I've
53:53
done this podcast a few days later
53:56
yet Somehow I've never thought
53:58
to mention it searched
54:00
our transcripts and there was no mention of
54:02
it. So you know that's my
54:04
bad and that's fixed now. I
54:07
know quite well that not everyone's taste is
54:09
the same, not everyone will feel as I
54:12
do about this. But if you don't already
54:14
know this movie and Leo
54:16
I guess you don't. Lisa said
54:18
she's seen it so it'll be deja vu for
54:20
her but it'll be whatever
54:22
it is premier view for me. It
54:26
is just so good. I
54:29
just I I oh my goodness.
54:31
I'm watching it tonight. I need something to watch.
54:34
It is wonderful sci-fi. I love that now.
54:37
Of course. And yes I do
54:39
too and it's it will not
54:41
disappoint you. Okay
54:44
thank you. Finally something
54:47
to watch tonight. Let's take
54:49
another break because we've got
54:51
two left and I want to do one
54:53
before we start talking about recall. First word
54:55
from our sponsor the fine folks at
54:58
Zscaler, the leader in cloud
55:01
security. You I'm sure know the
55:03
name Zscaler. The Z is
55:06
for zero trust. It's no surprise that cyber
55:08
attackers these days are now using AI
55:11
in creative way. If you
55:13
think about that Stack Overflow hack you just talked
55:15
about, imagine that we know that
55:17
AI has ingested a bunch of stuff from
55:20
stack overflow. So a lot of people who
55:22
are using AI to help them code might
55:25
well get that that attack in
55:27
their AI. Bad guys
55:29
are using it to compromise users
55:31
and breach organizations from
55:33
high precision phishing emails and
55:36
you've also seen this. This is this is torn
55:38
from the headlines. Deep fakes of
55:41
both video and voice. You
55:44
saw the the poor
55:46
financial guy who thought he was
55:48
at a zoom meeting with the CFO and
55:50
the CEO of his company looked and sounded
55:52
just like them. They said cut us a
55:54
check for 25 million, send it
55:57
to this address. He did. It was
55:59
a deep fake. He was
56:02
completely fooled. In
56:04
a world where employees are working
56:06
everywhere, where apps are
56:08
everywhere, data is everywhere, firewalls
56:11
and VPNs, you know, the way we
56:13
used to log into the company network
56:15
is through the VPN. It's just not
56:17
working anymore. It's not protecting you. In
56:19
fact, because they weren't designed
56:22
for the distributed environments and
56:24
these modern AI powered attacks,
56:27
firewalls and VPNs have often become the attack surface
56:29
we talk about on the show right here. In
56:33
a security landscape where you have
56:35
to fight fire with fire, fight
56:37
AI with AI, the best AI
56:39
protection comes from having the best
56:41
data. Get this, Zscaler has
56:43
extended its zero trust architecture with
56:45
powerful AI engines that are trained
56:48
and tuned by 500 trillion
56:50
signals every day. 500 trillion signals
56:53
every day. That
56:58
means they are, their finger is on the
57:01
pulse of what's happening in the world right
57:03
now. In a security landscape where
57:05
you are being constantly bombarded by new
57:07
attacks no one's ever heard of, that's
57:09
vital. Zscaler and
57:11
Zero Trust Plus AI helps
57:14
defeat attacks from AI
57:16
and others today by enabling you
57:18
to automatically detect and block advanced
57:20
threats. Even before
57:23
anybody's ever heard of them, right?
57:25
Discover and classify sensitive data, your
57:27
data everywhere. Generate user to
57:29
app segmentation to limit
57:32
lateral threat movement. Quantify
57:35
risk, prioritize remediation
57:37
and it's handy,
57:39
you need it. Generate board ready
57:41
reports so you can explain what's
57:43
going on. Learn more about Zscaler
57:45
Zero Trust Plus AI to prevent
57:47
ransomware and other AI attacks while
57:49
gaining the agility of the cloud.
57:52
Experience your world
57:54
secured. Visit zscaler.com
57:57
slash Zero Trust AI. zscaler.com
58:02
slash zero trust AI.
58:04
We thank you so much for supporting
58:06
security now and the
58:09
good work that Steve is doing right
58:11
here. Steve on the show, on with the
58:13
show. Okay. Yes. So
58:16
our listener, Jeff Price, he wrote
58:18
and said, Leo touched on this,
58:21
but fast mail allows you to
58:23
create these unique random email addresses.
58:25
What most people forget is Apple
58:28
lets you create these as well. They
58:30
call it hide my email. So
58:33
I just wanted to share just note, since I have
58:35
the feeling email aliasing services
58:37
are going to become increasingly
58:39
popular as websites turn to
58:41
collecting and sharing whatever they
58:43
can about their visitors as
58:45
a means of increasing their
58:47
advertising revenue, you know,
58:49
as third party cookies and as Google
58:53
tries to promote their
58:55
sandbox anti-tracking technologies.
58:58
Kirk Sexton wrote, hi Steve, great work on
59:01
the new email system. I never miss a
59:03
show. I listen on my morning
59:05
runs and in the car on my way to work.
59:08
Sometimes I have to run a little
59:10
further or sit in my
59:12
car for a few minutes longer after
59:14
arriving. So I don't interrupt a point
59:16
before hitting pause. I
59:18
may have missed this point, but
59:20
I don't recall hearing anything about
59:23
those users who sync their
59:25
accounts on Microsoft OneDrive
59:28
or for that matter use other
59:30
cloud-based backup services. Backing,
59:32
and he's talking about Recall. He
59:34
says backing up files is one thing.
59:37
It would be expected that anything
59:39
committed to local storage will be
59:42
backed up to the subscribed cloud
59:44
storage. However, temporary information
59:46
that is used just for the
59:48
moment will now be stored locally.
59:51
Think passwords, credit cards or other
59:53
sensitive information within the screen grabs.
59:56
Microsoft has said it will only
59:58
be stored locally. What
1:00:00
about cloud syncing with OneDrive
1:00:02
or other services? I
1:00:05
see it as the problem just
1:00:07
mushrooming into multiple attack vectors. Am
1:00:09
I missing something? And he
1:00:11
finished to 999 and beyond all the best, Kirk
1:00:14
Sexton. So Kirk
1:00:16
raised a great point, I think. We're
1:00:19
about to spend the rest of the podcast
1:00:21
looking at what one
1:00:23
security researcher found and
1:00:26
also about what
1:00:28
may be Microsoft's
1:00:30
significantly greater plan
1:00:33
beyond what they've announced. But
1:00:36
everything we now know suggests
1:00:39
that the Recall data are
1:00:41
just SQLite files
1:00:43
stored under the user's
1:00:45
AppData directory in
1:00:48
a new folder called
1:00:50
CoreAIPlatform. Microsoft
1:00:53
has indicated that BitLocker will be used
1:00:55
to encrypt the data at rest. But
1:00:58
online backups are made of
1:01:01
live unencrypted data so
1:01:03
that they can later be retrieved.
1:01:05
And there's nothing we know so
1:01:07
far that would prevent anything that
1:01:10
was backing up a user's machine from
1:01:12
also backing up their machine's
1:01:15
recall history. So
1:01:18
there
1:01:20
just seems to be so many things
1:01:22
that have not been well thought through
1:01:25
here. OK,
1:01:27
and then just one piece of feedback. I'm
1:01:33
way far behind, just so everybody knows.
1:01:37
The first week of listener feedback email
1:01:40
was intense. With many
1:01:42
listeners wanting to say hi, to
1:01:44
express their happiness, there's now a way to
1:01:46
send me thoughts without engaging in social media.
1:01:49
So yeah, as I said, I'm way
1:01:51
behind. But I figured I'd share one
1:01:54
piece of feedback that's primarily about a
1:01:56
Spinrite owner's experience, first with Spinrite 6,
1:01:59
or by comparison, with Spinrite 6 and then
1:02:01
with 6.1. Our listener
1:02:04
Mark Jones sent email with
1:02:06
the subject, Wow, Spinrite
1:02:08
6.1 is amazing. He
1:02:10
wrote, Dear Steve, Longtime Listener,
1:02:12
Occasional Source of Feedback. He
1:02:14
says, parens, I was
1:02:17
@MJPhD on Twitter. I'm
1:02:19
so happy to be using email.
1:02:21
I only kept my X account
1:02:23
for Security Now feedback. It's
1:02:26
that I've listened to you discuss both the
1:02:28
speed of 6.1 and the
1:02:30
magic it does on an SSD. Ever
1:02:33
the experimentalist, I thought I
1:02:35
would put it through its paces. I
1:02:37
have two drives, a 1 TB
1:02:39
spinner and a 250 GB
1:02:42
SSD that seemed to have
1:02:44
slowed. The results
1:02:46
are nothing short of remarkable on
1:02:49
both drives. In only
1:02:51
4 hours, the 1 TB
1:02:54
was rejuvenated. That would
1:02:56
have taken days using Spinrite 6. The
1:02:59
boot into Windows 10 is
1:03:01
now seconds instead of
1:03:04
minutes and the random
1:03:06
slowdowns that were plaguing the system
1:03:08
are gone. The real
1:03:10
miracle was on the SSD. The
1:03:13
new drive test showed I was
1:03:15
at 19 MB per second at the
1:03:18
front and middle and
1:03:20
80 MB per
1:03:22
second at
1:03:25
the end. So 19 front and middle, 80
1:03:28
MB at the end. The whole
1:03:30
drive is now over 546 MB
1:03:32
per second after
1:03:36
a level 3 scan. Saying
1:03:39
computer performance has returned
1:03:41
feels inadequate. It's
1:03:44
mind-blowingly fast compared to
1:03:46
yesterday. Truly amazing. Thanks
1:03:48
for the great work and I'm happy
1:03:50
there will be a future past 999.
1:03:53
Regards Mark Jones. Okay,
1:03:57
so let's talk about
1:04:00
Recall again because we have
1:04:02
additional information and
1:04:05
Leo I find a
1:04:07
point to pause here for our
1:04:09
final. Okay so
1:04:14
I think that a
1:04:16
data driven theory about
1:04:18
Microsoft's future plans for
1:04:21
this technology emerged after
1:04:24
I read a recent posting by
1:04:26
a well-known and well-informed security
1:04:28
researcher named Kevin Beaumont. Since
1:04:32
last week's episode, which I titled as
1:04:34
we know the 50 gigabyte
1:04:36
privacy bomb, Kevin whom
1:04:39
we often quote and refer to has
1:04:41
again weighed in on
1:04:43
Microsoft's new recall facility. His
1:04:46
first posting on the subject,
1:04:48
which he made on May
1:04:51
21st, immediately following Microsoft's announcement
1:04:53
was titled how
1:04:55
the new Microsoft Recall
1:04:58
feature fundamentally undermines Windows
1:05:00
security. As
1:05:02
a mature, seasoned and
1:05:04
experienced security researcher, his
1:05:06
immediate what could possibly
1:05:09
go wrong reaction to the
1:05:11
idea of having Windows continually
1:05:13
recording and storing our PC's
1:05:15
screens echoes my own. It's
1:05:19
immediately obvious to anyone who's been around
1:05:21
the block a few times that this
1:05:24
is indeed a 50 gigabyte
1:05:26
privacy bomb. What
1:05:29
wasn't clear to me until
1:05:31
just yesterday was why
1:05:33
Microsoft may be doing this and
1:05:36
what they probably have planned for the
1:05:39
future. We'll
1:05:41
get to that. Ever since
1:05:43
his immediate posting and reaction to
1:05:45
the announcement of Recall, Kevin
1:05:47
has been playing with it.
1:05:50
After reading what Kevin wrote, a
1:05:53
light bulb went off for me. So I'm
1:05:55
first going to share Kevin's follow-up
1:05:58
piece which further describes Recall in
1:06:00
much more detail. Then I'll
1:06:03
share what I think it really means.
1:06:05
Kevin titled his follow-up piece which he
1:06:08
posted four days ago after
1:06:10
spending a week and a half with
1:06:12
Recall, quote, stealing
1:06:14
everything you've ever typed
1:06:16
or viewed on your
1:06:20
own Windows PC is
1:06:22
now possible with two lines of
1:06:24
code inside
1:06:27
the Copilot+
1:06:29
Recall disaster, unquote.
1:06:33
Okay, now before switching into Q&A mode, which
1:06:35
he does later, Kevin began
1:06:37
his newly informed discussions
1:06:39
of Recall by writing
1:06:41
this. He said, I wrote
1:06:44
a piece recently about Copilot+
1:06:46
Recall, a new
1:06:48
Microsoft Windows 11 feature which in
1:06:51
the words of Microsoft CEO
1:06:54
Satya Nadella takes screenshots
1:06:56
of your PC constantly
1:06:59
and makes it into an
1:07:01
instantly searchable database of everything
1:07:03
you've ever seen. As
1:07:05
he says, it is a
1:07:07
photographic memory of your PC life.
1:07:11
I got hold of the
1:07:13
Copilot+ software and
1:07:16
got it working on a system
1:07:18
without an NPU
1:07:21
about a week ago and
1:07:23
I've been exploring how this thing works in
1:07:26
practice so we'll have a look
1:07:28
into that shortly. First, I
1:07:30
want to look at how this feature
1:07:32
was received as I think it is
1:07:34
important to understand the context. The
1:07:37
overwhelmingly negative reaction
1:07:40
has probably taken Microsoft
1:07:42
leadership by surprise. For
1:07:44
almost everyone else, it wouldn't have.
1:07:47
This was like watching Microsoft become
1:07:50
an Apple Mac marketing department. At
1:07:53
a surface level, it
1:07:55
is great if you're a manager at
1:07:57
a company with much to do. and
1:08:00
too little time as you can instantly
1:08:02
search what you were doing about a
1:08:05
subject a month ago. In
1:08:08
practice, that audience's needs
1:08:11
are a very small, tiny,
1:08:13
in fact, portion of
1:08:15
Windows' overall user
1:08:17
base, and frankly, talking
1:08:20
about screen-shotting the things people
1:08:22
in the real world,
1:08:25
not executive world, are doing
1:08:28
is basically like punching customers in
1:08:30
the face. The echo
1:08:32
chamber effect inside Microsoft is
1:08:34
real here, and oh boy,
1:08:37
just oh boy, it's a
1:08:40
rare misfire, I think, Kevin
1:08:43
wrote. He said, I think
1:08:46
recall is an interesting, entirely
1:08:49
optional feature with a niche,
1:08:52
initial user base
1:08:54
that would require
1:08:56
incredibly careful communication,
1:08:59
cybersecurity, engineering, and
1:09:01
implementation. Copilot+
1:09:04
Recall does
1:09:06
not have any of these.
1:09:10
The work has clearly not been
1:09:12
done to properly package
1:09:14
it together. A
1:09:17
lot of Windows users just want their
1:09:19
PCs so they can play games, watch
1:09:22
porn, and live their lives as
1:09:24
human beings who make mistakes that
1:09:26
they don't always want to remember.
1:09:29
The idea other
1:09:31
people with access to the device
1:09:33
could see a photographic
1:09:36
memory is very scary to
1:09:40
a great many people on a deeply personal
1:09:42
level. This
1:09:44
is a personal experience. This
1:09:48
shatters that belief. Okay,
1:09:50
now I thought Kevin's take on this was interesting.
1:09:53
His observation that Microsoft appears to
1:09:55
be oblivious to the fact that
1:09:58
not all users of PCs are
1:10:00
even close to being the same, that
1:10:03
a manager in a corporate environment
1:10:06
might indeed find it useful
1:10:08
to be able to look a month
1:10:10
back for some specific work subject, but
1:10:13
that for the common user, the rest
1:10:15
of us, the idea
1:10:17
that our machines are watching and
1:10:19
recording everything we do, even
1:10:22
if it would only be for our
1:10:24
own later access, is mostly just creepy.
1:10:27
You know, we don't know the future. We
1:10:29
don't know what's going to happen a
1:10:31
month or two from now, but Recall
1:10:33
will make what's happening on our machines
1:10:36
now available to
1:10:38
that unknown future. Anyway,
1:10:41
Kevin finishes his lead-in by writing,
1:10:45
I think they're probably going to
1:10:47
set fire to the entire Copilot
1:10:49
brand due to how poorly
1:10:51
this has been implemented and rolled out. It's
1:10:54
an act of self-harm at
1:10:56
Microsoft in the name of
1:10:58
AI and by proxy,
1:11:01
real customer harm. More
1:11:03
importantly, as I pointed out
1:11:05
at the time, this fundamentally
1:11:07
breaks the promise of security
1:11:09
in Windows. I'd
1:11:12
like to now detail why.
1:11:15
He said, strap in, this
1:11:17
is crazy. I'm going
1:11:19
to structure this as a Q&A
1:11:21
with myself now, sourced from comments
1:11:24
I've seen online, as it's really
1:11:26
interesting seeing how some people hand-wave
1:11:28
the issues away. Okay,
1:11:31
so now Kevin switches into
1:11:33
Q&A format. He asks himself a
1:11:35
question. So
1:11:38
the question is, someone's saying, well, the
1:11:41
data is processed entirely locally
1:11:43
on your laptop, right? Answer,
1:11:46
yes. They made some smart
1:11:48
decisions here. There's a
1:11:50
whole subsystem of Azure
1:11:52
AI, etc., code that processes
1:11:54
on the device. Okay,
1:11:57
question, cool. So, attackers...
1:12:00
malware can't access it, right?
1:12:03
And he says, no, they
1:12:05
can. But
1:12:08
it's encrypted. When
1:12:10
you're logged into a PC and
1:12:12
run software, things are decrypted for
1:12:14
you. Encryption at rest
1:12:17
only helps if someone comes to
1:12:19
your house and physically steals your
1:12:21
laptop. That's not what criminal hackers
1:12:23
do. For example, info-stealer
1:12:26
Trojans, which automatically steal usernames
1:12:28
and passwords have been a
1:12:31
major problem for well over
1:12:33
a decade. Now
1:12:35
these can be easily
1:12:37
modified to support recall.
1:12:41
But the BBC said data
1:12:43
cannot be accessed remotely by
1:12:45
hackers. They
1:12:48
were quoting Microsoft, but this
1:12:50
is wrong. Data can
1:12:52
be accessed remotely. This
1:12:55
is what the journalist was told
1:12:57
for some reason. And then he
1:12:59
has a snippet from the journalist
1:13:01
that says, that's
1:13:03
what Microsoft told me, that attackers
1:13:05
would have to get
1:13:08
1:13:10
physical access to your laptop and
1:13:13
sign into it to get hold
1:13:15
of the screenshots. Kevin
1:13:17
says, not true. The
1:13:21
questioner says, Microsoft say that
1:13:25
only that user can access the data. Kevin,
1:13:27
that is not true. I can demonstrate another
1:13:34
user account on the same device
1:13:37
accessing the database. Okay,
1:13:40
the question. So how does this work? Kevin
1:13:43
answers every few seconds, screenshots
1:13:46
are taken. These are automatically
1:13:49
OCR'd by Azure AI
1:13:52
running on your device and
1:13:54
written into a SQLite database
1:13:56
in the user's folder. The file
1:14:00
has a record of everything you've
1:14:02
ever viewed on your PC in
1:14:04
plain text. OCR is
1:14:07
a process of looking at an image
1:14:09
and extracting the letters. Question.
1:14:12
What does the database look like? And
1:14:14
Kevin shows some screenshots like those that
1:14:16
we saw last week. Just looking like,
1:14:19
you know, a SQLite database with rows
1:14:21
and columns, recognizable file name. Question.
1:14:24
How do you obtain the database
1:14:26
files? Answer. They're just
1:14:28
files in AppData in
1:14:30
the new CoreAIPlatform
1:14:33
folder. But
1:14:35
it's highly encrypted and nobody can
1:14:37
access them, right? Here's
1:14:40
a few seconds of video of
1:14:43
two Microsoft engineers accessing the folder.
1:14:46
And then Kevin quotes an earlier
1:14:48
Mastodon post of his at cyberplace.social
1:14:51
where he notes that the
1:14:53
Risky Business episode on Recall
1:14:55
is good, but with one
1:14:57
small correction. Recall
1:14:59
does not need system rights.
1:15:02
He notes that since it's just
1:15:04
a SQLite database, it is trivial
1:15:07
to access. And
1:15:09
he finishes by saying, I'm
1:15:11
not being hyperbolic. When
1:15:14
I say this is the
1:15:16
dumbest cybersecurity move in a
1:15:18
decade. Good luck
1:15:20
to my parents safely using their
1:15:23
PC. Questioner
1:15:26
but normal users don't run
1:15:28
as admins. Answer
1:15:30
according to Microsoft's own website in
1:15:32
their recall roll out page. They
1:15:35
do. And then he has
1:15:37
a snippet where it from
1:15:39
microsoft.com where it says making
1:15:41
admin users more secure. Most
1:15:45
people says Microsoft run as
1:15:47
full admins on their devices,
1:15:49
which means dot dot dot.
1:15:52
So Kevin says, in fact, you
1:15:54
don't even need to be an
1:15:56
admin to read the database more
1:15:59
on that in a second, in a later blog. Question,
1:16:02
but a UAC prompt appeared
1:16:04
in that video. That's
1:16:06
a security boundary. Kevin
1:16:09
replies, according to Microsoft's
1:16:11
own website and MSRC,
1:16:14
UAC is not a
1:16:16
security boundary. And
1:16:18
he quotes Microsoft saying
1:16:21
more important, same desktop
1:16:23
elevation in UAC
1:16:25
is not a security
1:16:28
boundary and can be
1:16:30
hijacked by unprivileged software that runs
1:16:32
on the same desktop. Same
1:16:35
desktop elevation should be considered
1:16:38
a convenience feature. So
1:16:40
now Microsoft is saying, oh, well, you
1:16:42
know, that's just for convenience. So
1:16:45
the questioner asks, so where's
1:16:48
the security here? Answer,
1:16:51
they've tried to do a bunch of things,
1:16:53
but none of it actually works properly in
1:12:56
the real world, due to gaps you
1:12:58
can fly a plane through. Question,
1:17:02
does it automatically not
1:17:04
screenshot and OCR things
1:17:06
like financial information? No.
1:17:10
We know that it does. How large is
1:17:12
the database? Kevin says,
1:17:14
and here was one of the first
1:17:16
ahas that hit me. Kevin
1:17:18
says, it compresses well. Several
1:17:22
days working is
1:17:25
around 90 KB,
1:17:27
nine zero kilobytes for
1:17:30
several days of work. He
1:17:33
said, you can exfiltrate several months
1:17:35
of documents and key presses in
1:17:37
the space of a few seconds
1:17:40
with an average broadband connection. Question
1:17:44
how fast is search? He says,
1:17:46
on device is really fast. And
1:17:49
have you exfiltrated your own recall
1:17:51
database? Yes. I
1:17:54
have automated exfiltration and
1:17:57
made a website where you can upload a
1:17:59
database and instantly search it. I
1:18:02
am deliberately holding back technical
1:18:04
details until Microsoft ship the
1:18:07
feature as I want to give them time
1:18:09
to do something. He
1:18:11
said, I actually have a whole bunch of things to
1:18:13
show and I think the wider
1:18:16
cyber community will have so much
1:18:18
fun with this once it's generally
1:18:20
available. But I also
1:18:22
think that's really sad as
1:18:24
real world harm will ensue. So
1:18:28
question is what kind of things are in the database?
1:18:32
Everything a user has ever seen,
1:18:35
organized by application, every
1:18:38
bit of text the user has seen.
1:18:40
With some minor exceptions, he says
1:18:43
for example Microsoft Edge in private
1:18:45
mode is excluded but Google Chrome
1:18:47
isn't. He said
1:18:49
every user interaction and for
1:18:51
example minimizing a window, there
1:18:53
is an API for user
1:18:56
activity and third party apps
1:18:58
can plug in to enrich
1:19:00
data and also view stored
1:19:02
data. Well that's news
1:19:04
and interesting. He
1:19:06
says it also stores all websites
1:19:09
you visit even if third
1:19:11
party. Question
1:19:13
if I delete an email,
1:19:16
WhatsApp, Signal, Teams message is
1:19:18
it deleted from recall? Nope,
1:19:21
it stays in the database indefinitely.
1:19:25
Question are auto deleting messages and messaging
1:19:27
apps removed from recall? Nope,
1:19:30
they are scraped by recall and
1:19:32
available. But if a
1:19:35
hacker gains access to run code on your
1:19:37
PC, it's already game over. Kevin
1:19:41
says if you run something like an info
1:19:43
stealer, at present they
1:19:45
will automatically scrape things like
1:19:47
credential stores. At
1:19:49
scale, hackers scrape rather than touch
1:19:52
every victim because there are so
1:19:54
many and resell
1:19:56
them in online marketplaces.
1:20:00
Recall enables threat actors to automate
1:20:02
scraping everything you've ever
1:20:04
looked at within seconds. While
1:20:07
testing this with an
1:20:09
off-the-shelf info-stealer, he said,
1:20:12
I used Microsoft Defender for
1:20:15
Endpoint, which detected the
1:20:17
off-the-shelf info-stealer. But
1:20:20
by the time the automated remediation
1:20:23
kicked in, which took over 10
1:20:25
minutes, he notes, my
1:20:27
recall data was already long
1:20:29
gone. Question,
1:20:32
does this enable mass data
1:20:34
breaches of websites? Yes.
1:20:37
The next time you see a major
1:20:39
data breach where a customer data
1:20:41
is clearly visible in the breach,
1:20:44
you're going to presume the company who
1:20:46
processes the data is at fault, right?
1:20:49
But if people have used a
1:20:51
Windows device with recall to
1:20:54
access the service app, whatever,
1:20:57
hackers can see everything that
1:21:03
the people offering
1:21:05
the service have seen, he said,
1:21:07
and assemble data dumps without the
1:21:10
company who runs the service even
1:21:12
being aware. The
1:21:14
data is already consistently structured
1:21:17
in the recall database for
1:21:19
attackers. So prepare
1:21:22
for AI-powered super breaches.
1:21:25
Currently, credential marketplaces exist where
1:21:27
you can buy stolen passwords.
1:21:30
Soon, you will be able to
1:21:32
buy stolen customer data from insurance
1:21:34
companies, et cetera, because
1:21:36
all code required to do this
1:21:39
has been pre-installed and enabled on
1:21:41
Windows by Microsoft. So
1:21:45
did Microsoft mislead the BBC
1:21:48
about the security of Copilot? Yes.
1:21:52
Have Microsoft misled customers about
1:21:54
the security of Copilot? Yes.
1:21:58
For example, he says, they describe
1:22:00
it as an optional experience, but
1:22:03
it is enabled by default,
1:22:06
and people can optionally disable
1:22:08
it. That's, Kevin
1:22:11
says, wordsmithing. Microsoft
1:22:13
CEO referred to screenshots in
1:22:16
an interview about the product,
1:22:18
but the product itself only
1:22:20
refers to snapshots. A
1:22:22
snapshot is actually a screenshot. It's
1:22:25
again, wordsmithing for whatever reason.
1:22:28
Microsoft just need to be super clear
1:22:30
about what this is so customers
1:22:33
can make an informed choice.
1:22:35
Of course, I need
1:22:37
to note here that the tyranny
1:22:39
of the default will be at work. We
1:22:42
know that whatever is the default
1:22:44
setting is what 99.99% of
1:22:46
all Windows users will leave active. I don't know
1:22:53
if any of you have seen people
1:22:55
using Windows computers, but for some reason
1:22:57
they always leave those stickers all over
1:22:59
the keyboard. I can't
1:23:02
believe it. It's like you realize the computer
1:23:04
will still work if you peel those stickers
1:23:06
off the keyboard. You don't need to be
1:23:09
advertising the crap that
1:23:11
came from the manufacturer. Anyway, the tyranny of
1:23:13
the default. So,
1:23:15
question. Recall only applies
1:23:18
to one hardware device. Kevin
1:23:21
replies that's not true. There are
1:23:23
currently 10 Copilot
1:23:25
Plus devices available to
1:23:27
order right now from
1:23:29
every major manufacturer. Additionally,
1:23:32
Microsoft's website says they're working
1:23:34
on support for AMD and
1:23:37
Intel chipsets. Recall
1:23:39
is coming to Windows
1:23:41
11. How
1:23:43
do I disable Recall? In
1:23:46
initial device setup for compatible Copilot
1:23:48
Plus devices out of the box,
1:23:51
you have to click through options
1:23:53
to disable Recall. In enterprise, you
1:23:56
have to turn off Recall as
1:23:58
it is enabled by default. What are
1:24:02
the privacy implications? Isn't this
1:24:04
against GDPR? Kevin
1:24:07
replies, I'm not a privacy person
1:24:09
or a legal person. I
1:24:11
will say that privacy people I
1:24:13
have talked to are extremely worried
1:24:16
about the impacts on households in
1:24:18
domestic abuse situations and such. Obviously,
1:24:21
from a corporate point of view,
1:24:24
organizations should absolutely consider the
1:24:26
risk of processing customer data
1:24:28
like this. Microsoft
1:24:30
won't be held responsible as the
1:24:33
data processor as it is done
1:24:35
at the edge on your devices.
1:24:38
You are responsible here. The
1:24:42
question, are Microsoft a big evil
1:24:44
company? Kevin, no.
1:24:46
Hell, yes. That's insane. That's
1:24:50
insanely reductive. He says they
1:24:53
are super smart people and
1:24:55
sometimes super smart people make
1:24:57
mistakes. What matters is
1:24:59
what they do with knowledge of
1:25:01
mistakes. So the
1:25:04
question, aren't you the former employee
1:25:06
who hates Microsoft? Kevin
1:25:08
says no. I just wrote a
1:25:10
blog this month praising them. It
1:25:13
was breaking down Microsoft's pivot
1:25:15
to placing cybersecurity as a
1:25:17
top priority. My thoughts
1:25:20
on Microsoft's last chance saloon
1:25:22
moment on security. So
1:25:26
we have a couple, just two more.
1:25:29
Question, is this really as
1:25:32
harmful as you think? Answer,
1:25:35
go to your parents' house, your
1:25:37
grandparents' house, etc. And
1:25:39
look at their Windows PC. Look
1:25:41
at the installed software in the past
1:25:44
year. Try to use
1:25:46
their device. Run some
1:25:48
AV scans. There's no
1:25:50
way this implementation does not
1:25:53
end in tears. There's
1:25:56
a reason there's a trillion-dollar
1:25:58
security industry, and that
1:26:00
most problems revolve around malware
1:26:02
and endpoints. What
1:26:05
should Microsoft do? Answer, in
1:26:09
my opinion, they should recall,
1:26:11
recall, and rework it
1:26:14
to be the feature it deserves to
1:26:16
be, delivered at a later date.
1:26:19
They also need to review
1:26:21
the internal decision-making that led
1:26:23
to this situation. He
1:26:26
says this kind of thing should not happen.
1:26:29
Earlier this month, Microsoft CEO
1:26:32
emailed all their staff saying,
1:26:35
if you're faced with the
1:26:38
trade-off between security and another
1:26:40
priority, your answer is
1:26:42
clear, do security.
1:26:45
He said we will find out if he
1:26:48
was serious about that email. They
1:26:50
need to eat some humble pie and
1:26:52
just take the hit now, or
1:26:55
risk customer trust in their
1:26:57
co-pilot and security brands. Frankly,
1:27:00
few, if any,
1:27:03
customers are going to
1:27:05
cry about recall not being
1:27:07
immediately available, but they
1:27:10
are absolutely going to be
1:27:12
seriously concerned if Microsoft's reaction
1:27:14
is to do nothing, ship
1:27:17
the product, slightly tinker,
1:27:19
or try to wordsmith around the
1:27:21
problem in the media. It's
1:27:25
like a great piece. I read it and
1:27:27
I was very impressed. He
1:27:30
makes a strong case. The one thing
1:27:32
that's a question mark, a lot of the things he
1:27:34
described sounded like you had to be on the physical
1:27:36
PC, but he says you don't. Malware
1:27:39
would be able to escalate
1:27:41
the UAC and do
1:27:43
all those things, look across accounts, all that
1:27:45
stuff. The real
1:27:47
issue is if malware gets in your system, they've
1:27:51
got access to everything you've done. There
1:27:54
is now much more that it has
1:27:56
access to. Let's take our final
1:27:58
break and then I'm going to talk about what
1:28:00
I think is really going on. Why
1:28:03
would Microsoft do all this? Yep.
1:28:06
What's the plan here? I think
1:28:09
there is one. Well first let's
1:28:11
talk about our sponsor Melissa then we'll get to
1:28:13
the plan. The final
1:28:15
piece of the puzzle is gonna
1:28:17
fall into place with Inspector Gibson
1:28:19
in just a bit. But first
1:28:21
a word from Melissa, the data
1:28:23
quality experts. They've been doing this since
1:28:25
1985. That's a long time. In that
1:28:31
time Melissa has helped over 10,000 businesses
1:28:33
worldwide harness accurate
1:28:35
data with their industry-leading
1:28:38
solutions. They've processed over 1
1:28:40
trillion address, email, name
1:28:42
and phone records. And the chances are you've
1:28:44
probably used Melissa as an end-user on
1:28:46
many sites. And that's
1:28:48
a good thing. Melissa eliminates
1:28:51
mistakes in email and addresses
1:28:53
and phone numbers because of
1:28:55
fumble-fingered data entry by the
1:28:57
end-user or by your customer
1:28:59
service rep. They can enhance
1:29:01
the data you already have to give you
1:29:03
valuable additional information. And now
1:29:06
Melissa has introduced the Melissa
1:29:08
Marketplace. A great place
1:29:10
to explore a revolutionary data
1:29:12
ecosystem. Everything Melissa offers premium
1:29:14
tools and services for technology
1:29:16
and business users alike. The
1:29:19
apps and services include business mailing
1:29:21
lists and sales leads where you
1:29:23
can maximize your direct marketing, telemarketing
1:29:25
and email outreach efforts with
1:29:28
quality business email lists, mailing
1:29:30
lists and sales. Global address
1:29:33
database that contains accurate and
1:29:35
detailed information on every address.
1:29:39
ZIP Star data. This saves you
1:29:41
time and improves data entry by instantly
1:29:43
verifying a five digit zip code at
1:29:45
the point of entry. That's
1:29:47
just the beginning. There's many tools in
1:29:49
this Melissa Marketplace. Their Global
1:29:51
Bureau services are ideal for enterprise
1:29:54
businesses looking for a trusted data
1:29:56
service provider. Melissa will help
1:29:58
you clean and verify existing customer records. That's
1:30:00
a big deal. They go bad rapidly over
1:30:03
time. People move, phone numbers change,
1:30:06
emails change. Melissa can clean
1:30:08
and verify it. They'll eliminate duplicate
1:30:10
customer records. That's great for a
1:30:12
single customer view, eliminating duplicate mailings,
1:30:15
helping you focus on the one
1:30:17
and only true customer. You
1:30:19
can run Melissa any way you want it on-prem,
1:30:21
in the cloud, as a SaaS app. There's an
1:30:24
API you can add to your own apps. They
1:30:26
even have that great lookups app on
1:30:28
iOS and Android. It's free to let you
1:30:31
play with Melissa. It's not
1:30:33
fully playful. I mean you can actually use
1:30:35
it to validate phone numbers and email addresses
1:30:37
and all of that. Melissa's got
1:30:39
99.99% uptime. You can add rooftop geocodes,
1:30:44
country codes, demographics, really
1:30:47
enhance the existing contact
1:30:50
point. Melissa's services, of
1:30:52
course, make sure your data is
1:30:54
completely safe. They use secure
1:30:57
encryption for all file transfers and
1:30:59
an information ecosystem built on the ISO
1:31:02
27001 framework. They also adhere
1:31:04
to GDPR policies and they
1:31:06
maintain SOC 2 compliance. I
1:31:09
mean I can go on and on. You
1:31:11
need this. You got to have it. If
1:31:13
you're in business, you've got address records, you've
1:31:15
got customer databases, supplier databases, you need to
1:31:17
make sure they're up-to-date with Melissa. You
1:31:19
can get started today. 1000 records clean
1:31:22
for free. melissa.com/twit.
1:31:24
That's M-E-L-I-S-S-A.
1:31:27
melissa.com slash
1:31:30
twit. Alright, Steve,
1:31:32
you've set us up well. Obviously, this is
1:31:34
a bad idea, but
1:31:38
Microsoft is going full speed ahead
1:31:40
with it. Why? Okay, so we
1:31:43
now know that Microsoft
1:31:45
currently plans to enable this
1:31:47
whole PC history
1:31:49
recording by default. They
1:31:52
also know that unless Windows ships with it
1:31:55
enabled and running, no one will use it.
1:31:58
So they want to blow everyone's mind
1:32:01
by AI-enabling Windows
1:32:03
PCs somehow. And
1:32:05
this is what they've come up with. I doubt
1:32:08
there's an informed security-minded
1:32:10
technologist anywhere who doesn't
1:32:13
think this is a very bad idea yet
1:32:15
until we learn otherwise this is
1:32:17
exactly what Microsoft intends to do.
1:32:20
Now I have to say I have
1:32:23
some personal experience with
1:32:25
endeavoring and failing to get
1:32:28
Microsoft to change its plans.
1:32:30
Can anybody say raw sockets?
1:32:36
Before their release of Windows XP
1:32:38
which grew out of Windows 2000,
1:32:41
I tried to keep Microsoft
1:32:43
from shipping XP with the
1:32:46
totally unnecessary access to raw
1:32:48
sockets available to the operating
1:32:51
system's client software. They
1:32:53
ignored me until the MSBlast
1:32:56
worm would have taken them
1:32:58
off the internet had
1:33:00
it not been targeted at the wrong
1:33:02
domain. After that near
1:33:05
death brush with being attacked by
1:33:07
an entirely unnecessary feature
1:33:09
of their own operating system, XP's
1:33:12
service pack 3 removed unprivileged
1:33:16
access to raw sockets and
1:33:18
no one cared. The fact
1:33:21
that no one cared demonstrated that
1:33:23
the unnecessary feature should have never
1:33:25
been present in a consumer OS.
1:33:28
Raw sockets never came back because
1:33:31
they just begged to be abused.
1:33:33
Okay now I learned my experience from that
1:33:36
or I learned my lesson from that experience. I have
1:33:39
no interest in lobbying Microsoft to
1:33:41
change its behavior. You know Microsoft
1:33:43
is like Godzilla. It does whatever
1:33:45
it wants to do all anyone
1:33:47
can do is stay out of
1:33:49
its way. But what's
1:33:52
so odd about this moment where we
1:33:54
find ourselves is that they
1:33:56
have just made all this noise
1:33:58
about how security is
1:34:01
now job number one, and
1:34:04
Kevin quoted Satya Nadella saying, if you're
1:34:06
faced with a trade-off between security
1:34:09
and another priority, your answer
1:34:11
is clear. Do security.
1:34:15
Except they're not. The
1:34:18
entire security industry is
1:34:20
jumping up and down, waving
1:34:22
their arms, saying, don't do it,
1:34:25
exactly as I once did
1:34:28
before with XP, yet Microsoft
1:34:30
is certain that they know
1:34:32
better. Now, it's
1:34:35
interesting that Kevin believes
1:34:37
that the screen is being OCR'd. I
1:34:40
strongly doubt that's actually the case,
1:34:43
at least not unless an
1:34:46
actual JPEG or PNG style
1:34:48
graphic image is being displayed,
1:34:51
in which case OCR-ing the image would be
1:34:53
the only choice. As I
1:34:55
noted last week, hooking into
1:34:57
the Windows API that
1:34:59
paints text onto the screen would
1:35:02
be far more efficient. Behind
1:35:06
every character glyph, what we
1:35:08
see on the screen is
1:35:10
a 16-bit Unicode character
1:35:12
which was rendered through a
1:35:15
chosen font and turned into
1:35:17
ClearType, colorized pixel text. There's
1:35:21
just no reason to look at
1:35:23
the pixels of a screen that
1:35:25
was just rendered from Unicode and
1:35:27
try to determine which characters they
1:35:30
are. So my assumption
1:35:32
would be that the
1:35:34
textual output graphic
1:35:37
API is being
1:35:39
hooked and intercepted by recall.
1:35:43
It was also very interesting to learn
1:35:46
how economical recall's
1:35:48
storage is. This
1:35:51
makes sense if it's
1:35:53
storing and compressing text, since
1:35:56
we know how much redundancy
1:35:58
exists in linguistic text. But
1:36:01
Kevin said that several
1:36:03
days worth of work
1:36:05
compresses to around 90
1:36:07
kilobytes of database storage.
1:36:11
If we take Kevin's several
1:36:13
days to mean two, then
1:36:16
that's around 45K
1:36:19
of storage required
1:36:21
per day. That
1:36:24
means that 50 gigabytes of storage
1:36:26
allocation consumed at the rate of
1:36:28
45K per day would yield
1:36:31
3042 years worth of storage. I'm
1:36:38
sure we'll learn more going forward,
1:36:40
but I don't think Recall will
1:36:42
be storing the past 90
1:36:45
days of a PC's use. It
1:36:48
appears that it will always be recording
1:36:50
the PC's entire life of use. That's
1:36:57
why the title of Kevin's second post makes
1:36:59
far more sense. His title
1:37:01
began stealing everything you've
1:37:03
ever typed or viewed
1:37:06
on your own Windows PC. And
1:37:09
I think that's exactly what Microsoft is
1:37:11
actually planning to do. If
1:37:14
they're able to capture and compress all
1:37:16
the text displayed on Windows 11 screens
1:37:19
and given the explosion in
1:37:22
local mass storage capacity and
1:37:25
the efficiency of text compression, they
1:37:28
clearly have the storage capacity
1:37:30
to capture everything
1:37:33
for all time. And
1:37:36
this brings us to the title I
1:37:38
gave today's podcast, A
1:37:40
Large Language Model in Every Pot.
1:37:44
Why would Microsoft want
1:37:46
to be capturing every
1:37:48
single thing a user types
1:37:50
and views on their own
1:37:53
PC throughout its entire lifetime
1:37:55
of use? I
1:37:58
have a theory. Microsoft
1:38:00
wants to make a big splash in
1:38:02
AI. So
1:38:05
how about using all of
1:38:07
that data to train an
1:38:10
entirely personal, local,
1:38:14
large language model? What
1:38:17
if a future, local, large
1:38:19
language model was not
1:38:22
just used to index and search
1:38:24
your PC's history timeline, but
1:38:27
was continually being trained
1:38:29
across your entire corpus
1:38:31
of personal data so
1:38:34
that it would be possible
1:38:36
to conversationally interact with your
1:38:39
own personal AI that has
1:38:41
grown to know you intimately
1:38:44
because it's been watching and learning
1:38:47
everything you've been doing for years. It
1:38:51
would know, and I have "know" in air
1:38:53
quotes, everything you had
1:38:55
ever entered into
1:38:57
its keyboard and displayed on
1:38:59
its screen. The
1:39:01
entire history of that machine's
1:39:04
use would become an
1:39:06
ever-growing corpus that is continually
1:39:08
training the model. That
1:39:12
would completely and profoundly
1:39:15
forever alter a user's
1:39:18
interactive experience with their
1:39:20
PC. It would
1:39:22
be a true game changer. It
1:39:25
would be transformative of the
1:39:27
PC experience. And
1:39:29
if Microsoft has that up its sleeve,
1:39:32
I can see how and why
1:39:34
they would be super excited about
1:39:37
recall, even though recall
1:39:39
would be just the beginning. Even
1:39:43
if the local, large
1:39:46
language model technology is not
1:39:48
yet ready for delivery, the
1:39:51
time to begin capturing all
1:39:54
of a user's use of their machine
1:39:56
is as soon as
1:39:58
possible. That begins
1:40:00
creating the corpus that will be
1:40:03
used to train a future
1:40:05
personal, local, large
1:40:08
language model. If
1:40:10
this view of the future is correct, there
1:40:13
is one large and glaring
1:40:15
problem with this, which Kevin
1:40:17
highlights and which Microsoft is
1:40:19
conveniently ignoring, because they have
1:40:22
no choice but to ignore it. What
1:40:25
Microsoft must ignore is
1:40:28
that the actual security of
1:40:31
today's windows is a
1:40:33
catastrophe. Microsoft
1:40:35
has not been paying more
1:40:38
than begrudging and passing attention
1:40:40
to security while they have
1:40:42
been busily adding trivial new feature
1:40:44
after new feature and never getting
1:40:47
ahead of the game. Last
1:40:50
month's Patch Tuesday saw Microsoft
1:40:52
patching 61 newly
1:40:55
recognized vulnerabilities, 47
1:40:58
of them in Windows and
1:41:00
another 25 for anyone paying
1:41:02
for extended security updates. 44%
1:41:05
of those were remote code execution, 11% were information
1:41:07
disclosure and 28% were elevation of
1:41:14
privilege, none of which
1:41:16
suggests that Windows would be a
1:41:18
safe place to store the data
1:41:21
that will be used to drive
1:41:23
an entity that can be queried
1:41:25
about nearly any aspect of you
1:41:28
and your life which it has
1:41:30
observed throughout the entire history of
1:41:32
your use of that machine. If
1:41:36
this is indeed what Microsoft is
1:41:38
planning, and having voiced
1:41:40
it now, it's difficult to imagine
1:41:42
that it's not exactly what they
1:41:44
are planning, then this really is
1:41:46
a double-edged sword. The
1:41:49
world stumbled upon the startling
1:41:51
power of large language models,
1:41:54
which Microsoft just so happens to own a
1:41:56
big chunk of, and someone
1:41:58
inside Microsoft realized that
1:42:01
by leveraging the power of
1:42:04
next-generation neural processing units,
1:42:07
it would be possible to
1:42:09
train a local model on
1:42:11
the user's entire usage history
1:42:13
of their computer, and
1:42:16
that would create a personal
1:42:18
assistant of unprecedented scope and
1:42:20
power. I would
1:42:23
wager that today, the smarter
1:42:25
people within Microsoft are
1:42:27
wishing that more than anything
1:42:30
else, that instead
1:42:32
of screwing around with
1:42:34
endless unnecessary features and
1:42:37
new unwanted versions of Windows,
1:42:40
they had been taking the security
1:42:42
of their existing system seriously, because
1:42:45
if they had, they would
1:42:47
own a secure foundation and
1:42:51
would stand a far greater
1:42:53
chance of successfully protecting the
1:42:55
crown jewels of a user's
1:42:58
computer usage legacy. Instead,
1:43:01
what they have today is a Swiss
1:43:03
cheese operating system that is secure
1:43:05
only so long as
1:43:10
no one really cares what
1:43:12
its user has stored. Depending
1:43:15
upon who the user is, the data
1:43:18
that will be accumulated by
1:43:20
recall will represent a treasure
1:43:23
that is certain to dramatically
1:43:25
increase the pressure to penetrate
1:43:27
Windows. The entire professional
1:43:30
security community understands this,
1:43:33
which is why it's
1:43:35
going batshit over recall,
1:43:38
while Microsoft has no choice
1:43:40
other than to deny the
1:43:42
problem because they're desperate to
1:43:44
begin the data aggregation of
1:43:47
their users so that it
1:43:49
can be used to train
1:43:51
tomorrow's personal PC assistant AIs.
1:43:55
So Microsoft will declare, as they
1:43:58
always do, that Windows
1:44:00
is more secure than
1:44:02
it's ever been, even
1:44:04
though history always shows
1:44:07
us afterward that's never
1:44:09
been true. Microsoft
1:44:11
is going to have recall installed, running
1:44:14
and collecting its users' data
1:44:16
in all forthcoming qualifying co-pilot
1:44:18
plus Windows 11 PCs. And
1:44:22
don't get me wrong, the idea
1:44:24
of being able
1:44:26
to ask a built-in
1:44:28
autonomous personal AI
1:44:31
assistant about absolutely
1:44:33
anything we've ever
1:44:35
typed into or seen on our
1:44:37
computer is intoxicatingly
1:44:40
powerful. For
1:44:42
many of us who live much
1:44:44
of our lives through our computers,
1:44:46
it would be like having a
1:44:48
neural link extension of our brain
1:44:50
with flawless perfect recall. But
1:44:53
it also represents a security
1:44:55
and privacy threat the likes
1:44:57
of which has never existed
1:44:59
before. When you
1:45:02
consider the amount of digital storage
1:45:04
that anyone can now easily own,
1:45:07
it seems pretty obvious that
1:45:09
this is going to happen sooner
1:45:11
or later. Unfortunately,
1:45:13
Microsoft has not proven itself
1:45:16
to be a trustworthy caretaker
1:45:19
of such information. Wow,
1:45:24
I think you're exactly right. That's almost
1:45:26
what they're proposing anyway, is you can
1:45:28
always query the machine about everything you've
1:45:31
done. Well, they're saying timeline. Yeah. You
1:45:33
can query a timeline. But
1:45:36
if this thing, if they're capturing text from the
1:45:38
screen, and Kevin saw 90 kilobytes was stored
1:45:43
after several days of use, that means
1:45:45
that 50 gig that they would
1:45:47
want to set aside, this is
1:45:49
not a 90 day rolling window, which
1:45:51
I thought last week, they're going to
1:45:54
store everything you ever do for your
1:45:56
entire life of your use of that
1:45:58
machine. In fact, you're
1:46:01
going to want that to be portable to
1:46:03
the next machine you move to, so that
1:46:06
you're able to take
1:46:08
that accrued data with you from
1:46:13
three years from now when you need to
1:46:15
buy a new Windows 13 machine.
1:46:19
It could be secured, right? You
1:46:21
could do this right, couldn't you? Yes.
1:46:25
And what they're doing, I
1:46:27
think you could. I mean,
1:46:29
you would need new hardware
1:46:31
because you need some sort
1:46:33
of the equivalent of an
1:46:36
HSM. Basically, you'd want this
1:46:38
super-Jeeves to be in its
1:46:40
own enclave that
1:46:43
could not be exfiltrated
1:46:45
from where data goes
1:46:47
in and nothing comes
1:46:49
out. But
1:46:52
imagine that, Leo. It would be compelling
1:46:54
to be able to
1:46:56
ask your computer anything
1:46:58
that you ever did with it. I'm well
1:47:00
aware of that. That's perfect
1:47:02
recall. Yeah, the end game
1:47:05
for all of this. I've even
1:47:07
referred back. And you've been talking
1:47:09
about your own local smaller corpuses
1:47:11
or corpi and how useful that
1:47:13
is. Right. And
1:47:15
I've talked about the founder of DEC, not
1:47:18
the founder, one of the designers of DEC who
1:47:20
just passed away recently, Gordon Bell, who had the
1:47:22
same idea. He had a camera around his neck.
1:47:24
He wanted to record everything he
1:47:26
ever did. This is even before
1:47:28
we had these powerful LLMs. And
1:47:31
the storage capacity to record our
1:47:33
life. Right. Well,
1:47:35
the issue always was. And with Gordon's database, he
1:47:37
says, well, okay, I got it. What do I
1:47:40
do with it? I can't, in any reasonable way,
1:47:42
parse it. Well, now we can. And
1:47:45
so I'm very interested. I ordered
1:47:48
the Limitless pin, which records all our conversations.
1:47:50
The idea of the same thing being
1:47:53
to allow you to query that. You know, what did I
1:47:55
say to Steve? I
1:47:58
think this is the single most useful, persuasive
1:48:01
use of AI as an
1:48:03
assistant that knows everything about you.
1:48:05
But boy that process is some big
1:48:07
problems. It's almost as if we need an
1:48:09
initiative to create a way.
1:48:12
It also solves other problems because data privacy
1:48:14
is a huge issue. We need a way
1:48:16
to something that you can...
1:48:20
Stacey Higginbotham used to call it the blob.
1:48:22
A place where you could securely
1:48:24
store all your data for your own
1:48:27
personal use. Not so that other
1:48:29
people could invade your privacy but for your own
1:48:31
personal use and this is the best possible use.
1:48:33
So I think we're on the right
1:48:35
track. I think this Microsoft implementation could kill it
1:48:37
in its tracks. It could
1:48:39
actually have it... this is what worries me is people
1:48:42
are moving so fast with so little
1:48:44
regard for safety that they could have
1:48:47
the opposite effect. They could get people
1:48:49
so scared about their security and privacy
1:48:51
that they give up entirely on AI.
1:48:54
And they're frankly lying about
1:48:56
the security. They're misrepresenting it,
1:48:58
yes. Yes, I mean all
1:49:00
this is is some files
1:49:02
under the user's app directory.
1:49:04
This is not some hocus
1:49:06
pocus and so everybody knows
1:49:08
how to exfiltrate files. Kevin
1:49:10
did it. There's now a
1:49:12
GitHub project that is able
1:49:15
to display all your recall data.
1:49:17
Well I'm glad that he published this paper.
1:49:19
I'm glad you did this show because up
1:49:22
to now the press not knowing any better
1:49:25
and I include myself. We've repeated Microsoft's assertions
1:49:27
that well it's all on device, it's all
1:49:29
local, it's all safe, it's encrypted, it's only
1:49:31
available to you. I have
1:49:34
always pointed out in the past that
1:49:36
it's only encrypted as long as you don't
1:49:38
log in. This is the second part of
1:49:40
that. Once you're logged in it's decrypted and
1:49:42
then available to any malware on your system.
1:49:45
Yeah, I think people will... I hope the
1:49:48
press will start to come around and say hey wait a
1:49:50
minute this isn't as secure as you said it was. Well
1:49:52
our listeners are preemptively
1:49:54
protected, right? I mean they're
1:49:57
gonna turn this off. Like
1:49:59
that. Unfortunately... there's no
1:50:01
reach. Well, there's minimal reach, but
1:50:03
there's a bazillion Windows 10 or
1:50:05
Windows 11 users, and
1:50:07
they're going to think, hey, this is cool. I get,
1:50:10
you know, I can scroll back in history.
1:50:13
And this is Microsoft getting ready
1:50:15
for something that comes next. Yeah,
1:50:18
I agree. You know, Apple has a
1:50:21
solution called Timeline. It's a backup
1:50:23
solution that keeps everything you do
1:50:25
in a Timeline database of vault
1:50:27
hard links to every version of
1:50:29
every document. So they're kind
1:50:32
of doing something similar. Nobody's
1:50:35
ever questioned the usefulness or
1:50:38
the security of it. I
1:50:41
don't know how different it is, but, you know,
1:50:44
this is a problem. This really is a problem. Steve's
1:50:47
done it again, hasn't he, kids? This is why
1:50:49
we wait for Tuesday with bated breath. Steve
1:50:52
is the man in charge of
1:50:54
grc.com, the Gibson Research
1:50:57
Corporation.com, and
1:50:59
it is the place you can email him. Now, what should
1:51:01
they do again? They email? So
1:51:06
first, you need to register. Otherwise,
1:51:08
your email will not get through.
1:51:10
Right. So just go to grc.com/mail.
1:51:12
OK, there you go. And there's
1:51:14
a form there. You
1:51:16
put the email address from which your
1:51:18
mail is sent, which, you
1:51:20
know, for people who are fronted by Gmail,
1:51:23
it's actually their real Gmail address,
1:51:26
even though people see a domain
1:51:29
alias. Right. But so you
1:51:31
enter that. I send you
1:51:33
a confirmation link, which
1:51:36
you then click on or copy and paste
1:51:38
into your browser. And that takes
1:51:40
you to a subscription page. And that's all there
1:51:42
is to it. You don't even need to subscribe.
1:51:44
You can leave everything blank and just say, you
1:51:47
know, update. And
1:51:49
then then that email address
1:51:51
is registered. So email
1:51:53
written to securitynow@grc.com
1:51:55
flows right to me.
1:51:58
Perfect. While
1:52:01
you're there, you can pick up a copy
1:52:04
of SpinRite, the world's best mass storage performance
1:52:06
maintenance and recovery utility. 6.1 is
1:52:08
current. Get it. You
1:52:11
need it. If you've got mass storage, whether it's a
1:52:13
spinning hard drive or a solid-state drive, SpinRite
1:52:15
is the tool you have been waiting for.
1:52:18
You should also go there to get a copy
1:52:21
of the podcast. Steve has two unique versions. He's,
1:52:23
of course, got the 64-kilobit audio. We both have
1:52:25
that. He has, unique
1:52:27
to his version, the 16-kilobit
1:52:30
audio for bandwidth-impaired folks. He
1:52:32
also has transcripts written by
1:52:34
Elaine Farris. They're human-written, no
1:52:36
AI in this. They're
1:52:38
good. They're useful, good for
1:52:41
searching, good for reading along as
1:52:43
you listen, grc.com. At
1:52:45
twit.tv/sn, we have
1:52:47
both audio and 64-kilobit audio
1:52:50
and video, I should say, so
1:52:52
you can watch or listen, your choice. All
1:52:55
the shows are there going all the way back to 977 episodes. That's
1:53:00
at twit.tv/sn. There's
1:53:02
also a YouTube channel with video from all
1:53:04
of our more recent shows. By
1:53:07
recent, I mean the last 10, 20 years, something
1:53:09
like that. Or
1:53:11
you can subscribe in your favorite podcast
1:53:14
player and start adding to
1:53:16
your collection today. Just
1:53:18
subscribe to Security Now. Every podcast
1:53:20
player should have it. We've been
1:53:22
around forever. Audio
1:53:24
or video, your choice. If you
1:53:26
want to watch us do it live, get the very
1:53:28
freshest version, you can. We stream it
1:53:30
live on YouTube, youtube.com/twit/live.
1:53:33
1:53:36
We start it the minute we turn on the show,
1:53:38
not the cameras, but the show, and end
1:53:40
it the minute we end the show. If
1:53:43
you want to watch what's happening before and after in
1:53:46
our little chit chat and so forth for all the
1:53:48
shows, join the club. That's one
1:53:50
of the many benefits, ad-free versions. You
1:53:53
get the discord where you can chat
1:53:55
with other intelligent, interesting people in the
1:53:57
club, 12,000 strong. You
1:54:00
can also watch
1:54:03
some shows that you can only listen to
1:54:05
in public. Things like Hands-On Macintosh, Hands-On
1:54:07
Windows, The Untitled Linux Show, Scott
1:54:12
Wilkinson's Home Theater Geeks. We
1:54:14
have special events. On June
1:54:16
19th, Micah kicks off his
1:54:19
crafting corner every third
1:54:21
Wednesday of the month. He's
1:54:24
going to get together and do some crafts and
1:54:26
you can talk to him. I'm going to do
1:54:28
some stuff club only too. We've got the book
1:54:30
club. We've got a lot of great things going
1:54:32
on. The club is
1:54:34
a way to keep this on the
1:54:36
air. And that's just being frank. Without
1:54:38
your support, there is no security now.
1:54:40
There is no twit. You
1:54:43
would have to find something else
1:54:45
to listen to on a Tuesday
1:54:47
afternoon. So go to twit.tv/clubtwit and
1:54:49
join the club. Your support is
1:54:51
absolutely vital for us to
1:54:53
continue. It's a simple
1:54:55
set. Steve, have a great week.
1:54:58
We'll see you next time right here on Security Now. Thank
1:55:02
you, my friend. Until then, and
1:55:04
that'll be past Tuesday. I
1:55:08
had a fabulous picture set up for that and I couldn't
1:55:10
find it. I see if I can... Talk
1:55:14
to you next week. Take
1:55:17
care.