Not So Fast - GPS Vulnerabilities, VPN Flaw

Released Wednesday, 8th May 2024

Episode Transcript

0:00

It's time for security now. Steve

0:02

Gibson is here. You'll talk about

0:04

GPS spoofing, how it works, what

0:06

one can do to avoid it.

0:09

You've all heard about that VPN

0:11

flaw that Ars Technica says makes

0:13

all VPN useless. Not so fast.

0:15

Steve explains why it is not

0:17

anything to panic about and then

0:19

speaking, I'm not so fast. Google

0:21

has stopped progress on abandoning third

0:24

party cookies. Steve now knows why.

0:26

He will explain all that a

0:28

whole lot more coming up. Next

0:30

Security Nasty. Room

0:33

I guess you love

0:35

from people you trust.

0:39

Was his tweet. This.

0:45

Is Security Now is Steve Gibson

0:47

episode Nine Hundred Seventy Three Recorded

0:49

Tuesday, May seventh. Twenty Twenty Four.

0:52

Not so fast. It's time for

0:54

Security. Now the show. We cover

0:56

the latest security and computer news

0:59

and privacy news. And of course

1:01

it was. I find Tv thrown

1:03

in with this guy right here.

1:06

Steve Gibson, the arbiter of all

1:08

that is good and kind L

1:10

as well. Go for that. Yeah,

1:13

Elo Leo. Although here yard the

1:15

beginning. Of May. And.

1:19

As I promised. I. Did have

1:21

some time. To. Dig into.

1:24

The. Issue that came up

1:26

actually two weeks ago. When.

1:29

In the middle of the show you said

1:31

hey, Google just. Change

1:35

their plans on third party cookies and I

1:37

said. But. Ah, Anyway,

1:39

so. We're going

1:42

to talk about that. The

1:44

today's episode is titled Not

1:46

So Fast. Which. You

1:48

know, As if that expression

1:50

not so fast there. which

1:54

is what the uk as they do google

1:57

but we're going to first look at what

1:59

danger is bruce presented by the world's current

2:02

and growing dependence upon GPS,

2:05

and why is that any concern, has

2:09

the sky fallen on all VPN

2:11

systems as the tech press has

2:13

been reporting since yesterday when a

2:16

blog post really went a little out

2:18

of control. I was really hoping, and

2:20

I wanted you to explain option 102

2:22

or whatever. Option 121. Yes,

2:26

I really want to move on. We'll know all about

2:28

that by the time we're done today. Thank you. Also,

2:31

a couple

2:33

questions more from our listeners, still

2:37

bogged down in what is arguably

2:39

a quagmire of network authentication options.

2:41

So I'm going to spend a

2:44

little more, continuing to come into

2:46

CRISPR focus for me, so I

2:48

figured let's spend a little more

2:50

time on what's going on there. Also

2:53

we may have an answer to what

2:55

Apple was doing with the iCloud

2:57

keychain deleting and what was going

2:59

on, something that absolutely makes sense,

3:02

so we're going to cover that.

3:05

And also, finally, as I

3:07

said, I invested

3:10

no little bit of time. You'll

3:14

hear the term bureaucracy used

3:18

more times probably than any large word

3:20

in this podcast

3:22

because, boy, I guess

3:26

any kingdom that's been around as long

3:28

as the United Kingdom has

3:31

continued to survive has also developed

3:34

quite a system of bureaucrats, and

3:36

they all want

3:38

to weigh in on Google's plans. So anyway,

3:40

I think another great podcast for our listeners

3:43

and a picture

3:46

of the week that's kind of a hoot too.

3:48

Oh, good. Always enjoy the pictures of the week.

3:51

Well, SecurityNow is ready to get underway. I

3:53

hope you are as well, boys and girls,

3:55

cats and kittens, club

3:57

members, and others. Now,

4:00

you club members, you don't have to hear this because

4:02

it's time for a commercial. Our

4:04

show today brought to you by, you

4:07

know the name, Melissa, the data quality

4:09

experts. Since 1985,

4:13

did you know Melissa's global

4:15

address verification and validation service,

4:18

I mean when they say global, they mean it, works

4:20

in 240, 240 plus countries and territories. I

4:24

didn't even know there were that many. Now,

4:27

why is that important? Well, no matter where

4:29

your business is located, now you can improve

4:31

deliverability worldwide, reduce costly

4:33

errors, you can boost your

4:35

address data accuracy everywhere, increase

4:38

delivery speed, boost ROI.

4:40

It is ultimately all about the return

4:42

on investment. That's why Melissa offer free

4:45

trials, sample codes, flexible

4:47

pricing. They know your bottom

4:49

line is important to you. They also

4:52

know your data is important to you.

4:54

And Melissa secures your data with the

4:56

highest quality standards. They are FedRAMP authorized.

4:59

Now, that's a huge deal. Of course, it doesn't

5:01

matter if you're not a government agency, but everybody

5:03

benefits from that security level. It's the best you

5:05

can get. All

5:08

Melissa users benefit from that also,

5:10

of course. Melissa's solutions and

5:12

services are GDPR and CCPA compliant.

5:14

They mean SOC 2 and HIPAA

5:16

high trust standards. So your information

5:18

is absolutely secure with Melissa. But

5:20

they can do so much with

5:22

it to really improve your

5:24

customer data. And better

5:27

customer data means a better bottom

5:29

line. Download the free Melissa

5:31

Lookups apps if you want to try it.

5:33

They're on iOS and Android. They're absolutely free.

5:35

Melissa Lookups with an S. You

5:38

don't even have to sign up. You can validate

5:40

addresses and personal identities in the US or Canada.

5:43

You can check global phone numbers, global IP

5:45

address information and more. It's really a handy

5:47

little tool. Get started today. 1000

5:50

Records Clean for free. Just to give you

5:52

a sample of what Melissa can do on-prem

5:54

in the cloud as a SaaS application. They

5:56

have an API so you can build it

5:58

in your own software. Go to

6:00

melissa.com/twit to know more.

6:04

Melissa, melissa.com/

6:08

twit. And we thank them so much for

6:10

the support of the good work, the important work

6:12

that Steve's doing right here at

6:14

Security Now. Well, the

6:16

important work will be appearing

6:19

shortly. Hey, this is

6:21

important work. Do not knock this work. Now

6:25

we have a picture, our picture of the

6:27

week, from somewhere looks like in the U.S.

6:31

Southwest. There's

6:33

no signs of any telephone poles

6:36

or structures, so we're kind of

6:38

out in the desert somewhere. And

6:42

so one of the things that people want

6:45

is they want their cell phones to

6:47

work out in the middle

6:49

of nowhere. And actually this is a problem

6:52

I have with many movies these days which

6:54

seem to forget that it's necessary to have

6:56

a cell tower not too

6:58

far away from where your

7:01

cellular device is in order

7:03

for it to get any connection. We

7:05

see people wandering out in the middle

7:08

of literally nowhere and they're on the

7:10

phone, unless the writers don't want

7:12

them to be, in which case they're holding the phone up,

7:15

scanning around, trying to find a signal. Well,

7:19

the way we solve the problem

7:21

of people wanting cell phone

7:23

coverage wherever they are, yet

7:25

nobody wanting to despoil the

7:27

landscape as a means of

7:29

providing it, is we come

7:31

up with stealth cell

7:34

phone towers. And

7:36

I'm not sure how truly

7:38

stealthful this is because it looks

7:41

a little square to be a

7:44

cactus. But I gave

7:46

this picture, they captioned, oh don't

7:49

mind us, we're just putting the lid

7:51

back on the cactus. Because

7:54

this is clearly a cell phone

7:56

tower cactus Which is meant

7:59

to... Don't read it

8:01

actually. if ya, it's got a little

8:03

extra. I wouldn't call

8:05

it arm off the side of the

8:07

cactus. Good looking, a little more to

8:10

make of whole thing, looking for more

8:12

tact the slightest As as said so

8:14

and actually you could see some cat

8:16

died in the neighborhood that look decidedly

8:18

less mechanical. They're not stay this way

8:20

all over Mexico, the city so are

8:22

of cactuses and I guess the southwest

8:25

as well. So be it are you

8:27

see it with a hundred others you

8:29

probably wouldn't look twice. Sexy.

8:31

However with sir it's certainly not Bruno

8:33

an eyesore looking like this thing would

8:35

look like at with the lid off

8:38

would I can see or because they

8:40

did it was a success at it.

8:42

At a crazy either billet is often

8:44

the crane is has is lifted the

8:46

yeah the lid off the cactus Anyway

8:49

I just got a kick out of

8:51

this just as and I I've seen

8:53

fake palm trees and I know that

8:55

here in on on the so called

8:57

the Sword now the famous four or

8:59

five in Southern California. Are

9:01

there are. Power. Lines

9:04

that run alongside the freeway

9:06

and. And. Every

9:08

like very often, there's a

9:11

big cluster of of of

9:13

cells. Equipment on these power

9:15

lines because it's a perfect place for

9:18

them to be. You know it's over,

9:20

there's already or I have a right

9:22

away there's saw ability to to to

9:24

run a service vehicle along the back

9:26

and and so forth and I many

9:28

many many moons ago it's back in

9:30

the spin Right actually was actress been

9:32

right to because I remember I was

9:34

working on Spin Right Three I built

9:36

a building. When. A lease.

9:39

So the a whole and I go

9:41

to a corporate headquarters. or twenty thousand

9:43

square feet, two stories and one point

9:45

so more my acres of land. That

9:47

so for now anyway. Ah, the cell.

9:50

Companies. came to me and

9:52

said hey ah this building is like

9:55

up on a point on a bluff

9:57

look at out over this valley you

10:00

can make some extra money by

10:03

letting us put some self things

10:06

along you know I'd like ringing along the edge

10:08

of your roof well you

10:10

know what my answer was you said

10:12

no answer you know this is a

10:14

beautiful building I'm not gonna have it

10:17

you know warts of self

10:19

crap all over that they're there now

10:22

Steve they are I

10:25

mentioned that because I drove by

10:28

not long ago you know looking

10:30

wistfully up at the building and

10:32

there it was just I don't

10:34

know I don't think you could

10:36

you could get more cell tower

10:38

crap around the perimeter of

10:40

this roof than there is there now

10:42

but not while I was in

10:44

control but immediately after I left

10:47

here anyway such

10:49

as the world you know and that's why I also have

10:51

no ads on my site I've Mark Thompson

10:53

made a case of what point he

10:55

said Steve there's something wrong

10:57

now with a website that doesn't have

11:00

a yeah what's wrong with you yeah

11:02

no thank you

11:06

anyway I wanted to

11:08

start off this week by sharing an important

11:12

piece of interesting news that's not

11:14

internet security related but is

11:16

nevertheless potentially quite a

11:18

big and serious issue in the

11:20

real world last

11:23

Thursday's headline and wired was

11:26

the dangerous rise in

11:28

GPS attacks with the

11:30

subhead thousands of planes and

11:32

ships are facing GPS jamming

11:34

and spoofing experts

11:37

are warning these attacks

11:39

could potentially impact critical

11:41

infrastructure communication networks and

11:44

more okay so I thought

11:46

that was interesting got my attention they

11:49

said the disruption to GPS services

11:51

started getting worse on Christmas

11:53

Day meaning at the end of 2023 planes and

11:55

ships moving around southern Sweden.

12:00

And Poland loss connectivity.

12:02

As. The radio signals were interfered with.

12:05

Since. Then the region

12:07

around the Baltic Sea,

12:09

including neighboring Germany, Finland,

12:12

Estonia, Latvia, and Lithuania

12:14

has faced persistent attacks

12:16

against GPS systems. Tens

12:19

of thousands of planes flying

12:21

in the region of reported

12:23

problems with their navigation systems

12:25

in recent months amid widespread

12:27

giant jamming attacks which make

12:29

GPS inoperable as the attacks

12:31

have grown. No. Surprise

12:34

to anyone. Russia. Has

12:36

increasingly been blamed with

12:38

open source researchers tracking

12:40

the source to Russian

12:42

regions such as Kaliningrad,

12:44

In. One instance, signals were

12:47

disrupted for forty seven hours

12:49

continuously. On. Monday murky

12:51

one of the most serious

12:53

incidents yet airlines thin Air

12:55

council it's flights to Tart

12:57

to Estonia for a month.

13:00

After GPS interference forced to have

13:02

it's planes to abort their landings

13:04

at the airport and turn around.

13:06

Part. About dependence on GPS apparently

13:09

uses can't land anymore without it.

13:12

The jamming in the Baltic region they

13:14

wrote which was first spotted an early

13:16

Twenty Twenty Two is just the tip

13:18

of the iceberg. In. Recent years,

13:20

there's been a rapid uptick

13:22

in attacks against GPS signals

13:24

and wider satellite navigation systems

13:27

known as GNSS

13:29

as jill generic satellite navigation

13:31

including those of Europe, China,

13:33

and Russia. The attacks could

13:35

jam signals, essentially forcing them

13:37

off line or spoof the

13:39

signals, making aircraft and ships

13:42

appear as false locations on

13:44

maps, which you can imagine

13:46

my be even more damaging

13:48

than just jamming outright. Beyond

13:51

the Baltics war zone areas around

13:53

Ukraine and the Middle East have

13:55

also seen sharp rises in GPS

13:57

disruptions including signal blocking then to

13:59

disrupt airborne attacks which actually as

14:01

will see lil bit later the

14:04

I think is is the did.

14:06

The. Actual goal of this? because of

14:08

that the degree to which drones

14:10

are now using GPS. Wired.

14:13

Wrote now government's tell com

14:15

and airline safety experts are

14:17

increasingly sounding the alarm about

14:20

the disruption have the potential

14:22

for major disasters. Foreign ministers

14:24

in Estonia, Latvia, and Lithuania

14:26

of all blamed Russia. For.

14:29

GPS issues in the Baltics this

14:31

week and said the threat should

14:33

be taken seriously. Jamie. Adamson,

14:35

the Chief of public affairs for

14:37

the Swedish Navy, told Wired quotes

14:39

It cannot be ruled out that

14:41

this jamming as a form of

14:43

a hybrid warfare. With. The

14:45

aim of creating uncertainty and

14:47

unrest. Of course, there

14:49

are concerns mostly for civilian

14:51

shipping and aviation that an

14:54

accident will occur, creating an

14:56

environmental disaster. There's. Also a

14:58

risk that ships and aircraft will

15:00

suspend their traffic to this area

15:03

and thereby effect global trade. Your.

15:05

Wagner. A spokesperson from Germany's

15:07

Federal Officer Information Security told

15:10

Wired a growing threat situation

15:12

must be expected in connection

15:14

with GPS jamming. Wagner.

15:17

Said there are technical ways to

15:19

reduce its impact. Officials and villain

15:21

say they've also seen an increase

15:24

in airline disruptions in and around

15:26

the country. And a spokesperson for

15:28

the International Telecommunication Union, a United

15:31

Nations agency, told Wired that the

15:33

number of jamming and spoofing incidents

15:35

have increased significantly. Over. The

15:37

past four years. And. Interfering with

15:40

radio signals is prohibited under the

15:42

I to Use rules. g. using.

15:45

Russia has slowed down by

15:47

a Nato agency the International

15:50

Telecommunication Union saying well, you

15:52

should be doing math. right?

15:55

Attacks against GPS and the

15:58

wider GNSS category. In

16:00

two forms. First, GPS jamming

16:02

overwhelms a radio signals that

16:04

make up GPS and make

16:07

the systems unusable. Second, spoofing

16:09

attacks, which actually are far

16:11

more sophisticated. Ten replaced the

16:13

original signal with a new

16:15

location Spoofed ships can, for

16:18

example, appear on maps as

16:20

if they're at inland airports,

16:22

and actually, that did happen

16:24

recently. Both types of interference

16:27

have increased in frequency disruptions

16:29

at least. At this stage

16:31

mostly impact planes flying at high

16:33

altitudes and ships. They can be

16:35

an open water not people's individual

16:38

Phones are other systems that rely

16:40

on GPS within the Baltic region.

16:43

Forty. Six thousand aircraft

16:45

showed potential signs of

16:47

jamming between August Twenty

16:49

Twenty Three and March

16:51

this year. According to

16:53

reports and data from

16:55

tracking service, GPSJam

16:57

Ben was Seagate. And.

16:59

An academic at the Zurich University

17:02

of Applied Sciences who also runs

17:04

a live GPS spoofing map there is

17:06

such a thing says there had

17:08

been an additional forty four thousand

17:11

spoofing incidents logged since the start

17:13

of this year. Earlier.

17:15

This month, more than fifteen

17:17

thousand planes earlier this month.

17:20

More. Than fifteen thousand planes

17:22

had their locations spoofed to

17:25

be rude Airport. According.

17:27

To data that Sergei shared

17:29

with Wired, more than ten

17:31

thousand were spoof to the

17:34

Cairo Airport, while more than

17:36

two thousand had their locations

17:38

showing in Yarrow Slavic Russia.

17:40

The data shows. Separate.

17:43

Analysis from Geospatial Intelligence Company

17:45

Geo Collect shared with Wired

17:48

showed that on April sixteenth,

17:50

around fifty five ships. Broadcasts.

17:53

Their location as being or

17:55

hover the main runway. At.

17:59

Us. Semper

18:02

All Paul International Airport in Crimea,

18:04

Ukraine. The airport is around ninety

18:06

miles inland from the Black Sea.

18:09

Words Believe the ships were actually

18:11

located. So yeah, it's no longer

18:13

possible to believe what GPS

18:15

is showing you. You need to

18:18

look out the window and see

18:20

where you actually are. Zoc

18:23

Clements, a graduate research assistant at

18:26

the University of Texas here in

18:28

Austin, said the biggest change in

18:30

the past six months is definitely

18:33

the amount of spoofing. As I

18:35

said, spoofing as far more sophisticated

18:38

and difficult than just jamming and

18:40

potentially far more dangerous. He said

18:42

for the first time, we're seeing

18:45

widespread disruptions in civil aviation, especially

18:47

in the Eastern Mediterranean, the Baltics

18:50

and the Middle East in prior

18:52

years. There were reports of spoofing

18:54

impact the marine vessels. But. Not

18:57

aviation. Clemens. Says there

18:59

appear to be three spoofers that can

19:01

be traced back to Russia. One.

19:03

Open Source Intelligence L is going

19:06

by the pseudonym Marcus Johnson has

19:08

located jamming in the Baltics. At

19:11

which and that which impacted the

19:13

finish airline this week. So that

19:16

was the one that that was

19:18

the causing them troubled to Kaliningrad

19:20

of and other Russian locations. Research

19:23

group has suggested disruption near Poland

19:25

impacted Russia's own GNSS system less

19:27

than others. Not surprisingly, Russia doesn't

19:30

want to hurt themselves. That is

19:32

one of. A. Disturb everybody

19:34

else. And. Russia

19:36

has a long history of interfering

19:39

with GPS signals are both was

19:41

in Us borders and internationally Russia's

19:43

embassy, not surprisingly, in the Uk.

19:46

Did. Not respond to a request for

19:48

comment. The. disruptions can

19:50

cause uncertainty and potential safety

19:53

issues for airline pilots and

19:55

their passengers doubt no kidding

19:57

a spokesperson for euro control

20:00

European Aviation Organization with more than

20:02

40 countries as members

20:04

says its analysis shows disruptions

20:07

are happening in the eastern

20:09

Mediterranean areas around Ukraine

20:11

and the Black Sea as well as the

20:13

Baltic states during one week in

20:15

March four

20:18

thousand three hundred and eighty

20:20

seven aircraft reported issues the

20:23

euro control spokesman says for the same

20:25

time last week there were 2646 flights

20:29

reporting problems the

20:32

euro control spokesman says planes

20:34

can fly safely without GNSS

20:37

but interference quote puts

20:39

a higher workload on pilots and

20:41

air traffic control a safety

20:44

note is issued by the UK Civil Aviation

20:47

Authority this month says loss

20:49

of GNSS which is

20:51

just you know general satellite based navigation

20:54

can result in serious

20:57

navigation issues incorrect emergency terrain

20:59

warnings that the plane is

21:01

too low to the ground

21:03

and failure to various other

21:06

systems and

21:08

finally in a NASA report

21:10

detailing GPS instance there was also

21:12

published this month one pilot said

21:14

I have flown with

21:17

crew members who were not fully

21:19

aware of this problem other

21:21

pilots said they'd received false terrain

21:23

warnings that caused them to pull

21:26

up and the pilot

21:28

yes and the pilot should have

21:30

a thorough review of jamming effects

21:32

on the different aircraft systems as

21:34

part of their training and then

21:36

here's the problem of course because

21:39

this is a relatively new phenomenon

21:41

relative to when the pilots were

21:43

trained it may

21:47

just be the fact that the pilots are

21:49

trusting their avionics and no

21:51

not being sufficiently skeptical

21:54

so it does look

21:56

like these GPS

21:58

disruptions are coinciding with

22:00

Russia's full-scale war in Ukraine

22:03

and also it looks like

22:06

Israel's attacks in Gaza have

22:09

also been tied into

22:11

this. As we know,

22:13

disrupting GPS as part of

22:15

electronic warfare has become

22:18

common on Russia and

22:20

Ukraine's battlefield as a way to try

22:22

to limit the operation of drones. And

22:25

while Iran launched a barrage of missiles

22:27

and drones against Israel last

22:29

month on the 13th, Israeli GPS

22:32

disruption designed to limit the impact

22:34

of the attack also impacted mapping

22:36

and taxi services as well as

22:39

food delivery. So here was

22:41

an instance of Israel

22:43

doing some GPS jamming

22:45

which was somewhat

22:47

indiscriminate and the mapping

22:49

and taxi services as well as food

22:52

delivery within their own country took

22:54

a hit as a consequence. Kevin

22:57

Henke writes Wired, the founder

22:59

of cybersecurity company Hensec whose

23:01

work includes detecting GPS disruption

23:04

says jamming and spoofing technology

23:06

has become cheaper and

23:08

smaller over the years to the extent

23:11

that individuals can install them in their

23:13

cars to hide their own movements. That

23:15

is, you know, you're blocking your own

23:17

GPS receiver so your car doesn't know

23:20

where it is. However,

23:22

Henke says more sophisticated attacks use

23:24

equipment that can cost huge sums.

23:26

Yes, anything you anytime you're doing

23:28

spoofing as I said spoofing is

23:30

is a whole other level than

23:32

than just blanket jamming. He

23:35

said in conflict zones in military

23:37

terms and in professional terms this

23:39

spoofing is very sophisticated and it

23:41

always goes hand in hand with

23:44

jamming. Okay,

23:46

so since both

23:48

the jamming and the location spoofing

23:51

disruptions are enabled through the

23:53

use of very powerful

23:55

Local radio transmitters which over

23:57

help which overwhelm the reception.

24:00

The of the authentic signals

24:02

being beamed down from the

24:04

GPS satellite systems in orbit.

24:07

So. long as you're not in the

24:09

region, Of. The Baltics,

24:11

And all were Russia appears to have

24:14

taken it off. Serious.

24:16

Action To create Major disruptions.

24:19

The good news is these

24:21

attacks are inherently local in

24:23

nature and I'll. Hear the

24:25

U S. Were. Not being

24:27

affected by it at all,

24:29

as as most of Europe,

24:31

they are inherently very local.

24:33

But the problem for those

24:35

who are in the region

24:37

is that GPS and the

24:39

wider GNSS which again global

24:41

Navigation satellite system have always

24:44

been. Incredibly. Reliable

24:46

sources and not just of

24:48

of location but also of

24:51

time they they are masters

24:53

sources of of especially time

24:56

of day and as we

24:58

know when something is both.

25:01

Very. Useful. And. Has earned

25:03

a reputation for also being very reliable.

25:06

I mean, you know these things are

25:08

up in the sky beaming down at

25:10

us? Did. They. End up

25:12

creating a strong dependence. We

25:14

end up becoming very dependent

25:16

upon them. So many. Modern

25:19

non military commercial systems

25:21

have become so reliant

25:23

upon GPS that the

25:25

deliberate disruption of that

25:27

service for military purposes

25:29

such as Russia, as

25:31

has likely been perpetrating,

25:33

can cause dramatic collateral

25:35

damage. The.

25:38

us that day the gps system

25:40

which is i put out

25:42

by the u was conceived quite

25:44

a while ago a little over

25:47

fifty years ago back in

25:49

nineteen seventy three it took five

25:51

years to package this in the

25:54

first satellite that began launching at

25:56

that time and today we have

25:58

twenty four satellites in up

26:01

in the GPS constellation. They've

26:03

been up and operating since 1993. And

26:08

talk about depending upon something that's more

26:10

fragile than we might want. Our

26:13

phones and automobiles today only know

26:15

where they are largely thanks to

26:17

GPS signals coming from space. We've

26:19

talked about the mind. I only

26:21

know where I am thanks to

26:23

GPS signals. Yeah. Forget the car.

26:27

Yeah. I can't drive without GPS.

26:29

And I'm sure sports

26:32

wristwatch, health tracking wristwatches

26:35

are doing the same thing. We

26:39

have recently been talking about the

26:41

militarization of space and

26:44

the idea that having satellites attacking

26:46

one another up there

26:48

is not a

26:50

worry of James Bond science fiction.

26:53

You know, it's actually happening.

26:56

In some cases, robot

26:58

satellites are there in order to

27:00

repair others. But the same robot

27:02

that can function, you know, to

27:04

fix a broken antenna can also

27:06

go over and break one off

27:08

of some other satellite. So,

27:11

you know, unfortunately, they also have

27:13

multiple purposes. And

27:15

unfortunately, as global political tensions increase, we

27:17

can hope and we need to hope

27:20

that no major powers having

27:23

space based military capabilities, nor

27:25

the ability to kill satellites

27:27

from the ground, believe

27:29

that denying the entire world these benefits

27:32

would create an advantage for them. Because

27:35

it's difficult now to conceive

27:37

of a world where, you

27:39

know, GPS was just shut

27:42

down. It was like

27:44

destroyed deliberately by a power

27:47

hostile to, you know,

27:50

it wouldn't even necessarily have

27:52

to be hostile to the US. It

27:54

could be, you Know, because everyone's

27:57

using GPS, killing it for.

28:00

For Air Air, everyone also succeed

28:02

in killing it for a specific

28:04

targeted country. Before.

28:06

Gps. The. Only way

28:09

for something you know where it was.

28:11

Was. Through a system of

28:13

inertial navigation, Inertial.

28:15

Navigation, like his name suggests,

28:18

is a closed system. Which.

28:21

Relies upon the systems

28:23

precise measurement of it's

28:25

own linear and angular

28:28

accelerations. It integrates

28:30

those over time to

28:32

determine it's velocities. And.

28:34

That integrates those overtime to

28:37

determine his position. Even.

28:39

Though inertial navigation systems are

28:41

still in use due to

28:43

the nearly instantaneous position and

28:46

especially angular feedback that they

28:48

provide, The. Errors that tend

28:50

to creep in overtime can only

28:53

be eliminated with the use of

28:55

slower but far more accurate input

28:57

from the global GPS system. I

29:01

suspect Russia's primary concern is

29:03

with the use of autonomous

29:05

military drones which may rely

29:08

upon GPS to determine their

29:10

in location. But since the

29:12

risks presented by GPS jamming.

29:15

Although. They have been prevalent

29:17

at it has a been

29:19

a big concern for airline

29:22

pilots until recently Oscars they

29:24

are operating over there. The

29:26

East in the Baltic areas

29:28

says jamming has been a

29:30

possibility for some time. I

29:32

suspect that the latest technologies

29:34

are much more immune to

29:36

GPS outages than those in

29:39

Russia might wish. Vivid all

29:41

of the advantages and the

29:43

advantage of the advances made

29:45

in vision. and in

29:47

real time recognition i would

29:49

be surprised if the latest

29:51

autonomous technologies were not able

29:54

to fly nearly as well

29:56

by sight as they can

29:58

these days by gps They

30:00

might well use GPS as a first

30:03

choice, but use vision

30:05

to detect location spoofing while

30:08

also being able to switch to

30:10

pure vision if GPS should fail

30:12

completely. And another likely

30:14

strategy, which again you don't worry about

30:17

or deal with until it becomes a

30:19

problem, is that

30:21

since GPS signals will

30:23

always be originating from

30:25

above, would be to shield any

30:27

GPS receiver and its antennas. Oh, from

30:29

below. Yes. Because

30:32

the jammers are on the ground. Exactly.

30:35

That's clever. Yeah. So

30:37

planes can do that because they're

30:39

well above ground. Unfortunately, it's probably

30:41

not practical for ships at sea.

30:45

Yeah. I mean, when you listen to ground

30:47

air traffic control, talking to an airplane, which I

30:49

used to always do on United Channel 9, I

30:52

used to love to do that. They

30:54

often have visual markers.

30:57

They say turn right at

30:59

the big rock candy

31:01

mountain and things like that. I

31:04

don't know if they still do that. I haven't

31:06

listened in a while, but I bet they do.

31:10

You always want redundancy in any

31:12

system like that, right? Yeah.

31:15

And of course, the problem is that we all...

31:20

Okay. I remember,

31:23

Leo, when I guess this must

31:25

have been in driver ed. We were

31:27

supposed to go out

31:30

and walk around our car to

31:32

check all four tires. Yeah. We

31:34

don't do that anymore. No. Do

31:37

you do that? When was the last time

31:39

anybody did that? Pilots do that. Commercial

31:41

jet pilots do that. And I thank goodness that

31:43

they do. I think that's really great. But

31:46

no, I haven't done that to my car in a while. I figure if

31:48

it's flat, I'll know. Right?

31:51

It'll go from... That's right. From...

31:53

That's right. But I do remember

31:55

being told that's what we're supposed to do. So

31:58

here we have a problem where GPS has

32:02

been so reliable and

32:04

relied on that

32:06

I'm just hoping, I mean, the

32:09

in this NASA report last week where one

32:11

of the guys said you know I've

32:13

been with flight crews that

32:15

just assumed that the GPS was telling

32:18

the truth even though they were

32:20

suddenly being told to pull up because you're about

32:22

to hit the rock candy mountain that

32:24

would not be good. Pull

32:28

up, pull up. Take another break

32:30

and then we're going to talk about

32:32

whether the sky is falling on all

32:34

VPN systems. Yeah. As the tech press

32:37

seems to believe. I was counting on

32:39

you to cover this because I read

32:41

the stories. Thank God

32:43

you're covering it before I actually did

32:45

the stories. Keep me out

32:47

of trouble. Please. We

32:49

are very proud to say that our show this

32:52

portion of the show brought to you by

32:54

Kolide. We're going to meet with Kolide tomorrow

32:56

at RSA. Great people with a great product.

33:00

In fact I was so happy when I heard

33:02

and maybe you heard too that Kolide was just

33:04

purchased by 1Password. That's

33:06

really good news. Two

33:08

companies leading the industry

33:10

in creating security solutions that put

33:12

users first. They belong together. For

33:14

over a year we've been telling

33:16

you about Kolide Device Trust, helping

33:18

companies that use Okta make sure

33:20

that only known and secured devices

33:23

can access the data.

33:26

Okta authenticates the human.

33:30

Kolide authenticates the hardware. That's

33:32

a big deal and

33:34

they're still going to be doing that as part of

33:36

1Password. In fact they're going to be even better at

33:38

this. If you've got Okta and you've been meaning to

33:40

check out Kolide, this is the

33:42

time. Absolutely. Kolide is easy to get

33:44

started with. They come with a pre-built

33:46

library, a pre-built device posture check so

33:48

you can get up and running right

33:50

away all the basic stuff you would

33:52

want. But if you have some specific

33:54

devices or software or situations you'd like

33:56

to check for it's very easy to

33:58

write your own custom checks for just

34:01

about anything you can think of. Another point

34:03

I really like, you

34:05

can use Kolide on devices without MDM.

34:08

That means your Linux fleet or your

34:10

contractor devices, you can't tell them, put

34:12

our MDM on your device and

34:15

of course every BYOD phone and laptop

34:17

that sneaks into the company, all

34:19

of them can be protected by Kolide. Now

34:22

that Kolide is part of 1Password,

34:24

it's only going to get better.

34:27

This is the time to check

34:29

it out. kolide.com/securitynow. Learn more,

34:31

watch the demo today. k-o-l-i-d-e.com/securitynow

34:33

and if you're at RSA go

34:36

visit them. They're at

34:38

RSA too. Starting, I think it starts

34:40

tomorrow in San Francisco. Kolide.

34:42

Thank you Kolide for supporting

34:44

Steve and his very important

34:47

mission. Now what's all

34:49

this about VPN Steve? Okay,

34:52

so yesterday

34:55

Ars Technica got a little carried away

34:57

in their reporting of

35:00

what amounts to a clever hack that

35:02

a Seattle, Washington based

35:05

pen testing firm known

35:07

as the Leviathan Security

35:09

Group posted in their

35:11

blog and of course the rest

35:13

of the tech press picked up on it quickly too.

35:16

The blog posting carried the

35:18

headline how attackers

35:21

can decloak routing based

35:23

VPNs for a total

35:25

VPN leak and

35:27

what I found curious

35:29

was that they assigned, they meaning

35:32

the Leviathan security group, assigned a

35:34

CVE number to their discovery

35:36

even though nothing about

35:39

this is a bug or a

35:41

flaw. Oh. It's just a clever

35:43

local exploit of a little used

35:45

feature of DHCP servers. Unfortunately,

35:48

Ars Technica's

35:51

headline for their story was

35:54

Novel attack

35:56

against virtually all VPN

35:59

apps neuters their

36:01

entire purpose. Ahhh!

36:05

Run away! Okay,

36:08

which of course makes this sound more like

36:10

the end of VPNs as we've known them.

36:13

It isn't. Here's what's going on. Okay,

36:16

so I'm going to do a bunch

36:19

of propeller head cool stuff in order

36:21

to get a real grip

36:23

on this. Our PCs

36:26

all interact with both

36:28

internal and external networks

36:30

through network interfaces. Most

36:33

systems typically have a single physical network

36:35

interface or NIC, but it's

36:37

possible for a machine to have

36:39

more than one physical network interface

36:41

with each interface connected to a

36:44

different physical network. In

36:46

that case, it's important for

36:48

outgoing network traffic to

36:51

know which physical interface any

36:54

given packet should be routed out through.

36:58

To answer that question, our machines

37:00

contain a routing table. The

37:03

routing table performs a

37:05

most specific match function

37:07

based upon the destination IP address.

37:10

And in years past we talked

37:12

about internet routing tables and

37:14

all of this, so we've covered this

37:16

in detail, but the key here is

37:19

most specific match and that

37:21

all of our PCs, every one of them,

37:24

pads, phones, you name it,

37:26

anything that's networked using internet

37:28

protocol, IP protocol has a

37:30

routing table. Under

37:35

Windows, for example, opening a

37:37

command prompt and entering

37:39

the command route space

37:41

print will display a

37:44

list of the system's

37:46

interfaces followed by the

37:48

IPv4 and IPv6 routing

37:51

tables respectively. And

37:53

they're interesting and you can get a

37:55

sense for the fact that there's a

37:57

lot going on under the covers. that

38:00

we don't appreciate, we normally don't even

38:02

see. Okay, so

38:05

this set of network communication,

38:08

that is IP-based network communication,

38:10

comes in so handy that

38:13

in addition to true physical

38:15

interfaces, many of

38:17

our machines will have one or

38:19

more virtual network interfaces. In fact,

38:22

the so-called local host,

38:25

127.0.0.1, that's

38:28

a virtual network interface that

38:30

all stacks have. And

38:33

for example, the use of virtual

38:35

machines has become very popular and

38:37

they create their own virtual network

38:39

interfaces to talk to their host

38:41

machine as well as to the

38:44

outside world. Okay,

38:47

so here's the main point. Many

38:50

VPNs, like OpenVPN

38:52

for example, operate

38:56

by creating their own virtual

38:58

interface in the hosting machine.

39:01

It looks like and operates

39:04

like any other network interface.

39:07

But being a VPN, a virtual

39:09

private network, which is used to

39:11

transact privately with encryption,

39:14

any packets sent out of

39:17

that virtual interface are

39:19

first encrypted, then rerouted

39:22

out of an actual

39:24

physical interface to be

39:26

sent to the VPN's matching endpoint.

39:29

Since the typical VPN user, while

39:32

using a VPN, wants all of their

39:34

machines' traffic to be tunneled through

39:37

the VPN, when

39:39

the VPN tunnel is brought up, the

39:42

VPN software dynamically

39:44

edits the system's

39:46

global routing table in

39:49

such a way that instead of

39:51

the system's traffic by

39:54

default being routed out

39:56

through its normal actual

39:58

physical interface, all

40:00

of its traffic is instead routed

40:03

to the VPN's software-created

40:05

virtual network interface. This

40:08

is the way that deep down inside the

40:10

guts of our machines, all of

40:13

the traffic that is normally unencrypted

40:15

suddenly becomes encrypted when we

40:18

activate our VPN. Essentially,

40:20

it's like a man in the middle.

40:22

It sticks a shim into our network

40:24

so that all of the traffic that

40:26

would normally just go straight out the

40:29

physical interface instead is routed

40:32

to the VPN. And that's done,

40:34

as I said, by making just

40:37

a slight change to the routing

40:39

table so that all of

40:41

the traffic instead of going out the physical

40:43

interface goes to the VPN. We

40:46

need one other piece of information just to be

40:48

certain that everyone's on the same page. DHCP

40:53

stands for Dynamic Host

40:55

Configuration Protocol. By

40:57

default, when any networked

40:59

machine boots up and gets itself

41:02

going, it needs to be

41:04

using an IP address for itself on

41:06

its local network that's unique for

41:08

that network. And it

41:10

needs to know the IP address to which

41:13

it should address packets bound for the outside

41:15

world. In other words, the

41:17

network's gateway IP. It

41:19

may also want to know the IP

41:21

addresses of some DNS servers that will

41:24

honor its requests for domain

41:26

name lookup. It's

41:29

the network's inward-facing

41:32

DHCP server that

41:34

answers all these needs. When

41:37

any networked machine starts up, by

41:39

default, it will emit a broadcast

41:41

packet onto the network, announcing its

41:44

presence and asking for

41:46

any listening DHCP server to please

41:48

provide it with all the information

41:50

it requires to become a well-behaving

41:52

citizen on the local network and

41:55

to connect to the rest of

41:57

the global internet. DHCP

42:01

cleanly organizes the various types

42:03

of information it can supply

42:05

into lists for the clients

42:09

who are requesting it by

42:11

number. Each

42:14

one of these is known as an option where

42:17

the option number is a single byte,

42:20

thus having a value from 0 to 255. 0

42:24

is a null option and it can be used for

42:26

padding. 255

42:28

is the marker for the end of the

42:30

list of options. So the

42:33

options are provided as a list

42:35

of information terminated by option

42:37

255, which of course you

42:40

know is a byte of all 1s. So

42:43

for example, option 1

42:45

provides the network's subnet mask

42:48

to the requesting client. Option

42:51

2 specifies the offset of

42:53

the client's subnet in

42:56

seconds, that is in real

42:58

time, from UTC,

43:01

Coordinated Universal Time. Option

43:04

3 specifies a list of

43:06

the IP addresses of routers

43:08

on the client's subnet, what we know

43:10

as the gateway IP. Option

43:13

4 specifies a list of time servers

43:15

which are available to the client. Option

43:18

6 provides a list of DNS servers

43:20

for the client's use. And

43:23

there's a bunch of them, all

43:26

kinds of different things that have been added

43:28

through the years and there are even some

43:30

surprises. For example, options 69 and

43:33

70 provide the IP addresses

43:35

of SMTP and POP3 email

43:38

servers, which I thought was

43:40

kind of cool. We're

43:42

all used to specifying those ourselves, but back in

43:44

1997 when this was first created, that

43:49

information was available via

43:51

DHCP. Something

43:54

else that DHCP was able

43:56

to provide is the

43:58

source of today's trouble.

44:01

The RFC's definition for

44:04

option 33 defines

44:07

it as the static

44:09

route option and

44:11

says quote this option

44:14

specifies a list of static

44:16

routes that the client should

44:18

install in its routing

44:21

cache. Okay now everybody

44:23

who's been paying attention and

44:25

you know enjoys networking stuff

44:28

just went aha and knows

44:30

what the problem is. This

44:33

thing continues if multiple routes to

44:35

the same destination are specified they're

44:37

listed in descending order of priority.

44:40

The routes consist of a list

44:42

of IP address pairs. The first

44:44

address is the destination address and

44:46

the second address is the router

44:49

for the destination. Again

44:51

if some of you just said oh crap

44:54

that would be the correct reaction.

44:57

What this means and

44:59

it would mean you're paying attention good job.

45:01

That's right that's right. What

45:04

this means is that the

45:06

response from a DHCP server

45:09

can be used to mess

45:11

with a machine's routing table

45:15

and as we noted earlier a machine's traffic

45:18

is routed to the

45:20

VPN's virtual interface through

45:22

a dynamic modification of

45:25

the machine's routing table. Now

45:28

as it happens option 33 is not really the problem

45:32

because it was defined back in 1997 when IP networks

45:35

were all class A, B, or

45:41

C. That meant that

45:43

networks were defined to always have

45:45

exactly one, two, or

45:48

three bytes of host

45:50

machine addresses. As

45:52

we know this was extremely

45:54

wasteful of IP addresses for

45:56

networks falling into intermediate sizes.

45:59

So something known as CIDR,

46:01

which stood for classless

46:07

inter-domain routing was adopted. That's what we

46:09

have today where the network mask can

46:11

have any number of contiguous bits set,

46:13

thus allowing scaling of networks by factors

46:16

of two all the way

46:18

from one machine, well technically up

46:20

to 4.3 billion, but no one

46:22

network has that except the internet

46:24

itself. Okay,

46:27

so the adoption of

46:29

CIDR obsoleted option

46:31

33 forcing its replacement five

46:33

years later in 2002 under

46:38

the guidance of RFC 3442 which introduced

46:40

option 121 which allows for exactly

46:47

the same thing, but

46:50

under the specification of

46:52

classless static routes. Now

46:56

I mentioned that I was

46:59

surprised that these Leviathan

47:01

Security Group guys had

47:03

arranged to get a CVE

47:06

assigned for this since technically

47:08

this is a feature not a

47:10

bug and all the way back in

47:12

1997 the

47:15

fundamental vulnerability of

47:18

DHCP was quite well

47:20

understood. Again 1997 section

47:24

7 of the original RFC

47:26

2131, dated March of 1997, is titled, it

47:28

was section

47:32

number 7, Security Considerations,

47:35

it says DHCP

47:37

is built directly

47:39

on UDP and

47:41

IP which

47:43

are as yet inherently

47:46

insecure. Furthermore

47:48

DHCP is generally

47:50

intended to make maintenance of

47:53

remote and or diskless

47:55

hosts easier. While perhaps

47:57

not impossible configuring such

48:00

hosts with passwords or keys may

48:02

be difficult and inconvenient. Therefore,

48:05

DHCP in its

48:08

current form, which by the way is the

48:10

form it has today in 2024 because,

48:13

you know, if it's not broke, in

48:16

its current form is

48:18

quite insecure, says

48:20

the RFC from 1997. They

48:24

said unauthorized DHCP servers may

48:26

be easily set up. Such

48:29

servers can then send false

48:32

and potentially disruptive information to

48:34

clients such as incorrect or

48:36

duplicate IP addresses, incorrect

48:39

routing information, including

48:42

spoofing routers, etc.,

48:44

incorrect domain name server addresses

48:47

to spoof name servers,

48:49

and so on. Apparently

48:51

they wrote, once this seed

48:53

information is in place, an

48:55

attacker can further compromise affected

48:57

systems. Okay,

49:01

so here's how the

49:03

Leviathan folks described the

49:05

attack they've devised by

49:07

abusing option 121. They

49:11

said, our

49:13

technique is to run

49:15

a DHCP server on

49:18

the same network as a targeted

49:20

VPN user and to

49:22

also set our DHCP configuration to

49:24

use itself as a gateway. When

49:28

the traffic hits our gateway, we

49:30

use traffic forwarding rules on the

49:33

DHCP server to pass traffic through

49:35

to a legitimate gateway while we

49:37

snoop on it. We

49:41

use DHCP option 121

49:44

to set a route on

49:46

the VPN user's routing table. The

49:49

route we set is arbitrary and

49:52

we can also set multiple routes if needed

49:55

by pushing routes that are more

49:57

specific than a slash zero

50:00

range that most VPNs use,

50:03

we can make routing rules that have

50:05

a higher priority than

50:07

the routes for the virtual

50:10

interface the VPN creates. As

50:13

we know, because that

50:16

means it's a more specific

50:18

route, so the routing system

50:21

will always route a

50:23

more, will always take the

50:25

most specific route available. So

50:27

by doing something, creating

50:30

a network smaller than the slash zero,

50:33

which is the everything, the

50:36

routing table ends up routing

50:38

to the intercepting

50:40

DHCP server rather than

50:43

to the users VPN.

50:46

They said we can set multiple

50:48

slash one routes to recreate the

50:50

zero dot zero dot zero slash

50:52

zero all traffic rule

50:55

set by most VPNs. Pushing

50:58

a route, they wrote, also means

51:00

that the network traffic will be

51:02

sent over the same interface as

51:04

the DHCP server instead

51:06

of the virtual network interface. This

51:09

is intended functionality that is

51:11

not clearly stated in the

51:13

RFC. Therefore, for

51:16

the routes we push, it

51:18

is never encrypted by

51:20

the VPNs virtual interface but

51:22

instead transmitted by the network

51:24

interface that is talking to

51:26

the DHCP server. As

51:29

an attacker, we can select which

51:31

IP addresses go over the tunnel

51:33

and which addresses go over the

51:35

network interface talking to our VPN

51:37

or our DHCP server. So in

51:39

other words, they're able to literally

51:42

select by destination IP.

51:44

If they don't want

51:46

everything, they can say, ah, just give

51:49

us this chunk of your traffic. You

51:51

think it's going through your VPN, but

51:53

it's not. They said

51:55

we now have traffic being

51:58

transmitted outside the VPN's encrypted

52:00

tunnel. This technique can

52:03

also be used against an

52:05

already established VPN connection once

52:07

the VPN user's host needs

52:09

to renew a lease from

52:11

our DHCP server. We

52:14

can artificially create that scenario by setting

52:16

a short lease time in the

52:18

DHCP lease so the user updates

52:21

their routing table more frequently. In

52:23

addition the VPN control

52:25

channel is still intact

52:27

because it already uses

52:30

the physical interface for its

52:32

communication. That is you

52:34

know the control channel meaning the

52:37

channel to the remote end that is outside of

52:39

the tunnel. They said in

52:41

our testing the VPN always

52:44

continued to report as

52:47

connected and the kill switch

52:49

was never engaged to drop our

52:51

VPN connection meaning there was never

52:53

a panic that the VPN was

52:56

concerned that it was being intercepted

52:58

and so shut things down. So

53:02

then to their credit they raised

53:04

the question that we've

53:06

had all along by asking

53:08

is TunnelVision a vulnerability

53:11

and I appreciated their answer

53:13

they wrote this is debatable.

53:17

We're calling it a technique because

53:20

TunnelVision doesn't rely

53:22

on violating any security

53:24

properties of the underlying

53:26

technologies. From our perspective

53:28

TunnelVision is how

53:31

DHCP routing tables and

53:33

VPNs are intended to work.

53:36

However it contradicts

53:38

VPN providers' assurances

53:42

that are commonly referenced

53:44

in marketing materials. In

53:46

our opinion TunnelVision becomes

53:48

a vulnerability when a VPN

53:51

provider makes assurances that their

53:53

product secures a customer from

53:55

an attacker on

53:57

an untrusted network. There's a big

54:00

difference between protecting your data

54:02

in transit and protecting against

54:04

all LAN attacks. VPNs

54:07

were not designed to mitigate

54:09

LAN attacks on the physical

54:11

network and to promise otherwise

54:14

is dangerous. In

54:16

our technique, we have not

54:18

broken the VPN's cryptographically secured

54:20

protocol and the VPN is

54:22

still fully functional. An

54:24

attacker is instead forcing a

54:27

target user to not use

54:29

their VPN tunnel. Regardless

54:31

of whether we classify this as

54:34

a technique, VPN users are affected

54:36

when they rely on assurances that

54:38

a VPN can secure them from

54:41

attackers on their local

54:43

network. Hmm, interesting. Finally,

54:46

That is one of the primary uses, isn't it,

54:48

for a coffee shop and other open Wi-Fi networks?

54:51

Exactly. But that's been

54:54

around forever. Yes,

54:56

exactly. And

54:58

they finished. As for what systems are

55:01

affected, the short version is everything

55:03

except Android. That's funny.

55:08

Android doesn't support option 121, so

55:10

it's completely excluded from these attacks.

55:13

They wrote, In our

55:15

testing, we observed that any

55:18

operating system that implements a

55:20

DHCP client according to its

55:22

RFC specification and has support

55:24

for DHCP option 121 routes is affected. This

55:30

includes Windows,

55:34

Linux, iOS, and Mac OS. Notably,

55:41

they wrote, it does not affect

55:43

Android as they do not have

55:45

support for DHCP option 121. I

55:49

wonder why not. Which really is interesting. I

55:52

do too because I did some

55:54

digging and there have actually been

55:56

instances where Android's lack of option

55:59

121 support has

56:01

caused problems for Android users

56:03

because it turns out this

56:05

is not obscure, Leo.

56:08

This is the first time we've ever talked

56:10

about it on the podcast because it's just

56:12

never come up. You know, we've covered DHCP

56:14

in depth in the past. Okay,

56:16

so just to be clear about the

56:19

scope of the danger presented

56:21

by the potential abuse of

56:24

DHCP's option 121, this

56:26

is strictly a local

56:29

LAN-side attack. But Leo, as you

56:32

correctly point out, you know, we

56:34

do operate in essentially

56:37

LAN networks

56:39

where we're assuming a VPN

56:41

is going to trust us,

56:43

where untrusted peers

56:47

are on the same LAN we

56:49

are. So that's

56:51

a thing. The

56:57

attacker needs some means

56:59

of defeating the network's

57:01

actual DHCP server. Since

57:04

DHCP clients will and

57:06

do accept

57:09

the first reply to their

57:11

query, simply being

57:13

faster to reply is

57:16

typically all that's needed. And you

57:18

know, as we know, most routers

57:20

use the slowest chip that the

57:22

manufacturer was able to get away

57:24

with. Boy, I tell

57:26

you, those web interfaces on routers, it's

57:28

like, okay, I click the button. Hello?

57:30

Hello? Did

57:32

you, you know, try, click it again or just wait?

57:34

No. So the point is, it's not going to be

57:37

quick to fire off a

57:39

DHCP reply because it doesn't need

57:41

to, right? That's going to be

57:43

way down the priority queue of

57:45

traffic that it needs to deal

57:47

with. So an attacker probably doesn't

57:50

have much difficulty

57:52

being able to respond to DHCP

57:54

queries faster. So it's

57:56

definitely conceivable. Also,

57:59

in an

58:01

enterprise environment, if

58:05

you had somebody untrusted on

58:07

an enterprise network, that

58:10

would be a problem. And it also

58:12

turns out that option 121 is not the

58:15

least bit obscure in the enterprise.

58:17

It turns out it's under heavy

58:19

use. I found two little samples

58:22

through a quick search. A posting

58:24

over on Stack Exchange says, I'm

58:27

running OpenVPN on a

58:29

CentOS 7 server. The

58:32

DHCP server on the LAN

58:34

uses option 121 to tell

58:37

other devices to use

58:39

this CentOS server if they

58:42

want to get to the VPN

58:44

subnets the OpenVPN servers

58:46

connected to. This works

58:48

great. The problem is that

58:51

this CentOS server is getting these

58:53

same routes from the DHCP server

58:55

which breaks things. And then he

58:57

goes on to talk about how

58:59

he can manually remove the static

59:02

routes that the CentOS server is

59:04

receiving from DHCP. But my point

59:06

is here's an example of

59:09

where option 121 is being

59:12

used to inform

59:16

machines on the LAN

59:19

where to route the traffic they

59:21

want to go through the

59:24

CentOS 7 servers

59:27

VPN subnets. So

59:30

it's very useful for that. And

59:32

also just as recently as last

59:34

Tuesday, someone posted to the, what

59:37

I have to categorize as

59:40

the embarrassingly useless Microsoft

59:42

Answers forum. I don't

59:45

know if anybody has ever seen any

59:47

of the crap that is there.

59:51

But you know if Microsoft

59:53

really wants to lead in AI

59:55

they should remove whatever

59:57

poor humans they have

1:00:00

that are being forced to respond

1:00:02

to forum postings there and put

1:00:04

ChatGPT 12 or

1:00:06

something in there instead. It is, I mean,

1:00:08

it is, it is excruciatingly

1:00:12

bad. Anyway, someone

1:00:14

posted, and needless to say, they

1:00:16

got no useful answer. When connected

1:00:18

to my office network, its

1:00:21

DHCP server, meaning

1:00:23

his office's network DHCP

1:00:26

server will use option

1:00:29

121 to assign three different networks

1:00:31

to be reached using a router

1:00:33

which is not the default gateway

1:00:37

This works. Absolutely, the networks

1:00:39

appear in my routing table

1:00:41

in active routes, everything works,

1:00:43

networks are reachable. Anyway, so he

1:00:46

wrote that and I just grabbed that as a little

1:00:48

snippet of another example of, like, you know, option

1:00:50

121 is really out there, and it

1:00:53

turns out has, you know, really

1:00:56

been useful. As I said, he goes

1:00:58

on to explain at some length. He's

1:01:00

complaining that when he boots his PC

1:01:02

without any network connectivity, then

1:01:05

it has a problem. Yeah,

1:01:09

that would be a problem. So

1:01:11

anyway, I wanted to

1:01:13

point this out again, that this,

1:01:15

this, this DHCP option is

1:01:19

in heavy use within more

1:01:21

complex corporate networks. What

1:01:23

that means is that simply, like, blacklisting

1:01:26

option 121 is not viable. In my

1:01:32

opinion, it would be extremely unlikely

1:01:35

for anyone at home to ever

1:01:38

have anything, you know, to

1:01:40

worry about. Though

1:01:42

it's still instructive to paint a picture. The

1:01:45

way I can see this might occur

1:01:47

to somebody at home would

1:01:49

be if some malicious device were

1:01:51

connected to a residential

1:01:53

network and wish to

1:01:55

capture all of the user's traffic, whether

1:01:58

tunneled through a VPN or not. By

1:02:00

being the first device to respond

1:02:04

to any DHCP query, such

1:02:06

a malicious device could establish

1:02:08

itself as the network's

1:02:11

gateway to receive, inspect, and

1:02:13

forward all traffic from

1:02:15

the network's many machines. And

1:02:18

then, by additionally using option

1:02:21

121, such a device could

1:02:23

use that to also insert

1:02:25

entries into the user's routing

1:02:27

table to prevent their VPN,

1:02:30

if any, from tunneling

1:02:32

the user's traffic. Even

1:02:34

though the VPN would show that

1:02:37

everything was working and the user's

1:02:39

traffic was protected, none

1:02:41

of it would be. The VPN tunnel

1:02:43

would be up and established, but it

1:02:45

would not be carrying any of the

1:02:48

user's traffic. Since there

1:02:50

are many environments where option 121 is not

1:02:52

needed and is never used, like probably

1:02:57

most of ours at home, I think

1:03:00

it would be nice for our operating

1:03:02

systems to provide the option to hard

1:03:07

disable it, but I

1:03:09

dug around that I couldn't find any

1:03:11

indication that that's being done. I

1:03:14

would imagine the Windows firewall could be

1:03:16

configured to

1:03:19

look for any incoming DHCP

1:03:21

port. What is it? It's

1:03:24

been so long. Is it 163? No

1:03:26

idea. The DHCP? I don't

1:03:29

remember now. The port number. The

1:03:32

best mitigation would be turn off option

1:03:35

121, but that's not an option for

1:03:37

us now. Can

1:03:40

VPN software be updated to have that as

1:03:42

a feature? The

1:03:46

problem is this gets in underneath

1:03:48

the VPN software. I

1:03:53

suppose it could be updated

1:03:55

to monitor the routing table

1:03:58

and proactively determine

1:04:01

whether or not it's been

1:04:04

rerouted. So that's

1:04:06

certainly something that could be done.

1:04:08

Right now, when you bring up

1:04:10

the VPN tunnel, it

1:04:12

inserts a new default route

1:04:15

for everything and

1:04:17

points it at its virtual interface

1:04:20

so that it receives everything. What

1:04:23

it would need to do would be to send itself a

1:04:25

test ping from an IP in the user's IP

1:04:39

space and verify that its

1:04:42

virtual interface receives that

1:04:44

ping. If

1:04:46

it doesn't receive the ping, that

1:04:49

tells it something has interfered with

1:04:51

the routing between the user's

1:04:54

local host IP and its

1:04:56

own interface. So

1:05:00

yeah, that would be a cool

1:05:02

feature for a VPN to add. Meanwhile,

1:05:04

there's not really a mitigation, is there? No.

1:05:08

No. And I

1:05:10

think your use case is exactly

1:05:12

the right one, Leo, because where

1:05:14

do people deliberately bring up a

1:05:16

VPN? It's

1:05:18

when they're in a hotel, in a

1:05:20

cafe, in any untrusted environment, and they

1:05:22

don't want

1:05:27

to be sharing their traffic with everybody else. Yeah.

1:05:31

I wonder if commonly used hacking

1:05:33

tools like Wi-Fi Pineapples and stuff are able

1:05:35

to do this. They

1:05:38

probably are. I mean, it's been around for 30 years.

1:05:41

Yeah, but well, so you mean

1:05:43

whether they're able to perform the hack. Yeah. I

1:05:47

bet that the intercepting ... That

1:05:49

seems like something you build in. Well,

1:05:51

and intercepting DHCP is such a juicy

1:05:53

target. Yeah. I mean,

1:05:55

I'll bet you that hacking tools have

1:05:57

a ... have

1:06:01

DHCP server spoofing

1:06:04

and are able to get a

1:06:06

response out immediately. Interesting. Wow,

1:06:11

this is good stuff. Thank you. Because this

1:06:13

has been everywhere, this story, and I was

1:06:15

really curious what you thought of it.

1:06:18

Yeah, so it's a problem. Again, what are

1:06:20

you going to do with the CVE? Hello?

1:06:24

Okay, I mean

1:06:26

maybe that gets it more attention. Yeah,

1:06:30

unfortunately some, apparently GPT something is

1:06:32

able to read the CVE and

1:06:34

immediately design a hack that

1:06:36

the script kiddies could then use. So great.

1:06:41

Would you like to take a break? Is that what you're looking at

1:06:43

me like that for? I

1:06:47

know that look. We

1:06:50

will have more with Mr. Gibson in just a

1:06:52

little bit. Every

1:06:54

week there's a story or two that in

1:06:57

my mind, and I bet your mind too, you go,

1:06:59

I wonder what Steve has to say about that. That's

1:07:02

why we love you, Steve, and that's why we listen to

1:07:04

the show. We're so glad to carry the show. Today

1:07:08

our sponsor for this segment, Lookout.

1:07:11

This is kind of timely. Every company

1:07:13

today is a data company, right? We all have data

1:07:15

and we're all out in the cloud. We're all out

1:07:17

and about. Every company's at

1:07:19

risk with cyber threats,

1:07:21

breaches, leaks. This

1:07:24

is all the new normal. And

1:07:27

cyber criminals, they're getting better and more sophisticated by

1:07:29

the minute, especially with the help of

1:07:31

AI. At a time when boundaries no

1:07:34

longer exist to work, what

1:07:36

it means for your data to be secure

1:07:38

has really fundamentally changed, which

1:07:40

is why you need Lookout. From the

1:07:42

first phishing text to the final

1:07:45

data grab, Lookout stops

1:07:47

modern breaches as swiftly as they

1:07:49

unfold, whether on a device in

1:07:52

the cloud, across networks, even

1:07:54

working remotely at the local coffee shop,

1:07:57

which now we know is a little

1:07:59

hazardous. Lookout gives

1:08:01

you clear visibility into all your

1:08:03

data at rest and

1:08:06

in motion. You'll monitor, assess, and

1:08:08

protect without sacrificing productivity and employee

1:08:11

happiness for security. With

1:08:13

a single unified cloud platform,

1:08:15

Lookout simplifies and strengthens,

1:08:18

reimagining security for the

1:08:20

world that will be today.

1:08:22

Visit lookout.com today to learn

1:08:24

how to safeguard data, secure

1:08:26

hybrid work, and reduce IT

1:08:29

complexity. That's lookout.com. Thank you, Lookout,

1:08:31

for supporting Steve and

1:08:33

the work he does here. And thanks also

1:08:36

to all of our Club Twit members whose

1:08:38

donations make this show possible. You know, if

1:08:40

you find this valuable and you're not yet

1:08:43

a Club Twit member, it's just seven bucks

1:08:45

a month. We have corporate memberships too. Get your

1:08:47

whole company involved. Probably everybody in your IT department

1:08:49

should be listening to this show every darn week.

1:08:52

Go to twit.tv slash Club Twit to find

1:08:54

out more. And to those

1:08:56

of you who are already members, thank you. We

1:08:58

appreciate you supporting. On we go with

1:09:01

Mr. G. Okay, so a bit

1:09:03

of feedback. Dave Brenton tweeted,

1:09:05

Mr. Gibson, quickly may

1:09:08

I say as a machine language coder, I

1:09:10

admire your work in that area. I'm

1:09:12

a SpinRite owner, user, and long-time fan

1:09:15

since near the beginning of security now.

1:09:17

My question is about security keys. I

1:09:19

hope this is not too long a question. And

1:09:21

it wasn't. He says I'm about to

1:09:23

make the transition to YubiKey. And

1:09:26

so I intend to purchase two to

1:09:29

have a safe fallback in case of loss.

1:09:32

I'm also planning to convert the wife

1:09:35

over to the Passkey world. My

1:09:37

question is, can the Passkeys

1:09:40

be paired across two user accounts,

1:09:43

thereby ensuring recovery in case

1:09:45

of loss with only three

1:09:47

keys. My mental model says

1:09:50

it made sense, but I do not know for

1:09:52

sure. One, can the same

1:09:54

key be applied to two different people?

1:09:57

Two, to assure full backup

1:09:59

protection, can all three keys

1:10:02

be coded into both users? May

1:10:05

be a silly notion, but it could

1:10:07

work. But could it work, or should

1:10:09

I just buy four keys to begin

1:10:11

with? Thank you for all your good

1:10:13

work and propeller-head installments on to

1:10:15

999 and beyond. Yes. Days

1:10:17

Zazzle. As I said at the beginning of

1:10:19

the show, we're on episode 973;

1:10:21

we are close to

1:10:23

999, but we're no

1:10:25

longer fearful of that as a fatal number.

1:10:27

Before you

1:10:29

get to the answer, I just want...

1:10:31

Well, actually, do the answer and

1:10:33

then I want to ask about machine

1:10:35

language and assembly. I have since...

1:10:39

Oh, crap. Oh, okay, so I

1:10:41

chose to share Dave's question because

1:10:43

it so perfectly demonstrates the

1:10:46

near-total mess the

1:10:48

user authentication world has fallen

1:10:51

into today. It is

1:10:53

just a catastrophe. I'm hopeful

1:10:56

this may just be a

1:10:58

transition phase, but truth be

1:11:00

told, all of

1:11:03

our collective experience also

1:11:05

leaves me feeling somewhat

1:11:07

skeptical. I worry that

1:11:09

all we have done, by

1:11:11

adding the FIDO group's, or,

1:11:14

I'm sorry, by having

1:11:16

the FIDO group lower the

1:11:18

bar for entry from

1:11:20

requiring physical dongles

1:11:23

to allowing pretty much

1:11:25

anything else, smartphones and

1:11:27

PCs running simple software

1:11:29

passkey clients, is to

1:11:32

expand upon the number

1:11:34

of available options with

1:11:36

an additional and, difficult

1:11:39

as it is to believe in this

1:11:41

day and age, not very well thought

1:11:43

out system. We've

1:11:46

added this new and not

1:11:48

well thought out system without

1:11:50

removing. Any of the

1:11:52

previous options. Have. Traditional

1:11:54

user name and passwords been

1:11:56

replaced? No. Are

1:11:59

they ever going to be? Not in

1:12:01

this lifetime. Have the

1:12:03

I forgot my password links gone

1:12:05

away? No. Are they

1:12:07

ever going to? No. What

1:12:10

about those time-based one-time passcodes? Are

1:12:12

they going away? No. Any

1:12:14

plan for that? No. What about

1:12:17

OAuth, which brings us the log

1:12:19

on with your Google or Facebook

1:12:21

or some other account? Have those

1:12:23

been obsoleted and removed? Nope.

1:12:26

Can they be? Well, not easily,

1:12:28

since many sites only know

1:12:30

their users thanks to their

1:12:33

redirection through another web services

1:12:35

authentication. And so,

1:12:37

through this pile of

1:12:39

existing half-baked remote

1:12:41

network authentication solutions,

1:12:44

we're now adding passkeys, a

1:12:47

mysterious new solution that its

1:12:49

designers all say is amazing,

1:12:52

and far more secure, which works

1:12:54

sort of like magic, right

1:12:57

up until it doesn't work at all. And

1:12:59

when that happens, what do we do? Well,

1:13:02

we fall back to send me

1:13:04

an email. What

1:13:07

we've wound up with is

1:13:09

the well-known and often observed

1:13:11

phenomenon of solution spread. We

1:13:15

invent a better idea than

1:13:17

what we had before. Perhaps

1:13:19

it's because the times have changed,

1:13:21

and the older solutions are no

1:13:23

longer adequate. Or perhaps we

1:13:26

have more technology and available processing

1:13:28

power than we had before, so

1:13:30

new solutions are available that weren't

1:13:32

previously. But the problem is, we

1:13:35

rarely are able to kill

1:13:37

off the things that came

1:13:39

before. Why? Because

1:13:41

by the time we can do something

1:13:43

more, too many people have

1:13:46

come to depend upon the previous solution,

1:13:49

and the one before that, and the one

1:13:51

before it. And

1:13:53

this solution spread doesn't just

1:13:55

apply to the authentication domain.

1:13:58

Just look at Windows. without

1:14:00

getting bogged down into the details,

1:14:03

every few years Microsoft comes up

1:14:05

with a new and much improved

1:14:07

way of writing applications for their

1:14:10

Windows OS. And they

1:14:12

promote the hell out of it, explaining

1:14:14

how and why it's so much better

1:14:16

than everything that came before. And

1:14:19

do they then kill off the previous

1:14:21

ways of programming Windows? No, of course

1:14:23

not. They can't. They were

1:14:26

once promoting the hell out of those

1:14:28

previous solutions and they got lots of

1:14:30

people on board using them then. So

1:14:32

even though they no longer love them

1:14:34

and are urging everyone to use the

1:14:36

new system, that never happens. I've

1:14:39

heard Paul over on Windows Weekly saying

1:14:42

that the original Windows API, Win32, should

1:14:45

have died off long ago. That's

1:14:48

what all of my Windows are written in.

1:14:51

And not just mine, a gazillion others

1:14:53

as well. And that's gazillion with a

1:14:56

g. I

1:14:58

am certain Paul knows that

1:15:00

Microsoft will never abandon Win32.

1:15:03

They can't anymore than websites

1:15:05

will ever be able to

1:15:07

stop offering username and passwords

1:15:10

with an "I forgot" email

1:15:13

link. So just

1:15:15

to be clear, the industry has

1:15:17

added a bright and shiny additional

1:15:22

way for people to log

1:15:24

into their accounts. But

1:15:26

none of the existing ways are

1:15:29

or will be removed.

1:15:33

Remember that today in

1:15:35

2024, only one out of

1:15:38

every three internet users is

1:15:40

using any form of

1:15:42

password manager. I

1:15:45

really don't know what the rest are doing. These

1:15:47

are people whose iOS and Android

1:15:50

support for Passkeys is mostly aimed

1:15:52

at. These

1:15:54

people don't know, don't understand,

1:15:56

and don't care about their online

1:15:59

identity. So, when Apple or Google

1:16:01

comes along and asks, how would

1:16:03

you like to log in instantly

1:16:06

with Passkeys and never worry about

1:16:08

another password? Well, that sounds

1:16:10

great. But that's

1:16:12

not Dave. Our

1:16:14

listener whose questions launched me into first

1:16:16

taking a bit of a rant into

1:16:19

a wider view of where we stand

1:16:21

today. So, let's look at

1:16:23

Dave's situation. Dave says he's

1:16:26

planning to convert his wife over

1:16:28

to Passkeys. I'm sure

1:16:30

he means that he would like

1:16:32

to have his wife begin to

1:16:35

use Passkeys since it's not possible

1:16:37

to convert over to Passkeys

1:16:39

in any meaningful way when

1:16:42

so few websites offer the

1:16:44

option at all. The

1:16:47

caution there, since we do

1:16:49

not yet have Passkey transportability,

1:16:52

is to be careful about which

1:16:54

app is holding a site's Passkeys.

1:16:56

As I mentioned last week, iOS,

1:16:59

Windows, Android, and now an

1:17:01

increasing number of traditional password

1:17:04

managers will all be vying

1:17:06

to be the app

1:17:09

that generates the Passkey to

1:17:12

be provided to a website. Since

1:17:15

only that app will

1:17:17

then be able to authenticate the user

1:17:19

to that site with a Passkey, the

1:17:22

only sound strategy will

1:17:24

be to only and

1:17:26

always use a single

1:17:28

platform for Passkeys. This

1:17:33

issue and Dave's other questions

1:17:35

require a quick bit of

1:17:38

foundation about the operation of

1:17:40

Passkeys. When

1:17:43

an application prompts its user

1:17:45

about whether the user wishes to

1:17:48

have it create a Passkey, that's

1:17:51

exactly what's happening. The

1:17:53

application generates a

1:17:55

cryptographically strong secret and

1:17:58

private key which

1:18:00

never leaves the application

1:18:03

and which the application guards carefully.

1:18:05

And in this case, I'm using

1:18:08

key and application interchangeably. From

1:18:10

that closely held private key,

1:18:13

it then generates a public key.

1:18:16

And only the public key is

1:18:18

sent to and retained by the

1:18:21

website. In the

1:18:23

future, that website will use

1:18:25

the public key it

1:18:27

holds to verify the signature

1:18:29

of a challenge that it sends to

1:18:31

the user's passkey authenticator. So

1:18:34

my point here is that

1:18:36

today there is no

1:18:38

provision for these private

1:18:40

keys which were

1:18:43

generated internally and have

1:18:45

ever since been guarded by the

1:18:47

application to ever leave

1:18:49

that application's control. And

1:18:51

a security conscious organization like

1:18:54

Apple can make the

1:18:56

defensible claim that since

1:18:58

all of the passkey's security

1:19:01

derives from the secretness of

1:19:04

these private keys, which

1:19:06

is crucial, no

1:19:09

other application, including its

1:19:11

user, can or

1:19:13

should be entrusted with

1:19:15

their stewardship, with the stewardship

1:19:17

of the passkey's private

1:19:20

key. Since this

1:19:22

represents a powerful platform

1:19:24

lock-in, it's not at all

1:19:26

clear to me that Apple will ever allow

1:19:28

for passkey export. That

1:19:30

being the case, I

1:19:33

think that a very strong case can be

1:19:35

made for only ever

1:19:38

storing passkeys in a third-party

1:19:40

passkey client, such as a browser

1:19:42

extension. In theory, it ought to

1:19:44

be possible for a website to allow

1:19:47

its user to replace one passkey

1:19:49

with another, so if

1:19:51

Apple or Android were to inadvertently become

1:19:53

the generator and holder of a passkey,

1:19:56

if a

1:19:58

website supported passkey replacement,

1:20:01

it should be possible to migrate

1:20:03

away from one passkey application to

1:20:05

another. And if, and I was thinking

1:20:07

about this, if a

1:20:09

website doesn't explicitly allow you to

1:20:12

migrate between passkeys, hopefully it allows

1:20:14

you to delete a passkey, in

1:20:16

which case your account would not

1:20:18

be associated with one, and then

1:20:20

you could re-associate it with a

1:20:22

passkey from the provider that you're

1:20:24

wanting to switch over to. So,

1:20:29

the

1:20:32

real point here is that it

1:20:36

is the application that generates the

1:20:38

passkey. It is never something that

1:20:40

we're able to supply from the

1:20:42

outside. So, just

1:20:45

to put a bit of frosting

1:20:47

on this discussion before we talk

1:20:49

about the platforms with

1:20:51

hardware authentication dongles, I

1:20:53

wanted to share a few points from

1:20:56

Google's Chrome FAQ.

1:20:59

This is Google's Chrome browser

1:21:01

FAQ about passkeys. They

1:21:04

start off, of course, with all the

1:21:06

glowing bits. Under manage

1:21:08

passkeys in Chrome, they say

1:21:11

you can use a passkey to

1:21:13

sign in easily and securely with

1:21:16

just a fingerprint, face scan, or

1:21:18

screen lock. Passkeys

1:21:20

are a simple and secure way to sign in

1:21:22

to both your Google account

1:21:24

and all these sites and apps you

1:21:27

care about without a password. You

1:21:29

may be asked to sign in to

1:21:32

a website with a passkey or create

1:21:34

one to improve your account's security. Then

1:21:36

they have a little tip. Passkeys are

1:21:39

built on industry standards, so

1:21:41

you can use them across

1:21:43

many platforms. I love those

1:21:45

industry standards. Oh,

1:21:47

Leo, that's the happy news. That

1:21:50

all sounds terrific. And of course,

1:21:52

we ask, what here? What could

1:21:54

possibly go wrong? Well, here's what

1:21:56

Google had to say about that.

1:22:00

under Store passkeys in

1:22:02

Windows. They said if

1:22:04

you have Windows 10 or up you

1:22:06

can use passkeys. To

1:22:09

store passkeys you must set up

1:22:11

Windows Hello. Windows Hello

1:22:13

does not currently support synchronization

1:22:15

or backup. So passkeys

1:22:17

are only saved to your

1:22:19

computer. If your computer is

1:22:21

lost or the operating system is reinstalled,

1:22:24

you cannot recover your passkeys. Oops.

1:22:28

Or Store passkeys in Mac

1:22:30

OS. You can save passkeys

1:22:32

in your Chrome profile where

1:22:35

they're protected by a Mac

1:22:37

OS keychain. Then under important they

1:22:39

said Chrome cannot save or

1:22:41

use passkeys stored in iCloud

1:22:44

keychain. If your computer is

1:22:46

lost or your Chrome profile is

1:22:48

deleted, you cannot recover your

1:22:50

passkeys. And third,

1:22:53

you can use a security key to

1:22:55

store your passkeys. Important, passkeys

1:22:57

stored on security keys are

1:22:59

not backed up. If you lose

1:23:02

or reset the security key, you

1:23:04

cannot recover your passkeys. What

1:23:07

a wonderful system. This clearly

1:23:09

represents a huge leap

1:23:12

forward. Sigh. Wow.

1:23:15

It's clear that unfortunately what

1:23:17

we have at the moment

1:23:19

is an extremely fragile system.

1:23:23

The problem is the extreme

1:23:25

secrecy surrounding the private

1:23:27

keys which create the

1:23:29

passkeys. It's true that they

1:23:31

do not... I'm sorry.

1:23:34

I'm sorry. It's true that they do need to

1:23:36

be guarded. Unfortunately at the

1:23:38

moment they're being jealously guarded. How

1:23:42

Microsoft could possibly

1:23:44

imagine that it's practical

1:23:46

to have all of a user's

1:23:48

passkeys locked up in a

1:23:51

single machine unable to

1:23:53

synchronize with any of a

1:23:55

user's other devices is beyond

1:23:57

me. But we're

1:23:59

ready to entertain the second part of Dave's

1:24:02

question where he asked, can the

1:24:04

passkeys be paired across two user

1:24:06

accounts, thereby ensuring recovery in case of

1:24:08

loss with only three keys? He

1:24:11

says, my mental model said it made sense, but I

1:24:13

do not know for sure. Can

1:24:15

the same key be applied to two different

1:24:17

people to assure full backup protection? Can all

1:24:20

three keys be coded into both users? The

1:24:24

answer is that

1:24:26

not one of

1:24:28

those operations Dave

1:24:31

is asking for is

1:24:33

available, not one. And

1:24:36

what's more, I just double

1:24:38

checked. As we learned last

1:24:40

week, Yubico's YubiKeys have the

1:24:42

most ample storage for passkeys

1:24:45

of any hardware

1:24:47

passkey dongle in the

1:24:50

industry. And even it

1:24:53

is limited to a total of only 25.

1:24:57

And they are utterly and absolutely

1:25:00

non-exportable. A

1:25:03

YubaKey is at its heart

1:25:05

an HSM, a hardware security

1:25:07

module. The internal

1:25:09

YubiKey dongle hardware contains

1:25:12

a very high entropy

1:25:14

random number generator that's

1:25:16

used to synthesize a unique private

1:25:18

key. That

1:25:21

private key never leaves the

1:25:23

device. There is no way

1:25:25

to export it. The exportation

1:25:27

does not exist. There's

1:25:31

no way to put a passkey

1:25:33

in and no way to take a passkey

1:25:35

out. This would not be

1:25:37

a problem if sites were to allow multiple

1:25:39

passkeys to be registered

1:25:41

for a single account. And

1:25:44

there's no reason that would not be possible,

1:25:47

but how many sites today

1:25:49

support the use and management

1:25:51

of multiple passwords for a

1:25:54

single account? I've

1:25:56

never seen one. So it's

1:25:58

unclear why support for

1:26:00

multiple passkeys would ever

1:26:03

be created even though nothing

1:26:05

prevents it. With

1:26:07

YubiKeys having a 25-passkey

1:26:09

limit, other than

1:26:12

for experimentation, they seem

1:26:14

most practical for higher-end

1:26:17

enterprise-grade security applications and

1:26:20

perhaps for eventually signing into

1:26:22

only a few of the

1:26:25

most secure sites where the

1:26:27

inconvenience of having an absolute

1:26:29

hardware lock is warranted by

1:26:32

its ultimate level of hardware-level

1:26:34

security. And as we noted

1:26:36

last week, a YubiKey might be used

1:26:38

to unlock a password manager, which is

1:26:41

where we would all have

1:26:43

to conclude all of a

1:26:45

user's passkeys should probably be stored.

1:26:48

The only sane conclusion we can

1:26:50

draw is

1:26:53

that while this is all

1:26:55

very interesting, none of this is

1:26:57

yet ready for prime time. Poke

1:27:00

at it, experiment with

1:27:02

it, but wait until

1:27:04

Bitwarden's passkey-supporting

1:27:06

mobile clients emerge from

1:27:08

their current beta testing

1:27:10

state, at which point

1:27:12

it will be practical

1:27:14

to start depending upon

1:27:16

passkeys because they

1:27:18

will be in a

1:27:20

single sane multi-platform client.

1:27:23

And Bitwarden, which is, we should say, a

1:27:26

sponsor of the Twit network, will

1:27:28

likely be offering backup

1:27:31

and support and

1:27:34

exportation of those once

1:27:36

the security protocol for doing

1:27:38

that, which is reportedly underway

1:27:41

within the FIDO group, is

1:27:44

concluded. So Bitwarden

1:27:47

will then generate and

1:27:49

hold our passkeys even when

1:27:51

other passkey clients on iOS or

1:27:54

Android might be trying to. And then

1:27:56

of course, as we said last week,

1:27:58

the challenge is... making sure

1:28:01

that your chosen

1:28:04

passkey authenticator is universally used

1:28:06

even in an environment where

1:28:08

multiple authenticators are all vying

1:28:11

for attention. I

1:28:14

have to say, the reasonable

1:28:17

things that people would want to

1:28:19

do are not available.

1:28:22

They cannot be done. Wow. Yeah.

1:28:26

Yeah. I

1:28:29

saw there was a Hacker News story about,

1:28:31

somebody wrote about why it's 100 times harder

1:28:34

to implement passkeys on your website than you might

1:28:36

imagine. I think this is going to be,

1:28:38

I feel like people

1:28:41

are going to throw up their hands and say, okay,

1:28:43

fine, never mind. And

1:28:45

that's depressing. Right. Right.

1:28:48

And as we said last week, if it doesn't

1:28:50

achieve critical mass, then it'll just

1:28:53

be, exactly as one

1:28:55

of our listeners said, or no,

1:28:57

no, it was the

1:28:59

guy who did the Rust

1:29:01

WebAuthn client. He said, I

1:29:04

feel that this will, you know, it'll

1:29:06

be like ad blockers. A small percentage

1:29:08

of people take the trouble to do

1:29:10

it, but it's sort of a niche

1:29:12

and it never really becomes a problem

1:29:14

for ad companies. And in this

1:29:16

case, it just never takes hold.

1:29:20

So speaking of- It is a mess. It is

1:29:22

a mess. And it's not getting any better.

1:29:24

Rust did not solve it. We've been

1:29:26

trying, I mean, I remember when Microsoft tried the

1:29:28

single sign-on thing 20 years

1:29:30

ago. We've been trying to solve it. And

1:29:32

they had something called Passport. That's what I was talking about.

1:29:35

Passport, exactly. It was a single sign-on. And

1:29:37

it didn't get adopted and that's that. And-

1:29:41

Yep. Oh, well. Oh,

1:29:43

well. So one last

1:29:45

piece of feedback from Will you stop? Before you

1:29:47

do that, can I ask you a question? Yeah.

1:29:49

About assembly language. Yeah. I was talking

1:29:51

the other day about how one debugs

1:29:53

in a higher level language. You'll write a print

1:29:56

statement, for instance, and it'll tell you

1:29:58

all your stuff. You must have some- macros you've

1:30:00

written over the years to help you debug

1:30:02

assembly or do you? No.

1:30:07

I knew it. You

1:30:11

just write it right the first time. Well,

1:30:14

so for not for debugging,

1:30:16

but for example, one

1:30:20

of the reasons it would be

1:30:22

difficult for me to share my assembler

1:30:24

is that I have built up a

1:30:27

macro archive of things I do.

1:30:30

For example, I use a macro

1:30:32

called zero and

1:30:34

it takes a

1:30:37

register name. Well,

1:30:39

it simply expands to XOR register comma

1:30:41

register. Right, to zero it out. Because

1:30:44

you know when you XOR something, exactly,

1:30:46

when you XOR something with a self

1:30:48

you get zeros and it's very fast

1:30:51

because it doesn't depend upon a memory

1:30:53

fetch or the previous data

1:30:56

or the previous contents of the

1:30:58

register. The

1:31:00

point is if I wrote XOR

1:31:03

something comma something, I would

1:31:06

have to look at it and say

1:31:08

okay XOR and then look at what

1:31:10

am I doing and then realize oh,

1:31:13

I'm wanting to zero that. Well, it's much

1:31:15

better if I just say zero and then

1:31:17

the thing. Anyway,

1:31:21

and you cannot do that for

1:31:24

variables. That is, the

1:31:26

Intel architecture will not allow you

1:31:28

to XOR memory

1:31:30

with another memory. You can only

1:31:33

XOR register with a register or register

1:31:35

with memory, but not memory with memory.

1:31:38

I have a variable, I use the

1:31:40

macro reset which moves

1:31:43

a zero into it. But you don't

1:31:45

have any macros for kind of displaying

1:31:47

the contents of the stack purely

1:31:50

for debugging. You don't have anything like that. You just

1:31:52

look at the code and figure out what's going on.

1:31:55

Oh, no, no. So, I definitely have a

1:31:57

debugger. Oh, God. Oh, yeah, yeah.

1:32:00

Yeah, yeah. So... MASM comes with

1:32:02

a debugger, right? Or no? So,

1:32:04

MASM doesn't, but there were back in

1:32:06

the day a bunch of third party

1:32:08

debuggers. I use something called Periscope, which

1:32:11

was written by a guy named Brett Salter

1:32:13

years ago. I don't remember that yet. He

1:32:15

passed away a few years ago. There was

1:32:17

also something called SoftICE, which

1:32:20

was an ICE. ICE stands for

1:32:22

in-circuit emulator. And in

1:32:25

the really old days, you would

1:32:27

pull the processor off the motherboard

1:32:29

and plug in this paddle that

1:32:32

then had a cable running through a

1:32:34

bunch of things that emulated the processor

1:32:36

that allowed you essentially to get inside

1:32:39

the processor. Wow. That's

1:32:41

wild. So that was called an ice,

1:32:43

an in-circuit emulator. And so SoftICE was

1:32:45

essentially using protected mode to

1:32:47

do all the same sorts of

1:32:49

things. So there have absolutely always

1:32:51

been debuggers. And one of the,

1:32:54

one of the banes of

1:32:56

developing for Spinrite was that

1:32:58

I'm, you know,

1:33:00

DOS and 16 bits. And

1:33:04

it was very difficult to create

1:33:06

an environment where I was

1:33:08

able to have networking in order for

1:33:11

my code to get down into the

1:33:13

target machine and debugging at the same

1:33:15

time. So one of

1:33:17

the things I'm really looking forward to as I move

1:33:20

to my own environment is,

1:33:23

for example, this RTOS32

1:33:25

that will be the home for

1:33:28

Spinrite 7, it works

1:33:30

with Visual Studio transparently. So

1:33:33

I get to just live in

1:33:35

a really nice GUI IDE and

1:33:37

do all of my debugging. And

1:33:40

what's really cool, Leo, I bought so

1:33:42

many motherboards and so many random hard

1:33:44

drives through eBay when our

1:33:47

testers were reporting that on my

1:33:49

Gimcrack 27Z, it does such and

1:33:53

such. And I was like, oh

1:33:55

my God. So I'd have to go look, I'd go

1:33:57

to eBay, search for Gimcrack 27Z, and

1:34:04

I would buy one and so my amazing

1:34:07

wife put up with having motherboards everywhere.

1:34:09

Oh, for the dining room table, I'm

1:34:11

sure. So what's very

1:34:13

cool about RTOS32 is

1:34:16

it allows internet, trans-internet

1:34:18

debugging. Oh, nice. So

1:34:21

if something is happening

1:34:23

on that guy's Gimcrack 27Z,

1:34:26

I'll be able to actually have him

1:34:28

contact me and debug it on

1:34:31

his machine. Oh, that's really cool.

1:34:34

Wow. Yeah. Very

1:34:36

neat. Oh, okay. So you have some pretty

1:34:38

good tools, it sounds like. Oh, yeah. And in

1:34:40

fact, one of the

1:34:43

things that I've learned is invest

1:34:45

in your tooling infrastructure before

1:34:47

you do anything. It

1:34:49

is so nice to have a

1:34:52

convenient debugging environment. Absolutely.

1:34:56

On we go. I'm sorry, I didn't mean to

1:34:58

interrupt. I was just curious. I was debugging the other night

1:35:00

and I was thinking, I wonder how Steve does this. Now

1:35:02

I know. Yeah, you absolutely have to

1:35:05

have a good debugger. It allows you

1:35:07

to see the stack and the contents of the

1:35:09

registers and what's in

1:35:11

memory and what your local

1:35:13

variables are. All of that is

1:35:15

made really very nice with Visual

1:35:18

Studio. Nice. Okay.

1:35:20

Willie Scott. He says, okay,

1:35:23

he has some feedback and advice

1:35:26

about the operation of the iCloud

1:35:28

Keychain and I bet you

1:35:31

he knows what's going on or at least

1:35:33

gave us enough of a clue. He said,

1:35:35

hi, Steve. In regards

1:35:37

to your discussion of pass keys

1:35:40

on last week's show, the part

1:35:42

about the author's partner losing her

1:35:45

iCloud Keychain passwords intrigued

1:35:48

me. After the

1:35:50

last pass hack, I decided to

1:35:53

switch to using iCloud Keychain for

1:35:55

my passwords because I'm in the

1:35:57

Apple ecosystem and wanted to start

1:35:59

using passkeys instead

1:36:01

of passwords wherever possible. I'm

1:36:04

writing to mention that I

1:36:06

too have had

1:36:08

passwords and two-factor authentication

1:36:10

codes wiped from my

1:36:13

iCloud keychain. Although

1:36:18

my keychain has never been

1:36:20

fully wiped like the poor

1:36:22

partner's keychain was. As

1:36:24

near as I can tell, I believe I

1:36:26

know the culprit of why it may

1:36:29

be wiping credentials from iCloud keychain and

1:36:31

wanted to pass this along to anyone

1:36:33

who might still be using iCloud keychain

1:36:35

to store their passwords or

1:36:37

who knows somebody who may. When

1:36:41

I started changing all my passwords and

1:36:43

adding accounts into iCloud keychain, I

1:36:46

noticed that an old

1:36:48

Amazon password that I don't

1:36:50

use anymore was already stored

1:36:52

in there, probably

1:36:55

from when the Amazon app asked, Do

1:36:57

you want me to remember your password?

1:37:00

It was an old password that I don't use

1:37:02

anymore so I deleted it. However,

1:37:04

a couple of days later, I noticed

1:37:07

that even though I deleted that

1:37:09

password, or so I thought, it

1:37:12

had somehow reappeared in

1:37:14

my iCloud keychain. Not

1:37:16

only that, but I also noticed that

1:37:19

one or two accounts that I had

1:37:21

recently added to the keychain were missing

1:37:24

and this process repeated itself a

1:37:26

few more times. So

1:37:29

that's when I started investigating. While

1:37:31

digging through the settings, I

1:37:33

went through my Apple ID account

1:37:35

settings and that's when I realized

1:37:38

that my old iPhone

1:37:41

6S Plus, which

1:37:44

was running an old version of

1:37:46

iOS, iOS 14

1:37:48

to be exact, was still

1:37:50

signed into my iCloud account

1:37:53

and had iCloud keychain turned

1:37:55

on. I

1:37:57

removed that old iPhone from my iCloud

1:38:00

account and ever since I

1:38:02

did that no passwords

1:38:04

have been wiped. If

1:38:07

you are in an Apple ecosystem it

1:38:09

is always a good idea to keep

1:38:11

your devices up to date but it

1:38:13

might also be a good idea to

1:38:15

do some spring cleaning and remove old

1:38:17

Apple devices from your iCloud that you

1:38:19

don't use anymore. Having

1:38:22

said all that I sadly was

1:38:24

agreeing with a lot of the points

1:38:26

you were making about Passkeys

1:38:29

and I think I've decided

1:38:31

that I will probably switch over

1:38:33

to Bitwarden once Passkeys become officially

1:38:36

supported in Bitwarden using

1:38:38

and he says https://bitwarden.com. Thank

1:38:42

you. Of course. Yes

1:38:44

sir. Special sponsor link. Which

1:38:47

I think we are about to talk about. Yes we are actually.

1:38:50

Thank you for a great show. I look

1:38:52

forward to it each week. I'm also a

1:38:54

proud SpinRite owner and can't wait to start

1:38:56

using 6.1 on my SSDs and a troubled

1:38:58

hard drive. So this

1:39:02

mysterious iCloud credential

1:39:04

removal has all

1:39:07

the feel of

1:39:09

something Apple would be

1:39:11

deliberately doing out of

1:39:13

their typical abundance of

1:39:15

caution. I'll bet there's

1:39:18

a security model behind it. For

1:39:21

example while an older

1:39:23

iPhone is also

1:39:25

signed into an account's

1:39:28

iCloud Keychain, Apple might

1:39:30

be deliberately limiting what

1:39:32

they're willing to save

1:39:34

into that shared keychain

1:39:36

while an older and

1:39:39

presumably lower security device

1:39:41

also shares access. In

1:39:43

other words it's a feature not

1:39:46

a bug. I

1:39:50

guess it could be that. I

1:39:52

don't like that kind of unexplained behavior

1:39:54

however. It sounds like

1:39:57

Apple though to say oh we're

1:39:59

not going to let you hurt yourself, you

1:40:01

know, we're gonna delete your, you know,

1:40:05

the keys you've just saved because

1:40:07

otherwise one of your insecure devices

1:40:09

might get them. Ay yay yay.

1:40:12

Yeah, I'll make sure that you always should

1:40:14

remove old devices. That's maybe why I've never

1:40:16

run into this. I always remove the old

1:40:18

devices. So hmm. Yep.

1:40:21

Very interesting. I do happen to

1:40:23

have an iPhone 6 right here.

1:40:25

Wow, look at that. That doesn't

1:40:28

work anymore. Look at that

1:40:30

home button and think fondly on it

1:40:32

because Apple has, as of today, discontinued

1:40:34

all the devices that had

1:40:36

home buttons. The last one

1:40:38

you could buy was the iPad base model

1:40:41

and that's now been superseded. So the

1:40:43

home button is officially a thing of

1:40:45

the past, as is the

1:40:48

headphone jack, I think. I

1:40:50

think with it all, facial recognition?

1:40:52

Yeah. It's all Face

1:40:54

ID now. Yep, makes sense.

1:40:58

Let's talk about Bitwarden, and then I

1:41:00

want to talk about your subject matter for

1:41:02

the day. Indeed. What's

1:41:05

going on with Google in the UK? What

1:41:07

is happening here? Why are

1:41:09

they putting off the third party cookie?

1:41:12

Not so fast. What's the deal, man?

1:41:15

This portion of the show brought to you by Bitwarden.

1:41:17

The password manager I use, the password manager

1:41:19

Steve uses, and pretty much everybody I know

1:41:21

uses. We were talking Mac Break Weekly. There's

1:41:24

something that happens in the geek community where we, without

1:41:27

coordinating with one another,

1:41:29

converge on the best solution.

1:41:32

Nilay Patel, the laser printer that

1:41:35

everybody uses but nobody mentions, the

1:41:38

screen cleaner we all use but nobody mentions.

1:41:41

I would say Bitwarden has

1:41:43

become like that. The password manager

1:41:45

of choice for anybody who's

1:41:47

really paying attention. Now,

1:41:49

there's a good reason for this. It's open

1:41:51

source. It's

1:41:53

feature rich. It is

1:41:56

great for home, great for office. They have

1:41:58

a Teams and an Enterprise account.

1:42:02

They support YubiKeys and now good

1:42:04

news they just announced they officially support

1:42:07

passkeys. They've supported it for a while but now

1:42:09

they support on the browser extensions and

1:42:11

mobile devices. So it's a really

1:42:13

good solution if you're saying I don't want

1:42:15

to have my passkeys tied to a physical

1:42:17

device use Bitwarden for your

1:42:19

passkeys. I've been doing this for a while and now

1:42:22

everywhere you go on Android

1:42:25

iOS Mac Windows Linux you've got

1:42:27

your passkeys. Passkeys

1:42:29

on mobile are available on iOS open beta

1:42:31

going on right now on Android. We'll talk

1:42:33

more about it as time goes

1:42:35

by. But that's

1:42:38

what happens when you have an open

1:42:40

source product. It's how Argon 2 got

1:42:42

in there as a replacement for PBKDF2

1:42:44

which is you know not memory hard

1:42:46

and has some issues. I

1:42:48

use Argon 2 now and that's because one of our

1:42:50

listeners Quax and wrote an Argon

1:42:52

2 implementation submitted it

1:42:55

to Bitwarden on their github account. Bitwarden

1:42:58

analyzed it assessed it and said yeah we're

1:43:00

gonna adopt this this is good and

1:43:03

now we all have it. I love that.

1:43:07

I love that and this is

1:43:09

the one more reason why I know you use a password

1:43:11

manager but you know you've got friends and family and you

1:43:13

know they are in that

1:43:15

75% of people who just you

1:43:17

know I use the same password over and over again.

1:43:20

Get them to use Bitwarden and when they say well

1:43:22

I don't want to pay for a password manager tell

1:43:24

them it's free forever. Open source

1:43:27

free for personal use unlimited

1:43:30

passwords, YubiKey, passkeys, everything.

1:43:34

World Password Day we didn't really mark it but

1:43:36

it was May 2nd, five days ago. For

1:43:39

in honor of World Password Day

1:43:41

Bitwarden surveyed 2,400 individuals from the

1:43:43

US, UK, Australia, France, Germany, and

1:43:45

Japan. Just to learn a little

1:43:47

bit about current password practices we're talking about that a little

1:43:50

bit earlier. 31% of US respondents

1:43:53

almost a third reuse passwords across

1:43:56

sites. They're lying it's probably

1:43:58

more like 50 to 60. 60

1:44:00

to 70 percent, but okay. 31

1:44:03

percent admit to it. That's maybe the better way to put

1:44:05

it. Now, to get this, 42 percent

1:44:08

incorporate personal information. They're

1:44:11

using their middle name and their birth date,

1:44:13

their dog's name, their mother's maiden name, that

1:44:15

kind of thing, which really raises concerns about

1:44:17

the password, strength, and security. It'd

1:44:19

be one thing if you reused a completely random password,

1:44:22

but they're not doing that. 58

1:44:25

percent of respondents continue to use

1:44:27

memory. Get

1:44:29

your password manager. I get it all

1:44:32

up here. Good luck with

1:44:34

that. And 34 percent continue to use pen

1:44:36

and paper for password management.

1:44:39

Now, that wouldn't be so bad at home, but we're talking

1:44:41

about work. They've

1:44:43

got something in their desk drawer, probably more likely

1:44:46

a post-it note under the blotter with

1:44:49

all the passwords there. Nearly a quarter

1:44:51

of respondents view their workplace security habits

1:44:53

as risky. They even know it. 45

1:44:57

percent storing passwords

1:44:59

insecurely. 44

1:45:01

percent using weak credentials. I

1:45:05

love it, Bitwarden kind of understates this. They say

1:45:07

these findings suggest areas for

1:45:09

improvement in organizational

1:45:13

cybersecurity practices. You

1:45:15

need Bitwarden. Let's face it. They

1:45:18

empower enterprises, developers, individuals to store

1:45:20

and share sensitive data, not just

1:45:22

passwords, all sensitive data safely. It's

1:45:25

transparent because it's open source. It's

1:45:27

the right way to do it. You can even

1:45:29

self-host. If you say, oh, I don't want to

1:45:31

give anybody my passwords, fine, run your own server.

1:45:33

But I honestly think I don't run my

1:45:35

own server. Bitwarden is going to do a

1:45:38

better job securing it than I ever am. And with all that

1:45:40

encryption and Argon 2 password hardening

1:45:42

and all of that, I'm

1:45:44

not worried. I think my passwords are as safe

1:45:46

as it could possibly be. A lot safer

1:45:48

than they'd be up here in the

1:45:50

brain. Bitwarden makes it easy for

1:45:53

you and all its users to extend robust

1:45:55

security practices to all of your online experiences.

1:45:57

And if you are an employer, you should

1:45:59

be listening because people

1:46:01

are doing bad things down the hall at

1:46:04

your job. Get going.

1:46:06

Get started with Bitwarden's free trial of

1:46:08

a team or enterprise plan or

1:46:11

of course as an individual get started

1:46:13

for free across all devices at bitwarden.com/twit.

1:46:17

You can see he used

1:46:19

the right address bitwarden.com slash

1:46:22

twit. This is almost a public service

1:46:24

announcement. I mean it's an ad but

1:46:26

really start using

1:46:28

it folks and get your friends and family to

1:46:31

do the same. Bitwarden.

1:46:34

Okay, Steve. I think

1:46:37

that it's the second

1:46:40

order effect for our listeners. I

1:46:42

can't imagine we have a single listener. I

1:46:44

mean I know not everyone

1:46:46

is using Bitwarden, right? I'm

1:46:48

sure every single person is

1:46:51

using something. I hope so. I

1:46:54

can't conceive of it today. So tell

1:46:56

your friends, family, your boss, your

1:46:58

employees. Today's

1:47:00

podcast is titled Not So Fast

1:47:03

because that's the absolutely best way to

1:47:06

characterize what's going on in the United

1:47:08

Kingdom with Google. As we

1:47:10

know during our podcast two weeks ago,

1:47:12

Leo dropped the news that

1:47:14

Google's third-party cookie deprecation would

1:47:17

not be happening as had

1:47:19

been long planned for this

1:47:21

summer. And of course

1:47:23

I was getting all excited about that

1:47:25

because I've been on this third-party cookie

1:47:27

thing for a long time. I think

1:47:29

it was in 2008 I

1:47:33

created that whole cookie forensics

1:47:35

facility. GRC understands

1:47:40

which types of assets carry cookies and

1:47:42

which ones are first party and third

1:47:44

party and everything. And there were back

1:47:46

then browsers were not handling cookies correctly.

1:47:48

When you turn them off sometimes they

1:47:51

didn't get turned off or turning

1:47:54

them off would keep new ones from

1:47:56

being stored but would not cause old

1:47:58

ones to start getting blocked. and there

1:48:00

was just all kinds of screwy things that were going on.

1:48:02

So, you know, this has been a hobby

1:48:05

horse of mine for decades. So

1:48:11

it is the case that the

1:48:14

abandonment and deliberate blocking of all

1:48:16

third-party cookies and other web tracking

1:48:18

hacks represents such a dramatic

1:48:21

sea change for the web

1:48:23

that, I get it, many

1:48:26

understandably skeptical observers doubt it

1:48:28

can or ever will actually

1:48:30

come to pass. And

1:48:32

you know, we've been abused for so long,

1:48:35

it's difficult to imagine that could ever end.

1:48:37

So, self-confessed technology

1:48:40

fanboy that I am,

1:48:42

I wanted to determine what was

1:48:45

going on. Were some

1:48:47

stuffed-shirt bureaucrats somewhere going to screw

1:48:49

this all up? When

1:48:52

I went to take a look at that

1:48:54

for last week's podcast, I quickly became lost

1:48:56

in a paper shuffle. I decided

1:48:58

that whatever was going on was worthy

1:49:00

of understanding since I consider this single

1:49:03

forthcoming change that, you

1:49:06

know, the largest browser maker

1:49:08

in the world by far wants

1:49:11

to make to be

1:49:13

one of the most important things that's going

1:49:15

on today. And the question

1:49:17

about, you know, are we going to

1:49:19

keep our conversations encrypted in

1:49:21

messaging apps which the EU seems

1:49:24

determined to say no to? As

1:49:27

I previously said, this represents a

1:49:29

complete, what Google is doing

1:49:31

represents a complete reconceptualization of

1:49:33

the way the Internet will

1:49:36

finance itself going forward. And

1:49:39

we could have it soon. So

1:49:42

the news that Leo had picked up on

1:49:44

came in the form of an announcement that

1:49:47

left actually more questions

1:49:49

than it answered on the 23rd of

1:49:51

last month, which was, you know, Tuesday

1:49:53

before last, on their

1:49:56

privacysandbox.com site. Google

1:49:58

posted under the headline, Update on

1:50:01

the plan for phase out

1:50:03

of third party cookies on

1:50:05

Chrome. That's very clear.

1:50:07

Their brief introduction said

1:50:09

the UK's Competition

1:50:12

and Markets Authority, known

1:50:14

as the CMA, and I'll be using

1:50:16

that acronym a lot here, or

1:50:18

abbreviation, and

1:50:21

Google publish quarterly reports

1:50:23

to update the ecosystem on

1:50:25

the latest status of privacy

1:50:27

sandbox for the web. As

1:50:29

part of Google's first quarter

1:50:31

2024 report, we

1:50:33

will include the following update

1:50:35

that is in the report,

1:50:38

about the timeline for phasing out

1:50:40

third party cookies in Chrome, in

1:50:43

the April 26th report. Okay,

1:50:45

so the update is very short. It

1:50:47

simply reads: We're providing

1:50:50

an update on the plan for

1:50:52

third party cookie deprecation on Chrome.

1:50:55

They said, we recognize that

1:50:57

there are ongoing challenges related

1:51:00

to reconciling divergent feedback

1:51:02

from the industry, regulators and

1:51:04

developers, and will continue to

1:51:07

engage closely with the entire

1:51:09

ecosystem. It's also critical that

1:51:12

the CMA has

1:51:14

sufficient time to review all

1:51:17

the evidence, including results from

1:51:19

industry tests which the

1:51:22

CMA has asked market participants

1:51:24

to provide by the end of

1:51:26

June. Okay, now that

1:51:28

means essentially June is when

1:51:30

third party cookies were supposed to be ending,

1:51:33

but, they are, things

1:51:35

are taking longer than expected.

1:51:37

Given both of these

1:51:40

significant considerations we will

1:51:42

not complete third

1:51:44

party cookie deprecation

1:51:47

during the second

1:51:49

half of Q4. We

1:51:52

remain committed to engaging closely

1:51:55

with the CMA and

1:51:57

ICO, and we hope

1:51:59

to conclude that process this year,

1:52:01

assuming we can reach an

1:52:03

agreement. We envision proceeding with third

1:52:05

party cookie deprecation starting early next

1:52:08

year. So early

1:52:10

2025. They concluded

1:52:12

by noting, once published, you'll be

1:52:15

able to view both Google and

1:52:17

the CMA's full report. Those reports

1:52:19

were published three days later, on

1:52:22

April 26th. So this was on

1:52:24

the 23rd. They said this, surprising

1:52:27

the industry. Three days later,

1:52:29

on the 26th, we got the whole story. So

1:52:32

the entire issue is best

1:52:35

described by the following statement.

1:52:38

On January seventh,

1:52:40

2021.

1:52:42

Okay, so, a little

1:52:45

over three years ago, on

1:52:47

January 7th, 2021,

1:52:49

the CMA commenced

1:52:51

an investigation under Section 25

1:52:54

of the Act, so

1:52:56

it's all UK, you know,

1:52:58

the equivalent of

1:53:03

legislation to prevent

1:53:05

monopoly misbehavior, you know, antitrust

1:53:07

like we have here in the US.

1:53:11

In relation to Google's

1:53:13

privacy sandbox proposals, the

1:53:15

CMA subsequently

1:53:17

informed Google that the

1:53:19

CMA was concerned

1:53:21

that Google's proposals, if

1:53:23

implemented without regulatory scrutiny

1:53:25

and oversight, would be

1:53:27

likely to amount to

1:53:29

an abuse of a

1:53:31

dominant position. So

1:53:33

basically, a little over

1:53:36

three years ago, Google says we're going

1:53:38

to change the way the internet is

1:53:40

financed. And among

1:53:42

those things, we're going to kill

1:53:45

off third party cookies. There's no

1:53:47

question that people in the UK

1:53:49

whose income and livelihoods

1:53:51

depend upon tracking, like, you know,

1:53:53

the data

1:53:55

resellers, they said

1:53:57

whoa, whoa, whoa, whoa. We don't want

1:54:00

third party cookies to go away.

1:54:02

We like third party cookies. So

1:54:04

UK bureaucrats, please

1:54:07

tell Google no. Please tell

1:54:09

Google we need those cookies. Okay,

1:54:12

so, I

1:54:14

don't know that for a fact. It's

1:54:16

unclear and is frankly not really important

1:54:18

to know the genesis of the inquiry, but

1:54:21

it's probably something like that since we're

1:54:23

talking about the elimination of all third

1:54:25

party cookies and the curtailment of what

1:54:27

had become the widespread practice of tracking

1:54:29

internet users around the web as a

1:54:32

means of determining their interests. It

1:54:34

may well have been the advertising

1:54:36

technology companies based in the UK

1:54:39

which were crying foul behind the scenes.

1:54:41

And see what is more suited?

1:54:43

Really? Yes. Yes! Yes. What

1:54:46

ensued was about what

1:54:48

you'd expect from any

1:54:50

healthy and well established

1:54:52

bureaucracy as old and

1:54:54

wise as the

1:54:56

United Kingdom. Experts were,

1:55:00

experts, I mean, even

1:55:02

the name United Kingdom sort of suggests

1:55:04

so. What

1:55:09

exactly is this? Experts

1:55:12

were found, neutral

1:55:14

third party monitors were

1:55:16

enlisted, and Google created

1:55:18

a document describing the, and

1:55:20

boy, are you going to hear

1:55:22

this word, the Commitments, it

1:55:25

was prepared to make, with

1:55:27

a capital C. Sounds

1:55:30

religious, almost. These are our

1:55:32

commitments. A document titled Investigation

1:55:35

into Google's Privacy Sandbox browser

1:55:37

changes opens with the assertion

1:55:40

that, quote, the

1:55:42

CMA has accepted commitments offered

1:55:45

by Google that address

1:55:47

the CMA's competition

1:55:49

concerns resulting from investigating

1:55:51

Google's proposals to remove

1:55:53

third party cookies and

1:55:56

other functionalities from its

1:55:58

Chrome browser. Period. Which

1:56:00

begs the question, what

1:56:03

exactly are these Commitments

1:56:05

that the CMA

1:56:07

has accepted. I

1:56:09

found the points of concern

1:56:12

in the description of the

1:56:14

roles of the appointed technical

1:56:16

experts that will be supporting

1:56:18

the monitoring agents. The document

1:56:21

states, on the 26th

1:56:23

of September 2022,

1:56:25

the CMA approved

1:56:28

the appointment of S-RM

1:56:30

Intelligence and Risk

1:56:32

Consulting Limited by the Monitoring

1:56:35

Trustee, which is

1:56:37

ING Bank

1:56:39

N.V., as an independent

1:56:41

technical expert to support

1:56:44

the monitoring trustee in

1:56:46

monitoring compliance with the

1:56:48

following provisions of the

1:56:50

binding commitments accepted by

1:56:52

the CMA on

1:56:54

February 11, 2022.

1:56:57

Okay, and the good news

1:56:59

is this list is short:

1:57:01

Google use of data, paragraphs

1:57:04

25 through

1:57:07

27; non-discrimination,

1:57:10

paragraphs 30 and

1:57:12

31; and, with

1:57:14

respect to those provisions,

1:57:16

anti-circumvention, paragraph 33. The

1:57:19

role of the technical expert

1:57:21

is to provide specialized knowledge

1:57:23

to support the monitoring trustee,

1:57:25

particularly in relation to monitoring

1:57:28

data flows and understanding the

1:57:30

possible impacts of the privacy

1:57:32

sandbox changes on ad tech

1:57:35

markets. Okay, so we

1:57:37

have ING

1:57:39

Bank serving as the neutral

1:57:41

monitor, and this monitor has

1:57:44

appointed another firm

1:57:46

with the required technical expertise,

1:57:48

and everything is focused upon

1:57:51

a small handful

1:57:53

of paragraphs somewhere. I

1:57:56

found out where they are:

1:57:58

in Appendix 1A of

1:58:00

the latest version of

1:58:03

Google's final commitments document. The

1:58:05

first set of paragraphs, 25

1:58:07

to 27, basically

1:58:10

amount to Google promising not

1:58:12

to use any personal data

1:58:15

from a user's past Chrome

1:58:17

browsing history, a

1:58:20

customer's Google Analytics account, or

1:58:22

to in any way track

1:58:24

users. So

1:58:27

that's all pretty much what

1:58:29

Google has explained to be

1:58:31

its intentions and goals. So

1:58:33

it appears that the CMA

1:58:36

just wanted that very clearly and

1:58:38

simply spelled out. The

1:58:40

non-discrimination, that's paragraphs 30

1:58:43

and 31, states that

1:58:45

Google promises to

1:58:47

create a totally level playing

1:58:50

field. Having examined, explored

1:58:52

and shared on this podcast

1:58:54

the operation of Google's cookie

1:58:56

replacement technologies as they've evolved

1:58:59

through the years,

1:59:01

it was

1:59:03

always clear to me and

1:59:05

those who understood this that

1:59:08

this was inherently level. The

1:59:10

playing field was. That is,

1:59:12

Google was

1:59:14

getting a very prescribed amount

1:59:16

of information that everybody

1:59:19

equally had, everybody had

1:59:21

equal access to it. It's

1:59:24

implicit throughout Google's design.

1:59:27

Though I have to

1:59:29

agree that Google's design

1:59:31

has grown to be much better

1:59:33

thanks to all of the feedback and

1:59:36

criticism the various pieces have received

1:59:38

through the years. So yes, it's

1:59:40

a good thing we did not

1:59:42

get stuck with Google's first idea.

1:59:44

What we've got is something far

1:59:46

better than what we would have

1:59:48

had if, you know, if

1:59:50

there was sufficient scrutiny done,

1:59:52

and there was. So, I

1:59:57

didn't understand how bureaucrats who

1:59:59

will never understand how

2:00:01

Google's Topics API

2:00:03

functions need a simple, okay,

2:00:05

but, but, but, what does

2:00:08

it mean, spelled out in

2:00:10

English. Since this is crucial to the

2:00:12

acceptance of Google's technology, and they're just

2:00:14

two paragraphs, so let me

2:00:16

share them. Paragraph

2:00:18

30 says: Google will design,

2:00:21

develop and implement the privacy

2:00:23

sandbox proposals in a manner

2:00:25

that is consistent with the

2:00:27

purpose of the commitments and

2:00:30

take account of the development

2:00:32

and implementation criteria. Google will

2:00:34

ensure that it does not distort

2:00:36

competition by discriminating against rivals

2:00:38

in favor of Google's advertising

2:00:41

products and services. In particular,

2:00:43

Google will not, (a), we

2:00:45

have three things, design

2:00:48

and develop the privacy sandbox

2:00:50

proposals in ways that will

2:00:52

distort competition by self-preferencing

2:00:54

Google's advertising products and

2:00:56

services; also will not

2:00:59

implement the privacy sandbox in

2:01:01

ways that will distort competition

2:01:03

by self-preferencing Google's advertising

2:01:06

products and services; and finally,

2:01:08

also will not use competitively

2:01:10

sensitive information provided by an

2:01:13

ad tech provider or publisher

2:01:15

to Chrome for a purpose

2:01:17

other than that for which

2:01:20

it was provided. Then,

2:01:22

for the avoidance

2:01:24

of doubt, privacy sandbox proposals

2:01:27

that deprecate Chrome functionality

2:01:29

will remove such functionality for

2:01:31

Google's own advertising products and

2:01:33

services, as well as for

2:01:36

those of other market participants.

2:01:39

That was paragraph 30, and, just,

2:01:41

I mean, that's exactly what Google

2:01:43

has said they're going to do.

2:01:46

But essentially, what has

2:01:48

happened is a legally

2:01:51

binding contract has been

2:01:53

created with Google. That's

2:01:55

what these commitments are, which Google

2:01:57

is saying they're going to honor.

2:02:00

And paragraph 31 just says

2:02:02

Google will not change its

2:02:04

policies for customers of Google

2:02:07

Ad Manager, Campaign Manager

2:02:09

360, Display & Video

2:02:12

360, or Search Ads

2:02:14

360 to introduce new provisions

2:02:16

restricting our customers' use of

2:02:19

non-Google technologies post

2:02:21

the removal of third party

2:02:23

cookies unless exceptional circumstances,

2:02:27

such circumstances to be discussed with

2:02:29

the CMA, or as required by law.

2:02:33

For the duration of

2:02:35

the commitments, Google will inform the

2:02:37

CMA ahead of

2:02:39

any such change to these policies. And

2:02:44

this leaves us with the

2:02:46

final anti-circumvention,

2:02:49

paragraph 33, which is just

2:02:51

a blessedly single line, which

2:02:54

reads: Alphabet Inc.,

2:02:56

Google UK Limited, and

2:02:59

Google LLC

2:03:01

will not in any

2:03:03

way, whether by acts

2:03:05

or omissions, directly or

2:03:07

indirectly circumvent any of

2:03:10

the commitments. Now,

2:03:13

that sort of language will be

2:03:15

familiar to any businessman or

2:03:17

anyone who has been involved in

2:03:20

any contractual agreements where attorneys

2:03:22

are engaged. It's boilerplate, right?

2:03:24

And it's important to understand

2:03:26

that both the United Kingdom

2:03:28

government and Google's various corporations

2:03:30

recognize those provisions to be

2:03:33

now contractually and

2:03:35

legally binding. So

2:03:38

it has been upon those

2:03:41

representations, which are enumerated as

2:03:43

Commitments with a capital C,

2:03:45

that the UK then proceeded

2:03:47

to carefully examine Google's proposal.

2:03:49

So now we return to

2:03:51

the timeline for phasing out

2:03:53

third party cookies. That work

2:03:55

appears in a document titled

2:03:57

CMA Q1

2:04:00

2024 Update Report on

2:04:02

Implementation of the Privacy Sandbox Commitments,

2:04:04

dated last month, April 24th,

2:04:06

I mean, April

2:04:08

26th, 2024, as I was

2:04:10

saying. The

2:04:13

document's summary lays

2:04:16

out the entire story, and it's interesting enough

2:04:19

and short enough to share. They

2:04:21

said: This report sets out

2:04:23

the CMA's updated views

2:04:26

on the issues we identified

2:04:28

in our January

2:04:30

2024 report. So January

2:04:32

was the previous report, so

2:04:34

it's basically quarterly, right? So

2:04:36

this is the result of the

2:04:38

Q1, as of the first

2:04:41

quarter. This is from January

2:04:43

2024, where are we

2:04:45

now? We're in April. So

2:04:47

we've had the first quarter go

2:04:49

by. Our analysis is based on the

2:04:51

framework for assessment set out in

2:04:53

the legally binding commitments that Google

2:04:55

made in February 2022

2:04:57

to address competition concerns relating to

2:04:59

its proposals to remove third party

2:05:01

cookies from Chrome. So in other

2:05:03

words, this is a

2:05:05

big deal for the entire internet.

2:05:08

It's a big deal. The January

2:05:10

2024 report set out

2:05:12

our provisional views on the impact

2:05:15

of the privacy sandbox on competition,

2:05:17

publishers and advertisers, and user experience.

2:05:19

We outline Google's response to the

2:05:21

concerns we identified in that report,

2:05:24

the January report, and the steps

2:05:26

it has taken to resolve pending

2:05:28

issues. We've also considered the

2:05:30

feedback received from market participants on

2:05:33

these points. We've included a summary

2:05:35

of this feedback below.

2:05:37

This report also incorporates the preliminary

2:05:40

assessment of the ICO, the

2:05:42

ICO is the Information Commissioner's

2:05:45

Office, on the

2:05:47

privacy and data protection impacts of the

2:05:49

privacy sandbox. Having consulted with the

2:05:51

ICO, we set out our current

2:05:54

views on these concerns for each of

2:05:56

the APIs. Although there are

2:05:58

a number of concerns to work

2:06:00

through, based on the available evidence,

2:06:02

we consider that in the

2:06:04

1st of January 2024

2:06:06

through the 31st of March

2:06:09

2024, the relevant

2:06:11

reporting period, Google has

2:06:13

complied with the commitments.

2:06:16

This means that in our view,

2:06:18

Google has followed the required process

2:06:20

set out in the commitments,

2:06:22

engaging with us and the

2:06:25

ICO to resolve our remaining

2:06:27

concerns ahead of third party cookie

2:06:29

deprecation. However, further progress is needed

2:06:32

by Google to resolve our competition concerns

2:06:34

ahead of deprecation. We will

2:06:36

continue to work with Google to

2:06:38

resolve our concerns between now and

2:06:40

the point at which Google triggers

2:06:43

the standstill period, We will provide

2:06:45

an update on progress in our

2:06:47

next update report. Testing of the

2:06:49

Privacy sandbox tools is also currently

2:06:51

underway. The test results will form

2:06:54

part of a wider evidence base

2:06:56

that we will use to assess

2:06:58

the effectiveness of the privacy sandbox.

2:07:00

The test period runs until the

2:07:02

end of June this year.

2:07:05

And as I said before, because this

2:07:07

is running through June, that's what kept

2:07:10

the cookies from being cut off,

2:07:12

for them, for the beginning

2:07:14

of a deprecation to start off

2:07:16

at the end of June. They

2:07:19

said, given the time

2:07:21

needed to resolve outstanding issues and

2:07:24

take account of testing results. We've

2:07:26

agreed with Google that there should

2:07:28

be a limited delay to third

2:07:30

party cookie deprecation, subject to resolving

2:07:33

our remaining competition concerns. Google is

2:07:35

now aiming to proceed with third

2:07:37

party cookie deprecation starting in

2:07:40

early Twenty Twenty Five. Under the

2:07:42

commitments it is for Google to

2:07:44

decide when the standstill period is

2:07:46

triggered. We encourage market

2:07:49

participants taking part in testing

2:07:51

to submit their results directly

2:07:53

to us by the end

2:07:55

of June deadline. We also

2:07:57

welcome any additional feedback from

2:08:00

stakeholders on the concerns identified in

2:08:02

this report. Our contact details are

2:08:04

included in the report. Okay, so

2:08:06

one last thing, this made

2:08:08

reference to a standstill period

2:08:10

several times, so I tracked

2:08:12

that down in the earlier

2:08:14

Commitments documents. It

2:08:17

appears to be just more

2:08:19

bureaucracy for its own sake.

2:08:21

It says, you know,

2:08:23

Paragraph nineteen: Google will not

2:08:25

implement the removal of third

2:08:27

party cookies before the expiration

2:08:29

of a standstill period of

2:08:31

no less than sixty days

2:08:33

after Google notifies the

2:08:35

CMA of its intention

2:08:37

to implement their removal. Google

2:08:39

may increase the length of

2:08:42

such a standstill period at

2:08:44

any time between

2:08:46

giving such notice and

2:08:48

the period's expiration. At

2:08:50

the CMA's request, Google will increase

2:08:52

the length of the standstill period by

2:08:55

a further sixty days to a total

2:08:57

of one hundred twenty days. Okay,

2:09:01

so what follows

2:09:03

all of that is,

2:09:05

ah, that was the

2:09:07

document's summary. There are ninety

2:09:09

seven pages of interesting,

2:09:12

but ultimately mind

2:09:15

numbing back and

2:09:17

forth detail as every

2:09:19

conceivable facet of this

2:09:22

big change Chrome

2:09:24

will be implementing is

2:09:27

examined under a bureaucratic

2:09:29

microscope. The real concern

2:09:31

is over Google's size

2:09:33

and whether the changes

2:09:35

it is making will disadvantage

2:09:37

smaller ad tech players.

2:09:39

But what becomes clear

2:09:41

after reading at least

2:09:43

some, and that's what I did.

2:09:45

I could not go through ninety seven pages. As

2:09:47

I did my eyes started to cross, and I

2:09:49

could see it

2:09:52

is very clear that the

2:09:54

UK is moving clearly in

2:09:56

Google's direction.

2:10:00

Both parties are truly negotiating

2:10:02

in good faith. That's

2:10:04

one thing that also is

2:10:06

very clear: this is not

2:10:08

the UK stonewalling and

2:10:10

being unreasonable today,

2:10:12

it really is, as

2:10:14

Leo portrayed it,

2:10:16

a bureaucratic walrus

2:10:19

that absolutely, if

2:10:21

you know, doesn't have any idea

2:10:23

what is going on. People are

2:10:26

nipping at

2:10:28

it, saying this is bad, you

2:10:30

can't let Google do this. So

2:10:32

Google is saying this is not

2:10:35

bad, this has to happen. We

2:10:37

want to stop tracking on the

2:10:39

internet. People who make their living

2:10:42

from tracking are saying, but

2:10:44

we like tracking. Yes. Yes,

2:10:47

and so the UK is sort of stuck

2:10:49

in the middle, Google being reasonable, they

2:10:51

are, I mean, I,

2:10:54

there must be like a

2:10:56

division of Google where

2:11:00

they are intoxicated in hot tubs

2:11:02

somewhere just in order to maintain their

2:11:04

sanity. There's no way that the

2:11:06

developers are dealing with any of this

2:11:08

dogs as big as, I mean, ultimately,

2:11:11

that's what it is, but it's, but

2:11:13

the UK needs to be placated

2:11:16

through having this

2:11:18

explained, of what exactly

2:11:20

this is and does. So

2:11:23

that's what's happening. Again,

2:11:26

it's, progress is

2:11:28

being made. In the January report,

2:11:30

for example, there was, and there

2:11:33

are, there was an instance where

2:11:35

the ad tech companies were

2:11:37

trying to claim that because of

2:11:40

their sorta reads they were being

2:11:42

disadvantaged. The expert looked at it

2:11:44

under the watchful eye of the

2:11:47

monitor. And now in the eight

2:11:49

April report, their conclusion

2:11:51

is no, that is

2:11:53

not the case. There

2:11:55

is no disadvantageous, and

2:11:58

that is, disadvantageous

2:12:00

handling based on size of

2:12:02

advertiser, we see no evidence

2:12:05

of that, we understand the

2:12:07

technology, that's not the case.

2:12:09

So, ah, it does

2:12:11

not appear to me that Google's

2:12:13

privacy sandbox technology is in any

2:12:16

trouble at all. The truth is

2:12:18

it. As I said, it represents

2:12:20

a massive change to the way

2:12:23

the internet pays for itself and

2:12:25

is gonna fund itself in the

2:12:27

future. And it's also true that

2:12:30

many companies whose revenue has been

2:12:32

entirely derived from the oh so

2:12:34

slimy practice of tracking users and

2:12:37

aggregating their data without our knowledge

2:12:39

or permission, for the purpose of

2:12:41

selling that data to anybody with a wallet, will

2:12:44

be, their income will

2:12:46

be impacted, and not in a good

2:12:48

way. So having read through the

2:12:50

documents I can understand that the

2:12:52

process is taking place and is

2:12:55

taking a while. In retrospect,

2:12:57

although I would have never expected

2:12:59

this would happen, it is, I mean,

2:13:01

it is at least understandable and

2:13:03

it appears the world will indeed

2:13:06

soon be receiving this

2:13:08

dramatic change in the way internet based

2:13:10

advertising is carried out. It is

2:13:12

clearly far superior to

2:13:14

the status quo, where we would,

2:13:16

we can't keep going on the

2:13:18

way we have been, and

2:13:20

it takes something no less large

2:13:22

than Google to just simply make

2:13:24

it an ultimatum: we

2:13:26

are going to do this. So

2:13:29

I understand they've gotta satisfy the

2:13:31

walruses of the world.

2:13:34

It looks like that process is close

2:13:36

to being done. I hope

2:13:38

so. Of course advertisers don't like

2:13:40

it. That's why we like it.

2:13:44

And I see Google, obviously, we're trying to

2:13:46

balance the interests of both parties, because they

2:13:48

are, they sell ads, they buy

2:13:50

ads. This is their

2:13:52

business, their revenue. But

2:13:55

they also understand that consumers are not happy, and

2:13:57

I think they need to, I'm aware. And

2:13:59

Leo, I'm

2:14:02

impressed by the

2:14:04

minimization

2:14:07

of the information that

2:14:09

Google themselves are willing

2:14:12

to obtain. I mean,

2:14:14

as we've seen, Topics is not

2:14:17

invasive, you have, no

2:14:19

one could be identified from their topics,

2:14:21

they are chosen at random. I mean,

2:14:24

this, the system has incredible checks

2:14:26

and balances built in, which we've talked

2:14:28

about on the podcast, we've explained

2:14:31

it, and I think we'll probably be due

2:14:33

for a real explanation when it actually

2:14:35

goes into effect because, you know, it's

2:14:38

the way the world's going to work.

2:14:40

And I love the

2:14:42

comment about the reason my machine's

2:14:44

fans were spinning up was that my

2:14:47

Chrome browser, or what I was reading,

2:14:49

Chrome web, was busy holding auctions with

2:14:51

all of the world's ad agencies. Well,

2:14:53

that's coming, maybe. Anyway, it was the only

2:14:55

way, the only way to do this

2:14:58

is to make it user side. You

2:15:00

move it to the, to the

2:15:02

user and then the user's browser

2:15:04

chooses what they're gonna see. It's

2:15:06

brilliant. I'm

2:15:10

I'm going to tease next week's

2:15:12

topic. I believe I think next

2:15:14

week's topic will be ZT

2:15:16

DNS, which stands

2:15:18

for Zero Trust DNS.

2:15:21

Last Thursday, Microsoft

2:15:23

published a preview of a

2:15:25

forthcoming security solution they call

2:15:27

Zero Trust DNS. It's been

2:15:29

clear for a long time that

2:15:31

DNS represents, as we

2:15:33

know, both an Achilles' heel

2:15:35

of network security and a

2:15:38

point where it's also very

2:15:40

possible, if you're clever, to

2:15:42

introduce a significant new level

2:15:44

of security. From my

2:15:46

brief scan of the technology

2:15:48

Microsoft has outlined, it appears

2:15:50

that any of our listeners

2:15:52

who may have followed up

2:15:54

on my discovery a few

2:15:57

months back of Adam Networks'

2:15:59

DNS solution, which they call

2:16:01

don't talk to strangers, may

2:16:03

already be enjoying the benefits

2:16:05

of dramatically improved security thanks

2:16:08

to leveraging the power of

2:16:10

DNS. But

2:16:13

I needed more time to dig into what

2:16:15

Microsoft is doing. So for now, for next

2:16:17

week's podcast, I plan to take a deep

2:16:19

look into what Microsoft has announced. Now,

2:16:21

One thing I should say

2:16:23

that immediately stood out was

2:16:25

that Microsoft might be attempting

2:16:27

to use this as a

2:16:29

way of driving Enterprises to

2:16:31

Windows Eleven, because enterprises don't

2:16:34

want Windows Eleven, as we've

2:16:36

heard Paul Thurrott mention many

2:16:38

times, you know. Nobody

2:16:40

really does. And

2:16:42

in Microsoft's diagrams, which I

2:16:44

briefly scanned, they're explicitly labeling

2:16:46

the clients as Windows Eleven

2:16:48

machines. That might be Microsoft,

2:16:50

you know, because Windows

2:16:53

Eleven is what they're all

2:16:55

using. Nobody actually

2:16:57

wants Windows Eleven because Windows

2:16:59

Ten still, because Windows

2:17:01

Ten still commands more than

2:17:03

twice the number of

2:17:05

desktops as Windows Eleven and

2:17:07

a much greater percentage in

2:17:09

the Enterprise. Because most, sure,

2:17:12

new computers come with Windows

2:17:14

Eleven, but old Enterprise

2:17:16

machines have been running for

2:17:18

ten years, and since

2:17:20

a huge installed base of

2:17:22

machines won't even run Windows

2:17:24

Eleven. If what

2:17:26

Microsoft is planning to do

2:17:28

is truly a Windows Eleven

2:17:31

only solution, then the client

2:17:33

agnostic system that the Adam

2:17:36

Networks guys already have working

2:17:38

and well proven seems

2:17:40

like a far more practical one to me. But

2:17:42

in any event by the end of next week's

2:17:45

podcast we'll know exactly what's going

2:17:47

on. And, Leo, it's a good thing that

2:17:49

Microsoft is stepping up here and

2:17:51

looking to improve DNS security, as

2:17:54

we all know it needs it. But

2:17:57

it seems to me there's already a solution.

2:18:00

But not from Microsoft,

2:18:02

and so when the big guy does it,

2:18:04

you know, I remember, Leo, it was fantastic.

2:18:07

Brad Silverberg and Brad Chase came

2:18:09

down from Redmond and took me

2:18:11

out to lunch and

2:18:14

said, Steve, we're

2:18:16

going to be announcing DOS 6

2:18:18

pretty soon, you know, and I said,

2:18:21

huh, and they said, we're a little

2:18:23

self conscious about this. But,

2:18:27

ah, we're adding something called

2:18:29

ScanDisk. Oh. Now,

2:18:33

I have them to warn you. Don't

2:18:36

worry, It

2:18:38

won't learned well as I do know

2:18:40

is it doesn't do what SpinRite

2:18:42

does. And I said,

2:18:44

ah As great as

2:18:46

as jazz as a

2:18:48

wonderful was at. A

2:18:52

later than relying on risk because

2:18:54

there was a risk. Yes, for

2:18:57

yes, for the rest of our

2:18:59

existence we are answering the question, the

2:19:01

question: well, I already have ScanDisk,

2:19:04

why would I need SpinRite,

2:19:06

right? Anyway, the

2:19:08

point is, it matters when the giant, ah,

2:19:11

it offers the best. Oh, it does,

2:19:13

have, I've been there first

2:19:16

hand. I like Silverberg a lot,

2:19:18

I never was fond of

2:19:20

Brad Chase. You were Sherlocked, that's

2:19:23

what the Mac people call it, so that

2:19:25

for goodness' sake. Norton did that, he

2:19:27

says, I tried. He's

2:19:29

gonna sell more copies of Disk

2:19:31

Doctor than he sold of SpinRite.

2:19:34

Probably. Well,

2:19:37

what he did was,

2:19:39

when I refused to sell SpinRite

2:19:41

to Peter, he sent a

2:19:43

developer home with a copy of

2:19:45

it. Oh, and said, oh yeah,

2:19:47

and we know that because

2:19:50

one of my guys looked inside

2:19:52

and saw code that

2:19:54

was our code. I mean, there were,

2:19:57

like there was a place where I needed to

2:19:59

see whether the BIOS handled a

2:20:01

certain API call, so

2:20:03

I put some specific random data

2:20:05

in the registers when I made

2:20:07

the call to see whether they

2:20:09

got changed. Oh, as good

2:20:11

as a smoking gun, their clone of SpinRite

2:20:13

had the same values, the

2:20:15

same data, because they didn't know what, they

2:20:17

didn't know what exactly it was, so, we

2:20:20

better do it this way 'cause we don't

2:20:22

know, for those, something of that. The

2:20:25

good news is since they didn't

2:20:27

actually create of over the cold

2:20:29

Calibrate, which was their

2:20:31

clone, says it, and created. Their,

2:20:34

when their customers called for

2:20:36

support, they said, well, we're not

2:20:38

sure, call Gibson Research. I'm

2:20:41

not kidding. We got calls

2:20:43

from our support lines: Norton

2:20:45

said to ask you about Calibrate. Well,

2:20:48

when you buy a copy of

2:20:50

SpinRite we will have it. Has her

2:20:52

and that was real. Steve is

2:20:54

at GRC and still selling SpinRite

2:20:56

now, Version Six Point One, many

2:20:58

moons later, and it's even better than

2:21:01

ever and Sector now at speeds of

2:21:03

doing as a D doing really well

2:21:05

Really, congratulations. Ah,

2:21:07

if you go to GRC you can

2:21:09

pick up a copy if you don't already

2:21:12

have one of the world's

2:21:14

best mass storage maintenance, recovery

2:21:16

and performance

2:21:19

enhancing utility. We

2:21:21

have the performance as a new feature,

2:21:24

a kind of serendipitous feature. Pretty

2:21:26

great. You can

2:21:28

also find a copy of the show there. Steve

2:21:30

has the canonical sixty four kilobit stereo

2:21:33

audio. He has a mono audio, he has a

2:21:35

sixteen kilobit version for the bandwidth

2:21:37

impaired, and he has excellent transcripts written

2:21:40

by an actual human being, no AI

2:21:42

involved, Elaine Farris does a great job,

2:21:44

on GRC.com. He's at SGgrc

2:21:46

on Twitter, if you want to DM him,

2:21:49

send him a picture of the week

2:21:51

or whatever, his DMs

2:21:53

are open. We have the sixty four

2:21:56

bit canonical version of it, the audio

2:21:58

version, on our website, twit.tv/sn,

2:22:00

but you can also

2:22:02

find video there. There is a

2:22:05

video channel on YouTube dedicated to Security

2:22:07

Now, and of course you can subscribe

2:22:09

with your favorite podcast player, and that

2:22:11

way you get it automatically. You could even

2:22:14

watch if you're really in a hurry.

2:22:16

If you like, if you can't wait, you

2:22:18

can watch on Tuesday afternoon while we

2:22:20

do it because we stream the recordings

2:22:22

of all of our big shows on

2:22:25

YouTube, youtube.com/twit. This one's right

2:22:27

after MacBreak Weekly, so times vary,

2:22:29

one thirty to two pm Pacific,

2:22:31

five pm Eastern, twenty one hundred

2:22:34

UTC, at

2:22:36

youtube.com/twit. Ah,

2:22:40

Club members, thank you for your support.

2:22:42

If you're not a club member, may

2:22:45

I beg of you, please join. Seven bucks

2:22:47

a month gets you ad free versions of all

2:22:49

the shows, and a lot of extra stuff.

2:22:51

We're going to do an AI watch party

2:22:53

on Thursday, which is going to be a lot of

2:22:56

fun, the whole staff and more in the living

2:22:58

room watching a silent movie, which is good

2:23:00

because they can make

2:23:02

the sounds for you. That will be

2:23:04

this Thursday. Club members, look in the events

2:23:06

tab for more information. We're voting on Stacey's

2:23:08

Book Club pick of the week, a couple

2:23:11

more days to do that. The best thing about

2:23:13

Club TWiT is the people. It's

2:23:15

a community of really great people you

2:23:17

would like to know. If you're looking

2:23:19

for a great community online that's safe,

2:23:21

that's friendly, that's smart,

2:23:24

twit.tv/clubtwit.

2:23:28

Ah, okay. Steve,

2:23:30

I'm gonna let you go. I'm gonna

2:23:33

take your ankle bracelet off and bush

2:23:35

soothsayer. Well, until next week, my friend.

2:23:39

Anybody see of our podcast?

2:23:41

Nine Seventy Four.

2:23:44

Yeah, we would be, we

2:23:46

would be right now going

2:23:48

oh no, there's only twenty

2:23:50

five left. Oh no. Ah,

2:23:54

okay, thank you Steve. Have a great

2:23:56

wisdom of our listeners that sets as

2:23:58

of them that I'm. My okay

2:24:00

I'll stay now I'm traveling years I

2:24:02

have a year revised. Out

2:24:05

is gonna retire when you did

2:24:07

an Ama jim they cease to

2:24:09

exist in my.
