Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL

Released Wednesday, 7th February 2024
Episode Transcript

0:00

It's time for security now Steve Gibson is

0:02

ready. He's got some great stuff to talk

0:04

about including the

0:06

new sissa Recommendations

0:09

for home routers. I hope they're adopted

0:12

Some a massive flaw that Willie

0:14

affects every version of Linux It's

0:16

being patched or has been patched,

0:19

but you should know about it

0:21

post quantum crypto Added

0:23

to our favorite browser and then an

0:26

unforeseen consequence of

0:28

Google's new anti tracking changes That's all coming

0:30

up next on security now Podcasts

0:35

you love from people you

0:37

trust This

0:45

is security now with Steve Gibson episode 960

0:49

recorded Tuesday February 6th unforeseen

0:54

consequences Security

0:57

now is brought to you

1:00

by Melissa the data quality

1:02

experts all

1:04

data expires about 25% per

1:06

year Including

1:09

the data in your customer database

1:11

your supplier database your address records

1:13

for over 38 years Melissa

1:16

has helped companies Harness the

1:18

value of their customer data

1:21

to drive insight to maintain

1:23

data quality and support global

1:25

intelligence Melissa's flexible to fit

1:27

into any business model Melissa verifies addresses

1:29

for more than 240 countries on Prem

1:33

in the cloud as a sass app. There's

1:35

even an API so you can ensure you're

1:37

only Putting valid billing

1:39

and shipping addresses into your system You

1:42

can focus your spending where matters the most Melissa

1:45

offers free trials Sample codes

1:47

and flexible pricing and an

1:49

ROI guarantee plus unlimited

1:51

technical support to customers all around

1:53

the world You can even

1:55

try it on your phone download the Melissa app.

1:57

It's free on Google Play or

1:59

the iOS app store, no signups

2:02

required. Melissa has achieved

2:04

the highest level of security status

2:06

available by gaining FedRAMP authorization. That's

2:09

kind of peace of mind

2:11

for anybody using Melissa. Their solutions

2:13

and services are GDPR and CCPA

2:15

compliant. They make SOC 2 and

2:18

HIPAA high trust standards for information

2:20

security management. Your data is secure

2:23

at Melissa. Bottom line, make

2:25

sure your customer contact data is up to date.

2:27

It started today, 1000 records

2:29

cleaned for free at melissa.com.

2:34

That's melissa.com. It's

2:38

time for security now. Steve,

2:40

there he is. Or was

2:42

that one of the sounds that goes off

2:44

when something happens? One of the alerts. I

2:47

can't wait. And speaking of sounds, all of

2:49

our listeners will be glad to know that

2:51

little annoying beep in the

2:53

background finally died.

2:56

You couldn't find the smoke

2:58

detector, right? But you couldn't figure it out. Actually

3:02

it was a water alarm

3:04

which I had installed because

3:07

my air conditioning condenser was

3:09

backing up and overflowing so I

3:11

needed to be alerted if that

3:13

was happening. But I

3:15

replaced the whole AC system

3:18

a couple years ago with a

3:20

brand new one that has all that built in.

3:23

So I removed the water sensor

3:25

and just stuck it aside and

3:27

as happens here where we need

3:30

to have archaeological digs to find things.

3:32

Oh, it was in a pile somewhere.

3:35

Yes, it was just buried. Literally

3:39

buried. It was in a wooden heap

3:41

somewhere south of your living room. Okay.

3:44

And then at some point it began going beep. Very

3:48

briefly, very high pitch and

3:51

not often. And

3:53

some of our listeners began saying, Steve,

3:56

you've got to check the batteries in your

3:58

smoke detector because it's very... Apparently there's

4:00

a problem there. Well, no. And

4:02

I could not find it. And it had been

4:04

going on, I don't know, a couple years maybe? But

4:08

I stopped hearing it. I haven't

4:10

heard it recently. Has it still

4:12

been going? It

4:15

was going last week during last week's podcast. If

4:17

you play the podcast every so often, go

4:19

here. Anyway, so... And

4:21

that's kind of dry because we have a lot of

4:24

OCD listeners. I mean, people who really can't

4:26

handle that kind of thing. I

4:30

stopped hearing it. I had adapted to

4:32

my environment and I saw it's like,

4:34

you know, I step over things that

4:37

are in the way. Oh

4:39

my God! So when I came

4:41

in yesterday morning, I heard... Eeeeeeeeeeee!

4:48

So I thought, oh, thank God!

4:51

I knew at some point the

4:53

battery would actually finally

4:55

die so they couldn't even make

4:57

these beats. And

5:00

I was like, eeeeeeeeeeeeeeeeee! And

5:03

I went right to it!

5:06

Just directly, I just like,

5:08

I pulled some things out of the way, there

5:10

it was. That's indeed what it

5:12

was. Did you stamp on it? I

5:17

mean, even moving it around, it was just on

5:19

it's last volt. Oh

5:24

my God! Oh! Well

5:26

anyway... Silence? Was

5:28

somebody, Chickenhead21 in our chatroom, our

5:30

Discord wants to know, was Elaine

5:33

actually typing beep when it went

5:35

off in the transcripts? Bless

5:37

her heart, I wouldn't be surprised

5:39

if she had a little parenthetical

5:41

beep-beep! I

5:45

haven't heard it in months, I knew about it,

5:47

people have written in about it and I thought

5:49

you fixed it last year. I

5:52

just wasn't hearing it, maybe like you, I'd either grown

5:54

attuned to it or I'm so deep now that I

5:56

can't hear that frequency. Wow! Well

5:59

thank you! Thank you for fixing that. Thank

6:03

you for thanking me for my patience. It

6:06

is now finally gone. I

6:08

told you about that avenue. I remember when we

6:11

talked about this last, I told you about that

6:13

avenue 5 episode. I don't know if you ever

6:15

watched Avenue 5 after we talked about it, but

6:19

they're on the spaceship, right? And

6:21

there was a beep. Nobody could

6:23

figure out where it was. It

6:26

was keeping people up. It was the whole thing. So

6:29

this is not an unusual phenomenon. You

6:31

maybe should make a variation of

6:34

the portable dog killer that is

6:36

the portable beep locator. Believe

6:39

me, when this began, I gave it

6:41

some serious thought. It was impossible for

6:43

me to find it. So I considered

6:46

putting two microphones, some distance apart. Tranquilizing

6:48

it. Exactly. And locking

6:50

onto that sucker. But then I

6:52

thought, well, we really do want

6:54

Spinrite 61 eventually. Won't

6:58

you be glad when you retire that you can devote your

7:00

time to things like that, I think. Retire?

7:04

What? Never. Never.

7:07

Oh no. I've got to move Spinrite 7 onto the Vision

7:09

Pro. So yes. We

7:11

have that during Mac Break Weekly that you would

7:13

make a version for the

7:16

Vision Pro. Not a problem. Yes.

7:18

Imagine walking through the bits of

7:21

your mass storage, looking around, and

7:23

say, oh, look at that bad

7:25

spot there. Fluck that out. Oh

7:28

gosh. Yes. So what is

7:30

coming today on Security Now? Oh

7:32

boy. Business Security

7:34

Now 960 as we begin February. This

7:40

podcast is titled Unforeseen

7:42

Consequences, which sort of

7:44

crept up on me when I stumbled

7:46

upon an odd

7:49

reference to a piece in the

7:51

Financial Times. Now the Financial Times

7:54

has one of the strongest paywalls

7:56

you can find. I mean, they're

7:58

not screwing around. hey, you know,

8:01

we're just going to tease you with the headline. You're

8:04

not going any further. Except they also allow

8:06

themselves, like I just googled the

8:08

headline and there it was. So it's like, okay,

8:11

well, you're not that worried about, I mean, you

8:13

know, they want to bring people to their paywall

8:15

so you can decide if you want it.

8:18

Anyway, they had a really

8:20

interesting piece that is,

8:22

that talks about some, some

8:25

consequences we've never considered

8:28

that are like the dark side

8:31

of Google's killing

8:33

third party cookies. So

8:35

it's going to be really interesting.

8:38

I think this is going to be

8:40

a riveting episode, but first we're going

8:42

to talk about what move Sisa has

8:44

just made that affects our home routers.

8:47

What serious flaw was discovered

8:50

in a core C library

8:52

used everywhere by Linux? Does

8:55

open SSL still have

8:57

a future? And

9:00

what's Ross Komnonzor done

9:02

now? How can

9:04

a password manager become proactive with

9:07

passkey adoption? Which favorite

9:09

browser has just added post

9:11

quantum crypto? What prevents

9:13

spoofing of the images

9:15

taken by digital signing cameras,

9:17

if anything, and

9:19

why are those insecure PLC

9:22

devices, you know, the programmable

9:24

logic controllers, which run process

9:26

automation everywhere, ever

9:28

being attached to the internet? And

9:32

what may be an undesirable

9:35

and unforeseen consequence

9:38

of Google's anti tracking chain?

9:42

Yeah, it's going to be a great episode.

9:44

And oh, Leo, we do have a picture

9:46

of the week. I only see the caption.

9:48

I haven't scrolled up. But

9:51

I can tell from the caption, it's going to be a good.

9:54

Yes, it is. It may explain

9:56

the power outages you've been having.

9:58

Holy cow. Yeah. We

10:01

were in the middle of Twitter on Sunday. Fortunately,

10:03

we were not on the, we were actually

10:05

within minutes of ending it. And

10:07

everything just went dark. And I had to go home

10:09

and finish the show at home because there

10:11

was no power here. And then of course,

10:13

as you noticed, I come in the

10:15

studio and everything is all messed up because they

10:18

don't survive power outages very well. I had to

10:20

play with a bunch of things. Anyway, we got it

10:22

all working. We will get to the

10:24

show in a moment, but first, a

10:27

word from Delete Me, our sponsor. Have

10:29

you ever searched? Don't do this, but

10:32

I know you will because I'm going to say it. Have

10:34

you ever searched for your name online? It

10:37

is a terrifying experience. You won't

10:39

believe how much of your personal

10:41

information is available. The

10:44

next step should immediately be visit

10:47

joindeleteme.com/twit and sign up for

10:49

Delete Me. Delete Me helps

10:52

reduce risk and there are lots

10:54

of them associated with having all

10:56

that stuff online. Money theft, credit

10:58

card fraud, robocalls,

11:01

cyber security threats, harassment,

11:04

unwanted communications overall. We

11:06

started using Delete Me a couple of years

11:08

ago when a text went out from our

11:10

CEO's phone to her

11:12

direct report saying, I'm in a meeting, but

11:14

I need to get these Amazon gift cards

11:16

out to our hosts. Go

11:19

buy me some. Now thank

11:22

goodness our employees listen to

11:24

our shows and they're well trained and

11:26

they immediately smelled something suspicious. But honestly,

11:28

it came from her phone number. It

11:31

came to their phone number. In every

11:33

respect, it looked legit. Where

11:35

did they get all that information? How

11:38

did they know who our direct reports are? That

11:41

information is online. Data brokers

11:43

have it all. We sign up

11:45

immediately for Delete Me. And by

11:47

the way, it has been a huge boon. It

11:50

is a cyber security threat to your business.

11:52

If your executives, if your managers

11:55

are not, if their information is online, who

11:57

they boss around.

12:00

All that stuff is just meat

12:02

for these bad guys, these hackers. So

12:05

here's what you do. You go to

12:07

joindeleteme.com/twit. First step, you sign up. You

12:10

give them some basic personal information, information they're going to be

12:13

looking for. That's how they figure out it's yours, right? So

12:15

you have to tell them some stuff and

12:17

this is the stuff I want removed. Delete

12:20

me's experts and they do this, humans do

12:22

this, which is really important. You cannot do

12:24

this well automatedly. Humans go

12:27

out, they find your personal information. They

12:29

have lists of literally hundreds of data

12:32

brokers. New data brokers are added every

12:34

day. There is no regulation on these

12:36

guys. It's like the wild west. But

12:39

delete me knows who they are. They will go

12:41

there. They will reduce your online footprint. They will

12:43

keep you and your family and your business safe.

12:46

But then, and this is really important, they

12:49

will continue to scan and continue to remove

12:51

personal information regularly because there's a loophole. These

12:53

data brokers have to have a place where

12:55

you can say, I don't want you to

12:58

keep my data information. They'll delete

13:00

it and say, we deleted it. But then they

13:02

still gather information. If you should have happened somehow

13:05

to show up in that information, well,

13:08

they recreate your whole profile,

13:10

the whole thing's back. I'm

13:12

talking addresses, photos, emails,

13:15

relatives, phone numbers, social

13:17

media, your net worth,

13:19

your property value and more. Now

13:22

these expose, everybody's got a different threat

13:24

model, right? For instance, the privacy exposures

13:26

in these incidents would affect everybody differently.

13:29

Delete Me has real privacy

13:31

advisors you can talk to to help

13:33

you make sure that you're getting the support you

13:35

need and to help you understand what they're doing

13:38

and what you need to do. They're

13:40

very good. Protect yourself. Reclaim

13:42

your privacy. The website

13:44

again, joindeleteme.com/twit. The code is twit

13:47

for 20% off. So

13:49

it's a good price. Thank

13:52

you, deleteme.com/ twit.

13:54

Promo code twit at checkout. Thank

13:57

you, deleteme, for the job you did for Lisa and...

14:00

And for all of our listeners, join

14:02

the lead me.com/twit. Steve.

14:05

Now, Leo, you may scroll

14:07

up and reveal,

14:10

huh? And reveal the

14:12

cause of the power outages at

14:15

Twitch studios. But this is

14:17

the caption, but this is where

14:19

you said you wanted the dangerous

14:21

high voltage terminal box. Oh,

14:24

just sitting right out there, right

14:26

out there in the public. I bet you there's a

14:28

playground right next to it. Well, look

14:30

what's on it or aimed at it. Oh,

14:33

you scroll down a little further. Oh, I missed that

14:35

part. There

14:39

is a sprinkler sprinkling

14:41

it. So for

14:43

those who are listening, I hope it's weather

14:45

sealed. Holy cow. Out

14:48

in the middle of something is

14:50

this, you know, scary looking high

14:52

voltage box. Oh,

14:56

my box. It says

14:58

attention, attention with a with

15:01

the lightning bolts saying, you know,

15:03

high voltage. There's

15:05

a sprinkler, you know, one of

15:07

those like those things that shoes

15:09

out a beam of water that's

15:11

supposed to go about a thousand

15:14

yards, which, you know, slowly rotates

15:16

to water the entire park. Well,

15:18

this box is about three feet

15:20

away from it, receiving the full

15:22

force of this water blast right

15:24

in its face. You know,

15:26

it's surprising there aren't sparks flying out of

15:28

this thing. Oh, my God. Anyway, yeah, you

15:30

know, you want to step cautiously on the

15:32

wet lawn that surrounds this

15:36

electrical box. That's a great

15:38

picture. You could probably charge your Tesla just by parking on

15:40

the lawn next to it. Yeah,

15:42

great. Wow. It's

15:45

liquid cooled. Yes. Mashed potatoes

15:47

in our Discord. You said what? It's

15:50

liquid cooled. Liquid cooled, right? Yes. Never

15:53

gets hot. Okay,

15:56

so under the headline, CISA

15:58

and FBI. Release

16:00

secure by design alert

16:04

urging manufacturers to eliminate defects

16:06

in SOHO routers. And I

16:09

think everyone knows SOHO, small

16:13

office home office is what

16:15

that abbreviation is. So last

16:17

Wednesday, CISA and

16:19

the FBI published guidance. This is

16:21

the third such release of theirs.

16:23

They've kind of, and this is the

16:26

first aimed at down at the

16:28

consumer. Previously they were talking

16:30

at the enterprise level. So

16:32

they published guidance on

16:35

security design improvements

16:38

for SOHO device manufacturers, which

16:40

is part of their new

16:42

secure by design alert series,

16:45

which focuses on how

16:48

manufacturers should shift the

16:50

burden of security, thank God,

16:53

away from the customers who, you know,

16:55

they just want this stuff to work,

16:57

plug it in, set it and forget

16:59

it, by integrating security

17:02

into the product design and

17:04

its development. So

17:07

this third publication in

17:09

CISA's series examines how

17:11

manufacturers can eliminate what

17:13

they call the path

17:15

threat actors, the

17:21

path threat, I'm sorry, which actors are

17:24

taking to compromise small

17:26

office and home office routers.

17:29

Now they were specifically

17:31

referring to a recent

17:33

initiative. There is a group

17:35

out of China known as

17:38

the Volt Typhoon Group, which

17:41

the FBI just, somewhat

17:45

controversially took down by

17:49

patching these routers. And

17:51

it was my intention initially to

17:53

talk about that as our main

17:55

topic this week, but I ran

17:57

out of space actually on that.

17:59

the podcast at time and

18:02

I really needed to talk about the

18:05

consequences of what I realized was going

18:08

to be happening as a consequence of

18:10

stumbling upon this Financial Times piece. So

18:14

I have that queued up

18:16

for next week. But

18:18

there was something that caught

18:21

my attention in this which

18:23

was unsuspected or unanticipated. They

18:27

said, Sisa did in

18:30

this joint FBI release,

18:33

that they wanted

18:35

manufacturers to do three things.

18:39

Automate update capabilities,

18:42

remove web management from the

18:44

WAN interface and

18:47

require a manual override to

18:50

remove security settings. Okay,

18:53

so all of these podcast

18:55

listeners have probably grown tired of hearing

18:57

me talk about those first two points.

19:00

Automate updates and remove all

19:03

device management from the public

19:05

facing interface, the WAN

19:07

interface, right? You

19:10

just don't need to use

19:13

a web interface aimed

19:16

at the internet so that you can

19:18

access your

19:20

device across the internet. What

19:25

we keep learning is that we don't

19:27

know how to do that safely

19:29

because everyone keeps making mistakes. And

19:32

you don't have to expose it to

19:34

the public because there are plenty of

19:36

ways to get over onto the private

19:38

LAN from the public internet and

19:40

then access the device from the LAN side. That's

19:48

the way we should do it. The

19:51

third one was

19:53

really interesting. I think it's brilliant.

19:56

They say require a manual

19:59

override. to remove

20:01

security settings. In other words, routers

20:04

should not accept remote

20:07

or any even local over-the-wire

20:10

instructions which

20:12

reduce their security in

20:15

the absence of a

20:17

manual physical local

20:20

confirmation of some kind.

20:23

There's no substitute for the

20:26

affirmation of one's physical presence

20:28

at a router's location. Pressing

20:32

a I want to

20:34

change my router's configuration button

20:37

is the one thing no remote

20:40

attacker in Beijing

20:43

is able to do from the

20:45

comfort of their cyber warfare bunker.

20:47

I think

20:49

that the best way to do this

20:52

would be to require a button to

20:54

be pressed in order to place

20:56

the router into configuration

20:59

change mode. So if a user

21:01

logs into their router, you know,

21:03

they're welcome to do that. They're welcome

21:06

to poke around and look at the

21:08

router's various settings. But

21:10

the moment the user attempts

21:12

to change something which

21:15

is important to the security of the

21:17

system, the router's UI will

21:19

pop up a little box and

21:21

say, please press

21:24

the enable configuration

21:26

changes button on your

21:30

router to proceed. And

21:33

it'll just wait. Once

21:35

the button is pressed, the router

21:37

will take down that little message

21:39

and will allow the user to

21:41

change its configuration until the user

21:43

either logs out of the interface

21:46

or after some period of inactivity because

21:48

most people just leave their login cookie

21:50

present and logged in so they can

21:52

get back to it easily if they

21:54

need to. So would

21:57

this be potentially a pain in the butt?

22:00

Yeah, especially if the router is in

22:02

the attic. But, you

22:04

know, it's a classic trade-off

22:06

between security and convenience. Requiring

22:08

a one-time password is certainly

22:10

not as convenient as not

22:12

using one. But, you

22:14

know, that requirement is clearly much more

22:17

secure. So the

22:19

problem being addressed is,

22:21

you know, in this case is

22:23

very real. You know, we are

22:26

populating the world with

22:28

insecure, yet increasingly

22:31

powerful consumer routers, which

22:33

are actually being taken over

22:36

by malign remote forces that

22:39

wish to exploit our traditional lack

22:41

of focus on security. So once

22:44

again, I give big props

22:46

to Sisa for leading this truly

22:48

necessary change. I think this makes

22:50

so much sense. You know, yes,

22:53

again, it will be a

22:56

bit of an annoyance to have to

22:58

go to physically go to the router

23:01

and press the button saying,

23:03

I want to enable configuration

23:05

changes. But it's

23:08

a brilliant requirement. And I do hope that we

23:10

see this. And really, we're not doing this all

23:12

the time. And if you are, don't put your

23:15

router in the attic. Put it somewhere a little

23:17

more accessible. And that'll just become,

23:19

you know, the way we do things

23:21

in the future. I think this makes so

23:23

much sense. While

23:28

we were recording last

23:30

week's podcast, the

23:33

QALIS Threat Research Unit, they call

23:35

it the TRU, which is kind

23:37

of a cool abbreviation, was

23:40

informing the world that

23:42

they had recently unearthed

23:45

four significant vulnerabilities in

23:48

the GNU C library,

23:50

which forms a cornerstone

23:53

for countless applications in

23:55

the Unix, I'm sorry,

23:57

in the Linux. Well, probably Unix too. Well, not

23:59

Unix. not GNU, but in

24:02

the Linux environment, one of these

24:04

four, which they found, is

24:07

a severe vulnerability tracked as

24:09

CVE-2023, notice it's late last

24:11

year, 6246. This vulnerability affects

24:19

major distros, like, well,

24:23

every version of Linux, I think

24:25

it's safe to say, but of

24:27

course, including Debian, Fedora, Red Hat,

24:29

and Ubuntu. It's C-lib, right? Yes,

24:31

it's G-lib C. Yeah,

24:34

G-lib. Yeah, yeah, yeah, yeah, yeah, that's everywhere.

24:36

That's the core C library that C depends

24:41

upon. It's basic standard functions.

24:43

Yeah. Yes, it's linked into

24:45

everything. Yep. So the

24:47

bug impacts versions going back

24:49

to August of 2022, which

24:52

is when the bug was introduced. It

24:55

is an elevation of privilege flaw

24:57

that can allow local

25:00

attackers with access to

25:02

a system to obtain

25:04

root privilege access. So, you

25:06

know, we dodged a big

25:08

bullet here, folks, because if

25:10

this had allowed remote attackers

25:13

to get root. Oh, then we'd

25:15

have trouble. Yeah. Oh,

25:19

baby. So here's what Qualys

25:21

explained about their discoveries. They started

25:23

by saying, before diving into the

25:25

specific details of the vulnerabilities, it's

25:28

crucial to understand these

25:31

findings, broader impact and importance.

25:34

The GNU C library, or

25:36

G-lib C, is

25:38

an essential component of

25:40

virtually every Linux-based system

25:43

serving as the core interface

25:45

between applications and the Linux

25:48

kernel. The recent discovery

25:50

of these vulnerabilities is not just

25:52

a technical concern, but

25:55

a matter of widespread

25:57

security implications. And Actually,

26:01

more about the bullet that

26:03

flew by and we

26:05

dodged. We'll get to more of that in a

26:07

second. In other words, it

26:10

was more than a little bit

26:12

shocking to Qualys to

26:14

discover serious exploitable

26:17

vulnerabilities in a core

26:19

component of a system

26:22

that is this widespread. Needless

26:24

to say, Linux is everywhere, including

26:26

in every one of those Soho

26:29

routers we were just talking about.

26:31

We all need to keep

26:33

in mind that fixing it

26:35

today doesn't automatically fix it

26:38

yesterday, which is

26:40

another strong argument for allowing

26:42

autonomous updating of unattended and

26:44

unmanaged IoT devices. Anyway,

26:47

Qualys continues writing, the

26:50

vulnerabilities identified in Glib-C's

26:53

syslog and QSort

26:55

functions highlight a critical

26:57

aspect of software security. Even

27:00

the most foundational and trusted

27:02

components are not immune to

27:04

flaws. The ramifications

27:06

of these vulnerabilities extend far

27:08

beyond individual systems, they write,

27:11

affecting many applications and

27:13

potentially millions of users

27:15

worldwide. This article aims

27:18

to shed light on the specific

27:20

nature of these vulnerabilities, their potential

27:22

impacts and the steps taken to

27:24

mitigate them. The first

27:26

vulnerability, CVE-2023-6246, a significant security

27:28

flaw, has been identified in

27:36

the GNU C libraries v-syslog

27:39

internal function affecting

27:42

syslog and v-syslog.

27:45

This heap-based buffer overflow vulnerability

27:47

was inadvertently introduced in Glib-C

27:50

version 2.37 in August of

27:52

2022 and subsequently backported to

27:54

Glib-C-2. version

28:01

2.36, an earlier one,

28:04

while addressing a different, less

28:06

severe vulnerability. So oops, it

28:09

actually went, you know, the

28:14

flaw was introduced in 3.3.7 and then they

28:16

thought they

28:19

were fixing an earlier vulnerability in

28:21

3.3.6 so they moved

28:23

that code back into, I'm sorry, into

28:27

2.36 and broke it as well.

28:31

They write major Linux distributions like Debian, that

28:33

would be 12 and 13, Ubuntu, 23.04 and

28:35

23.10 and Fedora, 37, 38 and 39 are

28:37

confirmed to

28:47

all be vulnerable. This

28:50

flaw allows local privilege

28:52

escalation, enabling an

28:54

unprivileged user to gain full

28:57

root access as demonstrated in

28:59

Fedora 38. So again, somebody

29:01

standing in

29:04

front of a machine where

29:07

you are relying on them

29:09

not having root and

29:11

only being able to log in and

29:14

do things as a non-root user, that

29:17

reliance broke completely.

29:21

They said in our analysis, the

29:23

same function affected by CV 2023, 6246, this

29:25

one, they said we identified two

29:31

additional, albeit less

29:33

severe vulnerabilities. One is off

29:36

by one heat-based buffer overflow,

29:38

also in the V syslog internal

29:41

function and an integer overflow issue

29:43

also in the same function, but

29:45

not nearly as worrisome as this

29:47

main one. They said based on

29:50

our assessment, triggering those

29:52

vulnerabilities appears more

29:54

challenging than 6246, you know, the primary

29:59

problem. Additionally, they said exploiting them

30:01

effectively is likely to be more complex. As

30:04

for the last of the four

30:07

vulnerabilities, a memory corruption issue was

30:09

found in the GNU C libraries

30:12

Q sort function caused by a

30:14

missing bounds check. This

30:16

vulnerability could be triggered when

30:19

Q sort is used with

30:21

a non-transitive comparison just

30:23

such as a simple comparison of A and

30:26

B which returns A minus

30:29

B and

30:31

using a large number of elements

30:33

controlled by an attacker potentially

30:35

leading to a memory allocation failure.

30:39

Okay, so what

30:42

are the implications? Qualis writes,

30:44

the discovery of vulnerabilities in the

30:47

GNU C libraries syslog and Q

30:49

sort functions raises major security concerns

30:51

and these are sort of hypothetical

30:56

concerns but still worth noting.

30:59

They said the syslog vulnerability,

31:01

a heap-based buffer overflow, can

31:03

allow local users to gain

31:06

full root access impacting major

31:08

Linux distributions. Similarly, the Q

31:10

sort vulnerability stemming from a

31:13

missing bounds check can lead

31:15

to memory corruption and

31:17

get this, has affected all

31:20

G libc versions since

31:23

1992. Yeah,

31:28

in other words all G

31:30

libc versions effectively. Yeah, Linux

31:32

is only, yeah, definitely that's all of

31:35

them. They

31:37

said these flaws highlight the

31:39

critical need for strict security

31:41

measures in software

31:45

development especially for core

31:47

libraries widely used across

31:49

many systems and applications.

31:53

So yeah, no kidding. Now,

31:56

what happens or the way this is

31:58

managed behind the scenes is all always

32:00

interesting. So here's a quick

32:03

blow-by-blow timeline from the discovery

32:05

through the coordinated release one

32:07

week ago today. So

32:11

this began in on

32:13

early November, November 7th of last

32:16

year, 2023. So the

32:18

end of last year, November 7th, they said

32:20

we sent a preliminary draft

32:22

of our advisory, that is,

32:24

you know, a disclosure of

32:26

their discovery, to Red Hat

32:28

Product Security. Eight

32:32

days later on the 15th, Red

32:34

Hat Product Security acknowledged receipt

32:36

of their email. The

32:38

following day on the 16th of

32:41

November, Red Hat Product Security asked

32:43

us if we could share our

32:45

exploit with them. The following

32:47

day on the 17th, they sent the

32:50

exploit to Red Hat Product Security. Four

32:54

days later on the 21st, Red

32:57

Hat Product Security, they said,

32:59

confirmed that our exploit worked

33:02

and assigned CVE-2023-6246 to this heap-based buffer

33:08

overflow in __vsyslog_internal.

33:10

Okay,

33:12

so that is November 21st.

33:15

Now we go to December, we're

33:17

on December, the next month on

33:19

the 5th, Red Hat

33:21

Product Security sent us a patch for

33:25

this vulnerability, 6246, written

33:28

by the glibc

33:30

developers and

33:32

asked us for our feedback. Two

33:35

days later, December 7th, they said

33:37

while reviewing this patch, we

33:39

discovered two more minor

33:42

vulnerabilities in the same function.

33:44

That's where that off-by-one buffer

33:46

overflow and the other integer

33:49

overflow surfaced. They

33:51

said we immediately sent an analysis,

33:54

proof of concept, and patch proposal

33:56

back to Red Hat Product Security

33:59

and suggested that we directly

34:01

involve the glibc security team. That

34:03

was on December 7th. The next

34:05

day on the 8th, Red Hat

34:07

Product Security acknowledged receipt of our

34:09

email and agreed that we should

34:11

directly involve the glibc security team.

34:14

We contacted them on the same

34:16

day and they immediately replied with

34:18

very constructive comments. Of course, they

34:20

were already looped into this because

34:22

Red Hat had previously forwarded this

34:24

to them and then received the

34:26

the patch back from them which

34:28

then they sent back to Qualys. Three

34:33

days later, December 11th, the

34:35

glibc security team suggested that

34:38

we postpone the coordinated disclosure

34:40

of all three vulnerabilities until

34:42

January 2024. Okay, so

34:44

we were at December 11th at

34:46

this point. They said because of

34:49

the upcoming holiday season, meaning

34:52

people on vacation, people not

34:54

around, people less available to

34:57

respond immediately as this

35:00

would require to the public,

35:03

you know, coordinated disclosure of this. So

35:05

they said, yep, good, let's let the

35:08

holidays pass and we'll deal

35:10

with this immediately afterwards. So,

35:13

December 13th, still last year

35:15

before Christmas, Red Hat Product

35:17

Security assigned the

35:19

two additional CVEs to the other two

35:21

things that have been found. On

35:24

January 4th, this year, they

35:27

said we suggested either January 23rd

35:30

or January 30th for

35:32

the coordinated release. glibc

35:35

developers agreed on January

35:37

30th. That was last

35:39

Tuesday. So, now we're

35:41

at January

35:44

12th, the glibc developers

35:47

sent us an updated version of the patches for these

35:50

vulnerabilities. The next day, we reviewed these patches

35:52

and sent our feedback to the glibc developers.

35:56

Two days later, on the 15th, the glibc

35:58

developers sent us the final

36:00

version of the patches for these

36:03

vulnerabilities. The following day, Qualys says,

36:06

we sent these patches and a

36:08

draft of our advisory to the

36:10

linux-distros at Openwall

36:12

list. They immediately acknowledged

36:15

receipt of our email and

36:18

on the 30th, last

36:20

Tuesday, coordinated release

36:22

of this occurred. So,

36:24

you know, that's how this actually, you

36:27

know, like that there's

36:29

an example of, of

36:31

everybody being responsible, everybody responding to

36:33

email. No one's sitting on this

36:35

for, you know, months, the way

36:37

we've seen Microsoft do so often,

36:39

you know, this is the way

36:41

it's supposed to happen. Problem is

36:43

found if the

36:46

right people are looped in, it's

36:48

reviewed, it's verified, patches are created,

36:50

patches are verified, some more tweaks

36:52

are made, everybody agrees about like,

36:54

looks at the calendar, when would

36:56

be a good time to let

36:59

everybody know. And that's

37:01

what the way it happens. So, you know, a

37:04

great look at how this happened. And,

37:06

you know, all the distros have been

37:08

updated. Now, everybody who's in a situation

37:11

where this, it might

37:13

be a problem if a

37:15

Linux system from the last two

37:17

years has, you

37:20

know, is relying upon its protected

37:23

root privilege. Well, it's not as protected

37:25

as we were hoping. But at least

37:27

somebody, you want an attacker needs to

37:29

be physically on your system. Yes, thank

37:31

you. That's a relief. Goodness. Yeah. By

37:33

the way, goodness, I bet you you

37:35

could look at a quick, any quick

37:37

sort and immediately know if there's a

37:39

buffer overflow. This is not a hard

37:41

thing to write. Everybody wrote it

37:43

and, you know, comp

37:46

sci 101. I

37:49

could see how you'd get a buffer overflow, but that seems like a

37:52

pretty bone. Well, so qsort, you're

37:55

able to pass a function to

37:57

qsort. So, oh, yeah,

38:00

because that's the function that determines

38:02

what's lesser or greater, right? Yes,

38:04

exactly. So it's the sorting determiner

38:06

function which is where the problem

38:08

actually is. That might be a

38:10

little harder to trace, I guess.

38:13

Yeah. I mean, usually

38:15

you just pass it less than or greater than,

38:17

but okay. If you did

38:19

something really elaborate, maybe you get something weird. Interesting.

38:23

Okay, so speaking of libraries,

38:26

OpenSSL has lost

38:28

another big user. The

38:31

CDN Fastly, you know, one

38:33

of the biggies, announced that

38:35

they've decided to switch from

38:38

OpenSSL, which they've been using to

38:40

date, to the

38:42

name you just got to love, because this is what

38:45

you want from your SSL, BoringSSL.

38:47

You

38:49

know, you want a boring SSL

38:51

library. In their announcement,

38:54

they explained, they said OpenSSL

38:56

has a long history of

38:58

high severity vulnerabilities, including the

39:00

notorious Heartbleed bug. In

39:03

addition to the risk of

39:05

exploitation, there is a significant

39:07

operational cost incurred to rapidly

39:09

test and deploy patches. And,

39:11

you know, we're talking about,

39:14

so I

39:16

don't think they say this anywhere, but this

39:18

is on all of their edge system

39:21

instances. So all of their

39:24

edge routing, edge proxies, where

39:26

the CDN's network is

39:29

interacting with

39:31

the internet, this is where this goes.

39:34

So, yeah, if some

39:37

high severity vulnerability is

39:39

found in OpenSSL, they,

39:41

like every one of those

39:43

instances needs to be fixed

39:46

immediately, and that's a big

39:48

pain in the butt. So

39:50

they said, there's a significant operational

39:52

cost incurred to rapidly test

39:54

and deploy patches whenever a

39:56

new vulnerability is announced. Our

39:59

primary goal in

40:01

replacing OpenSSL with

40:03

BoringSSL was to

40:06

reduce the frequency and

40:08

impact of CVEs and

40:10

improve the security of our

40:12

TLS termination system for our

40:15

customers. BoringSSL

40:17

is a fork of OpenSSL

40:19

that was created and maintained

40:21

by Google. It is

40:24

widely considered to be

40:26

fundamentally more secure than

40:28

OpenSSL because it is

40:30

less complex. OpenSSL

40:32

remains the Swiss Army knife

40:34

of SSL libraries and a

40:36

bunch of great work has

40:38

been done over the years

40:40

to improve it but we

40:43

are convinced that BoringSSL provides

40:45

better protection for our customers.

40:48

They added our work began about

40:50

a year ago with the

40:52

ambitious idea of replacing

40:54

OpenSSL on our edge

40:57

for all incoming connections.

40:59

We considered a few alternatives

41:02

but stuck with our original

41:04

vision of migrating to BoringSSL

41:06

to gain the following benefits.

41:10

Smaller, more modern code base.

41:13

A safer API. BoringSSL

41:16

is an OpenSSL derivative

41:19

and is mostly source

41:21

compatible making our

41:23

migration less challenging. Extensive

41:27

fuzzing used

41:29

by big players and

41:31

maintained by Google and

41:34

similar performance to OpenSSL.

41:36

They said in summary the

41:38

consensus was that BoringSSL offers

41:41

a more focused code base one

41:44

without OpenSSL's myriad of

41:46

legacy code which makes

41:48

it intrinsically more secure. I didn't

41:53

have it here just because it would take up a

41:55

lot of space but they showed

41:57

that the breakdown of code for

42:00

OpenSSL and

42:02

BoringSSL, the

42:05

BoringSSL source

42:08

code base is less than

42:10

half the size of OpenSSL.

42:13

So you know it just makes sense as

42:15

a technology is maturing

42:18

that it's also going to be getting a

42:20

bit old and creaky along the way. In

42:23

the case of OpenSSL it

42:25

spans decades. Having started in 1998

42:30

so that makes it 26

42:32

years old and as we

42:35

know SSL has evolved itself

42:37

as a protocol dramatically during

42:39

those 26 years. So

42:42

Google created BoringSSL and we

42:44

know for example that Amazon's AWS

42:47

service is running on their own

42:49

very small homegrown

42:52

TLS stack. I'm

42:54

sure that OpenSSL will remain the bedrock

42:58

that it always has been

43:00

for experimentation and testing. Now

43:03

that's always where you know

43:05

new protocol stuff is worked

43:07

out you know and for

43:09

being, as Fastly said, the

43:11

Swiss Army knife of SSL

43:14

libraries but its deployment in

43:16

critical new applications has probably

43:18

seen its day. And

43:21

you know as I was reading this and

43:24

thinking about it we've

43:27

been using GitLab to

43:30

like manage all of the

43:32

issues during the ending phase

43:34

of SpinRite's development. We

43:38

were just using you know news

43:40

group threads initially but one

43:43

of our participants well

43:46

known to all of the people in our

43:48

news groups Colby he

43:51

was suggesting GitLab and I

43:54

looked at it and I thought okay let's you know

43:56

I'll give it a try. So I brought it up

43:58

on its own server And

44:01

it's very nice. The

44:03

problem is it has way

44:07

more features than we are

44:09

using, just as OpenSSL has

44:11

way more features

44:14

than Fastly is using.

44:18

And they won't leave it alone.

44:21

And it's so big and complex,

44:23

it's constantly having bugs and problems

44:25

that are critical. So the analogy

44:28

is perfect. And as

44:30

a consequence, I am seriously

44:32

considering moving to a

44:35

much more modest, better

44:38

fit for us like

44:41

issue tracking system. There's something called

44:43

Redmine, which looks like it

44:46

is exactly what I want, mostly

44:48

because they haven't touched it in

44:50

a long time. And

44:53

I don't want to spend all my

44:55

time maintaining a tool which

44:58

is supposed to be helping us to

45:00

manage a project. I just want it to

45:02

manage the project and not require its own

45:05

maintenance staff. So I

45:08

could fully understand the

45:10

trade-off that Fastly is

45:13

looking to make and has made. And

45:15

Leo, I think we should

45:17

tell our listeners about a trade-off they won't have

45:19

to make. Oh

45:22

no, this is not a trade-off. This

45:24

is choosing the perfect product

45:27

for your particular

45:29

use. In this case, if you want to become

45:31

an IT professional or you

45:34

want your team to be more

45:37

adept at securing your business, at

45:40

keeping you safe, at doing the job they

45:42

do, you need to know about it. Our

45:44

friends at ITProTV, you almost certainly know about

45:47

them, but maybe you forgot that they

45:49

are now ACI learning. That's

45:51

the main point. Now ITProTV is ACI

45:54

learning. You already know ITProTV. They have

45:56

been with us really

45:58

since inception. They started

46:00

advertising on security now. Well, as

46:03

a part of ACI learning now, ITPro has

46:05

expanded the things it can do, providing

46:07

so much more for you as

46:10

an individual, as an IT

46:12

learner, but also for IT teams. For

46:15

your team, ACI learning covers all you

46:17

need with audit, with cybersecurity, and

46:19

with IT training. I mean, it does it

46:21

all. You

46:24

get a personal account manager, so you

46:26

make sure you're not doing redundant

46:28

training, you're not wasting people's time. People

46:31

hate it when they were asked to

46:33

learn something they already know, for one thing. But

46:35

also, maybe you don't need training

46:38

in a certain area. In

46:40

that case, they'll help you tune your training

46:42

to be exactly what you need. Your

46:45

team only focuses on the skills that

46:47

make a difference in your organization, and you

46:50

can leave unnecessary training behind. Of

46:52

course, ACI learning has kept all the fun,

46:54

all the personality, all the informativeness of ITPro

46:56

TV. They're famous for it. While

46:58

amplifying their robust solutions for all your training

47:01

needs. Let your team be

47:03

entertained while they train, and

47:05

they love it too, with short form content, over

47:08

7,200 hours to choose from. You

47:11

might say, oh, it's got to be old. No, that's

47:13

brand new, up to date, because

47:15

they're always recording in their eight studios every

47:17

day of the week, so you're getting the

47:19

most up to date training. Visit

47:22

go.acilearning.com/twit for teams

47:26

that fill out the form. You get a free

47:28

trial and up to 65% off

47:30

an ITPro Enterprise Solution plan. Fill

47:33

out that form and find out how much you're going to save

47:35

at go.acilearning.com/twit.

47:39

We love these guys. They've

47:42

been such a great sponsor for more than a decade,

47:45

I think. It seems like they started in 2013. I

47:48

think they did. So, just keep up

47:50

the good work, and thank you, ACI

47:52

Learning. Now, back to Steve

47:54

Gibson, who is going to show us how to write a

47:56

proper quick sort. No, he's

47:59

not. going to do? No.

48:01

Although I would take that class Steve,

48:03

I would. I'd

48:06

sanitize your inputs. So

48:10

recall that last December 1st

48:13

Russia put a new

48:16

communications law into effect which

48:18

required all hosting providers of

48:21

Russian websites to

48:24

register with none other

48:26

than Roskomnadzor.

48:28

This

48:32

law requires all cloud and

48:35

web hosting providers to register with

48:37

the Roskomnadzor agency which is

48:39

of course Russia's

48:42

telecommunications watchdog. So

48:45

far 266

48:48

web hosting providers have

48:50

registered with Roskomnadzor,

48:53

and all are local

48:55

companies. Not a

48:58

single external provider has

49:00

registered. And those providers

49:03

are responsible, those providers,

49:05

the external providers, I'm sorry,

49:07

the external providers are responsible

49:10

for about one third of

49:13

all Russian websites. Now

49:16

I don't know what's up but this does

49:18

seem a little suspicious that not

49:20

a single external

49:23

provider has registered. So

49:26

it makes me wonder whether this is

49:28

actually like a

49:31

backhanded Russian way of forcing

49:34

the remaining one third of

49:37

Russian sites which are

49:39

currently being hosted

49:42

by external providers, none

49:45

of which suspiciously have registered and

49:47

all of which, and here's the

49:50

point, are subject to being cut

49:52

off at some point in

49:54

the future. If this is in

49:56

some way of forcing all the Russian

49:58

sites into mother

50:01

Russia's hosted services rather

50:03

than continuing to use you

50:06

know those non-russian territorial

50:08

providers. We'll see how

50:11

this goes, but Roskomnadzor

50:13

has made it clear that at

50:15

some point non-registered

50:18

providers will be cut off

50:20

from access to Russian

50:22

territory. So again

50:27

don't know what that means but we'll see. Also

50:31

last Tuesday Google's security

50:34

blog announced a very

50:36

nice sounding new feature

50:38

for Android's password manager.

50:42

The blog's title is Effortlessly

50:44

upgrade to passkeys

50:47

on Pixel phones with

50:49

Google Password Manager. Okay

50:52

so turns out this is less Google

50:55

specific than they're making it sound. Well

50:57

I'll explain that in a second. Here's

50:59

what Google said. They said Google is

51:01

working to accelerate passkey

51:04

adoption. That's good for everybody.

51:07

They said we've launched support for passkeys

51:09

on Google platforms such as Android

51:11

and Chrome and recently

51:13

we announced that we're making passkeys

51:15

a default option across

51:18

personal Google accounts. We're

51:21

also working with our partners across the industry

51:23

to make passkeys available on

51:25

more websites and apps which

51:27

as we know is what's required

51:29

for this to make any sense at all. Recently

51:32

they said we took things a step further. As

51:35

part of last December's Pixel

51:37

feature drop we introduced

51:40

a new feature to Google Password

51:42

Manager: passkey upgrades.

51:45

With this new feature Google Password

51:47

Manager will let you discover which

51:50

of your accounts

51:53

support passkeys and

51:55

help you upgrade with just a few

51:57

taps. The passkey

52:00

upgrade experience is now available on

52:02

Pixel phones starting with the Pixel

52:05

5a as well as

52:07

Pixel Tablet. Google Password Manager

52:09

will incorporate these updates for other platforms

52:11

in the future. Best

52:14

of all they wrote today we're

52:16

happy to announce that we've teamed

52:18

up with Adobe, Best

52:20

Buy, DocuSign, eBay,

52:22

Kayak, Money Forward,

52:24

Nintendo, PayPal, Uber,

52:26

Yahoo Japan and

52:29

soon TikTok to

52:31

help

52:33

bring you this easy

52:35

passkey upgrade experience and

52:37

usher you into the

52:40

passwordless future. They said

52:42

if you have an account with one

52:44

of these early launch partners Google

52:46

Password Manager on Pixel will

52:49

helpfully guide you to the

52:51

exact location on the

52:53

partners website or app where

52:56

you can upgrade to a passkey.

52:58

There's no need to manually hunt for

53:01

the option in account settings and

53:03

because the technology that makes this

53:06

possible is open, and, otherwise, yes,

53:08

it's actually not Google's, any

53:11

website or app as well as

53:13

any other password manager can

53:16

leverage it to help their

53:18

users upgrade to passkeys for

53:20

supported accounts. It's all

53:22

part of Google's commitment they said to help

53:25

making signing in easier and safer.

53:28

Okay so

53:32

they're saying that at launch this

53:34

initially works with Adobe, Best Buy, and

53:36

so forth but why them

53:38

and not everyone? You

53:41

know it's just that

53:43

this group is first to adopt

53:45

a new standard. We've

53:48

all seen how our password managers

53:50

are able to perform a security

53:53

checkup right like to notify

53:55

us when we may

53:58

have reused a password somewhere

54:00

where we're using the same password for

54:02

two different accounts. So

54:05

this is our password

54:08

managers being proactive about

54:10

our security. Well, it

54:12

turns out that there's an

54:14

open standard means by

54:17

which any website that supports

54:20

passkeys is able

54:22

to advertise the fact

54:25

that it supports passkeys

54:27

in a way that any

54:29

password manager is able

54:31

to check for and similarly

54:34

advise. I

54:36

did a bit of digging and I

54:38

found the page where Google describes this.

54:41

It's titled Promote Passkey

54:44

Upgrades in Google

54:46

Password Manager. Of course, this

54:49

actually applies to any password

54:51

manager that does this. There's

54:53

nothing Google password manager specific

54:56

about this. Anyway,

55:00

they wrote there,

55:02

this is

55:05

aimed at web

55:08

app and website developers. So

55:11

that's the portion of the site where this

55:13

was found. So talking to

55:15

website developers, they said integrating

55:18

passkeys into your app

55:20

or website is just the

55:22

beginning of your pass key journey. After

55:25

your initial deployment, one of the

55:27

challenges you will likely encounter is

55:29

making sure your users understand

55:31

what passkeys are and how

55:33

to create them. You

55:36

should suggest creating a pass

55:38

key immediately after the

55:40

user signs in using

55:42

their password and verifying with

55:44

a second factor. Remembering

55:47

passwords and entering one-time passwords

55:49

while switching between different apps

55:51

and tools can be frustrating

55:53

for users. Recommending the

55:55

creation of a passkey at this

55:57

moment is an opportune

56:00

time, as users are likely

56:02

feeling this frustration. In

56:05

addition to the self-managed

56:07

promotions, Google Password Manager

56:09

can now suggest creating a

56:11

new passkey on behalf of

56:13

your website or app. Okay,

56:16

so under

56:18

the user's experience, they say on Pixel

56:22

devices, Google Password

56:24

Manager discovers that

56:27

your website or app

56:29

supports passkeys, suggests

56:32

users to create a new passkey

56:34

and directs them to your passkey

56:36

creation page. Okay, so leaving

56:40

Google out of this, what

56:42

this is about is

56:44

a very welcome, standardized,

56:47

and uniform way for

56:49

any passkey-supporting site to

56:51

declare its support in

56:54

a machine-readable way. So

56:57

this is, as I said, more broadly than just

56:59

Google. This

57:02

means that any password manager

57:05

on any platform, are

57:08

you listening, Bitwarden? And

57:11

examine the entire inventory

57:14

of its users' saved

57:16

passwords, and use

57:19

this standardized protocol to

57:21

proactively check the web

57:23

domain of each password

57:26

for its support of

57:29

passkeys. And

57:31

if an available passkey had not

57:33

yet been configured on that account,

57:36

the password manager could

57:38

take the user directly to that

57:40

site's passkey setup page. The

57:44

standard used is, we've talked about

57:46

before, it's the

57:48

/.well-known

57:51

web directory,

57:53

which is located at the root

57:55

of a domain. And

57:58

there's a passkey-endpoints

58:01

JSON-formatted

58:03

file there under

58:06

that well-known directory that

58:08

contains two URLs, one

58:11

to enroll a new passkey and

58:13

another to manage existing passkeys. So

58:16

again, any passkey

58:19

supporting site should

58:21

take every opportunity to enroll its

58:23

users the next time they're logging

58:25

into the site and

58:28

that the site sees that

58:30

they're using a password-supporting client,

58:32

a passkey-supporting client. That's

58:35

the primary way we can expect

58:37

passkeys to become adopted. But

58:39

it will also be cool for

58:41

them to be able to come

58:43

at this from the direction of

58:46

the passkey-enabled password manager to have

58:48

them reveal the sites to which

58:50

we could enroll and switch over

58:53

to passkey logon authentication. I

58:55

agree. So very cool. Now

58:58

that Bitwarden supports passkeys, I find myself

59:01

much more likely to use it because

59:03

it's cross-platform because I work

59:05

on all platforms. So yeah, Apple, I

59:07

have my passkeys for some

59:09

things in my iPhone, but if it's not

59:11

everywhere, it's not useful. So I

59:13

really like it that Bitwarden supports it. And I've used it

59:15

a number of times now to log into Google and stuff,

59:17

and it's like, wow, that was easy.

59:21

That is good. I wish we'd done SQRL,

59:23

but hey, next best thing. We got what?

59:25

Well, if we just were fishes or something.

59:28

So okay. And

59:30

just a quick note that Mozilla has

59:32

added support

59:35

for post-quantum cryptography

59:38

to its developer Firefox

59:41

Nightly builds. So

59:43

we'll all be seeing it once the release

59:45

build is published on the main channel. It

59:48

can be enabled as soon

59:50

as it's available by

59:52

going to about:config

59:55

and then looking

59:57

for security.tls.enable_kyber.

1:00:00

K-Y-B-E-R. And the good

1:00:02

news is that Firefox has a search

1:00:04

in that about:config. Remember

1:00:07

how long that about:config is? I

1:00:09

mean it's ridiculous. The scroll bar

1:00:11

just disappears on screen. There's so many

1:00:14

things that you can tune and

1:00:16

tweak. So you're able to do a

1:00:18

substring search, so

1:00:20

you could just put in K-Y-

1:00:23

B-E-R and it would immediately

1:00:25

bring you to that. Interesting. I

1:00:27

know I just built a nice it

1:00:29

forward move. For Firefox of and

1:00:32

I got some feedback to

1:00:34

share before we get

1:00:37

to the main goody here. Jeff Zealand,

1:00:39

he said, Steve, I've been a listener

1:00:41

to security now for quite some time

1:00:43

and I've really enjoyed and gotten a

1:00:46

lot out of your Christ what he

1:00:48

calls the Correspondence School the weekend Doctor

1:00:50

every argument he said. I wanted to

1:00:52

let you know there is a way

1:00:55

to get your TOTP

1:00:57

tokens out of

1:00:59

LastPass. Oh it's a little

1:01:01

Python script that rebuilds the

1:01:03

QR codes for you. It

1:01:06

also allows you to print them

1:01:08

off in case you didn't know

1:01:10

about the quote Steve Gibson offline

1:01:12

backup and storage technique,

1:01:14

which of course is, well,

1:01:17

printing them all off. I have

1:01:19

printed out every QR code for

1:01:21

every one of my one-time

1:01:23

passwords and stapled them together

1:01:25

and they're

1:01:27

in a drawer. And

1:01:29

it's come in handy a couple times.

1:01:31

You know, I didn't have it, what

1:01:33

would I do

1:01:35

to bring up a new

1:01:37

device. So anyway, Jeff wrote later to

1:01:39

say I didn't write this. I didn't

1:01:41

mean to say that I wrote this

1:01:43

anyway I got a link to it.

1:01:45

It is, if you just,

1:01:47

it's on GitHub, if you search

1:01:49

for LastPass authenticator export, you'll

1:01:52

find it. Ah, I checked it out

1:01:54

and it looks nifty. is

1:01:58

It allows you to regenerate

1:02:01

your original QR codes

1:02:03

which you may have

1:02:05

fed to LastPass and

1:02:07

if so display

1:02:09

them, capture them by

1:02:11

a device that may be starved for them

1:02:14

or print them out. So anyway just a

1:02:16

cool note I wanted to make sure that

1:02:18

our listeners knew that was available. Thank you

1:02:20

Jeff. Brentie

1:02:23

said, RE, oddly

1:02:26

inflated app data. He

1:02:28

said if you look in

1:02:30

iPad or iOS Settings,

1:02:33

General, iPhone/iPad Storage, wait

1:02:36

for the list to load and then select an

1:02:38

app you'll see that the

1:02:40

size of the app itself is

1:02:42

listed separately from its documents and

1:02:44

data. He said, and this

1:02:47

is referring to a question that came

1:02:49

up last week, he said when trying

1:02:51

to free up some storage space previously

1:02:53

I found a few apps whose documents

1:02:55

and data appeared to be

1:02:58

way more than seemed reasonable. Remember

1:03:00

it was that some

1:03:03

Credit Karma was occupying

1:03:05

a gig of

1:03:08

space in some guy's phone and he's

1:03:10

like, what? So Brentie says

1:03:12

that he deleted

1:03:17

the app, reinstalled it

1:03:19

and it was now at

1:03:22

one tenth of the size it had been

1:03:24

previously. And you know he

1:03:26

said so my theory is that

1:03:28

some maybe many, maybe

1:03:30

most have logging, caching and likely

1:03:33

other unnecessary stale data that builds

1:03:35

up over time which they simply

1:03:37

don't bother to clean up on

1:03:40

their own. So yes deleting

1:03:42

and reinstalling you know

1:03:45

will likely save you a lot of space. Of

1:03:47

course I've always found the same is true with

1:03:49

setting up a new version of Windows. He's like,

1:03:51

oh well let's just start over again. Someone

1:03:55

whose handle is mental

1:03:57

calm today, he says,

1:04:00

Greetings Steve, long time SN

1:04:02

student, Club member, SpinRite

1:04:05

user. Yes, he says,

1:04:07

so excited that you have 6.1

1:04:09

ready for prime time.

1:04:11

I'm reaching out to say thanks

1:04:13

for your mention of LearnDMARC

1:04:15

yesterday, so he was tweeting

1:04:17

on Wednesday he said is really

1:04:19

helpful. DMARC is a confusing

1:04:22

protocol. So this

1:04:24

serves as a reminder to

1:04:26

me to mention that LearnDMARC

1:04:28

website that we mentioned, that's

1:04:30

L-E-A-R-N-

1:04:32

D-M-A-R-C dot

1:04:34

com. We mentioned and

1:04:37

took a look at last week,

1:04:39

it was a huge hit among

1:04:41

our listeners. From all the feedback

1:04:43

that I've seen, one person says

1:04:45

that the site was off line

1:04:47

and suggested maybe that it was

1:04:49

because we mentioned it. Well, that

1:04:51

would be flattering, except the nature

1:04:54

of a podcast is that

1:04:56

the listening is well distributed in

1:04:58

time, so it's not like

1:05:00

a purely live event

1:05:02

where we bring a website

1:05:04

down by talking about it.

1:05:07

And

1:05:09

I guess we used

1:05:11

to do that back in

1:05:13

the TechTV days, like

1:05:15

Slashdotting a site.

1:05:17

Right, right, right. It's been a

1:05:19

while since we've done that.

1:05:21

The Internet's more robust, and frankly

1:05:23

having downloads distributed is a good

1:05:25

thing because it's

1:05:27

better for everybody. Ron tweeted, hi

1:05:29

Steve this is in regards to

1:05:31

Sync. I messaged them after your

1:05:33

item on Security Now, and

1:05:35

this is what I received. He

1:05:38

said, and then he quoted

1:05:40

me what Sync responded, saying hi

1:05:42

there Rod, Bailey from Sync

1:05:44

here. Thanks for reaching

1:05:46

out. There was a bug identified

1:05:48

within the Sync mobile app

1:05:51

regarding the iOS Files app

1:05:53

integration which prevented folks from navigating

1:05:55

within the Sync folders, files and

1:05:57

vault via the

1:05:59

Files app. Users were still able

1:06:01

to navigate within the Sync mobile app.

1:06:04

This files app integration bug has now

1:06:06

been resolved. There's a link to it.

1:06:08

Let us know if you have any

1:06:10

suggestions, any further suggestions.

1:06:12

Thanks again, writes Bailey from Sync. So

1:06:15

anyway, just a follow up to

1:06:18

that previous listener who

1:06:21

was feeling a little despondent because

1:06:23

the reply he got from Sync

1:06:25

suggested that, well, yeah, so

1:06:29

don't do that. You know, we'll

1:06:31

get around to it someday. You

1:06:34

know, that put us all off of Sync a

1:06:36

little bit. It was like, what? But apparently that

1:06:38

was a red herring. Sync

1:06:41

did get on it quickly and fixed it

1:06:43

and it's back up and running. So thank

1:06:45

you, everybody. Jonathan

1:06:48

Rouse said, hello, Mr.

1:06:50

Gibson, exclamation point. Firstly,

1:06:53

you have been a role model for me all

1:06:56

throughout high school, college, and now

1:06:58

as I redirect my career into

1:07:00

education. Nice. Thank you for the

1:07:02

hours of laughs and education, as

1:07:05

well as Leo and the rest

1:07:07

of the twit team. I

1:07:09

figured you might want to see the response

1:07:12

Windows Defender gave, and then

1:07:14

he cites the version of

1:07:16

Windows Defender, when downloading the

1:07:19

Spinrite 6.1 prerelease. After

1:07:22

manually allowing the program, it went along

1:07:24

perfectly in creating a USB

1:07:26

boot drive, but regardless, I wanted

1:07:29

to show you what I encountered.

1:07:31

I'm hoping the new and improved

1:07:33

ISO created will work with Ventoy

1:07:35

bootable drives as well, and I

1:07:38

can't wait to try it out. Thanks

1:07:40

again for all the years of dedication, and

1:07:42

I hope to be half the teacher you

1:07:44

seem to be in your sleep. So

1:07:47

first of all, Jonathan. You're not sleeping. I want to

1:07:49

point out. I can only say, and I

1:07:52

know that you, Leo, feel similarly, that

1:07:54

I am so pleased that this podcast

1:07:57

and twit have been so useful to

1:07:59

you. You bet. You bet. Yeah. The

1:08:02

good news is that since you're just starting

1:08:04

out, you have a lifetime

1:08:06

of teaching ahead of you. So

1:08:09

I do wish you all the best as you

1:08:11

launch into your career. As

1:08:13

for Windows Defender's reactions to Spinrite,

1:08:16

yes, it continues to be an

1:08:18

annoyance, but I

1:08:20

noted that he sent his tweet last

1:08:22

Tuesday and things may have become better

1:08:24

since. Most recent

1:08:27

experimentation suggests that Windows Defender

1:08:29

is happier. And as

1:08:31

for Ventoy, you will likely

1:08:33

have discovered that Spinrite 6.1 and

1:08:36

Ventoy are not getting along currently, but

1:08:38

that will be resolved shortly. I'll have

1:08:40

more to say about Ventoy in a

1:08:42

minute when I update everybody about Spinrite.

1:08:44

Yeah, huge fan of Ventoy. I really

1:08:46

like that. I use it all the

1:08:48

time. Thank you. Good. Good. Very

1:08:50

nice. Yeah.

1:08:53

Another Thomas is his

1:08:55

handle. He said at

1:08:58

SGgrc, about crypto-signing

1:09:00

camera. He said, it

1:09:02

can work if the private

1:09:04

key is in a removable

1:09:06

HSM assigned to the photographer.

1:09:10

He slash, or she slash he

1:09:12

will then be able to prove

1:09:14

that she slash he is the

1:09:16

author. Now, okay,

1:09:19

that is some nice thinking outside the

1:09:21

box, or in this case, outside the

1:09:23

camera. If

1:09:26

this were done, it would

1:09:28

make the private key about

1:09:31

the owner of

1:09:33

the key not about

1:09:35

the camera. Right. And

1:09:37

the key is presumably more easily

1:09:39

protected by them than having the

1:09:41

key locked inside the camera. You

1:09:44

know, you still have to protect the

1:09:46

key, but owners would have the incentive

1:09:48

to do that since their photographic reputation

1:09:50

is on the line. So

1:09:53

Anyway, I haven't heard anyone talk about

1:09:55

that. I Think that's a very neat

1:09:57

idea. It's not the problem that they're

1:09:59

trying to solve. They're trying to

1:10:01

solve the problem of the authenticity

1:10:03

of the photo. Andrew

1:10:06

and I just I ever been

1:10:08

playing with his. Contents.

1:10:11

That. You call it what is it was name for

1:10:13

it. Can. Try said at the

1:10:15

content production. Yeah stuff. Yeah and I

1:10:18

have a turned on on my camera

1:10:20

right now. And

1:10:22

eight associates the serial number I guess

1:10:24

with the name i don't you know

1:10:27

it. Now you can remove it. You

1:10:29

absolutely can remove it because you can

1:10:31

remove any EXIF information. In

1:10:33

a photo. By

1:10:35

just JPEGing it and, you know, same. Don't

1:10:37

save the EXIF. There's lots of ways to strip

1:10:40

off EXIF, but I guess the point is that

1:10:43

This is gonna be used by news organizations

1:10:45

where they though they can. They. Aren't

1:10:47

going remove it and they can provable probably

1:10:49

say this is created by the Scott Camera.

1:10:52

At this time and that can't be

1:10:54

can be modified sir. right? I

1:10:57

you know if I had my ideas that this is

1:10:59

this photo is not a fake. Is

1:11:01

if you know. and here's a chain of

1:11:03

custody. it even shows. And this information. you

1:11:05

know how I edited it. And

1:11:07

and so forth. Know what? What? Program

1:11:09

was used as I think it shows that. Somewhere

1:11:11

maybe not on this. One, But it does

1:11:13

that. I know that the I know that

1:11:16

the as if you're using Adobe's tools yeah

1:11:18

of which are the only ones that are

1:11:20

authorized do This guy does absolutely. Ah

1:11:22

you know create basically as a

1:11:25

as a chain of custody throughout

1:11:27

he editing yes yes and and

1:11:29

and you make really good point

1:11:31

because it's. If.

1:11:34

It's not trying to authenticate

1:11:36

the reputation. Of the

1:11:39

not as not tried to

1:11:41

authenticate the reputation of the

1:11:43

person who took the picture.

1:11:45

Your is it The reputation

1:11:47

is assumed like you know

1:11:49

it as a job, as

1:11:51

a as an accredited. Oh.

1:11:54

Well, no news agency. Which brings

1:11:56

us to the next question. The

1:11:58

Dell Anderson Nasty. The Grateful:

1:12:00

you're going past 999,

1:12:03

can't help but ask a basic

1:12:05

question about digital camera authentication. What

1:12:07

would prevent a very low tech

1:12:10

work around? Where the digital

1:12:12

camera, like the Nikon,

1:12:14

Leica, etc., takes a

1:12:16

perfectly authenticated photograph. Of.

1:12:18

A digitally manipulated image.

1:12:21

Ah. Excellent

1:12:24

point and analog look at all. Yep,

1:12:27

How would this fancy Nikon camera

1:12:29

know what it was photographing a

1:12:31

high-resolution 2D image

1:12:33

rather than reality? Yup, And

1:12:36

so I replied to Dell that I

1:12:38

had the same thought as I imagine

1:12:41

many of us have. The problem is

1:12:43

that the authentication. And

1:12:45

I have that in quotes

1:12:47

does not and cannot extend

1:12:49

out to the actual

1:12:52

landscape or subject that's being

1:12:54

photographed. Designing technologies

1:12:56

intended to prevent the

1:12:59

manipulation of an image's

1:13:01

digital recording after it's

1:13:03

been captured optically.

1:13:06

But doesn't this

1:13:08

beg the question? What's to prevent

1:13:10

someone from presenting a fake scene

1:13:12

to the camera to capture and

1:13:14

then sign? The. Now I

1:13:16

understand that this is a

1:13:19

different problem. This is not

1:13:21

the problem this camera was

1:13:24

designed to prevent. This camera

1:13:26

was designed to prevent undetected

1:13:28

post image capture manipulation. And

1:13:31

what it was designed to prevent is

1:13:33

a significant problem. No, so

1:13:35

anyway. I think that you

1:13:38

know. What we

1:13:40

have to keep in mind is the

1:13:42

threat model. And. What

1:13:44

it is we're trying to say

1:13:46

we are able to say

1:13:48

at all. Leo, you instantly got

1:13:51

we're unable to say that what

1:13:53

they hope, that the scene that the camera

1:13:55

took a picture of was authentic. What we

1:13:58

are able to say is to the best

1:14:00

of our ability after the

1:14:02

camera took the picture, we know

1:14:04

exactly what was done to

1:14:08

it in a verifiable fashion. So

1:14:10

again, and what's

1:14:12

cool about this is we talk about

1:14:14

threat models and what we can and

1:14:16

cannot assert in

1:14:19

the realm of security. So here's a

1:14:22

perfect example of what we can and

1:14:24

cannot assert and what we can and

1:14:26

cannot protect. Which

1:14:29

by the way, and I want to thank you,

1:14:31

gave me an excuse to buy a new camera.

1:14:33

So I appreciate that, Steve. Oh Leo, for that

1:14:35

research, you had to have that. I had to

1:14:37

do it. Absolutely. Exactly. And

1:14:40

if the IRS ever audits you and

1:14:42

says, I'll give them this, give

1:14:44

them, give you exactly if you don't,

1:14:46

absolutely important that you were able to

1:14:49

demonstrate that. Slartibartfast.

1:14:52

I love the name. You

1:14:54

know where that's from. We know where it came

1:14:56

from. Yeah, yeah, yeah. Right. I

1:14:59

wonder if Google needs native iOS engine

1:15:01

to make the new

1:15:03

ad auction stuff work. And

1:15:06

the answer is absolutely and

1:15:08

without question. The

1:15:11

entire Privacy Sandbox API

1:15:13

is a collection of new

1:15:16

web browser features intrinsic

1:15:18

to the web

1:15:20

browser that requires a bunch of

1:15:23

data storage locally. I'm

1:15:25

sure this is why

1:15:27

they've been working on

1:15:29

a native implementation for

1:15:31

iOS even though it isn't

1:15:33

clear to the outside world how they might

1:15:35

get it into iOS. There

1:15:39

is so much that we don't know yet about

1:15:42

how we're going to get to where we

1:15:44

are today. Google

1:15:49

wants to move the entire world

1:15:51

and moving the world is no

1:15:53

exaggeration. Given that

1:15:55

advertising supports the Internet, the

1:15:58

required size of this change

1:16:00

would be difficult to understate.

1:16:03

Like everything needs to

1:16:05

change. Google already has

1:16:07

control of nearly all desktops and

1:16:09

Android which are the majority of

1:16:12

smartphones. So I guess my questions

1:16:14

are, what are

1:16:16

Mozilla and Apple thinking about

1:16:18

this? You know, what conversations

1:16:21

may be going on among

1:16:23

them because this is

1:16:26

big stuff and actually this is the,

1:16:29

this is what we're gonna be talking about here as we

1:16:32

end today's podcast. Eon

1:16:35

tweeted and I know what his

1:16:37

first name is, it's not actually

1:16:39

Eon, he said, Steven, I'm

1:16:42

personally inviting you to

1:16:45

the gathering of the Stevens.

1:16:49

Note how it's written. I love it.

1:16:51

Yes. It's PHV.

1:16:53

He said next year in 2025 we're going to set a

1:16:55

Guinness World Record for the

1:17:05

most people named Steven in

1:17:08

one area. First

1:17:10

goal, gather the Stevens in this

1:17:13

discord and he provided a link.

1:17:15

Next goal, conquer the world.

1:17:18

He said, you

1:17:20

down? You down.

1:17:23

I thanked Eon, whose first name

1:17:25

is presumably Steven, for

1:17:27

thinking of me, but I explained

1:17:29

that I was pretty sure that

1:17:31

traveling to a massive meeting of

1:17:34

meeting of people with

1:17:36

whom I phonetically share a first

1:17:38

name for the sake of contributing

1:17:41

with my presence to the setting of

1:17:43

a Guinness Book Record is not

1:17:45

something that when the time was approaching I

1:17:48

would be glad I was taking the time to do.

1:17:50

But I told him

1:17:52

that I looked forward to hearing

1:17:54

more about how it goes even

1:17:57

in absentia. So thank you, Steven.

1:18:00

We're having fun creating the

1:18:03

regular expression for Steven with

1:18:05

a pH or of the

1:18:07

discord. I think

1:18:09

we got it actually. Curly

1:18:12

braces and then a couple brackets

1:18:14

and an or. Okay,

1:18:21

so we've all seen video segments of

1:18:24

complex manufacturing facilities where

1:18:26

thousands, if not hundreds

1:18:28

of thousands of cans

1:18:31

or something, bottles or boxes

1:18:34

or whatever, are moving

1:18:36

through a complex system that's

1:18:38

sorting and spinning and stamping

1:18:40

and printing or counting or

1:18:43

whatever it's doing. Like

1:18:45

these crazy looking manufacturing facilities,

1:18:51

treadmills and gates

1:18:53

opening and closing, routing stuff. I love that

1:18:55

stuff. It's one of the things I love

1:18:58

on TikTok is there's a bunch of TikTok

1:19:00

videos of how stuff's made. It's

1:19:02

always fascinating. Oh, very cool. Yeah. So

1:19:07

just as some of

1:19:09

those pre-electronics early

1:19:11

computers used banks

1:19:14

of mechanical relays, back

1:19:17

before the advent of computers, process

1:19:19

control engineers, as they're

1:19:22

called, would design insanely

1:19:24

complex control systems built

1:19:27

up from individual mechanical

1:19:29

relays. We would

1:19:31

call such a system discrete

1:19:34

as opposed to integrated. Then

1:19:37

blessedly, integrated electronic

1:19:40

solutions became cost effective

1:19:43

and these large process

1:19:45

control solutions were replaced

1:19:47

by PLC systems, Programmable

1:19:50

Logic Controllers. These

1:19:52

PLCs were not very smart because they

1:19:54

didn't need to be. Basically, they were

1:19:56

replacing a bunch of relays. They

1:19:59

were essentially if A then

1:20:01

B wait until

1:20:03

C then do D

1:20:06

and once E go back to the

1:20:08

start but being

1:20:11

solid state they were at

1:20:13

least more reliable. Now

1:20:16

remember that we have the term of

1:20:19

a hardware or software bug

1:20:22

because back in 1947 a dead moth you know

1:20:26

a bug was found to

1:20:29

be the underlying cause of

1:20:31

Harvard's Mark II relay

1:20:33

computer not working correctly.

1:20:36

Anyway you know relays are

1:20:39

not as reliable as solid state

1:20:41

because you know they can actually

1:20:43

have bugs. Anyway we

1:20:45

talked about these PLCs on

1:20:49

this podcast multiple times because attaching

1:20:51

them to the internet has turned

1:20:53

out to be a generally

1:20:56

really bad idea. They

1:20:58

were never designed for that and it

1:21:00

hasn't been turning out well. I'm

1:21:03

bringing all this up today because

1:21:05

I received a long insightful and

1:21:08

interesting direct message from

1:21:10

a listener whose thoughts about the problems

1:21:13

with PLCs are worth sharing. Here's

1:21:15

what Dylan wrote. He

1:21:18

said good day. I'm

1:21:20

an engineer and occasionally work

1:21:23

with programmable logic controllers and

1:21:25

I have some thoughts on why

1:21:28

these sadly make the news in

1:21:30

a bad way sometimes. I

1:21:32

believe most of the problems boil

1:21:34

down to two root causes. Number

1:21:37

one increased demand

1:21:40

for real-time data.

1:21:44

Just like the CAN bus

1:21:46

protocol in the automotive industry

1:21:49

PLCs were invented and took

1:21:51

hold in manufacturing when security

1:21:53

was not a concern. As

1:21:56

time went on protocols were

1:21:58

developed to have PLCs talk

1:22:00

to each other and to

1:22:02

advanced peripherals like motor controllers,

1:22:05

touch screens, printers, or even

1:22:07

SCADA, Supervisory Control

1:22:09

and Data Acquisition Computers. I

1:22:12

believe the demand for telemetry

1:22:15

and data aggregation is the

1:22:18

real reason most PLCs

1:22:20

get exposed not

1:22:22

because remote WAN side

1:22:24

control is needed or

1:22:27

used. I have experienced

1:22:29

this. Management

1:22:32

wants to know how many

1:22:34

widgets were produced, how

1:22:36

fast they were produced, how

1:22:39

many passed QC, was

1:22:41

there downtime, was it planned,

1:22:44

are there idle shift hours, is

1:22:46

one shift of operators more efficient

1:22:48

than another, and on and on

1:22:50

and on. He

1:22:52

says, I don't need or want

1:22:55

to remotely access a PLC in

1:22:57

a machine to change

1:22:59

anything about it. It

1:23:01

has done the same job over

1:23:04

and over and over correctly

1:23:06

for a decade. But

1:23:08

the data the PLC can store

1:23:11

and transmit is the reason it's

1:23:13

connected to a network and polled

1:23:15

every 15 minutes for new

1:23:17

numbers. To satisfy

1:23:20

this need, PLC manufacturers

1:23:22

are building in web

1:23:24

servers, SQLite

1:23:26

databases, TCP/IP

1:23:29

stacks, and a lot of

1:23:31

things that have no business

1:23:33

being attached to a device

1:23:35

based on 1960s technology that

1:23:38

has no provision for

1:23:40

security. Again, going

1:23:43

back to the automotive comparison,

1:23:45

the inventors of CAN bus

1:23:48

at Robert Bosch Company

1:23:50

could not have imagined cars

1:23:53

would be driving down the

1:23:55

road with IP addresses connected

1:23:57

to a global network all

1:23:59

the time, and would

1:24:01

have security flaws that let

1:24:04

anyone observe and change CAN

1:24:06

bus communications inside the vehicle.

1:24:11

And then he says number two, security

1:24:14

conscious staff are

1:24:16

not involved with PLCs. Even

1:24:19

though many consider PLCs to be outdated,

1:24:22

at the end of

1:24:24

the day they are exactly like

1:24:26

an Arduino or similar microcontroller. They

1:24:29

store a program that is executed in

1:24:31

a loop at high speed

1:24:33

and the code is evaluated

1:24:35

every scan through the ladder

1:24:37

logic. And just a

1:24:40

quick plug, they do

1:24:42

this for decades in terrible

1:24:44

environments with noisy electrical signals

1:24:47

and with fantastic circuit protections.

1:24:50

Reverse the polarity on your Arduino

1:24:52

and you're going to Amazon to

1:24:55

shop for another one. Reverse

1:24:58

the polarity on a PLC, not

1:25:00

a darn thing happens. You'll realize

1:25:02

you made a stupid mistake, flip

1:25:04

the polarity back and everything works.

1:25:07

Anyway, he says, the people

1:25:09

who program these are aging

1:25:11

out and I

1:25:14

suspect globally fewer people know

1:25:16

how to program ladder logic

1:25:18

than did twenty years

1:25:20

ago. I'm thirty-six and

1:25:22

I learned to program them fifteen

1:25:24

years ago, but it seems

1:25:27

I'm in the minority in my age

1:25:29

group amongst peers in my industry. My

1:25:32

observation is this, IT

1:25:34

people don't understand or

1:25:36

want to understand PLCs

1:25:39

and PLC programmers have no

1:25:42

incentive or instruction to make

1:25:44

the devices secure. IT

1:25:47

staff doesn't consult with the programmers

1:25:49

to tell them what security practices

1:25:51

they should follow or review the

1:25:54

final configuration of the PLC. Conversely,

1:25:57

the programmer just needs the

1:25:59

machine to work. And they're

1:26:02

probably fighting numerous mechanical, electrical,

1:26:04

and pneumatic problems while

1:26:06

completing the programming and ... Those pneumatic

1:26:08

problems, yeah. Yeah, we had a pneumatic

1:26:10

problem. That's why I didn't get the

1:26:13

code. Do not underestimate those. They can

1:26:15

be a nightmare. You

1:26:17

do not want a problem with your air pressure.

1:26:21

No. Any extra changes could break

1:26:23

the house of cards they've been

1:26:26

building. Everything seems

1:26:28

to be working, but all that

1:26:30

remains is a communication problem. Some

1:26:33

PLCs have manuals 700 to 1,000 pages

1:26:36

long, and various communication features are scattered

1:26:42

throughout the PDF. No

1:26:44

organization there. An

1:26:46

inexperienced programmer engineer who's under

1:26:49

pressure to complete

1:26:52

the already late project

1:26:54

might just start turning

1:26:56

everything on, even if

1:26:58

they don't know what it is or what

1:27:00

the risks are. Require

1:27:03

authentication? Nah. Uncheck

1:27:06

that box. That could

1:27:08

be the problem. Max

1:27:10

number of connections equal one? Well,

1:27:12

I don't know what counts and

1:27:15

what doesn't, so let's just set it to 10. Set

1:27:19

admin password? Better make

1:27:21

sure that's blank or default. Don't

1:27:25

want to keep something from connecting. Oh,

1:27:27

and don't change the port number. That

1:27:29

other device over there might be assuming

1:27:31

the default port is used, and we

1:27:33

don't want to break something that works

1:27:35

now and lose ground. He

1:27:38

says, honestly, I don't

1:27:40

even think we ever are going

1:27:42

to fix this. Either industries

1:27:44

will eventually move to more

1:27:47

advanced systems, which is already

1:27:49

happening in some cases, like

1:27:51

PC-based control with National Instruments

1:27:54

LabVIEW or their competitors, or

1:27:57

existing older PLCs just need to

1:27:59

be caged, kept in a DMZ

1:28:01

or well guarded network segment.

1:28:04

The trouble is, when things aren't

1:28:06

broke, they don't get fixed. So

1:28:09

already exposed or at risk PLCs

1:28:11

are just going to be sitting

1:28:13

there, connected to networks to harvest

1:28:15

data, waiting to be leveraged for

1:28:18

attacks. And these

1:28:20

are the things that keep massive swaths

1:28:22

of our public utilities functioning. So

1:28:26

Dylan, I think you got all

1:28:28

of that exactly right. And

1:28:31

I've said it before, I'm sure this won't

1:28:33

be the last time I say it, this

1:28:35

podcast has amazing listeners. No kidding. So thank

1:28:37

you Dylan. There's something cool about PLCs. Is

1:28:41

it kind of writing in assembly language to write

1:28:43

to one? Yeah, it's

1:28:45

a very low level tree logic.

1:28:49

So it's literally if A then

1:28:51

B, if not or

1:28:53

wait this long then trigger this.

1:28:55

I mean it is the thing

1:28:57

that moves the arms back and

1:29:00

forth in those assembly

1:29:02

lines. I'm sure there are high level

1:29:04

interfaces though, to C or, you

1:29:06

know, Forth was originally designed to do that,

1:29:09

to program those things. Well

1:29:11

Forth was designed to aim a radio

1:29:14

telescope. That's right. Yeah.

1:29:17

And I imagine the aiming mechanism

1:29:19

was something like a PLC. It

1:29:21

was definitely turn motor on, wait

1:29:23

till star moves to center, turn

1:29:26

motor off. Yeah, Charles Moore. Yeah.

1:29:29

Yep. I love this stuff. There's

1:29:31

something cool about putting your code in

1:29:34

a hardware device. Well

1:29:36

Leo, it's a robot. Robots

1:29:38

are cool. Very cool. So

1:29:40

it's cool about, I mean like

1:29:43

the way to motivate grade schoolers

1:29:45

is... Robots. Remember,

1:29:47

logo was the original... Yeah, little

1:29:50

turtle logic. Yeah. Exactly.

1:29:54

Yeah. And of course FIRST is a great

1:29:56

way for high school students to get into robotics, the

1:29:58

FIRST competition. Yeah, you're right. That's

1:30:01

cool. I think the idea and and

1:30:03

I think also that's where What

1:30:06

is that? World that you

1:30:08

create a Lego block thing. Yeah,

1:30:10

Roblox. Yeah Roblox They're absolutely learning

1:30:12

that kind of logic in Roblox.

1:30:14

Yeah, exactly what they're learning. Yeah

1:30:17

Man, I wish I you know, I would wish

1:30:20

I had another 50 or 60 years. I'd like to really

1:30:22

get into some of this stuff Very

1:30:24

cool. Okay. Well lastly just quickly

1:30:27

on the Spinrite front. Last

1:30:29

week, I rewrote GRC's

1:30:31

code signing system my

1:30:34

original. I just rewrote it in a

1:30:36

week. No bigs Well, I knew

1:30:39

how it worked by then it took me a month

1:30:41

to get it working the first time But yeah, I

1:30:43

did rewrite it because it the

1:30:46

way I had done it which was To

1:30:49

build the code signing into GRC's

1:30:51

server code had not proven to

1:30:53

be 100% reliable and It

1:30:57

needs to be it turned out that when

1:30:59

I was restarting the server The

1:31:02

code signing system did not like that

1:31:04

restart. So that was a problem anyway

1:31:06

So I redesigned the system under

1:31:09

a client server model where we

1:31:11

now have code signing as a

1:31:13

service The code signing

1:31:15

service runs in the background with the

1:31:18

web server being the service's client, sending

1:31:20

it files to be signed So

1:31:23

and so far I'm feeling really good about

1:31:26

it. It came up It

1:31:28

worked the first time and it has

1:31:30

been flawless ever since it has never

1:31:32

stumbled or had a problem So this

1:31:34

feels like exactly the right solution Oh

1:31:36

and in the process I was able

1:31:38

to switch the signing from using

1:31:40

SHA-1 over to SHA-256. So

1:31:44

that feels better too. Now Spinrite's

1:31:47

paint continues to dry nicely.

1:31:50

One popular tool Which

1:31:53

I think is the right way to put it

1:31:55

popular tool for for carrying

1:31:57

around and booting ISO image

1:32:00

files is something called

1:32:02

Ventoy, which Leo you obviously are

1:32:04

a fan of. When

1:32:07

I initially heard someone report that Spinrite

1:32:10

6's ISO Spinrite 6.0's ISO files worked

1:32:16

fine with Ventoy, but

1:32:18

the various pre-releases of

1:32:20

Spinrite 6.1 did not,

1:32:23

I planned to eventually get around to looking into

1:32:25

what was going on with that. That's

1:32:27

the sort of thing one does while the

1:32:30

paint is drying. So once

1:32:32

I got the signing system redesigned

1:32:35

and apparently finally working perfectly, I

1:32:37

took a look at Ventoy, which

1:32:39

I've never used since I don't

1:32:41

do a lot of portable ISO

1:32:43

image booting. Yeah, it's widely used

1:32:45

for things like having 20 Linux

1:32:47

distros on a single USB key.

1:32:50

Which you are welcome to. Well,

1:32:54

here's a good example. I would love

1:32:56

that Spinrite plus the Windows installer on

1:32:59

a single USB key and be able

1:33:01

to switch between the two, right? So

1:33:03

I brought myself up to speed

1:33:06

on Sunday. It is a

1:33:08

very slick open source project and

1:33:10

tool. It's installed

1:33:12

onto a USB thumb drive,

1:33:14

then you simply drop ISO

1:33:16

files into its directory. When

1:33:19

that drive is then booted, it presents

1:33:21

a list of the ISO files it

1:33:23

found and allows its user to select

1:33:25

any of them to be booted. So

1:33:29

I certainly understand its appeal for

1:33:31

anyone who wants to carry a

1:33:34

toolkit around on a thumb drive. Okay,

1:33:37

anyway, it turns out that

1:33:40

the DOS environment Ventoy

1:33:42

creates does not have

1:33:45

or the PC machine environment

1:33:49

that DOS boots into

1:33:53

doesn't have the HMA. That's

1:33:56

the high memory area. Now,

1:33:59

okay. The high memory area is

1:34:02

one of the cleverest hacks ever invented.

1:34:05

Underscore hack, however. It

1:34:07

is a hack. It

1:34:10

is a 64K memory

1:34:12

segment that starts at

1:34:16

FFFF, the

1:34:18

last 16-byte paragraph

1:34:21

of the machine's first 1

1:34:23

megabyte of RAM. Its

1:34:27

memory in a segmented memory

1:34:29

model is referenced by a

1:34:31

positive offset from the start

1:34:33

of a segment. Starting

1:34:36

a segment at FFFF

1:34:39

allows for accessing 64K

1:34:44

minus 16 bytes past

1:34:47

the 1 megabyte point. In

1:34:50

other words, this allowed PCs

1:34:53

still running in real mode to

1:34:55

access an additional 64K of RAM.

1:35:00

When they were only supposed to

1:35:02

be able to access a megabyte,

1:35:04

it's actually a megabyte plus 64K

1:35:06

minus 16 bytes. Anyway,

1:35:09

it is a neat hack that the

1:35:11

PC industry came up with and adopted

1:35:13

in the later years of DOS and

1:35:15

all recent DOS's have been able to

1:35:18

load themselves and their buffers into

1:35:20

that region in order to

1:35:22

leave more conventional memory available for their programs

1:35:24

to run. Since

1:35:27

the DOS execution environment created

1:35:29

by Ventoy does not provide

1:35:31

that, it forces

1:35:33

DOS to load low. It

1:35:36

turns out that there is just

1:35:39

barely insufficient RAM

1:35:41

left over for

1:35:44

Spinrite 6.1 to run. I

1:35:49

mean just barely. It

1:35:51

turns out that the slightly

1:35:53

smaller size of an unsigned

1:35:56

version of Spinrite, which is

1:35:58

a few Ks smaller,

1:36:01

does run. You know as

1:36:04

easily does the much smaller

1:36:06

DOS only Spinrite executable. So

1:36:09

after today's podcast I'm

1:36:12

going to tweak the Windows component

1:36:14

of Spinrite which is why we

1:36:16

let paint dry just

1:36:18

a bit so that

1:36:20

the bootable ISO image it

1:36:23

builds will contain

1:36:25

Spinrite's 81K DOS executable rather

1:36:30

than the full 250K

1:36:33

hybrid DOS and Windows

1:36:36

executable. That smaller Spinrite

1:36:38

for DOS should then run without

1:36:40

any trouble under Ventoy and a

1:36:43

bootable ISO has no need for

1:36:45

the full larger Windows version anyway.

1:36:47

In the meantime

1:36:51

nothing new not one new

1:36:54

bug has appeared in the last

1:36:56

several weeks despite the fact that

1:36:58

more than a thousand people now

1:37:00

have downloaded and have been using

1:37:02

the pre-release this release candidate 6

1:37:06

of 6.1. So I'm going to

1:37:08

continue to let us paint dry

1:37:10

while I work to get this

1:37:12

new Spinrite documented online then on

1:37:14

bringing up GRC's email system and

1:37:17

at that point we'll start letting

1:37:19

everyone know that it

1:37:21

is ready for prime time. Very good.

1:37:23

How exciting. That is

1:37:25

very exciting and

1:37:28

Leo let's tell our listeners about the

1:37:30

advertiser they're excited to hear about. I

1:37:32

will. Then we're

1:37:35

going to do

1:37:38

something exciting and fun. Look at something

1:37:41

very disturbing. Oh well

1:37:44

you want something disturbing I got a real

1:37:46

story just came in 3 million malware

1:37:49

infected smart toothbrushes have

1:37:53

been used in Swiss DDoS

1:37:55

attacks. These toothbrushes I

1:37:57

have one at home, brand

1:37:59

new. They have a

1:38:02

processor and apparently they're

1:38:04

hackable and have been enslaved.

1:38:06

That's a little bit of an inappropriate

1:38:10

word, into botnets, conscripted.

1:38:12

How about that? Into botnets and

1:38:15

used in DDoS attacks. Can

1:38:18

you believe that? This

1:38:20

is from Tom's Hardware. Thank you,

1:38:22

Tom's Hardware, for that dystopian vision.

1:38:24

You might want to secure your toothbrush. I

1:38:27

don't know how you would do that. You

1:38:31

can't think... I guess they're online. They're

1:38:33

online. I don't know what you can do to... You

1:38:36

know? And

1:38:38

I also want to plug, before we get into the ad,

1:38:40

I want to mention ClubTwit. One

1:38:43

of your correspondents there mentioned that he was a

1:38:46

club member. I'm hoping people are saying, well, what is

1:38:48

that? Well, it is how we

1:38:50

are supporting this effort going forward. Steve says we're

1:38:52

going past 999. We're

1:38:55

maybe a little less buoyant

1:38:58

about the prospect. We've

1:39:01

decided that in order to really keep this thing

1:39:03

going, and we really, really want to keep it

1:39:05

going, we need to get you

1:39:07

involved, our listeners. I always had that as the

1:39:09

vision. I always really wanted this

1:39:11

to be ad... not

1:39:14

ad supported, but listener supported. And

1:39:18

the nice thing about having ad support was we can

1:39:20

make it available for free, and we will. We

1:39:22

will continue to do so. Most of the people can't afford it.

1:39:24

But if you can, $7 a month

1:39:27

gets you ad-free versions of all of our shows.

1:39:30

It gets you access to special shows

1:39:32

we don't put out anywhere else,

1:39:34

like Scott Wilkinson's home

1:39:37

theater geeks. iOS Today

1:39:39

is now inside the club. The

1:39:43

Untitled Linux show, hands on Mac, hands on Windows.

1:39:46

A lot of great content. Plus,

1:39:49

you also get access to one of the

1:39:51

best communities ever, which is our ClubTwit Discord.

1:39:53

Everybody who's there paid at least $7 a month

1:39:55

to be there. You'd be amazed

1:39:58

at how that improves the... level of

1:40:01

discourse, you know, eliminates trolling.

1:40:04

People are great, they're nice, they're smart,

1:40:06

we have wonderful conversations. If

1:40:08

you're interested and you'd like to keep this show going

1:40:11

and all of our shows going, we would love you

1:40:13

to be part of the club. All

1:40:16

you have to, in fact, if we just get, if

1:40:18

today we're at 10,922 paid members, all we need is 78 more members

1:40:20

right now. If we can cross that

1:40:26

11,000 mark right now, that

1:40:28

would make me feel pretty darn

1:40:30

good. Visit twit.tv/clubtwit

1:40:33

and join the fun. And

1:40:35

we thank you in advance for your support. I

1:40:37

should mention, of course, our sponsors are very much

1:40:40

a part of what we do still. We love

1:40:42

them. And our sponsor for this

1:40:44

segment of security now is Vanta. From

1:40:47

dozens of spreadsheets, yeah, people still

1:40:49

use spreadsheets, to

1:40:51

fragmented tools, to manual

1:40:54

security reviews. Managing

1:40:56

the requirements for modern compliance and

1:40:59

security programs is increasingly challenging. Are

1:41:01

you using a spreadsheet to keep

1:41:03

track? Oh, please. You

1:41:05

need Vanta, the leading trust

1:41:07

management platform. Vanta helps

1:41:10

you centralize your efforts to

1:41:12

establish trust and grow across

1:41:14

your organization. G2 says

1:41:16

Vanta is the best. They love Vanta. Year

1:41:19

after year they've loved Vanta. Here's

1:41:21

an example, just one of many

1:41:23

from G2, from a chief technology

1:41:25

officer. Quote, there is no doubt

1:41:27

about Vanta's effect on building trust

1:41:29

with our customers. As we

1:41:31

work more with Vanta, we

1:41:34

can provide more information to our current

1:41:36

and potential customers about how committed we

1:41:39

are to information security. And Vanta is

1:41:41

at the heart of it. Customers care.

1:41:43

They want to know that you're protecting

1:41:46

their data. Automate

1:41:48

up to 90% of compliance. Strengthen

1:41:51

your security posture. Streamline

1:41:54

security reviews. And reduce third-party risk.

1:41:57

You don't want to say, hey, you see, You

1:42:00

see, we're very, you don't want to do that. You

1:42:02

need Vanta. Speaking of risk, oh,

1:42:05

here's one. SecurityNow listeners,

1:42:07

Vanta is offering you a free

1:42:09

risk assessment. All you have to

1:42:12

do is go to vanta.com/securitynow.

1:42:15

Generate a gap assessment of your

1:42:17

security and compliance posture, discover shadow

1:42:19

IT, and understand

1:42:21

the key action to de-risk

1:42:24

your organization. It's

1:42:26

all at vanta.com/securitynow. Get

1:42:28

that free risk assessment. You

1:42:31

need this, you want this, and you'll find out more

1:42:33

about Vanta too. vanta.com/securitynow.

1:42:36

And I

1:42:39

love their slogan, compliance

1:42:41

that doesn't SOC 2 much. Vanta.

1:42:46

We thank them so much for their support. On

1:42:49

we go with the show and the scary

1:42:51

part is now. Okay. This is

1:42:54

for grownups, this part. Yes. So,

1:42:56

yeah. Everybody

1:42:59

knows how bullish

1:43:01

and excited I am about

1:43:03

Google's privacy sandbox. Yes. We

1:43:06

all know I'm a bit of a

1:43:08

fanboy for technology. And

1:43:10

this is a bunch of very

1:43:12

interesting new technology that solves some

1:43:14

very old problems. Google

1:43:17

clearly understands that their economic

1:43:19

model is endangered due

1:43:22

to the fundamental tension that exists

1:43:24

between advertisers, primarily themselves, who demand

1:43:26

to know everything possible about the

1:43:29

viewers of their ads and

1:43:31

those viewers, along with their governments,

1:43:34

who are becoming increasingly concerned about

1:43:36

privacy and anonymity. The

1:43:39

emergence of global privacy control

1:43:42

and the return of DNT,

1:43:44

do not track, has not

1:43:46

gone unnoticed by anyone whose

1:43:48

cash flow depends upon knowing

1:43:50

something about the visitors to

1:43:52

their websites. As

1:43:55

we've been covering this through the

1:43:57

years, we've watched Google iterate on

1:43:59

a solution to this very

1:44:01

thorny problem, and I

1:44:03

believe though the final solution

1:44:05

was to transfer the entire

1:44:07

problem into the user's browser.

1:44:10

They found a solution that really

1:44:12

can work. And

1:44:15

this is a huge "but" that

1:44:17

informs today's title topic. It

1:44:19

appears that the rest of the

1:44:21

world does not plan to

1:44:23

go down without a fight. Not

1:44:26

everyone is convinced. Apparently not everyone

1:44:28

believes that they're going to need

1:44:30

to follow Google and it turns

1:44:33

out that there is a workaround

1:44:35

that is not good. So

1:44:38

a recent Financial Times headline

1:44:40

read: Amazon

1:44:42

strikes ad data

1:44:45

deal with Reach as

1:44:47

Google kills off cookies.

1:44:50

Which was followed by the subhead: Media

1:44:52

sector scrambles to deal with

1:44:55

fallout from phase-out of

1:44:58

cross-website trackers. So,

1:45:01

with a little bit of editing of

1:45:03

the content for our listeners, the Financial

1:45:05

Times writes: Tech giant

1:45:07

Amazon has struck a deal

1:45:09

with the UK's largest

1:45:11

publisher, Reach, to obtain

1:45:14

customer data to target

1:45:16

online advertising as the media

1:45:18

industry scrambles to respond to

1:45:20

Google's move to axe cookies.

1:45:24

In one of the first such

1:45:26

agreements in Europe, Amazon and Reach

1:45:28

unveiled a partnership on Monday designed

1:45:30

to compensate for the loss of

1:45:32

third party cookies that help gather

1:45:34

information about users by tracking their

1:45:36

activity across web sites to help

1:45:39

target advertising. Google said this month

1:45:41

that it has started to remove

1:45:43

cookies on its Chrome browser, following

1:45:45

a similar move by Apple to

1:45:47

block them on Safari, aiming to

1:45:49

switch off all third party cookies

1:45:51

by the end of the year.

1:45:54

Reach said it will

1:45:56

partner with Amazon on

1:45:58

sharing contextual first-party

1:46:01

data, for example, allowing advertisers

1:46:03

to know what articles people

1:46:05

are looking at with

1:46:07

the US tech group using the

1:46:09

information to sell more targeted advertising

1:46:12

on the UK publisher's sites. The

1:46:15

company said the deal comes,

1:46:17

quote, as the advertising world

1:46:19

tackles deprecation of third party

1:46:21

cookies, a long anticipated

1:46:23

industry milestone that Google

1:46:25

kick-started in early January,

1:46:28

unquote. Financial details for

1:46:30

the arrangement were not revealed. The

1:46:32

partnership involves the contextual

1:46:35

advertising of Mantis, originally

1:46:37

a brand safety tool that

1:46:39

could ensure that brands were

1:46:42

not being presented next to

1:46:44

potentially harmful or inappropriate content.

1:46:47

The tool is also now used to

1:46:49

place ads next to content users

1:46:51

may want to see, helping to

1:46:53

better target specific audiences with relevant

1:46:56

advertising. Other publishers also use

1:46:58

Mantis. Amazon's

1:47:01

director of EU

1:47:04

ad tech, Fraser

1:47:06

Locke, said that,

1:47:08

quote, as the industry shifts towards

1:47:10

an environment where cookies are not

1:47:12

available, first party contextual signals are

1:47:15

critical in helping us develop actionable

1:47:17

insights that enable our advertisers to

1:47:19

reach relevant audiences without sacrificing reach,

1:47:22

relevancy or ad performance, unquote.

1:47:25

The loss of cookies means that

1:47:27

almost all internet users will

1:47:30

become close to

1:47:32

unidentifiable for advertisers.

1:47:34

The risk for advertisers is that

1:47:37

their advertising offer becomes

1:47:39

much less valuable at a time

1:47:41

when they're already losing ad

1:47:43

revenues, which has led to thousands

1:47:45

of job cuts in the past

1:47:47

year. Reach last

1:47:50

year announced 450 roles

1:47:52

would be axed. Other

1:47:55

media groups are also looking at deals

1:47:57

involving their customer data, according to industry

1:48:00

executives. Some publishers

1:48:02

are experimenting more with

1:48:05

registration pages or

1:48:07

paywalls that mean people

1:48:10

first give first-party information

1:48:12

that they can use,

1:48:14

such as email addresses

1:48:16

and logins. Reach is

1:48:18

already seeking to harvest more such

1:48:20

data from readers. John

1:48:22

Steinberg, chief executive of Future,

1:48:25

said that the quote, elimination

1:48:27

of third-party cookies is one

1:48:29

of the biggest changes to

1:48:31

the advertising market in the

1:48:33

digital age. He

1:48:36

added that quote, advertisers

1:48:38

and agencies will be

1:48:40

looking to publishers that

1:48:42

have high-quality editorial scale

1:48:45

and rich first-party data

1:48:48

and predicted that quote, advertisers,

1:48:50

agencies and quality publishers will

1:48:53

work even more closely together

1:48:56

to reach audiences that drive

1:48:58

outcomes for brands, unquote.

1:49:00

Sir Martin Sorrell, chief

1:49:02

executive of advertising firm

1:49:05

S4 Capital, said that

1:49:07

some clients that did not have

1:49:09

access to first-party data on their

1:49:11

customers were panicking.

1:49:14

He said that there would be more

1:49:16

focus on getting customers

1:49:19

to sign up to websites

1:49:22

with their information as

1:49:25

companies attempted to boost their

1:49:27

stores of consented

1:49:29

data, unquote. Okay,

1:49:34

so let's think about this for a minute. This

1:49:37

notion of requiring

1:49:39

more user signups is

1:49:42

interesting and it's not

1:49:44

something that had occurred to me

1:49:46

before. This article makes it clear

1:49:49

that the advertising industry is not

1:49:51

going to let go and go

1:49:54

down without a fight. They don't

1:49:56

want to change. They don't want

1:49:58

to adopt Google's strongly

1:50:00

anonymous interest-based solution.

1:50:04

No, they want to continue

1:50:06

to know everything they possibly

1:50:08

can about everyone, which is

1:50:10

something Google's dominant Chrome browser

1:50:13

will begin actively working to

1:50:15

prevent, at least

1:50:18

using the traditional tracking

1:50:20

methodology. So what

1:50:22

are they going to do? And what's

1:50:25

up with this signing into

1:50:27

sites business? It

1:50:29

occurred to me that one

1:50:31

way of thinking about the traditional presence

1:50:34

of third-party tracking cookies

1:50:37

is that because they

1:50:40

effectively identify who is going

1:50:42

from site to site on

1:50:45

the Internet, there's no

1:50:47

need for us

1:50:50

to explicitly sign up when

1:50:52

we arrive somewhere for

1:50:54

the purpose of identifying ourselves

1:50:57

to the site and its

1:50:59

advertisers. Cookies

1:51:01

do that for us silently and

1:51:03

unseen on our behalf.

1:51:07

Who we are when we

1:51:10

visit a website is already known

1:51:12

from all of the cookies

1:51:15

our browsers transmit in response

1:51:17

to all of the transparent

1:51:19

pixels and beacons and scripts

1:51:22

and ads that laden today's

1:51:24

typical website. But

1:51:26

soon, all of

1:51:29

that traditional silent,

1:51:31

continuous background identification

1:51:33

tracking is going to

1:51:35

be prevented, and the

1:51:37

advertising industry is finally waking up

1:51:39

to that reality. What

1:51:43

this means for a website itself is

1:51:46

significant, perhaps even

1:51:48

drastic, a

1:51:50

reduction in advertising revenue,

1:51:53

since, as we know, advertisers

1:51:56

will pay much more for

1:51:58

an advertisement that's shown

1:52:00

to someone whose interests and

1:52:02

history they know. That

1:52:06

allows them to choose the

1:52:08

most relevant ads from their

1:52:10

inventory, which makes the presentation

1:52:12

of the ad that the

1:52:14

viewer sees more valuable and

1:52:17

thus generates more revenue for the

1:52:19

website that's hosting the ad. And

1:52:22

that's, of course, been the whole point

1:52:24

of all this tracking. That's

1:52:27

why websites themselves have never

1:52:29

been anti-tracking and it's the

1:52:32

reason so many websites cause

1:52:34

their visitors' browsers to contact

1:52:36

so many third-party domains. It's

1:52:39

good for business from

1:52:41

the website's perspective and it

1:52:43

increases the site's revenue. And

1:52:46

besides, visitors don't

1:52:48

see any of that

1:52:51

happening. So

1:52:54

tomorrow, when visitors swing

1:52:56

by a website with Chrome, which

1:52:58

no longer allows tracking, and

1:53:01

those visitors are therefore anonymous and

1:53:04

far less valuable to that site's

1:53:06

advertisers, how does

1:53:08

a website itself

1:53:12

de-anonymize its visitors

1:53:15

to know who they are

1:53:17

for the purpose of identifying

1:53:19

them to its

1:53:22

advertisers so that

1:53:24

those advertisers will pay that site

1:53:27

as much money as possible? The

1:53:30

answer is horrible and

1:53:33

is apparently on the horizon. The

1:53:36

website will require

1:53:38

its visitors to register

1:53:40

and sign up before its

1:53:43

content and its ads

1:53:46

can be viewed. At

1:53:48

the end of that Financial Times

1:53:50

piece, they quoted Sir Martin Sorrell,

1:53:52

the chief executive of advertising at

1:53:55

S4 Capital, saying, quote, some

1:53:57

clients that did not have access to

1:53:59

first party data on their customers

1:54:02

were panicking, and

1:54:04

that there would be more

1:54:06

focus on getting customers to

1:54:09

sign up to websites with

1:54:11

their information as companies

1:54:13

attempt to boost their stores of

1:54:15

consented data. Now

1:54:18

these websites won't be charging any money

1:54:21

for this sign-up, it's

1:54:23

not money from their visitors

1:54:25

they want, it's

1:54:27

the identities of those

1:54:30

visitors that for the first time

1:54:32

they need to

1:54:34

obtain from that first

1:54:36

party relationship in

1:54:39

order to share that information

1:54:41

with their advertisers so

1:54:43

that they can be paid top

1:54:45

dollar for the ads displayed on

1:54:47

their websites. And

1:54:50

you can be 100%

1:54:52

certain that the fine

1:54:54

print of every such

1:54:56

site's publicly posted policy,

1:54:58

privacy policy, will state

1:55:00

that any information they

1:55:02

obtain may be

1:55:04

shared with their business

1:55:07

partners and affiliates, meaning

1:55:09

the advertisers on their sites.

1:55:13

We thought those cookie permission pop-ups were

1:55:15

bad, but things might soon be getting

1:55:18

much worse, and those

1:55:20

sign-up to create an account forms

1:55:22

may also attempt to obtain as

1:55:25

much demographic information as possible

1:55:27

about their visitors. You

1:55:29

know, oh, while you're here creating

1:55:31

an account, please tell us a

1:55:33

bit more about yourself by filling

1:55:35

out the form below so that

1:55:38

we can better tailor our content

1:55:40

to your needs and interests. Uh-huh,

1:55:43

right. Each form fill

1:55:45

will likely be a one-time

1:55:48

event per browser since

1:55:51

a persistent first party log-on cookie

1:55:53

will then be given to our

1:55:55

browser to hold and return to

1:55:57

the site, a

1:56:00

brief hassle once, but

1:56:03

the result of filling out a

1:56:05

form to create an account

1:56:07

at every site which

1:56:09

might begin to require one will

1:56:12

be that our visits to that

1:56:14

site will no longer even have

1:56:17

the pretense of anonymity.

1:56:20

We will be known to that site, and

1:56:23

thus we will in turn be known

1:56:25

to every one of that site's advertisers.

1:56:29

We may forget that we have an account

1:56:31

there. We may find

1:56:33

our name shown in the upper right-hand

1:56:35

corner of the screen with a menu

1:56:37

allowing us to log out, change our

1:56:40

email address, our password, etc. Password

1:56:43

managers are likely going to become

1:56:45

even more important because typical Internet

1:56:47

users will be juggling many more

1:56:49

Internet login accounts than they've ever

1:56:52

needed before. Historically, we

1:56:54

only ever needed to log on

1:56:56

to a site when we

1:56:58

had some need to create an

1:57:02

enduring relationship with that site.

1:57:06

That is what promises to change. Sites

1:57:10

with which we have no interest or need

1:57:12

to be known will begin

1:57:14

insisting that we tell them

1:57:16

who we are in exchange

1:57:18

for access to their content even

1:57:21

though it will be free, and

1:57:23

the reason for their insistence will be

1:57:25

that we become a much

1:57:27

more valuable visitor once

1:57:30

they're able in turn to tell

1:57:32

their advertisers exactly who we are.

1:57:36

And it's all perfectly legal

1:57:38

because no tracking is happening.

1:57:42

We sign up and implicitly

1:57:44

grant our permission for our

1:57:46

real-world identities to be shared

1:57:48

with any and all of

1:57:50

that site's business associates. Most

1:57:53

people will have no idea what's going on. Maybe

1:57:56

it won't actually be that big a deal. It

1:57:59

won't be obvious why sites they've been visiting

1:58:01

for years are suddenly asking them to

1:58:03

create an account. They already

1:58:05

have lots of other accounts everywhere else

1:58:07

and the site won't be asking for

1:58:09

money just for their

1:58:11

identities, which most people are

1:58:14

not concerned about divulging. One

1:58:17

thing we can be certain of is that

1:58:19

a trend of forced

1:58:22

identification before the

1:58:24

content of an advertising supported

1:58:26

website can be viewed will

1:58:29

cause the EFF to have

1:58:31

a conniption. Nothing

1:58:34

could ever be more antithetical

1:58:36

to their principles. The

1:58:39

EFF wants nothing short of

1:58:41

absolute and complete anonymity for

1:58:44

all users of the Internet,

1:58:47

so this represents a massive step

1:58:49

directly away from that goal. The

1:58:53

EFF would be well-served,

1:58:55

in fact, to get

1:58:57

behind Google's initiative, which

1:58:59

is far more privacy-preserving

1:59:01

than this end-around that

1:59:03

appears to be looming. It

1:59:06

almost makes third-party cookie tracking look

1:59:08

attractive by comparison. I

1:59:11

don't want to be forced to create

1:59:13

accounts for every low-value website I might

1:59:15

visit briefly. If this

1:59:17

happens, it's going to change the

1:59:19

way the Internet feels. It's

1:59:21

going to be interesting to see how all this shakes

1:59:24

out. And yes, I

1:59:26

am more glad than ever to be going

1:59:28

past episode 999 since it's going to be

1:59:30

very interesting

1:59:32

to be observing and sharing

1:59:35

what comes next. We agree. Our

1:59:38

mission has really just begun. For

1:59:40

a long time, the last

1:59:42

five years I thought, well, we've kind of done it

1:59:44

all. How

1:59:46

much fun is there in the newest iPhone

1:59:48

or whatever? No, I

1:59:51

think times are getting very interesting, actually.

1:59:53

Speaking of interesting, It

1:59:56

turns out we have 11,000

2:00:01

members. It didn't happen during the show, unless

2:00:03

I can trust gets much as part it's

2:00:06

is a little bit behind. All right,

2:00:08

let's go to twelve thousand. What

2:00:10

do you say We love to have you

2:00:12

in the club or and thank you to

2:00:14

all of you. As you know, what's great

2:00:17

is I do see a lot of new

2:00:19

faces in the Discord. Not everybody who joined

2:00:22

the club ends up in the Discord. A lot of

2:00:24

people aren't Discord users, but I see a

2:00:26

lot of wonderful new

2:00:29

people in there, and I welcome y'all. It's really fun

2:00:31

to be in there and

2:00:33

talk to you and talk to our

2:00:35

hosts. We'll get, we'll get Steve in

2:00:37

there is something he sought solace.

2:00:41

Steve, you're the best! I really

2:00:43

appreciate the work you do. It really

2:00:46

Ah, he is clearly

2:00:49

the most deep, technical show we

2:00:51

do on the network, and people really value

2:00:53

it. So thank you for that.

2:00:55

We really appreciate it. And I

2:00:58

encourage everybody to check out

2:01:00

Steve's site, GRC.com.

2:01:03

That's where SpinRite lives, 6.1. But

2:01:05

the new Ventoy-compatible six, or six

2:01:07

point know but an event like of animals.

2:01:10

6.1 coming soon. You're, you're going

2:01:12

to be able to do that, right? You're

2:01:14

me be a regular guy I say I

2:01:16

gotcha. How... I'll have it later today.

2:01:18

Oh well. Ask and ye

2:01:21

shall receive. Awesome. Such wizardry, that

2:01:23

assembly code. Ah, GRC.com has

2:01:25

lots of great stuff that's free as

2:01:27

well. Ah, in fact I would check out

2:01:29

ValiDrive, the thing

2:01:32

that is... what a great tool

2:01:34

you made for checking to see if

2:01:36

the USB drive you bought

2:01:38

actually has the capacity it's supposed to

2:01:40

have, so you can return it if

2:01:42

it doesn't. That's free, and there's a

2:01:45

lot of other stuff. ShieldsUP has been there

2:01:47

forever and is a wonderful tool for

2:01:49

you know, checking the security of your router.

2:01:52

While you're there you can also get a copy

2:01:54

of the show. Steve has two unique versions of

2:01:56

the show that we don't have: a sixteen

2:01:58

kilobit audio version for the

2:02:00

bandwidth impaired. And, in fact,

2:02:03

the reason the sixteen K version was

2:02:05

created: Elaine Farris's incredible transcripts. She is

2:02:07

a, she's a farrier, she does horseshoeing

2:02:10

out at the farm, and they don't have a

2:02:12

lot of bandwidth, so Steve made a

2:02:14

smaller version for her. She types up

2:02:17

those transcripts. Beep not included, apparently. Ah,

2:02:19

it's for everybody. That will be there

2:02:21

and of course the sixty-four

2:02:24

kilobit audio. We have the sixty

2:02:26

four kilobit audio at our site,

2:02:29

ah, twit.tv/sn

2:02:31

for Security Now. There's also a

2:02:33

YouTube channel dedicated to Security Now. That's actually

2:02:35

a great thing to know about if you

2:02:37

hear something and think, I gotta send the

2:02:39

boss this clip, or I have a friend, I'd

2:02:41

like them to know about this

2:02:43

thing. You know, your friend's

2:02:45

bugging you about the, about, uh,

2:02:47

you know, third-party cookies, who are ya

2:02:49

to hear what he was up to. Now on

2:02:51

you can clip it on YouTube

2:02:53

and share it with them. That's good

2:02:55

if you do that. It helps us, it

2:02:57

brings awareness to the work Steve's doing here

2:02:59

and of course the best thing you can do for

2:03:02

yourself and for us is to subscribe in

2:03:04

your favorite podcast client. You'll get it automatically the

2:03:06

minute it's available, and then we make sure you get

2:03:08

to listen. Steve,

2:03:11

have a wonderful week! And

2:03:14

a ladder and will dry out

2:03:16

down here in Southern California. You

2:03:18

are okay, right? Didn't have a

2:03:20

sprinkler hitting your high voltage analysis

2:03:22

and now have set up a

2:03:24

such are seen as we see

2:03:26

on the thirty. A

2:03:31

Hi, Scott Wilkinson here. In case

2:03:33

you hadn't heard, Home Theater Geeks

2:03:35

is back. Each week I bring

2:03:37

you the latest audio/video news,

2:03:39

tips and tricks to get the

2:03:41

most out of your AV

2:03:43

system, product reviews and more. You

2:03:45

can enjoy Home Theater Geeks only

2:03:47

if you're a member of Club

2:03:49

TWiT, which costs seven bucks a

2:03:51

month or you can subscribe to

2:03:53

Home Theater Geeks by itself for

2:03:55

only $2.99 a month.

2:03:57

I hope you'll join me for

2:03:59

a weekly dose of home theater

2:04:01

d have.
