Episode Transcript
0:00
It's time for Security Now. Steve Gibson is here. We got a great show planned for you. Steve's going to talk about that web-based login that's supposed to be secure. It turns out it's not even close. I hope you're not using it. We'll talk about the state of Nevada. Their attorney general wants to ban encryption on Facebook Messenger, but just for kids. That'll make them safer, right? And Steve has a new app he just made, just for you. That and a whole lot more, coming up next on Security Now.

0:32
Podcasts you love, from people you trust. This is TWiT.

0:43
This is Security Now with Steve Gibson, episode 963, recorded Tuesday, February 27th, 2024: Web Portal.
0:53
Yes, please. This episode of Security Now is brought to you by Thinkst Canary. Thinkst Canaries are honeypots that can be deployed in minutes. If someone's accessing your lure files or brute forcing your fake internal SSH server, your Thinkst Canary will immediately tell you you have a problem, with no false alerts. Just choose a profile for your Thinkst Canary device, register it with the hosted console for monitoring and notifications, and then you wait. Attackers who have breached your network, malicious insiders, other adversaries will make themselves known just by accessing your Thinkst Canary with those little token files you've created with it. And you will not be in the dark about who's wandering around in your system. Visit canary.tools/twit. For about 7,500 bucks a year, you'll get five Thinkst Canaries. Many companies have more, small companies might have fewer. Your own hosted console, you get upgrades, you get support, you get maintenance, all of that. Plus, if you use the code TWIT in the "how did you hear about us" box, you'll get 10% off that price for life. And of course you can always return your Thinkst Canaries for a money back refund. In fact, you can do it for two months, a 60-day money back guarantee. I have to tell you though, in all the years, it's almost a decade now that we've been talking about Thinkst Canaries, their refund guarantee has never been claimed. People love their Canaries. Visit canary.tools/twit and enter the code TWIT in the "how did you hear about us" box. canary.tools/twit. You need this thing.
2:32
It's time for Security Now, the show where we cover the latest security news with this guy right here, everybody's favorite geek, Mr. Steve Gibson. Hello, Steve. Leo, how are you? Good to be back with you. Or the... I just realized we got a leap year. I was looking at the calendar. Yes, we got 29 days. Aren't we excited? What are you gonna do on your free Thursday? How often does that happen? Well, you know exactly, because many of us have written... but what was the linear date? Oh God, it's hard to do that code. It is a mess. Yes, it is, like, who came up with this calendar? It's certainly not any programmer. 29? No one would do that to them. No, well, what they have to, because the actual clock is a little bit off from that, the calendar. But what is it? It's a 29th day every year that ends in four, unless it ends in zero zero, like a hundred and four hundred are also exceptions. A hundred and four hundred, yeah. And boy, whenever there's any talk about, like, well, we're gonna get rid of this daylight savings time because it's a real mess, we're just gonna stay on one, I think all the technology now that knows when the time changes would get broken. Right. I mean, like, there's a lot of different things, like clocks that have that built in on them now. Now that's like, okay, well, there's more problems for the long way.
4:05
Speaking of problems, Leo, our listeners come here to find out about problems, and boy, we got some problems for them today. I titled this "Web Portal, Yes Please" for a reason that we'll be getting to, but we got a lot of interesting questions to answer. What US state is now trying to ban encryption for minors? Which is, like, got a lot of people wound up, as you can imagine. What shocking truth did a recent survey of IT professionals reveal? Things are not good for them. What experimental feature from Edge is Chrome inheriting? Are online services really selling our private data? And just how big a problem is that? And what about browser add-ons? Them too? Should we be paying extra to obtain cloud security logs is the question. And now that the dust has settled somewhat, what happened with LockBit? What new features just appeared in Firefox 123? And what lesson have we just received about another horrible instance, occurrence? We'll be getting to that. And I have some news on the GRC software front, and we also have a bunch of interesting feedback from our terrific podcast listeners. So another jam-packed episode of Security Now, and there were a couple of things I couldn't get to, but I'll tell everybody about those at the end, because we'll be getting to a couple of them next week. So good. I think a lot of fun in store. You're busy again all week long preparing for this show. We also have a picture of the week that's tied to the headlines. It's ripped from today's headlines. That's right.
5:52
But first, a word from our sponsor. Our sponsor today is Vanta. Let me talk a little bit about Vanta, your single platform for continuously monitoring your controls, reporting on security posture, yours of course, and streamlining audit readiness. Managing the requirements for modern security programs is increasingly challenging and time consuming, and I think if you do that, you know, this is no news to you, right? You know this. Well, enter Vanta. Finally, there's something that can help you with this. Vanta gives you one place to centralize and scale your security program. You can quickly assess your risk, you can streamline your security reviews, you can automate compliance for SOC 2, ISO 27001 and many more frameworks. You can leverage Vanta's market leading trust management platform to unify risk management and secure the trust of your customers. It's kind of, in a way, that's what it's all about. You're sure you've got the legal requirements, but your customers too want to know you're compliant. You can use Vanta AI to save time. You know, you get those security questionnaires from customers, what are you doing? Vanta will do it all for you. G2 loves Vanta. Year after year, check out this review from a CEO right there on G2. Quote, "Vanta guided us through a process that we had no experience with before. We didn't even have to think about the audit process. It became straightforward. And we got SOC 2 Type 2 compliant." And get this, in just a few weeks. Help your business survive and scale and thrive with Vanta. To learn more, watch Vanta's on-demand demo at vanta.com/securitynow. That's Vanta, vanta.com/securitynow. Now I know they don't have it in the ad, but they do have it on our lower third graphic, and I really love the slogan. Vanta, compliance that doesn't SOC 2 much.
8:00
That anymore as a Spider Man I bleed or else does he get old. Your picture of the week, tell us about that. As now somebody repurposed this picture for the news. As you mentioned, first of all, it starts off just as a great picture all by itself. We see a yellow-painted cinder block wall that has an X sort of an exterior, because, you know, cinderblock, as you... if you'd like to install an outlet in the cinderblock, so it's a... it's a steel two-plug AC outlet box which is mounted on the outside of the cinderblock. It's got a black cord and an orange cord plugged into it, and they're sort of running off the screen. But taped next to what we learn is a very important set of cords, it says "Do not unplug!!" exclamation point twice, "Magic cord runs entire company!!" two more exclamation points. So clearly the lesson here is, whatever you do, just don't... do you know, like, if you need to vacuum the floor, don't unplug one of these to plug the vacuum cleaner in temporarily. Just go plug your vacuum cleaner in somewhere else.

9:26
Well, repurposing this picture for today's news, it says down below: "Live look at AT&T network security." Boy. Of course somebody tripped over a cord somewhere, and, you know, AT&T has been curiously unsatisfying in what little they've said. I heard that DHS, the US Department of Homeland Security, and CISA and the FBI were going to roll up their sleeves to get to the bottom of this major twelve-hour outage that happened last week. I'm sure anybody with AT&T probably knew, and even people trying to call people with AT&T knew. And then AT&T issued a statement that said, "Oh, it was an update that we were doing to the software." When I say "the software," I mean that their statement was completely opaque. Opaque is a good word. Yes, yes, it is the word of the day, actually. We'll be using opaque several more times by the time we're done. There's a lot of opacity here in today's podcast. I'm not sure why that all landed on today, but yes, it is like, you know, and it's not like there's some little nothing company, right, that doesn't matter. It's like, this is important. We know people want to know what happened. But AT&T is like not really doing it. I also find that... I imagine a hypothetical... their shareholders or something, I would think so. You know, after you talked so many years about BGP routing mistakes, I thought it could be that, or some Wagoner mass it on wrote, probably a certificate expired on some server in a closet somewhere, and the only guy who knows it's there was fired a year ago. Success and stuff. Exactly. It literally took them twelve hours to get back up and running, and it could be that embarrassing. Yeah, right. It must be... like, a company like AT&T cannot say, "Well, ah, we had an expired certificate and we fired the guy, and he was the only one who knew. It took us a while to figure out what it was." I'd go there. And also, heads would roll. They implied they were doing some sort of network upgrade. But I think that was self-serving, too, like, "We're expanding our network, and things sometimes go wrong when you expand it. For our listeners' benefit, we've had a twelve-hour outage." Yeah, wait, like, yeah, no, we did it for you, kids. So, I'm...
12:09
Kim Zetter's Zero Day blog had the best coverage I've seen of this surprisingly aggressive move. I edited what Kim wrote down for length and readability, but here's the gist of the news, and then two other outlets weigh in.

12:23
Nevada's Attorney General filed a motion to prevent Meta from providing end-to-end encryption to users under eighteen who reside in the state of Nevada. And it's like, what? The AG's request explains that its intention, of course, is to combat predators who target minors for sexual exploitation and other criminal purposes. Now there's always that kind of extra clause in there, right? Like, oh, it would be nice if we got some terrorists and set it off while we're at it. And they say, to allow law enforcement to retrieve communication between criminals and minors from Meta's servers during investigations. Now what's interesting about this language is that it suggests that there's some retention on Meta's part, and we'll get in a minute here to what Matt Blaze says about that. But anyway, Kim said in his reporting last Tuesday, the Attorney General's lawyers filed a partially redacted brief in Las Vegas federal court seeking a temporary restraining order. So they're asking for a TRO and a preliminary injunction against Meta to prevent it from offering... well, okay, but they have been, right? Okay, we'll get to that. To prevent it from offering end-to-end encryption on Messenger for anyone residing in the state whom Meta believes may be a minor. In its request to the court, the Nevada Attorney General's Office claims that Meta's decision to enable end-to-end encryption by default is irresponsible and, quote, "drastically impedes law enforcement's efforts to protect children from heinous online crimes including human trafficking, predation, and other forms of dangerous exploitation," unquote. The AG requests an immediate hearing on the matter two days from then. And this was the beginning of the week last week, or maybe like Tuesday, and so... I think this was Tuesday, and they wanted a hearing on Thursday. It's like, wait, okay. And it would have been, yes, last Thursday, citing the extreme urgency, again, exact quotes, affecting, quote, "the safety and well-being," unquote, of children in Nevada who use Messenger. The court scheduled the hearing for February 26th. So they didn't quite have it as quickly as they wanted, so that was yesterday. And in response to the filing, Meta said... and so Meta, of course, responded to say, wait a minute, saying that the request makes no sense since it and other messaging services have been offering end-to-end encryption to minors and other users, which is to say anyone who wants it, for years. And law enforcement, as acknowledged in the Nevada AG's own filings, can still obtain such messages from the devices used by criminals or minors. Meta wrote, quote: "The state cannot properly assert that it requires emergency injunctive relief on two days' notice, blocking Meta's use of end-to-end encryption, when that feature has been in use on Messenger for years and began to be rolled out for all messages more than two months ago."

16:17
So a legal expert and a research scholar at the Stanford Internet Observatory calls Nevada's request bizarrely aggressive, and that was her quote, and says the timing of it is perplexing, writing, quote, "It seems to come out of nowhere. And what's the motivation for this to happen now?" The expert cites it as being the biggest attack on encryption in the US since 2016. Of course we know what that date was, which was a reference to the FBI's attempt to force Apple to undermine the encryption on its iPhones so the agency could access an iPhone used by the suspect in the San Bernardino terrorism case. As we recall, of course, the FBI wound up gaining access through another means and so dropped its push on Apple.
17:09
Meta has made end-to-end encryption available to Messenger users since 2016. Last December, the company promoted it to the default setting for all Messenger communication, it being the application used for private messaging between users on Facebook and Instagram. As we know, law enforcement and investigators can still read the messages even if they were encrypted in flight, if they obtain the device used by either party to the communication and are able to access the device with the password or by bypassing it using forensic tools. This has been true since 2016, when any user, including minors, opted to enable end-to-end encryption. The only thing that has changed recently, and this was a couple months ago, is that Meta is now encrypting all messages by default. But Nevada's Attorney General appears to be asking the courts not just to prevent Meta from enabling end-to-end encryption for minors by default, but also to prevent the company from providing the option to use end-to-end encryption for all minors who reside in the state, even though they've been able to use end-to-end encryption for eight years. In its response opposing the request for a restraining order and injunction, Meta points out that end-to-end encryption has been available by default for Apple iMessage since 2011, and is also available to users of Signal and other similar applications, Telegram and so forth, and encryption has been considered essential for protecting communications for years. Meta notes, and they said indeed, quote, "Indeed, Nevada law recognizes the value of encryption, requiring data collectors to encrypt personal information," unquote. The Stanford Observatory expert noted that if the court were to grant the restraining order and injunction, it would actually be making minors less secure than other users of Messenger, writing, quote, "It's bizarre for the state to be saying that the AG wants to ensure that only children in Nevada receive less privacy and security protection than any other user of Messenger," unquote.

19:37
And of course, there's a danger that this could set a precedent, with other states then following. As a basis for its request to obtain a restraining order, the Attorney General's office claims in its filing that it has proof that in providing end-to-end encryption for minors, Meta is violating Nevada's Unfair and Deceptive Trade Practices Act, which seems like a stretch, which prohibits the violation of laws in the course of selling or leasing goods or services. Nevada law prohibits the use of encryption to commit a criminal offense, or conceal a criminal offense, or obstruct law enforcement. The Attorney General states, therefore, Meta is directly and indirectly aiding and abetting child predators. Boy. By providing them with end-to-end encryption. The Attorney General also states that Meta further violates the Unfair and Deceptive Trade Practices Act by misstating the risks minors face. Less, if you use... this is just really... there's no way to logic about it. It makes no sense at all. Wow. The Attorney General states that Meta represents Messenger as a safe application for minors to use, but fails to inform them that by using Messenger with end-to-end encryption, they are putting their safety at risk. Wow. The Attorney General's document actually states, quote, "Meta represented that Messenger was safe and not harmful to young users' well-being, when such representations were untrue, false, and misleading," unquote. Wow.
21:37
Well, as you're aware, the Attorney General will be required to back that up with some clear evidence, rather than just waving their arms around. The Attorney General also says that there would be, quote, "minimal or no cost to Meta in complying with such an injunction, and therefore the burden on the company is light," unquote. Meta, of course, disagrees, saying in its response that its ability to identify users based in Nevada is limited and is based on IP addresses and the users' self-disclosure about their location, you know, both of which are not always accurate. And we talked about this before, that, like, IP addresses, like... oh, I see, Internet routing is not constrained by state borders. You know, it may be by national borders, but, you know, not within the United States. We don't route based on state. So, quote, "To ensure compliance with the temporary restraining order, as a result, Meta may have to attempt to disable end-to-end encryption on Messenger for all users." Oh my! Good, all safer! That's right. Worrying about... why should only the kids be made safer? I hope we all have settled. Yes, exactly. "Due to the truncated timeline here, Meta has not yet been able to assess the feasibility and burdens of doing so," unquote. Oddly, the Attorney General asserts that its filing's request for a restraining order is tied to a complaint that it sent Meta at the end of January. But Meta notes that complaint is based on claims that Meta's services are addictive to users, so... sir, I'd save the children... to users, and contribute to mental health issues in teenagers. The complaint barely mentions end-to-end encryption and doesn't reference at all the Nevada unfair practices law which the Attorney General cites as the reason for the court to grant the restraining order.
23:57
Well, so, of course, The Register picked up all this and had a field day with it, as you can imagine. I just grabbed one little piece of it. They quoted Georgetown University's professor of Computer Science and Law, Matt Blaze. Matt said, quote, "It's worth noting that it's not actually the encryption that they seem to object to, which would only hinder real-time interception. It's the failure to make a surreptitious permanent third-party record of otherwise ephemeral communications for the potential future convenience of a law enforcement investigation." Ooh, guys. And The Register also quoted the Stanford Internet Observatory expert saying, "Prohibiting Nevadan children, and only Nevadan children, from having end-to-end encryption for their online communications would not help children's safety. It would undermine it. Banning children in Nevada from having end-to-end encryption means giving some of the state's most valuable residents..." Oh, sorry, most vulnerable. Well, yes, and valuable residents. "...less digital privacy and cybersecurity than everyone else." And she said, "The FTC and other state attorneys general, such as California's, have long been clear that it is a consumer protection violation for companies not to give users adequate digital privacy and security. Strong encryption is the gold standard means of doing that. It's therefore puzzlingly backwards," she wrote, "for the Nevada Attorney General to argue that Meta is violating the Nevada consumer protection law here."

25:52
Okay, so then I went looking for the outcome of yesterday's hearing. That Thursday request got bumped to yesterday, the following Monday. I found a mention in the Las Vegas Review-Journal which noted that a follow-on hearing was now scheduled for some time next month. So I'll have... that would be March, so we can hope that whatever happens, this establishes a stronger precedent for encryption rather than one against it. It is, as you said, Leo, just nonsense. Although, based on what Matt Blaze said, one has to wonder whether the ban on end-to-end encryption will then be followed by a mandatory requirement for the archiving of the communications of Nevada minors for some period of time. Oh, and then what? AIs scanning them? Help us. Or acts against... the theory is, a while, predators could be having encrypted conversations with children that we wouldn't be able to see, but it's already illegal for the predators to be using encryption, so I don't know exactly. That's exactly the point that occurred to me. Have a look, I would have a... to the Nevadans: it's clear the bad guys can use encryption, so okay, let's do it, and then convict them for that. It just makes no sense. And who knows what is going on. I mean, it would be... it's, you know what? Why Nevada? Like, what? But the good news is this will probably get smashed, hopefully, and set a precedent so other states won't even bother.
27:37
Okay, so what's it like out in IT land? Cybereason conducted a survey of more than one thousand enterprise IT professionals, asking them about... read somewhere... how's it going? The survey found that all respondents, all one thousand or more IT professionals, suffered at least one security breach over the past two years. Eighty-four percent of the respondents admitted they ended up paying a ransom to attackers. Eighty-four percent! But only forty-seven percent, so just over half, said they got their data and services back and running, uncorrupted. So that's interesting. And eighty-two percent of the respondents were hit again within a year.

28:33
Okay, so it's difficult for me to imagine being responsible for the security, I've said this before, of a sprawling enterprise with complex networking requirements, people needing access everywhere all the time, with employees receiving a stream of email and needing to click on links in order to get their job done. Although all that is required for the business to function, it's also all a nightmare to secure. I can't imagine how you even do that, and the job of making all of that work securely, which these survey results suggest is mostly not possible, is also mostly thankless. So I just wanted to take a moment, having seen these results, to say to all of the IT professionals who are literally on the front lines of cyber defense that I salute you. And I sincerely wish you the best of luck. I'm sure the job is both, you know, fascinating, frustrating, infuriating, and certainly challenging, so, you know, more power to you. And God bless, because I'll... do it. No, no, no. It's just, it's the hardest work ever. Yeah, and, you know, make sure you get paid enough money, because, yeah, sure, you're gonna need it for your health coverage. Live like your life... Whenever I talk to these guys, mostly what they complain about is not lack of money for them. I'm sure they'd like more, but lack of budget to do the job they need to do. Lack of resources, huge pressure, to do it for, you know, less money, without the tools they need, et cetera, et cetera. And the problem is it doesn't look like a profit center, right? It looks like Zoe Be Rockets, it looks like a profit sink, right? And so it's, you know, it's less like, well, but if we invest it all in our new crow max nine on the assembly line, then, you know, we'll be able to spit out twice as many widgets, so that built in. But wow. No one will look at the reputation damage that we're seeing sprinkling across the industry, as major company after major company, you know, deaths themselves. And eighty-two percent... Well, I know, Leo. Oh, yeah. It's really stunning.
31:11
so we talked about this little goody.
31:13
Three. Years ago. Back And Twenty
31:15
Twenty one. And. I
31:18
did. At Who wouldn't. Love.
31:20
The name. How could anyone
31:22
not love something called super duper
31:25
secure most? is the said ribery
31:27
back to read it. As wonderful
31:29
as as you know and the
31:31
surprise was that it came from
31:34
stodgy old Microsoft. you know the
31:36
I B M of the Pc
31:38
industry in our back, Then Jonathan
31:40
Norman who is leading Edges vulnerability
31:43
research team or the time explain
31:45
that and important performance versus security
31:47
trade off had been noticed. Because.
31:50
More than a half of
31:52
all. Prior. Chrome/chromium.
31:56
Engine. Zero.
31:58
Days. Exploiter to
32:00
the wild. Turned. Out to
32:03
be issues directly related to
32:05
the V Eight. Just In time,
32:07
you know, git. Compiler.
32:11
Will. See and Microsoft we're proposing
32:13
for Edge was it with computers
32:15
having grown so much more powerful
32:17
than they were. In.
32:20
Yesteryear back when just in
32:22
time Compilation was added for
32:24
that for his performance benefits.
32:26
That extra edge in performance
32:29
today had become much less
32:31
important than having a nest
32:33
extra edge in security. And
32:36
that the most obvious way to
32:38
increase security was just utter off
32:41
just In Time code compilation. Super.
32:44
Duper secure, bowed, Did
32:46
just that. The.
32:48
Idea proved to be a total
32:50
success and it eventually went for
32:52
being an experiment to being incorporated
32:55
into edge. Sadly, However,
32:57
in the process Microsoft Starchiness
32:59
did when out and bill
33:01
as it was bound to
33:03
rights is oh, there's no
33:05
way super duper secure mode
33:07
would actually end up in
33:09
the Edu. I know it
33:11
became enhanced security mode. Know.
33:14
Much less fun. But anyway, last week we saw the release of Chrome 122. The Chrome browser in the process inherited the result of Microsoft's pioneering. If you put the address into your Chrome URL bar, chrome://settings/content/v8, you'll be taken to a page titled V8 Optimizers. And there you will find two radio buttons. The first one, which is on by default: "Sites can use the V8 optimizers." The other one, which I would argue is worth exploring: click it and you get "Don't allow sites to use the V8 optimizers." Now, as for getting there, I did try searching from the top level of Settings for "V8 Optimizers," but that didn't get me there. So again: chrome://settings/content/v8, the letter V and the numeral eight.
34:25
And this page, so as I said, this page allows you to flip the default from yes, everybody gets to use V8, to no, I don't want V8 because it's dangerous. So my advice to Chrome users would be to give it a try and see whether you notice any difference. I'm guessing that for most sites, maybe all, the probably minor difference in performance would end up being masked by the site's own performance and the network overhead of stuff getting between you and them. And if that's not the case, that is, if a site should actually be noticeably slower, that page also allows for per-site overrides. So you could globally disable the default use of the V8 just-in-time compiler, but then if you end up with a site that does benefit from having it, just whitelist it for that one site.
35:29
And I should also note that, also with Chrome 122, they added some experimental AI features. And I'm not gonna roll my eyes. We've got a long way to go; we're at the very beginning of the AI, what is it, journey. So if you click the three dots in the upper right of Chrome and choose Settings at the bottom of the drop-down menu, over on the left, in that list, about a third of the way down you'll find Experimental AI. If you flip the switch, which is off by default, to on, the box there expands to show you three items: Help Me Write, Tab Organizer, and Create Themes with AI. I have not gone any further, since I'm not using Chrome any longer as my default browser; I'm happily back using Firefox. But for example, under Help Me Write it says: helps you write short-form content for things on the web like reviews. Great. Oh boy. Suggested content is based on your prompts and the content of the web page. To use this feature, right-click on a text box. So they gave us an example where, you know, I want to ask for a refund on my airline tickets, and it went and wrote it for you. Okay, that AI is built into Chrome now. As one of us. And we'll see where AI takes us.
37:15
On the topic of how much is apparently continuously going on behind our backs without our knowledge or awareness, I noted in passing that the home delivery service DoorDash has agreed to pay, not a crushing fine, of $375,000. Still, attention getting, as a civil penalty for violating California privacy laws. California's Attorney General sued DoorDash for selling customer data without notifying its users or providing a way to opt out. The company sold customer data such as names, addresses and transaction histories, I guess, like, what was brought to your door that you were dashing to get, to a marketing cooperative. Now more and more we're all using these services. COVID drove a significant upswing in the use of home delivery services of all sorts, and many people use Uber or Lyft or something similar, and all of these services are managed through online apps that need to know a lot about us in order for them to function, and we give them the information that we understand that app needs based on the service it's providing. But what we're not being told is that that information, which could be significant about us, is gonna be used to create further profit for this company. That seems wrong. Along comes a marketing firm and offers these companies real money in return for sharing everything they know about us, in many cases never giving us any permission prompt or an opportunity to say whether that's all right with us or not. So from then onwards it goes from some marketing cooperative, being resold, to other information brokers and who knows what else. So it's the hidden privacy cost of participating in today's connected economy.
39:29
And speaking of which, the United States Federal Trade Commission, the FTC, has just fined the cybersecurity firm Avast a somewhat larger sum, gulp, $16.5 million, for selling its users', okay, its users' web browsing data. Yes, they finally got a number. And if that sounds familiar to people, it's because we talked about this when it first became news. Essentially Avast was functioning as a spy in our browser. The FTC accused the security firm of using bait-and-switch tactics by offering browser extensions that blocked internet tracking, but then selling browsing data behind its users' backs. We're gonna block that tracking for you. Yeah, because you don't want to be tracked. Right, we'll be one-stop shopping for tracking. So between 2014 and 2020 Avast, get this, Leo, sold browsing data sets to more than 100 third parties. Wow. Everywhere their users went, through its Jumpshot subsidiary. The FTC has banned Avast from engaging in similar practices, I wish they would ban them from doing business on the planet, and has ordered the company to notify all users whose data was sold.
41:18
fourth and fifth or anniversary. Know
41:20
a battle. be at Idriss Legs
41:22
and written and less religious. Okay
41:24
attorneys is as earn your keep
41:27
your thirties make. this are just
41:29
I just the attorneys meet with
41:31
a Pr people. Yeah, that
41:34
that? I probably. Area
41:36
and and and probably
41:38
the. of
41:41
what I forgot the apartment name that
41:43
that a human resources because we were
41:45
all like to keep our jobs orange
41:47
yellow sea ice figure out what without
41:49
what we have the right in order
41:52
to the to said this. Okay,
41:56
Okay, one more and then we'll take our next break. We know how beneficial logging can be for monitoring a network's, and a network environment's, security. And to that end, Microsoft has taken some heat and come under the gun for charging their enterprise cloud customers extra money if they wanted logging services that would better protect them from security threats which were Microsoft's fault. Ouch! So in a move that CISA has greeted happily, after noting that Microsoft should do it, Microsoft has finally made previously extra-pay security logs free to use for its enterprise customers. Thirty-one logging categories have just been moved from the premium tier of the Microsoft Purview audit service into the standard offering. Wow. Yes. This was something Microsoft had promised last year in the aftermath of its Storm-0558 hack. So it's a welcome move in the right direction. On the other hand, given the precipitating events and the pressure it was under, I wouldn't go so far as to suggest that this represents any actual change in philosophy with Microsoft, but this was definitely the right thing to do regardless of whether it's virtue or something else. That's right, we'll just make up for the lost profit by increasing the price of, maybe, security passes. Anyway.
43:44
enlisting will break and then you
43:46
and I shall return with more
43:48
And I'm looking for the hearing
43:50
this the a news that you
43:52
mention that you referred to bad
43:54
or Grc but on it's still
43:56
the time I've I've got on
43:58
another laugh out loud. The app.
44:01
Title. For Leo Oh good I
44:03
love those! Saw the first words
44:05
my sponsor Robin Hood. This episode
44:07
brought to you by Robin Hood.
44:10
Did. You know that even if you have a
44:12
four o one K for retirement, you can
44:14
still have an Ira. Robin.
44:16
Hood as the only Ira. the gives
44:19
you a three percent boost on every
44:21
dollar you contributes when you subscribed to
44:23
Robin Hood Gold. But get this now
44:25
through April Thirtieth. Robin Hood is even
44:28
boosting every single dollar you transfer ants
44:30
from other retirement accounts with a three
44:32
percent match. That's. Right? No cap
44:34
on the three present match. Robin
44:37
Hood Goal gets you the most
44:39
for your retirements thanks to their
44:41
Ira. With a three percent match,
44:43
this offers good through April thirtieth.
44:45
Get started at Robin hood.com/boost Subscription
44:47
fees apply now for some legal
44:49
and for claim as of Q
44:51
and Twenty Twenty Four bounded by
44:53
Radius Global Market Research Investing Valls
44:55
risk including loss limitations applied Iras
44:57
and four O one case three
44:59
percent match requires Robin Hood Gold
45:01
for one year. From the data.
45:03
Verse Three percent match Must keep
45:05
Robin Hood Ira for five years.
45:07
The three percent matching and transfers
45:09
is subject to specific terms and
45:11
conditions. Robin Hood Ira available to
45:13
Us customers in good standing. Robin
45:15
Hood Financial, Llc member as I
45:17
Pc is a registered broker dealer.
45:20
Our. Rights back to the show
45:22
We go. Steve Gibson. Saw.
45:24
Yours. Okay, so in a little bit of, I don't know if this is exactly schadenfreude, but while the politicians in the EU consider reducing browser security by forcing EU member country root certificates into our browsers, and consider the imposition of limits on the use of end-to-end encryption for their citizens, the European Parliament's IT service has found traces of spyware on the smartphones of its Security and Defense subcommittee members. Oh. Who needs that encryption? The infections were discovered after members went in for a routine checkup. The EU parliament has sent a letter urging its members to have their devices scanned by its IT department. So yeah, maybe it's good to be running with security set to max on your smartphones.
46:29
Law enforcement agencies, although there's been a lot of coverage of this, so just some brief mention here. LockBit gets bitten a lot, for sure. But agencies from eleven countries disrupted the LockBit RaaS, the ransomware-as-a-service operation, in what was the most thorough and coordinated takedown of a cybercrime portal service to date. During the operation, which was codenamed Operation Cronos, C-R-O-N-O-S, officials seized LockBit server infrastructure, froze cryptocurrency wallets which were still holding past ransoms, released decryption tools, arrested members and affiliates, filed additional charges, and imposed international sanctions. Operation Cronos began several months ago and was led by the UK's National Crime Agency, their NCA. The agency infiltrated the gang's servers, mapped out their infrastructure, collected their, they're truly secret, master encryption keys, and accessed the LockBit backend where admins and affiliates collected stats about attacks and negotiated with their victims. The takedown occurred last Monday, the 19th, and was announced the following day, a week ago on February 20th, by the UK's NCA, Europol, and the US Department of Justice in a coordinated disclosure. In total, officials say they seized 34 LockBit servers, identified and closed more than 14,000 online and web hosting accounts used in past LockBit attacks, seized more than 200 cryptocurrency accounts holding past ransoms, detained two affiliates in Poland and Ukraine, and indicted two other Russian nationals. LockBit affiliates who logged into their LockBit backend accounts on Monday were greeted by a special message from the NCA blaming the takedown on LockBitSupp, who's the head, the kingpin of LockBit, LockBitSupp, and their flawed infrastructure. The message urged affiliates to rat out their former boss, which tends to confirm the belief that law enforcement has yet to identify LockBit's creator. Although, from some news since then, you might imagine that he's gone into hiding, whoever he is. And as was done in other recent cases, the Hive and the ALPHV disruptions, the cybercrime officials didn't just take down servers, they also collected the coveted ransomware-as-a-service backend encryption keys that were used to lock victim files. Officials say that the keys were handed over to a tactical unit inside the Japanese National Police, who created a master decryption utility that is able to recover all files from Windows systems that had previously been locked with LockBit. The utility is available now through Europol's No More Ransom project. The long-term impact of this takedown is still unknown, as we've seen before that ransomware operations that met a similar fate might relaunch under a new name. On the other hand, for example, the Hive gang never did return after the FBI hacked its servers and released a decryption tool a year ago January, whereas the operators of the ALPHV ransomware-as-a-service did pop back online and start launching attacks from new infrastructure a month after the FBI took down their servers. And in even more recent news, just as we were getting ready to start the podcast, I saw that LockBit has reemerged already under new infrastructure, and it has posted the news about its first twelve new victims. Didn't take long. Wow, did not take long.
51:11
We're at Firefox version 123. That happened last Tuesday, and they wrote three things that might be of interest to our Firefox users. They said: we've integrated search into Firefox View. You can now search through all the tabs on each of the section subpages: recent browsing, open tabs, recently closed tabs, tabs from other devices, or history. That actually is kind of cool, to be able to search, like, recently closed tabs. Sometimes when I'm in a hurry and closing things I go, you know, what was that thing that I had before? So to be able to search through that content would be very cool. And I said, well, okay, two other things, and I have a lot to say. They wrote: Having an issue with a website on Firefox, yet the site seems to be working as expected on another browser? You can now let us know via the Web Compatibility Reporting Tool. By filing a web compatibility issue, you're helping us detect, target and fix the most impacted sites to make your browsing experience on Firefox smoother. And finally, they said, address bar settings can now be found in a Firefox settings search section.
52:30
So the web compatibility issue was something I recently encountered. And it bugs me, I don't now recall where, because I would like to go back. I've seen it more than once: the page attempted to load, and it looked like it was going to, but then it just remained blank. The first thing I tried was to disable uBlock Origin for the site and then reload, but that didn't help; the same thing happened. So I turned uBlock Origin back on and then I tried the site under Chrome, where the site did work correctly, and so I just did whatever it was I was doing and then came back to Firefox. In researching this further for the story, I found that Firefox's Enhanced Tracking Protection, which I do have enabled for all sites, is the most likely cause of this kind of trouble, but I didn't think to try that and I should have. So next time this happens with Firefox, I will click on the little shield icon to the left of the URL bar and, assuming that Enhanced Tracking Protection is on, turn it off. This will cause an automatic page reload, which may fix the problem. Now the shield will have a slash through it, since Enhanced Tracking Protection has been disabled for the site. If you click it, then you'll see the question: Site fixed? Send report. And if you click that you'll be able to add some optional comments and send a report to Mozilla with a single click about the site, containing the information that they will need so they can see what's going on and work on fixing Firefox's Enhanced Tracking Protection compatibility so that it works better. So the next time that happens, that's what I'm going to remember to do. But that's not what just changed here in release 123. There's now an explicit Report Broken Site option, always present now under that shield icon. For that to show, you need to have "Allow Firefox to send technical and interaction data to Mozilla" enabled on your main Privacy and Security page. But that's now the default for new installs. I just tried it to verify that it is on, and I would imagine all of the listeners of this podcast have that turned on, and I had enough. Doing this, figuring this out, brought me back to the Privacy and Security page in Firefox, and I think it's definitely worth going to that page and scrolling through it just from time to time. But do it soon, because it's got many friendly settings, and you might well find something that is off that you thought was on, or that you'd like now to be doing differently. But anyway, for all of our Firefox listeners, I know we have many, if a site misbehaves, click on the little shield and you'll be able to easily and quickly send the bad news of that misbehavior to Mozilla so that they will be able to keep Firefox working well. And of course, as we know, unfortunately its continued existence in the world may be a little endangered. So it is worth doing that, I think, to keep it going.
56:07
Well, the last thing I've been wanting and intending to mention for a while is that I've become annoyed by Firefox's apparently pointless division of the URL bar into two separate fields, with the URL on the left and a separate search box on the right. There are some instances where what I'm searching for looks like a domain name, and that might be confusing to Firefox, where it's trying to figure out, should I search for it or go there? So placing that into the right-hand search field would make that clear, but just putting the term in quotation marks solves that easily. And the single unified field is now the default for new installations of Firefox, but I've been using Firefox for so long, from before that was changed, so my top of screen still had two separate fields. Wow! So if I turned that off like thirty years ago? I feel like, yes, and I did it like months ago. Wow! So I just wanted to say, if like me you still have separate fields, just open Settings and search for "address," A-D-D-R-E-S-S; the option will immediately be at the top of the page. Just flip it to a unified field if you're okay with it. Now, you get used to it. Oh no, I mean, I was using Chrome for a while, where it's unified, right? And right where it's unified. Nobody else really does that except me on Windows 7. So I just wanted to let everybody know. Firefox lets you easily turn that off.
57:51
Organiser Antarctic is what we call it. know
57:53
asthma the which the youtube rao but I'll
57:56
dig that is a necessity. The Earth as
57:58
a day. You know
58:00
something? They do have an eight hour in. Yeah.
58:03
Okay, so this one is why, this is the reason I titled the podcast "Web Portal? Yes, Please." Last Monday, the 19th, the industry was informed of yet another, for real, web authentication bypass in a widely used and popular product known as ConnectWise ScreenConnect. Unfortunately, this allowed bad guys to trivially connect to an enterprise's screens and network by completely sidestepping their need to identify themselves as an authorized party. Holy cow. I know, Leo, it's just astonishing. And connect they did, in large numbers and almost immediately, wasting no time. I'm not gonna go too far into this because, you know, we're like, really, again? But Huntress Labs wrote about what they found and it's worth giving this a little more coverage. The title of their posting two days later, last Wednesday, was "A Catastrophe for Control: Understanding the ScreenConnect Authentication Bypass." They wrote: On February 19th, 2024, ConnectWise published a security advisory for ConnectWise ScreenConnect version 23.9.8, referencing two vulnerabilities and software weaknesses. The same day, Huntress researchers worked to understand this threat and successfully recreated a proof-of-concept exploit demonstrating its impact. This write-up will discuss our analysis efforts and the technical details behind this attack, which we're coining as SlashAndGrab. The ConnectWise advisory indicated that in all versions of ScreenConnect below 23.9.8 there were two vulnerabilities. In other words, it's always been there, folks. An authentication bypass using an alternate path or channel, and improper limitation of a pathname to a restricted directory, in other words, a path traversal mistake. Huntress wrote: The first vulnerability was disclosed with a critical CVSS score of 10. That's right, 10 out of 10, the highest possible severity, which is basically where a system says, please, come on in, whoever you are. Username? Password? Don't bother, just click on Submit. The authentication bypass would ultimately open the door for the second vulnerability. They wrote: ConnectWise made a patch available and expressed that all on-premise versions of ScreenConnect 23.9.7 and below must be updated immediately. At the time of release, the ConnectWise advisory was very sparse on technical details. There was not much information available as to what these vulnerabilities really consisted of, how they might be taken advantage of, or any other threat intelligence or indicators of compromise to hunt for. Right. Basically, ConnectWise just was saying, holy crap, please, please, please, everybody, update to 23.9.8. Don't ask any questions. Just do it now. Huntress said: Once we recreated the exploit and attack chain, we came to the same conclusions. There should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors. But, they wrote, with other vendors now, two days later, publicly sharing the proof-of-concept exploit, the cat is out of the bag. We now feel that sharing our analysis shares no more threat than what is readily available. So we're ready to spill the beans. And they finished their intro saying the "exploit," in quotes, because it's not, is trivial and embarrassingly easy. Anyway, further details are unimportant to further establishing the point. Everyone gets the gist. We have yet another example of the truth that we do not yet fully understand, as an industry, how to do web authentication interfaces securely. Oh yes, we want to, since they're so friendly, colorful, attractive, and appealing. Look at that. You just go there with any web browser and you're logged into the enterprise's network. It's magic. And the bad guys love it just as much. They love how easy we've made it to log into enterprise networks. Web portal? Yes, please. Could do it. Was it, wasn't it as easy as just leaving the field empty and pressing submit? Right now, I didn't even go that far. You know, it's big because it was immediately picked up by bad guys, yeah, and every enterprise that hadn't updated by the time it was reverse engineered, which took apparently minutes to reverse engineer, they were then compromised. Wonder how many people use ConnectWise? It's a big deal.
1:04:24
Apparently it's Yes, it is better
1:04:26
at all men and year of
1:04:28
is so powerful. Wow! I. I
1:04:32
hope or M S P o the grizzlies that
1:04:34
I think we know if he does. Iii
1:04:37
Yes. I do have some good news. I'm very pleased to finally be able to announce that SpinRite 6.1's code is no longer a release candidate. It has graduated to its official release. Yay! Am I now... I said on Sunday, when? I mean, it means that, well, it means that I thought I was done, as it turns out. Something I did with, probably, conditional assembly, when I switched it around out of release candidate stage, caused the SpinRite executable which is written to the diskette image to have the attribute of the volume label set. I have no idea why; I learned about it yesterday morning when I had already started in on the podcast production. So I haven't looked at it, but it makes a bootable USB just fine, and that's what almost everybody uses now, so it's not a big problem. But the diskette image is used both for creating a bootable diskette and for the ISO and the IMG images, so they don't boot right now. I guess this evening I'll fix it and there will be a SpinRite 6.1 release 2 rather than release 1 as it is right now, so you might want to wait till tomorrow if anybody's been waiting. But it's done. What this means is that all the bugs, all the features, all the bells and whistles, blah blah blah, it's done. It's more a typo than a bug, really. Yes, yes, it is exactly. It is something so dumb, I mean, intellectually I'm so curious to have decided where do I put that... that had a half a year. So.
1:06:43
Ah, ok, but I learned something very
1:06:46
cool that I wanted to share with
1:06:48
our listeners. As a consequence of this.
1:06:53
Sunday. Evening. I.
1:06:56
Had submitted spin Rights final code
1:06:58
to Microsoft a threat detection system
1:07:00
as I the as ever was
1:07:02
but hearing me talk about the
1:07:04
You Tube pre release users have
1:07:06
been. Driven. To Greece
1:07:09
by. By. Their Windows systems
1:07:11
immediately deleting their copy his own
1:07:13
right? The meat don't
1:07:15
like they were know where they were
1:07:18
unable to run it because it would
1:07:20
immediately be quarantined and deleted thinking that
1:07:22
is some random trojan which is obviously
1:07:24
it's not, but. The detroit
1:07:26
a false positive and if you
1:07:29
give you google that particular. Trojan.
1:07:32
Turns out lot is like it misfires for
1:07:34
a lot of people. A lot of people
1:07:36
are doing something that that that like. That.
1:07:38
Freaks Out Windows anyway. so that's
1:07:41
why I spent a month doing
1:07:43
coats right, hoping that if I
1:07:45
signed my code and then. I.
1:07:47
Would get the benefit of the
1:07:49
doubt, but it didn't seem to
1:07:51
be happening. Okay, since Sunday evening
1:07:53
I submitted this final code to
1:07:55
Microsoft Threat detection system is just
1:07:57
it was generating false positive. Did.
1:08:00
Action and and creating a
1:08:02
problem. I'm.
1:08:04
Yesterday morning. I. Checked
1:08:06
on that and here's the reply
1:08:08
that I received from Microsoft. They
1:08:11
said the warning you experienced
1:08:14
indicates that neither the application
1:08:16
nor the signing certificate. Had.
1:08:19
Established reputation with Microsoft
1:08:21
Defender smart screen services
1:08:23
at the time. We.
1:08:25
Can confirm that the application
1:08:28
s R Six One.e X
1:08:30
he. Has. Since established reputation
1:08:32
and attempting to download or
1:08:34
run the application should no
1:08:37
longer show any warnings. Then.
1:08:40
They said and hear This
1:08:42
was what warmed my heart.
1:08:44
Please note the citing certificate.
1:08:46
Thumbnail: Error on
1:08:48
some print and then they
1:08:50
gave the heck's which I
1:08:52
checked his deciding certificate on
1:08:54
the server. That thumb is
1:08:56
still in the process of
1:08:58
establishing a reputation. Once.
1:09:00
Completed. All. Applications
1:09:03
that are signed with
1:09:05
that certificate should have
1:09:07
a worn free exile
1:09:09
realize from the start
1:09:11
interesting. So. Now somehow
1:09:14
have to establish reputation even
1:09:16
for assigning certificates. Yes,
1:09:18
and that last bit of that last
1:09:20
bit is the best news I've received
1:09:22
at a very long time. And or
1:09:25
as I mentioned before I been despairing
1:09:27
over this because there have been times
1:09:29
in the past few months there. There
1:09:31
was some guy couple days ago who
1:09:34
wanted to respond for have a different
1:09:36
from a recent purchase because he was
1:09:38
unable to run spin reviews all excited
1:09:41
but he couldn't run it because his
1:09:43
his windows eleven tip deleting it out
1:09:45
from under him. so he on. Every
1:09:48
time they tried spin right would
1:09:50
just you know immediately quarantine it?
1:09:52
I mean A or whoop Windows
1:09:54
would immediately quarantine Spin rights and
1:09:56
remove it from their system. So
1:09:58
hoping that a sick. That you're might
1:10:00
mean something. And by the way, this
1:10:03
was the all these have been assigned
1:10:05
right? the citing systems working perfectly now
1:10:07
and beautifully, never having a hiccup. but
1:10:09
it wasn't helping. So.
1:10:12
So that's why I had spent that month figuring out how to get Microsoft's less well documented code signing APIs to work remotely on GRC's server with a hardware security module, because the EV code signing cert is in the HSM, and you have to use an HSM for EV code signing. So I did all that, and all I had was hope. It wasn't until yesterday morning, when I received Microsoft's note, that it finally became clear that it would actually be possible for GRC's EV certificate to eventually protect these individual downloads, and SpinRite's users, from unwarranted harassment. And the reason is that every copy that a SpinRite user downloads has their licensing information embedded in it, so it's brand new. It's never been seen by Windows, which is why it's always freaking Windows out, as in, what's this? And because the signing certificate doesn't yet have reputation, Windows quarantines it. So what's interesting is that the reputation of that single SpinRite executable, which I sent to Microsoft for analysis, only took a few hours to obtain. That is, its reputation. But GRC's code signing certificate still hasn't.
1:11:41
Since I wanted to obtain the longest run time possible for this new signing technology and the certificate that it would be using, right before I deployed it in the middle of January I asked DigiCert for an update. EV certs are good for three years max, so on January 16th that new certificate was created, and I immediately placed it into service. That is exactly six weeks ago today. And over the course of those six weeks, thousands of copies of SpinRite's code have all been signed by that new certificate, and downloaded and run when users are able to. And Microsoft's note exactly identified that certificate by its thumbprint, so, you know, we know that Microsoft has been watching this certificate for six weeks. And it still says the signing certificate is still in the process of establishing reputation. What this suggests is that it takes quite a bit longer for a code signing certificate to establish its reputation, even an extended validation code signing certificate that was more difficult to obtain and can only be used from a hardware security module.

1:13:07
And really, when you think about it, that makes sense, since a fully trusted code signing certificate would be a very potent source of abuse if it were ever used to actually sign malicious code. So Microsoft just confirmed what I had been hoping, which is that code that gets signed by it gets a green light by default. At the same time, I'm quite certain that a reputation that was long and hard earned would be instantly stripped, obviously, if Microsoft were to ever confirm that a piece of true malware was bearing that certificate's signature. So anyway, this is all good news on the SpinRite front. I'm done with the product. I'm working on the documentation. I'll fix the little bug in the header, the executable being flagged with a volume label attribute so it won't run. I'll fix that, and Release 2 will be available later this evening, I'm sure. And it looks like GRC's EV cert is on its way to establishing reputation. I have no idea who to ask or how long it's going to take. I think what I'm going to do, though, is this: the GRC benchmark is now being downloaded about sixteen hundred times per day, and interestingly, ValiDrive turned out to have some legs. It's been steadily increasing in popularity and is now at more than twelve hundred downloads a day. So I think I'm going to go sign both of those with this same cert, so that it gets way more downloads and Microsoft sees it a lot more. And then... I don't know if it's time, or it's number of downloads, or utterances. I don't know what their metric is for what it takes to establish reputation.

Anyway, anybody from Microsoft listening, can you do a solid for our man here and run down the hall and say, can you push that through? There must be somebody who can help you. They listen to the show.

Leo, they're listeners of the show. They're upset with me, et cetera.

Or to help me? Oh no, they know. They work for Microsoft, you know,
1:15:31
et cetera, et cetera. So I also have a new piece of GRC freeware to announce. It's a Windows app called BootAble, because it creates any sort of boot media, USB, CD, ISO, IMG, or diskette, for the purpose of allowing its user to freely confirm and/or figure out how to get any given PC-compatible machine to boot DOS. And Leo, you know how I am with my naming programs. I still vividly remember you laughing out loud when I first told you about Never10.

Yes, you... I forget. What a name. Anyway.

So I was sorely tempted to name this Das Boot.

[Laughter] I know, I know, it would be so good.

The reason I didn't is that SpinRite 7 will boot on either BIOS or UEFI machines, and it will no longer be bringing DOS along for the ride. So BootAble, which is more generic, would be the better choice for the long run.

So does it... anyway. I wonder, maybe this would be useful for people who want to install Linux. Linux has trouble with Secure Boot in some cases. UEFI?

Yes, yes. I mean, so the idea would be you would have to... Well, actually, Linux will install on UEFI. And this won't test that yet?

Yeah, yeah, this won't test that yet. Oops. So you need BIOS or a CSM.

It does the compatibility, right? The Compatibility Support Module on UEFI.

But this allows people to... I wanted something so that people weren't buying SpinRite and then getting upset that they wanted to run it on a laptop that is UEFI-only. Or they were concerned about whether or not they would be able to boot SpinRite on any given machine. This is freeware, and it has all the same boot technology that SpinRite 6.1 has, and it's free. So you're able to just easily create a USB thumb drive and play around with, like, do you have to hit F12 or F2 or Delete?

You have to intercept a normal boot, right, in order to get it to boot like that. I never remember.

Yes, and there's no standard. Every machine is different, and they randomize it at the factory.

So anyway, that's just going to be another little simple piece of freeware out by the...

Okay. Let's take our last break, and then we're going to do a bunch of feedback from our listeners.

Great. Let's do it.

Feedback coming up next on Security Now with
1:18:29
Steve Gibson. Our show is brought to you by a service I know you're all going to want to use. We do. It's called Delete Me. Have you ever searched for your name online? Don't do it. It's just awful. It's awful. So much personal information online. Well, that's where you need Delete Me. With Delete Me you reduce risk from identity theft and credit card fraud and robocalls, cybersecurity threats, harassment, unwanted communications overall. I'm going to add this, and it isn't in the copy, but I think it's a very important security step to take for any business. And the reason is, we know this from personal experience. Your managers, their information, their phone numbers are online, and their direct reports are online and their phone numbers are online. You are going to be subject to a spear phishing attack. That's where the spear phishing guys get this information. We had a text message come from Lisa, our CEO, to her direct reports saying, I'm in a meeting right now, but I need these Amazon gift cards to distribute at our next holiday event or something. Can you please order these for me and bring them in? I'll pay you back. Now, that would normally be a very successful phish, because, you know, it all looks real, from her number right to my number. How would she know that it was a hacker attack? And of course they gathered that information from the public internet, personally identifiable information online, which is why we immediately signed up for Delete Me. The first step is you sign up. You give them some basic personal information, the kind of stuff that they're going to be looking for, right? They need some threads to follow. The Delete Me experts, and this is done by humans, by the way, which is why it really works, know where all those data brokers live and exactly the procedures for each and every one of them to do takedowns. They will remove your personal information literally from hundreds of data brokers, you know, all the people that were selling information, reducing your online footprint, keeping you and your family safe. But, and this is very important, they don't stop there, because these people are terrible, these data brokers. They will repopulate that information. Lisa's has flowed back in, and then again Delete Me continues to scan and remove personal information regularly. They don't just sit on their success. They continually go out, check and make sure that information is still gone: addresses, photos, emails, names of your relatives, phone numbers, social media, property value, and more. As privacy exposures and incidents affect individuals differently, their privacy advisors are there on the phone. You know, our needs may be different from yours. They will talk to you, explain what you need, what you don't need, give you support. Sometimes it's just emotional support, like, I am so sorry this is happening to you, but we can help you protect yourself. Reclaim your privacy. Go to joindeleteme.com/twit with the offer code TWIT. Joindeleteme.com/twit with the offer code TWIT, and you get 20% off, by the way. So that's a pretty good deal. Joindeleteme.com/twit. Lisa's still using it, and, knock on wood, we still have... it has not happened again. And I honestly think it's because that information is no longer available to spear phishers. Joindeleteme.com/twit. Back to Mr. Gibson.
1:22:03
So Astral Computing tweeted: "Cox is transitioning its email service to Yahoo Mail for its users. Customers will be moved to Yahoo email while still retaining their email address and password. However, the POP, IMAP, SMTP settings for all will change. My main concern," he writes, "is the security hassles this is going to create for users due to the password reset issues you've been talking about lately. Thinking of moving my 86-year-old mom off Cox before this happens, but it's going to be a nightmare to change all those email addresses for every utility, bank, etc. Keep up the good work. Past-999 SN listener from day one and proud SpinRite Enterprise supporter." Signed, W.

Which brought me to note that, just for anyone who's interested, a SpinRite Enterprise supporter is rare, but I like to see it. For those who don't know, we offer three levels of license. The standard SpinRite end-user license allows it to be run on any machines that the user personally owns. And as I've often noted, I would never complain about someone coming to the rescue of a friend or family member in need. If a company wishes to use SpinRite on any or all of their machines at a single location, we ask them to maintain four licenses for the version of SpinRite they're using; we call it a site license if you have four SpinRite licenses. And if a large multi-location enterprise wishes to use SpinRite across their entire enterprise, anywhere or wherever, then maintaining ten licenses officially allows for that. So again, Astral Computing, thank you.

1:23:52
After a little bit of poking around, I've confirmed that 86-year-old moms everywhere will not be disturbed by this change.

Oh, good.

Yes. Although Yahoo's network and servers will be the ones handling everything for Cox in the future, none of Cox's email addresses, which all end in cox.net, will be changing. And their announcement about this was couched as: "To ensure the best email experience possible for our customers, we have decided to transition the email service and support of your cox.net email to Yahoo Mail. This transition lets you keep your email address, messages, folders, calendar and contacts. After the move, Yahoo Mail will become your email provider, and Cox will no longer manage or support your email services. We realize how important your cox.net email address is to you, and have carefully selected Yahoo Mail because we believe they are a trusted provider that will continue to offer the advanced support and enhanced protection for your email accounts as you've had at Cox. We will work with Yahoo to provide a seamless transition for our cox.net email customers." So anyway, no need to change anything related to the email addresses themselves. Your email client's login domain will apparently need to move to Yahoo, but that change should be minimal, right? You just change a couple of settings for POP or IMAP or SMTP and you're good to go. But Mom will not need to change any of her email addresses.
1:25:39
Eric Mann asked, he said: "Hey Steve, I was just at my local grocery store and had a thought. In this day and age, why do credit cards have the number, expiration date and CVV code printed/embossed on them? Everything a thief needs is right on the card. Simply not necessary for in-person transactions. All the info can be stored somewhere else a bit longer. Still loving the show. Eric."

So that's an interesting question, actually, especially, Leo, the embossed part. You know, it's obviously all a holdover from the manual credit card processing era, where a card would be placed in a manual credit card machine, a multi-part carbon slip would be placed on top, and then the roller would be rolled back and forth across the slip and over the card underneath, all to basically transfer the card's data, the credit card number and the expiration date, onto the carbon. Now, I can't recall the last time I saw that being done, but it does remain a possible fallback in the event, for example, of a power outage where credit cards still need to be processed, or if there were some internet connectivity outage where you were not able to do it, like your credit card processing terminal wouldn't work even though you have power. And, you know, as with an increasing number of things, like phone books, and even going to a library or, sadly, a physical bookstore, I imagine there are young people who have never encountered the manual processing of a credit card. But anyway, it's sort of interesting that they are still embossed, as in the old days, although my latest American Express card does not have that.

Oh, really?

Yeah, they finally have given that up.

I think the other cards are giving up, and it does make sense, because you could just manually transcribe the number onto the same carbon too.

But, you know, if that was actually... Yes sir. I don't know who's...

Yeah, you're right. If the power goes out at some station in Nevada somewhere, some gas station somewhere in... yeah.

So, "Phishworks," I guess that's the guy's company name, I hope. You know, Steve.
1:28:19
"Hello Steve! I've been a Security Now listener for many years and can't thank you enough for all the security and computer science education you've given out so freely. Also, my kids are on a daily vitamin D regimen because of you."

That's great.

He said: "I had a question about one of the items from SN 962," that's last week, "the gold standard of client-side hashing for password creation." He said: "In a scenario where the clients submit their own hashed passwords, and the adherence to password requirements is governed only by client-side controls, would there be any way to prevent a malicious party, like a pen tester, for example, from swapping out my hash in transit and supplying the server with a valid hash of a non-conforming password? This would be admittedly counterproductive for the user, but it would seem that the server would lose the ability to make strong assertions about the hashes that it was accepting. Am I thinking about this correctly? I'd love to hear any thoughts you have on this. Thanks again for all you do!"

1:29:31
Okay, so the essence of this listener's question is whether the receiving server is able to determine anything about the quality of the user's password from its hash. And the answer, of course, is no. Assuming that the user's browser employs a strong local PBKDF, a password-based key derivation function, the result will be a completely opaque, fixed-length blob of bits from which absolutely nothing about the original source password can be reverse engineered. Hopefully that PBKDF will also be salted, so that it's not even possible to compare the results of that PBKDF function with previously computed passwords. So it's due to the total opaqueness of the result that we now depend upon the user's browser to enforce password complexity requirements right up front, before the PBKDF function is applied, because that's the only time it can ever be done.
1:30:51
Ah, F. from... he said: "Hi Steve. Thank you for the great show! I'm a long-time listener and excited for the opportunity to continue listening for many more years. In regards to passwordless login by way of a link sent to a user's email, and the concern over email security," he said, episodes 961 and 962, "I was wondering if there would be a way to construct the magic link from a cookie or the like from the user's browser session. That way the link would only work from the same browser session where the login request originated. Looking forward to hearing your take."

Okay. At one point the same thought had occurred to me, but I was in the middle of assembling the podcast, so I didn't pursue it. But the answer is absolutely and unequivocally yes. Now that I've thought about it, here's a far stronger solution, in fact. It's absolutely strong. Even without being logged in, the user's browser will have obtained, at the very least, a session cookie from the site they wished to log into. That cookie will be valid until the browser is completely closed, and in fact the cookie's probably persistent and long-lived, but it wouldn't have to be. And a bunch of information can be encoded into the link, beyond a one-time token, the link that's emailed to the address the user provides. So the emailed link could include the time of day, the user's IP address, and the value of the unique cookie that their browser has just received from the site. When the user then clicks on the link, it will open a new page at the domain they're wishing to authenticate to. In opening that page and sending the URL to the site's server, the server will be obtaining all of that information, which is totally opaque because it's been encrypted before being added to the link and sent to the user. So it first decrypts the information and verifies that a reasonable amount of time has passed since the link was created, using the link's embedded timestamp. It verifies that the IP address encoded into the link matches the IP address of the browser's query, so the user hasn't moved, and that the first-party cookie the browser just returned with its query also matches the cookie value that was encrypted into the link, so it's the same browser. I don't see any way for that system to be compromised. You need no email security at all. You could pass the link around to people and it wouldn't matter. The IP address provides strong verification about the location and connection. The browser cookie verifies it's the same browser at that same IP. That link will be totally useless to anyone else who might be able to intercept it as a result of email's less than totally perfect security. So thank you for posing the question, F. I am very glad that we were able to revisit this once again. That makes three weeks in a row. It's an intriguing idea. We've just made the email-only login system utterly bulletproof.

1:34:41
I like it. Yeah. So when... there is a rule with cookies that only the site that created the cookie can read the cookie.

Right.

And that's what matters, rigorously? Yeah, that's what's protecting you. So you get the email, you get the link, you click the link in the email. It would open your browser. Now you're in that session, and you are theoretically with that first-party...

Right.

...set of cookies, and you're back at that site domain. You're at the first party, which is where you want to log in, right? So it's first party. And that link also could have encoded your IP address, which would not change from minute to minute, right? Because you have a connection to the site, and, as you say, I want to log in here, send me a link, right? So it sends you a link. You open your email, you click on the link, and clicking on the link opens your browser back to that site. Well, is your IP address unchanged? It's like, hello, fifteen seconds went by.

Do we know... people must be... I would think people are using that. Do you know if they are?

I don't know, but they certainly...

So you encode... Good. Yes. You encode the timestamp, the user's IP, their browser cookie, and that locks that link to... it would only work with where they are.

Yep.

I should ask... you know who uses that is Micro.blog. Let me ask him at Micro.blog if he's doing that, because that's the only way to log in, as far as I can tell. You click a link, it sends you an email, and you click the link in the email to open the site. I bet he's doing it. It can really be locked down there and be made super secure.

Yeah.
1:36:38
As. A good I so Michael
1:36:40
spelled M Y K E L.
1:36:42
Michael Cole Benz he said Steve.
1:36:45
Just listen to your commentary again
1:36:47
on Auto Keys and the banning
1:36:49
of the Flipper Zero. Were.
1:36:51
You in the Canadian government have
1:36:53
missed. Am. An Michael is
1:36:56
one hundred percent correct. Is
1:36:58
that this is only the access to
1:37:00
the inside of the car. All.
1:37:03
Cars for about year two thousand
1:37:05
have used a. Let's. Call
1:37:07
it Aura Fi D chip to
1:37:09
simplify it in the key that these
1:37:12
to be physically present for the
1:37:14
car to start. Typically.
1:37:16
The remote function is a separate system to
1:37:18
the Rf I D chip in the car,
1:37:21
so fixing the remote feature is not going
1:37:23
to prevent the car from being stolen. And.
1:37:26
Don't think that a remote is the only way
1:37:28
to get into a car. Getting. Physical
1:37:30
access to the inside of a
1:37:32
car is easy. Break a window,
1:37:34
use any number of methods like
1:37:36
the Slim Jim it out of
1:37:39
unlocking a door when keys are
1:37:41
locked inside et cetera, banning the
1:37:43
flipper zero will have no impact
1:37:45
on the number of cars being
1:37:47
stolen. Not. Unless it is
1:37:49
able to replicate the RFID
1:37:51
function of the key. If
1:37:54
the car has a CAN bus,
1:37:56
then that is another avenue for
1:37:58
attack and access. There are
1:38:00
videos of a Lexus having its headlight
1:38:02
popped out to access the CAN
1:38:04
bus at the back of the
1:38:06
headlights and then the car is
1:38:08
opened and started using an injection
1:38:10
technique that fools the ECU
1:38:12
into thinking that the key's present
1:38:14
and the start signal has been
1:38:16
given. Cheers! And
1:38:19
of course, Michael is one
1:38:21
hundred percent correct. My entire conversation
1:38:23
about this was effectively off topic
1:38:25
last week since I was only
1:38:27
thinking about unlocking the car, not
1:38:30
about starting it and thus stealing
1:38:32
it. And you cannot steal
1:38:34
a car merely by unlocking its
1:38:37
doors, as he points out. So
1:38:39
thank you, and you're right, having
1:38:41
the Canadian government as a consequence
1:38:44
banning Flipper Zeros will obviously have
1:38:46
no impact whatsoever upon auto theft,
1:38:48
or I would imagine that it's
1:38:51
they are the how-to TikToks
1:38:53
and the YouTube videos
1:38:55
that provide the greatest impetus and
1:38:58
explanation for the rise in Canadian
1:39:00
auto theft. But you know,
1:39:02
what is a politician going to do
1:39:04
about that? A
1:39:08
Viper XX said, I see below,
1:39:10
from Germany. Long time listener,
1:39:13
SpinRite license holder. The router topic,
1:39:15
he said, the company AVM,
1:39:18
a very popular German router brand,
1:39:20
actually does what you
1:39:22
say. They require you to
1:39:25
confirm security sensitive changes by
1:39:27
pressing a button on the
1:39:29
router or via
1:39:32
a connected phone, and in the
1:39:34
last release they added a one
1:39:36
time password, an OTP
1:39:38
token, which lets you add
1:39:40
it to your authenticator app. So
1:39:43
I just wanted to share that with the world.
1:39:45
So the company is AVM,
1:39:48
a German router brand. Ah,
1:39:50
that is very cool. Let's hope
1:39:52
that this heightened level
1:39:55
of configuration security spreads since it
1:39:57
might help to correct the trouble
1:40:00
we are seeing with routers, and as we
1:40:02
know something really needs to be done. Ah,
1:40:07
Read his can dar. He.
1:40:09
Said hello Steve. I was just
1:40:11
listening to your response on our
1:40:13
new Canadian ban, he must be
1:40:15
Canadian, of the Flipper Zero. He
1:40:18
said your challenge system is a
1:40:20
good method to strengthen the
1:40:22
car to key communication;
1:40:25
however, the current Canadian
1:40:27
car thefts are not relying
1:40:29
on the jamming method. The
1:40:31
thefts have been recorded by
1:40:34
victims' security cameras using
1:40:36
a signal extender to allow the
1:40:38
attacker to unlock and start the
1:40:40
car from the owner's driveway while
1:40:43
their key is in the house.
1:40:47
And of course we've covered this
1:40:49
too. He says once the car
1:40:51
is started, the attacker just drives
1:40:53
off with it and as long
1:40:55
as they don't turn it off
1:40:57
before reaching their destination, they got
1:40:59
what they came for. This is
1:41:01
not even a capability that the
1:41:04
Flipper Zero can currently perform. In my
1:41:06
opinion, this type of attack requires
1:41:08
a redesign of how the key
1:41:10
and car communicate. Perhaps a shorter
1:41:12
communication field would be required, like
1:41:14
NFC, in order to make the
1:41:16
key signal not audible by a
1:41:18
radio located outside of the victim's
1:41:20
house, or perhaps a physical kill
1:41:22
switch on the car key itself,
1:41:24
so when the owner is inside
1:41:26
their house and not expecting
1:41:28
their key to be used to
1:41:30
actively unlock the car they can
1:41:32
disable the radio. As is, I
1:41:35
keep my car keys inside an
1:41:37
RF sleeve which creates one
1:41:39
extra step to unlocking my
1:41:41
car but completely blocks all the
1:41:43
current attacks that have been occurring
1:41:45
in my neighborhood here. Looking forward
1:41:47
to hearing your thoughts on this.
1:41:50
Okay, so I'm very glad
1:41:52
for the additional information and
1:41:54
our long time listeners will
1:41:56
recall that we extensively covered
1:41:58
exactly this attack some time
1:42:00
ago, the use of signal extenders
1:42:03
for car theft, which serve to
1:42:05
trick the car and the key
1:42:07
into believing that they are much
1:42:09
closer to each other than they
1:42:12
actually are. Keys normally,
1:42:15
I'm not, working from a
1:42:17
distance is a feature, not
1:42:19
a bug. Right,
1:42:22
and signal boosters defeat
1:42:24
that somewhat weak security.
1:42:27
At the time we talked about
1:42:29
adding time of flight to the
1:42:32
security, though that becomes tricky when
1:42:34
an active agent must respond to
1:42:36
a ping since its own response
1:42:38
time might be long compared with
1:42:40
the speed of light. Though
1:42:43
there might be something that could
1:42:45
be done using, say, shifting or
1:42:47
interferometry to determine distance separately
1:42:49
from signal strength, which is what
1:42:51
you would want. Again, I presume
1:42:53
that there's a lot of work
1:42:55
being done along those lines, but
1:42:57
once again, targeting the Flipper Zero
1:42:59
as the culprit is way off
1:43:01
the mark. So I was going
1:43:03
to show you, this is
1:43:05
the card key for my
1:43:07
car. And newer BMWs
1:43:09
use Apple's Car Key,
1:43:11
they call it, so this is
1:43:14
an RFID card and you can
1:43:16
see it even has instructions: you tap it
1:43:18
on the door. The NFC is
1:43:20
not, I'm sorry, RFID,
1:43:22
so it doesn't work
1:43:25
at a longer distance, right? You tap
1:43:27
on the door, and then, but
1:43:29
the phone also has an unlock; my
1:43:31
card key is in my Apple Wallet
1:43:34
and it's using UWB,
1:43:37
ultra wideband,
1:43:39
right, which is basically directional
1:43:42
radar. And so, ah,
1:43:44
it. Is it? Is
1:43:46
I think. Not immune to
1:43:48
those kinds of rarely I tax
1:43:51
rate because harrys young obediently ah
1:43:53
yes, Ah, So I think this is
1:43:55
any. By the way, it works so much better
1:43:58
than the old Bluetooth card key in
1:44:00
my Ford Mustang, which would
1:44:02
fail all the time. This
1:44:05
is infallible and in fact also works on my
1:44:07
watch, which is
1:44:09
nice if i i phone my wife's or
1:44:12
get me very in and i can drive
1:44:14
ah other with the card to you hack
1:44:16
because it's or and as see if to
1:44:18
put it in a location. In.
1:44:20
The car to this to be. Proximate.
1:44:23
Ah, right right right right. So you put
1:44:25
it in the eye and that said in
1:44:27
the phone charging tray and it it snows
1:44:29
it did. They provide a solution for people
1:44:31
who have no additional Apple technology, as is.
1:44:34
Is there also the same thing for Android?
1:44:36
Ah yes, it works in Android. I don't
1:44:38
have Android. Is it as secure, I presume?
1:44:40
it is. I don't know how
1:44:42
to our worst. I don't think all they
1:44:44
have utterly Android has divided and so it
1:44:46
may not be as secure. They
1:44:48
also offer fobs for people. Like
1:44:51
Oh my God. Play like me who don't
1:44:53
understand how all this stuff works and who
1:44:55
know what a far been a success as
1:44:58
I. Said.
1:45:00
Oh yeah, I have two of them. Amazing. So
1:45:04
MSF said. Well,
1:45:06
she provided some useful thoughts about
1:45:09
meeting the need for throwaway
1:45:11
email. And Emma wrote:
1:45:13
I have a few comments regarding the
1:45:15
email sign up for tons of different
1:45:17
throwaway websites. I started moving to
1:45:20
an email alias service about a year
1:45:22
ago. It's been a game changer for
1:45:24
me, due to Bitwarden's integration
1:45:26
with my choice of service. Bitwarden
1:45:29
currently integrates
1:45:31
with SimpleLogin,
1:45:33
AnonAddy, Firefox
1:45:35
Relay, Fastmail, DuckDuckGo
1:45:37
and Forward
1:45:39
Email. It makes
1:45:41
it super easy to generate email
1:45:44
aliases on the go. So
1:45:46
now I no longer mind if I
1:45:48
need to provide an email address to
1:45:50
a random website. As Leo
1:45:52
said, when he said,
1:45:54
even if you use a
1:45:56
single throwaway email address,
1:45:59
it's still a fingerprint. And it's
1:46:01
still trackable across different web sites,
1:46:03
and if you use a personal
1:46:05
domain with multiple email addresses, all
1:46:07
emails with that domain are a
1:46:10
fingerprint. With these alias services there's
1:46:12
no fingerprint. There's no tie between
1:46:14
the different email addresses. I'm not
1:46:16
saying whether these email address services
1:46:18
are the best or whether
1:46:20
Bitwarden is the best password manager,
1:46:23
we think it is here, but
1:46:25
I choose a provider I trust
1:46:27
for both my email alias service
1:46:29
and my password manager. And I
1:46:31
have not been disappointed with them yet.
1:46:34
And their integration with each other is
1:46:36
invaluable. Thanks for all you do. So
1:46:38
happy to hear you're going past 999
1:46:40
of Security Now. And
1:46:42
so forth. Anyway, thank you, MSF,
1:46:44
we're glad to have you as
1:46:47
a listener. She added, as a result of
1:46:49
that, she was happy that we're
1:46:51
continuing, for her and everyone else who finds
1:46:53
this podcast to be worth their time.
1:46:55
I really do understand how
1:46:58
valuable everyone's time is. We talked
1:47:00
about Bitwarden's integration before, so
1:47:03
I thought it was worth sharing
1:47:05
MSF's experience, perhaps give our
1:47:08
listeners a little bit of a nudge
1:47:10
in the direction of considering email
1:47:12
integration, since more and more
1:47:14
listeners are reporting encountering the "join
1:47:17
our website to access our valuable
1:47:19
content" notices. I have a feeling
1:47:21
that throwaway email is going
1:47:23
to become increasingly necessary for anyone
1:47:26
who would prefer not to be
1:47:28
providing explicit tracking data.
1:47:32
ADH said: Hey Steve, one
1:47:34
remark about the click link in
1:47:36
email to log into your account
1:47:38
without password feature mentioned in episode
1:47:40
962. As mentioned in
1:47:42
the episode, one could see it
1:47:45
as a password sharing prevention mechanism because
1:47:47
no one in their right mind
1:47:49
would give access to their main
1:47:51
email account. Nevertheless,
1:47:54
you could still use a
1:47:56
shared separate email account specifically
1:47:58
created for logging in to
1:48:00
specific services you intended to
1:48:03
share. Signed, Daniel. And
1:48:05
that's a great point. I love
1:48:07
that instead of not wanting
1:48:10
to, not wanting to share
1:48:12
your email address, create a
1:48:14
deliberately shared email account
1:48:17
which you share with those who you
1:48:19
wish to share
1:48:21
login access with.
1:48:24
Then the email loop actually makes
1:48:26
all that easier. You don't have to
1:48:28
keep a password synchronized among
1:48:30
yourselves because you've already
1:48:32
got email which is serving as
1:48:34
your one way of logging in.
1:48:37
And of course it could be
1:48:39
used for multiple accounts which are
1:48:41
all being shared among that
1:48:43
group of users. Very nice. Christopher
1:48:47
Ah er sich. He wrote: Steve,
1:48:50
it's Chris from Cleveland here,
1:48:52
a listener since the days
1:48:55
of the Onion Router, SecurAble,
1:48:57
both Jungle Disk and the
1:48:59
Astaro Security Gateway. He said
1:49:02
in SN 962
1:49:04
you gave a recommendation for
1:49:06
client side password quality enforcement. We
1:49:09
need to deprecate website passwords entirely.
1:49:12
But in the meantime, of course, that
1:49:14
was never gonna happen, in the meantime,
1:49:16
I think I have a better idea
1:49:18
that is even easier for sites to
1:49:20
implement. It
1:49:23
should not be difficult
1:49:25
to define a declarative
1:49:27
microformat, and he says,
1:49:29
ah ha, microformats.org,
1:49:32
that sites can use to, manually,
1:49:36
I'm sorry, to machine
1:49:39
readably inform browsers
1:49:41
and password managers what
1:49:43
password constraints the site
1:49:45
requires. Bitwarden or
1:49:47
Mozilla could even write the
1:49:49
standard. This would allow sites
1:49:52
that don't actually handle passwords
1:49:54
properly to at least avoid
1:49:56
burdening the user with cumbersome
1:49:58
rules. Regards. Okay,
1:50:01
so I agree strongly with
1:50:03
part of what Chris has suggested,
1:50:05
and I think it's brilliant. Okay,
1:50:08
so first, I doubt that the micro
1:50:10
formats.org that Christopher refers to
1:50:12
as an example would be adopted
1:50:15
in a world that's pretty much
1:50:17
settled on JSON, J
1:50:20
S O N, JavaScript Object Notation,
1:50:23
as its textual representation
1:50:25
for structured data. Micro
1:50:27
formats date from two thousand and
1:50:30
four, so that's twenty years now,
1:50:32
and any worries about counting and
1:50:34
minimizing character counts, because that
1:50:36
was sort of its deal back
1:50:39
then, that doesn't have the same
1:50:41
impact today
1:50:44
as it would have back, you know,
1:50:47
when the nineties were only a
1:50:49
few years removed. But the representation format
1:50:51
of the data is really beside the
1:50:53
point. And does it matter? The brilliance
1:50:56
is the idea that there
1:50:58
could be a very
1:51:00
simple means for our
1:51:03
password managers to obtain
1:51:05
a web site's more
1:51:07
or less arbitrary password
1:51:09
rules and constraints without
1:51:12
any human intervention. When
1:51:15
you're using a password manager, as
1:51:17
I'm sure now everyone listening to
1:51:19
this is, and
1:51:22
you know that you're never going
1:51:24
to need to remember any site's
1:51:26
password, the longer the password the
1:51:29
better, right? So thirty
1:51:31
two characters with all
1:51:33
possible character classes mixed
1:51:35
together would be perfect.
1:51:38
But then you hit upon some
1:51:40
annoying site that says your
1:51:42
password was too long, twenty
1:51:44
characters maximum. So okay,
1:51:46
you dial the length down to
1:51:48
twenty. Then it says you
1:51:50
must have some uppercase characters. And
1:51:53
what? And sure enough, by the
1:51:56
luck of the draw, that shorter twenty
1:51:58
character password happened to be all
1:52:00
lowercase, numbers and special characters. So you
1:52:02
need to make your password manager regenerate
1:52:05
another password. So you do that, and
1:52:07
now you're told that it must also
1:52:09
have at least four non consecutive numeric
1:52:11
characters. Okay, perhaps I
1:52:13
created a worst case example, but
1:52:16
everyone gets the idea, as I'm
1:52:18
sure we've all needed to adjust
1:52:20
at least the length of our
1:52:22
password managers' automatically generated passwords in
1:52:24
the past. We
1:52:27
already have the well
1:52:29
established, in all, it's
1:52:31
it's in the root
1:52:33
of a server, the
1:52:35
.well-known directory,
1:52:38
where, well,
1:52:42
which is used for locating
1:52:44
website information in specific directories
1:52:46
off the root. So
1:52:49
we've got that in place,
1:52:52
the industry could define
1:52:54
a .well-known directory named
1:52:56
password rules. And that
1:52:58
directory could contain a JSON
1:53:01
file which succinctly
1:53:03
describes the site's acceptable
1:53:05
password policy. A
1:53:08
configuration option in our password manager
1:53:11
would be to pull, we could turn
1:53:13
it on to pull, any
1:53:15
site's acceptable password policy
1:53:17
whenever our password manager
1:53:19
is about to present
1:53:21
a password recommendation, and
1:53:24
design the password it
1:53:27
offers to match the
1:53:29
most secure password allowed
1:53:31
under that site's policies.
1:53:35
Gone then, permanently,
1:53:38
would be the need to constantly
1:53:40
change the
1:53:42
details of the password our password
1:53:44
manager creates. It could always be
1:53:47
set to maximum and it would
1:53:49
drop down to what a site
1:53:51
said it was willing to
1:53:53
accept if necessary. Anyway, I know
1:53:55
it would be a heavy lift
1:53:57
to get this adopted industry wide.
1:54:00
Never mind, I'm the guy who spent
1:54:02
seven years on SQRL. But not all
1:54:04
sites need to do it. And
1:54:06
those that did would be encouraging
1:54:09
the use of the strongest possible
1:54:11
passwords for their account holders, so
1:54:13
it would be beneficial to the
1:54:15
site, and it would also make
1:54:18
automatic password rotations, which are
1:54:20
sometimes necessary, you know, you want to change
1:54:22
all your passwords,
1:54:24
much more automatic because your
1:54:27
new password wouldn't be violating
1:54:29
that site's rules. Or
1:54:31
else, we know that even with
1:54:33
the adoption of passkeys, passwords
1:54:36
will not be disappearing. They'll still be
1:54:38
with us for the foreseeable future.
1:54:40
So automating the selection of the
1:54:42
strongest possible password for a site
1:54:44
seems like a useful feature. Okay,
1:54:49
We're at page nineteen of the
1:54:52
show notes, which typically means that
1:54:54
I've been trying everyone's patience long
1:54:57
enough for the week. Even so, there
1:54:59
were three additional stories that I ran out
1:55:01
of time to cover the way I wanted
1:55:04
to. The first
1:55:06
one was a story
1:55:08
that I thought was going to
1:55:10
be the most exciting. It generated
1:55:14
actually some quite frightening...
1:55:17
Well, the story
1:55:19
itself generated some quite
1:55:21
frightening headlines about a
1:55:23
new side channel attack
1:55:25
on fingerprint biometrics.
1:55:28
For example, Tom's Hardware
1:55:30
coverage was headlined: Your
1:55:33
fingerprints can be recreated
1:55:35
from the sounds made
1:55:37
when you swipe on
1:55:39
a touchscreen. It
1:55:42
continued: Chinese and US researchers
1:55:44
showed new side channel can
1:55:47
reproduce fingerprints to
1:55:49
enable attacks. Okay,
1:55:53
now what? The only
1:55:55
problem with that is it is
1:55:57
not even remotely true. It
1:55:59
turns out that within
1:56:01
the fingerprint biometrics research
1:56:04
community there
1:56:06
are two generic fingerprint
1:56:08
templates, one called
1:56:11
MasterPrint and the
1:56:13
other is DeepMasterPrint.
1:56:16
By themselves, these templates have
1:56:18
a one point eight eight
1:56:21
percent and one point
1:56:23
one one percent chance of
1:56:25
fooling any fingerprint
1:56:27
sensor that's been trained
1:56:29
on some specific individual's
1:56:32
actual fingerprint. Okay,
1:56:34
one point eight eight percent, like that.
1:56:36
This freaky MasterPrint that the
1:56:38
industry has created turns out to sort
1:56:41
of be a generic fingerprint and
1:56:43
it'll work one point eight eight percent
1:56:45
of the time. This may be more
1:56:47
of an ally. And fingerprints, they're not
1:56:49
unique. I mean that said, if they're
1:56:51
not even a unique and thus yeah
1:56:54
Zachariah exactly they're vid are fingerprint What?
1:56:56
As we know you look at it
1:56:58
you got like or yeah that would
1:57:00
not be like a fingerprint at a
1:57:02
does it look like. An Old
1:57:04
Duster, Entropy, or even a Qr
1:57:06
code. right? Exactly Okay, so so,
1:57:08
but that by itself alone is
1:57:10
interesting, the idea that there is
1:57:12
this thing called a MasterPrint,
1:57:14
which is
1:57:17
known. Okay, so now,
1:57:19
and that it's a generic template
1:57:21
for fingerprints. But what these researchers
1:57:23
found was that they were able
1:57:25
to slightly better
1:57:28
inform those very
1:57:31
low performance generic
1:57:33
MasterPrint templates
1:57:35
by listening to the sound
1:57:37
of a finger moving across
1:57:40
a touchscreen. I
1:57:42
suppose it should not be
1:57:44
surprising that something might
1:57:46
be learned from that. But it
1:57:49
should also not be surprising
1:57:51
that it's not very much,
1:57:53
and that it is certainly not,
1:57:55
as the breathless headlines claimed,
1:57:57
your fingerprints can be recreated
1:57:59
from the sounds made when you swipe on
1:58:02
a touchscreen. You know, it
1:58:04
turns out it barely helped at all. Although
1:58:07
it took me a long time to figure that out because
1:58:09
I had to read the research paper. But anyway, so
1:58:11
much for that. If you saw
1:58:14
that and you wonder why I didn't
1:58:16
talk about it, it's because it's
1:58:18
nonsense. I also wanted to
1:58:20
have time to check back in
1:58:22
on the state of our intrepid
1:58:24
Voyager One spacecraft, since
1:58:26
it appears that it may
1:58:28
have finally lost its battle
1:58:31
with time and entropy. I
1:58:33
will make some time for a
1:58:35
more detailed look at that next
1:58:37
week. And finally, the story that's
1:58:39
probably going to be next week's main
1:58:41
topic, so I definitely didn't have
1:58:43
time to fit it into today,
1:58:45
is Apple's announcement last week of
1:58:48
PQ3, where PQ
1:58:50
stands for post quantum. The
1:58:53
blog posting from Apple's Security
1:58:55
Engineering and Architecture group contained
1:58:57
sufficient detail to make for
1:58:59
a terrific main topic, so
1:59:01
stay subscribed. I will be
1:59:03
back next week with all
1:59:05
of the interesting details about
1:59:07
Apple's PQ3, yeah, adding
1:59:10
post quantum crypto to, ah,
1:59:12
Messages. Very curious which a
1:59:14
photograph. And
1:59:17
I suppose PQ3 is
1:59:20
not, it is not one of the NIST
1:59:22
protocols, but I saw from, I suppose, there
1:59:24
isn't one of the NIST protocol schools
1:59:26
will fight over, right? PQ3
1:59:29
is their own. Their names
1:59:31
in caps. elation. Have a friend when
1:59:33
or how to how to do and
1:59:35
you got key distribution and key
1:59:37
rotation. I mean, if they basically, what
1:59:41
this is giving us are some ciphers, but
1:59:43
what, but the take is, as we know,
1:59:45
there are, that there, there's a long distance
1:59:47
between a cipher and the entire working
1:59:50
protocol that has all the bells
1:59:52
and whistles that Apple will need. Pretty
1:59:56
cool actually. That's great. So
1:59:58
so I think that next week. The topic
2:00:00
may just have three letters. Or
2:00:04
characters. I hope so. I
2:00:07
hope so. Steve Gibson, GRC. I like how,
2:00:09
by the way, our Discord, our club,
2:00:11
wonderful club members,
2:00:13
tell me that at least some
2:00:15
Android phones do have ultra wideband,
2:00:17
including the new Samsung Galaxy
2:00:19
S24s. I'm
2:00:21
sorry, no, it is the Note 20. Would
2:00:24
you? It's the Note 20. So it's been
2:00:26
around for some time, some time on that;
2:00:28
even maybe even predates Apple. Maybe Apple catching
2:00:30
up? Yes, yes. I
2:00:32
haven't tried the car key feature
2:00:35
in Android. I
2:00:37
have a Pixel, whatever the latest is. I should
2:00:39
try it. Let's get back to it. It
2:00:42
sure is nice when your car
2:00:44
recognizes you; you hop in and drive
2:00:46
off. I love that. I love that
2:00:48
feature. Steve is at grc.com. Hop in, drive off
2:00:51
with a brand new copy of SpinRite
2:00:53
6.1. You'll be glad
2:00:55
you did it, sir. It's official and
2:00:58
you can get your copy at grc
2:01:00
.com, the world's best mass storage
2:01:02
maintenance and recovery utility. Ah, so pleased.
2:01:05
Congratulations, Sir Stephen. A minute, we're going.
2:01:07
What? you got? Three seconds. Siegel? Fix
2:01:09
that. But that moment of fix I'll
2:01:12
be released to avail. refraining bugs While
2:01:14
you're there, Pick up a copy of
2:01:16
this show. Steve has a couple
2:01:18
of unique versions. The normal versions are
2:01:21
there, of course, the sixty four kilobit
2:01:23
audio. But he also has sixteen
2:01:25
kilobit audio for the bandwidth
2:01:28
impaired. And
2:01:30
one of the bandwidth impaired was Elaine
2:01:32
Farris, a transcriptionist, a court reporter, who
2:01:34
lives, she is a farrier, so
2:01:36
she lives on a farm and so she
2:01:38
needed the low bandwidth version, and
2:01:40
now thanks to that we get wonderful transcripts
2:01:43
from Elaine. Steve posts those; it takes
2:01:45
a couple of days after the show to
2:01:47
get those up. It's very handy for reading
2:01:49
along, Loyalists, and much better than the
2:01:51
AI generated transcripts. You
2:01:54
can also use it to search, which is
2:01:56
very handy, and Elaine always puts in the,
2:01:58
well, she takes out the ums and uhs,
2:02:00
but always somehow manages to
2:02:03
get the flavor of the conversation in
2:02:05
there. Ah, that's grc
2:02:07
.com. See us on Twitter. You
2:02:09
can leave a message, the
2:02:11
DMs are open at @SGgrc.
2:02:13
We have copies of the show at
2:02:16
our website, twit.tv/sn,
2:02:18
for Security Now. There's
2:02:20
a YouTube channel devoted to Security
2:02:22
Now. You can also subscribe in your
2:02:24
favorite podcast player. Of course there's a
2:02:26
good way to get Security Now without
2:02:29
ads and that is in our club,
2:02:31
Club Twit: ad free versions of all
2:02:33
the shows in every means, tracker free as
2:02:36
well. Absolutely
2:02:38
privacy forward. We also,
2:02:40
and we do that with even the ad
2:02:42
based shows actually, one of the reasons we need
2:02:44
a club, because advertisers
2:02:46
are getting more and more, what's
2:02:50
a good word without offending them, interested
2:02:54
in tracking, and as we
2:02:56
just heard, a big agency that
2:02:58
has a lot of our business has
2:03:00
said that you gotta put another tracker
2:03:02
in. And we said
2:03:05
no, and so we've lost a couple of big
2:03:07
advertisers because of it, but we wanted even
2:03:09
on the ad supported shows to have a minimal
2:03:11
amount of what we think
2:03:13
is non privacy invasive tracking,
2:03:16
for numbers. We have to do it for numbers
2:03:18
because that's how we charge and things like
2:03:20
that. But even that's missing in
2:03:22
the versions that you get on the club.
2:03:25
So if privacy is important
2:03:27
for you and you like this show and you
2:03:29
want to keep it going, and all of
2:03:31
our other shows, it's just seven bucks a
2:03:33
month. You also get access to the Discord,
2:03:36
which is always a great conversation; those are
2:03:38
fun and they're not just during the shows
2:03:40
but all the time, and there's additional content
2:03:42
you don't get elsewhere, plus video of some
2:03:44
of the audio only shows we do. All
2:03:47
that at twit.tv/clubtwit.
2:03:49
I would be very grateful if you'd at
2:03:51
least consider it. I know, you know,
2:03:54
times are tough and nobody wants
2:03:56
another subscription, but it's,
2:03:58
it's a deficit in having Security Now
2:04:00
every week. And not, I think it might be
2:04:02
wizard. School. Two.
2:04:05
Cents. We do the show
2:04:07
live every Tuesday right after MacBreak
2:04:09
Weekly; that's usually around one thirty
2:04:11
Pacific, four thirty Eastern, twenty one
2:04:13
thirty UTC. We go
2:04:15
live on YouTube when we
2:04:17
start the show at that site,
2:04:19
youtube.com/twit. If you subscribe there
2:04:21
you're in the station with our
2:04:23
live streams. To do that, for most,
2:04:26
lifestyle tips: Thanks
2:04:30
everybody for joining us. Thank you,
2:04:32
Steve! Go fix your bug, have
2:04:34
a nice week, and we'll see
2:04:36
you next time on Security Now. I
2:04:40
don't see them married in March
2:04:42
last.