Wi-Peep - FBI purchased Pegasus, Passkey support directory, Quantum decryption deadline, Firefox 107

Released Wednesday, 23rd November 2022
 1 person rated this episode

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.


0:00

It's time for Security Now. Steve Gibson

0:02

is here with lots to talk about.

0:05

Red Hat cryptographically signing

0:07

its ZIPs. Do you do such a thing?

0:10

We'll talk about the FBI. Apparently, they

0:12

tried to use Pegasus.

0:15

How legal is that? And then we're

0:17

gonna talk about why people, a new way to

0:19

map WiFi access points

0:21

or, more threateningly, to track people

0:24

using WiFi devices all that

0:26

more coming up next on Security Now.

0:30

Podcasts you love. From

0:32

people you trust. Thanks.

0:35

is TWiT. This

0:41

is Security Now with Steve Gibson, episode

0:44

eight hundred ninety eight, recorded

0:46

Tuesday, November twenty second twenty

0:48

twenty two. Wi-Peep.

0:52

Security Now is brought to you by Tanium.

0:54

Tanium unites operations and

0:57

security teams with a single platform

0:59

that identifies where all your IT data

1:01

is, patches every device you

1:03

own in seconds and implements critical

1:06

security controls all from a single

1:08

pane of glass. Are you ready to protect

1:10

your organization from cyber threats?

1:12

Learn more at tanium dot

1:14

com slash twit. And

1:16

by Barracuda. Barracuda

1:19

has identified thirteen types of

1:21

email threats and how cyber criminals

1:24

use them every day. Phishing, conversation

1:26

hacking, ransomware. Plus ten more

1:28

tricks cyber criminals use to steal money

1:31

from your company or personal information

1:33

from your employees and customers. Get

1:35

your free ebook at barracuda dot

1:37

com slash securitynow.

1:40

And by SecureWorks.

1:43

Are you ready for the inevitable cyber

1:45

threats? SecureWorks detects

1:48

evolving adversaries and defends against

1:50

them with a combination of security

1:52

analytics and threat intelligence directly

1:55

from their own counter threat unit.

1:57

Visit SecureWorks dot com slash to

1:59

get a free trial of Taegis extended

2:02

detection and response, also known

2:04

as XDR. It's

2:06

time for Security Now, the show

2:08

we cover your security, your privacy, your

2:11

online exploits, your

2:13

offline deploy TWiT

2:16

this guy right here, mister Steve Gibson.

2:18

Hi, Steve. Leo agreed to

2:20

be with you again. That's always good

2:22

to see. What is this? The pre Thanksgiving episode?

2:25

It is. Of yeah. Yeah.

2:27

Now, and we're almost in

2:29

the nine hundreds, which is a scary

2:31

place to be. Actually, it was

2:33

interesting because when I got

2:36

Elaine's transcript last week, she

2:38

said this was eight hundred

2:40

and ninety seven. Yeah. and

2:42

she she reminded me. She said,

2:44

okay. That means that

2:46

we are one hundred and two episodes from

2:49

nine ninety nine. Mhmm. And

2:51

there are fifty one episodes per

2:54

year -- Mhmm. -- because we we skip

2:56

one for the holidays. She's paying attention,

2:58

which means exact precisely,

3:02

two more years. Wow. I have security

3:04

now. I'll put that in my calendar.

3:07

So, oh, honey, I'm not gonna let you forget.

3:10

So, by then, you might say,

3:12

oh, I'd like to keep doing this. You

3:14

know, Leo, I may have the hang of it

3:16

by then. And so if you like,

3:19

not not that big a deal. Well, as somebody

3:21

who just quit the radio show, after

3:24

nineteen years of doing that, I

3:26

can kinda understand after

3:28

a while you get to a point where it's like, you know, I've

3:30

done everything I'm gonna do. and imagine.

3:32

Now I would say you could sleep in on except

3:35

that the show didn't start till eleven. So if

3:37

this really changes your your

3:39

sleeping habits, then we have a different problem. I

3:41

get to do stuff on Saturday, which is I

3:44

mean, I've worked -- Yeah. -- weekends

3:46

for nineteen years. That's a

3:48

long time. Yes. In fact,

3:50

what was happening was you were only

3:52

working six hours odd,

3:55

you know, two days, Saturday and Sunday

3:57

for three hours. Yeah. And then you

3:59

and I were meeting once a

4:01

month up in Toronto. Yeah. You

4:03

you were spending four days up there to

4:05

record for I mean, I'm getting PTSD.

4:07

Just hearing about it. This is -- And you

4:10

-- crazy. And you had three

4:12

unfilled week day

4:14

weeks And so you said, you

4:17

know, let's do some shows. I got a

4:19

lot of time on my hands here. What's I

4:21

thinking? Let's well, aren't you glad

4:23

now? that you have a

4:25

podcast -- I am. -- work. I was I've been

4:27

telling people this is the first time I I've

4:30

I've I've not been working for anybody in

4:32

my whole working life. I'm

4:35

working for myself for the first time ever,

4:37

something you know a lot about, but well, except

4:39

now you have a wife. So Well, as

4:41

Patrick Norton once told me, because I said, I don't

4:43

wanna work for the man. He said Leo, there's always a

4:45

man. And in this case,

4:47

the man is a woman, but still now.

4:49

She we're partners. But it but it is

4:51

kind of interesting that I've

4:54

been a, you know, employee, a ten

4:56

ninety or a W-2 employee, for

4:58

my since I was sixteen years old.

5:00

So that's so that is a big change.

5:03

I think the podcast thing might work out. That's

5:05

all I'm saying. It might turn

5:07

out to be something. I don't need to keep this job

5:09

anymore. Yeah. might. So

5:12

we're gonna note this week

5:14

many things. We've got a new version

5:16

of Firefox. Google

5:18

recently reached a nearly four hundred

5:20

million dollar user

5:22

tracking settlement Steve got

5:24

some interesting legislative things to talk about

5:27

during these next couple hours. Red Hat

5:29

has started cryptographically signing

5:31

its ZIP distributions. Like,

5:33

what? You can sign a zip? Well, not

5:35

really. But the FBI purchased

5:38

turns out the nefarious Pegasus

5:40

software or the spyware,

5:43

think TWiT just to kinda

5:45

see what it's about. Uh-huh. Greece

5:47

paid seven million euros

5:50

for a similar spyware

5:52

called Predator. Passkeys

5:54

has a directory listing

5:56

the sites where they can be used. So

5:58

that will be exciting. The OMB,

6:01

the US Office of Management and Budget,

6:03

has decreed a

6:05

quantum decryption deadline. Oh.

6:08

Leo, yes. Of course, we're all gonna

6:10

pay attention to that. Leo, thirty

6:12

three, speaking of paying attention

6:15

to the FTC, thirty three US

6:17

state attorneys general have asked the

6:20

FTC to get serious, my

6:22

friends, about online privacy

6:25

regulation. We'll see how that turns

6:27

out. We've got some engaging listener

6:29

feedback, and SpinRite is

6:31

finally a day

6:33

or two, away from its

6:36

final testing. What's in?

6:38

Yeah. It's done. It's I I'll explain.

6:41

I'll explain. I've got I have a couple of

6:43

drives here. There's three three drives

6:45

which are weird

6:47

and you should not write to these drives.

6:49

So I'll I'll explain about that. Oh.

6:54

And then we're gonna wrap up by examining

6:56

some chilling research, which

6:59

allows the physical location

7:02

in three d space

7:04

of every WiFi device

7:08

within its range,

7:10

like within a multi-story

7:12

building or whatever

7:14

facility to be accurately located

7:18

within a meter or so by

7:20

someone simply walking past

7:22

or flying a tiny drone.

7:25

for about twenty bucks. So

7:27

that's the Wi-Peep thing. So

7:30

we're gonna talk about all this, and we have

7:32

a picture of the week that had you almost

7:34

falling off your chair. It was pretty funny. It

7:36

was it's a pretty It was kids. I

7:39

liked it. I think a good podcast.

7:41

All coming up on this fine

7:44

eight hundred and ninety eight edition

7:46

of Security Now. That's kind of

7:48

amazing. Isn't it? Are you at

7:51

ninety eight? Well,

7:54

you know, it's funny because the the last

7:56

Tech Guy show is December eighteenth.

7:58

And it's gonna be, I think, episode nineteen fifty

8:01

five. I'm one shy of my birth year. I thought

8:03

if I could just do or actually one it'll be nineteen

8:05

fifty four and then the best that will be nineteen fifty

8:07

five. but just do one more.

8:09

That's okay. That's okay. Our

8:11

show today brought to you by Tanium.

8:14

Love these guys. They're

8:16

Their position about all this security

8:19

stuff is that get ready for this.

8:21

The industry's approach to cybersecurity

8:24

has a fundamental flaw.

8:27

And I think you'll agree when I say

8:29

what it is, IT management security

8:32

point tools really don't do

8:34

it all. They only offer a small piece of

8:36

the solution needed to protect your environment.

8:38

Many of them promise they

8:40

can stop all breaches. They just

8:42

can't. The

8:44

key to a we've always talked about

8:46

layered security. Right? The key to a successful

8:48

security strategy is layered security, but

8:50

it's also information, knowing

8:53

what's what's out there, what's going on, what

8:55

the threats are, what's happening in your network,

8:58

making decisions based on stale

9:00

data, trying to defend your

9:02

critical assets from cyber attacks with

9:04

tools that that don't even talk to each other.

9:06

That's don't wait for IT teams to

9:08

navigate today's attack surface. It's time for a

9:10

different approach. Tanium is one

9:12

of these disruptors that has come

9:14

along, burst into the and

9:16

has transformed everything. Tanium

9:18

says it's time for a convergence

9:21

of tools, of endpoints,

9:23

and IT operations and

9:25

security. Now they have solutions

9:27

for every sector: government entities, education,

9:30

financial services, retail,

9:32

health care, you could trust

9:34

their solutions for every workflow that

9:36

relies on endpoint data, they've

9:38

got asset discovery and

9:40

inventory in Leo

9:43

fast, which means you could track down every

9:45

asset in your entire IT

9:47

space and and and know what you

9:49

own instantaneously. They'll help

9:51

you with risk and compliance management. They'll

9:53

let you find and fix vulnerabilities in

9:56

seconds at scale. Notice

9:58

there's a there's a little theme here at

10:00

scale, very fast. Right? Their

10:02

threat hunting is amazing. Hunt

10:04

for sophisticated adversaries in

10:06

real time. You

10:08

can do client management, automate

10:10

operations from discovery to management,

10:12

again, across your entire estate. You've

10:14

got sensitive data monitoring,

10:16

which is important, you gotta index and

10:18

monitor your sensitive data. You could do

10:20

it globally seconds, you know, where every

10:22

bit of data is

10:24

and who has access to it, even maybe more

10:26

importantly. Tanium protects organizations

10:29

where other endpoint management and

10:31

security providers have failed, all in

10:33

one platform. Tanium identifies where

10:36

your data is across

10:38

all your entire IT

10:40

estate, can patch every

10:42

device you own in seconds. Can

10:44

implement critical security controls, and it could that do

10:46

it all from a single pane of

10:48

glass. Just ask Kevin Bush. He's vice

10:50

president of IT at Ring Power Corp.

10:52

He says, quote, Tanium brings

10:54

visibility to one screen for our

10:56

whole team. And if you don't have that

10:58

kind of visibility, not gonna be able to sleep

11:00

at night. Sounds like Kevin

11:02

knows what he's talking about. With

11:04

real time data comes real

11:06

time impact. If

11:08

you are ready to unite operations

11:10

and security teams with a single source

11:12

of truth and confidently protect

11:14

your organization from cyber threats, it's

11:16

time you met tanium. To

11:18

learn more visit Tanium, T-A-N-I-U-M,

11:21

tanium dot com slash

11:23

twit. Tanium dot

11:25

com slash twit. We thank you so

11:27

much for supporting Security Now,

11:29

you support us by using that address. They

11:31

know you saw it here at tanium dot

11:33

com slash twit.

11:35

I'm ready my friend for the

11:37

picture of the week. So

11:40

for those who are not video

11:42

connected here. As always, I have

11:44

to explain this. We

11:46

have a a

11:48

flatbed transport

11:51

vehicle, a flatboard trailer sort of

11:53

thing. And it looks like there there's

11:55

a on the left, is

11:57

sort of a rust colored red

12:00

container where someone

12:03

probably said, hey, we we need you

12:05

to pick up some dirt. So,

12:07

you know, bring a container

12:09

and we got some dirt for you.

12:11

Yes. Well, apparently,

12:13

the container that they brought

12:15

was too small. Yeah. Cons because it's,

12:17

you know, it's about one third of the

12:19

back of this of this

12:21

trailer, this flatbed. And

12:23

the rest of it has been piled

12:25

up with the overflow dirt

12:27

that didn't fit in the container. Now

12:31

in a sane world,

12:33

they would

12:34

throw a tarp over this whole

12:36

thing. Right? And like, lock the tarp

12:38

down, but Maybe

12:41

they didn't have a tarp. Anyway,

12:43

some apparent

12:45

rocket scientist here decided well,

12:47

you know, I've gotta do something. Right? because

12:49

I just got this exposed dirt

12:52

on the big pile on the back

12:54

of this trailer.

12:57

So they did

12:59

what they used what they had. They threw

13:01

a about a two inch diameter

13:03

belt across the top

13:05

of the pile of dirt, which

13:07

is about I

13:09

don't know. It it

13:11

covers maybe four

13:13

percent of the of

13:15

the pile -- Mhmm. -- the rest of it

13:17

exposed to the air. Now there's

13:19

you can sort of see off on one

13:22

side Leo facing us. There is like there's looks

13:24

like there the strap was somewhere else initially

13:26

because you can sort see some of dirt was

13:28

flattened on the side there. Yeah. It's supposed to be a little

13:30

bit. So it looks like well, it looks like maybe the

13:32

strap was originally anchored on the

13:34

on the slot in the trailer one

13:37

notch further forward. CS Fed

13:39

points down. Too much time looking. So

13:41

there was yes. There was

13:44

Are are you

13:47

telling me there's a reason SpinRite took three

13:49

years? No. I think

13:51

Logan five in our chat room may have

13:53

come up with something. It's not to prevent

13:55

slippage. It's to prevent theft.

13:59

Oh, it's brilliant. You wouldn't want

14:01

someone to steal your dirt. don't don't

14:03

feel a certain man. So the so

14:05

this is like that poll that we

14:07

saw that had the bike lock around.

14:09

Right. where it didn't it TWiT it indicated

14:12

an intention without

14:14

actually providing any enforcement. I

14:16

love it. Anyway,

14:18

Oh, my. Oh, my. Once again,

14:20

we're we're we seem to be drifting here a

14:22

little bit off of the security related

14:24

topics related. The security dirt. No. No.

14:26

It's clear. Well, part

14:28

of the part of the goal of

14:30

podcast is to have some fun, and

14:32

so we're we're providing some entertainment to

14:34

TWiT. Yes. Okay.

14:36

With Firefox version 107

14:38

which was released last Tuesday a

14:40

week ago, nothing was

14:42

earth shattering. There were no

14:45

critical security fixes, but

14:47

there was a very large and

14:49

welcome collection of high severity

14:51

things fixed. No zero

14:54

days that were noted. There were

14:56

also a couple moderate severity

14:58

repairs. So you know,

15:00

it appeared to primarily be

15:02

released just to fix those things

15:04

since there were not otherwise or even a

15:06

large number of new features a couple little

15:08

developer things. You know, they're

15:10

continuing to push the standards

15:12

which Firefox supports forward

15:14

because, you know, the web people can't keep

15:16

their hands off of like, oh, how

15:18

about if we added the ability

15:20

for it to read your mind?

15:22

That would be good. It's like okay, we don't

15:24

have that technology. You know, but let's develop

15:26

an API for that so that when we

15:28

do, web pages will be I mean,

15:30

that's this is what's going on. So a

15:32

little bit more of that is happening,

15:35

nothing else to see.

15:38

It was interesting to me

15:40

to see that Google recently

15:43

settled something that we discussed four

15:45

years ago. This

15:48

was a suit brought

15:50

against Google by forty

15:52

states' attorneys general.

15:56

They settled for three hundred and ninety

15:58

one point five million dollars.

16:00

Where that number came

16:02

from? Oh, yeah. Only the

16:04

attorneys know.

16:06

As I said, we talked about this four years

16:08

ago back in twenty eighteen when

16:10

these offices of those forty states' attorneys

16:13

general sued Google alleging

16:16

that Google had been lying and

16:18

misleading users into thinking

16:20

that they had disabled location

16:22

tracking in their account

16:24

settings. The

16:27

lawsuit followed some reporting that

16:29

was produced by the associated

16:31

press which found that Google was

16:33

continuing to track its users

16:36

even after they had enabled the

16:38

account privacy setting that

16:40

claimed to turn off location

16:42

tracking. So in that

16:44

settlement, Google agreed to pay

16:46

this three hundred ninety one and a half

16:48

million dollars in restitution and

16:50

also, of course, to change the

16:52

way it handled location tracking

16:54

in the future. The the

16:56

first thing we're reminded of is

16:58

that the wheels of justice, when

17:00

they don't completely fall off the wagon,

17:02

do tend to turn slowly, at

17:04

least in the United States. So

17:06

it took us four years to get to this

17:09

point. The other thing

17:11

we learned is that thanks to

17:13

Google's posting about this, their

17:15

own posting, we

17:16

learned what

17:17

has changed since then. So

17:19

their posting last

17:22

week was titled managing

17:24

your location data. And

17:26

it brings new meaning to

17:28

the phrase putting on a

17:30

happy face that

17:33

that they wrote Location information

17:36

lets us offer

17:38

you a more helpful experience

17:41

when you use our products. From

17:43

Google Maps, driving directions

17:45

that show you how to avoid

17:47

traffic to Google Search,

17:49

surfacing local restaurants, and letting you

17:51

know how busy they are, you know,

17:54

like all the benefits, right, of Google

17:56

knowing where you are. They said

17:58

location information

18:00

helps connect experiences across

18:02

Google to what's most relevant

18:04

and useful. And,

18:06

okay, yeah, that's certainly the

18:08

case, or can be. They said

18:11

over the past few years, right,

18:13

while while this lawsuit was in the

18:15

works, we've introduced more

18:18

transparency and tools

18:20

to help you manage your data and

18:22

minimize the data we collect. That's

18:24

why we, and then they have three things.

18:27

launched Auto Delete Controls,

18:29

a first in the industry,

18:31

and turned them on by default

18:33

for all new users

18:36

giving you the ability to automatically

18:38

delete data on a rolling

18:40

basis, only

18:42

keep three months, eighteen

18:44

months, or thirty six months, worth

18:46

of data at a time. And if that sounds familiar

18:48

to our listeners just because, yes, we covered this

18:50

when this was happening. Second thing

18:53

they did developed easy to

18:56

understand things. I'm sorry.

18:58

Easy to understand settings.

19:00

Like incognito mode on Google

19:02

Maps, preventing searches or

19:04

places you navigate to,

19:07

from being saved to your account.

19:10

And third, introduce more

19:12

transparency tools, including

19:14

your data in maps and search,

19:16

which lets you quickly access your key location

19:19

settings right from our core

19:21

products. And they said,

19:23

these are just some ways that

19:25

we to provide more choice and

19:28

transparency. Consistent

19:31

with these improvements, we

19:33

settled an investigation

19:36

with forty US state

19:38

attorneys general based

19:41

on outdated

19:44

product policies that

19:46

we changed years ago,

19:48

as well as okay.

19:51

In addition to the three hundred ninety one and a

19:53

half million dollars, outdated product

19:56

policies we changed years ago, as

19:58

well as a financial

20:00

settlement, we will be making

20:02

updates in the coming months to

20:04

provide even greater controls and

20:06

transparency over

20:08

location data. So things to

20:10

come. These updates include

20:12

three things: revamping

20:15

user information hubs. To

20:18

help maintain how location data

20:20

improves our services, we're adding

20:22

additional disclosures to our

20:24

activity controls and

20:26

data and privacy pages. We're

20:28

also creating a single comprehensive

20:31

information hub that highlights

20:33

key location settings to help people make

20:35

informed choices about their data. Okay?

20:38

So, you know, more

20:40

transparency. Second thing

20:42

simplified deletion of location

20:45

data. We'll provide a new

20:47

control that allows users to

20:49

easily turn off their location history

20:52

and web and app activity settings

20:54

and delete their past data

20:56

in one simple flow.

20:59

We will also continue deleting location history

21:01

data for users who have not recently

21:04

contributed

21:06

new location data history to their

21:09

account. And third, updated

21:11

the account setup will give

21:14

users setting up new

21:16

accounts a more detailed

21:18

explanation of what

21:20

web and app activity is,

21:23

what information it includes, and

21:25

how it helps their Google experience.

21:28

So they finished today's settlement

21:30

is another step along

21:32

the path of giving more meaningful

21:34

choices and minimizing data

21:37

collection providing more helpful

21:39

services. So it

21:42

seems clear that what

21:44

was going on during these four

21:46

years, I mean, you know, lots of

21:48

back and forth was some

21:50

negotiation about the

21:52

things that that

21:54

Google was being asked to

21:56

do proactively in

21:58

order to make what, you

21:59

know, make what they were

22:01

doing, make this tracking behavior, which

22:04

initially got them into such trouble,

22:07

that, you know, these forty attorneys general decided to

22:09

gang up and and say,

22:11

look, this needs to change.

22:14

So you know, stepping back from this

22:16

a bit, it it must be

22:18

truer than than I

22:20

guess I'm able to understand that

22:23

The more information an advertiser has

22:25

about someone, the more revenue

22:27

is generated by showing

22:30

that person advertisements you

22:32

know, I mean, as our list as our listeners

22:35

know, I've always been somewhat skeptical

22:37

about that. I mean, that it that it can

22:40

mean that much, but Yeah.

22:42

It seems to me that advertisers would not be

22:44

trying so hard if it

22:46

didn't really make them more money.

22:49

Since they also know that no one

22:51

wants to be profiled and tracked across

22:53

the Internet. So they wouldn't be

22:55

risking our wrath to the degree they

22:57

are if it really really wasn't

23:00

valuable to them. So

23:02

anyway, we've got

23:04

well, in a minute, we'll be talking about

23:07

a different issue with some

23:09

more attorneys general and the

23:11

FTC.

23:14

I caught wind of

23:16

a mention that Red

23:18

Hat had started cryptographically

23:21

signing its deployment zip

23:23

files. Oh, god. That made

23:25

me curious since I'd

23:27

never heard of zip files being

23:29

cryptographically signed. We've always

23:31

been talking about executables being

23:33

signed. And, you

23:36

know, we know that web

23:40

assertions of their identity are

23:42

signed, but that was new for me for

23:44

zips. And with all

23:46

the problems that we've been seeing with

23:48

supply chain poisoning, obtaining

23:51

verifiable assurance of

23:53

an archived unmodified

23:56

authenticity, that would be

23:58

great. So a

23:59

cryptographic

23:59

signature could do that.

24:02

And cryptographic signing

24:06

makes way more sense

24:09

than the old school practice

24:11

of publishing the hashes

24:14

of files on the same

24:16

site where the files are

24:18

being hosted for download. Doing

24:21

that never made any sense

24:23

to me, since if a bad guy was

24:25

able to compromise a web

24:27

server to alter the

24:29

files being downloaded from

24:31

that site, what

24:33

would keep them from also updating the

24:35

hashes shown at the

24:37

same site as proof of a

24:39

file's authenticity? and

24:41

I'll talk about a false sense of

24:43

security. So, anyway,

24:45

this is a lot better than that.

24:47

So I looked into what was going on, and I

24:50

found a posting by Red Hat

24:52

titled cryptographic signatures

24:54

for Zip Distributions. I

24:57

paraphrased what they posted to remove a lot of

24:59

their oversimplified descriptions for our

25:02

audience. So they

25:04

wrote: Our build

25:06

system, Brew, produces

25:09

our RPM and ZIP

25:11

distributions, and automatically hashes

25:13

the archives it makes.

25:16

The hashes are

25:18

used to validate that the files

25:20

have not changed before

25:22

they're uploaded to our CDN

25:24

and made available to customers.

25:26

We've taken advantage of this aspect

25:28

of our build process,

25:30

and extended it by

25:33

combining all of the

25:35

hashes for a particular release,

25:38

and packaging them into

25:40

an SHA two fifty six

25:43

sum file. So SHA two

25:45

fifty six sum file. This

25:48

file is in a standard format

25:50

that lists the hash and

25:52

the corresponding the corresponding

25:55

file name of the

25:57

particular file artifact

25:59

as is a term they use.

26:01

It is commonly used across the

26:03

industry to provide integrity to binary

26:06

files. However, it's not

26:08

limited to that. The

26:10

SHA two fifty six sum

26:12

command on Red Hat enterprise

26:14

Linux, other Linux distributions,

26:16

and Mac OS natively

26:19

support this file format. They

26:22

said since our software production

26:24

team has completed their

26:26

verification procedures I'm

26:28

sorry. Once our software production

26:30

team has completed their verification

26:33

procedures, they sign off on the

26:35

release from both a process and

26:37

technical perspective. The SHA two

26:39

fifty six sum file they

26:41

created is signed by

26:43

our latest release key,

26:45

which produces a dot

26:48

ASC file.

26:50

This file is an

26:52

ASCII armor formatted

26:55

detached signature file

26:57

that proves the integrity and

27:00

provenance of the SHA two fifty

27:02

six sum file and

27:05

transitively, the zip

27:07

file artifacts enumerated

27:09

within that file. The

27:12

GPG command on Red Hat

27:14

Enterprise Linux, other Linux

27:16

distributions and macOS supports the

27:18

file format natively. Due

27:21

to the potential damage that a

27:23

lost or stolen private key

27:27

could cause we've taken additional

27:29

steps to add assurance to

27:31

the signatures we produce.

27:33

The primary technology behind this

27:35

is our signing server.

27:37

To sign these files, we

27:40

use a high strength forty

27:43

ninety six bit private key. And

27:45

our public keys are available

27:47

on our website and

27:49

the MIT, you know, Massachusetts

27:52

Institute of Technology Public

27:54

key server. Okay. So

27:56

that's what they posted.

27:59

Red Hat's mention of

28:02

a detached signature simply

28:05

means that the signature itself

28:07

resides in a separate file.

28:09

The signature is just a

28:12

an SHA two

28:14

fifty six hash of the

28:16

file it's signing which is

28:18

then encrypted under Red

28:21

Hat's super secret, and in

28:23

this case, very long, forty

28:25

ninety six bit private key

28:28

which they're careful not to let

28:30

loose. You know, just

28:32

like my GRC code signing

28:35

keys, it probably resides in an HSM,

28:37

a hardware security module

28:40

where it literally cannot be extracted.

28:42

It can only be used.

28:44

So there's no reason

28:46

for that signature file not

28:49

to stand alone. That is again,

28:51

it's just you so

28:53

there's this this composite file,

28:57

which contains this

29:00

the the hashes and

29:02

the files that they that

29:04

they were hashed from,

29:07

that's just a

29:09

list a textual listing,

29:11

an ascii file.

29:13

That file is then SHA two

29:16

fifty six hashed. That's

29:19

the file whose integrity you wanna

29:21

verify. That SHA two

29:23

fifty six hash is then

29:25

signed with their

29:27

with their signing

29:29

server and and and

29:32

there was and which

29:34

is to say that the SHA two

29:36

fifty six hash is encrypted

29:39

with the private key.

29:42

So that creates an

29:44

encrypted blob, which is the

29:46

signature, and it's a

29:48

freestanding file. So

29:50

somebody who then wants to verify

29:52

that, uses Red

29:55

Hat's private key, which is

29:57

available from several sources, so you don't have

29:59

to worry about that being

30:01

screwed with, in order

30:03

to decrypt the blob, that

30:05

will bring that decrypting that

30:07

blob which restores the

30:09

SHA two fifty six hash, which you

30:11

can then use to verify

30:13

that the file of

30:15

the hashes that you've got

30:18

matches and has not been tampered with.

30:22

So, you know, this is

30:24

a welcome move as

30:26

a deterrent to the abuses that we

30:28

are now seeing and talking about more

30:30

and more of today's supply

30:33

chain. And it's probably

30:35

where the broader open

30:37

source community will need to go.

30:40

The glitch here the glitch to

30:42

doing that is that Red

30:44

Hat, the Enterprise Linux

30:48

Corporation, you know, Red Hat Corporation

30:50

has no problem maintaining a

30:52

signing server and

30:55

buying a certificate that asserts their

30:57

identity. But the open

30:59

source world has always had a

31:01

problem with the need to pay

31:03

for certificates. As we know,

31:05

Let's Encrypt solved this

31:07

problem by making TLS certificates

31:09

free for web servers.

31:12

But the challenge here is

31:14

not the same. Let's

31:16

Encrypt offers no

31:18

guarantees about the

31:20

identity of a site. It

31:23

provides domain validation

31:26

certificates where the only requirement is

31:28

for the certificate to match the

31:30

server's domain name. Specifically,

31:33

it does not offer that is

31:35

Let's Encrypt does not offer

31:37

OV, organization

31:40

validation, certificates. In order to

31:42

issue OV certificates, any

31:44

certificate authority must

31:47

by by universal agreement

31:50

perform some significant

31:52

reconnaissance to positively

31:54

verify the identity of the entity

31:56

requesting the certificate so that

31:58

the OV-ness means

32:00

something. And what's more, of

32:03

course, many open source projects

32:05

are just some guy working alone

32:07

without any organization to

32:09

be validated. So maybe

32:11

the solution will be, for

32:14

example, to come up with

32:16

a secure means for

32:18

submitting repositories to GitHub

32:21

for its signing

32:23

with its signature then

32:27

using some much stronger

32:29

means for asserting

32:31

the identity of the individual

32:34

requesting the signing service. For

32:36

example, that process might

32:38

require much more

32:40

rigorous multi factor authentication, something

32:43

again, you're you're really wanting

32:45

to put it out of the reach of bad

32:47

guys to get in there and screw this up

32:49

so that it means something. So it's a problem that

32:51

needs to be solved. But, you know, one

32:53

way or another, we need a solution to

32:55

this current supply chain

32:57

pollution problem And, you

32:59

know, the application of a bit of

33:01

of a bit of crypto might be a

33:03

place to start. So, you know, hats off

33:05

to Red Hat for doing a

33:07

little pioneering here in in that way.

33:10

Okay. Now,

33:15

the FBI purchased

33:18

Pegasus. You know, that's the NSO

33:20

group's infamous smartphone

33:25

spyware platform. They said it

33:27

was for, quote, research and development

33:30

purposes, unquote. Last

33:33

week, Yeah. What are they developing? I wonder.

33:36

Uh-huh. Yeah. Last week, the

33:38

New York Times ran a story with the headline

33:41

internal documents show

33:43

how close the FBI came

33:46

to deploying spyware. Now

33:50

I have a little bit different take on this, but we'll get to that

33:52

a second. The New York

33:55

Times reported that

33:57

last December, FBI

33:59

director Christopher Wray told

34:02

Congress this is behind this is a

34:04

closed door testimony that the bureau purchased

34:07

bureau as in the Federal Bureau

34:08

of Investigation, the bureau purchased

34:12

the infamous Pegasus phone hacking tool for

34:15

research and development purposes.

34:18

Well, it turns out

34:20

that FOIA, the US

34:22

Freedom of Information Act can

34:24

be quite handy for figuring

34:26

out things that really

34:28

happened. Here's how the

34:30

Times explained what they found. They wrote,

34:32

during a closed door session with

34:34

lawmakers last December, Christopher

34:38

Wray, spelled W-R-A-Y,

34:41

the director of the FBI, was

34:43

asked whether the bureau had

34:46

ever purchased and

34:48

used Pegasus. These are

34:50

like directly asked. The hacking

34:52

tool, writes the Times, that

34:55

penetrates mobile phones and

34:57

extracts their contents. Mister Wray acknowledged that

35:00

the FBI had bought

35:02

a license for

35:04

Pegasus, but only for

35:06

research and development, quote,

35:08

to be able to figure out

35:10

how bad guys could use

35:12

it, for example, he

35:16

told senator Ron Wyden,

35:18

according to a transcript of the hearing

35:20

that was recently declassified. But dozens

35:23

of internal FBI documents and court records

35:25

tell a different story

35:27

writes The Times, The

35:29

documents produced in response to a Freedom of

35:32

Information Act lawsuit brought by The New York

35:34

Times against the bureau

35:36

show that

35:38

FBI officials made a push in late twenty twenty and

35:40

the first half of twenty twenty

35:42

one to deploy the

35:44

hacking tools made by the

35:46

Israeli spyware firm NSO

35:48

in its own criminal investigations

35:50

that is in the FBI's

35:53

own criminal investigations. The officials developed advanced

35:56

plans to brief the bureau's

35:58

leadership and drew up

35:59

guidelines for

36:02

federal prosecutors about how the

36:04

FBI's use of hacking

36:06

tools would need to be

36:08

disclosed during criminal

36:10

proceedings, like Okay? How

36:12

how did you get this information?

36:15

Well, it came

36:18

to us. Uh-huh. So the Times writes it's unclear

36:20

how the bureau was contemplating

36:22

using Pegasus and whether

36:24

it was considering hacking the

36:27

phones of American citizens,

36:30

foreigners, or both. In

36:32

January, the Times revealed that

36:34

FBI officials had also

36:36

tested the NSO tool

36:38

Phantom, a version of Pegasus

36:40

capable of hacking phones with

36:42

US numbers. The FBI

36:44

eventually decided not to

36:46

deploy Pegasus in criminal

36:48

investigations in July of

36:50

twenty twenty one, amid a

36:52

flurry of stories about

36:54

how about how the hacking tool

36:56

had been abused by

36:58

governments across

37:00

the globe. But the documents offer a glimpse

37:02

at how the US government

37:04

over two

37:06

presidential administrations wrestled

37:08

with the promise and peril

37:10

of a powerful cyber

37:12

weapon. And despite the

37:14

FBI decision not to use Pegasus,

37:17

court documents indicate the bureau remains

37:20

interested in potentially

37:22

using spyware in future investigations.

37:26

Okay. And of course,

37:28

the Times reporting brings up

37:30

the question of Christopher Wray's

37:34

apparently misleading testimony

37:36

in front of Congress,

37:38

senator Ron Wyden is

37:40

not is not happy about that.

37:42

In a statement from his office, it read, it

37:45

is totally unacceptable for the

37:48

FBI director to

37:50

provide misleading

37:52

testimony about the bureau's

37:54

acquisition of powerful hacking

37:56

tools and then wait months

37:58

to give the full story

37:59

to Congress and the American

38:03

unquote. So

38:05

the Times revealed in

38:07

January that the FBI

38:09

had purchased Pegasus in twenty eighteen and over

38:11

the next two years tested the

38:14

spyware at a secret

38:16

facility in New Jersey. Since

38:20

the bureau first purchased the

38:22

tool, it has paid approximately

38:24

five million dollars

38:26

to the NSO group. Now,

38:29

it seems to me that the issue

38:31

with Pegasus is less

38:33

about its use

38:36

than its potential for misuse and abuse.

38:39

The worry is that

38:41

once they have

38:44

it, repressive governments would be unable to resist

38:46

the temptation of using it to spy

38:48

on political rivals. We'll see an

38:50

example of that here in a moment.

38:54

And of course, dissidents and other non criminal

38:58

actors. And of course, Pegasus

39:00

doesn't respect

39:02

geopolitical boundaries. So

39:04

anyone who has it can aim it at anyone

39:07

else anywhere. But in

39:09

the United States, we have

39:12

a system for obtaining court orders, for

39:14

searching, and for making

39:16

legal within bounds,

39:18

what would otherwise be illegal

39:22

reconnaissance. So as long

39:24

as the FBI would

39:26

only be using Pegasus within

39:29

our constitutional protections, I think that

39:31

it would be a useful tool

39:33

to empower their criminal

39:36

investigations and yes,

39:38

they would be required to tell a judge that

39:40

this is what we want to do,

39:42

this is how we're gonna do

39:45

it, and we have probable cause and all

39:48

the other, you know,

39:50

requirements of getting a

39:52

court order to

39:54

pursue things like a wiretap and so forth.

39:56

So it seems

39:58

to me, the Yes.

40:00

It is problematical

40:02

because it could be abused.

40:06

But if we're gonna have systems

40:08

that are

40:10

that that are otherwise not prone

40:14

to be subject to court

40:16

order search

40:18

then maybe this is the way it happens. Yeah. I mean

40:20

-- Okay. -- I mean, we allow wiretaps

40:22

under quarter three. Exactly.

40:26

Is this Is Pegasus

40:28

somehow too dangerous to be

40:30

used? I think the

40:32

concern is it just

40:34

its control, that all the

40:36

reports we have suggest that it

40:38

is a zero click tool --

40:40

Right. --

40:42

which it is possible

40:44

to target at an individual smartphone

40:48

and it

40:50

goes in against all of the attempts by Apple

40:52

and Google, you know,

40:54

iOS and Android, to keep

40:56

it out. There

40:58

are enough ways in that it gets in, and

41:00

then it's able to provide the

41:03

entity that deployed it

41:05

with information, you

41:07

know, the the equivalent of someone

41:10

unlocking their phone and

41:12

also being eavesdropped on,

41:14

it's able you know, it is a

41:16

surveillance tool. I guess, question always is

41:18

is it is it first of all, it's gonna be

41:20

very expensive. It's a million dollar

41:22

surveillance tool. Right? It's very

41:24

very expensive. multi. Multi.

41:26

Because it can't be used too often or it

41:28

loses its its usefulness.

41:30

Because as soon as

41:32

the company's you know, find it. They'll they'll defend against

41:34

it. So these these zero days are

41:36

very, very expensive, especially And it

41:38

might click. also might very

41:40

well be that it is tightly

41:42

tethered. Well, it that's actually

41:44

and this might have been the problem. As I

41:46

understand it, the NSO

41:49

group is responsible for the

41:51

hack. You don't just give the

41:53

FBI Pegasus to say, have fun with

41:55

it, guys. Yes. It doesn't work that way.

41:57

Right? Right. Right. So that's another problem

41:59

is that some international company,

42:01

an Israeli company, would

42:03

then be privy to what you're

42:06

doing. Right? Yeah. That might be a bigger

42:08

problem. And other entities may

42:10

not care but that may be

42:12

something that we can't, you know, get over. And

42:14

in fact, maybe that was the

42:16

beginning, you know, the you know,

42:18

in in

42:20

testimony like this. There's typically some piece of truth.

42:22

So probably yeah.

42:24

The FBI said, maybe

42:26

we need to be empowered

42:28

with this

42:30

tool because we're unable to get in any other way.

42:32

So let's buy a copy

42:34

and let's learn how it

42:37

works. Let's have the Pegasus experience

42:39

so that we can decide if this is something

42:42

that, you know, we can sell to the

42:44

greater government. It's

42:46

my understanding that what you're buying

42:48

really is the NSO

42:50

group access. They

42:52

trigger it on let's say they wanna

42:54

on my phone. The NSO group gets into my phone, triggers it, and

42:56

then hands control over to the

42:59

FBI. Right. So

43:02

Right. I'm sure that's

43:04

illegal in the US because

43:06

that's that's an Israeli in

43:09

a company, not even a government entity,

43:11

but a but a business, that

43:13

your the FBI says, okay. Well, wanna

43:15

hack Leo's phone. Here's his phone. Hack it

43:17

for us. I don't I that

43:19

can't be legal. some NBA. Right? They just it

43:21

literally was research. They just wanted, well, you know, let's let's understand it

43:23

a little bit. But I can't imagine the NSO

43:26

giving the keys to the kingdom to the

43:28

FBI either. That's why they do

43:30

it that way. Right? No.

43:32

Yes. And and in fact, I have a an

43:34

another related story that sort of

43:36

speaks to

43:38

that. Greece that, you

43:40

know, that Athens government,

43:42

Greece, bought a a related

43:44

program, Predator, for

43:46

seven million euros. Wow.

43:49

A

43:50

recent report in the Greek press

43:52

claimed that Greece's government

43:54

paid seven million euros to

43:58

Intellexa, spelled I-N-T-E-L-L-E-X-A,

44:00

Intellexa,

44:02

for access to the Predator surveillance

44:04

and spyware platform, and an

44:07

additional hundred and fifty thousand

44:09

euros for the ability

44:12

to rotate ten new

44:14

targets per

44:16

month. So that says, yes,

44:18

they were not given, you know,

44:20

carte blanche. They had to, you

44:22

know, their it is

44:24

tightly tethered to under

44:28

Intellexa's control.

44:30

So this little

44:32

bit of accounting news follows

44:34

the massive scandal of the

44:36

Greek government having been caught using

44:40

the spyware to go

44:42

after, not only rival

44:44

political parties, but also

44:46

journalists and prosecutors investigating

44:50

government corruption. So this is

44:51

the this is the double edged sword,

44:52

is that, you know, it it

44:54

seems to be impossible

44:56

for governments that purchase this

45:00

to to behave themselves. Well, again,

45:03

I would hope that if it

45:05

were made possible for the FBI

45:07

to acquire this technology, it

45:10

would be done above board. It would be done within the

45:13

constitutional protections of the government. I'm sure

45:15

there are those, like, you know,

45:18

Edward Snowden, who don't

45:20

believe that could be

45:22

possible. But we do have we've set up a

45:24

situation where

45:26

where the technology that our private citizens and corporations

45:28

are using is not subject

45:30

to court orders. And

45:35

you know, thus the tension that

45:38

we're currently under. So,

45:40

anyway, it's again, as I said, it

45:42

seems to be the problem is less about the

45:44

tool -- Mhmm. -- than how it's used.

45:46

Mhmm. You know, it is

45:48

technology. It already exists

45:50

and it's going to

45:52

exist. So it makes more

45:54

sense to me to properly

45:56

regulate and control its use than

45:58

to attempt to deny

46:00

it completely, which, you know, just forces its use underground. And

46:02

maybe it's old fashioned, but I also feel

46:04

like, we're the

46:05

United States, we should

46:08

be better than those other guys. You know, I

46:10

agree. You know, we should have higher

46:12

standards. Just just because

46:14

other countries use these tools doesn't

46:16

mean we have to. Yeah.

46:19

I agree. Leo, I also

46:21

wanna breathe. Okay. I

46:24

do. You agree that it's time to

46:26

take a

46:28

break. You and I both agree about

46:30

that. Our show today brought to you by Barracuda.

46:32

We love Barracuda. Barracuda.

46:36

is a security company that we use, we work with, and a

46:38

lot of people should be working with. They

46:40

have done some really interesting research.

46:44

They have a threat, you know, a really, really high

46:46

quality threat team. And

46:48

they've identified thirteen

46:50

kinds of email threats that are

46:52

in widespread use.

46:54

Cybercriminals are using them every day. Some of them

46:57

you know, phishing, spear phishing, conversation

47:00

hacking, ransomware,

47:04

total of ten plus

47:06

three. So thirteen tricks,

47:08

the three I've just mentioned and and ten

47:10

more, that cybercriminals use

47:12

to steal money from you, from your company,

47:14

or personal information from

47:17

your employees and customers. So now the

47:19

question every business owner should be asking is, are we safe? Are

47:21

we protected? I ask Brussels

47:23

every time I

47:26

see him. Email cybercrime is

47:28

probably the number one way

47:30

bad guys get into

47:32

your system. and it's

47:34

becoming more sophisticated, attacks

47:36

are getting harder and harder to prevent

47:38

perimeter defenses are often

47:40

insufficient. They're gonna use social

47:42

engineering, you know, fear and

47:44

and urgency to convince

47:46

your employees to do something

47:48

they want them to do. Social

47:50

engineering attacks, including spear phishing and business

47:53

email compromise, cost businesses on average a hundred

47:55

thirty thousand dollars an incident.

47:57

A hundred thirty thousand dollars

47:59

an incident. As demands for

48:02

COVID nineteen tests, for instance, at the beginning of twenty

48:04

twenty two rose. Of course, what

48:07

happens? Barracuda's researchers

48:10

saw an increase in COVID nineteen test related phishing

48:12

attacks. Between October and

48:15

January of this year, five

48:17

hundred twenty one percent increase. Because the bad

48:19

guys, you know, they're they're watching the

48:22

headlines. Again, fear and urgency.

48:24

Right? They're gonna prey on your

48:26

weaknesses. When everybody got

48:28

really interested in cryptocurrency in the

48:30

late twenty twenty, and I guess

48:32

they're interested now for other reasons

48:34

now, but but a year ago,

48:36

remember, and there were all these ads

48:38

encouraging it. Fortune favors the brave and

48:40

all that, the price of Bitcoin went up four

48:42

hundred percent between October twenty twenty,

48:44

April twenty twenty one, Guess what?

48:46

Barracuda Research found that

48:49

impersonation attacks using

48:52

Bitcoin and crypto as the,

48:54

you know, the come-on increased a hundred and ninety two

48:56

percent in the same period. The

48:58

Internet crime complaint center last

49:00

year, the

49:02

IC3 saw nineteen thousand three hundred sixty nine

49:04

business email compromise, and

49:06

an email account

49:08

compromise complaints. I'm

49:10

sure that's just the tip of the iceberg. That's the ones those are

49:12

the ones that came into the IC3 with adjusted losses of

49:15

over one point eight billion

49:18

dollars.

49:19

It's not enough to

49:20

secure your email at the gateway. The perimeter

49:22

defense is not gonna do it. You

49:24

got of course, you gotta have you

49:26

gotta have gateway security to protect against,

49:29

you know, malware viruses, zero days,

49:31

all that stuff, spam. You

49:33

gotta fight that too. But your gateway

49:35

is defenseless against spear phishing against

49:37

targeted attacks, attacks. you know,

49:39

that seemed to come from the

49:42

boss, you know, to an

49:44

employee by name,

49:46

for instance. Protection at the inbox

49:48

level. And and by the way, this has to

49:50

include AI and machine learning. It

49:52

is necessary

49:54

to detect and stop the most sophisticated

49:56

threats. I've

49:57

got a solution for you.

49:58

It's very easy. Just get the copy of the

50:00

Barracuda report. You should be reading it. Your

50:03

IT department should be reading this. Thirteen email

50:06

threat types to know about right

50:08

now. It explains how cyber criminals are

50:10

getting more and more sophisticated every day

50:12

how you could build the best protection for your

50:14

business, your data, and your people, and of course,

50:16

do it with Barracuda. Find out

50:18

about those thirteen email threat

50:20

types you need to know about, and

50:22

how Barracuda can provide

50:24

complete email protection for your teams,

50:26

your customers, and your reputation. Get

50:28

your free ebook at

50:30

barracuda dot com slash security

50:33

now barracuda dot

50:35

com slash security now.

50:38

Barracuda, your journey. secured.

50:40

We thank him so much for supporting

50:42

TWiT and especially for supporting

50:45

Security Now and Steve's work. They

50:47

care a lot. about your security and they know Steve is here to make

50:49

a big difference. You help us, by the way, when you

50:52

use that address always with all of these

50:54

ads, go to barracuda

50:56

dot com, slash

50:58

security now. We thank you,

51:00

Barracuda. Otherwise, they don't know why they're suddenly

51:02

getting so much more busy than they are.

51:04

I mean, we needed to know.

51:07

It's us. It's us, maybe. Steve,

51:10

Steve. Here we go. The

51:14

password manager 1Password has added support

51:16

for passkeys to

51:18

its offering,

51:20

and In a nice promotion

51:22

of passkeys, they've created

51:24

a community supported online

51:27

directory listing online

51:30

services currently supporting passkey authentication.

51:32

I've been waiting for this because I

51:34

want to play with passkeys. You know,

51:38

I've got iOS one point one point or sixteen point one

51:40

point one, I think, now. And

51:42

it's supposed to support passkeys, but

51:44

I've never tried it. So now

51:46

we can. So this directory

51:48

is at passkeys

51:50

dot directory. I didn't know

51:52

that directory was a TLD,

51:54

really. They've just gotten out of

51:56

control Leo. Is there a

51:58

dot Leo? Leo probably is. Anyway

51:59

so again, passkeys

52:02

dot directory takes you to

52:05

this listing. It currently

52:07

has forty three companies listed with

52:09

their URLs, although some

52:12

are flagged

52:14

as MFA. So, you know, multi factor authentication. So I

52:16

suspect that they might not be

52:18

pure passkeys login. They

52:20

may be passkeys plus another

52:22

factor, which

52:23

would be annoying. So anyway, some notable

52:26

names on the list, which do

52:28

appear to be pure passkeys

52:30

authentication without that

52:32

MFA tag, include

52:34

a 1Password passkeys

52:37

demo page of all

52:39

Best Buy. It's

52:42

Best Buy, yeah, supports passkeys.

52:44

Carnival Cruises -- Good. -- eBay -- Good.

52:48

-- Kayak. You

52:50

know, the the travel site,

52:52

Microsoft dot com. Again, Nescafe,

52:55

like what? Sure. Why

52:58

not? NVIDIA,

53:02

PayPal, and Robinhood. So

53:04

anyway, I just discovered this as I

53:07

was putting the the the the podcast

53:09

together. So I have not made any time to experiment with and

53:11

explore, but I am an avid

53:13

buyer on eBay.

53:16

Oh. often buying,

53:18

like, old hard drives that I need

53:20

to make sure that SpinRite works

53:22

with. Or in fact, I'll be talking

53:24

about SpinRite in a few minutes here because I actually did

53:26

just buy four drives from eBay,

53:29

which were specific drives

53:31

that I needed. So anyway, I

53:34

ought to be able to try logging in

53:36

to eBay with passkeys. I think

53:38

I I'm seeing it. Let me let me

53:40

log in and I'll show you. I'm

53:42

gonna log in to I'll go to Carnival Cruises, and it says

53:44

create create an account. And

53:49

let me show you this. I'm gonna make bigger and

53:51

see that log in

53:53

with your phone's Face

53:55

ID or fingerprint. That's passkeys.

53:58

It may not say passkeys.

53:59

Right? Right. Right. Right.

54:02

Right. So

54:04

scan this QR code. Alright. Let me try it with your phone's

54:06

camera. So this is yeah.

54:08

That's cool. I'm so glad this is

54:10

the first time I've seen it.

54:14

Alright. I scan it with my camera. I'm logging in.

54:16

Enter your email. Okay.

54:18

I always do it. And the site

54:20

knows, Leo. Look what it's doing. Oh, it

54:23

does. it knew I did something. Yeah. How would

54:26

it know that?

54:28

Well, because You're

54:31

I'm going to a special URL that that that

54:33

that QR code. Okay. Connection

54:36

loss. Something went wrong. Try again.

54:38

Oh, crud. Well, well, after all, it is

54:40

Carnival Cruise. So we're

54:42

working working

54:44

on it. So

54:47

now what do I do? Now what do I do to take another picture? Let's do it again. Did

54:49

you all I can't. Do you do you

54:51

have an account at Carnival? Not

54:55

carnival. No. Okay. Not I

54:57

mean, how about kayak? Well,

55:00

I think the idea is you would

55:02

have to should I go somewhere? I

55:04

already have an account? You wanna see what that

55:06

That looks like. I don't know. Let

55:08

me let me just I didn't

55:10

do it quickly enough probably. me What happens if

55:12

I log out of eBay? because

55:15

I'm, like, statically. Yeah.

55:17

So now I'm

55:20

pressing continue. Do you oh,

55:22

here it is. Do you wanna allow Carnival dot

55:24

com to use face ID?

55:26

Continue. I'm using Face

55:28

ID. The the it worked.

55:30

And look at this, on the phone, it

55:33

now says Steve if I could find

55:35

that. Passwordless sign

55:38

in enabled. enable evil Fast

55:40

log in by own ID, but this

55:43

is passkeys. Right?

55:46

You've

55:46

got to be

55:47

passkeys. Yeah. So

55:50

that's cool. So now it's

55:52

once, you know, complete your profile blah blah

55:54

blah. But now

55:56

I presume from now on, I can just use my phone. Love

55:58

it. Yay.

55:59

Yes.

56:01

Yes. Now

56:03

I have Carnival Cruise Line login.

56:06

Yeah. Sure. I want

56:08

that. No. Actually, the cruise line that

56:10

we do go on is owned by them. So

56:13

I guess that's one of the cruise lines we'd like to go

56:15

on. Again, I this is the weirdest

56:18

list, like Best Buy -- Well,

56:20

Carnival Cruises. I don't know. But

56:22

don't you think it's like I should trust these people

56:24

because they're at least on top of it.

56:26

Chase is not there, B of A

56:28

is not there. Well, banks are gonna

56:30

be a higher standard. You know, if you in Nescafe, but not Starbucks.

56:32

It's like, okay. I don't know

56:34

what's going on. But anyway,

56:37

I think it's gonna be lower stakes companies. Don't you

56:40

think initially a bank? That's gonna be

56:42

problematic, problematic. Yeah. I guess

56:44

Microsoft has become lower

56:46

stakes here. Would I like to receive

56:48

emails? No. Do I

56:50

accept their terms and

56:52

conditions? Yes? Have

56:54

you already booked your cruise? No. Okay. Now

56:57

now I guess the next time

56:59

I go there, let's go on another

57:01

let's go on another computer.

57:04

This is the first time I've ever used this. That's cool. So now I'm

57:06

gonna say log in and

57:08

it's gonna say log in with

57:10

your phone's Face

57:12

ID or fingerprint. I'm gonna

57:14

click that. Oh, I

57:16

have to scan it again. Is that is that right? Is that

57:18

what it should be doing? Yes. Yes. Because don't you

57:20

you haven't transferred your passkey into that computer.

57:22

And then it says, do you wanna log in

57:24

using a saved account? Yes. Logging

57:28

in Bingo, highly o, bunch of

57:30

Leo. It

57:33

works. It's a

57:35

little onerous. It's So

57:38

will I always have to scan my QR code to get in? So

57:41

well, so what you're doing is you're using

57:43

your phone's passkey -- Right.

57:45

-- in order in order to

57:47

authenticate across to a different device. Right. You and

57:50

and this was the problem that I

57:52

talked about is that

57:54

is that

57:56

if, you know, with SQRL there would only be one.

57:58

But but so you need to create another

58:00

passkey in your laptop.

58:03

And so there is there should

58:06

be a way to to you you can't export

58:08

the passkey, but you can you

58:12

can link them, you

58:14

you can create another passkey and then link

58:16

them so that they're identified as the

58:18

same. So yeah. See, I don't see I

58:20

already have a Microsoft account, but I don't see any

58:22

way to log

58:24

in if you haven't set up passkeys

58:26

with a passkey. Right? I'm just

58:28

going to the Microsoft site. Now I do

58:30

have an account and I could sign in, but I'm gonna say, could I do this with

58:33

my passkey? No. But maybe if I go

58:35

into my account, I could what's

58:37

that little thing down at the bottom? Sign in options,

58:39

but that's I already looked at that, and it just

58:41

gives me GitHub or forgot my

58:44

username. That's not That's

58:46

not passkey. I bet you I have to go to the

58:48

Microsoft account. They'll log

58:50

in normally and then say and I would

58:52

like to establish passkeys

58:54

with this probably. Yeah. Yeah. That would make sense. Yeah. I'll

58:56

try it while you're talking. Anyway,

58:58

all of our listeners now, again,

59:00

passkeys

59:02

dot directory, you can check back there and maybe

59:04

eventually some more interesting

59:06

sites will be available. Right. I think it's a

59:08

miracle that Robinhood is using it.

59:12

Yeah. Yeah. Yeah. I bet FTX would

59:14

have if they Go go go to passkeys

59:16

dot directory and see what it Oh, oh,

59:18

there's more

59:20

than just this. Okay. Yeah. Yeah. Yeah. Just yeah. Yeah. because there was a bunch of

59:22

things that also had MFA for

59:24

tags for some reason. So

59:26

so you can see the the little the little

59:28

green dots just in.

59:30

Sign in. And here's Cloudflare MFA.

59:33

Yeah. So I didn't know what

59:35

that meant. probably means I need a password

59:37

to log in and pass

59:39

keys. like it's two factored. Yeah. That's what

59:41

I'm thinking. Just DocuSigning. I could sign

59:43

in Oregon. Interesting. Well, I

59:46

have a GitHub account.

59:48

Let me play with

59:50

that a little bit and see. Oh, okay. Cool. Yeah. In other

59:53

news, again, passkeys

59:55

dot directory, our listeners, Okay.

59:58

So from the having fun with bureaucracy

1:00:02

department comes an edict

1:00:04

from the

1:00:06

OMB. The US's Office

1:00:08

of Management and Budget has

1:00:10

ordered federal agencies to scan

1:00:12

their systems. Oh, yes. Scan

1:00:15

Those puppies carefully scan

1:00:17

them in scan them

1:00:19

and provide an inventory

1:00:21

of assets containing cryptographic

1:00:24

systems that could be

1:00:26

cracked by quantum computers in

1:00:28

the coming years. That's it.

1:00:31

How would you know? Well,

1:00:33

Leo. Okay. First of all, there is probably not a

1:00:35

single computer in the government

1:00:37

that doesn't use and

1:00:40

depend upon some public

1:00:42

key crypto, and none

1:00:44

of the currently deployed public

1:00:46

key crypto. There's no West Quarter

1:00:49

is quantum resistant. Yeah. So the

1:00:51

OMB could have

1:00:53

simply said, give us a list of

1:00:55

all your computers. That's a good point. And and by the way,

1:00:57

stop using them. Yeah. That okay.

1:01:00

So the the next point worth

1:01:02

noting is just a

1:01:04

reminder that no

1:01:06

one has come near

1:01:08

to building a quantum computer

1:01:10

anywhere, so far as anyone knows,

1:01:13

they could even begin to

1:01:16

think about breaking

1:01:18

actual public key crypto.

1:01:21

Oh, yes. Factoring the number twenty seven, we

1:01:23

can do that. It's magic.

1:01:26

But the number thirty

1:01:28

five, we're not quite

1:01:30

there yet. Give us another ten years or so, and we'll be able to

1:01:32

factor thirty five. Okay. Now that

1:01:34

said, I'm on

1:01:36

the record agreeing

1:01:38

that there's absolutely no reason

1:01:41

not to move us

1:01:43

to Quantum Safe Crypto sooner

1:01:46

rather than later, you know. Let's not wait till

1:01:48

we need it because we know how slow

1:01:50

and painful these moves can

1:01:52

be. So you know, just

1:01:54

as sure or just as

1:01:56

soon as we're absolutely

1:01:58

sure that we're not

1:01:59

gonna be making a

1:02:02

big mistake, because that's possible. Remember that one

1:02:04

of the candidates that had

1:02:06

already been chosen,

1:02:08

already selected, was

1:02:10

recently cracked by conventional computers.

1:02:13

So it would be a

1:02:15

lot better that,

1:02:17

you know, for us to

1:02:20

stay where we are, where we know we can't crack today,

1:02:22

the the the algorithms

1:02:26

we're using, before moving prematurely to

1:02:28

something that we presume

1:02:30

some future non

1:02:32

existent mythical

1:02:34

quantum computer should also be unable

1:02:37

to crack. So

1:02:39

the OMB edict

1:02:40

stated

1:02:42

that federal agencies had until May fourth

1:02:45

twenty twenty three. So, like, is

1:02:47

that, you know, this coming

1:02:50

May fourth. I don't know why

1:02:52

May fourth, but that's

1:02:54

it. And the NSA

1:02:56

ordered that all government

1:02:58

agencies handling

1:03:00

classified information must use quantum

1:03:01

resistant encryption by two thousand

1:03:04

and thirty five. Okay?

1:03:06

So that's thirteen years from now.

1:03:10

By then, we ought to be up to

1:03:12

factoring forty five. So

1:03:17

Good. We'll be switching over

1:03:19

to quantum computers any minute, you know,

1:03:21

before we need

1:03:24

them. Yeah. Okay.

1:03:26

So this other piece

1:03:28

of attorneys general news that

1:03:30

I wanted to share, one

1:03:33

of the developing themes of

1:03:35

this podcast is the observation that we're still in

1:03:37

the Wild West stage of

1:03:39

the creation of

1:03:42

the Internet. It

1:03:44

remains an unregulated

1:03:46

or only very loosely regulated

1:03:48

medium. And of course,

1:03:51

globally, it's an uncoordinated total disaster.

1:03:54

The idea that we've

1:03:56

linked our fundamentally

1:03:59

insecure networks to

1:04:02

those of openly hostile nations

1:04:05

should give anyone pause.

1:04:08

Yet, that's what

1:04:10

we've done. Chinese, Russian, and

1:04:12

Iranian cyber criminals under the

1:04:14

protection of their nation

1:04:16

states who have no love for

1:04:18

the US, are able to

1:04:20

openly attack the networks

1:04:22

of US corporations and its

1:04:24

private citizens. And yes,

1:04:26

there's reciprocity is

1:04:28

able to do the same to them and presumably

1:04:30

that's happening too, although there seems

1:04:32

to be a surprising lack of information

1:04:34

about that. You know, But,

1:04:37

you know, reciprocity doesn't make any of this

1:04:40

sane. You know? It's like,

1:04:42

you know, mutually assured

1:04:44

destruction. So we can

1:04:46

only hope that the

1:04:48

Internet our grandchildren will

1:04:50

use as adults, thirty

1:04:52

years from now, will be much different

1:04:54

from the one we've been watching being born

1:04:56

through these past thirty years.

1:04:59

I bring this up because

1:05:01

various democracies around the world, notably the

1:05:04

EU and the US,

1:05:06

among others, are inching

1:05:08

forward cautiously in an attempt to

1:05:10

provide their citizens with some

1:05:12

legally enforceable rights

1:05:14

to privacy and personal information.

1:05:17

At the moment, we have clear statutes

1:05:19

outlawing overt network intrusion and

1:05:22

attack. When those laws are

1:05:24

broken, people lose their freedom for

1:05:26

doing so. But

1:05:28

nothing yet prevents or

1:05:30

regulates the passive collection

1:05:32

of as much Internet user

1:05:35

data as possible. Google was sued by those forty

1:05:37

states' attorneys general, not for

1:05:40

tracking, but for tracking

1:05:42

after they said they weren't.

1:05:45

As long as a company

1:05:47

doesn't say that they won't do something,

1:05:49

they can do pretty much anything they

1:05:51

want. So how do we get

1:05:53

this to change? Here's a hopeful example.

1:05:55

Last Thursday, a coalition of thirty

1:05:58

three state attorneys general

1:05:59

co-signed a letter

1:06:02

formally urging

1:06:04

the US Federal Trade Commission, our FTC,

1:06:06

to pass legislation which

1:06:09

would regulate online data

1:06:12

collection practices. Might

1:06:14

not happen, but it's a good

1:06:16

start. These AGs said

1:06:18

they are, quote, concerned

1:06:20

about the alarming amount of sensitive

1:06:22

consumer data that is amassed, manipulated, and

1:06:25

monetized, unquote. And

1:06:28

they also said that

1:06:30

they regularly receive inquiries

1:06:32

from consumers within their states

1:06:34

about how their own data

1:06:36

is being hoarded and abused. Okay.

1:06:39

So since we've still got a bit of time, and I think

1:06:41

this is extremely important, I'm gonna

1:06:43

first share just

1:06:46

the introduction in

1:06:48

the letter, which was submitted to the FTC

1:06:51

and signed. It's really

1:06:53

pretty. They have, like, different

1:06:55

colors of ink on the signatures. I don't know how they pulled

1:06:57

this off, but it was, like, you know, signed by

1:07:00

forty attorneys

1:07:02

general. So in their in

1:07:04

the beginning of this letter, they said,

1:07:06

we, the attorneys general

1:07:09

of Massachusetts, okay, I'm not gonna read

1:07:11

them all because they didn't list them all,

1:07:13

but they they did some. Massachusetts, Connecticut,

1:07:16

Illinois, New Jersey, North Carolina, and

1:07:18

Oregon joined by

1:07:20

their respective attorneys general of the undersigned

1:07:22

states write to the Federal Trade

1:07:24

Commission in response to the August

1:07:26

twenty two

1:07:29

twenty twenty two advance

1:07:32

notice of proposed rulemaking

1:07:35

on commercial surveillance

1:07:37

and data security. So this

1:07:40

was something that the FTC put

1:07:42

out there and asked

1:07:44

for comments. So that was

1:07:47

an advance notice of proposed rulemaking on

1:07:49

commercial surveillance and data security.

1:07:51

That all sounds

1:07:54

great. So they said, as the chief consumer

1:07:56

protection officials in most of our

1:07:58

respective states, we hope

1:08:00

to inform

1:08:02

the commission as it

1:08:04

contemplates new trade regulation

1:08:06

rules governing commercial surveillance

1:08:09

and data security. The

1:08:11

state attorneys general commend the

1:08:13

FTC for its comprehensive review of corporate

1:08:16

surveillance and data security

1:08:18

in preparing the notice.

1:08:20

We, too,

1:08:23

are concerned about the alarming amount of sensitive consumer data

1:08:25

that is amassed, manipulated,

1:08:27

and monetized. Our

1:08:30

offices frequently receive outreach

1:08:32

from consumers concerned about

1:08:35

the privacy and security of their information. Research supports that

1:08:39

consumers are worried about commercial surveillance and feel

1:08:42

powerless to address it. Oh, really?

1:08:45

Leo. Imagine

1:08:48

that. That's interesting. We're just going on the record

1:08:50

here. Many consumers believe that tracking by companies

1:08:56

is inevitable, yet often do not

1:08:58

even know what is being recorded. These fears intensify

1:09:01

when they learn

1:09:04

more about the commercial surveillance

1:09:06

economy, and in particular consumers fear falling victim to

1:09:09

identity theft and

1:09:12

data misuse. A majority doubt

1:09:14

that their data can be kept secure. Contributing to these

1:09:16

concerns is the

1:09:19

fact that companies

1:09:21

are often collecting more data

1:09:23

than they can effectively manage or need

1:09:26

to perform their services. Our

1:09:31

consumer privacy related enforcement actions

1:09:34

and investigations have resulted

1:09:36

in settlements with companies

1:09:39

like Google that have provided significant business practice changes

1:09:41

to strengthen data security

1:09:43

and privacy going

1:09:46

forward. But there is still more work to be done. Our

1:09:49

submission highlights the heightened

1:09:52

sensitivity of certain

1:09:54

categories of consumer information, the

1:09:57

dilemma of data brokers and how they prevail

1:09:59

consumers and

1:09:59

how

1:09:59

data minimization can

1:10:03

help mitigate concerns surrounding

1:10:07

data aggregation. Okay. Then

1:10:09

the letter goes on at

1:10:11

quite some length detailing

1:10:13

five general categories of abuse. Unfortunately, in an effort to be

1:10:15

very clear and to drive their points home, that

1:10:17

part is too long

1:10:20

to share. But

1:10:23

I found a separate release about this

1:10:25

action from New Mexico's

1:10:28

attorney general,

1:10:31

Hector Balderas. In it, he addressed each of these

1:10:34

five points by reference quite succinctly. So those I wanna share

1:10:36

because it's

1:10:39

good stuff. So first, there there

1:10:41

so there's five categories.

1:10:44

Location data.

1:10:46

He said, or his office said, according to the letter,

1:10:49

many consumers are not even aware of

1:10:51

their location that their

1:10:54

location information is being

1:10:56

collected. And when a consumer

1:10:58

wishes to disable location sharing, their options are quite limited. The attorneys general

1:11:03

note the sensitivity of this information, which can

1:11:06

reveal intimate details of daily

1:11:08

life, such as

1:11:10

where they live and their

1:11:12

shopping habits, their daily schedule, or where they

1:11:14

or whether they visited the doctor

1:11:18

or pharmacy. Laws passed in states like California, Connecticut,

1:11:21

Virginia respecting the use

1:11:23

and collection of

1:11:26

location data can provide a framework to inform the

1:11:28

FTC through the rulemaking process.

1:11:31

So this is this is

1:11:33

him saying or his office

1:11:35

saying, look, for

1:11:37

location data things, look at what California, Connecticut, and

1:11:39

Virginia have done, use that, you

1:11:41

know, consider using that

1:11:43

as a framework. Biometric

1:11:48

data. The coalition urges the

1:11:50

FTC to consider the risks

1:11:52

of commercial surveillance practices

1:11:55

that use or facilitate the use

1:11:57

of facial recognition, fingerprinting, or other

1:11:59

biometric technologies. Many consumers provide this

1:12:01

information to companies for

1:12:04

security purposes or

1:12:06

to learn about their ancestry. But consumers are not always made aware when

1:12:09

their data

1:12:12

is collected how it

1:12:14

is used, or if it is resold for purposes to which they never meaningfully

1:12:16

consented.

1:12:20

Medical data. The FTC should also

1:12:22

consider the risks of practices that

1:12:27

use medical data regardless of whether the

1:12:30

data is subject to the Health Insurance Portability and Accountability

1:12:33

Act of nineteen

1:12:36

ninety six, popularly known

1:12:38

as HIPAA, and the privacy rule. Medical data not

1:12:40

necessarily covered by HIPAA

1:12:43

is referred to as health

1:12:47

adjacent data, which can

1:12:49

be collected by many devices.

1:12:51

For instance, smartwatches, health monitors,

1:12:53

sleep monitors, and health or wellness phone

1:12:56

applications. The letter also

1:12:58

highlights medical information risks

1:13:00

through examples such as storage

1:13:02

of health related Internet searches

1:13:04

or appointment scheduling information

1:13:07

being passed to others

1:13:09

through online tracker tools. In other words, you get a sense

1:13:11

for how comprehensive this letter was that the forty states' attorneys

1:13:14

general submitted to the

1:13:16

FTC. Two

1:13:19

more to go, data brokers. The attorneys

1:13:21

general reiterated to the

1:13:24

FTC the persistent

1:13:26

dangers of data brokers. Data

1:13:29

brokers provide consumers I'm sorry. Data

1:13:31

brokers profile consumers by

1:13:36

scouring social media profiles, Internet

1:13:38

browsing history, purchase history, credit

1:13:42

card information, and government

1:13:44

records like driver's licenses, census

1:13:47

data, birth certificates, marriage licenses, and voter

1:13:52

registration information. Data brokers use

1:13:54

this information to create profiles of certain consumers,

1:13:56

which can be

1:13:59

purchased by almost anyone, based

1:14:02

on susceptibility to certain advertising

1:14:05

or likelihood to buy

1:14:07

certain products. This

1:14:09

scale of aggregation of anonymously gathered

1:14:12

information can identify consumers

1:14:14

and put consumers at

1:14:16

risk of

1:14:18

scams, unwanted and persistent advertising, identity

1:14:21

theft, and lack of

1:14:23

consumer trust in

1:14:26

the websites they visit. And

1:14:28

lastly, data minimization. The attorneys general say that

1:14:30

it is vital that the FTC consider data

1:14:35

minimization requirements, and limitations. With respect

1:14:38

to data collection and retention,

1:14:41

the letter encourages the FTC to examine the

1:14:44

approach taken in

1:14:46

California, Colorado, Connecticut,

1:14:50

Utah, and Virginia consumer privacy laws, which

1:14:52

mandate that businesses tie

1:14:54

and limit the collection

1:14:56

of personal data

1:14:59

to what is reasonably necessary in relation

1:15:02

to specified purposes. Limiting the collection

1:15:04

and retention of

1:15:07

data by businesses will improve

1:15:09

consumer data security as businesses will have less data to protect and

1:15:11

less data potentially available

1:15:15

to bad actors.

1:15:17

Okay. So I think if nothing else, this is

1:15:19

a useful start. In the

1:15:22

United States where we exalt

1:15:24

capitalism, one

1:15:27

to innovation, but we all know that we're

1:15:30

a long way from being, you know,

1:15:33

from being in danger

1:15:36

of that. Much of what is going

1:15:38

on today is only able to happen under the cover of darkness because

1:15:41

consumers are

1:15:44

blissfully unaware. You know,

1:15:46

what did Apple discover when they started requiring their apps to proactively obtain cross

1:15:48

application tracking

1:15:52

permission? They found that

1:15:54

nearly everyone who was asked declined. No thanks. You know,

1:15:58

and no surprise. So

1:16:01

we can expect any improvements to be slow going. As I always say, change is

1:16:03

slow, but the pressure

1:16:08

is there. And it's not

1:16:10

gonna go away. At least I think we're moving in the right direction. And, you know, this,

1:16:12

you know, forty

1:16:15

states getting behind this you

1:16:18

know, one wonders why it's not

1:16:21

fifty.

1:16:21

Well,

1:16:22

who knows?

1:16:24

Some presumably buckled

1:16:26

to some pressure. Okay. I have some closing the loop things that I think are

1:16:31

interesting. Vincent shot

1:16:34

me a note that I wanted to share

1:16:36

regarding we we were

1:16:38

talking about the concern that was

1:16:41

raised by a different listener about

1:16:43

the ZimaBoard and how when he changed his credentials, it was

1:16:45

only away from the

1:16:48

log on of

1:16:51

CasaOS. CasaOS. It was only

1:16:53

for the web portal log on,

1:16:55

and all of the

1:16:57

other credentials remain the same. He

1:16:59

was concerned that that that would

1:17:01

that the lack of

1:17:04

changing

1:17:04

of other

1:17:07

credentials was unknown to ZimaBoard users and that

1:17:10

they might get themselves in trouble, for example, if they turn this thing into a router.

1:17:12

Anyways, Vincent Stacey

1:17:15

tweeted, Steve, pfSense

1:17:18

installs its own version of Linux and won't have the default

1:17:20

users of

1:17:24

another distribution.

1:17:25

And that's a very good point for a

1:17:28

router. Though just

1:17:30

for the record, it's

1:17:32

actually FreeBSD

1:17:34

Unix that pfSense runs on top of and brings along with it.

1:17:36

But the main reason

1:17:39

why a ZimaBoard would

1:17:43

not be my first choice as a router, is that

1:17:46

unless a network expansion board

1:17:48

were to be plugged

1:17:50

into its PCIe x4

1:17:52

slot, it only

1:17:54

has a pair of LAN NICs built in. And I would expect a

1:17:59

router today certainly

1:18:01

one that any of our

1:18:03

listeners would be using to have a few more interface controllers,

1:18:06

a few more NICs.

1:18:09

for implementing useful multi network isolation. So I

1:18:11

can't see it being a

1:18:16

big being really popular as

1:18:18

a router. There are some, you know, some better,

1:18:20

you know, fan

1:18:22

less

1:18:23

solutions like that what

1:18:26

is it? The SG1 thousand, I

1:18:28

think, that that

1:18:30

that I've talked about before.

1:18:33

Charles Turner tweeted

1:18:35

as possible fodder for a listener feedback

1:18:37

section in a future episode

1:18:39

of SecurityNow podcast.

1:18:41

I have a question arising from the

1:18:43

discussion you and Leo had on Tuesday okay.

1:18:45

He says November fifteenth. That was last

1:18:48

Tuesday. During

1:18:50

security now, episode eight, safe languages.

1:18:52

Yep. Last last podcast. He says,

1:18:54

with the future of Twitter in

1:18:58

doubt, What is your prediction on the long

1:19:01

range fate of Mastodon? The

1:19:03

cynical part of me gives

1:19:05

Twitter a fifty fifty chance

1:19:07

of either a rebounding back

1:19:10

to its former glory as or and beyond or

1:19:12

b

1:19:13

becoming a forty

1:19:15

four billion

1:19:19

dollar version next iteration

1:19:22

of MySpace and FTX.

1:19:24

Okay.

1:19:26

So it's clear to us all

1:19:28

that Twitter is currently in

1:19:30

turmoil, and I don't have

1:19:32

any firsthand sense for just

1:19:34

how fragile Twitter's technology is internally. And it

1:19:37

seems to me that

1:19:39

matters a lot. If

1:19:42

the previous regime engineered really solid bulletproof systems, then

1:19:45

in order to be

1:19:47

able to withstand Elon's shaking

1:19:51

of its foundation. But overall, I'm

1:19:53

a big believer in

1:19:56

inertia and in

1:19:58

things generally changing much more slowly than we expect. Leo, of

1:20:01

course, Elon could trip over

1:20:03

the main power cord and

1:20:06

Twitter could go dark until someone plugged it

1:20:09

back in. And I suppose I'm

1:20:11

interested in what Elon is

1:20:13

doing there. You know? He's an interesting character,

1:20:16

and somehow he he's managed to

1:20:18

get other people in the past, at

1:20:20

least, to do

1:20:23

some truly amazing things. I'll never forget

1:20:25

the sight of those twin boosters returning

1:20:27

to and landing on that floating platform

1:20:32

for reuse. That was truly astonishing

1:20:34

-- Yeah. -- technology. And it's Elon's SpaceX

1:20:37

StarLink technology, which

1:20:40

actually works that's enabling

1:20:42

Ukraine to survive Russia's increasingly aggressive attacks against its

1:20:48

infrastructure. Again,

1:20:50

Thanks, Elon. Mostly

1:20:52

though, my take is that I

1:20:54

think Elon is just having

1:20:56

fun with his life. as

1:20:58

is his as is his

1:21:01

right. Right? You know? I hope

1:21:03

he's had expensive fun. You

1:21:06

know? What about our lives? He

1:21:08

doesn't care. He doesn't care.

1:21:11

No. He doesn't. He thinks

1:21:13

we're simulations. That's why. It's it's his

1:21:15

life. Yeah. And he's not a guy

1:21:17

who likes to make small waves.

1:21:20

Right. Elon's

1:21:22

waves are big. And let's not forget

1:21:24

that Twitter made him

1:21:27

do it. They insisted that

1:21:30

he honor his wildly overpriced purchase offer.

1:21:33

He didn't wanna buy Twitter.

1:21:35

They made him buy it. So

1:21:37

it seems to me that Twitter is

1:21:39

getting what it deserves. The Elon

1:21:42

treatment. He's showing them

1:21:44

that he can do anything

1:21:46

he wants to with it. So all

1:21:49

of this made me curious about what he

1:21:51

is doing with it. You know,

1:21:53

I pick up little bits

1:21:55

here and there but I don't follow

1:21:57

news feeds or even Twitter because they interrupt my work and my train

1:21:59

of thought. So it

1:22:02

was with some joy that

1:22:05

I stumbled upon a site which I figured

1:22:07

had to exist somewhere. The site's called, Twitter

1:22:10

is going great dot

1:22:12

com, in

1:22:15

the spirit of Molly White. Yep. And,

1:22:17

yes, of course, it's

1:22:19

offering up its

1:22:21

share of Schadenfreude. So keep in mind that

1:22:24

it's naturally gonna be biased, but

1:22:26

it's still a lot of fun.

1:22:28

The site hosts

1:22:31

a simple timeline of Twitter's Elon

1:22:33

related happenings. So now I can check in from

1:22:36

time to time whatever

1:22:38

I want to, you know,

1:22:40

to get a sense for what's going

1:22:43

on over there. I mentioned it because I imagined that some of our listeners would also appreciate knowing

1:22:46

about this nicely distilled

1:22:50

timeline, event resource. It's

1:22:52

hysterical because it's all tweets. Yes. I guess

1:22:54

that's that's a best source of what's

1:22:56

going on at Twitter, I guess.

1:22:59

Yeah. Twitter is going great dot com. I'll

1:23:01

show you another one that you

1:23:03

should read. This is

1:23:06

from a Twitter Reliability site

1:23:08

reliability engineer. Mhmm. I think former

1:23:11

Matthew Tejo, he's on Substack, and

1:23:16

it's I think you would enjoy

1:23:18

this. I barely understood it, but he talks about all of the redundancies, all

1:23:20

of the automation. He says,

1:23:23

when I came in, The

1:23:26

list of servers was on a spreadsheet.

1:23:28

Now, of course, it's a much better

1:23:31

system, and he did a

1:23:33

really good job. It sounds like he and

1:23:35

his team did a really good job of

1:23:37

making it run. He was in charge

1:23:39

of the cache, the

1:23:41

cache team, which was a pretty

1:23:43

big deal because everything you're getting is

1:23:45

served from cache. None of it served

1:23:47

from Leo served. I I

1:23:49

don't didn't wanna interrupt you, but

1:23:51

Does Eddie has Eddie would stop to think

1:23:54

about what it does?

1:23:57

Oh, it's phenomenal. Yeah. It is un

1:23:59

Well, freaking believable. This

1:24:01

is just a fraction of

1:24:03

it. What Twitter actually Leo.

1:24:06

Yeah. I I can't imagine building

1:24:08

this system. Oh, yeah. It just stopped. Read this, so

1:24:10

I think you'd enjoy it. And it's just a fraction of what

1:24:12

is going on. And

1:24:15

but his point is These

1:24:18

things are designed to run unattended. A

1:24:20

lot we automated everything

1:24:22

we could. And so it should

1:24:25

unless something you know, nobody's

1:24:28

gonna kick the plug out of the

1:24:30

side. I hope there's more than one

1:24:32

plug. But Good afternoon. You piss off. You piss off. You

1:24:34

let me you might Well, that might yeah. He might he just might pull the plug. So but

1:24:39

but you wouldn't expect it to all fail all of a sudden.

1:24:41

There may be bugs here and there and stuff. And there may and the real problem is there may not be somebody to solve

1:24:43

that problem, which cascades

1:24:47

another one. etcetera. Then I've read I've read a number of

1:24:49

articles. We have Phil Libin, who was the

1:24:51

founder of Evernote. Very, very

1:24:53

well rounded. I

1:24:55

was very impressed on Sunday. He's a smart guy. And

1:24:57

-- Yeah. -- he was saying, you know, give Elon as you

1:25:00

do, just

1:25:02

give Elon some credit. There was a good article by a former Tesla engineer

1:25:04

that says Elon did exactly the same

1:25:06

thing in twenty eighteen to Tesla.

1:25:10

He was firing people. He spent the nights there. He was bemoaning. They

1:25:12

might be bankrupt. This was all in the

1:25:14

lead up to the type three.

1:25:17

The model three

1:25:19

of the Tesla. And so

1:25:21

this is kinda how Elon works, obviously, you know, for some people not the ideal

1:25:23

situation. That's why people have left Twitter

1:25:26

voluntarily as well as

1:25:28

involuntarily. Leo

1:25:31

I've also read articles who let's

1:25:33

say, you know, this is how he

1:25:35

he's reinventing Twitter, is

1:25:38

get you have to get rid of almost everybody and then

1:25:41

build a team of people who

1:25:43

believe in your vision. He

1:25:45

hasn't really communicated that apparently, but who believe in

1:25:47

your views. He's just making it up. Yeah. That's making

1:25:49

it up as he goes a lot. Nobody you

1:25:52

know, I don't I'm confused.

1:25:54

I see stuff that looks crazy. He says, you're gonna have a committee

1:25:56

to approve who who comes and goes, and then

1:25:58

he just says, now, I'm gonna bring him

1:26:00

back. And, you know, it's

1:26:02

just it's it's it's seems

1:26:04

chaotic. There was one there

1:26:06

was one piece there that that that said he sat down and explained

1:26:09

to the core

1:26:12

team how how advertising should

1:26:14

be tweets. And he and they said, they are.

1:26:16

He said native. Yeah. It

1:26:18

should be native. It is. That's

1:26:23

exactly my problem with the average. Yeah. He

1:26:25

you know, so he's coming somewhat from

1:26:27

ignorance, but you're right.

1:26:30

He's also a pretty interesting He's

1:26:32

probably sleeping there. He's there. He says he is. hours

1:26:34

a day and and, you know, he'll figure this thing out.

1:26:36

He and he he's a weirdo.

1:26:38

And some of the things he's tweeted.

1:26:42

I'm not thrilled about some of the pictures and stuff. This is from one twenty AM at Twitter.

1:26:44

He this is when he,

1:26:46

you know, came in

1:26:48

Saturday, or

1:26:51

Friday night, Saturday morning, to explain

1:26:53

how Twitter works. And

1:26:56

these are the the the

1:26:58

skeleton crew there is sitting with

1:27:00

them but this is his picture of

1:27:02

what they drew on the whiteboard. This is not a code review. This is explaining

1:27:04

in rudimentary fashion to

1:27:07

somebody doesn't know how this

1:27:10

stuff works, how it's working. I get you know what? We don't know

1:27:12

yet. He may this may

1:27:14

be Twitter two point o.

1:27:18

inventing, and maybe this is how he works. I would

1:27:21

never wanna work for him, but

1:27:23

people And we'll see

1:27:25

what There was an interesting

1:27:27

moment I was watching a press conference when

1:27:31

Biden was off

1:27:35

in the east And it it

1:27:37

was that that awkward that awkward press conference where he

1:27:40

meant to

1:27:43

say Cambodia, he said Colombia three times. Like, oh, Joe. Joe.

1:27:45

But but but but someone in

1:27:47

the press pool asked

1:27:51

him about Elon. And

1:27:52

and so

1:27:53

understand that our relationship, the government

1:27:55

has a relationship. Right?

1:27:59

With Elon, because he's now SpaceX, and we got

1:28:01

all these contracts. Right. So

1:28:03

Biden just locked up.

1:28:05

You know, he it's didn't know

1:28:07

what to say because like, oh, you know, I I I

1:28:10

can't I don't dare piss off

1:28:14

Elon or, you know, We're gonna be in real we're not gonna have any

1:28:16

think we're looking into it though. You

1:28:18

know, it's it's very complicated because

1:28:21

Elon has relationships with not just the US government.

1:28:23

but many other governments Tesla sells a lot of cars and

1:28:26

builds them in China. It's a complicated

1:28:28

system. And it's kind of a bull

1:28:30

in a china shop, but I

1:28:33

think he's a care I just think

1:28:35

he's a care person. I think he's having fun with

1:28:37

his life. Yeah. And, you know Too bad, though, because

1:28:39

Twitter is a valuable

1:28:44

resource. It's not a public resource. It's

1:28:46

not even publicly held company anymore. And

1:28:48

it's incredibly valuable. Leo it's a

1:28:50

shame if he crashes it, you

1:28:52

know? Well, I mean, I I he

1:28:54

he's I just he's led a bunch of loons back on recently. Yeah.

1:28:56

And, you know,

1:28:59

but I don't I don't ever see tweets from loons.

1:29:01

I have a very quiet experience with Twitter. I just

1:29:03

talk to our listeners -- Right. --

1:29:05

and and they talk to me. And

1:29:08

it's just a great little channel.

1:29:10

So, you know, I don't care who says, you know, that that vaccines are

1:29:13

garbage alone. Yeah.

1:29:16

Who cares? Okay, Leslie McFarlane said,

1:29:18

hi, Steve. Uh-oh, if Twitter implodes, are you

1:29:20

are you going

1:29:23

to Mastodon or somewhere else?

1:29:25

Your SecurityNow podcast is top notch security and quality.

1:29:27

Well, thank you, Leslie. though

1:29:31

So okay. In order to

1:29:33

get the word out to eighteen years' worth of SpinRite owners,

1:29:36

I will shortly and I mentioned

1:29:38

this before on the podcast be setting

1:29:40

up an

1:29:42

old school email facility. One of

1:29:44

the several lists that I'll be maintaining

1:29:47

will be for security now listeners

1:29:49

who would like to subscribe to the

1:29:51

weekly links and the show notes and a description

1:29:53

of each week's podcast which I

1:29:55

post to Twitter. It'll

1:29:58

be nice to have more than two

1:29:59

hundred and eighty characters for that.

1:30:02

So so that will be a possibility.

1:30:04

And you know, as

1:30:06

for Mastodon, I have no I I'm took me

1:30:08

ten

1:30:09

years to get

1:30:11

Steve on Twitter.

1:30:14

Right. Patient. Thank you, Leo.

1:30:16

I'm I'm looking at it. I'm

1:30:18

not looking I'm not looking for

1:30:20

more connectivity. We'll see how Twitter

1:30:23

goes. As it is, I spend most

1:30:25

of my time in GRC's quiet

1:30:27

news group getting actual getting

1:30:29

actual work done. Yeah. And now we have GitLab

1:30:31

for managing SpinRite bugs and feature

1:30:34

requests. And I have GRC's web

1:30:36

forums, which will

1:30:38

soon be quite active since that's where SpinRite's tech support will

1:30:40

be hosted. And a lot of

1:30:42

new users are gonna be using

1:30:44

SpinRite six one

1:30:47

and and have questions. Or maybe not

1:30:49

because it's pretty much the same as

1:30:51

it was. It just works a lot better. You know, so anyway, I I

1:30:53

just don't have any

1:30:55

additional bandwidth available for

1:30:57

new conversation opportunities. You know, I doubt that Twitter can actually implode. It's as

1:31:00

you said, Leo, it's too big

1:31:02

and too important. You know, I doubt

1:31:06

that even Elon can or will kill You

1:31:09

know, and I have an alternative

1:31:11

means for communicating my and

1:31:13

GRC's events to anyone

1:31:16

who cares through good old email.

1:31:18

So and I will extend this offer after episode 999

1:31:21

You can always

1:31:24

use us to tell the world, I

1:31:26

would bet a lot of SpinRite users and owners listen to various

1:31:30

other things we do. And We have a lot of different including Twitter channels.

1:31:32

So And Leo, we still have two

1:31:34

years. Who knows? Two years from two

1:31:37

two years from now.

1:31:39

What'll be going on? Okay.

1:31:41

Someone said, I where does his name go? Oh, I didn't have his name here.

1:31:43

Shoot. I think

1:31:47

it was Walt. Anyways, it's

1:31:50

Steve. Did you see? There's a Project Hail Mary in

1:31:52

IMDb. Project Hail Mary

1:31:54

in IMDb. He

1:31:56

said crossing my fingers. Anyway, indeed,

1:31:59

there is a Project Hail

1:32:04

Mary movie is in the works. Well,

1:32:06

it is currently flagged as in development. If you had listened to our interview with Andy Weir some

1:32:08

years some months ago when

1:32:10

it came out, he'd already optioned

1:32:12

it. And

1:32:14

he told me and I wasn't

1:32:16

too thrilled. I don't know how well I hid

1:32:18

my discomfort that Ryan Gosling had signed on

1:32:21

Yes. I saw that too.

1:32:24

I saw that. And I went,

1:32:26

oh, okay. But, yeah, we're gonna, you

1:32:28

know, Andy

1:32:31

was gonna be on some months ago,

1:32:33

but he just had a baby. We'll

1:32:35

get him back on. And

1:32:37

by the way, Daniel Suarez

1:32:40

has a new book. The

1:32:42

sequel to his Delta-v book

1:32:44

is coming out soon

1:32:46

in, I think, next January. and we'll

1:32:48

have a lot of fun reading those. Those are great. Yeah.

1:32:50

So we'll get him on too. So, yeah, we'll we'll keep an eye. I'll

1:32:53

have Andy long before

1:32:55

a movie gets made. get the

1:32:57

latest on that one. Okay. So speaking of

1:32:59

books we've loved, so many people have written to me that telling me

1:33:01

that they've that they're

1:33:03

loving the Silver Ships

1:33:06

series that I wanna share a

1:33:09

tweet I received two days ago.

1:33:10

From the first person I

1:33:13

know who has or we know

1:33:15

who was finished the entire twenty

1:33:17

four book series. I was

1:33:20

horrified as I started to read

1:33:22

the tweet that he might have written

1:33:24

something of a spoiler, but that

1:33:26

concern was misplaced. So here's the content of the DM that Bob

1:33:29

Grant sent.

1:33:32

He

1:33:32

wrote, Wow wow

1:33:33

wow wow superb ending to the

1:33:35

series. There was enough great writing

1:33:37

and new intrigue in the first

1:33:39

part of this final

1:33:43

book in the Silver Ships series to

1:33:45

be a great book in and

1:33:47

of itself. However, the

1:33:49

wrapping up of all the

1:33:51

various storylines from previous twenty three books. And

1:33:54

he says, paren, twenty Silver

1:33:56

ships and the related

1:33:58

four Pyrean books. At the

1:34:00

end, was

1:34:02

superb. There were joyful and poignant endings to each of the major characters

1:34:07

from the books. I

1:34:09

have to say that this is the best series I've

1:34:11

ever not to

1:34:15

take away from Weber's

1:34:17

Honorverse. Of course, he's talking about David Weber's, you know,

1:34:20

Honor Harrington

1:34:24

series that was one of the

1:34:26

early series that we talked about in this podcast, or Ryk Brown's Frontiers series,

1:34:29

he says both of

1:34:31

which I've enjoyed. but

1:34:34

these twenty four books have been a joy to read from beginning to end.

1:34:36

And then he said after a little

1:34:38

break to catch up on some other reading,

1:34:43

I plan to start the new S.H. Jucha series called

1:34:45

Gate Ghosts, whose first book is

1:34:48

Axis Crossing. And

1:34:51

as I mentioned to you, Leo, there are six more in

1:34:53

that series after these twenty

1:34:55

four. So anyway,

1:34:58

obviously, Bob has been following along with my previous

1:35:00

reading discoveries. He knows of

1:35:02

and read David Weber's Honorverse

1:35:04

series and Ryk Brown's work

1:35:06

in progress Frontiers Saga series. And, you know, for

1:35:08

what it's worth, I'm in complete agreement with

1:35:10

him about this being the best series

1:35:14

I've ever read. I'm at the start now nineteen of those

1:35:17

twenty four, so I have

1:35:19

six to go. And

1:35:21

having already made

1:35:23

this large investment in this series.

1:35:26

I'm delighted to learn in advance that it ends wonderfully. So

1:35:29

anyway,

1:35:30

one

1:35:30

last piece. Simon,

1:35:32

he

1:35:34

said, hi, Steve, persistence paid

1:35:37

off. I was able

1:35:39

to disable one time

1:35:41

code feature, he

1:35:43

has in quotes. He's talking about

1:35:45

PayPal. He said, you can call PayPal and

1:35:48

ask to

1:35:52

unconfirm your

1:35:52

phone number. It may impact

1:35:54

use of the PayPal app, but as long

1:35:56

as you do

1:35:59

not confirm

1:35:59

phone number, it will

1:36:02

not text security codes. So that's Wait a minute. Which

1:36:04

is less secure.

1:36:06

Having no two factor or

1:36:08

having SMS

1:36:11

two factor. Oh, no. No.

1:36:13

No. No. You could still -- Oh,

1:36:15

you still have authenticator. Or you

1:36:17

could -- Yes. -- be here. Oh,

1:36:19

Yes. Yes. Yes. No. I did that on Twitter too. You you had to have

1:36:21

SMS to enable 2FA on Twitter.

1:36:23

But once you'd

1:36:26

set up a key, or an authenticator, you could then disable it. So

1:36:28

you're saying you do the same on

1:36:30

PayPal? Yes. Although there is no UI for

1:36:32

doing Oh, interesting. Just You need to

1:36:34

con turn off You need to contact

1:36:36

them. Yeah. You have to contact them

1:36:38

and say, please unconfirm the phone number. And that makes sense. Right? because

1:36:40

you the phone number I don't have

1:36:42

with somebody else. Right. Right. Yeah. Anyway,

1:36:46

it was Simon who originally noticed and

1:36:49

communicated that it was always possible

1:36:51

to cause PayPal to send

1:36:53

an SMS code for account you know

1:36:55

slash password recovery. Yeah. However, I should note someone

1:36:57

else sent me a note and I'm I

1:37:00

apologize to

1:37:02

that person for let letting us slip letting his name slip.

1:37:04

But he sent me a

1:37:06

note that if if users

1:37:08

if users said set

1:37:10

up their own personal account

1:37:11

recovery recovery questions. You know, those

1:37:13

like, you know, who was your

1:37:16

favorite high

1:37:18

school teacher? and what was the name of your first dog or

1:37:20

whatever. If you set those

1:37:23

up, they cannot be

1:37:26

bypassed. So that's another solution.

1:37:28

Deliberately choose impossible to

1:37:30

guess no matter how well

1:37:32

someone knows you, account recovery

1:37:36

questions, and assuming that

1:37:38

that information is correctly provided,

1:37:40

then you'll be

1:37:42

safe from hijacking because nobody else will know what it was that that you up. It's

1:37:44

just more passwords

1:37:47

basically. Yeah. Yeah. Yeah. Okay.

1:37:51

Finally, I mentioned last week that I

1:37:54

that I thought SpinRite's

1:37:56

new AHCI driver

1:37:58

was not

1:37:59

working correctly. Leo

1:38:01

I was wrong about that. It

1:38:03

was working correctly. It was the location in my code where I was

1:38:07

taking the hash of

1:38:10

SpinRite's results that was causing a false positive detection. So I found

1:38:12

and fixed that and

1:38:14

made some other final improvements.

1:38:18

Then as planned, I up I I

1:38:21

updated GRC's server to get it

1:38:23

ready to manage all

1:38:26

subsequent downloads of the prerelease testing versions of

1:38:28

Spinrite that will be forthcoming.

1:38:30

That work is

1:38:31

finished and the server has

1:38:34

been restarted and is now standing

1:38:36

by to make SpinRite available.

1:38:38

I have one final feature to add, which came up

1:38:41

about ten

1:38:44

days ago. SpinRite six

1:38:46

one has four levels or degrees of its operation.

1:38:51

The first level never performs any writing

1:38:53

to a drive under any circumstances. It's strictly

1:38:56

read only. I'm

1:38:59

not sure why, but it always seemed like it

1:39:01

ought to offer that, so

1:39:03

it always has.

1:39:06

The second level is allowed to perform data recovery.

1:39:08

So it will selectively

1:39:10

rewrite only those regions

1:39:14

of the media that are in need of repair.

1:39:16

Level three goes further.

1:39:18

Since refreshing any drive's

1:39:21

data is generally

1:39:23

good for it, And

1:39:25

that's because latent and

1:39:27

evolving soft errors are completely hidden by all modern drives. Level

1:39:32

three always rewrites the drive's

1:39:34

data as it's moving through the drive. And level four

1:39:39

goes even further. writing in writing

1:39:41

inverted data, reading it back to verify it,

1:39:44

then rewriting

1:39:47

the original data. and reading it back

1:39:50

to make sure that it was written correctly. Okay. I mentioned this

1:39:53

because there

1:39:56

are three classes of drives that

1:39:58

I refer to as being write hostile

1:40:00

and should

1:40:03

only be used under SpinRite's

1:40:06

first two, read mostly levels. Those drives are

1:40:12

SSDs, whose media we

1:40:14

know is incrementally fatigued by writing to it.

1:40:16

Hybrid drives, which

1:40:19

incorporate an SSD, on

1:40:22

their front end to serve

1:40:25

as a nonvolatile cache

1:40:27

and SMR

1:40:28

drives. where

1:40:29

SMR stands for shingled magnetic

1:40:31

recording. Shingling,

1:40:33

exactly like

1:40:36

it sounds, refers

1:40:38

to the deliberate overlapping of

1:40:41

adjacent

1:40:41

tracks in order

1:40:44

to push track

1:40:46

density to insane levels. If you

1:40:49

picture a shingled roof, you cannot

1:40:51

change

1:40:51

an embedded shingle without pulling

1:40:54

up the

1:40:55

shingle above it. and

1:40:57

then the shingle above that one, and the shingle above that one and

1:40:59

so on. The same is true for

1:41:01

SMR drives, which makes writing

1:41:04

to them something

1:41:07

you wanna do as little as possible. As I

1:41:09

mentioned, this issue just came

1:41:12

up in SpinRite's news

1:41:14

Group discussion a couple of weeks

1:41:16

ago. Since I

1:41:17

want SpinRite to continue doing everything possible for its user, in this

1:41:19

case, warning them if

1:41:22

they are about to

1:41:24

perform a

1:41:26

level three or four scan on any drive, which should not be written to needlessly.

1:41:33

I need to

1:41:34

be able to detect that, but I didn't own any hybrid or SMR drives. So I

1:41:36

immediately tracked some

1:41:39

down on eBay and

1:41:42

those four drives have all arrived.

1:41:44

The last two just came in yesterday's mail.

1:41:46

So after today's podcast, I'll be adding detection

1:41:50

of those drive technologies to SpinRite

1:41:52

so that it can take

1:41:55

responsibility for warning its

1:41:57

users if they're about to do something

1:41:59

that they probably don't wanna do. And then with that little Leo with that last

1:42:01

bit of technology in place, as far

1:42:03

as I know, SpinRite

1:42:07

six one will be ready to start its

1:42:09

final stage of prerelease

1:42:12

testing. And as

1:42:14

for that, I'm absolutely certain there

1:42:16

are things I missed, things I just

1:42:18

can't see because I'm their author, but that's why we test. What

1:42:22

I am confident of is that at this point, so much testing has

1:42:24

already been done by far the

1:42:26

bulk of the work, that there

1:42:29

are no show

1:42:32

stoppers remaining it should be a matter of

1:42:34

cleaning up debris. So by next week's podcast, it will have been under test

1:42:36

for I'm hoping

1:42:38

that this is a Thanksgiving

1:42:41

present for our testers,

1:42:43

so I should have a good calibration on where we stand. Nice.

1:42:48

Incidentally, Project

1:42:51

Hale Mary is the book of the month

1:42:53

for Stacey's Book Club in January. If

1:42:55

you have read it or wanna read it,

1:42:57

that's a good book to read. And discussion.

1:42:59

We all read it and loved it. It was a great book.

1:43:01

And if you can listen to the audiobook,

1:43:03

there's some features the audiobook

1:43:05

has that the written

1:43:08

page cannot that makes it kind of fun

1:43:10

too. Anyway, it's good either way. Would you like to come back and talk about

1:43:14

Wi-Peep in just a bit? Alright. First,

1:43:17

a word from our

1:43:19

sponsor, SecureWorks. SecureWorks

1:43:23

is a leader You probably

1:43:26

I'm sure you know the name

1:43:28

in cyber security. They build solutions for security

1:43:30

experts, buy security experts, they offer superior threat

1:43:32

detection, and

1:43:34

rapid incident response all while making sure customers, and then you'll like this, are never locked into

1:43:39

a single vendor. SecureWorks

1:43:42

offers an open extended detection and response platform, Taegis XDR, extended detection

1:43:44

and response. It's now

1:43:47

time to get it.

1:43:49

If you've

1:43:51

been thinking about it, this is it.

1:43:53

This year cybercrime will cost

1:43:55

the world its

1:43:58

estimated seven trillion

1:43:59

dollars with a t

1:44:01

by twenty twenty five ten

1:44:03

point five trillion. Last

1:44:06

year, ransomware totaled twenty billion dollars

1:44:08

in damages that we know. Attacks

1:44:11

occurred every eleven seconds. It's estimated

1:44:13

ten years later, ransomware will

1:44:15

cost two hundred six fifty five billion dollars

1:44:17

a year and strike every two seconds. And I think that's

1:44:19

the optimistic. That's the optimistic

1:44:23

guess. Make sure your organization is not the next victim. You

1:44:25

don't wanna be in those stats. With

1:44:27

SecureWorks Taegis XDR.

1:44:31

SecureWorks Taegis, superior detection you need, identifying

1:44:33

more than get this four

1:44:35

hundred seventy billion security

1:44:39

events a day. A day. They've got

1:44:41

their they've got their feelings

1:44:43

out everywhere. They

1:44:46

prioritize true positive alerts. They eliminate all that alert

1:44:49

noise, which means you're gonna focus

1:44:51

on the real threats. But

1:44:53

it's important that you get that

1:44:55

intelligence right, that you know what's going on out there. In addition, Taegis

1:44:57

offers unmatched response with automated

1:44:59

response actions. And that

1:45:01

way, because they're automated,

1:45:04

you eliminate the threats before the

1:45:06

damage is ever done. Fast response is key in all of this. With SecureWorks'

1:45:08

Taegis managed XDR,

1:45:11

you can easily leverage those

1:45:13

great SecureWorks experts to investigate and respond to threats on your behalf.

1:45:15

This helps you cut dwell times,

1:45:18

decrease operational, burden, reduce cost,

1:45:23

And with Taegis and SecureWorks managed XDR,

1:45:25

you've got twenty four seven

1:45:27

by three hundred sixty

1:45:30

five day a year coverage.

1:45:32

What does that mean? Well, if you experience

1:45:34

a Christmas day security event or half your team is

1:45:36

out sick, you don't have to

1:45:39

worry. You can trust SecureWorks is

1:45:42

behind you. Of course, these days, everybody's suffering a lack of a dearth of security

1:45:44

talent. It's hard to

1:45:47

find those people. Right? Don't

1:45:50

worry SecureWorks acts as an extension of

1:45:52

your security team on day

1:45:55

alleviating cybersecurity talent gaps, which

1:45:58

means you, can customize the approach and the coverage

1:46:00

level you need and never

1:46:02

be caught. You know, I don't

1:46:04

wanna say with your pants down,

1:46:06

but You don't wanna be surprised. Let's put it that way. What

1:46:08

happens if you've already found an intruder in your system?

1:46:10

I want you to write this. Get a piece

1:46:14

of paper. Write this down. one eight hundred

1:46:16

breached. Even if you're not a customer,

1:46:18

one eight hundred breached that number connects

1:46:20

you with the

1:46:22

SecureWorks emergency incident response

1:46:25

They can provide you with immediate assistance any

1:46:27

time of the day or night, and they can respond to and remediate a

1:46:29

possible cyber incident

1:46:31

or data breach. one

1:46:34

eight hundred breach. Put it put it put

1:46:36

it in your in your wallet. Put it

1:46:38

on a Post-it note. At SecureWorks, you

1:46:40

can learn more about the ways today's threat

1:46:42

environment is evolving. the risks it presents to your organization. They've got

1:46:45

case studies. They've got reports from

1:46:47

their very very good counter

1:46:50

threat unit. and a whole lot more. Here's what you do right

1:46:52

now. SecureWorks dot com slash twit. Go there right

1:46:55

now, get a free trial of Taegis

1:46:57

XDR. No words I

1:46:59

can use to try Leo really give you

1:47:02

that full scope of what they do. It's kind of amazing. SecureWorks dot com

1:47:04

slash TWiT. Get

1:47:07

that free trial. SecureWorks. defending

1:47:10

every corner of cyberspace secureworks dot com slash

1:47:13

TWiT.

1:47:15

Thank

1:47:17

you, SecureWorks, for supporting everything we do

1:47:19

here at Security Now. Now, whatever it is,

1:47:21

I wanna know what

1:47:23

is Wi-Peep. Little

1:47:26

-- Okay. -- peep.

1:47:28

Little white peep. So

1:47:30

imagine a technology that

1:47:32

allows someone walking past a

1:47:35

multistory building or a drone flyby to accurately

1:47:37

locate and pinpoint within

1:47:39

that building or any

1:47:41

other similar space closed

1:47:44

or open. with

1:47:46

a positional accuracy of about

1:47:48

a meter, the location of every

1:47:50

WiFi device, such as security cameras,

1:47:54

and locks and switches, and

1:47:56

anything else on WiFi. That capability,

1:47:58

which, you know, jumps off

1:48:00

the pages of science fiction movie

1:48:03

scripts is not only here now,

1:48:05

but it costs about twenty

1:48:07

dollars. The two researchers who

1:48:09

figured out how to make

1:48:11

this WiFi mapping technology real, named at

1:48:14

They presented their research during the recent ACM

1:48:18

MobiCom twenty two,

1:48:20

which was held last month

1:48:22

in October in Sydney, Australia. Here's

1:48:25

how they describe what

1:48:27

they accomplished. They said, we present

1:48:30

Wi-Peep, a new location revealing privacy

1:48:32

attack on

1:48:35

non cooperative Wi Fi

1:48:37

devices. Wi-Peep exploits

1:48:40

loopholes in the 802

1:48:43

dot eleven to elicit responses from WiFi

1:48:45

devices on a network that we do

1:48:48

not have

1:48:51

access to. It then uses a novel time of

1:48:53

flight measurement scheme to locate

1:48:55

these devices. Wi-Peep

1:48:58

works without any hardware or

1:49:01

software modifications on target devices and without requiring access

1:49:03

to the physical space that

1:49:07

they're deployed within. Therefore,

1:49:09

a

1:49:09

pedestrian or a drone that carries a Wi-Peep

1:49:12

device can

1:49:15

estimate the location of

1:49:18

every WiFi device in a building. Our Wi-Peep design costs twenty dollars

1:49:20

and

1:49:21

weighs less

1:49:23

than ten grams. We

1:49:26

deploy it on a lightweight drone and

1:49:28

show that a drone flying over

1:49:30

a house can estimate the

1:49:33

location of WiFi devices

1:49:35

across multiple floors to meter level

1:49:37

accuracy. Finally, we investigate different

1:49:40

mitigation techniques to

1:49:42

secure future WiFi devices

1:49:44

against such

1:49:46

attacks. Okay. So, you know, this this

1:49:49

has never been

1:49:52

done before. that

1:49:54

the key components here are the the non cooperative nature and the

1:49:57

fact that this

1:49:59

that this

1:50:01

is from this is

1:50:03

being done by a probe which

1:50:06

is not on the WiFi network.

1:50:08

So so they set

1:50:10

this up and and

1:50:12

frame the problem explaining

1:50:14

the problems they encountered and

1:50:16

how each such problem was

1:50:19

solved. They they said, we live in an era of WiFi connected

1:50:22

TVs, refrigerator, security cameras,

1:50:26

and smart sensors. We carry

1:50:28

personal devices like smartwatches,

1:50:30

smartphones, tablets, and laptops. Due

1:50:32

to the deep penetration, of

1:50:35

WiFi devices into our lives.

1:50:37

Location privacy of these

1:50:40

devices is an important and

1:50:42

challenging objective. Imagine a drone that flies over your home

1:50:45

and detects the location of all

1:50:47

your WiFi devices. It could

1:50:49

infer the location of

1:50:52

home occupants. security cameras,

1:50:54

and even home intrusion sensors. A burglar could use this information to

1:50:59

locate valuable items like laptops

1:51:01

and identify ideal opportunities when people are either not at

1:51:03

home or away from

1:51:06

a specific area. For

1:51:08

example, everyone is

1:51:10

in the basement by tracking

1:51:13

their smartphones or smartwatches. The

1:51:15

promise of pervasive connectivity has

1:51:18

been to merge our physical

1:51:20

and digital worlds, but the leakage

1:51:22

of such location information brings arguably

1:51:26

the worst aspect of the digital

1:51:28

world pervasive tracking into

1:51:30

the

1:51:30

physical world. In

1:51:33

this paper, we show that

1:51:35

there are fundamental aspects of the WiFi

1:51:37

IEEE 802

1:51:39

dot eleven protocol that

1:51:41

leak such location information to a potential attacker. We

1:51:44

demonstrate that it

1:51:46

is possible to reveal accurate

1:51:50

location of all WiFi devices in an indoor environment,

1:51:56

a, noncooperatively, without

1:51:59

any coordination with WiFi devices

1:52:01

or the access

1:52:03

points.

1:52:03

b, instantaneously,

1:52:04

without

1:52:06

waiting for devices to organically transmit

1:52:09

packets and c,

1:52:12

surreptitiously. Without any

1:52:15

complex infrastructure, deployment in the in the surrounding. Our goal

1:52:17

is to expose the security

1:52:19

and privacy vulnerabilities of

1:52:23

the 802 dot eleven WiFi protocol by

1:52:25

demonstrating a first of

1:52:27

its kind non

1:52:31

cooperative localization capability. We hope that

1:52:34

our work will inform the design of next generation

1:52:36

protocols.

1:52:39

So they said, we note that there has been much past

1:52:42

work in WiFi based positioning.

1:52:44

However, such

1:52:45

past work does

1:52:48

not enable non cooperative,

1:52:50

surreptitious localization of WiFi devices. First,

1:52:53

most

1:52:54

of this work relies

1:52:56

on cooperation from end devices. For example,

1:52:58

the client needs to switch channels or

1:53:01

physically move or share

1:53:03

inertial sensor data.

1:53:06

Second, state of the

1:53:08

art techniques such as

1:53:10

ArrayTrack rely on antenna arrays

1:53:13

with multiple antennas that

1:53:15

are typically bulky and cannot be easily

1:53:17

carried by a person or a small drone. Deploying multiple such

1:53:19

antenna arrays near

1:53:23

a target building makes the attack less

1:53:25

practical and easier to detect. And I don't know if they said, but way more expensive,

1:53:28

obviously. Third,

1:53:32

RSSI based, and remember that's

1:53:34

received signal strength indicator, RSSI based

1:53:37

techniques rely

1:53:40

on fingerprinting or trained models

1:53:42

that require physical access to the target space. Finally, most

1:53:44

of these needed

1:53:47

most of these need

1:53:49

client devices to continuously transmit WiFi packets or

1:53:51

share their received WiFi

1:53:54

packets by installing an

1:53:56

application. an

1:53:59

access we cannot assume for

1:54:01

such privacy revealing

1:54:03

mechanisms. So they say

1:54:05

we present Wi-Peep,

1:54:07

a system that

1:54:07

is quick, accurate, and performs

1:54:10

non cooperative localization.

1:54:13

It does not require

1:54:15

any access to devices or the network access points.

1:54:18

It does not even need the

1:54:20

attacker to

1:54:23

connect to the same WiFi network. In our attack,

1:54:25

the attacker, a lightweight drone, or

1:54:27

a pedestrian, passes

1:54:30

by the house. carrying a small Wi Fi capable device

1:54:32

and estimates the location of

1:54:34

all Wi Fi devices in

1:54:38

the target environment. We exploit the design of the

1:54:40

802 dot eleven protocol

1:54:42

to first generate WiFi traffic

1:54:46

from non cooperative clients.

1:54:49

Then use a novel time

1:54:51

of flight based technique to locate these devices. Wi-Peep solves the

1:54:56

following challenges. Okay? The

1:54:58

first challenge, generate WiFi traffic without cooperation. They

1:55:02

explain, we must, a,

1:55:04

we must a Identify

1:55:06

all devices in the

1:55:09

network quickly at the start of

1:55:11

the attack. And b, generate

1:55:14

WiFi traffic continuously from such devices to perform location

1:55:20

estimation. A simple solution to

1:55:22

identifying devices is to passively wait for WiFi devices

1:55:25

to transmit

1:55:28

a packet. This approach is problematic

1:55:30

because it requires the attacker to linger around for a long

1:55:35

time. Instead, we

1:55:36

exploit the 802 dot

1:55:38

eleven power saving mechanism, which is available in all

1:55:41

802 dot

1:55:43

eleven standards from eleven a

1:55:46

and b up through eleven

1:55:49

ax. By injecting

1:55:51

a fake beacon Imitating the

1:55:54

access point that tells all connected Wi Fi devices to

1:55:57

contact the

1:56:00

access point to receive

1:56:02

buffered packets. This beacon elicits a response from

1:56:04

all devices on the

1:56:07

target Wi Fi network. Once

1:56:11

we've identified all devices, we use

1:56:13

targeted packets to each of

1:56:15

these devices. To

1:56:18

perform Time of flight measurements on these

1:56:20

devices, the attacker requires

1:56:22

exchanging packets directly with

1:56:25

target devices. Therefore, natural traffic from

1:56:27

a target device cannot be

1:56:30

used. Recent work has

1:56:32

shown that 802

1:56:35

dot eleven devices always respond to

1:56:38

packets with an ack, even when the packets emerge outside

1:56:40

the WiFi network

1:56:43

and are unencrypted, or

1:56:47

incorrectly encrypted. We

1:56:49

use this flaw to

1:56:52

perform time of flight

1:56:54

measurements to any target. The challenge

1:56:56

in using WiFi is that WiFi devices are in

1:56:58

the sleep mode most of the time

1:57:01

and their radios

1:57:04

turned off. We have designed a technique

1:57:06

that allows an attacker to keep the radio of target devices on

1:57:08

during the attack so

1:57:10

that they keep sending acks.

1:57:14

Okay. So basically, what

1:57:16

these guys did was

1:57:18

was to recognize there was

1:57:20

a way to to

1:57:23

to to after learning about the beacon in a

1:57:25

in a residence or

1:57:27

a corporate facility

1:57:30

or wherever, to simulate a broadcast from

1:57:32

the beacon, which will induce

1:57:35

all WiFi devices to

1:57:37

respond. when they respond, they're gonna

1:57:40

get each device's MAC address.

1:57:42

That then allows them to

1:57:45

individually target those devices selectively.

1:57:48

And in real time, you know

1:57:50

so basically, they they they

1:57:53

get an instant inventory and

1:57:55

then they switch into an active tracking

1:57:57

mode where they are their

1:57:59

their spewing out

1:58:02

packets, measuring round trip

1:58:04

time, what they what they which

1:58:06

they call time of flight in order to determine their instantaneous distance

1:58:10

they are away from

1:58:13

each of the devices. And

1:58:16

of course, as they move, all

1:58:17

of those various vectors are changing length

1:58:20

and by changing

1:58:23

their path, they're able to infer where

1:58:25

the device must be in

1:58:27

order for its vector to

1:58:29

have changed as it did

1:58:32

over time. So then they

1:58:34

explain the second problem they had was localization

1:58:36

in the

1:58:39

face of noisy what

1:58:42

they call SIFS, which is short for short interframe

1:58:44

space. So they explain in

1:58:46

802 dot eleven, acks

1:58:51

are sent at a fixed interval

1:58:53

after receiving a data

1:58:55

packet. This interval

1:58:58

is called short interframe space or

1:59:00

SIFS, as illustrated in the figure

1:59:02

that they have in their notes.

1:59:05

They said, Wi-Peep measures the round trip time between

1:59:07

a packet transmission and an ack

1:59:12

reception and subtracts the

1:59:14

SIFS. This allows Wi-Peep to estimate the time of flight

1:59:16

and hence the distance between

1:59:18

the attacker and the target device.

1:59:22

Unfortunately, our experience our

1:59:25

experiments reveal that even

1:59:27

though the WiFi

1:59:31

protocol mandates SIFS to be ten microseconds, in practice,

1:59:33

this delay can vary

1:59:36

from eight to

1:59:38

thirteen microseconds. Such errors can

1:59:42

randomize the location estimation process. We build a new algorithm

1:59:44

to correct for such

1:59:46

variations in time of flight

1:59:52

estimates. And finally, dealing

1:59:54

with multi path effects.

1:59:56

They explained that the

1:59:59

time of

1:59:59

flight measurements are error prone because

2:00:01

multiple copies of a signal arrive at

2:00:04

the receiver

2:00:07

from multiple paths. you know, reflection

2:00:09

of signals within an environment. They said the strongest path may not

2:00:12

necessarily be

2:00:15

the direct path. Since the

2:00:17

attacker is far away and obstructed from the target, this problem is

2:00:19

further exacerbated. Indeed,

2:00:23

our measurements reveal that

2:00:26

Wi-Peep's individual time of flight measurements are error prone for this reason.

2:00:28

To counter this

2:00:31

challenge, we take

2:00:32

what

2:00:35

they call the wisdom of the crowd approach.

2:00:37

Even though each measurement

2:00:39

is noisy, Wi-Peep

2:00:41

involves quick packet ack

2:00:44

sequences at the millisecond level. So

2:00:46

they're doing, you know, thousands per

2:00:50

second. Therefore, we can collect hundreds of

2:00:52

measurements as the attacker flies

2:00:54

by or walks by the

2:00:58

target. we exploit the spatial diversity

2:01:00

of these measurements to get an

2:01:02

accurate position estimation of our targets. So

2:01:05

though you

2:01:06

know, that's a brilliant and completely workable

2:01:08

solution. Individual measurements are noisy,

2:01:11

but the truth can be

2:01:13

found by sorting through thousands

2:01:15

of measurements made over time from different positions.

2:01:18

And then they talk about their implementation. They

2:01:20

said, we've

2:01:23

implemented our design on an

2:01:26

ultralight DJI mini

2:01:30

two drone. You probably have one Leo off

2:01:33

the shelf. Well, I have them

2:01:35

in three, but okay. Actually, it's

2:01:37

something I can finally Leo can

2:01:39

do with Yeah. Yeah. There's a picture in there

2:01:41

of paper, but it's kinda cool. Yeah. Yeah. It's neat. Yeah.

2:01:44

Sort of like stuck

2:01:46

on the front of Yeah. I don't know how willing to fly with that on there,

2:01:48

but I guess it's not too heavy.

2:01:50

They managed to do it. Yeah. Anyway,

2:01:54

they said using off the shelf, ESP thirty two,

2:01:56

and ESP eighty two sixty

2:01:58

six Wi Fi modules. Our

2:02:01

hardware weighs ten grams and cost less than

2:02:03

twenty dollars. It could be deployed on

2:02:06

lightweight drones or carried by a

2:02:08

person. Our evaluations in

2:02:11

a real environment shows that

2:02:14

YPIP finds the location of target devices in an 802 dot eleven ax Wi

2:02:19

Fi six network on three

2:02:21

different three different floors of a house with

2:02:23

a median error of

2:02:26

one point two meters in

2:02:30

around two minutes. The contributions of this paper are.

2:02:33

We present a

2:02:36

new way for

2:02:38

802 dot eleven protocol

2:02:40

features to perform time of flight based

2:02:42

positioning of WiFi devices without having any control

2:02:46

over target devices.

2:02:48

We find that many devices

2:02:50

deviate from the standard time

2:02:53

for SIFS which creates a challenge for

2:02:56

localization. We design a localization

2:02:58

technique that finds a target

2:03:00

device without knowing the exact

2:03:03

SFSIFS used by the device. We present

2:03:05

a solution for future

2:03:07

WiFi chipsets that

2:03:11

allows authenticated devices to perform

2:03:14

localization while disabling non cooperative attacks.

2:03:19

though So Consider these facts,

2:03:21

which they then enumerate.

2:03:24

The WiPeep

2:03:28

peep attacks Work with any WiFi device

2:03:30

without instrumentation, in other words, without any application or firmware

2:03:35

level changes. It does not need physical access to the enclosed

2:03:37

physical space and does not

2:03:39

need to break the

2:03:42

encryption of the WiFi network.

2:03:44

Once the target MAC addresses

2:03:46

obtained, the target device doesn't even be connected to WiFi. Due

2:03:51

to the ease of attack, why Peep has many privacy

2:03:54

and security limitations they write.

2:03:57

We list some examples some example implications

2:04:00

below. In these scenarios, we

2:04:02

assume that it is common

2:04:04

for a person to carry

2:04:06

a WiFi capable device such as a smartphone or a smartwatch.

2:04:09

Also note that the type

2:04:11

of device, iPhone versus

2:04:14

smart sensors can be identified through various

2:04:16

means like the vendor specific

2:04:18

information in the MAC address.

2:04:22

Okay. So and

2:04:24

they give us four examples.

2:04:26

One one impacting security. An

2:04:29

attacker contract the location of

2:04:31

security guards inside sensitive buildings. For example, banks if

2:04:34

they carry a smartphone

2:04:37

or a smartwatch and notice that this

2:04:39

is real time. So moving targets are fine. They

2:04:44

will get time feedback as

2:04:46

things move within the area that they're surveilling. A privacy

2:04:51

implication, an eavesdropper, can fly

2:04:53

a drone over a hotel to find the number and types of

2:04:56

rooms currently

2:05:00

occupied. This could be done by

2:05:02

a rival hotel trying to find detailed information of how target business is

2:05:07

performing. that belong to a room such

2:05:09

as smart TVs can be filtered

2:05:12

based on

2:05:14

Mac addresses. If other devices such as tablets and

2:05:16

laptops are found in a room,

2:05:18

it can be considered occupied, and this

2:05:20

could be done in the middle of

2:05:23

the night when most guests are in

2:05:25

their rooms, or a privacy security implication. If the

2:05:27

MAC address of a device that belongs

2:05:29

to a person of

2:05:31

interest is known, White

2:05:33

Peep contract that person individually in a crowd -- Oh,

2:05:35

excuse me. -- or

2:05:39

inside a building, like

2:05:42

a shopping center or an airport, even

2:05:45

when their device is

2:05:47

not connected to any

2:05:50

WiFi network. So this is so you could tail

2:05:52

somebody with one of these in

2:05:54

your pocket. Yep. That's interesting. Yeah.

2:05:58

Security, why could be used by burglars

2:06:00

to find out the occupancy

2:06:02

status of specific parts of a

2:06:04

building. For example, the burglar

2:06:06

can find out all the people are

2:06:08

on the second floor and the basement

2:06:10

is empty. White peep can also be used for positive use cases.

2:06:12

And I like

2:06:15

this, for example, In a hostage situation,

2:06:17

the police can fly a drone over the building

2:06:19

to find out where

2:06:22

the hostages are kept because

2:06:25

many hostages might have smart devices on them, and they

2:06:27

would be collected together in a

2:06:29

dense group and

2:06:32

not moving. TWiT might also

2:06:34

be possible to track the attackers as well. Okay. Then, anyway, through the balance of their paper,

2:06:37

which

2:06:40

is lengthy, they proceed to

2:06:42

deal with every aspect of their system and present its solution.

2:06:45

So

2:06:47

my point is, The method

2:06:49

to do this today is now in the public domain. So

2:06:51

anyone who wants to do it and

2:06:53

has the skill set to

2:06:55

replicate their work can.

2:06:58

You know,

2:06:59

I could do that.

2:07:00

Many of our listeners could do that.

2:07:02

And I would not be surprised if

2:07:05

we didn't eventually see an off the

2:07:07

shelf turnkey white peep mapping

2:07:10

system that would allow

2:07:12

anyone with only a few

2:07:14

dollars to spare, to obtain this potentially

2:07:16

powerful remote Wi Fi

2:07:18

mapping capability, very much the

2:07:21

way script kitties are using scripts

2:07:23

that they were unable to write.

2:07:25

Until now, we've had a

2:07:27

general sense that the

2:07:29

goings on inside our

2:07:31

homes and offices were at least moderately private.

2:07:33

The idea that someone standing outside in the

2:07:36

middle of

2:07:38

the night could first take a complete inventory of

2:07:41

all WiFi devices within

2:07:43

the area. Noncooperatively, without

2:07:46

connecting to or knowing our

2:07:49

network's password and then

2:07:51

determine the approximate location

2:07:53

of every one of those

2:07:55

devices whether they're upstairs or downstairs, and generally wear,

2:07:57

might not be unsettling to

2:07:59

some people. But there

2:08:02

are likely

2:08:02

some situations and installations

2:08:05

where having such knowledge in

2:08:07

real time could be very valuable to the wrong of people.

2:08:12

The authors

2:08:12

spend some time

2:08:14

near the end of their paper

2:08:16

talking about possible future mitigations. And the

2:08:19

overall outlook there is bleak. Leo

2:08:21

bad news is that since this is a hardware level attack with

2:08:23

all which only

2:08:28

leverages standard WiFi features,

2:08:30

which are implemented in the core WiFi silicon, nothing can

2:08:33

be done in

2:08:35

firmware or software.

2:08:38

all WiFi chips today

2:08:41

will and do respond

2:08:43

to the probe request

2:08:46

packet sent during the use of this technology.

2:08:48

It will take a

2:08:51

future generation of WiFi

2:08:53

chips to deliberately break the

2:08:55

WiFi specification or the spec to

2:08:57

be updated in order to sanction

2:08:59

this by not replying

2:09:02

within a microsecond or

2:09:04

two but by

2:09:06

deliberately randomizing whoa. Excuse me. Deliberately

2:09:08

randomizing

2:09:10

Leo short

2:09:13

interframe space interval,

2:09:15

so that time of

2:09:17

flight information cannot readily

2:09:20

be determined. doing

2:09:22

that will allow WiFi to work while still making location impossible. So

2:09:29

Anyway, that is why Apple randomizes

2:09:31

Mac addresses on its iPhones though. I wonder if that is effective as

2:09:36

a countermeasure. Actually, that's different

2:09:38

than this. This doesn't need MAC addresses. But if you were if I were following you around,

2:09:40

I would need your MAC

2:09:42

address to know it's you. I'm

2:09:46

not saying about the mapping feature. That is true. Yes. Yes. Yes. That is true. addresses

2:09:51

as we know are fixed when

2:09:53

when when the phone is attached to a network -- Right. -- they're they're only

2:09:55

randomized when it's not when it

2:09:58

hasn't joined the network. Once it

2:10:00

has, then

2:10:02

then it uses its actual MAC address. But

2:10:04

you're right. Following you around

2:10:07

the MAC address, I

2:10:10

forgot exactly what the algorithm means. I think they change it every fifteen

2:10:13

minutes. But Yeah.

2:10:15

And I wonder if, you

2:10:17

know, since you know it's

2:10:19

him for fifteen minutes, and then the

2:10:21

MAC address changes. There might be some way to say, ah, yeah. That's he's just

2:10:23

changed his MAC address. I don't know. Not

2:10:25

in the not in the

2:10:28

crowd. Not accrued. You would be

2:10:30

you yeah. Because you would be getting you you would be so first of you be

2:10:33

you'd be

2:10:36

only pinging that. And

2:10:38

then suddenly, there would be no reply. Yeah. Yeah. So if you then go dead and and you You would have

2:10:41

lost it by

2:10:44

that. Right. Yeah. You have to

2:10:46

go back into broadcast mode -- Right. -- in order to get replies from everybody in the neighborhood. I'm less concerned

2:10:49

about somebody mapping

2:10:52

my house. I knew

2:10:54

you wouldn't be from WiFi access points, but the tracking thing is concerning. I think others

2:10:58

I think there's Android

2:11:01

funds that also randomize macros. Well, remember that it's listed.

2:11:03

It's not the it's not the WiFi access point that they're locating. It's

2:11:05

all your security cameras.

2:11:07

Right. Right. And WiFi.

2:11:11

Right. Anything anything WiFi. Yeah.

2:11:13

Yeah. Yeah. Again, less worried

2:11:16

about that.