Security Now 947, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

00:00 - Leo Laporte (Host)
It's time for security now. Steve Gibson is here coming up Lots to talk about. Microsoft has some more flaws in exchange server. This time they say, yeah, we're not gonna fix it. Well, maybe they ought to. We'll also talk about an attack on our favorite hardware store. Oh, no, an update on Citrix Bleed. And then Steve's going to talk about something I hadn't heard anything about. But it's a real grab from the EU that will really destroy Internet security. What is section 45? Stay tuned. Security Now is next. Podcasts you love.

00:41 - Steve Gibson (Host)
From people you trust.

00:43 - Leo Laporte (Host)
This is Twitter. This is Security Now with Steve Gibson, episode 947. Recorded Tuesday, november 7th 2023. Article 45. This episode of Security Now is brought to you by Lookout. Whether on a device or in the cloud, your business data is always on the move. Minimize risk, increase visibility and ensure compliance with Lookout's unified platform. Visit lookoutcom today and by Thinks. Canary. Canary tokens are a quick, painless way to help defenders discover they've been breached by having attackers announce themselves For 10% off and a 60-day money-back guarantee. Go to canarytoolstwit and enter the code twit in the how Did you Hear About us box, and by Melissa, the global leader in contact data quality. Bad data is bad business. Make sure your customer contact data is up to date this holiday season. Get started today with 1000 records cleaned for free at Melissacom. Slash Twits. It's time for Security Now the show. We cover the latest news in the world of security, safety and good vibes online with this guy right here, steve Gibson of the government.

02:08
What did we decide? Grc stands for Government regulation.

02:13 - Steve Gibson (Host)
Actually, one of our listeners knew it's French for the. It's the French version of the RCMP, canada's Royal Canadian Mounted Police, and we'll be getting to that later in the podcast. Okay, but first. Yes, but first this.

02:32
This today's podcast has the mysterious title Article 45. What is Article 45 and why do we care? Well, we're gonna explain that and it's like big, a big deal. But first we learn where Microsoft was storing their Azure keys. Oh, no, also, oh, it's as bad as we thought. What four new zero day flaws has Microsoft declined to repair? And what's probably gonna happen next?

03:06
What's this week's latest mass casualty event for publicly exposed internet servers? And do we have any news on last week's Citrix bleed fiasco? What comes after CVSS version 3.1 and why? What happened to Google's Web DRM proposal? And what about the earlier Cisco iOS XE mass casualty mess? Oh, and what's the latest security now podcast slogan to emerge from that event? We've got a new slogan for security now. Our favorite password manager has just announced their support for pass keys. Now what that guy from last week or no actually was several weeks ago with the badly messed up SSD shared the results of using spinrite 6.1 on it. So I'll share what he reported and explain that. And then, of course, after entertaining some great feedback from our listeners, we're going to look into the next big looming battle between conservative tech and rapacious governments. All that and more during this week's security now. Podcast 947, titled article 45.

04:31 - Leo Laporte (Host)
All right, you're not getting political on us, are you?

04:34 - Steve Gibson (Host)
And no, no, never that. But we do have a wonderful picture of the week which begs the question to park or not to park?

04:46 - Leo Laporte (Host)
Yeah, we will get to that in a moment, but first a word from our sponsor, look out. You probably realize this. All you have to do is go downtown in any major city and you'll know it. Business has changed forever. Boundaries to where we work or even how we work have completely disappeared. That means your data is always on the move, whether on a device, in the cloud, across networks or at the local coffee shop. And while you know that's great for the workforce we love that it can be a little bit of a challenge for it.

05:19
Security Look out helps you control your data and free your workforce. Would look out, you'll gain complete visibility into all your data, so you can minimize risk from external and internal threats, plus ensure compliance by seamlessly securing hybrid work. Your organization doesn't have to sacrifice productivity for security, and look out makes it security a lot simpler. Working with multiple point solutions and legacy tools in today's environment that's just a recipe for disaster, but look out solves it. With its simplified, unified platform, look out reduces it complexity, which gives you and your team more time to focus on whatever else is coming your way Good data protection. It doesn't have to be a cage. It can be a springboard, letting you and your organization bound toward the future of your making.

06:11
Visit Look outcom today. Learn how to safeguard data, secure hybrid work and reduce it complexity. Look outcom, and we thank them so much for supporting security. Now I'm ready to domain to have look outcom. Look out, look out, look out, it's a good name. This is a great picture. And look, I could see somebody's thumb in it, so it's obviously from a listener.

06:39 - Steve Gibson (Host)
Yes, Yep, yep, they saw this and said okay, this we got to send this to Steve. So so, for those who are not looking at video or don't have the show notes yet, our picture of the week is a, you know, a municipal sign that is trying to control the parking in this area, and it's two signs stacked on top of each other. The first one is, you know, the one. Everyone is always seen right. No parking anytime, it says, and then there's a red arrow pointing to the left, meaning, you know, obviously left word of the sign, no parking anytime. And then the second sign, the one below it, this one in green, because it's got better news, although it ends up being a little confusing. This sign says 60 men parking. You know, minutes parking all other times.

07:38 - Leo Laporte (Host)
What so that's mean? Wait what Wait? It's not completely inconsistent. I mean basically no other time.

07:48 - Steve Gibson (Host)
That is true. So, you know, if you were to park for less than an hour, probably at any time, you'd be still. Since the first sign says no parking anytime, You'd have a hard time arguing with the judge. Hey, I was following the second sign which said 60 minute parking. All other time the judges say yes, but it said no parking anytime.

08:13 - Leo Laporte (Host)
Basically it's in the benefit of the meter made. They get to choose.

08:18 - Steve Gibson (Host)
And you know, leo, I was thinking about this. This is this sort of explains how corporations screw up. Right, because you know, here we are in a government which is, you know, an organization. Some poor guy was told you know, put up this 60 minute parking sign, you know, underneath the no parking, anytime sign, and he's looking at it, the guy actually on the ground, as we say now, you know, feet on the ground. He's there thinking, okay, this is the most screwed up thing I've ever, you know, seen, but on the other hand, he works for the municipality, so it's probably not the most screwed up thing he's ever seen. It's probably typical. Okay, I'm just going to put it up and.

09:01
I'll ask any questions. I did my job here anyway. Yes, we are enjoying these pictures. Thank you, listeners.

09:08
Okay, so last Thursday, microsoft posted I love this too under the headline announcing Microsoft secure future initiative. You know there was some drumroll and some horns blowing in the background to advance security engineering. So, okay, they've got there. They're announcing their secure future initiative to advance this. You know the state of the art in security engineering and this was written by Charlie Bell, the executive VP of Microsoft security, so he opened this posting. With his introduction he said today, microsoft's vice chair and president, brad Smith, shared insight.

09:53
Because that's what you want, you know you want from your VP and your president. You want some insight on the global cybersecurity landscape and introduced our secure future initiative. These engineering advances anticipate they're anticipating, leo. They're not, you know, reactive. They're going to get there ahead of time future cyber threats, such as increasing digital attacks on identity systems. They also address how we will continue to secure security foundations necessary for the AI era and beyond. In the spirit of transparency and to emphasize the importance of this moment, we are sharing the internal email sent earlier about our secure future initiative strategy and objectives. So, wow, you know we're getting a peek inside under the covers if you would.

10:50
So I have the link to the entire piece in the show notes for anyone who is interested. Mostly, I have to say it's a marketing piece. You know, blah, blah, blah. We're leading the way toward a more secure future, improving the lives of our customers in the face of rapidly growing cyber threats. Blah, blah, blah. And I normally wouldn't have given this a second thought, nor even be mentioning it here, except about 20, I did read it. You know I drag well, that's how I know that I could accurately summarize it with you know, as I just did. But about 80% of the way down, something appeared that did seem worth sharing. They wrote, as part of their secure future initiative, where they're going to get ahead of the bad guys and they're anticipating future cyber threats. They said, to stay ahead of bad actors, we are moving identity signing keys to an integrated hardened Azure HSM. You know, a hardware security module and confidential computing infrastructure. In this architecture, signing keys are not only encrypted at rest and in transit, but also during computational processes as well. What a concept. Key rotation will also be automated, allowing high frequency key replacement with no potential for human access whatsoever. Okay, so, in short, microsoft will be leading the way into a secure future. That's capital S, capital F, by working to catch up with what everyone else who cares about security has been doing all along for many years already.

12:51
As I observed a couple months ago, the only possible way they could have lost control of that private signing key during a system crash and the subsequent RAM snapshot that it took was if that private key was in RAM at the time of the crash, and the only way it could ever have been in RAM was if signing was being done outside of an HSM. Now we learn. Indeed it was because, wow, they're going to move to the future, leo, they're going to lead the way by. You know, I mean, I have them on my various computers, but okay, during last week's Citrix Bleed podcast, we examined, as we know, a crisp and clear example of a bug which allowed for the exfiltration of RAM, and, as it happened that RAM contained active and valid authentication tokens, we don't know whether they needed to be lying around in RAM. It's quite possible that they did need to be there in order to remain valid, but it's also very common to make the mistake of leaving sensitive information lying around even after it's no longer serving a purpose.

14:09
The problem is that our current programming languages are still not secure by default or design, so they must be made. So making our systems secure while using these insecure by default languages is a deliberate act. It must be a deliberate act and I also noted last week that while I was coding the Squirrel client, I was in a more or less constant state of terror that I was going to make a mistake, and I would submit that that's the state you want your coders of secure systems to be in. You know they should not just be distracted and worrying about when it's lunchtime. They should be terrified about the code that they're writing. So you know, a great and useful concept and phrase is the notion of multi-layer security.

15:09
The idea is that there is no single point of failure that would result in a security compromise. In order for security to be compromised, many things would need to go wrong all at once. In the case of this Citrix bleed that we talked about last week, if the system's RAM could have been swept clean of valid tokens and we don't know whether or not that would have been feasible, but if it could have been, then even in the face of that very clear and clean coding error, valid tokens would not have been available for exfiltration. In other words, you know, wipe RAM, not because you know you need to, but because doing so would add an additional layer of security. And additional layers of security, as long as they don't get in the way, are never a bad thing for a secure system to have.

16:07
So back to Microsoft's case. In that almost hard to believe case of Microsoft's loss of their private signing key, they explained that they did indeed already have multiple layers of security in place I think it was like five of them yet in a bizarre and quite unlikely seeming chain of failures where it was necessary for every one of these layers to fail, every single one of them was actually needed. Yet you know, they all collapsed at once. If they had had one additional layer of using a hardware security module in their system you know which now they're boasting about doing then none of those high value government email accounts would have been breached as a result of the failure of every other layer of security. So our takeaway here is it is truly not possible to have too many layers of security. You never know which one of those layers will be the layer that stops the bad guys, and you know I've often talked about it. Well, actually I will a little bit here, a little bit later.

17:32
The asymmetric challenge that security faces, because secure systems cannot afford to make a single mistake because any opening allows the bad guys in, whereas the bad guys all they have to do is find one Well, that's offset. That asymmetry is offset if you're able to layer your security, if you can design the system to be multi-layered. In that case you could have some mistakes and the bad guy still can't get in. Okay, unfortunately, not all mistakes can be qualified as mistakes.

18:16
Last Friday, the day following Microsoft's big Secure Future initiative to advance security engineering announcement that I just talked about, we learned from Bleeping Computer that trended. Microsoft's zero-day initiative had informed Microsoft back on September 7th and 8th of four new zero-day vulnerabilities they had discovered in Exchange Server, one of which allowed for remote code execution. Microsoft acknowledged the reports but decided that the flaws were not severe enough to warrant immediate attention and decided to put off the fixes until some later, unspecified date. In other words, thank you, now go away. And ZDI strongly disagreed with this response. They decided to publish the rough descriptions, and actually the rough locations of the four vulnerabilities under their own tracking IDs, in order to at least warn Exchange admins about the security risks, even though, unfortunately, there's not much for Exchange admins to do about them at this point, except to worry more than they already are Now.

19:29
If something about this overall scenario seems familiar, where security researchers inform Microsoft of flaws that they have found somewhere which they believe are important and, after presumably examining those reports, microsoft decides that the problem is not worthy of their attention, you would be correct. We've been right here before, and if history continues to repeat itself, we also know what lies ahead. Microsoft will leave this unpatched. Some bad guy somewhere will pick up on the possibility of an outstanding unpatched remote code execution vulnerability in Exchange server and they will go hunting. Sometime later, exchange servers will start being compromised in some mysterious new way that no one ever saw before, except that whoops. Trend Micro and Microsoft both saw it in September of 2023, and one of the two of them who could have done something to prevent it chose not to. Like I said, we've seen this whole thing play out before and it's a shame.

20:35
So ZDI 231578, that's their own tracking terminology, they said is a remote code execution flaw in the chained serialization binder class where user data isn't adequately validated. This allows attackers to deserialize untrusted data. Successful exploitation enables an attacker to execute arbitrary code as system the highest level of privilege on Windows. So now our would-be bad guy knows right where to look in Exchange server. And surprise, surprise, the problem is deserialization. We've talked several times about the inherent difficulty of deserializing data securely. The process of serializing data takes some sort of formatted data structure you know, often a JSON structure and turns it into a blob for storage or transmission. That's the thing known as serialization. The reverse process of deserializing the blob requires, yes, the interpretation of the data that the serializer produced Interpretation. So we have some flaw in an interpreter in the chained serialization binder. Probably wouldn't be too difficult to find.

22:23
So just for the record, though they are not also remote code execution flaws, the remaining three are still some concern. We've got 1579 located in the download data from URI method. This flaw is due to insufficient validation of a URI before resource access. Attackers can exploit it to access sensitive information from Exchange servers. Then there's 1580. This vulnerability in the download data from Office marketplace method also stems from URI validation, potentially leading to unauthorized information disclosure. And finally, 1581 is present in the create attachment from URI method. This flaw resembles the previous bugs, with inadequate URI validation, again risking sensitive data exposure. So they all allow those three for some sort of unspecified information disclosure. While it's not running the attackers code which has been remotely supplied, which is what the first of these four can, information leakage can still be very valuable to attackers as part of a larger campaign.

23:39
The mitigating factor behind all four of these vulnerabilities is that they all require authentication. You need to be able to sign in as a user to this Exchange server. So this may be the basis for Microsoft's dismissal of this as anything to worry about. But we've seen cyber criminals have repeatedly demonstrated that they have many ways to obtain Exchange credentials. There's brute forcing, weak passwords, phishing attacks, purchasing them outright on the dark web or acquiring them from info stealer logs. So once the bugs are found, the need for a credential for a specific Exchange server might not pose an insurmountable problem.

24:26
Trend Micro Zero Day Initiative folks said that the only salient mitigation strategy would be to restrict interaction with Exchange server. But you know what are you going to do Unplug it. Many businesses and organizations cannot operate without access to their Exchange server. So anyway, I'm just putting this out there.

24:47
We'll see here in the future whether Microsoft decides to slip some fixes in to a forthcoming update or whether the bad guys decide to do some reverse engineering of those now specified functions in Exchange server, find the vulnerabilities, then, you know, arrange to get themselves an authentication on to Exchange server and then get up to some mischief. We will basically see whether all of the history is going to repeat itself where Microsoft said, ah no, nothing to see here until there was. This is what happened with the horrible Prince server nightmare that we went through a couple of years ago, where, you know, the researcher who found the vulnerability kept trying to tell them over and over and over look, this is a problem, you didn't fix it yet. Then, when they said they did, they turned out they didn't and then it ended up really coming back to bite them. So we'll see.

25:51 - Leo Laporte (Host)
Deny deny fix. Yes, exactly.

25:55 - Steve Gibson (Host)
Yeah, and you know what's the recourse? None, you know the licensing agreement says you know if it works, great. If it doesn't, well, we tried, and you know can't go anywhere else because Microsoft, you know no one could argue that they're not a monopoly and that they don't have that power. Today there is a problem not in Microsoft's camp with something known as Apache ActiveMQ servers. They've been having some trouble recently and unfortunately they are this week's mass casualty event, although because there's a much lower level of deployment of them.

26:40 - Leo Laporte (Host)
I like it this week's no this week's mass casualty event.

26:49 - Steve Gibson (Host)
Okay so Apache ActiveMQ server is a standalone message broker server which facilitates reliable, high availability messaging among clusters of computers. It's written in Java and it's been around and evolving since 2004. So it's you know it's got some lineage there. The flaw being tracked as CVE 2023 46604 is a maximum severity bug in the ActiveMQ scalable open source message broker that is, this server which enables unauthenticated attackers to execute arbitrary shell commands on vulnerable servers, in other words, one of those as bad as she gets. It's unclear when the Apache Foundation became aware of the attacks on ActiveMQ, but two security firms are Arctic Wolf and Huntress Labs found that threat actors had been exploiting the flaw as a zero day to deploy a remote access Trojan known as SparkRat since at least the 10th of October. Apache released security updates to fix the vulnerability 17 days later, on October 27th. So you know two and a half weeks of window, and we don't know how much earlier this was being done. But we do know that a patch being made available and patches being applied are two very different things in today's world. In addition to the deployment of the SparkRat remote access Trojan, activemq servers exposed to the internet are being targeted in HelloKitty and another ransomware known as Tell you the Pass is the name of the ransomware. So those two pieces of ransomware do share a common infrastructure email addresses, cryptocurrency addresses and so forth so they're probably just versions of the same thing or at least being run from the same ransomware group. And in terms of its spread, data from the threat monitoring service shadow server found that there are currently more than 9,200 Apache ActiveMQ servers exposed online, with over 4770, so more than half currently vulnerable to exploitation. So, as I said, not as mass as some of the masses that we've seen recently, but still not good. If the good guys can scan the public internet to obtain a count of victims, bad guys can scan for potential victims to target just as easily. Needless to say, if your organization is using an Apache ActiveMQ server with internet exposure, you'll want to update it immediately and also look around for any indication that the bad guys might have already entered your network and have set up some sort of persistence, because you don't want that.

30:11
Okay, given the sweeping scope of the mess with Citrix bleed, which we spent some time looking at last week, since, well, we talked in detail about the exploit, and that occurred on Halloween the team at Mandiant, which is now a Google property, appears to be more on the ball and current about this than anybody else, since everybody else is just citing Mandiant's research in their own updates. Their last update was from last Thursday, which has added some interesting new pieces of information and helps to bring home, I think, the reality of the situation that is facing those 20,000 plus Citrix users whose network appliances have already been compromised not vulnerable, but compromised. So on Thursday, mandiant wrote Mandiant has identified zero day exploitation of this vulnerability in the wild, beginning in late August 2023, as well as an end day exploitation, meaning after it's been known, you know. So you know n, where n is larger than zero exploitation after Citrix's publication. Mandiant is investigating multiple instances of successful exploitation of CVE 2023-49-66 that resulted in takeover of legitimate user sessions on net scaler, adc and gateway appliances. The session takeovers, bypassed password and multi-factor authentication.

32:03
In this blog post, we will discuss artifacts that can be used to identify exploitation activity and highlight some of the post exploitation techniques we observed during the incident response investigations. Okay, so they lay out what's already known about the vulnerability of the Citrix endpoints, the challenges of investigating vulnerable devices because the web server running on the appliance does not record requests or errors to the vulnerable endpoint. So there's no log of these things being made, making you know tracking them down extra tricky. And they note that they're not aware of any configuration change that can be made to force request logging for these particular endpoints. So you know those remote HTTPS queries.

32:57
But what was most interesting, I thought, and the reason I wanted to share this update, was what they had to say about the post exploitation activity they observed. In other words, what are some of the things the bad guys do once they bypass the system's authentication and gain access by grabbing one of those pre authenticated tokens and then just using it? So Mandiant explained. They said, following the successful exploitation of 4966, mandiant has observed a variety of post exploitation tactics, techniques and procedures TTPs. Once an actor was able to successfully achieve session hijacking, the threat actor performed actions including host and network reconnaissance of the victim's environment, credential harvesting and lateral movement via RDP. You know remote desktop protocol. Mandiant identified evidence of active directory reconnaissance using living off the land binaries such as netexe. And, as we know, living off the land is now an increasingly popular approach, meaning you don't need to bring any stuff with you, you just use this rich environment of command executables that Windows now ships with netexe.

34:27 - Leo Laporte (Host)
It meant something different when I was a kid.

34:33 - Steve Gibson (Host)
That's right, living off the land. Additionally, mandiant has observed the use of the soft perfect network scanner, netexe, to perform internal network enumeration. In several cases the threat actor used 7zip to create an encrypted segmented archive to compress the reconnaissance results because you know, you don't want your, you know your reconnaissance results to be too big.

35:00
So you use an archiver like 7zip specifically to shrink them down. And boy you know, those kinds of logs are typically going to shrink way down. The threat actor then used the built in certutile utility to base 64 encode the segments. So it's not just, you know, ascii going out, it's somewhat, you know, obfuscated. In one case certutile was used to decode multiple files related to credential theft.

35:33
Mandiant observed the threat actor use eexe to load ddll into LSAS process memory. When run the utility creates a memory dump file located at temp slash 1.png. That's sort of interesting. You give a binary memory dump apng extension so that it looks like a known extension. And of course pngs are binary, so presumably they just kind of get passed without much concern. That's interesting Anyway, and prints success to the console. When done, that's nice. So the bad guys know that everything worked fine. The memory dump file can be processed offline by the threat actor to extract credentials, that is, credentials from the LSAS process memory. Mandiant identified sh3.exe as a utility suspected to run the MemeCats LSA dump command.

36:35
In another instance a threat actor use certutile to decode a file that Mandiant identified as a newly tracked backdoor that uses Slack as its command and control, tracked by Mandiant as free fire. It is a lightweight backdoor. Written fornet. Free fire communicates to a hard coded channel, a Slack channel, to retrieve commands and upload responses. It supports loading arbitrarynet assemblies encoded as base 64 sent to it via chat commands. Mandiant observed free fire being deployed by a threat actor through the following certutile command and then they go into it in more detail. They've also observed the deployment, they said, of various remote monitoring and management tools following the successful exploitation of 4966. Currently, mandiant has observed the deployment of ATERRA, nedesc and Splashtop to establish and maintain a foothold following exploitation of 4966. They said Mandiant is investigating intrusions across multiple verticals, including legal and professional services, technology and government organizations. Given the widespread adoption of Citrix in enterprises globally, they wrote, we suspect the number of impacted organizations is far greater and in several different sectors.

38:05
Mandiant, they said, is currently tracking four distinct uncategorized groups involved in exploiting this vulnerability. We've observed some lower degrees of confidence overlaps in post exploitation stages among these UNC uncategorized groups, like using the same recon commands and utilities available on Windows. Two threat clusters used MIMI CATS for dumping process memory. Notably, there were no overlaps in infrastructure between these clusters of activity. The exploits were sourced from different VPN provider IP addresses and previously compromised third party devices.

38:44
Okay so, even though the attack is low complexity, easy to pull off, easy to launch, all indications are that well-versed and very competent threat actors are behind these. They're using tried and true post exploitation tactics to obtain a high degree of leverage in and persistence on, their victims' networks. So we are now inhabiting a world where, the moment a patch to fix a remotely exploitable flaw is announced, powerful malignant forces jump on the patch, determine what was changed, design an exploit for any not yet patched devices, then race to take advantage of the newly discovered vulnerability, using it against anyone who did not instantly patch their devices the moment the trouble and its fix were announced. Asymmetric warfare is notoriously difficult to fight, and this currently broken security model which is the only thing we can call it it is a currently broken security model has these asymmetric aspects. Consider that a small group of miscreants only need to watch for security updates from the major appliance vendors. Yet on the other side, on the receiving side, every single person who is independently responsible for the operation of every deployed instance of every one of those devices, spread anywhere in the world must be just as vigilant as that small team of bad guys. And on top of that, everyone everywhere must be ready to apply the fix at any time night, day, weekend or holiday.

41:05
The only way I can see this evolving is for the high end enterprise appliance world to make the same move that the small office, residential router and consumer desktop world has made of allowing these devices to be remotely autonomously updated without the need for the device's IT personnel to be involved. This feature should be enabled by default, with IT personnel having the option to disable it if they understand and accept the risks that a company doing so. Udp packets are small, they are connectionless and inexpensive to send, so every such device that has not been disabled could send a packet periodically to the device's manufacturer to check in for any updates. One tiny packet every 10 minutes would be more than sufficient. You could make it hourly if you wanted, but you know 10 minutes to be on the safe side In the event of a critical update. An affirmative UDP reply would contain the URL of the update to download and apply, and the certificate of the remote web server could be pinned to prevent any forgery. The appliance would bring up an HTTPS, tls connection to download the updated module, install it and reboot itself.

42:46
And of course, I'm aware of the many arguments against this sort of autonomous upgrading. You know, its first appearance in Windows all those years ago caused quite a stir. You know, those old timers among us were like wait a minute, we don't want this to be automatic. We want control of which security things we install. We want to look over the list and before we say okay, yeah, fine, do it all. You know my own Unix servers send email to inform me of the packages that are in need of attention. This information they're obtaining without any assistance from me, although they do stop short of performing those changes autonomously.

43:28
So while autonomous patching of enterprise class appliances may pose some risk, more than 20,000 users of this one device just had their networks deeply compromised because, for whatever reason, they did not install the patch that the bad guys were reverse engineering before that reverse engineering was turned into an active exploit. If they had 20,000 individual network compromised, disasters would have been averted. It seems to me that, given the world we live in now, it is time to move autonomous patch updating from the consumer desktop and router, where it's now been proven to be providing much more benefit than harm to the enterprise's border equipment, which are subject to swift attack, as we've all just been seeing with the actually the past three, we're now at three recent mass casualty events. And just for the sake of discussion, there are many possible compromise measures. For example, the periodic UDP packet sent by the device back to its manufacturer could contain the device's current build version and the latest current email address and cell phone number for the organization's IT cybersecurity team. That information could be configurable in the device's admin setup as an, in case of critical vulnerability, send email to and send a text to. That way, every one of the manufacturer's devices is pinging home base with the information needed to alert its administrators the instant any new and sufficiently urgent problem is discovered.

45:33
It's difficult to believe that we're not already doing this as an industry and while we're, you know, talking here about any of this, since it's foreseeable that the first thing a compromise device might do is shut down that early warning update system, the device's manufacturer should have these periodic info pings continually updating a database, and which would also prevent malicious changes to that information by retaining a history of previous contact information.

46:06
In that way, the moment a serious problem was discovered, every admin could be made aware that they'll need to prepare for an update. So I suppose my point is we are we're really truly being lame about the way things are being done today, and I can't see any excuse for it. There's like we we have the technology to solve this problem and to prevent what are now becoming weekly, multi tens of thousands of networks being compromised in mass casualty events. I would argue that that that Cisco disaster, which was a web auth problem, should have never happened by policy. But again, the technology to fix this is at hand. So, leo, we're going to talk about a sponsor who's got some other technology to help fix things.

47:09 - Leo Laporte (Host)
Yes, and then?

47:10 - Steve Gibson (Host)
we're going to look at the the move to CVSS version four.

47:15 - Leo Laporte (Host)
CVSS v four. Okay, yep, meanwhile, let's talk about this. This little buddy, it's called a canary. No wings, no, no audible bird song. It's not yellow, it's not yellow, but it will. If something goes wrong in your network, if somebody gets into your network, it will sing like a canary. It will let you know, and that's what's so cool about the think's canary.

47:42
This is a honeypot with a very high signal to noise ratio. Just the alerts that matter, the alert that somebody's wandering around your system. Now I've unplugged it so that I could show it to you. It just. You know, this is a USB cable. On one end, the plugs into power. It's got an ethernet jack on the other end. That's all you need. Let me show you what it looks like on the canary console.

48:05
This is your honeypot. I call it backup NAS. You can give it a MAC address. You can give it a variety of personalities. This is Linux. Four. Four is uh.

48:17
Give some information about the ports that I've opened. You can choose what ports to open. You can open, you know, make, create a Christmas tree of ports, or you can be subtle. You can be subtle and say no, no, I don't want it to be uh, I want it to look like I'm being very coy and careful about how I set this up. You get to choose. You get to choose what the personality is whether Windows file sharing is turned on, telnet Look at all these. I could turn on all kinds of services. Uh, I can make, give it all kinds of personalities. Now, as you can see, this is a Synology NAS, or it pretends to be, but it could be a Jenkins login. Jira, you know, confluence has been recently attacked. You could make a Confluence. Uh, you could make it a, a. A Skata device Uh, here's Oracle Enterprise Cisco router VM where I can go on and on. This can be almost anything you want it to be, except it's not it's, it's, it's this, it's just something that attackers are going to want and once they get, they get in and attack it. You're going to know.

49:26
There's another cool thing you can do with your canary. I'll show this also in the canary console, you can create canary tokens. Canary tokens are documents. Let me show you some canary tokens. Let's create a new token.

49:42
Is it a web bug? Dns, aws, api, key, azure, login certificate, word, excel, word, macro uh, I don't know what a sensitive command is, but it's registry file to detect sensitive command execution. Okay, wire guard. It could be an Adobe PDF, a Slack key, it could be all kinds of things, but it's not Now to an attacker. It looks exactly like those things, but the minute they try to open that file, but a Bing Bada, boom. You get that notification in the way you want. It could be on, uh, on your console here on your canary account. It could be syslog, it could be web hooks, it could be email, it could be text. You get to choose. The point is, when you get that alert you know I got to check this out We've only gotten one alert from this canary in the in I don't know five years we've had it and in fact it was a malicious device. Somebody plugged in in the network that was going out and pinging IP addresses. We got it, we tracked it down, we got it off the network.

50:44
Canaries uh founding team. The thinks team has a background in offense, but that's what you want. You want people who are breaking into systems so that they can think about how to defend systems. They've prioritized defensive thinking and developing these devices. Oh and, by the way really important we don't mention this and I want to really highlight it the canary team is uber conscious of your trust in their product, so they take a lot of pains to ensure the devices are not going to add risk to your network. They're designed to be secure, using memory, safe languages, sandboxing.

51:20
The architecture ensures no critical network secrets are stored on this canary. You can't dual home to maintain security. You can't span V lands with them. You'd want to give attackers a chance to jump across networks. You can even detach them from the the back end authentication, which will prevent think staff even from accessing the console. I mean, they've put immense air of effort into making sure they're not going to put new vulnerabilities on your network and, honestly, like any canary in the coal mine, if this bird can let off just one warning before it's owned, it has lived up to its namesake, it's earned its keep.

52:02
They do constant third party assessment. In fact, the assessments always commend the secure design of the platform. They're always very impressed. I am. Hardware, yes. Vm, yes. Cloud based canaries yes. They're deployed and loved on all seven continents.

52:19
If you want to see the love go to canarytools, slash love, all sorts of customer love from some of the biggest CISOs and in the business for things canary, you want to know how much it costs? Well, you can visit canarytools slash twit. You got to do that and I'll tell you why in a second. About 7500 bucks for five. Okay, so the price will vary depending on how many you get, but just to give you an example, five of these spread around our office 7500 bucks a year. You get your own hosted console, you get upgrades, you get support, you get maintenance and if you use the code twit in the how did you hear about us box, you'll get 10% off, and not just for your first month or year, but for life. Oh, one more thing this, we know.

53:05
This thinks canary has incomparable value. I mean, every network should have one, especially if you're worried about breaches. But to make you feel better, just to reassure you, they've got a two month 100% refund, money back guarantee, 60 days For any reason. You could return it and say I want my money back anytime in that first two months. I mean, that's that's peace of mind, right? I got to tell you in the in the decade we've been doing ads for the canary is it that long it feels like it's been years Not one person has ever asked for refund. These things work. They're kind of amazing. These are the best honeypots ever. Canary go to canarytools. Slash, twit. Enter the code. Twit in the how did you hear about us? Box Thinks canary, these things are great. You need one. All right Back to Mr Gibson and on we go.

54:03 - Steve Gibson (Host)
We've just seen, and we continually see, the burden being placed upon frontline IT personnel to keep their network safe. Yes. Oh my God, yes, when I, when I, when I talked about Adam networks, it's not a job I want, no, no. And if, if someone were to say, given all the evidence we've seen, that is basically an impossible task, it would be difficult to mount a convincing counter argument. As always with security, the good guys must prevent intrusion everywhere, all the time, all at once, which I think was the title of a recent movie.

54:46 - Leo Laporte (Host)
But the bad guys all at once. Yes, that's right.

54:51 - Steve Gibson (Host)
But the bad guys only need to find one mistake anywhere one time.

54:56 - Leo Laporte (Host)
You know deep respect for the people who do this. It's not fair.

55:00 - Steve Gibson (Host)
It's not. It's not like a fair job.

55:03
We've heard that IT security guys are stressed, and it's not surprising. I've mentioned this before, but I'll say it again the job might not be for everyone, but if it sounds like it's a fit with your personality, the good news is the world is desperately looking for you. I saw a statistic recently indicating that there's about a 50% shortfall in IT security staffing some something like 4 million empty job openings right now that need to be filled. One of the many things I've learned from our listeners is that they credit their listing to this podcast with giving them the inspiration to learn more about this subject, which subsequently allowed them to move into the cybersecurity job market. And I found that study. A quote from the study says quote the global cybersecurity workforce is estimated to have reached more than 5.5 million professionals and even though that number is 9% higher than it was last year, 4 million experts are still needed worldwide to fill open positions across the industry. Okay, now what I found is the 2023 cyber workforce study, in which they surveyed a record 14,865 cybersecurity professionals to share their unique perspectives on the state of the workforce. I'm tempted to share more since this thing, as this report is chock full of interesting data and statistics, but instead I have a link to its 84 page PDF in today's show notes and it is this week's shortcut of the week, which I again numbered very carefully. So it's grcsc.947. That will bounce you to this PDF of the 2023 cyber workforce study and really, as I was scrolling through this, I thought oh, this is just full of cool stuff. So I really do commend our listeners. Take a look at it grcsc.947.

57:23
Okay, so where am I going with this? The job of controlling our networks, keeping them secure, is chaotic. The challenge, as I said, is highly asymmetric and arguably unfair. So the overworked cybersecurity professional needs all the help they can get. In a world of software vulnerabilities, how does one know how to start? You know the day. One of the blessings this industry has created in an attempt to bring some form of order from this chaos is the common vulnerability scoring system, which we're constantly referring to on the podcast. You know, cvss scores.

58:06
The initial version one of the CVSS was instituted in February of 2005, the same year when we later began talking about these interesting issues every week. A little over two years later, in the summer of 07, it moved to version two, where it sat until version three was introduced in 2015. That version lasted until 2019, when it was tweaked a bit to give us version 3.1, which is what we've been using up until now. The reason the CVSS system has needed periodic maintenance and updating is that we're not living, as we clearly know, in a static world. The drama we're seeing playing out this instant, for example, with the Citrix bleed vulnerability and the you know, the Apache message queuing problem, that didn't exist to nearly this extent before cryptocurrency, because it was far less clear how attackers in Russia and North Korea could monetize their cyber intrusions. Now everybody knows, and vulnerable devices like Citrix's net scaler technology hadn't yet been created.

59:24
Since today's cyber landscape has changed, so must the metrics we use to characterize today's threats. To that end, work has been completed just now on the next generation of common vulnerability scoring system, and we are therefore now at CVSS version four. So what's changed? There are four primary highlights. First, cvss scoring metrics have been added and redefined to improve the granularity and clarity of CVSS scores. With the previous standard, it turned out like against today's threats, it was common to have different types of vulnerabilities winding up being clumped around the same score, even though it no longer accurately reflected each one's severity. So more scoring metrics in CVSS version four means a better spread across the entire scale.

01:00:27
Second, in keeping with today's world, we now have ICS, ot you know, operational technology and IoT specific scoring metrics. This includes scoring metrics such as safety, automatable and recovery, to let critical infrastructure operators know whether a security flaw just looks bad on paper or if it's actually exploitable and dangerous to their networks. Third, we also have new scoring metrics such as value density, vulnerability, response effort and provider urgency. Those have been added to help responders evaluate and prioritize vulnerabilities. Those last two, for example, vulnerability response effort and provider urgency, are intended to allow vendors to tell customers that a vulnerability needs to be patched ASAP. This is a capability that was not present in the current CVSS and obviously, having a patch this ASAP and have that actually mean something is something we need. So we now have it in version four. And finally, cvss version three's temporal metrics group has been replaced with a new group called threat metrics. Although this replacement group is intended to reflect the same exploitability and proof of concept availability as its predecessor, its application is significantly clearer now under version four. So while we'll still be seeing and quoting the same single one to 10 CVSS composite score, that score will now more accurately track the urgency presented by its vulnerability, and the detailed breakdown of that single score will provide cybersecurity professionals much needed additional details and may help them to decide how to start their day.

01:02:33
And for a perfect example of this, I think, is that we keep seeing all of these 9.8s. Well, what, why, how is it that everything is 9.8? Except every so often, you know, a complete disaster meltdown is a 10.0 it. You know it did feel like there was some, you know, nonlinearity or something to the way the CVSS Version 3.1 that we've been using for the last four years had been operating. I expect we're gonna see a different scale of CVSS, and so we should be prepared also not to apply the the numbers coming from version 4 Against what we've been used to seeing in version 3 and 3.1. I they may look like they're less severe. Probably what they're doing is doing a better job of like reflecting a non clumpy, more uniform scale, so that you know the bad ones are are probably more rare, but but what they signify is probably more significant. So yay, that's all.

01:03:44 - Leo Laporte (Host)
Though subjective right there's no, or do they have some weird Objects right here?

01:03:50 - Steve Gibson (Host)
They actually have a calculator where you go to a website and and you say yes, no, yes, no, yes, yes, no, no, yes, and so forth, and then it gives you the score based on a based on a rigorously pre-established formula. Yeah, so it's not just you know. Oh, my god, you know. This one made me nauseous, it's you know. There's actually a there, there's actually math behind it.

01:04:16 - Leo Laporte (Host)
Oh, okay, and the people's yeah. The question yes or no questions are concrete. They're not. Well, it was really bad.

01:04:24 - Steve Gibson (Host)
Yes, they are, yes, they are. They're concrete and very specific. And there's actually, if you go to the Central CVSS repository, there is a breakdown, a multi-dimensional breakdown of, like you know which way, which are the ways in which this thing is bad, that all worked together to create this composite score. So you know, there's actually a lot of science behind, okay, okay, okay. So I have a soft spot in my heart for ace hardware.

01:04:57 - Leo Laporte (Host)
Leo to we love our ace hardware.

01:04:59 - Steve Gibson (Host)
Yes, we have several of aces at 5700 retail stores in our area and I have to say they have a trilling amazing Array of random little hardware. You know bits.

01:05:16 - Leo Laporte (Host)
Yeah, there's always some old guy and his suspenders with a walrus mustache and he's wonderful. My Sleaking is oh yeah, you come over here, yeah he kind of shuffles along.

01:05:29 - Steve Gibson (Host)
Yeah, yeah, I think we're all sharing it, yeah, so, anyway, many of my own projects were saved right, you know I can the middle of the day when I needed a particular size bolt or washer. You know there are still some things that are difficult to do online. Yeah, I would argue. You know, trying on clothes is difficult and Getting the exactly the washer that you need to fit in a tight space or how many, you know how many of them stack up in order to create a Shim of the required size. So, anyway, you know, when you need to match a bolt to a nut, there's no substitute for being there.

01:06:07
Anyway, I bring this up because nearly 200 of their servers yes, we know where this is going and a thousand other systems were hit by a cyber attack the day before Halloween, so that was last Monday, october 30th.

01:06:22
The attack impacted their ability to pick up new customer orders and also other impacted systems included their warehouse management systems, reward points tracking, their tech support call center and the company's mobile assistant. Despite the attack, the company's 5700 Retail stores have remained open, although with somewhat reduced activity, and I haven't needed any bolts recently, but it's good to know that I can still get them there and we did actually lose one, one ace Retailer, the one that was closest to me, I think it was a kind as a consequence of COVID. It never recovered from, yeah, from the you know the real, the real slowdown, but we still have one that is I know I can get to. If I need a specific thing, you know your, your store probably has a, two, leo, it's a, I can't remember the name, I it begins with H, it's like Hildebrand or high guard or something, but they have, like, like in mine, they have multiple aisles of identical, like slide out trade.

01:07:28 - Leo Laporte (Host)
Yeah, it's been. Yeah, yeah, yeah, with all the different stuff. Yeah, yeah, yes.

01:07:32 - Steve Gibson (Host)
And it is that's all provided by one company, right, that like Reese, that like stocks, all those things and they always have the one you need. Yes, it's amazing, even if it's some, like you know, backdoor Spridge Collapser or something it's like my god, there it is.

01:07:51 - Leo Laporte (Host)
We have the one we had burned down about 15 years ago, burned to the ground and it was on a big deal. It was like on the 4th of July. But they've rebuilt it but it was really nice because a creaky old floors, but they kind of preserved the spirit of it. I I love old hardware stores. I have a lot of stuff from that ace. They probably also have a lot of my stuff In there. In there the database.

01:08:19 - Steve Gibson (Host)
Yeah, the best at the best extension cord I've ever Found is like this supple. I don't it's got to be like highly braided, it's just amazing.

01:08:30 - Leo Laporte (Host)
It just feels so good.

01:08:31 - Steve Gibson (Host)
Anyway, it's one of that nonsense. Remember that bizarre plan Google floated a few months ago, yeah, which would have given websites Absolute control over the extensions and other features that could be used by anyone visiting a. A website that wished to impose such control and restrictions over their browser. Is that the web?

01:08:57 - Leo Laporte (Host)
integrity API. They, yes, exactly and it was.

01:09:00 - Steve Gibson (Host)
It was dubbed the web DRM because you know Nobody likes digital rights management.

01:09:06
That's what it was really. I mean, yes, it really was. The good news is that plan is dead, oh, and I'm impressed that Google didn't make a larger push for something that Really didn't seem to be in the best interest of the end user. We know we talked about it a Bit briefly, but the eye, but you know there wasn't enough known at that point to really take it very seriously. The only upside that, like the only reason I could see that it might be useful, was that, as we know, users are not very judicious in their choices of browser extensions. So you could imagine, like a banking site, you know, for example, wishing to enforce much tighter security when people visited some of its more secure services. So I could imagine that. But the downside was it, for example, sites might just decide to restrict the use of ad blockers by disallowing their use. We know they don't like them, so why not just make them not work on on their site? So, anyway, my hope is that Google did not kill this Because they have figured out some better way to do something similar, because this really seems bad. And if they did, I would hope that Mozilla would not choose to follow with Firefox. So we'll see, but for now it's not going any further.

01:10:34
Okay, so we were just talking about the, the first of the three recent mass casualty events being the Cisco iOS Xe router attack, you know, and that was the one which preceded the Citrix bleed mess. And, as I mentioned before, it was a result of an easily preventable web authentication bypass which, as I ranted at the time, was entirely foreseeable and unnecessary, because no web UI Administration should ever be placed on the public Internet. We, you know, we all know better. Everybody should know better. Cisco should know better. It shouldn't even be an option, since there are now many far more secure ways to do the same thing. And as I was putting this together for the podcast, I came up with a new slogan Because you know it's there, because web, a web UI, is so easy to use, so Ease of use is no excuse.

01:11:42
So, yeah, anyway, this all popped back up because Cisco's own Talos group Just published a full technical analysis of what they call bad candy. It's the implant that's being deployed on those compromised Cisco routers Thanks to those zero-day vulnerabilities. In their report, talos notes that the bad candy malware has evolved Now in its third major version, demonstrating that the threat actors behind this are still actively modifying their attacks to maintain access To those compromised boxes and remember there were thousand, tens of thousands of them. They also noted that the latest version 3 Modifications, which have been made to bad candy, appear to have worked, since the shadow server Foundation, who have been monitoring the attacks progression over time, has stopped detecting any Infected systems, although we know a hundred percent for sure that they're not all patched. You know, presumably, that the shadow server foundation and others, other security researchers, had long ago captured the IP addresses of the infected and vulnerable Systems, but, you know, no one coming along now would see that anything was amiss, although in fact, I'm sure that it's just a cornucopia of compromised Networks. Probably the big problem now is just sorting through them all and deciding which ones to go after first.

01:13:23
Now I know that before this next bit of news, I'm supposed to remind our listeners that bit warden is a sponsor of the twit network, as if we weren't all Already aware of and pleased with and even grateful for that fact. So what's the news? With release 2023, dot 10, dot 0 of the bit warden browser extension, it now fully supports 5.02 style pass keys. Bit wardens mobile clients have not yet caught up, but this is acknowledged and it's on their development roadmap. Meanwhile, the browser extension appears to be ready for prime time.

01:14:06
I have a link in the show notes to the full 2023 dot 10 dot 0 release notes and another link to the specific page. They've got there now discussing a bit warden's browser extension support for pass keys. I've not tried it myself, but from a quick scan of that page it appears that everything is there. At the bottom of the storing pass keys page they have a short Q&A I think it just had three, you know FAQ points where one of the questions the middle one asked Are stored pass keys included in bit warden Imports and exports? To which they reply Pass key imports and exports will be included in a future release. So that's not there yet, but they clearly recognize the need and, as we noted when we recently talked about this, apparently the slow-moving Fido group are Involving themselves in the creation of the import-export format. Although that's making us wait, we definitely want all pass keys clients everywhere, everyone's pass key client to support a single, common, well-designed, unified, cross-platform standard. So I think we're all have, you know, should be quite happy to wait for that.

01:15:38
Okay, recall the tweet from a listener named Victor from a few weeks ago. His Twitter DM was dated October 18th. In it he wrote he said I powered on a couple years old desktop that had been unpowered for about a year. It took ages before the desktop was loaded no errors anywhere. But I decided to try your read speed and look at those SSD speeds. Exclamation point he wrote is it time to invest in spin right now? He said if spin right fixes this, I will try to encourage my employer to get a site license, meaning just purchase four copies and then you can use it on all the machines out there. He said thank you, mr Gibson. Victor, long time SN listener, keep up the good work to 999 and beyond. Okay.

01:16:35
He attached a screenshot from read speed which I described at the time. It showed and explained exactly what he was describing. You know, read read speed takes Benchmark performance, read performance benchmarks at five locations across the drive the beginning, the, the one quarter point, the middle, the three quarter point and the end. And what you'd expect on any SSD. The reason I did these five snapshots was that we all know that that spinning hard drives are slower at the end Because that's the, the inner tracks, where there's less data, since the drive is spinning at a uniform speed. If you've got less data around the circumference, your transfer rate is less than the average speed. At the most circumference your transfer rate is going to have to be much lower. Typically it's like half the speed as the, as the, as the beginning of the drive, the outermost circumference. So I designed read speed just to take, you know, in order to sample those five points. To our stunned surprise. And he discovered many people's SSDs were slower, much slower at the beginning of the drive, even though an SSD being solid state, you'd expect it would be uniform across. You know all five snapshot points, not so Okay.

01:18:06
And in Victor's case he had an extreme case. Remember that the beginning of his drive was 2.2 megabytes per second, the 25% point was 482.5, the 50% point was down to 53, the three quarter point was also bad at 13.8 and the very end was 323.7. So this drive is like across, it is like bad and in fact it peaks at 482 at the 25% point, for who knows why. Anyway, yesterday, just on Monday yesterday, when catching up with my Twitter feed for the podcast today, I found his follow-up. He did purchase a copy of spinrite 6.0, then used his 6.0 license to immediately grab the 6.1 release candidate. Here's what he wrote he said.

01:19:05
Now, mr Gibson, I have some results for you and possibly the listeners. I ran spinrite 6.1 on level 4. It took 28 hours, reported 6199 command timeouts, found and repaired 183 defective sectors. Remember, this is on an SSD, he said. For comparison's sake, here is a new screenshot of read speed. Now the PC behaves like one would expect from an 8 core Intel i9700 with 64 gig of RAM. And so we have that.

01:19:52
Where the beginning of the drive was at 2.2 megabytes per second, it's now 430 megabytes per second. The one quarter point didn't change, the middle went from 53.2 up to 508 megabytes per second, like almost a 10 times faster. The 75% point went from 13.8 to 504 and the end of the drive went from 323 to 513.8. So much more uniform and way faster. And also this SSD had a ton of problems.

01:20:36
Okay, now, under spinrite 6.1, a read scan of a half terabyte directly connected meaning not USB, but, you know, directly connected this is the drive he's booting system boots from would have taken less than an hour. We can easily do half a terabyte an hour and even faster on an SSD, but rescuing and resuscitating that very sick SSD required rewriting its recovered data and actually all of its data. So that would slow things down, but not by nearly that much probably. Only you know it would take an hour or two normally to do a level 4 pass on an SSD, but that SSD was clearly in seriously bad shape and it sounds like it made Spenright work a lot to pull it all back from the brink. So Spenright 6.1 is obviously highly effective for today's solid state storage, in addition to what it has always been able to do for electromagnetic spinning drives. What we've learned is that it turns out that electrostatic storage is prone to long term charge degradation through several different mechanisms, and this only promises to become worse as engineers continue to succumb to pressure from their managers to squeeze ever more data into ever smaller and fewer storage cells. The good news is Spenright 6.1 can resolve those problems today. It is not as optimal as version 7 will be, but it works now and I'm not stopping, you know, once 6.1 is published. It's a big step forward, but I've got much more on the way as soon as I'm able to get away from DOS, which is like gonna be a big treat for me. Okay, we've got some closing the loop feedback, sam Myerilli. He said hey. Steve, he said hey at SGGRC, listening to SN 947.

01:22:49
That was last week on IPv6. Spectrum, the main ISP for Central Florida, for Tampa Orlando and the Space Coast. Ipv6 is still notoriously problematic. For example, pixel 3 and later phones go into Wi-Fi disconnect loops when you let IPv6 hit cheap and good routers. For example, I have a NetGate USA SG2100. This is well documented on Reddit. Outbound DNS queries also frequently have long periods of time when IPv6 is enabled that they simply black hole on spectrum, then randomly fixed for a while, then bad again for months.

01:23:38
He says ISP shrugs. He said I fear the day we're forced to switch to IPv6 given how terrible the back-end tech is maintained for home ISPs. So he's talking from the ISP side and, as we know, he was following up on my somewhat pessimistic appraisal last week of what appears to be the true current state of IPv6. It'll be there when we really need it Actually now I would say hopefully, because it's looking worse than I thought, but until really we really need it is in all caps, bold italics and underlined. All of the prevailing evidence points to everyone doing everything they can to hold on to IPv4 until there's really no other choice. I have 18 IPv4 IPs and I treasure them.

01:24:39
Also, bob Grant provided some additional terrific feedback about IPv6. He said hi, steve, as an IPv6 proponent for a number of years, I've listened with interest to your answer to reader email last week where you said nearly everything appears to be IPv6 ready. I thought I'd share my experience. It is certainly the case that most everyone's routers and many networks are dual stack with both IPv4 and IPv6 support. In the case of my ISP, I am able to request an IPv6 slash 48 prefix, which is 256 separate slash 64 networks, so I can have as many as 256 separate networks, each having a full slash 64 IPv6 subnet. My firewall only allows established connections back in, so there's no additional security issue over my IPv4 NAT. Meaning he's observing that IPv6 does not NAT. So you know individual systems get their own IP. Because there's just so many of them you don't need NAT any longer, but you do still want firewall functionality. He said I recently upgraded my network and Wi-Fi access points so it's trivial to segment multiple SSIDs into separate VLANs. Going back to my open sense, you know OPN sense router. Okay, so I'd say that we have indeed, at this point, established Bob as an IPv6 proponent. He says as an experiment I decided to set up an IPv6 only network where only IPv6 IPs and DNS would be used.

01:26:40
I was quite disappointed to discover how few websites worked with IPv6 only. Huge sites like NFLcom, twittercom and many well-known universities whom I won't embarrass by naming, and others like BitOrdincom, all fail to load with an IPv6 only connection, and I'll just note that all of my own servers at GRC are among those two which are still IPv4 only. He says many other sites work when using wwwsitecom but fail to redirect when using just HTTP sitecom. My three credit unions landing pages load under IPv6 but the financial back ends hosting the login process and displaying account balances fail because they're IPv4 only. Even Microsoft fails after the landing page because the loginlivecom is not IPv6 enabled. I noticed many sites web pages load only because they use a content delivery network, you know, like Cloudflare or Akamai, that supports both IPv4 and IPv6 at their border, thus proxying for their clients IPv4 only web servers. Kudos, he finishes to Google, amazon, netflix, facebook, stanford, mit, harvard and the federal government for fully implementing IPv6.

01:28:28
I hope some of this is useful, bob, and yes, very useful and very interesting. Bob, thanks for sharing our you know, giving us an update on our IPv6 reality check. So we are not IPv6 ready today. That is, we cannot abandon IPv4, just as we cannot abandon TLS version 1.2. As we learned, only one-third of servers are able to do 1.3 connections, so we still need 1.2.

01:29:01
Clt cybersecurity tweeted hey, steve, as security pros, we know what to do, but I'm having trouble explaining why this is the right way to my company. We have DigiCert TLS certificates for our websites. We need to keep those private keys secure. But if our server was ever compromised by a random hacker who obtained our private keys, what could they really do? Just trying to better articulate this to non-security pros, thanks and to and to the nines and beyond.

01:29:33
Okay, the danger presented by the compromise of a service TLS private certificate is one of impersonation, since it's only the server's sole possession of that private key certificate that allows it to assert its identity. So if someone else is able to assert that their server is your server, this paves the way to an impersonation attack. Depending upon who you are, that might be either a big deal or not so much. If this was a site that really mattered to its visitors in some way, then the consequences could be significant. However, even though the theft of the certificate may pave the way to such an impersonation attack. There is still a lot of pavement to traverse to pull off a working impersonation attack.

01:30:31
The biggest roadblock to implementing the attack is that the web browsers or other connecting clients who would be spoofed by this need to believe that they're actually connecting to the authentic server. In other words, they need to look up the IP address of the domain of the authentic server and then send TCP traffic back and forth to the IP that was looked up. In practice, that means that either the DNS lookup needs to somehow be poisoned to return the attacker's server IP or the victim's IP. Traffic needs to be read, it needs to be intercepted and redirected on the fly to the attackers IP. One way or another, the domain name the client believes it's connecting to must match one of the domains that certificate authenticates. So either DNS subversion or dynamic traffic interception must somehow be provided. If that sounds like a high bar to reach, it can be, but it's entirely dependent upon the specifics of who or what population is targeted for spoofing.

01:31:52
At the beginning of today's podcast of today's podcast, I was talking about layered security. Here's another example of layering. Losing control of a website certificate is not immediately the end of the world, since other layers are still in place to provide some protection, but having exclusive use of a website certificate is not a layer you want to give up. This is why the internet world, you know, went nuts several times in the past during this podcast. One of those times was Dan Kaminski's famous discovery of DNS spoof ability, which also would not have been the end of the world, though it would have been bad for HTTP without TLS. Even so, the integrity of DNS wasn't a layer of security that anyone wanted to lose, and similarly, the heart bleed flaw that potentially allowed some server web certificates to escape got everyone's attention big time because again, it would strip a layer of our multi-layered protection, and I think that perhaps this also helps to put the never exploited, as far as anyone knows specter and meltdown vulnerabilities into a useful light. It might at first appear that the industry was way over concerned about what was a purely theoretical vulnerability for which no known attack has ever succeeded. But again, robust inter-process isolation, which specter and meltdown both threatened, is another layer, and in today's heterogeneous cloud computing landscape it's a particularly critical layer. So I cannot think of an instance we're having too many layers of security is a bad thing, as long as it's not way over the top and gets in the way.

01:33:57
Craig from Scotland tweeted was just listening to SN 941, so he's a few weeks of a back and the part about public key, crypto and factoring primes, he said. It got me wondering how likely is it that there are, that there could be collisions in the primes chosen by two different people? Or would it be feasible to create a rainbow table of factored primes allowing the discovery of the private key using a quick lookup of a public key? So that's a brilliant observation and in the past that is the notion of a collision of primes, and in the past that was discovered to be happening with somewhat horrifying regularity. There were problems with the quality of some of the early random number generators which tended to choose, and then test for primality, the same large prime. So, whoops, two complete, two or more completely unrelated servers would coincidentally be sharing the same public-private key pairs, not due to any collusion between them. Well, except for the collusion of them both using the same poor sources of entropy, what was found to be happening was that the servers were booted and were immediately being asked to produce a certificate, so the server hadn't yet had time to collect sufficient entropy from the environment, and it could happen that two completely separate servers would both wind up picking the same keys.

01:35:52
And then into this we add the birthday paradox that teaches how quickly the number of collisions between pairs of unrelated items increases as the number of possible interactions increases. There's not a huge danger from sharing the same keys, but it's certainly not zero. First you would need to compare your servers, public key with the public key being sent by everyone else's server if you did find a collision. Since you know your servers matching private key, you now also know the colluding parties, or the colliding parties private key. Now, that's not good, but we already observed that just having that only removes one of the multiple layers of protection needed to exploit any advantage. The takeaway here is that we don't want to be inadvertently sharing our private key with anyone else. So the best way to assure that is to be certain that the process which is picking keys is using the highest quality possible source of randomness for its key guesses.

01:37:09
And finally, chad Cosby says hi, steve, I'm curious if you would share how you, how and how often you run spin right on the drives in your Synology NAS. He says I to use a Synology and it feels like an absurd oversight that I trust my most valued data to an occasional glance at the drive health meter within DSM, which is the, you know, synology's management console. So, chad, I suppose the question is how much redundancy you're using. I've never bothered to run Spinrite on any of my rated drives. I have four drive raid arrays everywhere. Every one of GRC's servers is running four drive raid, as are both of my Synology NASs and my one still standing Drobo, although I think it has five drives in it. In every instance I'm running raid six, so that allows me to lose any two drives at the same time without any data loss.

01:38:28
And once, not too long ago, I was flying a bit nervously with no reserve on one server until I could get two replacement drives for it. I actually had drives ready for it, but I learned that it would not allow me to mix SSDs and spinning drives in the same array. So far I have never lost any data and I've actually had more trouble with my SSDs than with the spinners. Some spinners just appear to run forever and others seem to tire quickly. You know they last long enough, but I wouldn't really call it infer mortality. It's more like teen angst. Anyway, I'm replacing my SSDs now with spinning drives and with them being so ridiculously huge and inexpensive, I will always be running with raid six and in that case I welcome, you know, any drive that gets tired and no longer wants to play. You know, just let me know and I'll slip in a replacement. But yeah, I'm, as the longtime publisher of Spinrite, I believe in redundancy and so I've got as much as I can afford in the available space. Oh, and I do had two last pieces real quickly.

01:39:46
John Carling had a tip for our listeners. He said hey, steve, listening to 946 and hearing about the requests to extend Windows 10 EOL, the group that did all the testing are they aware of the recently revealed command line argument to Windows 11 setup? And then he reveals it Setup space forward, slash product space server. He says this will install Windows 11 on a Windows 10 box that previously failed at TPM 2.0 requirements. I've done it on two laptops and one desktop myself and they work just fine. So there is a way, apparently just documented and just discovered Setup, slash product space server. You're telling setup that you're running a server rather than a desktop, so don't bother me with all this TPM nonsense and hopefully you know processor generation and all that and you just get it without any fuss or fuss.

01:40:55
And likely Michael Foley. He said, just wanted just watch the latest episode. Now I have to check all my uses of SN printf for the last 30 years. And he said GRC is also the acronym for the French name of the RCMP, which is the Royal Canadian Mount of Police. In French it's Jean-Dame of the, jean-dame of the Canada, canada, exactly GRC. So now we all know it's many things actually. Yeah, it is, there are many.

01:41:36 - Leo Laporte (Host)
It's an overloaded acronym.

01:41:39 - Steve Gibson (Host)
Yeah, and that would explain the offers I get for GRCcom. I think the highest one was $50,000. Wow, somebody who's willing to pay for GRCcom. So of course I'm not selling it, but you know, when I'm you know, 85 or 90, I was like, yeah, okay, fine, I'll.

01:41:58 - Leo Laporte (Host)
Maybe it'll be about time around then when I do a search for just GRC, I get IBM first, that's their government risk management and compliance solution and then I get the home of Gibson Research Corporation. So you're coming in, okay, you're doing all right and I don't see the Mounties here anywhere. So you want to take a break before we get into the the meat of the matter here, article 45.

01:42:26 - Steve Gibson (Host)
I do, we're going to come up. We're gonna find out what article 45 is.

01:42:29 - Leo Laporte (Host)
I'll die in a no.

01:42:30 - Steve Gibson (Host)
Why it matters and what next big battle is brewing. Hmm, interesting, the EU does it again.

01:42:38 - Leo Laporte (Host)
Oh boy. Well, let's first talk about Melissa, our sponsor for this segment of Security. Now they are the global leader in contact data quality and this is the time this holiday season you're probably gonna be doing a little bit of mail-in, right? Let Melissa help your business meet online shopping expectations, increase ROI, reduce waste and costs associated with lost and undeliverable packages, you know, just improve your customers overall satisfaction. The importance of early preparation for retailers before the holiday season is well known. Right there, there are some things Melissa can do to help you get started. First, start by cleaning out your contact data.

01:43:23
With Melissa's data cleansing solutions, all that stale, outdated data gets replaced with verified, accurate information. Replaces old addresses for people who've moved, adds new emails, updates phone numbers. Customers, of course, always want a seamless experience with efficient delivery. Right, make sure your business is meeting those expectations. Next day and two-day delivery implementation is in high demand. Melissa ensures that addresses are verified and standardized to check out with their auto complete tool. Not only does having a verified address to check out ensure the address is deliverable and is accurate, it also cuts down on keystrokes by up to 75%. You've probably experienced this you start typing the first few numbers and it says you mean this and you say yeah and you're done. It's accurate. You don't get any fumble fingered typos. You get the. The right address, saves you time and makes your customers experience quicker and easier.

01:44:21
Offering bundles and cross-selling to existing customers another great way of improving ROI. It's a lot more cost efficient than finding new customers right. The holiday season is the perfect time to do this. Customers are most likely they're not only shop from themselves, but shop for others. Profiling your data can give you a better understanding of your customer base. What products are the best sellers, but products they're likely to buy, which can help you generate more effective marketing strategies. Matching and dedupping the data is also important. Cleaning up your database so you get a complete, 360 degree view of each customer. You send fewer duplicated mailings out. It'll also help you better understand your customers, allowing for more personalized marketing with a better customer experience.

01:45:07
And don't worry about your data, because Melissa has achieved the highest level of security status available by gaining Fed ramp authorization. Now that technology is is exclusively for governmental agencies, but you know everybody benefits, right Melissa? Users all gain from this superior level of security. Melissa's services and solutions, of course, are GDPR and CCPA compliant. They meet sock to and HIPAA high trust standards for information security management. Your data is in white glove, best possible hands. Make sure your customer contact data is up to date. This is the time. Get started today with 1000 records cleaned for free. Melissa comm slash twit. M E L I S S A. Melissa comm slash twit. We love you, melissa. Happy holidays from Melissa and thank you for supporting security now all these years. Mr G and I personally thank you. Article 45 what is that boy?

01:46:11 - Steve Gibson (Host)
oh boy, so there's a storm brewing again in the EU. Yes, it's been brewing for some time, and it appears that we have another case of politicians mistakenly believing that they're able to simply dictate the terms and conditions under which tech companies will serve their populace, regardless of the implications to that populace's security and privacy. We all just saw something similar come to a head of course, with the attempt to force back doors into all encryption services. How'd that turn out? Uh-huh, every messaging provider simply said no, thank you, we'll just leave and you and your citizens can figure out what to do without us. The result was the addition of a nebulishly worded if it's technically feasible to do without weakening security clause, which was, you know, every strong encryption providers, get out of jail free card. Now we're moving into a similar challenge where, believe it or not, the EU might very well find itself and its citizens without any web browsers, or at least needing to return to the good old days of HTTP. Wow the car.

01:47:34
The controversy revolves around a made-up thing known as I guess you'd call it, quacks, quacks, quacks, qwac s, which stands for qualified website authentication certificates. So these quacky things are a specific EU form of website certificate, defined back in 2014 with the EU's EIDAS regulation. Okay, what? Eidas stands for electronic ID authentication and trust services. And actually, leo, we talked about this a couple years ago. What, when it? When this nonsense surfaced once it was, it was something about the EU wanted to be able to display more information to their, to users of websites, so they were gonna like, add it, like some additional something onto the connection, you know, like a banner or something I know anyway. So the EIDAS is an EU regulation. It did pass nine years ago, in 2014. Its stated purpose is governing quote electronic identification and trust services for electronic transactions. After it passed in 2014, its various provisions gradually took effect over time between 2016 and 2018.

01:49:08
That regulation, which never actually did much and was largely ignored, and which, by the way we did, as I said we talked about at the time, has been under review and in an upcoming process for the past several years looks like it's coming to a head. It appeared to be, in fact, going off the rails last year and the tech industry did what it could back then to say hey guys, this is not looking like something we're going to be willing to do for you, but apparently the politicians just figured that they could enact any laws they wanted to, and those techie geeks who are always complaining about something would have no choice other than to comply. So about a year and a half ago, back in March of 2022, a who's who of global internet security governance in fact, it's two pages of co-signers, names and affiliations wrote an open letter addressed to dear honorable member of the European Parliament, dear member of TLE working party, and that letter begins here's just the first few lines they wrote. We, the undersigned, our cybersecurity researchers, advocates and practitioners, we write to you in our individual capacities to raise grave concerns regarding certain provisions of the legislative proposal for a European digital identity framework, the EIDAS revision, and their impact on the security on the web. While we understand that the intent of these provisions is to improve, improve authentication on the web, they would, in practice, have the opposite effect of dramatically weakening web security. At a time when two-thirds of Europeans are concerned about being a victim of online identity theft and over one-third believe they are not able to sufficiently protect themselves against cybercrime, weakening the website security ecosystem is an untenable risk. We therefore urge you to amend the revised article 45.2 to ensure that browsers can continue to undertake crucial security work to protect individuals from cybercrime on the web.

01:51:47
Okay, now to say that this letter appear. It goes on at some length, but to say that this letter appears to have fallen on deaf ears would be an understatement. That was a year and a half ago. The near final text for EIDAS 2.0 has now been agreed upon by the EU's negotiators, and it appears to be even worse than the earlier draft. So now there's a new letter which, as of two days ago, on Sunday, has been signed by 466 scientists and researchers across 36 countries, as well as numerous NGOs, and Google also just added their name to the document. In this day and age, what this document describes is somewhat astonishing, and I need to share the first few paragraphs so that you'll get a feeling for what now hangs in the balance.

01:52:52
This was addressed to dear members of the European Parliament, dear member states of the Council of the European Union. We, the undersigned our cybersecurity experts, researchers and civil society organizations from across the globe. We have read the near final text of the EIDAS digital identity reform, which has been agreed upon on a technical level in the trilog between representatives from the European Parliament, council and Commission. We appreciate your efforts to improve the digital security of European citizens. It is of utmost importance that the global interactions of citizens with government institutions and industry can be secure, while protecting citizens privacy. Indeed, having common technical standards and enabling secure cross-border electronic identity solutions is a solid step in this direction. However, we are extremely concerned that, as proposed in its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will very likely result in less security for all.

01:54:17
Last year, many of us wrote to you to highlight some of the dangers in the European Commission's proposed EIDAS regulation. After reading the near final text, we are deeply concerned by the proposed text for article 45. The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens. Concretely, the regulation enables each EU member state and recognize third-party countries to designate cryptographic keys for which trust is mandatory. This trust can only be withdrawn with the government's permission, see article 45 a, paragraph 4. This means any EU member state or third party country acting alone is capable of intercepting the web traffic of any EU citizen and there is no effective recourse. We ask that you urgently reconsider this text and make clear that article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.

01:56:00
Article 45 also bans security checks on EU web certificates unless expressly permitted by regulation. When establishing encrypted web traffic connections, see article 45 to a. Instead of specifying a minimum security measure which must be enforced as a baseline, it effectively specifies an upper bound on the security measures which cannot be improved upon without the permission of ETSI. Okay then, skipping ahead a few pages, here's some detail that's actually difficult to believe, but it's true. Same group writing a little bit later in this letter quote the current text of article 45 mandates that browsers must accept any root certificates provided by any member state and a third I can hardly believe I'm reading this and any third-party country approved by the EU. This will have severe consequences for the privacy of European citizens and security of European commerce and the internet as a whole.

01:57:15
They explain root certificates controlled by so-called certificate authorities provide the authentication mechanisms for websites by assuring the user that the cryptographic keys used to authenticate the website content belonging to the belong to that website. The owner of a root certificate can intercept users web traffic by replacing the website's cryptographic keys with substitutes he controls. Such a substitution can occur even if the website is chosen to use a different certificate authority with a different root certificate. Any root certificate trusted by the browser can be used to compromise any website. There are multiple documented cases of abuse because the security of some certificate authorities has been compromised and, of course, we covered all this in the early days of the podcast. To avoid this, there exists legislation that regulates certificate authorities, complimented by public processes and continuous vigilance by the security community to reveal suspicious activities.

01:58:25
The proposed eidas revision gives member states the right to insert root certificates at will, with the aim to improve the digital security of european citizens by giving them new ways to obtain authentic information of who operates a website in allio. In practice, this does exactly the opposite. Consider the situation in which one of the member states or any of the third-party states recognized now or in the future were to add a new authority to the e you trusted list. The certificate would have to be immediately added to all browsers and distributed to all of their users across the e you as a trusted certificate by using the substitution techniques explained above, the government controlled authority would then be able to intercept the web traffic of not only their own citizens, but all e you citizens, including banking information, legally privileged information, medical records and family photos. This would be true even when visiting non e you websites, as such an authority could issue certificates for any website that all browsers would have to accept. Additionally, although much of eidas 2.0 regulation carefully gives citizens the capability to opt out from usage of new services and functionality, this is not the case for article 45. Every citizen would have to trust those certificates and thus every citizen would see their online safety threatened. And lastly, even if this misbehavior was discovered, under the current proposal it would not be possible to remove this certificate without the ultimate approval of the country having introduced the certificate authority. Neither eidas is article 45 nor any provisions in adjacent e you legislation, such as ndis 2 directive, provide any independent checks and balances on these decisions. Further, european citizens do not have an effective way to appeal these decisions. The situation would be unacceptably damaging to online trust and safety in europe and across the world. We believe this legislation text must be urgently reworked to avoid these serious consequences, by clarifying that e I d I s does not impose obligations to trust cryptographic keys used for encrypted web traffic. Okay, so this letter goes for seven pages before we get to the 14 pages of signatures by everyone in the world in a place of authority who knows anything about the way our internet security and privacy ecosystem is put together.

02:01:22
Mozilla authored their own letter, which was dated last thursday, november 2nd. It was co-signed by the bytecode alliance, cloud flare, dns0.eu, fastly, the internet security research group, you know isrg, the linux foundation, mozilla mulvad, open, ssf and sigstore. I'll only share the first line. It begins dear members of the european parliament, dear members of the council of the european union, we represent companies that build and secure the internet. Our organizations are either based in europe or offer products and services in europe.

02:02:03
We write to express our concern with a proposed e I d I s legislation. We appreciate efforts to use rulemaking to strengthen the security of the internet and the leadership role that europe has taken in fostering cross-border interoperability. However, leadership comes with a greater responsibility to consider the broader implications of changes. That's just the top of basically them saying the same thing. You know it expresses the same concerns and issues as the previous open letter. So the question now is what happens next.

02:02:44
A full year and a half ago, the legislators were warned about this and were given a heads up with a full, detailed, careful and respectful explanation.

02:02:57
They were very clearly told do not proceed down this path. They clearly blew it off, ignored it completely, and since then the wording of article 45 has only grown more intolerable. We've observed that in a high level, high stakes politics, it's necessary to give the player who's holding the weaker hand a face-saving way to back down. This happened with the encryption debate, where the loser in that struggle created their own way to save face, but that didn't happen until those holding the stronger hand the encryption service providers, were finally forced to deliver the ultimatum. If you outlaw our use of unbreakable encryption, you will leave us with no option other than with to withdraw our then illegal services from your territories. So is this gonna come to that? Is this going to get to ultimatums? At this point, it appears so, and this will be another important juncture in the evolution of our internet. Governments are going to learn again that they are smaller than the technology which they and their citizenry have grown to depend upon. It's theirs to use, but not to control. This is terrible.

02:04:32
At the bottom of the show notes four links the original open letter from March of 2022, 18 months ago. I've got today's 21 page. 14 of it are signatures updated letter to the EU. I've got Mozilla's the link to Mozilla's open letter and the entire text of the proposed and agreed upon EIDIS 2.0 legislation for anyone who's interested. But yes, leo, I mean it won't come to pass, it can't. I mean it can't. It is exactly analogous to what just happened with the encrypted messaging providers you know with. I mean it's worse than that, actually, and you know, and they're saying, oh, but we want to be able to intercept connections in order to add additional information banners to the you know, to people's web pages.

02:05:35 - Leo Laporte (Host)
No. And it's like sorry you know we're not letting you do that. I mean, I guess it's just EU. If the browser guys make sure it's just EU, but you know you start to add certificates into your browser, it could easily be global. They're going to vote on this tomorrow behind closed doors, so it could be approved, according to the EFF, as early as tomorrow, November 8th.

02:06:04 - Steve Gibson (Host)
Well, it'll certainly have some rollout period you know a grace period, and there'll be some deadline and it's just it's. I mean, everyone's going to have to say no, yeah.

02:06:16 - Leo Laporte (Host)
Uh, I guess I mean, what do you do if you're? It's one thing, if you're Mozilla to say no. It's another thing if you're Google to say no.

02:06:25 - Steve Gibson (Host)
Uh, I believe that Google has altered the security of their, um, of the guts of their browser so that they now use the hosting operating systems.

02:06:37 - Leo Laporte (Host)
Ah, and so that would be that's a good way to pass the buck. So then it's Microsoft or Apple, or? Yeah, that's interesting. Yeah, instead of putting these uh CA uh roots into the browser, you put into the OS. So, edge, I'm sure does that. Chrome does that.

02:06:55 - Steve Gibson (Host)
Safari, I'm sure puts it in Mac OS, right, yeah, I think that the only one who still maintains their own root store is Mozilla, because they, because they had an SS, the Netscape security suite, and and that was where all of their SSL and TLS stuff is contained.

02:07:15 - Leo Laporte (Host)
This is such an obviously horrific idea. Yeah, I mean, oh yeah. Well, you can trust every, every country that you use, great, so obviously this would never be a problem Unbelievable. My hair's on fire, I know, I know, just stunned tomorrow this could happen as soon as tomorrow.

02:07:34 - Steve Gibson (Host)
Article 45.

02:07:35 - Leo Laporte (Host)
Holy moly, e I D A S is the regulation. E I E I O, yeah, e I E O. Old MacDonald, uh, watch with interest. Tomorrow they're meeting in Brussels behind closed doors, so you don't know what that. You know golly how. How stupid and yet how predictable. Yes, the politicians don't understand.

02:08:03 - Steve Gibson (Host)
That this is not theirs to mess with. I fear that they do understand and that they want in.

02:08:10 - Leo Laporte (Host)
They. They don't want you to have a security. They want to write themselves. But I don't think they want us to have security. That's right. They want to be able to mock, to monitor the the conversations of all their citizens, yeah, and they insert arbitrary banners whatever they hell they feel like it, that's right.

02:08:29
Election ads, you know, turn them into a, a, a, a, a, a, a, a, a, a, a. You know, turkeys in the EU, or the one I could easily see him doing that oh, geez, and it, and that's the thing. That certificate is EU wide. So you, you know, you got to ask our friends in in France Do you want a turkey to say, you know, starting inserting banners in your browsing sessions, let alone see what you're up to?

02:08:57 - Steve Gibson (Host)
I just don't think that anyone will do it. I just I can't, you know, I just I don't think. I mean, this has all been curated and carefully managed. It's got some problems, but they're not big. We've tripled, we followed them for years. Yeah, this cannot be allowed to happen.

02:09:16 - Leo Laporte (Host)
Yeah. Well, there you go. This is why you listen to security now to set your hair on fire. We do this show. Wow, Steve, Wow. And you know this is not getting the coverage it really should. I know.

02:09:31 - Steve Gibson (Host)
Uh, it's sort of just happening quietly on the back.

02:09:34 - Leo Laporte (Host)
We'll start yelling about it for sure on on all of our shows. Thank you for giving us an update. Efs also has a piece concurring completely with what you say. Um, wow, I bet they do.

02:09:47 - Steve Gibson (Host)
Yeah, this would just cause them to you know, lose their.

02:09:53 - Leo Laporte (Host)
The problem is that, you know, if you go to the EFF front page, there's plenty of other things to get upset about too. Yeah, they say article 45 will roll back web security by 12 years, or more than that. Really. Steve Gibson's at GRCcom the gendarmerie Pallet, royal Dude, whatever Uh no, it's the Gibson research corporation. That's where he keeps all sorts of good stuff. Valid drive oh, what a great idea. How do you know if that thumb drive has all the data, all the space that you'd says it does it? Valid drive will tell you that's free. So you've got, of course, spin right. The world's best mass storage maintenance recovery utility. Version six is there right now. You can request 6.1. Of course, the full windows capable version of 6.1 will be out any day now. Steve will give that to you for free if you buy today GRCcom.

02:10:48 - Steve Gibson (Host)
We're at release candidates on everything now RC baby.

02:10:51 - Leo Laporte (Host)
Yep, and then of course you can get the show there. He has 64 kilobit audio of the show, but he also has a couple of unique formats formats we don't have, the 16 kilobit audio for the bandwidth impaired and human created transcripts by Elaine Ferris. Those are all at GRCcom we have the show. Web site is twittv slash SN for audio and video. There's a YouTube channel you can also subscribe. We encourage you to subscribe, and if you want to get rid of ads, there's a couple of ways to do that. If you go to twittv slash, club twit, you can just subscribe to this show individually $3 a month or for a couple of bucks more seven bucks a month. Join club twit, which gets you all of the shows ad free. Additional shows we don't put out in public. Soon the live stream is going to be club only. That'll be a chance for you to see it in the club Watch with other club members. We have a great discord there and it supports us. We are.

02:11:53
We are hitting some financial straights. Do no fault of ours or the our great hosts, but just because for some reason a podcast are no longer the flavor of the months among advertisers and it's getting harder to sell, We've had to cut our rates by more than half, so your help makes a big difference. Just seven bucks a month at GRC, I'm sorry. I'm sorry. Twittv slash club twit and we have the GRC, we have the security now podcast there for two 99. If you just want that one. I know you have a lot of fans who want to help out. Steve, I will see you next week.

02:12:31 - Steve Gibson (Host)
And we'll have an update on article 45. I have a feeling.

02:12:35 - Leo Laporte (Host)
Wow, oh, I hope they just turn their oh whoops. Never mind, let's know, let's not. Have a great week, steve, we'll see you next time on security. Everybody Bye.

02:12:47 - Lou Maresca (Other)
Come join us on this weekend at a prize. Tech expert Coase and I talk about the enterprise world and we're joined by industry professionals and trailblazers like CEOs, cios, ctos, cisos every acronym role plus IT pros and marketeers. We talk about technology, software plus services, security you name it everything under the sun. You know what? I learned something each and every week in a picture. You will too. So definitely join us and, of course, check out the twittv website and click on this weekend at a prize tech subscribe today.