Security Now 1004 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is here, his reaction to Microsoft's announcement you'll have to have TPM 2.0 for Windows 11. You might imagine Steve's a little upset. He'll talk about that in just a little bit. Apple patents AI recognizing people by the clothes they wear, the FTC is going after data brokers, and Steve's going to take a look at coding with ChatGPT. He has some very interesting thoughts. It's all coming up next, on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1004, recorded December 10th 2024: A Chat with GPT. It's time for Security Now, the show where we cover your security online, your privacy, your safety, what's going on in the world of cyber security with a man, a plan, Panama? No, no, I'm sorry, that's wrong. Mr. Steve Gibson, that's who I'm talking about, of GRC fame.
01:18 - Steve Gibson (Host)
Hi, Steve. Hello Leo, great to be with you for, uh, what is this? Uh, episode 1000, like, I don't know. Episode 1,004.
01:27 - Leo Laporte (Host)
It says it right at the top of the show notes big letters.
01:30 - Steve Gibson (Host)
Hey, and what happens on the holidays? Because we have some. I think things collide with Tuesdays.
01:37 - Leo Laporte (Host)
I don't know if... Oh, we are doing a Best Of for you, right, Anthony? I think we are, so there'll be a Best Of Security
01:44 - Steve Gibson (Host)
Now. In fact, people can contribute their thoughts, uh, so there'll be a Best Of and then we're off for a week, right? Or does the Best Of fill in for, like, the between Christmas?
01:55 - Leo Laporte (Host)
Because Christmas is Wednesday, so Christmas Eve, yeah, it's probably when the Best Of is, Anthony. Are we planning to do a New Year's Eve show or not? No one knows.
02:08 - Steve Gibson (Host)
I will have to ask the boss. Can you hear me? Yeah, we're dark.
02:11 - Leo Laporte (Host)
We're dark on New Year's Eve, yeah, so no show on New Year's Eve.
02:15 - Steve Gibson (Host)
Woo-hoo.
02:16 - Leo Laporte (Host)
Oh sorry, you used to say no, no, no, I got to do a show. You don't care as much. Okay, there's that wife.
02:27 - Steve Gibson (Host)
You have a, you have a life. Now you're gonna be dancing. I will be kept busy with endless social. What are we doing now, honey, before?
02:31 - Leo Laporte (Host)
You had a wife. You danced with the James Tiberius Kirk on our set, much more nimble.
02:38 - Steve Gibson (Host)
Back then, my friend that would.
02:40 - Leo Laporte (Host)
I'll never forget that. We did our our 24 hour New Year's marathon. Steve came up for it one year and danced with a cardboard cutout of the captain.
02:50 - Steve Gibson (Host)
I remember I was either completely sober or I was way far from it. I think actually I was completely sober.
02:57 - Leo Laporte (Host)
You probably were and people would have thought that I was inebriated. No, you were in the spirit.
03:01 - Steve Gibson (Host)
To make such a fool of myself, but no, no, it was fun, of course. On the other hand, you were getting your butt tattooed, so it was quite the event that year that all.
03:09 - Leo Laporte (Host)
By the way, video of that exists and is still available, Don't?
03:12 - Steve Gibson (Host)
Don't, don't, don't, no, don't, don't, don't.
03:17 - Leo Laporte (Host)
I think it's on our YouTube channel.
03:27 - Steve Gibson (Host)
All right, talking about, uh, more seriously, and I'm more serious now, okay, so, uh, uh. Today's podcast is titled A Chat with GPT, and I listened to the end of MacBreak Weekly, where Andy and Alex were singing the praises of coding with ChatGPT. Alex has had the experience and it's interesting because he characterized it much as I have, that is, he
03:46
He was going further because he was wanting it to basically create an entire application framework with most of the things filled in, except for a few things that, you know, it just couldn't get right. Um, anyway, I had an experience over the weekend that, you know, again, it was like, okay, what? And so I'm going to share that, and I have to take us a little bit into the weeds of the questions that I was asking in order to set up the dialogue that we had. And then I have an announcement to make. But so this, again, today's episode is titled A Chat with GPT. But we have a lot of stuff to talk about. All telecom providers have been hacked and may still not be safe to use, also, which I heard you mention on MacBreak. So now the government is recommending that we use our own encrypted communications.
04:47 - Leo Laporte (Host)
Uh-huh.
04:48 - Steve Gibson (Host)
Uh-huh.
04:49 - Leo Laporte (Host)
Okay.
04:50 - Steve Gibson (Host)
Also, the plan to obsolete all non-TPM 2.0 PCs remains well underway. Microsoft must be feeling the heat, so they're taking the time not to apologize. Also, whoops, Microsoft's product activation system has been completely hacked. Like, fully, the things that the hackers weren't previously able to activate they can now activate. So all Windows and Office products may now be easily activated without any licensing. Also, we're going to talk about the coming AI patents. Apple patented AI recognizing people by what they're wearing after seeing video of their faces and noting what they were wearing.
06:06
Also, the FTC, fortunately, has set their sights on data brokers, so we can hope that something comes of it. GRC's email finally gets BIMI, and I had a lot of feedback from our listeners who received email from me showing our Ruby G logo for the first time, so I'll update us on that. We also have a bunch of terrific listener feedback. One, I'm going to go into some depth about authenticator policy and use. Also a new and free point-to-point link service, Tor's Snowflake proxy. Also a bunch of feedback from our listeners suggesting solutions for linking PCs and smartphones, which I've been complaining about my lack of ability to do. Also, one listener said, Steve, how do I refill my SodaStream canisters again? So I'll touch on that briefly, and then we're going to talk about the shocking, well, to me, because I was born in the mid-50s,
07:22
conversation I had with ChatGPT over some subtlety of assembly language syntax and how that went and of course we've got a great picture of the week for our listeners. So I think a podcast that'll keep everybody entertained.
07:40 - Leo Laporte (Host)
I'm very curious about ChatGPT's assembly language capabilities. That will be interesting. You know, there's actually a lot of controversy this year because people are using LLMs to solve the Advent of Code problems in seconds. It's immediately obvious because, I mean, even somebody who's a professional coder, you know, competitive coder, will take a few minutes at least, because you've got to look at the problem, solve it, write the code. These guys are doing it in four or five seconds. It's obviously, wow.
08:13 - Steve Gibson (Host)
They're using it. Wow, well, and it's sad too, right? I mean, like, what's the point? If you enjoy playing chess, then why use a computer to cheat for you?
08:23 - Leo Laporte (Host)
But people do that, even at the highest level. I know it's very bizarre. I don't get it.
08:28 - Steve Gibson (Host)
It's like me. I don't want it to program. I love to code, Leo. When I had 32 employees, oh no, 23. Sorry, I got the digits backwards. I had 23 employees. I was upset because they were getting to have all the fun. I had meetings and I didn't want to have meetings, no fun. I wanted to do the R&D and write the code and worry about, you know, design, ads and all that, and so now it's just me, and you get to do it all with Greg and Sue to do this stuff.
08:59 - Leo Laporte (Host)
Yeah, you don't want to do the bookkeeping or support. That part they can have. Yeah, yes, they are my ChatGPTs in that case.
09:07
But you know, it's probably only a matter of time before you've got an AI to do some of that stuff too. Yeah, anyway, we'll talk about that. I'm very curious what you found, so that's going to be fun. But that's just around the corner, because we're going to have a word from our fine sponsor right now, the folks at Lookout. Today, every company is in the business of managing data, right? That's your lifeblood. It also means that every company is at increased risk of data exposure and loss.
09:36
If you listen to this show, you know, you see the headlines: cyber threats, breaches, leaks, and one thing has become apparent, cyber criminals are getting more sophisticated every single day. Modern breaches now happen in minutes and not months. So, at a time when the majority of sensitive corporate data has moved to the cloud, those boundaries, the traditional boundaries between the outside world and the inside world, have just dissolved, and the strategies for securing that data have just fundamentally changed. That's why you need Lookout. From the first phishing text to the final data grab, Lookout stops modern breaches as swiftly as they unfold, and that's wherever your data is, on a device, in the cloud, across networks, even if it's sitting on a laptop at a local coffee shop where your employees are working remotely.
10:30
Lookout gives you clear visibility into all your data, at rest and in motion. You'll monitor, you'll assess, you'll protect, without sacrificing productivity for security. I mean, you got to have that latte. With a single unified cloud platform, Lookout simplifies and strengthens. They've re-imagined security for the world that we'll be today. Right, plan ahead. Visit Lookout.com to learn how to safeguard data, how to secure hybrid work and, yes, it's a single platform, reduce IT complexity. That's Lookout.com, L-O-O-K-O-U-T, Lookout.com. Look out for Lookout. We thank them so much for supporting Security Now and the good work that Steve Gibson is doing. I am ready, Mr. G.
11:18 - Steve Gibson (Host)
I haven't looked, so this picture was a no-brainer to caption. It was demanding the caption: What could
11:29 - Leo Laporte (Host)
possibly go wrong? All right, I'm scrolling up now to see it for the first time. Oh boy, that is a terrifying sight. So, okay, now, okay, I'm going to.
11:52 - Steve Gibson (Host)
I'm going to share the feedback that we've already received from one of our listeners, yeah, who asked ChatGPT what this picture, what was the significance of this photo? That's interesting. So again, Leo, and this is, okay. So he wrote: I, of course, also, being blind, have taken to ChatGPT to get even better descriptions of images. I look forward to the upcoming show to see how it did, but I think you'd have to agree that the bar for image descriptions is now insanely high. It's certainly much better than anything we've had up until now, including Microsoft's and Apple's own vision models, useful as they've been in the past, and being offline. Here's what I asked and the response. So our blind listener, who received the email, there were 13,675 emails, 1004 dot JPG, you know, JPEG image, from that URL. This technology we have today said:
13:22
The image shows a humorous but precarious scenario. A red door with a silver handle is being unlocked using a key. The person holding the key is positioned above a metal grate that covers an open pit or vent below the door. The text above the image reads: This photo demands the caption, what could possibly go wrong? The concern, writes ChatGPT, is obvious. If the key slips or falls, it would likely drop through the gaps in the grate and into the pit below, making retrieval very difficult. The situation highlights a classic Murphy's Law setup where the most inconvenient outcome seems inevitable. Holy cow, that is really good. Like, what have,
14:19
what what?
14:21 - Leo Laporte (Host)
Um, I can only think that maybe, before we get too excited, that that image has showed up somewhere, uh, in a newspaper, with similar dialogue below it and that ChatGPT's making the connection. But that's pretty impressive. You know, I, my blog is, uh, hosted by a site called Micro.blog and it has an automated feature, because I post images there, of doing that, of asking an AI. Because you want to, on a blog, if you have images, put an alt tag for unsighted readers, like your correspondent there, and it does a very good job. I used to write my own alt tags and I have to say this is a lot easier, to let the AI do it. But that is above and beyond.
15:07 - Steve Gibson (Host)
So I don't know that I need to further describe the picture, because ChatGPT just did, and one person commented that it might be a grate which is used in snowy country to allow people to scrape the snow, the packed snow, off the bottom of their shoes, although then I would think the bars would be oriented horizontally to make it more easy to scrape. I just think it was an inconvenient location for a drain to be. You know, I mean, as we've seen, there are many instances where you wonder, okay, who's in charge here? This doesn't make any sense.
15:47 - Leo Laporte (Host)
But anyway, it was a perfect setup for the topic we're going to get to at the end of the day.
15:59 - Steve Gibson (Host)
So, wow. An unsighted listener last week thanked me for always going to lengths to describe the photos, which she gets so much enjoyment from. So I just wanted to give her the tip that ChatGPT is standing by and, frankly, Leo, it'll be interesting to feed it maybe some more obscure images that seem less likely to have been populated on the Internet and just see if this was an anomaly. Or again, it's just, we have, there's something going on, and I don't want to step on my plan, but we'll get there by the end of the podcast.
16:44
I have some news. Okay, so Salt Typhoon is the name that's been given to this group. For the past several months, there have been various news reports of Chinese state-sponsored attacks against this or that US telecommunications company. I've seen them. I haven't mentioned them on the podcast because we've had so much else to talk about and, I don't know, it sort of didn't seem to have reached critical mass, but that changed last week. Anne Neuberger, the US Deputy National Security Advisor, said that at least eight US telcos, and actually apparently a total of 80 overall, but eight US telcos, have been hacked and that the US is now getting set to take some coordinated, definitive action. So I think we need to do a bit of catching up on the podcast. Found on... this was headlined "Chinese hack of global telecom providers is ongoing, officials warn," with the subhead "Officials from the FBI and CISA say the major Chinese hack began late spring and they're strongly urging Americans to use encrypted communications." Like, what? Okay? Okay, so the reporting says last Tuesday, federal officials said that the federal government began investigating a major Chinese breach of global telecommunication systems last spring, and they further warned that the intrusion remains ongoing.
18:24
It's likely larger in scale than previously understood. The hacking group known as Salt Typhoon, the effort, targeted dozens of telecom companies in the US and globally to gain access to US political leaders and national security data. Neither the timeline of the hacking effort nor the scope of the intrusion were previously disclosed. Jeff Greene, executive assistant director of cybersecurity at CISA, and a senior FBI official said Tuesday that while agencies started cooperating on their investigations of Salt Typhoon's activities in early October, the effort was first detected in late spring and early summer. He also warned that the breach is ongoing and that there was much law enforcement still did not know.
19:24
Greene said, quote, "We cannot say with certainty that the adversary has been evicted." Oh, wow. "We're on top of tracking them down, but we cannot with confidence say that we know everything, nor would our partners." Greene strongly urged Americans to, quote, "use your encrypted communications where you have it," unquote, adding that, quote, "we definitely need to do that, kind of look at what it means long term, how we secure our networks." Wow, yikes, that's definitive. And notice the irony of the government telling its citizens that they need to use their own encrypted communications apps wherever possible, because the networks of the telecommunications providers, well, turn out to be insecure, and there doesn't appear to be a lot that could be done about that, and we're not even sure we got rid of them or what they're doing or what's going on. They're cockroaches.
20:28 - Leo Laporte (Host)
We can't get rid of them. They're in there permanently, of course.
20:32 - Steve Gibson (Host)
Ironic, right, because our governments have been chafing over their citizens' use of the same encrypted applications which the government is unable to penetrate.
20:41 - Leo Laporte (Host)
There's even more irony because the Salt Typhoon people are taking advantage of wiretaps that were inserted by CALEA 20 years ago because law enforcement said they needed them. The irony is endless. Yep.
20:57 - Steve Gibson (Host)
So maybe as many as 80, you know, eight zero, telecommunications companies and internet service providers, including AT&T, Verizon and T-Mobile, are believed to have been infiltrated in the hack. There are 80 of them, 80 globally. Yeah, basically all of them, right, because we don't want to miss anybody with our CALEA warrant. T-Mobile was the most recent one in the news. Anyway, earlier last Tuesday, CISA, the FBI, the NSA and partner agencies in New Zealand, Australia and Canada released a joint alert warning that Chinese hackers were targeting major global telecommunications providers. Officials declined to comment on specifics, but acknowledged that, quote, "there were servers used in various countries to facilitate this activity by the Chinese," unquote.
21:56
Interestingly, the UK did not sign on to the alert, making it the only one of the Five Eyes intelligence sharing group which was omitted. Greene attributed this to each country having "different considerations and timelines," unquote. Okay. A spokesperson for the UK's National Cyber Security Centre said Tuesday that the agency "supports our international partners issuing this advisory to help improve the collective resilience of telecommunications infrastructure," but at the same time didn't sign on to it. But, oh yes, we're supportive, we're just not going to put our name on it. And he also said the UK has a separate approach to mitigating cyber risks due as telecom providers. Okay, anyway, the officials from the FBI and CISA noted in their briefing that there were three groups of victims targeted in the hacks. The first group was an undisclosed number of victims, mostly in the United States capital region, meaning
23:01 - Leo Laporte (Host)
DC yeah.
23:03 - Steve Gibson (Host)
According to the officials, who were impacted by stolen call records from telecom companies. The second group were a small number of political or government-linked individuals, all of whom have been notified by officials. So, based on the records of this intrusion, they at least were able to identify the targets of these attacks who had their private communications compromised. According to a senior FBI official who spoke anonymously as a condition of briefing the reporters, while the officials did not specify exactly how many officials were targeted, it was previously reported that the phones of President-elect Donald Trump and Vice President-elect JD Vance were among those compromised, in both cases prior to the US national election. In many cases, the voice and textual content of call connections and conversations were obtained by Chinese attackers, in other words, not just metadata.
24:05 - Leo Laporte (Host)
That's interesting. Well, well, it's a wiretap, so yes, it was wiretapped.
24:09 - Steve Gibson (Host)
In addition, the Chinese hackers also accessed and copied US court orders, which the FBI officials said were attained through the, as you noted, Leo, Communications Assistance for Law Enforcement, C-A-L-E-A, CALEA, statute program. This program allows law enforcement and intelligence agencies to submit court orders around intelligence collection from telecom providers. When pressed on whether hackers were able to access court orders for intelligence collected under the Foreign Intelligence Surveillance Act, FISA, which allows US intelligence agencies to collect data on foreign targets, the FBI official declined to answer directly, but acknowledged that the CALEA environment does include court orders for FISA investigations.
25:00
The major hacking campaign has been an issue of increased concern for US lawmakers in recent weeks, the Senate Intelligence Committee chair, Mark Warner, describing it as, quote, "the most serious breach in our history." Now again, we installed the taps. So, gee, oops. I mean, this is like, isn't this the perfect analogy for why we don't want the government to have access to encrypted communication? This is the whole proof. They're not good enough at it.
25:30 - Leo Laporte (Host)
No one is. Any backdoor will eventually be discovered.
25:34 - Steve Gibson (Host)
Yep. Senator Mike Rounds, ranking member of the Senate Armed Services Committee's Cyber Subcommittee, said during a panel at last month's Halifax International Security Forum, quote, "unless you are using a specialized app," meaning, you know, our own encryption, "any one of us and every one of us today is subject to the review by the Chinese communist government of any cell phone conversation you have with anyone in America." Okay, this is Senator Mike Rounds, you know, with the Senate Armed Services Committee Cyber Subcommittee, saying unless you use something else, that is, just don't talk on the phone, you know, do something else. Unbelievable. Anyway, I think this news highlights the clear need for independent third-party end-to-end encrypted video, voice and text messaging systems. We're being told that the conversational content, not just connection metadata, of anything carried by our international and national telecommunications carriers can no longer be considered to be secure from eavesdropping by advanced, persistent threat actors who want to know what's being said.
27:00 - Leo Laporte (Host)
Well, they can have my phone calls, I'm not saying anything.
27:04 - Steve Gibson (Host)
Right, but you know there are conversations which we don't want China to have. So, if nothing else, this news, which has now been officially recognized, weakens any argument against allowing users of public telecommunications systems to provide and use their own truly secure end-to-end encryption for their conversations and content. You know, the analogy is to the internet, right? The internet is a similar public network which is not itself secure. So to it we've added a layer of authenticated TLS encryption to enable point-to-point, end-to-end communications security, HTTPS, and no one has any problem with that. So what's the difference, and what's the big deal?
27:56 - Leo Laporte (Host)
I should point out a reporter at Forbes looking at the actual request by the FBI that people start using encryption. The request said use "responsibly managed encryption," which is encryption that allows us to subpoena the clear text, because we have responsibly managed telecom. We... and how's that working out?
28:25
So what they're saying is use encryption, but, uh, not too good. So what, we should all use Signal or whatever it is, Threema, whatever it is that you like. Uh, what do you, what would you use these days? Because you need to make phone calls. It has to have audio as well, right? Yeah?
28:44 - Steve Gibson (Host)
I guess. I guess I would use Signal if I had to have an end-to-end encrypted system that I trust. WhatsApp is using the Signal protocol, so it's the same as Signal.
28:59 - Leo Laporte (Host)
Basically. If you trust Meta. I mean, I'm sure I fully trust Meta. Okay.
29:04 - Steve Gibson (Host)
Yeah, wow, yeah. I mean, certainly Signal doesn't have, can't have any other agenda, because their entire business model is...
29:16 - Leo Laporte (Host)
They don't even have a business model, right. I mean, what is their business? There is no business model, it's just... Yeah, what a world, huh? Yeah, it's just, you got to do what you suggested: go out in the field, take off all your clothes, go out in the field, far away from any... get under a comforter with someone you know, and if you want to say something really private.
29:37 - Steve Gibson (Host)
Bring them and make it with, yeah, bring a space heater, a little portable one, yeah, you know. Yeah, make sure it's not made in China, though. Oh yeah, you don't want an interconnected, uh, internet-connected space heater. No, no, it is, it is the world we live in.
29:54 - Leo Laporte (Host)
At least there is no privacy. No, no, that's a sad fact.
29:59 - Steve Gibson (Host)
Okay, so TPM 2.0, and we're not kidding.
30:05 - Leo Laporte (Host)
Oh, we talked about this with Paul and Richard last week. Wow.
30:09 - Steve Gibson (Host)
Yeah. A posting to the Windows IT Pro blog last week was titled "TPM 2.0, a necessity for a secure and future-proof Windows 11." And, of course, I titled this bit of news "TPM 2.0, and we're not kidding." I'll give everyone a sense for this by sharing just the first few paragraphs of what is a quite lengthy posting by Steve Hosking, whose info on X identifies him as senior program manager for Windows commercial, and I, you know, because I try to get my spelling correct, I noted that he has commercial spelled with one M, so I don't, okay. Anyway, he wrote: With Windows 10 end of support approaching, this is right,
31:00
next October, it's important to revisit a key minimum system requirement for Windows 11, Trusted Platform Module TPM 2.0. Let's discuss the role of TPM and its value for those of you who have made the transition to Windows 11. You'll also learn how to check your TPM status and how to prepare for Windows 11, presumably for those who haven't yet transitioned. TPM refers to a dedicated chip or firmware that offers hardware-level security services for your device. It securely houses encryption keys, certificates, passwords and sensitive data, shielding them from unauthorized access. Additionally, TPM is tasked with cryptographic operations such as producing random numbers, encrypting and decrypting data and confirming digital signatures. TPMs are available from many different manufacturers, including Microsoft on supported CPUs with Pluton. And I'll just note, all of that's true of TPM 1.2 equally. Okay, but there's differences.
32:12
We'll get to that in a second. He continues you know that Windows 10 is approaching end of support. In Windows 11, TPM 2.0 advanced encryption techniques offer more versatile and critical key management for contemporary IT infrastructures as compared to its predecessor, TPM 1.2. Integrating with features like Secure Boot and Windows Hello for Business, TPM 2.0 enhances security by ensuring that only verified software is executed and protected confidential details. It's true that its implementation might require a change for your organization, yet it represents an important step toward more effectively countering today's intricate security challenges. And finally, I'll finish with him saying the TPM 2.0 helps keep your identities more secure and your data protection more robust.
33:15
Can you ensure operating system integrity upon startup? Yes. Can you better protect sensitive information, data and secrets? Yes. It provides a vastly more efficient and secure platform for Windows 11, vastly okay to use through advanced encryption methods, improved industry standard cryptography, increased isolation and greater interoperability with other security functions. Okay, enough of that. And that's just like the tip of his iceberg.
33:51
Okay, so is TPM 2.0 really better than 1.2? Yes, it is, without a doubt. It offers newer, updated cryptographic operations such as elliptic curve crypto and SHA-256-bit, SHA-2-era hashing and message authentication functions instead of just SHA-1. And it provides a privilege management hierarchy rather than just the single level hierarchy, which isn't really a hierarchy, the single level offered by TPM 1.2. But here's the problem. While 2.0 is, without a doubt, new and improved and should be adopted and used going forward, there's never actually been anything found wanting about TPM 1.2 that might force its abandonment. As we've observed from the beginning, this is an arbitrary requirement. TPM 1.2 had been working just fine for everyone, and still is, until Windows 11 came along.
35:04
I would have no problem with Windows 11 taking advantage of the more secure features available from 2.0, if and when they were available in the underlying platform. But it should be up to Windows users whether or not they feel they need to upgrade their PC hardware to obtain that additional security under Windows 11. And Stephen wrote, "it's true that its implementation might require a change for your organization." Right, a change? What he meant is that the move to Windows 11 may forcibly obsolete all of an organization's current stock of PCs, which are otherwise, right now, still quite happily running Windows 10.
36:00
Windows 11 and Microsoft's continuous IV drip of life support to continuously repair the apparently endless supply of serious security bugs in Windows 10 will be coming to an end next October. As we covered previously last Halloween, enterprises and individuals will have the option of paying for extended life support for up to three more years. In the case of enterprises, though, it becomes increasingly expensive each year. Nevertheless, switching is always difficult. I get that, and I would not be surprised to learn that many of our listeners or their organizations were seriously considering either paying to stay with Windows 10 on their current hardware or perhaps switching to the arguably superior alternative offered by 0patch.
36:56
It rubs me the wrong way for Microsoft to be charging its customers to fix security flaws in its own products when it is already fixing them anyway and has a well-running system in place that allows those fixes to continue being delivered.
37:19
What Microsoft is planning to do next October is to deliberately disable the existing Windows Update for Windows 10 users who choose not to pay to have Microsoft continue to repair their own software flaws. What's wrong with this picture? As we noted last week, the United States government recently opened a broad antitrust investigation into Microsoft's abuse of its monopoly power. So Microsoft choosing to force the obsolescence of hundreds of millions of PCs, or hold their customers ransom over fixing those software flaws in their own products, could not come at a better time. We've seen that it's possible for Microsoft to examine its own behavior and change when it's shown to be wrong. In the case of their cloud computing security, they were previously offering paid security enhancements through logging that should have been included at no charge as part of the base offering, rather than being disabled by default. Once it became clear that this conduct was unusual and wrong, they began including those additional services free of charge. October is still 10 months away and there's time for another policy change regarding the future of Windows 10 and 11. Stay tuned.
39:00 - Leo Laporte (Host)
Yeah, I doubt they will. We'll see.
39:08 - Steve Gibson (Host)
It's just, again, they're making those updates available to people who pay.
39:12 - Leo Laporte (Host)
Yeah, and so that means they're disabling that for Windows 11.
39:19 - Steve Gibson (Host)
Like, just, okay, let's take a break so I can calm down.
39:23 - Leo Laporte (Host)
Let's make sure that the break is not sponsored by Microsoft, and then, oh yeah, we're good, okay.
39:34 - Steve Gibson (Host)
I don't think we've ever had Microsoft as a sponsor. I don't think we ever will.
39:37 - Leo Laporte (Host)
I don't think that's going to happen. At this rate, it ain't going to happen. They don't even sponsor Windows Weekly. But then again there's Paul Thurrott to deal with. I will tell you about something you've got to have. Everybody should have it. Our sponsor for this segment of Security Now is the Thinkst Canary. This is such a great idea.
40:02
You and I did an event in Boston, a LastPass event, yep, with, uh, the guy who created the first known honeypot. Was it Steve Bellovin? I'm trying to remember who it was, or Bill Cheswick? It was Bill Cheswick. Oh, I'm sorry. Yeah, yeah, Bill Cheswick, uh, and Ches, who's a great guy, said it was a lot of work. It was a very technically sophisticated thing to do.
40:26
What's a honeypot? We've talked about that on this show many times, in fact on our first show. It is a device on your network that looks like it's harmless, right. In fact, it doesn't even look vulnerable. It looks like something valuable, looks like something a bad guy would go, oh, there's where the treasure lies. Think of it. Yeah, it's a treasure chest that looks so valuable on your network, but inside, surprise, it's not a treasure chest, it's an early warning system. It's a canary, if you will, in the coal mine. That's what the Thinkst Canary is. But now they've solved that whole technical issue of how hard it was to do, that Ches was talking about. They've made it simple and easy.
41:08
The Thinkst Canary, it's a honeypot. Looks about like an external USB drive, has two connections, one to the wall, one to your network, one Ethernet connection. You can deploy it literally in minutes. You can go into the hosted console and choose what the device looks like to the bad guy. Mine is a Synology NAS and I mean they do it right. It's got a Synology MAC address, it's got the DSM software, it's got the login, it's got everything. I mean it really looks like a genuine Synology device.
41:40
Maybe it's an OpenSSH server, maybe it's a Linux box or a Windows box, maybe it's a very vulnerable Windows 95. You can make it be a SCADA device. I mean, the sky's the limit. They have hundreds of different profiles. So you select it from the dropdown and you could turn on, if it's a server, you could turn on which services are available, light it up like a Christmas tree back here, or just, you know, select port 139. Let's just leave that open and see what happens. Now here's the thing: you set it and you forget it. You walk away. Mine's just running in the corner. But here's the thing. If somebody is accessing the Thinkst Canary, brute forcing that fake NAS or that fake SSH server, or if they're accessing the lure files, because that's the other thing that Thinkst Canary can do, you can actually create files that look like PDFs or docs or Excel, anything you want, but if somebody tries to open it or tries to get into that server, you're going to immediately get an alert from the Thinkst Canary that says, hey, you got a problem, you have a malicious insider or a bad guy, but somebody is probing your network.
42:45
And here's the thing: no false alerts, just the alerts that matter. So it's very simple. Plug it in, connect it to the network, choose a profile for your Thinkst Canary device, register with a hosted console. It's going to do the monitoring and it's going to send you the notifications. By the way, this was designed by people who have been teaching companies and even governments how to penetrate systems. So it is hardened. You're not putting a risky device on your network.
43:12
This thing is super well designed to be really hard, really, really secure and not to give you a bunch of false warnings. You set it up, you can get alerts, text messages, email. It supports webhooks, it supports syslog, it has its own console, it has an API if you want to write one. It's kind of sky's the limit, any way you want to get notified. You can have your smartwatch say, hey, there's somebody in your network. But when that bad person, that malicious insider or the attacker, makes themselves known by accessing your Thinkst Canary or its lure files, you're going to get the notification and you're going to know you got a problem.
43:53
On average, companies don't find out for more than three months that they've been breached. That's three months. The bad guys get to wander around inside your network exfiltrating customer information, user data, looking for where your backups live, doing all sorts of nasty stuff. Three months. Of course, if you've got the Thinkst Canary, they're going to go straight to that treasure chest and try to unlock it and you will know. Pricing. Let's talk about pricing. Most, you know, if you're a big bank or a casino operation, back-end operation, you're going to have hundreds of them. Small business like ours might have, let's say, five.
44:29
Go to canary.tools/twit. Five Thinkst Canaries, 7,500 bucks a year. You get five Thinkst Canaries, you get your own hosted console, you get upgrades, support, maintenance, and if you use the code TWIT in the "how did you hear about us" box, you're going to get 10% off the price for as long as you use Thinkst Canaries.
44:48
Oh, and here's something else. If you are at all skeptical, get it, because you can always return your Thinkst Canary. You have a two-month, 60-day money-back guarantee for a full refund, so there's no risk. I will point out that in the seven years Twit has partnered with Thinkst Canary, no one has ever asked for a refund. Not once. So I think they work pretty well. Visit canary.tools/love if you want to see all the love people are sharing for the Thinkst Canary. And if you're interested, go to canary.tools/twit. Don't forget to put TWIT in the "how'd you hear about us" box. You'll save 10% for life. Thinkst Canaries. These things are genius. Go to canary.tools/twit to learn more. And now, now back to Steve Gibson.
45:37 - Steve Gibson (Host)
Okay. So while we're on the topic of Windows or Microsoft, Martin Brinkmann, writing for gHacks, titled his piece "Hackers claim to have cracked Microsoft's software licensing protection almost entirely." Oh boy, uh-huh. He writes, and it looks legit, a team of hackers claim that they've cracked, this is a quote, "almost the entire Windows/Office software licensing protection," unquote. The breakthrough allows them to activate almost any version of Windows and Office permanently. Windows and Office installations require activation. This may happen behind the scenes or when users enter product keys.
46:21
Workarounds and hacks have been available for a long time. One popular choice requires running a single line of instructions from a PowerShell prompt to activate Windows 8 or later or Office. The creators of the solution claim that they found ways to extend this to even more Windows and Office products. The new method works on any Windows client or server version and includes extended security updates, which Microsoft starts charging for next October unless they change their policy, and Microsoft customer-specific volume license keys, CSVLKs. The method used up until now could not activate everything permanently, but now, for the first time, the versions that had remained elusive have been supported: Windows 7, 8, and 8.1, any recent Windows Server add-ons and extended security updates are all added. The hack, he says, for example, enables support for Windows 10 ESU once it starts in October 2025.
47:28
The hackers claim that the discovered method is simple. It does not require third-party file installations or system file modifications, according to a post on X. Okay, now I've captured their posting to X, which was posted by @massgrave, M-A-S-S-G-R-A-V-E. In this instance, the reason they chose this moniker is MAS stands for Microsoft Activation Scripts, and they posted "Hi @everyone." They said, "We're thrilled to share some groundbreaking news from the @massgrave R&D team!" Exclamation point. "Our team has successfully cracked almost the entire Windows/Office software," anyway, so they just repeat basically what Martin quoted them saying. For anyone who's interested, I have the X.com link to this posting in the show notes and also the PowerShell MAS scripts. All right, now I'm about to do this.
48:33 - Leo Laporte (Host)
Steve, should I be? Is it scary? Is it nerve-wracking? Should I even do this? So I have a key. I installed a second virtual machine and, uh, of course the product key was associated with the first one. I could go back and figure it out. But what if I just ran their little PowerShell script here? What do you think? Oh, it said no. Okay, so maybe it's complaining about not, uh, something not getting an SSL.
49:04
Yeah, not getting a TLS channel. I'm not sure why not. I'm online. All right. This was probably a foolish thing anyway, so I'm glad it stopped me. Okay, okay, well, right, okay, so, downloading and running software from the internet.
49:19 - Steve Gibson (Host)
Oh, actually it is, uh, it is a local PowerShell script that, as far as I know, does not need access to the internet.
49:28 - Leo Laporte (Host)
Oh, but this was, I was using that first, uh, option, so maybe. Okay, so anyway.
49:32 - Steve Gibson (Host)
So I recognize this is controversial, right, but this is now not any secret. First of all, the scripts are hosted on GitHub, which Microsoft owns. Oh yeah, you're right. And they're posting on X. When I looked, the first time I looked, it had 913,000 views. 913,000 views. Then I looked the next day and it was 916,000, more than 916,000. So, again, cat's out of the bag. I did download because I was curious. I went to GitHub, Microsoft's property, looked at their stuff and downloaded a zip containing their PowerShell scripts. They look very comprehensive. They are very complex and detailed. You know, I didn't spend much time with it, since I have no particular interest in any of this. I just wanted to report what has happened because it's news, and I'm sure that many frisky script kitties out there, literally script kitties, are already enjoying many hours of playing around with this to see what it does. An example screenshot of a fully, permanently activated version of Windows with extended security updates has been shared as part of the post. The methods have worked for years. This is Martin writing. According to one of the follow-up posts, their digital license method has worked since 2018 and the KMS method, whatever those are, for at least 17 years.
51:28
The discovered hack will be made available in the coming months, according to the original post on X. So I'm a little confused by that, because it looks like what's there is the whole deal. Maybe you're right, Leo. Maybe there is some piece of it that it's obtaining from the net, although it looked to me like there was a lot of script there, a PowerShell script that was doing all of the heavy lifting. He writes, the discovery is a serious blow for Microsoft, provided that the hack is indeed as foolproof and easy to apply as claimed.
52:00
It's unclear how or if Microsoft will react to the hack. For now it seems that the hackers have, at least temporarily, won the battle. I'm not sure that I agree that it's a serious blow. You know, Windows is now free, essentially, right. I mean it's loaded down with Microsoft crap that you get as part of it, and certainly they're being paid for the Start menu to come preloaded with all of this junk. So there's that. Also, I posted the link over the weekend, Leo, and we know Paul Holder well. He related anecdotally his experience of reporting this to somebody.
52:51
I mean, like years ago, reporting this, and they just sort of shrugged. Like they know about it, they don't care. I think, you know, they figure, yeah, okay. Well, you know, we're selling bits that don't cost us anything. So if some of them get stolen, fine. You know, for my part, I've been a paid-up Microsoft Developer Network, you know, MSDN developer for decades. You know, I pay for the privilege of installing whatever Windows editions I need for software development and testing. But it is going to be interesting to see how this develops over time.
53:29 - Leo Laporte (Host)
Um, you know, I never really get it to run, so, okay. Yeah, um, it's just, uh, I don't know what I'm doing wrong.
53:34 - Steve Gibson (Host)
Well, PowerShell scripts are finicky. You know it may need some other module. Did you right-click and run it as an admin?
53:46 - Leo Laporte (Host)
Ah, maybe I need to do that.
53:47 - Steve Gibson (Host)
There is that kind of thing too.
53:48 - Leo Laporte (Host)
Oh, I bet I didn't do that. Yeah, sure, okay.
53:52 - Steve Gibson (Host)
Well.
53:52 - Leo Laporte (Host)
I probably shouldn't do it on air anyway, because then there'd be video evidence of it.
53:57 - Steve Gibson (Host)
Well, again, I don't know what the current count is. I'm going to click on the link right now. We're going to find out the current number of views of that posting. Last time I looked it was 916,000 plus. Okay, now we're at 918,500 views. So, again, not a secret anymore. Uh, and you know, people are reporting that it works. So very cool. And again, you know, I never really thought about cracking the activation system, you know, but it's obviously been something of a preoccupation for some segment of the hacker community for quite a while. And you know, again, it's like now you get Windows with any hardware that you buy. And if you set up your own hardware, I guess you have to pay a few hundred dollars for it. Or, you know, ask somebody else for their key, or, you know, who knows.
54:58 - Leo Laporte (Host)
Anyway, you can buy. You can buy keys online for pretty cheap too.
55:00 - Steve Gibson (Host)
So yeah, I think it's, anyway, just of interest, and I thought I would report it because I'm sure that we have some parties among our listeners who will think, hey, this is cool, I'm gonna do what Leo did, set up a VM and play with it. See, yeah, I mean.
55:16 - Leo Laporte (Host)
The thing is, I have a paid, uh, license.
55:19 - Steve Gibson (Host)
I just have to move it over, and this is easier than doing that. Yeah, yeah, okay. So Apple was just granted a patent, like a week or two ago, with the title "Identity Recognition Utilizing Face-Associated Body Characteristics," and that serves to give some sense for where and how future AI will become packaged into consumer devices, because this is an AI-based patent.
55:51
The gist of the patent is that, from the standpoint, if you think about it, of a fixed security camera, someone's face provides the most useful recognition detail, but the camera might not always be able to see the person's face. So when the camera does see someone's face and is able to identify them,
56:20
it will also now, per Apple's patent, be taking note of other things: the clothes they're wearing at the moment, you know, that day, and their body dimensions and their walking gait. Then that person may later be recognized, not by their face, which might not be visible at the moment, but by association with the other available characteristic details that had been previously noted at an earlier time when their identity could be positively determined. So, okay, it's roughly the same sort of strategy that a human observer would employ. The already buried USPTO, as people apply for patents on a gazillion other seemingly obvious things that AI will soon be making commonplace. I have a link to this in the show notes for anyone who's interested, but it's like, I think the expression is "Katie, bar the door" or something. It's like wow. Wow, you're going all country on us.
57:39
That's great. Wow, I mean, it's like, you know, this has always been my problem with patents. There is a phrase in the law, in patent doctrine, that says that a so-called invention is not suitable for patent if it would be obvious to anyone reasonably trained in the art, meaning that, okay, is this like some flash of inspiration by a genius Apple developer? Or do they have bored patent attorneys in Cupertino who are saying, just, kind of, give us something, like? And people are saying, okay, how about this one? And, oh, that's great, we'll write it up, we'll get a patent.
58:43
It is abuse of the system. But, on the other hand, that's what patents have become, right? You build a portfolio as a defensive measure, so that you're able to do things other people are doing, and when they say, hey, we got a patent on that, you say, okay, yeah, but you know, you're doing things that we're doing. So let's just agree not to sue each other and we'll keep everybody else frightened. Wow. Okay.
59:06
I know. Mashable caught an interesting story last week. Their piece was titled "Zoom lied about encryption in 2020. Now it wants to pay $18 million to make that go away," unquote, and they tagged it with a subhead, "The internet never forgets, though." Mashable wrote, back in 2020, Zoom was one of the hottest software companies in the world, and of course, you and I were using them, Leo, because, you know, I mean, COVID happened, right, and it works. It works well.
59:40 - Leo Laporte (Host)
It's a good product, exactly it works, they wrote.
59:43 - Steve Gibson (Host)
Its video conferencing software surged in popularity due to millions of people being confined to home offices due to the COVID-19 pandemic. Unfortunately, the company cut some corners when it came to the privacy of its users. Despite Zoom's claims that its video meetings were end-to-end encrypted, it later came to light that this was not true. The result was a class action lawsuit that Zoom settled for $85 million. In 2021, Zoom also settled with the Federal Trade Commission over misleading its users about the privacy and security of its core product, but the matter did not go away entirely. There's also the separate matter of a US Securities and Exchange Commission, you know, SEC, probe into Zoom's privacy policies, which the SEC launched in 2020. Now, Bloomberg reports that Zoom is offering to settle the matter with the SEC by paying an $18 million fine. The offer is still pending approval by the SEC.
01:00:55
These days, Zoom does offer end-to-end encryption for its video meetings and its privacy and security practices have improved, but back in 2020, the company's track record was poor, with Zoom bombings, remember, instances of people hijacking other people's Zoom calls and harassing them, becoming something of a trend. The Mashable article finishes by noting, by the way, if you've missed it, Zoom is no longer called Zoom Video Communications, which was its official name until Monday. The company is now officially called Zoom Communications to reflect the fact that it now offers a suite of communications tools beyond its video conferencing platform, and in fact one of them is a shared cloud Word competitor, you know, shared note taking and document editing capability. Anyway, we spent a lot of time talking about and covering Zoom back during those explosive days, and we knew that its security was stumbling a lot during those early days. I recall that we talked about the Zoom bombings, as they were known, but I don't remember whether we actually knew that they were lying at the time about their video conference calls not being truly end-to-end encrypted. It certainly is challenging to do that. The easy way to do it is to encrypt to the hub, a Zoom hub. So have each conference link encrypted to the hub but then decrypted there for redistribution and re-encryption out to the other members of the video conference, which is presumably what they were doing. But that's not end to end. You know, they get to decrypt and, uh, then re-encrypt. So that's probably what was going on, and if they're now doing it properly, that's a good thing.
01:03:05
So one of the problems posed by cloud services, especially in this era of big data, where big can increasingly mean really ridiculously humongously big, is the question of how to seed the cloud by transferring massive amounts of data to and from a cloud provider who will, after that transfer, then become its host. To answer that need, Amazon has launched the first of their so-called AWS Data Transfer Terminals. Here's what Amazon explained on December 1st under the headline "New physical AWS Data Transfer Terminals let you upload to the cloud faster." They wrote, today we're announcing the general availability of AWS Data Transfer Terminal, a secure physical location, you know, like a Kinko's print shop, where you can bring your storage devices and upload data faster to the AWS cloud. The first Data Transfer Terminals are located in Los Angeles and New York, with plans to add more locations globally.
01:04:22
You can reserve a time slot to visit your nearest location and upload data rapidly and securely to any AWS public endpoints, such as Amazon Simple Storage Service, Amazon S3, Amazon Elastic File System, that's Amazon EFS, or others, using a high throughput connection, and there they mean really high throughput. They said, using AWS Data Transfer Terminal, you can significantly reduce the time of ingesting data with high throughput connectivity at a location near you. You can upload large data sets from fleets of vehicles, they're just giving examples, operating and collecting data in metro areas for training machine learning models, digital audio and video files from content creators for media processing workloads, and mapping or imagery data from local government organizations for geographic analysis. After the data is uploaded to AWS, you can use the extensive suite of AWS services to the location for upload and retain the data for continued use and not rely on traditional shipping methods. You can find the availability of a location in the AWS storage device and S3 bucket, initiate the transfer of your data and validate that your transfer is complete.
01:06:04
I got a kick out of this. On your reserved date and time, visit the floor and your reserved room of the Data Transfer Terminal location. Don't be surprised if there are no AWS signs in the building or room. This is for security reasons, to keep your work location as secret as possible. And you know, this sort of thing makes sense after you hear it, right? Once these AWS terminals are available in many major metropolitan areas, it's easy to see, when they said, you know, don't be surprised if there are no AWS signs in the building or the room, that this could be an all-use high bandwidth access to the internet facility, and you know, the other providers are also going to be announcing similar terminals. And gee, what do you know? They're at the same physical location, and you know, it may not just be AWS that is using that. I got the sense.
01:07:41
I saw a photo of a long corridor with lots of doors and got the sense that it may just sort of be a general purpose access-to-the-cloud facility. So, anyway, kind of a cool idea. The grc.sc shortcut I created to quickly take people to that pentester website, which you and I both used when we were talking about this, Leo, which, you know, allows anyone to quickly check for their data.
01:08:18
Among all of that which was leaked by the National Public Data breach is the number one most clicked shortcut of all time. It's grc.sc/npd, and when I checked just now, that is, yesterday, it had been used 12,394 times since its creation on August 20th. I should mention that this was in the show notes which our listeners received, those who are subscribed to them, yesterday. One of them was reminded of this, clicked the link and found that it was no longer taking them there. It was taking them to pentester.com, but unfortunately those guys at pentester.com were unable to resist the temptation of monetizing the traffic that was generated, so the shortcut no longer takes you there. I'm not going to take people to the site when they've, you know, sort of done a bait and switch, so it just takes you to a page at GRC that says we're sorry, but these people were unable to resist the temptation of monetizing the traffic. So, anyway, my point here is, as I've observed since, unregulated data brokers, just by their very existence, just the aggregation of what is available on the internet, that aggregation itself represents a clear and present danger to society at large.
01:09:58
So I was glad to encounter the news that the US Federal Trade Commission had taken regulatory action against two US-based data brokers. The FTC has banned Mobilewalla, Gravy Analytics, what a name, and its subsidiary Venntel, with two n's, V-E-N-N-T-E-L, from selling the geolocation data of their users, that is, of the data that has been aggregated.
01:10:29
The FTC cracked down on the three companies after they were caught collecting and selling the information they had aggregated without their customers' consent. Right, it's very much the way we never gave the credit bureaus our explicit consent, at least, you know, that we knew of, to be collecting our data. They just, you know, got it. The FTC said that the data contained information about military sites, churches, labor unions and other sensitive locations, and the FTC specifically singled out Mobilewalla for selling geolocation data to identify women who visited pregnancy centers and individuals who attended George Floyd protests.
01:11:19
So it's difficult to find any sympathy for such parasitic companies. I should also note that when I did a sort by the frequency of clicks on GRC's shortcuts, the second most popular GRC shortcut was grc.sc/pin, P-I-N, which our longtime listeners, actually you don't have to be a longtime listener because it wasn't that long ago, took us, yes, to that wonderful graphic heat map which clearly showed the extremely non-uniform distribution in the four-digit PINs chosen by those who use PINs. So just a reminder that we have a lot of fun on this podcast.
01:12:12 - Leo Laporte (Host)
Two excellent short codes. Keep them both, have them ready. Okay, I did that pentester website, you may remember, and was dismayed by, yes, you and I both found our data and, significantly, Lisa's data was not.
01:12:26 - Steve Gibson (Host)
It was not, because she had subscribed to a data scrubbing service. Yeah. Okay. Last week I received notification from DigiCert that they had approved the use of GRC's Ruby G logo for display in GRC's BIMI certified email.
01:12:47 - Leo Laporte (Host)
I guess the Internet Archive came back up, yep.
01:12:52 - Steve Gibson (Host)
Our "BIMI Up, Scotty" podcast was back on October 15th, and at the time the Internet Archive, which the entire industry uses for this purpose to verify the long-term use of corporate logos, was suffering a long-running and debilitating series of DDoS attacks. And I'm sure that if my need was urgent enough I could have reminded DigiCert before now and pushed the matter. But, you know, they did get back to it on their own without me needing to do so. When I checked last week after receiving that notice, the certificate status was in "awaiting final status." I'm mentioning this because I awoke yesterday to the news that GRC's verified mark certificate, which was the goal of all this, had been approved and was issued. Although I could have hosted the pair of files, one's an SVG, a scalable vector graphic, and the other is a PEM, a P-E-M certificate, from my own GRC.com domain, I decided that it might seem a little more official if those files came from DigiCert themselves, though I doubt that it matters either way. But since they were pleased to offer to host the files, I took them up on that offer. So then yesterday, Monday morning, I added a BIMI TXT record to GRC's DNS, which contained the twin URLs for GRC's logo image and its matching certificate.
01:14:34
From that moment, GRC's email was BIMI enabled. Since I didn't yet have this week's email ready, I sent last week's email to my Gmail account, since Gmail is one of the providers that supports the display of BIMI logos, and sure enough, there was GRC's Ruby G decorating the opened email. I imagine that everyone who receives this week's email and all subsequent email from GRC through BIMI supporting providers will also receive the same thing, whether they notice it or not, and actually that's confirmed now. I got a whole bunch of email from people, and I don't know if they looked at the show notes and saw me talking about it, or looked at, probably just the synopsis, where I do mention that, but a whole bunch of people wrote back and said, I see it, I see it, I see it. So, indeed, although there were some people who didn't see it, and that's just because their email provider isn't yet, yeah, most aren't, you know, showing it.
01:15:39 - Leo Laporte (Host)
Yeah, do you have to turn that column on in, uh, Gmail or something? No, it's just there, it just shows up. And I did, okay.
01:15:47 - Steve Gibson (Host)
So I was also curious to see whether the authentication change would have a retroactive effect. So I went back a week in my Gmail to last week's originally sent email. I have my Gmail account subscribed to this podcast, you know, to the mailings, for exactly this sort of testing. Interestingly, the new GRC logo was not also shown on that piece of older email, which I thought was interesting, since the email itself does not carry any hint of whether the mailing domain may have a certified BIMI logo. So it appears that Google is checking for the BIMI record at the same time as it's verifying the mailing site's SPF, DKIM and DMARC status, you know, validating that, and then, once that's done and the email has been received, the logo is either established or it won't ever be.
01:16:50 - Leo Laporte (Host)
Oh, I see it, I see it. Oh, that's so cool. There is, I just sent myself an email. Is that it, right here over on the left? Yep, that's it.
01:17:00 - Steve Gibson (Host)
That's really cool. And what it used to do, it used to just show the silhouette of a person, you know, their head and shoulders. Right now, it's actually GRC's logo. Nice, very cool.
01:17:13 - Leo Laporte (Host)
It is nice, that's it. So you don't have to insert that or anything. It's just always going to be there from now on.
01:17:18 - Steve Gibson (Host)
Yep, so it's associated with a domain, and so a query to TXT records for that specific TXT record at GRC.com returns two URLs. So the SVG is the graphic, and then there is a signed certificate. DigiCert signed a certificate for that graphic. Both of those URLs get pulled, and that allows the graphic to be affirmatively, like, you know, associated with the GRC.com domain and any email that it generates. So it is neat. Yeah, I mean, I'd have to see if my Fastmail does that, but Gmail definitely does.
01:18:05 - Leo Laporte (Host)
That's very cool.
01:18:06 - Steve Gibson (Host)
Yeah, very cool. And Leo, break time. Yes, and we're going to plow into some feedback from our listeners. All right. Actually, I've got a neat conversation about some subtleties of second-factor authentication use. Oh, a goodie. Good. All right.
01:18:28 - Leo Laporte (Host)
Our show today brought to you, by speaking of authentication, our good friends at Bitwarden, which is-.
01:18:35 - Steve Gibson (Host)
Yes, perfect timing. Perfect timing.
01:18:37 - Leo Laporte (Host)
The password manager trusted by thousands of businesses and millions of individuals like me. Of course, Bitwarden will let you generate and autofill strong, unique logins. It does something else, though. It also autofills credit cards, identities, even passkeys, directly from the inline autofill menu without leaving the page. That's a good thing, because it won't autofill on a spoofed site, so it's another way to protect yourself.
01:19:09
Bitwarden continues to expand its integration ecosystem. This is for businesses across... well, maybe not just businesses, but if you are using enterprise software, all the most important platforms, you'll get seamless operations and elevated security. As an example, here are some very popular integrations. Microsoft Intune: a lot of people use that to stay secure in business, right? It enhances device security and user identity management by enabling secure Bitwarden app deployment on any Intune-managed endpoint. That includes desktops and mobile devices. In other words, Intune will now automatically install Bitwarden if you wanted to. I think that's awesome. Do you use Rippling for HR? Of course, Rippling is also smart about Bitwarden. Bitwarden integrates with Rippling so that it's easy to onboard and offboard people. IT teams can assign and revoke access to the Bitwarden vault as employees join or leave. Do you use Vanta for compliance? Longtime sponsor on our network. Vanta compliance audit and reporting will, and this is really cool, actually add your secure password manager, Bitwarden, so that it's reported in your compliance report, which means it'll be better and easier for you to meet SOC 2 or ISO 27001 or other standards.
01:20:33
Here's the coolest one. I really want to know more about this. Rapid7 is a security platform, right? It ensures improved threat detection and response. When it integrates with Bitwarden, it can correlate credential usage with security events. Bitwarden says, oh yeah, that person logged in at that time, and you can correlate that to the events. That is incredible. Strengthening proactive monitoring and intelligence for enterprise security teams. This is neat. These integrations increase flexibility. They let you centralize security management across existing technology stacks and employee devices to maintain control over sensitive information. There are integrations with many, many enterprise apps. Bitwarden users can seamlessly connect the tools they use for IT management, compliance and security to Bitwarden to improve and standardize the deployment of enterprise credential management throughout your organization.
01:21:28
I think this is important to mention because I think sometimes when I sing its praises, I say Bitwarden's open source, GPL open source. That's really good news. Businesses might say, well, that rules us out, right? Because they're not going to have all that support for enterprise stuff. They do. They do. Your business deserves a cost-effective solution that can dramatically improve its chances of staying safe online. You deserve Bitwarden. Switch today. It's so easy.
01:21:57
Bitwarden's setup only takes a few minutes. They support importing from most password management solutions and, of course, because it's open source, Bitwarden's source code can be inspected by anyone. But it's also regularly audited by third-party experts, and Bitwarden publishes the results of those audits, so you know exactly how secure it is. Get started today with Bitwarden's free trial of a Teams or Enterprise plan. But I always, always want to mention that, because it's open source, Bitwarden is free for individual users, and that means all devices: iOS, Android, Mac, Linux, whatever. I've left out Windows, I must be thinking. And Windows. As an individual user it's free: unlimited passkeys, unlimited passwords, unlimited. You could use your hardware YubiKeys. Free forever, because it's open source. bitwarden.com/twit for your business. Bitwarden for yourself. Bitwarden for your business. bitwarden.com/twit. Oh, and Steve, I...
01:22:58
I finally figured out I was misusing the instructions for that unlocker. And once I figured out the instructions, I had to download a .cmd file. Ah, okay, okay. And run that. So the automated thing was to download it, and for some reason it couldn't get online or whatever. Oh, I know why. Because Edge said, oh no, this is not safe, and I'm sure that that's also in the system. Oh no, we're not going to let you download from something called Massgrave. No, no, you're not going to download that. So once I said, no, no, it's fine, I'm going to download that, I was able to download it. Double-click, it gave me the options, and it worked. Paul thinks, and I think he's right, that it actually emulates an enterprise credentials or activation server called the KMS server. It emulates that.
01:23:55
Like there is one. Yeah, that's one of the two activation... that's the loophole, right? Oh yeah, I'm an enterprise and, uh, just connect to my server here. You're okay, you're good. It even said registered to Leo Laporte. It did the whole thing. So, thank you. And I'm not cheating, I bought a license. I just wanted to move that license over.
01:24:18 - Steve Gibson (Host)
Yes, you own a license.
01:24:20 - Leo Laporte (Host)
You know why? Because the original Parallels version of Windows was 22H2. And in order to get 24H2, I actually had to download it from Microsoft and install it, and so that was not activated. So now it is. Thank you, Steve. Cool. Thank you, hackers, again. You can imagine, you can see how it would be like a preoccupation, right? Like, we're going to crack this thing. Oh yeah. You can also see how it's a really dumb thing to do what I just did, which is download and run a file from the internet.
01:24:50 - Steve Gibson (Host)
But you know, that's just me. You were doing it in a VM, though. That's true, it is in a VM, yeah.
01:24:58 - Leo Laporte (Host)
Yeah.
01:24:59 - Steve Gibson (Host)
Okay, so Jaime Denizard, and he gave me his pronunciation, Jaime said: Steve, I've been using Google Authenticator, with cloud backup disabled, for years, but I would like to use a more feature-full solution, and one preferably not run by Google. The main feature I'm looking for is a solution that has a web portal so that I can get TOTPs from any browser instead of needing my phone with me at all times. How much security would I be giving up, if any, if I went with a solution that offered this, such as Bitwarden Authenticator, Ente Auth or Twilio Authy? Thank you and keep up the great work, Jaime.
01:25:48
Okay, so I chose Jaime's note because this is a question many people have. I get it, and we've talked about it, but I figured I'd just give it a little more attention, and from then on in the future, we'll just refer to this. They want the added security of a second factor, but they don't want the added inconvenience. We've talked about the inherent danger of merging all authentication into a single source, for example, of having one's password manager also supplying the one-time passcode second factor. You know, is it as secure as maintaining an entirely separate second factor authenticator and then transcribing the six-digit code manually? No. Is it more secure than not bothering with any second factor? Yeah, of course, absolutely. It all boils down to security models and asking the question, what exactly are we wishing to protect against? We need to ask that question because, unfortunately, there are many different points of potential vulnerability. Okay, so let's address three cases: a full breach of the site being authenticated to, a breach of only the site's known usernames and passwords, or a breach of a user's computer.
01:27:16
In the first case, a full breach of the site being authenticated to, the only form of authentication that remains safe after such a full site breach is passkeys. Passkeys remain safe because, being a public key authentication system, as I used to say of SQRL but I'll now say of passkeys, passkeys give sites no secrets to keep. The only thing a site can do with a public key it has received from its user is verify their identity. It cannot be used in any way to assert or spoof their identity. One-time passcodes will not protect their users after a full site breach because one-time passcodes rely upon a shared secret. It's that secret which determines which six-digit code is correct every 30 seconds. So if bad guys are able to obtain the usernames, the password hashes and the shared secret one-time password seeds, they'll be able to impersonate the site's users. And even if the site is storing its users' passwords as salted hashes, as any modern site now should, a credential stuffing attack that's backed up by having each account's matching second-factor seed would still be able to succeed. So, to recap, in the event of a full site breach, traditional second factor authentication, which relies upon the continued secrecy of a shared secret seed key, would provide no added protection. So it would not matter whether your own authenticator is storing its secrets separately or, for example, in your browser.
01:29:18
Okay, in the second case of only a breach of a site's usernames and hashed passwords, or even without any breach, just guessing usernames, which are increasingly email addresses, the bad guys would employ, as I mentioned before, a so-called credential stuffing attack. That's the new fancy name, you know, for what we used to call brute force attacks, although credential stuffing suggests that the stuffer is not just guessing randomly, but is instead working from a list of known possible credentials that have been previously harvested from some other service, and this is where reusing passwords between sites becomes a very bad idea. However, in this case, since the bad guys would not have obtained any of the site's stored second-factor authentication secrets, the use of a second-factor authenticator would strongly protect the user's account. And again, where the authenticator is running, whether it's in the user's browser or offline in a separate smartphone, would make no difference, since the bad guys would have no way of guessing the continually changing six-digit passcode. Okay, so to recap, in both of the previous two instances of attacks, a full site data breach or one of the increasingly common credential stuffing attacks, the location of the user's authenticator has no impact and makes no difference.
01:30:59
This brings us to the third case, a breach at the user's end. This could either be a breach of the user's PC, with their web browser and its password manager, or a breach of the user's smartphone, which contains their second-factor authentication secrets, if that's what they're using. This is the nightmare scenario where the only protection is the separation that hopefully exists between the first and second authentication secrets. The presumption is that it's exceedingly difficult for any bad guys to get into either of the user's authentication stores, the first or the second factors, because we never see that happen, right? We're constantly talking about all manner of horrors on the Internet and with Internet-related technologies, but we never encounter instances where users are having their local password managers breached. If I had some wood handy somewhere, I would knock on it, since we don't ever want to be reporting that.
01:32:11 - Leo Laporte (Host)
Well, there is the exception of the LastPass breach.
01:32:15 - Steve Gibson (Host)
Well, okay, but that wasn't a local breach. No, that was headquarters being breached, right.
01:32:23 - Leo Laporte (Host)
Right.
01:32:24 - Steve Gibson (Host)
Okay, yeah, yeah. So it's not the act... we don't see... we're not ever reporting stories of, like, some problem with some password manager that it turns out has a horrible problem, right? And so this...
01:32:39 - Leo Laporte (Host)
This substantiates our intuitive sense that it's safe. Except for RoboForm, which was used to hack people's wallets.
01:32:49 - Steve Gibson (Host)
Right, so that was a non-random generator.
01:32:53 - Leo Laporte (Host)
Yeah, it had a bad RNG. So, yeah, yeah. But your point is valid, absolutely. Right.
01:33:02 - Steve Gibson (Host)
So the point is, all the evidence we have, not only theoretically but practically, is that we're not seeing problems with password managers being able to keep their secrets. They are. And given that it's exceedingly difficult to break into one credential store, it's beyond exceedingly difficult to imagine that two separate credential stores using wildly differing technologies, a PC and a smartphone, might both be simultaneously compromised in order for bad guys to obtain both first and second factor secrets and then facilitate spoofing authentication. Okay, in other words, the only danger posed by storing both the first and second authentication factor secrets in the same place, in the same device, and thus under the same form of protection, is that the security of that device could possibly, conceivably, be breached, and, moreover, we're aware of no instances where that has happened or has been a problem. So the two, the MFA, is not stored in a vault?
01:34:22 - Leo Laporte (Host)
The secret is stored in the vault, on LastPass's servers, though, or Bitwarden's servers. Actually, copies are downloaded to your local browser. Yeah, but I'm just saying, if those sites... as would happen with LastPass, if the vault has been exfiltrated... I mean, that's a good point. Your secret is in that vault.
01:34:45 - Steve Gibson (Host)
If they're holding both first and second and headquarters is breached, then all their users are up the creek.
01:34:54 - Leo Laporte (Host)
This is highly theoretical. Right. And, as we've said before, you're probably fine doing it. Yes. I don't. I have a separate app just for that reason. That's all.
01:35:04 - Steve Gibson (Host)
And I actually wrote in the show notes, so at this point today, it's only a theoretical concern and argument, but it is nevertheless a concern and an argument, no matter how theoretical it may be, which we've just brought up, right? It could happen, and something did happen at LastPass. So this is very much like our recent discussions of whether it's safe to leave an otherwise unprotected WireGuard VPN service port exposed and listening on the internet, you know, as tens, if not hundreds of thousands of people do. As I said last week, it's very much, almost certainly, safe. There's every reason to believe that it is safe and no reason to believe that it isn't, right up until the moment that we learn that it wasn't.
01:35:55 - Leo Laporte (Host)
Right.
01:35:56 - Steve Gibson (Host)
So you know, I'm spending so much time on all this because it's an important concept that binds these together. The concept is layered security: no single fault, vulnerability or compromise in the security of something protecting a system would result in a compromise of that system's security. Another, more colloquial term for layered security would be belt and suspenders. I would always put WireGuard behind some other form of access control, if only so that any failure of either one would not result in a failure of the whole. And the concept of layered security is what gave us multi-factor authentication in the first place, not relying upon any single factor. If one is compromised, the other can be trusted to hold.
01:37:00
Ideally, the implementation of layered security doesn't pose an ongoing burden upon its user, and this is where the implementation of the system comes into play. If the machine a user is authenticating from already contains a reasonably fresh previous authentication cookie, depending upon the security needs of the website, it would be reasonable to bypass the request for the user's second factor and only ask for it if either a long time has passed since the user last authenticated from that machine or the user is authenticating from a machine that has no record of previous authentication. This model, you know, the model of only prompting for a second factor when there's some reason to do so, still strongly protects the user from an online credential stuffing attacker, for example, whose authentication guesses would not carry the second factor bypass cookie, while also reducing the annoyance factor for repeat users of the same machine. So, Jaime, your question was obviously a good one, because it certainly didn't have a short answer, and the answer that it did have is best viewed in the context of the various possible threats that it needs to protect against.
01:38:33
Practically speaking, I think a good case could be made for most users to just let their existing password managers painlessly supply their second factor one-time passcodes for them. That provides strong protection against the known online password stuffing style attacks that we know are occurring, and against those attacks it is providing layered protection. Protecting from a theoretical attack that we have no evidence of ever having happened, you know, not being a problem, even though the protection could be provided by moving those second factor secrets to a different device, is almost certainly taking caution too far. Until it isn't. I keep my second factor tokens in my smartphone. My browser doesn't have them. They're not online, except in the sense that they are synchronized through iCloud and stored encrypted for the sake of synchronizing, and I appreciate that, although I really don't have to do that either, because I add them so infrequently and I always print out the QR code if I need to synchronize devices or, you know, to restore.
01:40:06 - Leo Laporte (Host)
Well, there's your weakest link. If somebody breaks into your house, he's got the QR codes. Now you're really in trouble. There aren't any Russians or suspicious-looking foreigners lurking around. So I think that's really the other side of that equation, is how much harder is it to store it in a separate program? I don't consider that a big jump in difficulty. Yes, so I do it.
01:40:29 - Steve Gibson (Host)
Yes, Jaime is saying his bar is lower, right? He, you know, it bugs him having it, and maybe he's using some sites that are not well designed and so they're constantly asking him when he's sitting at the same non-shared PC. It's like, I just gave this to you yesterday.
01:40:51 - Leo Laporte (Host)
That would be annoying.
01:40:52 - Steve Gibson (Host)
Yes, yeah, I mean, most of us have static IPs, so the site could encrypt our IP into the cookie so that it can see if the... you know, I mean, there's all these things that could be done, where you know, like, to properly use a second factor, and it's unfortunate when sites don't, you know, bother.
01:41:12 - Leo Laporte (Host)
More and more I'm seeing sites forcing me to reauthenticate a lot, yes, and it's really annoying.
01:41:19 - Steve Gibson (Host)
Yes.
01:41:21 - Leo Laporte (Host)
But I guess we live in a dangerous world.
01:41:24 - Steve Gibson (Host)
Nir Eden said: Dear Steve, I've been a dedicated listener of Security Now for many years. Your show has expanded my technical understanding and reinforced important values I deeply believe in, particularly that privacy is a fundamental condition for freedom, accountability to the entire Internet community, and unwavering reliability. Regarding remote access solutions, while overlay networks like WireGuard and Nebula work well, they lack granular access control and can be complex to set up. Solutions like Cloudflare Tunnel and ngrok provide public-facing interfaces, but I needed something different. I wanted to create a private tunnel from my home Raspberry Pi SSH server to my laptop so I could log in from anywhere. I wanted to connect a cloud web server to a microservice that runs on another cloud. I wanted to link database servers and clients running in different locations. He says, I developed a solution based on SSH tunneling through an external server. Since both ends make outgoing connections, opening ports or modifying firewall settings is unnecessary. I have developed a simple web interface, so connecting two devices is as simple as setting up a Zoom meeting, meaning clicking on a link. After using it successfully for years to connect cloud services and remote control devices, I've made it publicly available at www.puppetpc.com, P-U-P-P-E-T-P-C dot com. He says it is currently free to use, as I want to see how far this solution can go. Thank you, Nir Eden.
01:43:15
I went over to www.puppetpc.com and took a look around. The site looks very clean and new, and I imagine that it will evolve over time. There is not yet any deep technical documentation that I could see, so I know that many of our listeners would need to know why they should trust it, but I'm aware that others won't care that much and may just be content to play with whatever it is. So I'm not vouching for it in any way, since I cannot. But I wanted to share this very nice-looking creation of one of our listeners, to give Nir some attention for his efforts that might be useful to him, and to reiterate how amazed I am by the quality of the people who choose to spend their time listening to this podcast. So thank you for the share.
01:44:04
Nir, www.puppetpc.com. Stephen Sedron wrote: Hi Steve, I heard you mention Tor's call for more bridge operators in SN 1003 last week. He said, I wanted to bring to your attention the Snowflake extension/add-on for Firefox, Chrome, Brave or other Chrome-based browsers. It allows the Tor network to use your computer as a proxy to help people circumvent censorship, and it's as easy as installing a web browser extension/add-on. You can also toggle the settings to allow it to continue running even when the browser is not open. They're good about not slowing down your internet connection, and they hide your IP address while someone is connected through your computer. The snowflake also changes from purple to green in color if pinned to the toolbar at the top, so you know when someone is currently connected. He said, I want to mention this to you in hopes people might help the Tor network in this way as well, because not everyone has the skill to run a server, to run a bridge, as I do. Not the easiest to set up in Linux, he notes. He says, read more about it here, and then he gives the URL snowflake.torproject.org. Okay, so that is very cool. I love that something like this could be so easy to set up and be safe to use.
01:45:46
The Tor Project folks certainly know what they're doing. And just to explain this Snowflake, this proxy serves as a middleman in between nodes. The Tor servers do all of the fronting of connections, but, as we know, it's very useful to bounce traffic around a while within the Tor network in order to increase its security. So you're not an end node. Nobody sees your IP address. You're one of the internal nodes that just gets used to scramble the traffic up. That's how Tor is able to keep from overloading your bandwidth. One of the reasons I'm very glad Stephen put this on our radar is that these days most of us have massive bandwidth overkill, with our bandwidth mostly sitting idle. So the idea that we might be able to donate some small piece of our bandwidth to help the Tor Project and to provide some more diffusion seems like a great idea. I followed Stephen's link and went over to the Tor Project's Snowflake page. It turns out that Snowflake's function as a traffic proxy is only one of the things it's able to do. It also allows the users who install it to use the Tor system. So they said, Snowflake is a system that allows people from all over the world to access censored websites and applications.
01:47:27
Similar to how VPNs assist users in getting around internet censorship, Snowflake helps you avoid being noticed by internet censors by making your internet activity appear as though you're using the internet for a regular video or voice call. There are numerous tools available, such as Snowflake, that transform internet activity, each using a different technique. Some redirect internet... and they mean numerous Tor tools, he said. Some redirect internet traffic to appear to be coming from popular cloud providers like Microsoft Azure and Amazon Web Services. Others scramble internet traffic in order to make it appear completely random. It therefore becomes costly for censors to consider blocking such circumvention tools, since it would require blocking large parts of the internet in order to achieve the initial targeted goal. Unlike VPNs, you do not need to install a separate application to connect to a Snowflake proxy and bypass censorship. It is usually a circumvention feature embedded within existing apps. Currently, Snowflake is available inside Tor Browser on desktop and Android, Onion Browser on iOS, and Orbot on Android and iOS. If you've downloaded and installed any of these apps and they are censored in your country, you can bypass the censorship by activating Snowflake through the app settings page.
01:48:59
And then we get to the part that caused Stephen to write his note. The Tor Project writes: Did you know that Snowflake proxies are operated entirely by volunteers? In other words, a Tor user gets matched with a random Snowflake volunteer proxy, which is run by a volunteer like you. So if you want to help people bypass censorship, consider installing and running a Snowflake proxy. The only prerequisite is that the internet in your country is not heavily censored already. You can join thousands of volunteers from around the world who have a Snowflake proxy installed and running. There's no need to worry about which websites people are accessing through your Snowflake proxy. Their visible browsing IP address will match their Tor exit node, not yours. There are various different ways to run a Snowflake proxy, beginner to advanced. And then it said, install the web extension. The web extension is the easiest way to run a Snowflake proxy. Simply install it on Firefox, Chrome or Edge, enable the extension, and watch the icon turn green when a user connects through your proxy.
01:50:17 - Leo Laporte (Host)
Oh, that's cool. It is. I have installed it on my browser and it's up in this upper right-hand corner. It's very small. It's purple right now, but that's cool. I'll know when somebody's using it. It'll turn green. Oh, that's neat.
01:50:31 - Steve Gibson (Host)
And you have become part of the Tor network while you choose to have your browser open, or, if you select an option, you'll allow it to keep running even if your browser is closed, but as long as your computer is on, obviously. And it allows you to be part of the mixing of traffic that the Tor system is providing.
01:50:53 - Leo Laporte (Host)
I think that's worth doing, especially nowadays. I think it's really cool. Yeah, I think we need it. Very cool, yeah.
01:51:00 - Steve Gibson (Host)
So thank you for bringing the Snowflake to our attention, Stephen. John Robinette has a solution for linking smartphones and PCs. He said, hey Steve, with regard to your wish for a way to easily type something on your PC and send it to your iPhone, I would recommend LocalSend. And he referred to localsend.org. He said the simplest way to describe it is a cross-platform AirDrop written in Dart plus Flutter that works on iPhone, Android, Linux, Windows and Mac. It does require installing an app, but the communication is all local between devices.
01:51:36
LocalSend uses mDNS to discover other LocalSend clients on your subnet, which then allows you to send and receive text, files, photos and so on. He says, I've been using it for about a year to move various files between my Windows PC, iPhone, iPad and a Linux PC, so very cross-platform. He says, if you don't want to install an app, there's also PairDrop, at pairdrop.net, which is similar but entirely browser-based. The actual transfer of data is peer-to-peer via WebRTC. However, establishing this peer-to-peer connection depends on both clients first making a connection to the website, so it won't work if your internet connection is down or if you're paranoid about using someone else's server, but it's open source and easily self-hosted if you're that person. Hope that one of those or both of those might be useful for you or others.
01:52:39 - Leo Laporte (Host)
And, of course, nowadays on a Mac. Anyway, you have this iPhone access, so you can use this on your Mac Right and on PCs you have it for Android devices. Actually, you can sort of use it with iPhones as well.
01:52:53 - Steve Gibson (Host)
And apparently that is the case. And actually, we're about to get to that. Oh, okay, sorry. So I like that.
01:53:00 - Leo Laporte (Host)
I like these two apps, though. That's really... Yes, they are very, very cross-platform.
01:53:05 - Steve Gibson (Host)
Yeah, so Jay Sock said: Good afternoon, Mr. Gibson. He's being formal. Mr. Sock, pleased to meet you. And he says, long time.
01:53:17
First time. You got me into bug bounty and I now make a not insignificant amount of income through bug bounty. Interesting. Yeah. He said, my wife is obsessed with... oh, this is the SodaStream guy... my wife is obsessed with LaCroix, and we've spent a lot of money on it over the years. He says, this year I'm thinking about getting her a SodaStream-like device. It is the season. So she can get her fix more easily and we can hopefully save some money. I remember that you discussed some techniques you had used to save some money on a similar device on the podcast, and I'm going to go through the notes and find that information. What I would like to know is if you have any updates to your previous process.
01:54:06
As I recall, you had changed the adapter on the CO2 cartridge and were getting your CO2 canisters refilled somewhere in Irvine. He said, I'm in Fullerton. Do you still do this? Has this process held up over many uses and years? I would love any thoughts you have on whether this is a worthwhile investment or not. Thanks for sharing your very valuable time. Okay, I'll take up just a bit of everyone's valuable time because it has been such a win for us. The trick is to have a single large CO2 master tank that's used to directly refill the empty SodaStream canisters, the little mini tanks that the SodaStream uses. This allows you to perform the refilling from the big tank to the little tank at home, using the SodaStream canisters over and over again. And really, part of it was saving money.
01:55:11
Continually recycling these canisters, yes. And the master tank can in turn be filled over and over by any home brewing shop.
01:55:25 - Leo Laporte (Host)
Now, I tried this and I was unable to find anybody who was willing to do that. Oh, okay. You may have lucked out there in Irvine.
01:55:32 - Steve Gibson (Host)
Yeah, I've got one off of Bristol, like a mile away. And so, people, you do want to verify that first, right.
01:55:40 - Leo Laporte (Host)
And you may want to get the tank from them, because that was one of the issues: a lot of people said, well, I'm not going to fill some strange tank. They wanted to know it was something that they had, and I imagine that the tank from them is probably no more expensive, right?
01:55:57 - Steve Gibson (Host)
Although it does have to be a special tank. So, first of all, people who brew their own beer at home use the same tanks and get them refilled. Okay, the first trick is interconnecting the two tanks, and Amazon has plenty of adapters for exactly this purpose. They are typically nicely machined brass adapters that have a valve. One end of the adapter fits the empty SodaStream canisters and the other end mates with a standard CO2 tank, which is also available from Amazon. I believe mine is a 20-pound tank.
01:56:35 - Leo Laporte (Host)
I bought one and then palmed it off on Micah and he didn't want it because we couldn't get it filled, so I think we gave it away. I wish I had known, I would have sent it to our correspondent.
01:56:46 - Steve Gibson (Host)
Yeah, definitely make sure you're able to fill it. They're about $150, so they're not inexpensive.
01:56:53
But the 20-pound one was light enough for me to drag and roll from my car to the shop for refilling and back. The only requirement for the tank is that you need to be sure it has a siphon tube, and that's what allows you to fill the empty SodaStream canisters with liquid carbon dioxide taken from the bottom of the tank rather than CO2 gas, which will be taken from the top. And, as I said, they're not inexpensive, they're about $150, but it's been worth it for us. And I have not counted the number of times we're able to refill a small canister from the much larger tank, but it's many, many, many times. I mean, I think I've only gone to the home brewing place maybe three times in total and they had no problem refilling the tank. But you might, you know, certainly it makes sense to buy it from them, as long as they can provide you with one with a siphon tube, because you do need to have that for sure. Otherwise you have to turn the thing upside down while you're doing it.
01:58:07 - Leo Laporte (Host)
That's no fun. You don't want to do that.
01:58:10 - Steve Gibson (Host)
Okay. Finally, Troy in Montana suggests Intel's Unison. But then there was one other. He said Steve, longtime listener since day one. If you have an Intel PC, well, we know I have those, you can use their app to connect your iPhone to a PC and get access to sending messages. Not perfect, but a way to do what you hoped. And then he provides a link to it. It's Intel.com and it's something that they call Unison. He says thanks for all you and Leo do to keep us safe.
01:58:50
So, okay, I was excited when I read Intel's description. It says following a simple pairing process between the phone and the PC, you can make or take phone calls from your PC, send or receive text messages using the PC's mouse and keyboard and view phone notifications on the PC screen. Also, you can seamlessly and bidirectionally share photos, videos and documents between your phone and PC. The Intel Unison solution fully supports both Android and iOS. And I mean, like I put a picture of what they have on their website in the show notes. It looks like a full-size desktop version of iMessage on the screen with all the contacts and messages shown. I mean it looks utterly amazing. But when I drilled down a bit more, I tripped over the following quote: the Intel Unison application is available for download on any Windows 11 PC that meets the minimum requirements as detailed in the app store descriptions. Both laptops and desktops are supported.
02:00:09
For anyone who has already made the move, was it that the Microsoft guy said, who had transitioned to Windows 11? Yes, that's right. It really looks like more than I could have ever dreamed of. You could actually have, apparently, a functioning Messages app sitting on your Windows desktop with your phone nearby on its charger. I already have a need to run a Windows 11 VM, since the work on the DNS Benchmark, which is what I'm doing now, has turned up some subtle but important differences in Windows 11's handling of some app resizing. So I was planning to get Windows 11 set up under VirtualBox in any event, but if I could load this onto that machine, I might have a Windows 11 VM running 24/7. So thank you for that, Troy.
02:01:10
And then Heinrich Johnson said unfortunately not available for Windows 7, but supported in Windows 10 and later. He said you can check out Phone Link. It should be built into Windows and enabled by default, and there's a link in the show notes, and the URL ends with "sync across your devices", and Heinrich says you can read and answer texts, see any notifications and even make phone calls from your computer. It uses Bluetooth underneath to make the magic work. He says I just switched from Android and was really missing Pushbullet, but this is a pretty solid replacement.
02:01:59
Okay, so it appears that my prayers may have been answered and that the frustration I've been feeling has not been mine alone and that solutions to this have been created. I don't know how or whether this is related to Intel's Unison, but it looks like the same thing, and Intel is just sort of private labeling the same Windows application. I was a bit nervous because I tracked down Phone Link and there Microsoft says requires Windows 11. But Heinrich clearly said Windows 10. So I'm hopeful Microsoft might just be refusing to in any way promote the continued use of Windows 10, so they've just scrubbed it from their website. So anyway, thank you, Heinrich, and also thanks to all of our listeners who heeded my call and my pleas for a solution. And Leo, yes. After this break let's talk about GPT.
02:03:01 - Leo Laporte (Host)
All right. And, by the way, I've been using Phone Link for some time on Windows 11. I'm not sure if it works on Windows 10, but I bet it does. It works best with Android. But you see, we can send text messages. I'm connected right now to an Android device, my Z Flip, my Samsung Z.
02:03:19 - Steve Gibson (Host)
Flip. Okay.
02:03:20 - Leo Laporte (Host)
And it really does work best with Samsung. But I've been able to use it with iPhone. It just doesn't have all of the features.
02:03:26 - Steve Gibson (Host)
I don't need all, I just need my sanity preserved. Yeah. Well, I can't promise you that, Steve.
02:03:37 - Leo Laporte (Host)
You know, that may be a... All right. Before we get back to the matter at hand, which is, of course, everything exciting and wonderful that Steve is talking about, I thought it might be a good idea to take a little break and remind you about the most important thing you're going to do today, which is join Club Twit. Now, many of you are already members of Club Twit, and for those I am very grateful, because they've allowed us to continue on the air. You might have noticed, though, fewer ads on this episode. All of our episodes. MacBreak Weekly had no ads. For some reason, I think some uncertainty about the economic future, I don't know, advertisers have really disappeared. Right now, at this point in podcasting, it's the top 10 podcasts that get half, literally half, of all the advertising, and the rest of us are left begging for scraps, and the scraps just aren't there.
02:04:29
I always thought it'd be fun to make this network be listener-supported. Back in the day when you and I started, Steve, there just weren't any really good infrastructure ways to do that. We do have them now, thanks to Patreon, and we use a Patreon company called Memberful. We can do that, and it's still my hope that we could maybe make this entire network supported by you, our listeners. You know what, we could do it. All we would need is about 5% of the audience, that's all, to join the club. We wouldn't have to put stuff behind paywalls. We could expand, we could add shows, we could add content, but until we get 5% joining, it ain't going to happen. Right now it's somewhere less than 2%.
02:05:10
One in... isn't that sad? One in 50 people who listen to this show are subscribers. Let's up that by the end of the year. I want to get 5,000 new subscribers. We almost have to get 5,000 new subscribers to survive into 2025. Help us out now.
02:05:27
There are benefits. It's only seven bucks a month. Ad-free versions of this show and every show. You wouldn't even hear this pitch for Club Twit. It is, it is. There are other benefits. I mean there's the Club Twit Discord, which is a great place to hang out and chat about everything geeks are interested in. That's where our Advent of Code group hangs out. There's also, you know, special events and shows that we put on in the club.
02:05:52
We did an Advent of Code last week. I did live coding. Crazy, huh? For the first, I think, four days of Advent of Code. That was a lot of fun. Stacy's Book Club is coming up on the 19th. Also Micah's Crafting Corner. He's doing a little tiny kitchen or something, little tiny rooms. But you don't have to do that, you can do whatever things you're interested in. It's just kind of a cozy hang. There's also Chris Marquardt's photo review coming up on Thursday. I can go on and on. We do a lot of great stuff in the club. We give you video for shows that are audio only in public, things like that. But the main reason to do it is if you appreciate this show and all the shows we do and you want them to keep going. We need your support. twit.tv/clubtwit.
02:06:40 - Steve Gibson (Host)
All right, let's get back to Security Now. Okay, so I'm going to warn our listeners that the introduction here is, uh, dense, but it is important. It is not actually important to understand every nuance of what I'm going to explain, although some people will find it interesting. So for them, and because this is what happened, in order to set this up for the conversation that I have, it's important. Okay. So, as I mentioned at the top, I had an interesting interaction with the coding version of ChatGPT-4o, which they call 4o with Canvas, and that's while I was working on the update that I'm working on to GRC's DNS Benchmark, and, as I've mentioned recently, I've been using the coding platform version as sort of a super Google search on steroids. I'm often astonished by the quality of its replies. Something that I don't understand happened over the weekend while I was working on code, but frankly, I don't understand any of this AI stuff. It's all voodoo, and that's the problem, because I'm 100% certain that this is too important for us to not understand, and I have a plan for that. But let me first share what happened.
02:08:11
Okay, one of the facilities of Microsoft's macro assembler which I use to make my assembly code more concise, that is one of the features that I use, and more legible, is the assembler's macro facility. I have a macro named, it happens to be named, append rich edit, which takes a string argument. That is, the macro takes a string argument. So in my program code I would write, for example, append rich edit and then in quotes "benchmark results". Now the way assembly language macros work is that when the source code is being assembled, the assembler does what's called macro expansion, which causes it to follow the simple macro script to create additional code from that script. The point is that this is all nicely hidden behind the macro, which just says append rich edit and then a string in quotes, which makes for a more readable program. In the case of my append rich edit macro, which, as I said, takes a string argument, when the code is being assembled, the macro script places that string argument into the program's data section. Then it writes a call to my append rich edit function, passing it a pointer to that string. I could have done the same thing by hand, but this creates a much clearer communication, and one thing I've learned from, yes, 55 years of programming is that coding is all about communication. I mean almost as much about communicating to me as it is to the computer, which is why my code is, frankly, it's beautiful. I mean, the computer doesn't need it. I've seen people write assembly language where there's a bunch of opcodes down the left-hand margin of the page and it's like, what is this crap? Mine, it's about communication.
02:10:27
Okay, so the use of this macro simulates the semantics which everyone is used to in high-level languages, where it's possible to use a literal string as an argument in a function call. You know, this would be like writing in the BASIC programming language. You know, you would write print, quote, hi mom, exclamation point, close quote. You know, it's very convenient, but in assembly language the string HiMom needs to be defined elsewhere in a data section of the program and then the address of that string is provided to the print function for it to print. So this is very efficient if you might have some repeated use of the string HiMom throughout the program, since all of those repeated instances can all reference that single HiMom data string. But the need to define the string elsewhere in the program, that is, away from where you're using it, makes the resulting code somewhat less clear. By default, assembly language doesn't offer the high-level language convenience of in-place string declaration and use, so I use a macro to give me the same semantic flexibility. Essentially, it looks like a higher-level language is being used, although it's still low level underneath.
02:12:01
Okay, so I apologize for the long and esoteric inside-baseball explanation, but I wanted to explain the situation surrounding what I was about to ask ChatGPT-4o about. What I needed was the ability to optionally add another argument to the macro. If that optional argument was present, it would be provided to the function call which the macro wrote for me, and if I did not supply that optional argument to the macro, the macro would provide a default argument in its place. Now, this is not a feature of MASM. MASM is Microsoft's macro assembler, M-A-S-M, that I frequently use. But I knew that MASM allows the specification of both required and optional parameters. What I wasn't sure about was having it supply default values for non-specified parameters. But since MASM has a very powerful macro facility, thus called the Microsoft Macro Assembler, I had the sense that it probably had the capability to supply a default value for missing optional macro parameters.
02:13:22
To get the details of something like this once upon a time, back in the old days, which in this case is about two months ago, before I started using ChatGPT for these things, I would have Googled around a bit to see whether I could quickly find an answer, but more often than not, since the sorts of things I'm looking for tend to be somewhat obscure, I would wind up reading a couple of pages of the MASM documentation. But now we have ChatGPT, which, as I've mentioned, I've been using more and more. So the first thing I do now is ask it. So I got a ChatGPT prompt and I wrote, quote, Can I use a macro in MASM where an optional macro parameter has a default value if it's not specified? Question mark, close quotes. I mean, that's exactly the phrase I put in, to which ChatGPT-4o quickly replied yes.
02:14:31
In MASM, and it helpfully added parens, Microsoft Macro Assembler, you can create a macro with optional parameters that have default values if they are not specified. This is achieved by using the IFB directive to check if a parameter is blank, and it says, parens, i.e. not provided, close parens, and then assigning it a default value within the macro. Here is an example to demonstrate how to define and use such a macro, colon. And then it gave me some sample code.
02:15:09
Okay now, right off the bat, the syntax it showed for the macro seemed suspicious. The way it was specifying a default value looked wrong to me. It was a construction that various higher-level languages use. But I thought, well, I did ask. So I modified my original macro definition as ChatGPT had specified, and MASM was not at all pleased with it. Since ChatGPT seemed quite clear and authoritative in its answer, I first made sure I hadn't made some mistake. But everything looked good. I tried tweaking it myself and doing some various things, sort of variations on that theme, but nothing I tried worked. So I replied to ChatGPT, and this may be the first time I've ever done this. I wrote, that didn't work.
02:16:08
The syntax, the first line of the macro definition, was incorrect. Any ideas? And ChatGPT replied, you're right. MASM's macro syntax... you're right, I'm an idiot. It's like, yeah, it said you're right. Yeah, it said, you're right, yeah, MASM's macro syntax doesn't directly allow you to specify default values inline in the macro definition. And then it quoted its own previous incorrect sample code with an example. For example, the quote is param2 equals and then a default value in angle brackets, in less-than greater-than symbols. Then it said, period. Then it said, however, you can achieve the same effect using the IFB directive to test for blank parameters and handle them manually. Here's a corrected example, colon. And then it gave that, and, although I needed to modify what it provided for my needs, that second attempt worked.
02:17:30
Okay, so, to recap, I asked this thing, which often conversationally refers to itself in the first person, which is still a little annoying and jarring. It's an it, not a, you know, it doesn't have pronouns. So I asked this thing a question. It quickly provided an authoritative-sounding and reasonable answer, which was nevertheless wrong. Then I pointed out, you know, the part of the answer that was wrong, and it said you're right and then proceeded to offer a corrected answer.
02:18:08
But I remained haunted by my original impression that MASM did in fact allow default values to be specified for optional and missing parameters. You know, it's kind of the way my mind works. I mean, I still remember all of the WordStar keystrokes because they were, you know, built into me and they've got some deep neurons in my brain because I used them so much. So I went to the source, which is where I would have wound up in the old days, and the MASM reference revealed the truth. It is indeed possible to specify a default parameter for an optional and unspecified macro parameter.
02:18:51
ChatGPT was almost correct the first time. It simply forgot that a colon and an equal sign were needed to separate the parameter and its default value, instead of just an equal sign. So it gave me an answer that was initially wrong but was almost right. When I told it that there was a problem with that answer, it agreed, saying you're right, MASM's macro syntax doesn't directly allow you to specify default values inline in the macro definition, which, that statement later turned out to be wrong. And it gave me what was effectively a workaround for the feature that it then assumed was missing from MASM. Finally, having found the correct answer to this, I decided to let it know. So I replied, following up on this, it turns out that your... I'm saying "your", okay, I don't know how else to address it. Following up on this, it turns out that your first response was almost correct. The proper syntax for the first line of the macro definition is my macro, space, macro, space, param one, comma, param two, colon equals, and then the default value in the angle brackets. I said the thing that was missing was that colon in front of the equal sign. Okay, and I hit enter and the damn thing responded, ah, you're absolutely correct. Thank you for pointing that out.
02:20:39
In MASM, the syntax for specifying a default value for a parameter does indeed require the colon-equals operator, not just equals. Here's how it should look, and it provided a correct example. Then it provided me a little tutorial with the heading "why colon equals works". It wrote to me, the colon in colon-equals is required to differentiate default values from other constructs in MASM. Without the colon, MASM doesn't interpret the equal sign as part of the default value definition. Thanks for catching that nuance, exclamation point. It makes the macro much more concise and straightforward than relying on IFB. And then it actually gave me a smiley face.
02:21:42 - Leo Laporte (Host)
I got bad news for you, though, Steve. Unfortunately it's not going to remember that, so if you ask it again, it's going to still make the same mistake. And thank God, you're not allowed to change the training, can you?
02:21:54 - Steve Gibson (Host)
imagine the garbage that the internet would be filling with.
02:21:58 - Leo Laporte (Host)
You might remember it locally, because it does remember some stuff locally, but you can't teach it because, obviously, if you could, oh, the world, the end of the world as we know it. It was very polite about the correction. That is a very useful prompt tip that a lot of people have noted: you can say no, that's wrong, and it will actually come back to you and often get it right.
02:22:19 - Steve Gibson (Host)
So it's very interesting. No, I'm not dead yet, something like... I wanted to share this conversational event because I'm still startled. It's amazing. By this thing. Yeah. And you heard what it apparently said about our picture of the week.
02:22:37 - Leo Laporte (Host)
Yeah, it was just, like, amazing. Yeah.
02:22:39 - Steve Gibson (Host)
You know, and because I was left staring at the screen wondering what have we created? The fact that I really have no idea is unnerving, and I know I'm not alone in being unnerved by this. Whatever this is, as I said several weeks ago, I believe it's the biggest and most significant transformative event of our lifetimes. Aliens have not landed in our backyard. We have created them.
02:23:15 - Leo Laporte (Host)
You know it's funny. You should say that because I have a friend who works in the business and he said that's a better way to think of it as an alien intelligence. It's just different from ours, yeah, yeah.
02:23:26 - Steve Gibson (Host)
And it seems clear that this is just the tip of the iceberg. Now I have a picture at the end of the show notes, Leo. I have spent my entire life... This is amazing, by the way.
02:23:39 - Leo Laporte (Host)
I love this picture.
02:23:39 - Steve Gibson (Host)
Working to understand the way things work, and I have proof of that. The last page of the show notes has a photo my dad took of me at age four. Four. At the picnic table in our backyard in Orinda, California. I needed to understand exactly how electricity worked and why you couldn't just hook up one wire to a light bulb.
02:24:06 - Leo Laporte (Host)
Because why not, right? The electricity
02:24:08 - Steve Gibson (Host)
comes out of the battery and goes to the light bulb. Nothing has changed since then. Did your dad make you that board?
02:24:15 - Leo Laporte (Host)
No, no, made the whole thing.
02:24:17 - Steve Gibson (Host)
Yeah, I mean, you can see the way the kite string is wrapped around the dry cell battery. Yes, a little, a little excessively. Hey, it's not going anywhere. So I wanted to understand this.
02:24:35
Nothing has changed since me at age four back then. Today I want to understand this, whatever this is. So two days ago, I identified and purchased two quite lengthy technical and detailed textbooks on the subject of large language models, conversational and generative AI. I am blessedly and finally nearing the end of part one of Peter Hamilton's seemingly endless two-part Archimedes Engine novel series. Once I'm finished with that, I'm going to turn my attention to educating myself about AI, and not just for myself. I have every intention and expectation that I'm going to reprise my role as Security Now's explainer-in-chief to explain to this podcast audience exactly what I've learned about what we are creating. I need to know, and I'm pretty certain that among this audience I'm not alone. You are not alone, so stay tuned.
02:25:47 - Leo Laporte (Host)
Can't wait, Mr Explainer-in-chief. Yeah, it's a fascinating subject.
02:25:54 - Steve Gibson (Host)
It's just mind-boggling, Leo. I have no idea. I understand how all this other stuff works. This, it's... I just don't have a clue.
02:26:03 - Leo Laporte (Host)
Well, to some degree it's a black box. I mean, you can understand how it's trained and you can understand roughly how it works. There's a very, uh, I recommend, for a shorter version of these longer books, Stephen Wolfram has done a really excellent explainer of how they work. Um, as one would expect, he's done a lot of writing now about AI. He's very interested, but, uh, the problem is the rules they generate are not visible and are essentially a black box, and so that's kind of an interest. I see you looking it up right now. That's great. Um, yeah, I didn't want to lose that.
02:26:38 - Steve Gibson (Host)
Um, we certainly know that's the case with neural networks, right? You know, they adjust their strengths based on being trained and adjusting their outputs to match what they're told they should be, but we don't actually understand the weightings of the neural network. It's just what it does, and it works.
02:27:03 - Leo Laporte (Host)
Transformers are basically a form of neural network, so it's very similar. I will be very interested to see what you can figure out. I can't wait.
02:27:13 - Steve Gibson (Host)
Well, I intend to do a, uh, Security Now-style, uh, explanation of this once I understand it myself. So we'll see what we get. I don't know what's going to happen.
02:27:27 - Leo Laporte (Host)
Steve Gibson, aren't we glad we've got him. You are a national, international treasure, Mr. G. Uh, he is here for you every Tuesday. That's when we do the show, right after MacBreak Weekly, 2 pm Pacific, 5 pm Eastern, 2100, sorry, 2200 UTC.
02:27:44
You can watch live on eight different platforms, including, uh, Discord for our club members, YouTube, Twitch, LinkedIn, Facebook, TikTok, X.com and Kagi, no, Kick. Those are the eight different platforms, but most people don't try to watch live, or if they do, they still want a copy of the show, and actually there's a few different copies you might want to get. If you go to Steve's website, he has the 64-kilobit audio version. That's the same as we do at our website, but he also has a 16-kilobit audio version at GRC.com. So if you want something a little scratchier but a lot smaller, a quarter the size, you can get it there. But also very handy, the transcripts that Elaine Farris uses those 16-kilobit versions to make. That really is helpful to read as you're listening, or to use for a search engine. All of that's at GRC.com. While you're there, pick up a copy of SpinRite. Steve didn't talk about it today, but you said you had a big announcement. I thought that might be some sort of announcement, but maybe not.
02:28:49 - Steve Gibson (Host)
Um, maybe I misunderstood. Anyway, I think I would just, uh, this, that was GPT?
02:28:54 - Leo Laporte (Host)
was the announcement?
02:28:55
I'm going to learn AI and then share what I know. I want a Steve Gibson AI so I can ask questions of it. That would be useful. Maybe you'll work on that too. Um, GRC.com, get a copy of SpinRite, world's best mass storage maintenance, performance enhancer and recovery utility. Really is a great tool for anybody with mass storage. Current version 6.1 just came out. That's at GRC.com. Lots of free stuff there as well, and of course, the show.
02:29:25
If you want to get the little Ruby G in your email, you'll need to sign up at GRC.com/email. Now you don't have to get those newsletters, although that's where the Ruby G will be, unless Steve personally emails you. If that happens, even better. But the Ruby G goes on those newsletters that he sends out. But when you do validate your email at that site, what you will also get is the ability to email questions, thoughts, pictures of the week to securitynow at grc.com. You can't do that unless you validate your email first. Yep, it bounces right back at you.
02:30:03
Um, and he has two newsletters. One is the show notes. By the way, I didn't even mention that's another thing you can download from his website. The show notes are really basically everything he talks about on the show, so it's a very easy way to see what's going on. Uh, we also have copies at our website, twit.tv/sn. There's a link there to the YouTube channel, a great way to share clips. That's my recommended way to, you know, you hear something on the show, you know you want to say, hey, Steve talked about this. Send a clip. It helps us a lot, makes it very easy for your correspondent to see what Steve said. That's from the YouTube channel. We also, of course, are a podcast, so you can always subscribe, audio and video versions available in your favorite podcast client. I think I've mentioned everything. Join the club, twit.tv/clubtwit.
02:30:59 - Steve Gibson (Host)
Thank you, Steve. Good luck with the engine, the Andromeda Engine. Oh God, I looked this morning. I was at 89%. I thought, okay, God, 10% more. And I understand John rereading it immediately, because so much happens and it's so complex that you feel like, who is this? What do they do? What, what, what.
02:31:17 - Leo Laporte (Host)
And so I actually opened Apple Notes and started writing stuff down so I could keep track. I put it aside briefly because Stacy's Book Club is coming up on the 19th and we're doing James S.A. Corey's newest one. He's the guy who did The Expanse, and I know you're a big fan of his Expanse.
02:31:35
Or I should say their Expanse, because it's two people writing. Their new one, The Mercy of Gods, is really, really good, and I think you will find it very similar to Peter F. Hamilton, actually. One of my...
02:31:53 - Steve Gibson (Host)
Oh yeah, I don't know, I guess I'm thinking of something different. I was thinking of, uh, Jack Campbell also has a new series.
02:31:59 - Leo Laporte (Host)
Uh, he did the Lost Fleet series. So much to read and so little time, and that's just it.
02:32:05 - Steve Gibson (Host)
You know, I actually cannot recommend this Peter Hamilton. It's too long. It is. It's too much work. It's, um, you know, it just doesn't measure up to his earlier stuff: Fallen Dragon and Pandora's Star and Judas Unchained.
02:32:22 - Leo Laporte (Host)
Such good stuff.
02:32:24 - Steve Gibson (Host)
Those were really good, but his later stuff, it's just, wow, are you being paid by the page? The
02:32:31 - Leo Laporte (Host)
page. Well, I'm really liking the new James S.A. Corey, so I'll just throw in a plug for The Mercy of Gods. It's really good. We're going to do it in Stacy's Book Club on the 19th, so I have to finish it before the book club, so I had to put it aside. Sorry, Peter. Um, thank you, Steve Gibson. Have a wonderful week. We will see you on the 17th for 1005. Oh, I love it.