Security Now 961 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here. Lots to talk about yeah, that three million toothbrush DDoS attack thing Maybe that wasn't exactly how it happened. Steve has the details on that. Why is password security really just security theater, yikes. And then we're going to talk about what probably many of you heard about the BitLocker hack. Is it something you should worry about and what can you do about it? Steve's got a very simple fix. You'll want to listen to this episode for sure. Security Now is next. Podcasts you love. From people you trust. This is TWIT.

This is Security Now, with Steve Gibson, episode 961, recorded Tuesday, february 13th 2024. Bitlocker Chipped or cracked. Security Now is brought to you by DeleteMe. Have you ever searched for your name online? Oh don't. It's a nightmare. You will not like to see how much of your personal information is there in public. That's why you need DeleteMe, not just for your own personal use. It does reduce the risk of identity fraud or credit card fraud, robo calls, harassment, unwanted communications, but it's also good for cybersecurity. In fact, if you ask me, every executive, every manager in your business should have a DeleteMe account. We found out the hard way before we started using DeleteMe, when Lisa's direct reports all got text messages saying quick, I'm in a meeting and I need 20 Amazon gift cards sent right now. Of course, we our staff is well trained and they did not fall for it. But you got to wonder how did they know who our direct reports were? How did they know what her phone number was? How did they know that, what their phone number was? It's all online. That's why we signed up immediately for DeleteMe.

Now let me explain how DeleteMe works. You're going to give them some basic personal information, just enough for them to find the record about you so they can remove it. Deleteme's human experts will go out and find and remove your personal information from hundreds of data brokers, helping reduce your online footprint and keeping you and your family and your business safe. But this is really important. Deleteme will then continue to scan and remove personal information regularly. That's because these data brokers are nasty individuals. They will repopulate your record after they delete it. They'll go okay, yeah, we'll delete it, and then they'll go back and fill it right up again, because all that stuff's still out there. You need somebody out there looking out for you, constantly checking. We're talking everything addresses, photos, emails, relatives, former spouses, phone numbers, social media accounts, property value, income value and since privacy, exposures and incidents affect everybody differently, their privacy advisors at DeleteMe will ensure that you get the support you need.

Sometimes it's just like an arm around you saying it's going to be okay. Sometimes, though, it's really. There are things you need to worry about, things you don't need to worry about. It's great to have an expert on your side. Protect yourself, reclaim your privacy by visiting JoinDeleteMecom slash Tweet and using the code TWIT TWI T. That's join, deletemecom slash TWIT. Offer code TWIT for 20% off. It's time for security now. Yes, you wait all week long for this moment. I know you do. Steve Gibson is here, the man in charge with the latest security news. Hello Steve, hello Leo.

0:03:43 - Steve Gibson
Great to be with you. This is the 13th, which is regarded as a, you know, sort of an unlucky number, at least in the West. I know the China's got a whole bunch of numbers.

0:03:54 - Leo Laporte
Oh yeah, they ate it. They're lucky. I can't remember what the unlucky ones were, but yeah, yeah, 13,. Though this is the day before Valentine's Day, so it's only unlucky if you haven't bought Laurie a gift yet.

0:04:06 - Steve Gibson
Oh, the best thing about my having actually, she chose me more than I chose her is the cheap. To care less, absolutely, I have to like you know. By the way, honey, it's your birthday, what? Oh, love that, it's wonderful. Love that, yes, fellow, I've been in earlier years of my life. It's been, this has been. The Valentine's Day was my most hated day, oh, okay, and because you know, girlfriends were comparing what their friends, boyfriends or husbands did and it's like, well, he did more than you did oh.

0:04:41 - Leo Laporte
God, just shoot me now. You can't win, you can't win, you can't win. So what is what's in the dockets for today's show?

0:04:50 - Steve Gibson
We have a mostly listener driven show because, as I was going through the incoming from our listeners, they expanded into some really interesting discussions. So we do, of course, have what's the story behind the massive, incredible three million toothbrush takeover attack.

0:05:16 - Leo Laporte
Oh, I'm so sorry, I brought that up last week. No, no, you were, you were right where the rest of the Internet was at that point, I got suckered with everyone we were on the leading edge of a fiasco Although. I had just used my mind, my noggin, I would have realized how hard to believe it was. But anyway, you'll get to that.

0:05:34 - Steve Gibson
Well, okay, so so with that, there's some interesting stuff to win on with that. Okay, Also, we're going to look at how many honeypots are out there on the Internet. It's more than you might think. Also, what's the best technology to use to access our home networks while we're traveling? Exactly, why get this? Is password security all just an illusion? Oh no, oh yes. Does detecting and reporting previously used passwords create a security weakness? Will Apple's opening of iOS in the EU drive a browser monoculture? Can anything be done to secure our routers? Really problematic. Up and P, you know, universal plug and play.

0:06:28 - Leo Laporte
just turn that off. You told me to turn it off, so yeah yes.

0:06:32 - Steve Gibson
Has anyone encountered the unintended consequences we theorized last week? The answer uh-huh, and I even. Even I have. Are running personal email servers no longer practical? And finally, what's up with the recently reported vulnerability that afflicts, affects many TPM? You know, trusted platform module protected bit locker systems. Oh boy, yeah, that's a big one. Today's topic to was tight, or today's podcast titled bit locker chipped or cracked. So, I think we have another great podcast for our listeners.

0:07:13 - Leo Laporte
Well, this would be a good time, maybe, to mention Security. Now is brought to you by Bitwarden. If you are using a password manager, may I make a strong recommendation for the only open source password manager you can use at home, at work, on every device you've got, absolutely free. I'm talking about Bitwarden, is what I use, is what I recommend, is what I tell everybody to use and, by the way, I love it because Bitwarden knows that you are a technical audience, so they always have the most technical ad copy here, just for the security. Now, audience Account switching account switching one of the new features on Bitwarden.

You know they did the secrets thing, which is fantastic to keep you from accidentally putting your API secret into your GitHub, you know, accidentally committing it to your GitHub repository. They're always adding features. That's one of the nice things about Bitwarden. Account switching is now part of the Bitwarden browser extension, which means you can log into up to five separate Bitwarden accounts and switch seamlessly between them in the desktop without leaving the browser. This is great for personal and work Bitwarden. That's. That's, by the way, the way it kind of works. To set up a personal account, you add your organizational account, you have access to both those vaults, and now it's easy to switch If you're self hosting. Bitwarden has developed a Helm chart to enable deployments to Kubernetes clusters, which is nice because if you're already using Kubernetes, you can, you know, keep that software stack simple without needing to add a new service. You just you've got Bitwarden in the Helm chart.

Generating and managing complex passwords with Bitwarden is easy as can be. I just love it. In fact, I just started using the ARC browser and it works so beautifully with ARC. It's almost like they knew it is the trusted credential management system. As far as I'm concerned, named by wired as best for most people, honored as fast companies 2023 brands that matter in security. Bitwarden is the open source password manager trusted by millions and at least us too as well to 1 million and 2.

Get started with Bitwarden's free trial of a teams or enterprise plan, and I always love this and this. You know I know you're using a password manager, right, but you know you have family and friends and co workers who ask tell them it's free. Sometimes they say I don't want to pay for it's free for personal use across all your devices. It supports. It supports a UB key, it supports pass keys all for free forever. Go to bitwardencom slash twit. Find out about the enterprise plans, the teams plans or the personal plans. Bitwardencom slash twit. I like to do this with Steve. I have not seen the picture of the week yet. I am ready to scroll it up now, though, if you're ready.

0:10:04 - Steve Gibson
Yes, this one.

0:10:05 - Leo Laporte
I gave this one the title your municipal tax dollars hard at work, oh now, john, I can't show this at this point because you haven't switched a given me a switch for the computer screen. So I guess, people, you're just going to have to look at your show notes here. Here it is your municipal tax dollars, hard at work. Oh, I wish you could see this. Maybe, steve, you're just going to have to describe it for us.

0:10:36 - Steve Gibson
Okay, so well, I always do for our, for our listeners who are driving and commuting and jogging or whatever it is they're doing. They're listening rather than than viewing. This is just another one of those insane like what are they thinking? So? So we have a street corner where we resumed in on just one corner, like where you would have sidewalks of, and it looks like a rural community. We see something in the background with a couple trailer homes and some parked cars and some you know screens and things. It looks like rural US. And okay, now we have it on the screen for those who are watching the video.

And and there's like a patch of side walk concrete which, and the, the curb, is dropped down to street level so that if you're rolling up on, you know, on a with a wheelchair, you'll you'll not have to go over the bump or you're using roller skates or whatever. There's even that, that, that special textured in this case it's bright, pink and kind of nubbly rubber on the leading edge, so that, so that I guess, if you're not sighted, or maybe in a wheelchair, you know, you're able to sense that you're on the edge of the sidewalk. The problem is, this sidewalk extends maybe a yard, you know, maybe three feet, and then there's this big sign sticking up that says end of sidewalk. Because well, I mean it's correct.

0:12:29 - Leo Laporte
At least you got up the curb, Okay.

0:12:31 - Steve Gibson
But I just, you know, leo, you look at this, and I mean the pictures we've been showing recently. You know, they, they, there just has to be a story behind them.

0:12:42 - Leo Laporte
I'll tell you the story. This is malicious compliance. Yeah, this is complying with ADA regulations, but the problem is it's. This is the same way in Petaluma. I don't know if it's what it's like where you are, but developers don't want to put in sidewalks. So if they're not work absolutely required by city regulations to put in sidewalks, they won't. And this is an example of the. They had a ADA compliance feature, which is a curb cut, but they didn't have to put in the sidewalks.

0:13:10 - Steve Gibson
So they didn't. So it's not a sidewalk, it's a sidestep, yeah, because basically you take one step and then you're done. It's ridiculous and it's, and I was thinking, maybe the corner is there to join another sidewalk running in the other direction, but it looks like, but there's grass along there and it looks like this is aimed at only, you know, in only one direction of of of entry from the, from the street, anyway it's the least they could do, literally and in case you weren't sure, Leo.

yes, the sidewalk has ended. So you know, because there's grass, so there's a end of sidewalk sign posted.

0:13:53 - Leo Laporte
I like that. That's a really useful piece of information.

0:13:56 - Steve Gibson
Yeah, because you wouldn't know otherwise.

0:13:59 - Leo Laporte
You would. If you were in a chair, you would immediately sense the change in terrain. Good Lord, wow, wow.

0:14:08 - Steve Gibson
Okay, so just as we were recording and I did give this one the title, brushing up on the facts Just as we were recording, last Tuesday's podcast, news was breaking across the internet that somewhere around 3 million electric toothbrushes had all been compromised and had been enslaved into a massive global botnet and more, that actually it had been used to attack a Swiss firm, blasting them off the internet completely.

0:14:43 - Leo Laporte
And I owe you such an apology for breaking into the show breathlessly relaying this story. I should have known better.

0:14:53 - Steve Gibson
Why? Why isn't that in your notes, steve? Well, gee should have known better. So the independence. But, leo, really you were in good company. The independence headline was millions of hacked toothbrushes used in Swiss cyber attack report says Fuzzilla Well, that's a good, well named. Their headline was hackers turned toothbrushes into cyber weapons. Oh boy, boing, boing Headlined millions of smart toothbrushes used in botnet attack on company, even ZD net, and they actually made it even worse. But the way they ended their headline ZD nets headline three million smart toothbrushes were just used in a DDoS attack period. Really, well, not really Even Tom's hardware. Three million malware infected smart toothbrushes used in Swiss DDoS attacks. Botnet causes millions of euros in damages. We even know, leo, what it cost.

0:16:00 - Leo Laporte
We don't think the company that was attacked, oh God.

0:16:04 - Steve Gibson
And finally the sun. The sun reports over three million toothbrushes hacked and turned into secret army for criminals.

0:16:14 - Leo Laporte
Experts claim Now in my defense, this news headline came over the wire as you were doing the show. Yes, but I should have used some critical thinking, because I have one of those toothbrushes. They're not connected to the internet.

0:16:27 - Steve Gibson
Right, they have Bluetooth. They do not have Wi-Fi.

0:16:30 - Leo Laporte
They do connect to. I mean, I guess you could in theory hack them because they do connect to your phone.

0:16:35 - Steve Gibson
So if you had a malicious app, the phone in the toothbrush. Yeah, I know you had a malicious app that then and this really brings a whole new meaning to the notion of disinfecting your tooth.

0:16:48 - Leo Laporte
But there's not enough power in there, there's not a memory and, most importantly, there's no Wi-Fi.

0:16:53 - Steve Gibson
Well, there were many, many similar reports hundreds yet none of them, of course, were true. Highly respected news outlets repeated the story because, well, talk about clickbait, oh goodness. So how exactly this massive reporting screw up came to pass Even today remains a little unclear. I should note that all of the responsible reporting, for example Tom's hardware I think it's had three updates since then and like really been diligent in rolling this thing back and correcting their own record. So everybody who did this, you know, said whoops and like and fixed it. But I think that, well, part of the problem is in following up and following back this trail. The parties who were directly involved still to this day disagree about who said what to whom.

This occurred during an interview with a. Well, I've got the details here, so I'll explain it without quoting myself or misquoting myself. But you know, what was originally published was certainly, you know, pear curling, if not teeth straightening. So here's what the world read. This was in the original article. She's at home in the bathroom. She's part of a large scale cyber attack. God, the electric toothbrush is programmed with Java and unnoticed criminals have installed malware on it and approximately three million similar toothbrushes. One command is enough and the remote controlled toothbrushes simultaneously access the website of a Swiss company, the site collapses and is paralyzed for hours, resulting in millions of dollars in damage. I'm so embarrassed this example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become. Yes, even your toothbrush is not safe.

Stefan Zuggerm, head of the Switzerland offshoot of the cybersecurity specialist firm Fortinet, said quote each device connected to the internet is a potential goal or can be misused for an attack, whether baby monitor, web camera or the electric toothbrush, the attackers do not care. So the day after hundreds of media outlets worldwide repeated the false claim that a botnet of three million toothbrushes had attacked a Swiss company, fortinet, the now quite embarrassed cybersecurity firm which was at the center of the story, issued a statement they said quote to clarify yeah, let's get a little clarification. To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or Fortiguard labs. It appears that, due to translations, the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred. Wow, give that PR person a raise. That's just beauty. It's like, well, the hypothetical and the actual met in the middle and we're not sure where one ended and the other one started, and after all, it was lost in translation, right. So Fortinet went on to say that its experts have, quote not observed Mirai or other IoT botnets targeting toothbrushes or similar embedded devices.

Now Graham Cluley, who's been following this whole mess, he, on the day after that, day after, on Thursday the eighth, graham wrote I can imagine how a Fortinet researcher might have regaled a journalist with tales of how IoT devices like webcams could be hijacked into botnets for DDoS attacks. After all, this has happened. However, giving the journalist a juicy, hypothetical example of millions of smart toothbrushes taking down a Swiss company is playing a dangerous game, he says. I'm not surprised that journalists seized the story and, as we've, as we've seen, then, other news outlets repeated it without double checking its truth. A more experienced spokesperson would have gone to pains to make it clear that the toothbrush DDoS attack example was hypothetical and had not actually happened. Failing that, since the original article was published get this on January 30th Fortinet had plenty of time to contact the Swiss newspaper and correct the report or post a clarification on social media, debunking the story as the hysteria spread in the press, but Fortinet did not do that until skeptical voices in the cyber security community questioned the story. Ironically, fortinet's researchers have published some genuinely interesting proof of concept research in the past on the toothbrush topic, albeit hacking Bluetooth-enabled toothbrushes to mess with brushing time rather than knock a company's website offline.

So, anyway, many of the various publications that were forced to update, amend and retract you know what turned out to be an erroneous story took the time to add that, you know, like trying to cover themselves a little bit. While, yes, whoops, this didn't actually happen, it was still an entirely possible and even likely scenario, except, of course, on with toothbrushes, they only had Bluetooth. It actually wasn't, and of course, that may also account you know the fact that we're prepared for this. That could account for the fact that everyone rushed to submit the story. You know, even though it was not true, it carried the ring of truth for any tech publication since, as everyone listening to this podcast knows, routers and security cameras and IoT devices of all makes, models and functions are indeed being compromised and enlisted in botnets daily. It's not science fiction, even though this particularly intriguing story was pure fiction. So anyway, leo, again, no harm, no foul, and I may have picked up on it if my news gathering had been a little later in the day. Then it turned out to be because, as you said, just happened as we were getting the podcast, so so, so there, okay.

So so I got a kick out of the blog post headline posted at the Vuln VULN Vuln check website. It read there are too many damned honeypots, exclamation point. So here's what the Vuln check guys explained. They wrote determining the number of internet facing hosts affected by a new vulnerability is a key factor in determining if it will become a widespread or emergent threat. If there are a lot of hosts affected, there's a pretty good possibility. Things are about to pop off, as they put. But if only a few hosts are available for exploitation, that's much less likely. But actually counting those hosts turns out has become quite a bit more challenging. They said, for example, take CVE 2023 22527. So that's last year. This affected the Atlassian confluence servers. They said at the time of writing, confluence has appeared on CIS's Kev you know kev, the commonly exploited vulnerabilities list nine, yes, nine times that they wrote. That's a level of exploitation that should encourage everyone to get their confluence servers off the internet.

But let's look for ourselves. There are a number of generic confluence showdan queries floating around, but x, hyphen, confluence, hyphen request, hyphen time, so x confluence request time might be the most well known. This simply checks for an HTTP response header being, you know, being returned, in other words. Okay. So breaking from them for a second, and as we know, the showdan internet search scanner is constantly scanning the net and aggregating the presence of hosts on the internet who's listening to what port on what IP? And in the same way that Google indexes the internet so that it's easy to find a site by by search terms, showdan indexes the internet so that you're able to find vulnerable or or least present services by IP and type of service. So it's a, you know, it's a search engine for stuff that's listening on ports. So the showdan can make an HTTP query to confluences service port and if the reply coming back from that port contains the reply header x confluence request time, that strongly suggests that there's a running confluence server answering queries at that IP and port. So the volncheck guys then show a showdan screen capture showing get this 241702 occurrences of that reply header being returned from queries across the internet.

Then they point out one particular thing. They say 241,000, you know it's a little more than that hosts, they said, is a great target base for an emergent threat. But on closer examination there's something off about the listed hosts. For example, this one and they select one has the Confluence X Confluence Request Time header, but it also has an F5 favicon, you know, as in the well-known security firm F5 Systems. And they say it also claims to be a QNAP TS128A, you know, nas device. They say this is a honeypot, you know, because it's arranging to look like a bunch of things In order to attract flies.

0:29:33 - Leo Laporte
I gotta tell you this is something that our sponsor would never have done. They have so much, so accurate, and they don't put their little logo in it and they don't personate more than one device. So this is not a canary, obviously. This is some other.

0:29:49 - Steve Gibson
Right? Well, and I was thinking about this too canaries are not meant to be publicly exposed. They're there for your lamb, in order to detect intrusion. That's what you want, you don't?

0:30:01 - Leo Laporte
yeah exactly.

0:30:02 - Steve Gibson
Yeah, there was no reason you would stick it out there. You know, just to take incoming from the Internet.

0:30:07 - Leo Laporte
No, we know there's bad guys out there. We don't have to test for this.

0:30:11 - Steve Gibson
Yeah, what we want is to find out if any of them get inside. So the VonCzech guy say. Whoever created this honeypot was somewhat clever. They mashed together the popular showdan queries for confluence F5 devices and QNAP systems to create what they described as an abomination that would show up in all three queries. To avoid throwing exploits all over the Internet and thus getting quickly caught, some attackers use showdan or similar to curate their target lists. This honeypot is optimized for this use case, which is neat, but it blocks our view of what is real Right. Can we filter them out of our search? They say at this point is probably useful to look at what a real confluence server HTTP response look like. The server has a number of other useful headers to key off of, but we'll try to filter by adding in setCookie colon JsessionId equals. That update brings the host countdown. Now they modify their showdan query so that they want it to have both that very popular X confluence request time header and to be setting a cookie named JsessionId equals. They're doing an and on those two requirements they write that update brings the host countdown from 241,702 to just 37,964. So just shy of 38.

They call that probably actual confluence servers publicly exposed to the Internet. But is that number real? They say it still seems high because most of those do not respond with an actual confluence landing page. A simple way to capitalize on that is to also search for a snippet from the confluence login page in our search criteria. So they add another term to the showdan query, looking for the report, for the returned HTML to contain the phrase confluence base URL, and they say, ah, now we're down to 20,584, a little over half as many as before.

They added that additional term and they write this knocks off 17,000 hosts and things are looking more confluency, but there seems to be a whole bunch of entries without favicons.

Let's drill down into that one and see.

So they do that looking for the presence or lack of any favicon for the site, and at one point it occurs to them to examine the value being returned in the confluence J session ID, cookie settings, reply header and what do you know? A great many of those across the Internet have identical values, meaning they're not being generated dynamically, they're part of some fixed confluence simulating honeypot, and this and the simulation took some shortcuts. That is, the simulation of the honeypot took some shortcuts, for example, randomizing the J session ID which gives it away when it's examined closely enough by applying this spoofed J session ID filter, the number now drops to 4,187, probably authentic, publicly exposed confluence servers. So again they write and conclude they said a quick investigation suggests that this could be the complete set of real confluence hosts or just very, very good honeypots. They say that's a reduction from around 240,000 hosts all the way down to just 4,200. That means there are approximately 236,000 confluence honeypots on the Internet, or more than 50 times the actual number of real confluence servers.

0:35:23 - Leo Laporte
I'm thinking that's interesting. Why do people want to do public honeypots? I don't get that.

0:35:30 - Steve Gibson
Right, just you know, just probably to see, just to see. Anyway, they say a vulnerability that only impacts 4,000 hosts is much less concerning than a vulnerability that impacts 240,000 hosts. Understanding the scale of an issue and therefore being precise about the number of potentially impacted hosts is important. To those who copy overinflated statistics or haven't done their due diligence are making vulnerabilities appear more impactful than they truly are. 3 million toothbrushes anyone. Anyway, while we focused on confluence, they said this particular problem has been repeated across many different targets. Honeypots are a net good for the security community, but their expanding popularity does make understanding real world attack surfaces much more difficult for defenders, not just attackers. And Leo, I really think you raise a good point. We're talking a quarter of a million. It's a lot of them. Bougas Confluence servers what you know I get right, that's I don't know that they're that many bad Russians, it's just not as much fun to be a hacker as it used to be.

I just so, anyway, this will be a very good rule of thumb for us to keep in mind moving forward. So, academically, it's interesting that the explosion in honeypot use and population is this large. I mean, it's like what? Who are all these people? You know, that's sort of astonishing. But this means that the tendency to immediately rely upon and believe the results of a simple, you know, not very critical this show, dan search for a given open port, assumes, you know, assuming that that means there's a truly vulnerable service running there needs to be significantly tempered. And it also suggests that future internet vulnerability scanners will themselves need to do a better job of filtering out the honeypots. Well, since the problem has obviously become you know nothing less than massive.

0:37:55 - Leo Laporte
It might be worse even than that, because these were not well configured honeypots. I mean, any hacker worth his salt would have immediately noticed the Fortinet or whether are the F5 icon and the fact that it was both a QNAP, and I mean that's a little bit. You know, the whole thing doesn't ring true and I would think most bad guys, except for script kiddies, would be sensitive to that and watching out for that. They're probably many, many, many more that they can't see because they're well configured. They look just like a real Confluence server, yep.

0:38:34 - Steve Gibson
Leo, let's take our next break. Yes, and then we're going to plow into some user driven, really interesting discussions, and again, I'm sorry about the toothbrushes.

0:38:47 - Leo Laporte
They're just. They're just just Bluetooth, they kill.

0:38:52 - Steve Gibson
I'm glad to know you're taking good care of your keys. I should have. They are very important.

0:38:56 - Speaker 2
Yes, they are, I should have just paid more attention and you've got a high tech toothbrush.

0:39:00 - Steve Gibson
Hopefully it hasn't been hacked to have its running time reduced because we will get to him someday.

0:39:06 - Leo Laporte
We will kill him with tooth decay. It may take a few years. Our show today Thank you, steve Brought to you by Collide. We love Collide.

When you go through airport security, this is not how your security probably works, but it is how airport security works. You go through two lines, right. The first one. The TSA agent then checks your ID, looks at your face Actually, nowadays they have face ID, face recognition machines and then you get through that first barrier. But then you take your bags, you put them on the X-ray and they check your bag.

You know, in theory the same thing happens in enterprise security, but instead of passengers and luggage, it's end users and their devices. And most companies these days are good at the first equation. You know they're good at who you say are. In fact, if you really care, you probably use an octa, right, and that really does a good job of authentication. But then the devices that the user is carrying with them roll right through. Well, we know you're you. We figure everything you've got is safe. That's not the case.

47% of companies allow unmanaged, untrusted devices in to access their data. That should be terrifying to you. It means an employee can log in for a laptop that you know doesn't have a firewall turned on or hasn't been updated in six months or is running an unpatched version of Plex from 2009. I mean, we know these things happen, or it even could be that the laptop might belong to a bad actor who is using the employee's legitimate credentials to get in. Collide solves the device trust problem by ensuring no device can log in to your octa-approved apps until it passes your security checks. And it's great because you can use it collide on devices without MDM, which means on your Linux fleet, on your contractor devices, every BYOD phone and laptop in your company Completely crossed platform. Visit collidecom slash security. Now you can watch a demo. See how it works. K-o-l-i-d-e dot com slash security Now. This patch is a very real hole in your security. You need this thing. Collidecom slash security Now on with the show, steve.

0:41:28 - Steve Gibson
Dextra tweeted. Hello Steve, thank you for introducing me 13 plus years ago, to the world of being security minded from a tech perspective. I travel a lot and over the years I've been working on trying to come up with a solution where I can appear on my home network so I can access and watch content on my cable providers app while being secured, with the least amount of possibility of opening my home router up to external threats. I have a Synology RT2600 AC router at home. I recently started to travel with a Burl travel router. I do have an extra Synology RT2600 AC router that I've traveled with in the past. Do you have any suggestions on how to go about appearing to be on my home network in a secure manner so I can access my cable providers catalog live TV signed RM? Okay, so this has changed over the years. 10 years ago, the standard generic answer would have been to arrange to set up a VPN server at home and then VPN into your home network from afar. That's no longer the optimal solution. Among other things, it's often more easily said than done. It requires opening a static port through your home router which is then visible to anyone on the internet, like Shodan, not just you. While there are ways to do this safely, it's no longer necessary thanks to the widespread availability of many free and terrific overlay networks. The very early such network we talked about many years ago was Hamachi. It was originally free, then it went paid and then it was purchased by LogMeIn. It's still possible to use LogMeIn's Hamachi for $50 per year. But many free solutions exist and they're just as good Nebula, which was done by the stack, people, tail, scale and zero tier, or three of the very popular ones.

Since I didn't know anything about Synology's RT2600AC router, I went over to Michael Horowitz's astoundingly useful and comprehensive routersecurityorg site. It's, you know, as the name sounds. Routersecurity is one wordorg. There's just so much stuff there. His site allowed me to quickly learn that the router has some possible use as a VPN client. It builds in a VPN client, but it doesn't appear to be general purpose enough to host an over.

The router itself Doesn't appear to be general purpose enough to host an overlay network, you know, which any Raspberry Pi can do, for example. So this would mean that when traveling, some machine inside your home network would need to be left running. But, as I said, that could just be a Raspberry Pi serving as a quiet, always on fanless network node to anchor the overlay network. Then you'd run another node on your laptop and all of these things are multi-platform. So whatever OS you're carrying will be, it'll be compatible. And then you'd be all set. Essentially, your laptop and your cable providers, catalog and video streaming would see that you were connected to them from home, and this is just trouble free.

Now, as I mentioned before what I've talked about overlay networks and these various ones, I get people saying, okay, well, which one do you recommend? I can't recommend one because I have not had the need nor the chance to do this myself since I've not been traveling, but the next time I'm going to be out and about, I will make time to check out the various overlay network solutions. I can say, however, that the response from our listeners who have bitten the bullet and set up overlay networks has been like gobsmacked positive. I mean, they can't believe that it is that simple to obtain world-class security in cross-device networking through the public internet, which is anything but secure. So the day has truly arrived when it no longer needs to be difficult in order to do that. You just have to poke around there's. You know, youtube is full of how-to videos on overlay networks. You know again Nebula, tailscale and Zero Tier are top of the list.

0:46:27 - Leo Laporte
Seems like Tailscale is very popular, so yes, that would be your first guess.

0:46:34 - Steve Gibson
So Evan wow, I can't pronounce his name. So, uh, phileaer, sorry Evan. Anyway, he said hey, steve, love the show. I run an e-commerce site and my customers have been asking for an easier way to log in. I was wondering if there are any security considerations for going passwordless, via email only. The system I would like to set up is registration and login via email. Ie customer just enters their email and then receives a six-digit code in their email to authenticate and login. Is this just as secure as email plus password authentication? Thanks, so I thought that was a really interesting and intriguing question.

Okay, so let's answer the last question first. Is this just as secure as email plus password authentication? At first we might be tempted to answer no. It cannot be as secure, since we've eliminated the something-you-know factor from the login. But of course that's a red herring right, since, as I've often noted, every login everywhere on the planet, always and without fail, has the obligatory.

I forgot my password link and sadly we're now also seeing I can't use my authenticator right now, like, oh, my god, that annoys me. It's like what? So you don't need that really yet either? It's just kind of like well, yeah, how about if you have it? Wow, and I've even made this notion of the ever-present email link into a joke.

You know where someone explains that they don't need no stinking password manager, while they're creating an account by just mashing on their keyboard to fill in their password field. And when they're asked but how do you login again? Later, they glibly explain that they just click on the I forgot my password link, then click on the link in their email that they receive and they're logged in. The point, of course, is that so long as all username and password logins include the I forgot what I was supposed to remember get out of jail free link.

Our ownership over and control of our email is the only actual security we have. Sad to say, the rest is just feel good security illusion. This in turn means that the service the password and the password manager are actually performing is only login acceleration. If your password manager is able to supply the password quickly and painlessly, then the much slower I forgot my password login process, which is always available using an email loop, can be bypassed. So it's login acceleration which is good. As Bruce Schneier would probably describe it. Quote the password is just security theater, oh God. So calling passwords a login accelerant is the perfect context to put them in.

0:50:09 - Leo Laporte
This is so important, I this please everybody, clip that paragraph, that previous paragraph, and send it to everybody. Because we've said this many times the weakest link is always the, the real determinant of how much security you have. And if there is a forgot my password, that's the weakest link, that's, yep, the security you've got, yep.

0:50:34 - Steve Gibson
So let's return to Evan's question Is emailing a one time passcode to someone who wishes to log in just as secure as using a password? It should be clear that the correct and defensible answer is yes, it's identical. If the actually if. Yes, yeah, if the users of his e-commerce site do not wish to be hassled for a password, there is no reduction in security to eliminating passwords entirely and just using an email loop. However, there's also no need for even a six-digit code, since that does not provide any additional security and it's more hassle, which Evan and his users are wishing to avoid. What Evan wants to verify is that someone who is wishing to log in at this moment is In control of their previously registered email account. Remember, that's the same fallback test that's being used by every login challenge in the world. This means that all Evan needs to do is email this user a direct login link which contains a one-time passcode as a parameter, and, since the user no longer needs to transcribe it, the passcode can be, as long as Evan wishes, 32 digits, no problem. The only requirement for security is that the code must be unpredictable and only valid the first time it is used. Okay, so how do we do that let's design the system for Evan. We'll start with a monotonically increasing 32-bit counter. That'll be good for 4.3 billion logins before it wraps around. Now you can make it 64 bits if you like, so that the most significant 32-bit counter is Incremented if the lower 32 bits should ever overflow even though that would seem to be quite unlikely. And Actually, since we're gonna put a timestamp in this design also, even if it did, even if you did have 4.3 billion and it finally came around to the same you would, you would know you would not have a valid timestamp in any event. Okay, so, so we have a binary value which will never repeat, since it's a simple counter that only ever counts upward and and it's stored non-voluntarily by the server so that you know it takes the like in the registry or In a file so that it writes it back and always starts, even after a reboot, with the next count. From where had it left off?

Okay, so we can do several things with that Always incrementing binary value. It could be fed into the AES Rindahl cipher, which is keyed with a random secret and unchanging key. That that secret is known only to the server. It's also, you know, it might be coded into it or also written somewhere so that it's non-volatile, it never changes. Then the hunt, the Rindahl is a 128 bit block, so the 128 bits that comes out of the cipher Basically we have.

We have a random secret key which is going to encrypt our 32 bit counter into a 128 bit result that you run through a base 64 converter those are available in every language which produces 22 ASCII text characters. Since the encryption key will never be changed and the input to the cipher is an upward counting counter, the output will never repeat and it will be cryptographically unpredictable. So we've met our, we've met several of our conditions unpredictable, never. It never occurs again. So if, for you know, just just to explore the territory, you could take a salted hash With a secret salt, the counter value would be hashed and then the hash's output would be similarly converted into text using base 64. Now it's true that there's an Infantesimally small chance of a hash collision where two different counter values Might produce the same output. But any good hash will be cryptographically secure. And remember that any single bit which changes in the hash's input will on average, change half of its output bits. So Collisions there would really not be a problem, but no reason not to use Rindall. That's kind of cool anyway.

Okay, so now we have a 22 character one-time token. Evan's e-commerce system should append that token to the link that's sent in the email to the individual who has just asked to log into his system. The instructions in the email are to simply click the button in the email. They do that. This confirms that someone who provided the email address is Is receiving email at that address and they are instantly logged in at Evan's end. When the token is obtained and the email is sent, those two items, along with a timestamp, are added to a pending login list, a, you know, a? A list in the sense of a linked list in. In programming terms, anytime someone clicks a link, the list is scanned, searching for a matching token.

The objects on this pending logins list should use a timestamp so that they are self-expiring. And the way I've organized this on my own expiring lists, of which I have many over in GRC server, managing all the DNS stuff and shields up and everything, and of course this is technically called a queue, as as I'm traversing that list from its start, I'm also checking the timestamps for every object that I encounter, whether or not that they match the one I'm looking for. If that objects timestamp has expired, I I delete it from the list right then, so that the list is self pruning. When I get to the object whose token matches, and If its timestamp has not expired, this confirms the, the login. I accept the, the inbound link and log this person in and remove that little object from the list. It would remove itself after it timed out anyway, but might as well, you know, keep it clean. So anyway, this simple system gives us everything we want. We have unpredictable, self-expiring single-use tokens that go and that's the other reason to remove it from the list. As you're, as you're honoring it and the login, you delete it from the list so that Anyone who might capture it somehow is unable to do to login again using that, that token, which is meant to be single-use.

Evans users no longer need to mess with a password. They simply go to a login page, enter their previously registered email address, click the email me a button, open the email that they received, click the button and they're in, no passwords to worry about and every bit as secure, actually, as if a password being used it's. If you have a password manager, then you have you're able to use on sites that support passwords. You're able to use that as an accelerant to logging in, but it doesn't make you any more secure, and you could argue if it's a poor password, it could make you even less secure. And that's the danger, right? Passwords that are bad Allow bad guys to brute force. If you don't have a password, there's nothing to brute force, so you could make the argument that a password list login is even more secure than a system that did have passwords Yikes.

0:59:32 - Leo Laporte
But a really great question. I mean, yeah, really you got me thinking a lot of counter-intuitive, isn't?

0:59:39 - Steve Gibson

0:59:39 - Leo Laporte
Yeah, medium uses that. They don't have passwords. It's sort of annoying because it means I have to go to my email every time I want to log in.

0:59:49 - Steve Gibson
Exactly, but and and Evan is suggesting that his users would rather do that, yeah, and then have to remember a password.

0:59:57 - Leo Laporte
So I'm seeing that more and more often on sites like medium, where you just don't set up a password, it's you just. You should say email me, micro blog.

1:00:09 - Steve Gibson
Well, that too, and we're about to encounter that, because that what you're describing is the Is the unintended consequence. That was yet last week's topic of sites asking for your email because they want to Replace right first person tracking Because third person tracking is going away, right, anyway, we'll get there in a second. Margrave said hey, steve, I've been a loyal listener since the early days and thought, and though I'm not a security expert, I work in software quality automation and have found the security now podcast incredibly helpful several times. I Recently created a link. I recently created a LinkedIn article and was given the option to share it on social media.

When I chose Facebook I, I encountered an interesting situation. I remembered changing my password, but it struck me as odd that Facebook would notify me about it and In his, in his message to me, he included a screenshot that of what he encountered. Where it's? It's a Facebook pop-up says log into your Facebook account to share, and then it says you entered an old Password. Your password was changed about two weeks ago. If you don't remember making this change, click here, and then it prompts him for his current password. So then he says he continues I'm not entirely sure if this is a positive or a negative feature for Facebook.

Sure, facebook is often filled with a lot of random stuff, like pictures of cats in sunglasses, chicken's wearing hats, breathtaking sunsets from someone's backyard and other equally ridiculous images, but this made me ponder the implications of such notifications. I'm curious to hear your thoughts, as well as those of other listeners, on this feature Facebook is offering. I'm also eagerly awaiting spend right. 6-1 has been a fantastic tool, and I appreciate all the other facets of your podcast, including your involvement with vitamin D3. Best regards, tom you know.

1:02:25 - Leo Laporte
Part of this is because Facebook, which was originally for college kids Exactly 20 years ago, by the way it launched is now primarily for old folks, people like you and me who forget our passwords, who change our passwords and forget we changed our passwords, things like that and or often, often, hacked. I think Facebook accounts are most often hacked. I mean very, very common.

1:02:50 - Steve Gibson
So I don't see, to answer Tom's question, any downside to this. And given that Facebook, exactly as you said, leo, caters to the people who are taking and posting those images which do not, which do not impress Tom, I Can see the merit in reminding someone when their password was changed and then, for whatever reason, they entered their earlier Password.

1:03:13 - Leo Laporte
I think more sites are gonna be like this.

1:03:15 - Steve Gibson
To be honest with you, as we age, yeah, and in fact, you know, to demonstrate that in Tom's case, this was useful to him. He did recall having changed his password several weeks before, but for whatever reason, he entered his earlier password. The alternative to having Facebook Helpfully saying hey, you entered an old password would be sorry, that password is incorrect. This would be more confusing than having Facebook Recognize and helpfully report that the password was the user's attempted use of an earlier password. You know, and and I don't know whether multiple people in a household Routinely share a single Facebook account. That's a good point, yeah, but if so, one of them might have changed their shared Password and failed to inform the others. So this would be a huge help in that instance.

The only problem I can see would arise if Facebook were to honor Tom's use of his retired password, but that would obviously, or hopefully, never happen. So I don't see any downside, and we know that those really annoying systems require their users to Periodically change their passwords for no reason and then also refused to allow any recently used password to be reused. And you know they are. So that means they are similarly storing Previous password hashes, so the practice of remembering previous password hashes is not new. I think this amounts to a useful and user-friendly feature.

1:04:56 - Leo Laporte
Good and and secure, which is what, yes, really worried. Yes, that's great, exactly.

1:05:01 - Steve Gibson
I don't see any any problem for security. Good, um, gimmicks 3, he says. Hey, steve, I've been thinking about this thing that now will be able to choose our browser in iOS, and whilst I'm excited to be able to run Firefox in my iPhone, I'm feeling a bit uneasy. Safari, by being imposed on iOS and the default on Mac OS, has gained popularity over the years and has been too big to ignore Until now. Are we going back to the days of the hegemony of Chrome and Websites that can only be used on Chrome? So I thought about this for a while and I would say that it's really up to the other browsers. All of the standards that Chrome Obviously and currently the global dominant browser for here and for the foreseeable future. The standards that Chrome is using are open, open source and available for adoption by anyone. It may indeed be that if they wish to retain what market share they can, they will need to adopt the same set of open standards that Chrome has. These next few years are going to be really interesting. The only place where Apple is being forced to allow third-party browser engine cores is the EU, and we know that Apple is infuriated by this interference with their sovereignty over their own platform. So it seems unlikely that Apple will similarly be be opening their devices to other browsers browsers elsewhere also.

The internet as a whole appears to finally be maturing, waking up and Sobering up a bit. You know we're seeing things tightening up everywhere. Advertising is pulling back sites that never had a clear and justifiable reason for their own existence. Yet we're carrying a huge overhead with a plan to well make it up in volume. You know they're disappearing. What a shock. So in today's climate I cannot see anyone willfully turning away visitors who come surfing in from any platform. You know, perhaps Internal corporate sites might force their employees to use some specific browser in order to run their poorly designed software, that that will only run on a specific browser. But that's their fault. I, that is never gonna happen. As a general rule, no matter what happens on the platforms side, especially with the, what with the web standardization process so well established today, I doubt we're ever gonna see any public sites you know, certainly none that plan to survive, telling their users that they must go get another browser. That's. I think those days are over, and really those were written by, or. You know, those days were largely Back, when browsers were incapable of doing everything, and so it was. You know, go get flash, download flash if you want to use this site. And then, as we know, entire sites were Once written in flash, which you know was crazy. So any browser that wouldn't run flash wouldn't be able to run that site.

Barbara says it occurs to me that the third Syssa recommendation that might address universal plug-and-play issues if you P&P is on and Malware tries to open ports, the user would be notified, right, okay. So Barbara's referring to Syssa's third recommendation, which we discussed last week, about configuration changes to the router or network device requiring a manual changes which affected security, requiring a manual Intervention by the user of some kind, like them going over and pressing a button saying you know, enable me to make changes to this router. And she raises a very good point about you P&P, which we know is a real security problem. But I'm afraid that's not what Syssa was referring to and there's really no good way to deal with that particular problem. Upnp is so ubiquitous that all of today's routers Enable it by default out of the box. Otherwise Things break. And since it's not the router's fault when UPNP is abused, there's no downside for the router to default to having it enabled, as they all do. The last thing any router manufacturer wants is for some online reviewer to write up that they swapped in this router and A bunch of things that were working before Broke. You know the fact that it broke because the router is more secure will be lost on the audience.

So the value of UPNP for providing hands-free connectivity is Is you know which is what it does. It is that it needs no management interface. That you know. It's just magic. Unfortunately, its magic is black and it is certainly prone to abuse Because it allows anything on the internal network, without any authentication Barriers of any kind, to create static incoming port mappings to whatever devices are chosen. Because UPNP is totally freewheeling nature by design, there's no way to require any sort of manual intervention. You know today's network devices just expect it to be the UPNP to be there and for and for their Network traffic to be able to come and go as they please and unfortunately, secure it is not.

Giliermo Garcia said hey, steve, listening to SN 960 in your explanation on the reaction and work around to Google's protected audience solution, I have two comments. If this registration requirement is widely adopted, I'm wondering how that will affect the indexing spiders that index the web for us. And then I wonder what kind of password reuse nightmare will emerge if a login is required for every website on the web. I Thought those are two good points, and the second of those two questions occurred to me last week. If we're being asked to create what are essential, essentially throwaway accounts Just for the privilege of visiting websites, then why not use a throwaway password, come up with something that probably meets modern password requirements and reuse it for sites that just don't matter? The problem, of course, is that there will probably be some tendency to keep using that password, even on sites that are not throwaway. So this reuse for convenience is instilling a very bad habit, which, well, we spent the last decade training everyone out of, and this would also render our password managers web Checkup features useless, since they would be freaking out over all of our deliberate password reuse.

As for spiders, I hadn't considered that, and I wonder how that works today, since news sites behind paywalls appear to be indexed. One thought would be that the user agent header which identifies a spider, might be checked by the site, but of course that would be easy for anyone to spoof in order to get past the paywall, just like the spider does. I suppose that the IP address blocks from which spiders crawl are likely well known and fixed. Or you could do reverse DNS on the IP to see if, like it comes, it's coming in from Google, from a Google you know, dot-com property you know, and, of course, ip addresses cannot be spoofed. So it would be possible to admit un incoming requests from a set of previously well known IP ranges Without requiring a gratuitous login first. But having said that, there's really no reason why spiders could not just log in like everyone else. I'm sure that, assuming this comes to pass, the problem of keeping the web indexed will be solved somehow, and what we're about to learn is that it turns out no password required and that's the solution.

Just like you mentioned, leo, for a firm medium, earl Rod tweeted regarding unintended consequences and websites requiring an account to view their content. I first encountered this a few weeks ago and wondered why it clearly was not a paywall. Now I understand why he's referring to last week's podcast. He said, in fact, no password is needed, since it's not an account but merely a way to track me. They did verify that my email was a real one, so the friction for a user is minimal, really nothing to remember except my junk email, which I have for such purposes. He said ps. The site was Fox news calm, he says, one of the several entertainment sites I look at to see the going narratives related to the news. Okay, so, first of all, it's very interesting that no password is needed, and Earl is correct the only thing they really want and need is our email address. That's what they're trying to get.

I went over to Fox News and poked around a bit and I was not initially prompted for anything. I noticed in the URL bar that Firefox was saying that I had given the Fox site some special permissions of some sort. It turned out that I had disabled autoplay and audio was blocked on that site. So I cleared any cookies that Firefox might have been carrying and then, sure enough, I got the same thing Earl reported. I grabbed a picture of it by myself for the show notes and it's a box that says Join Fox News for access to this content. It says plus, get unlimited access to thousands of articles, videos and more with your free account. Then there's a form to fill in. You know just a one liner, enter your email and then a continue button and then, in the fine print below. It says by entering your email, you're agreeing to Fox News terms of service and privacy policy, which includes our notice of financial incentive. That's bold to access the content, check your email and follow the instructions provided. Okay, so they do that that page fade effect where you can see the top of the story, but it fades to white, you know, and so that it becomes unreadable while this box appears.

I was curious about the notice. So, in other words, you know you can't really continue reading the story until you've entered your email, click the button gone to your email, click the link there to confirm your email address. All of that gives your browser a cookie which is now tied to your email address. So every time you come back in the future they know who you are. So I was curious about this, this notice of financial incentive they referred to. So I followed the link which brought me to the following disclosure under notice of financial incentive. It says this notice applies to our offers or programs per ends, each an incentive program that link to this section of our privacy policy. Okay, and of course, the page blocking that email that brought me here linked to this. So it applies to what we just did right and which California may consider to be a financial incentive.

You can opt in to participate in an incentive program by providing your email address or other personal information. In exchange for providing your personal information, and depending on the incentive program in which you participate, you may be able to access certain content, features or events, receive a discounted price on an applicable subscription or receive special news alerts or other entitlements. We will, in turn, use your personal information for the purposes set forth in this privacy policy, such as sending you alerts and marketing messages and personalizing your experience, including providing advertising you may find more relevant and interesting. To the extent we can estimate the value of your personal information to us, we consider the value of the offer, such as special content or features, the cost to us associated with providing the offer In other words, right, it's a net zero, it's a net equal and the potential benefit to us in the form of additional advertising or other revenue we may receive as a result of you using our services. The value to us, if any, will depend on the extent to which you engage with our services.

Rich boy, some attorneys made a bunch of money putting those couple paragraphs together. Basically, what this amounts to is you've given us your email address, which we're going to use to enrich ourselves, and the more time you spend here, the richer we get. All the sites that are doing this are saying the same thing. It's very clear that this is exactly what Earl, who first encountered this, suggested it was. I don't visit the Fox News site often enough to have appreciated this as a change of behavior recently, but apparently Earl does, and it changed for him.

1:20:21 - Leo Laporte
This is new. The CCPA, I bet, is that financial. The California Privacy Act is the financial one, right? But yeah, it makes sense. You know, we don't need a password. You don't need no stinking password. Just give us your email address. That's all we ask.

1:20:37 - Steve Gibson
I see that a lot, by the way, as he put it.

I first encountered this a few weeks ago and wondered why it's not obnoxious, and the lack of any request for a password makes it much less obnoxious.

So it looks like we have a perfect example of last week's topic the unintended consequences of trying to take tracking away from an industry that does not want to let it go. Everyone who fills out these join our site online forms, aside from subjecting themselves to an ever increasing torrent of spam, will be receiving a completely legal and legitimate first party browser cookie to uniquely identify them to the site and tie it to their email address. So long as their browser returns that cookie during that and subsequent visits, they will be seen as a member of the site, so they won't be bothered again. This is a one time deal, however. Yes, the site with members come advantages. The site will, in turn, forward the visitor's email address to all partners, including all advertisers on that site, who will effectively be paying them, be paying the site for that information. You know, before I had switched away from the site, by the way, you block origins, blocked access. Attempt account was up to 98 different domains.

1:22:12 - Leo Laporte
Oh my God, that has to be a record. Holy cow 98. Oh boy, you're going to start getting some pillow ads real soon in your email, I think.

1:22:21 - Steve Gibson
Yep, there's more evidence of this.

As I was researching the title story for today, the Trusted Platform Module Bitlocker Decryption Story, I scrolled down on the pcgamercom site and I encountered exactly the same thing PC Gamer Newsletter sign up to get the best content of the week and great gaming deals as picked by the editors.

And there it is. And then there's two check boxes that were not default checked, which I at least appreciated, that was, contact me with news and offers from other future brands and receive email from us on behalf of our trusted partners or sponsors. Yikes, and then same fine print by submitting your information, you agree to the terms and conditions and privacy policy and are aged 16 or over. So one thing I didn't mention last week during our discussion of this is that if anyone doesn't yet have a throwaway junk email account, now would certainly be a good time to establish one. The new site to whom we provide this email address will be respecting our privacy. That's the entire point of obtaining our email address. It's so that our privacy can be more explicitly ignored than ever before. And note that we are also implicitly agreeing now to every such site's privacy policy, which should be renamed their lack of privacy policy.

1:24:14 - Leo Laporte
Yeah, and you know, even if you use a burner email, they don't care. It's a fingerprint, so you know, exactly.

1:24:19 - Steve Gibson
You don't have to even the burner email it all ties back to you.

1:24:23 - Leo Laporte
It's marginally better, I guess. Now I have to ask you one thing. In the screenshots I see a last pass icon. Are you still using last pass? I thought you stopped using last pass.

1:24:37 - Steve Gibson
That's a good point. And this computer? I think I must not install it, Okay.

1:24:41 - Leo Laporte
Yeah, all right. Yeah, oh, that's your screenshot computer, probably not your main machine. Okay, right, right, right, it's off the net.

1:24:50 - Steve Gibson
Yeah, okay, so we're an hour and 14. We're at a good point. Let's do our last break and then we're going to finish with a couple questions and talk about the.

1:24:59 - Leo Laporte
TPM issue. Tpm the topic as we continue on security. Now, right after this, this episode brought to you by Robin Hood. Did you know that even if you have a 401K for retirement, you can still have an IRA? Robin Hood is the only IRA that gives you a 3% boost on every dollar you contribute when you subscribe to Robin Hood Gold. But get this Now. Through April 30th, robin Hood is even boosting every single dollar you transfer in from other retirement accounts with a 3% match. That's right. No cap on the 3% match. Robin Hood Gold gets you the most for your retirement. Adds to their IRA with a 3% match. This offer is good through April 30th. Get started at robinhoodcom. Slash boost. Subscription fees apply. And now for some legal info Claim as of Q1 2024, validated by Radius Global Market Research.

Investing involves risk, including loss. Limitations apply to IRAs in 401Ks. 3% match requires Robin Hood Gold for one year from the date of first 3% match. Must keep Robin Hood IRA for five years. The 3% matching on transfers is subject to specific terms and conditions. Robin Hood IRA available to US customers in good standing. Robin Hood Financial LLC. Member. Sipc is a registered broker dealer. All right, thank you, robin Hood, for your support for security. Now On, we go with TPM, mr Gibson.

1:26:26 - Steve Gibson
Okay. So Tom Walker tweeted hi, steve, years ago you mentioned that you leave your phone plugged in all the time, so you still do that. Just curious if, in your experience, that has kept the phone battery healthy. Now I do keep my phones charged up all the time. I have an iPhone X that is stuck to an electromagnetic charging stand at either my day or evening location. Otherwise it's in my pocket when I'm out or between locations, but the moment I return home I walk right to the charger and it docks Separately. I also keep an older iPhone 7 that my wife retired right here next to me as my desk phone and, as we can see in the video, it is never unplugged. It is essentially a corded phone, and I have three iPads which I use daily. Each, similarly, is always plugged in.

Now I can't claim to have any clear experimental evidence that this helps the batteries to live longer. The science all says that today's lithium cycle batteries do not like to be deep discharged, but neither do they like to be overcharged. No, they don't like that at all. They much prefer to be kept nearer to their fully charged state, and I assume that Apple understands all of this and is doubtless very careful not to overcharge their devices, so leaving them connected is safe. One thing I can say is that my devices always outlive their batteries, that is, I never have batteries die on any of my things. So there's one data point.

Another is that I have a friend of many years who used to allow his Apple devices to discharge fully before plugging them in. He was remembering the previous nickel cadmium battery admonishments to always deep discharge that type of battery chemistry, nicad, to avoid the famous memory effect where NICADs that were only partially discharged a little bit before they were recharged would start thinking that they were empty at that point where they had been recharged. Anyway, he killed one Apple device after another until I noticed, I mean, he had. He complained to me, says these darn Apple batteries are no good, and I noticed that his battery symbol was red and like screaming for his attention. It was in pain. Oh, and I explained that plugging them in at every opportunity is the way to treat lithium cycle batteries.

1:29:20 - Leo Laporte
I think also, you can trust companies these days to manage their batteries very well, especially Apple, because Apple actually has traditionally smaller batteries than some of the other companies in their phones and so they're very. They're constantly tweaking everything to make sure they get back to that?

1:29:36 - Steve Gibson
Well, yes, but the problem is, if you refuse to plug it in and insist on using it, there's nothing around that.

1:29:43 - Leo Laporte
They can't do that. They can't do that. You're going to discharge all the way. Yeah, just, I guess what I'm saying is my advice is generally to people just let the don't worry about it, let the phone do its thing. Devices these days are pretty good about all that stuff.

1:29:59 - Steve Gibson
I would say I mean I've. It took a long time to train my wife to plug her phone in. If there was no reason not to, that is it's better to have it on power than not, because you know, if you don't have the habit, it's easy to leave it. Leave it lying around. Then you grab it when you're running out the door and it's already low and it's not going to last long and it's just not good for it. So anyway, for what it's worth, I just you know I keep everything charged up.

Mark Jones said hey Steve, I know you get no spam, but would like your advice on email deliverability. I too am an old timer and maintained websites with email for decades. You have not. You have not commented on how hard email deliverability is in the age of SPF, dkim and DMARC. You also have an offered advice about maintaining your own email server. February 2024, that's now marks changes for both how Google and Yahoo regard appropriate settings. What's your take? Costs continue to escalate for services that interpret delivery fail your events. Easy DMARC was free for multiple sites at one point, now only free for one, and paid plan is more than I pay per month for shared hosting.

Is it time to give up running email off my own domains. Okay, so I've not commented upon the difficulty of email delivery in the age of SPF, dkim and DMARC because I've not yet tried ramping up GRC's rate of mail delivery. I do run my own email server and it fully supports all three sender verification standards. They're all configured and running and GRC has been trickling email in and out of its domain for years with never a hint of any trouble.

So it occurred to me there's some chance that I may have already established more of a positive reputation than I was worried might be needed. It's not as if the email that will begin coming from me will emerge from some never-before-seen domain and suddenly bulk email starts going out. So anyway, we'll see how it goes and I will absolutely 100% share everything I encounter along the way. But Mark concluded his note with a question is it time to give up running email off my own domains? And I think that's a question only he can answer. But from what he mentioned of escalating costs for something called easy DMARC, for example, it doesn't sound as though he's running his own email server so he's incurring additional service costs. I am running my own email server so I have zero cost associated with hosting email environments.

1:33:17 - Leo Laporte
Well, and our sponsor, fastmail, will do all the DMARC and SPF for you on your domains. By the way, all my email comes to my own personal domain. I don't have Gmail or Yahoo or Outlook, anything like that. It's all legal or whatever, and I do all the MX records are all through Fastmail. They do all of the authentication. Nice, I don't see any reason. I think, if he's asking the question, should I run my own server? Only if you're Steve Gibson, you've got to be nuts to run your own email server. That's just for one thing. You don't use you're not using consumer IP addresses. Anybody who has an ISP based IP address forget your email ever getting through. Yeah, you're you. You least level three addresses, right, you have commercial addresses. I am a beautiful block of 24.

And you've been using them for so long that they've never been used for spams. Right, you're not on any blacklist, or? I mean? This is, steve, is an unusual case. Very few people should be running their own servers, domains, different servers. Don't do that. Don't do that. That's crazy. That's crazy. Well, you're fine now, right, because, for whatever reason, you know you're you're, those addresses are safe and you're doing all the right authentication. So you're fine, right, right.

1:34:38 - Steve Gibson
Max fine, lab fine. Finally said thank you so much for sharing. At a Brentley's tip about checking iOS app sizes, he says I just deleted over 10 gig off my phone. Yeah, these sizes are in what's in what seems to be nothing but craft. It's terrible so. So so for anyone who's interested, remember, you know, go go through, look at the sizes of the data and if it doesn't make sense to you, delete the app and reinstall it and none of that crap will come back. That really you really is wrong. I'm surprised that Apple doesn't have like a, you know, a space cleaner. On the other hand, they don't mind selling you larger memory for more money.

1:35:23 - Leo Laporte
Yeah, a lot of the other stuff is stuff like attachments in your messages and things, and those get big and you know they're not going to delete those willy nilly, they're going to. You know they presume that you want them. Yeah, until you delete them. And I wish they did have a way of doing it, but they don't yeah.

1:35:44 - Steve Gibson
Andrei Arroyo. He said at SGG RC this was a public tweet. He said Spenright 6.1 release candidate six running directly on my old iMac and booting off USB. He said I couldn't do this before. Now it's easy. Thanks for Spenright and security now. And I put a big picture in the show notes just because it was very cool to see Spenright sitting there proudly on his on his iMac screen.

1:36:13 - Leo Laporte
Now how does he do that? That's a, that's a, that's a advanced tip.

1:36:19 - Steve Gibson
Yeah, you, you, you know if you're able to boot from USB. That's all it takes.

1:36:26 - Leo Laporte
Okay and run. And this is obviously an Intel iMac, it's not.

1:36:29 - Steve Gibson
It's got to be an Intel iMac. Yes, yeah.

1:36:32 - Leo Laporte
Because you have to be able to run this. You're still using free DOS right now, right, yep, yep, but next time it'll be this other DOS that you, that you own practically, yep, the.

1:36:42 - Steve Gibson
R-TOS the last user.

1:36:45 - Leo Laporte
I bought it as the synch with ship as the sink, as the ship was sinking. Hey, I'll take it off your hands. Wait a minute.

1:36:52 - Steve Gibson
I'll buy it. I'll buy it. So, speaking of Spenright, I am, as I had hoped, at work on Spenright's documentation now while Spenright's paint continues to dry. For example, one user in GRC's forums who had a dying SDHC SD card with a large non-critical file wanted to experiment with its recovery. So here's what he wrote.

He said Hi, steve, I'd like to know if there's a way to have Spenright perform an operation like a level to scan multiple times. The reason I ask is that I have a Samsung 32 gig SDHC card that has a couple of spots it cannot read or write to. I was able to copy all the files except one large one off it. He says Perenn's an MP4 phone video I took. That's not important and I decided to play with it to see if it's recoverable. The card passes the Spenright level two test but does not pass level three in two areas where I get a device fault error. The really interesting thing about this is that in running level two a number of times, I've been able to heal some of the bad spots and increase the amount of the file being copied using windows from 60% to 86%. My thought is, if I was able to have Spenright do the level two scan overnight multiple times, it might just heal any remaining bad spots.

Okay, so the first thing I explained in my reply to him was that Spenright can now be completely controlled from its command line. So it would be possible to start it with a command that will bypass any user interaction, select the proper drive and processing level, run Spenright over the drive, then exit back to DOS once that's done. At that point it's a simple matter to create a DOS command script which of course DOS refers to as batch files that jumps back up to loop to repeat the command over and over until it's interrupted. So it would just be running level two over and over and over, which is apparently good for that drive. The reason I'm mentioning this is that Spenright's user can interrupt anything Spenright is doing at any time. But if the user then manually exited to DOS in this situation that the batch file will still be in control and would immediately restart Spenright, it would be possible to exit Spenright. Then, you know, frantically hit control C over and over and over to attempt to get DOS' attention and break out of the loop.

But that's certainly ineligent. So when programs exit this is all programs everywhere a nearly universal convention is that they will return an exit code to whatever invoked them. This code can signify whatever the program wishes, which is typically the program's sort of generic success or failure. Today Spenright exits with a zero exit code, unless it's unable to parse its command line, in which case it exits with a one. So what occurred to me while answering his question is that when Spenright is exiting automatically due to the exit verb on its command line and not because of a manual intervention, it could exit with an error code of two. This would allow for much more graceful infinite loop termination by using the DOS line if error level two go to scan at the bottom of the batch file. Anyway, that way it would loop and when you use the escape key to get out of Spenright it would drop back out and break out of the loop, allegedly so.

Anyway, at some point, when my eyes are crossing from writing documentation all day, I'll take a break from that to add this tiny little additional convenience feature, and this is the great advantage of having some time to let the paint dry. Spenright is done, it's working perfectly, no one is encountering any new errors and again, it's like it's done. But there's still time for some minor touch ups, and history has shown that once I finally do release it as Spenright 6.1 and have started working on its successor, I'm going to be extremely reluctant to mess with it any further. So now is the perfect time for those last little tweaks while I'm working on the documentation and getting it ready for the world. Nice, how exciting. That is really Okay. So BitLocker chipped or cracked the number one most sent to me news item of the past week.

Wow, it was like everybody did you see, this, see this, see this, oh yeah Was the revelation that PCs whose secret key storage, trusted platform module functions are provided by a separate TPM chip outside of the main CPU, are vulnerable to compromise by someone with physical access to the machine. This came as a surprise to many people, who assumed that this would not be the case and that their mass storage systems were more protected than they turn out to be by Microsoft's BitLocker. During system boot up, the small, unencrypted startup portion of Windows sees that BitLocker is enabled and configured on the machine and that the system has a TPM chip which contains the, the decryption key. So that pre boot code says to the TPM chip hey there, I need the super secret encryption key that you're holding. And the TPM chip replies yeah, got it right here, here it comes, no problem. And then sends it over to the processor. The only glitch here is that anyone with a hardware probe is able to connect the probe to the communicating chips of the processor or the TPM chip, or perhaps even to the traces on the print, a circuit board which interconnect those two, if those traces happen to lie on the surface. Once connected, the computer can be booted and that entire happy conversation can be passively monitored Neither end of the conversation will be any the wiser and the probe is able to intercept and capture the TPM chip's reply to the processor's request for the BitLocker decryption key.

These are the sorts of tricks that the NSA not only knows about, but has doubtless taken advantage of who knows how many times. But it's not made more widely obvious until a clever hacker like this stack smashing guy that was his handle comes along and shines a very bright light on it. So it's a wonderful thing that he did, and I should note that this is not the first time this has come to light. It happened a few years ago and a few years before that. So it's the kind of thing that surfaces every so often and people go what? Oh, my God? Okay, the fundamental weakness in the design is that the TPM key storage and the consumer of that stored key are located in separate components whose communication pins are readily accessible, and the obvious solution to this dilemma is to integrate the TPM's storage functions into the system's processor so that their highly sensitive communication remains internal and inaccessible to casual eavesdropping. And, as it turns out, that's exactly what more recent Intel and AMD processors have done. So this inherent vulnerability to physical attack occupies a window in time where discrete TPM modules exist and are being maybe overly dependent upon for their security and before their functions had been integrated into the CPU. It's also unclear, like just broadly, whether all future CPUs will always include a fully integrated TPM, or whether Intel and AMD will only do this for some higher end models or, perversely, it turns out, some lower end models.

Anyway, all of this created such a stir in the industry that yesterday, on Monday the 12th, ours Technica posted a very nice piece about the whole issue under and under the subhead. What PCs are affected. The ours guy wrote BitLocker is a form of full disk encryption that exists mostly to prevent someone who steals your laptop from taking the drive out, sticking it into another system and accessing your data without requiring your account password. In other words, they're unable to start up your laptop, so they just take the hard drive out and stick it in a different machine which they know how to start up. Many modern Windows 10 and 11 systems, they write, use BitLocker by default. When you sign into a Microsoft account in Windows 11, home or Pro, on a system with a TPM, your drive is typically encrypted automatically and a recovery key is uploaded to your Microsoft account. In a Windows 11 Pro system, you can turn on BitLocker manually, whether you use a Microsoft account or not, backing up the recovery key any way you see fit.

They say regardless, a potential BitLocker exploit could affect the personal data on millions of machines. So how big of a deal is this new example of an old attack? For many individuals, the answer is probably not very. One barrier to entry for attackers is technical. Many modern systems use firmware, tpm modules or FTPMs that are built directly into most processors.

1:48:17 - Leo Laporte
I think all AMD systems do that right Right.

1:48:20 - Steve Gibson
Yeah, in cheaper machines, he writes, this can be a way to save on manufacturing. Why buy a separate chip if you can just use a feature of the CPU you're already paying for? In other systems, including those that advertise compatibility with Microsoft's Pluton security processors, it's marketed as a security feature that specifically integrates these kinds of so-called sniffing attacks. That's because there's no external communication bus to sniff for an FTPM. It's integrated into the processor, so any communication between the TPM and the rest of the system also happens inside the processor. Virtually all self-built Windows 11 compatible desktops will use FTPMs, as will modern budget desktops and laptops. We checked four recent sub $500 Intel and AMD laptops from Acer and Lenovo. All used firmware TPMs, ditto for four self-built desktops with motherboards from Asus, gigabyte and Asrock. Ironically, if you're using a high-end Windows laptop, your laptop is slightly more likely to be using a dedicated external TPM chip, which means you might be vulnerable. The easiest way to tell what type of TPM you have is to go into the Windows Security Center, go to the Device Security screen and click Security Processor Details. If your TPM's manufacturer is listed as Intel for Intel systems or AMD for AMD systems, you're most likely using your system's FTPM. This exploit won't work on your system. The same goes for anything with Microsoft listed as the TPM manufacturer, which generally means the computer uses Pluton, but if you see another manufacturer listed that is not Intel, amd or Microsoft, you're probably using a dedicated external TPM.

He said I saw STM Microelectronics TPMs. That's a very popular one in a recent high-end Asus, zenbook, dell, xps 13, and mid-range Lenovo ThinkPad Stack Smashing. The guy who publicized this again, reminded everybody of this, also posted photos of a ThinkPad X1 Carbon Gen 11 with a hardware TPM and all the pins. Someone would need to try to nab the encryption key as evidence that not all modern systems have switched over to FTPMs admittedly, something I had initially assumed. He wrote. Laptops made before 2015 or 2016 are all virtually guaranteed to be using external hardware TPMs. When they have any, that's not to say FTPMs are completely infallible. Some security researchers have been able to defeat the firmware TPMs in some of AMD's processors with quote two to three hours of physical access to the target device. Unquote Firmware TPMs just aren't susceptible to the kind of physical raspberry pi-based attack that stack smashing demonstrated.

Okay, so there is some good news here, at least in the form of what you can do if you really need and want the best possible protection. It's possible to add a pin to the boot up process even now so that the additional factor of something you know can be used to strongly resist TPM only attacks. Microsoft provides a couple of very good and extensive pages which focus upon hardening BitLocker against attacks. I've included links to those articles in the show notes. But to give you a sense for the process of adding a pin to your system right now, ours explains under their subhead so what can you do about it? They say most individual users don't need to worry about this kind of attack. Many consumer systems don't use dedicated TPM chips at all, and accessing your data requires a fairly skilled attacker who's very interested in pulling the data off your specific PC rather than wiping it and reselling or stripping it for parts. He says this is not true of business users, who deal with confidential information on their work laptops, but their IT departments hopefully, do not need to tell anyone to do that.

Okay, so if you want to give yourself an extra layer of protection, microsoft recommends setting up an enhanced pin that is required at startup, in addition to the theoretically sniffable key that the TPM provides. It admins can enable this remotely via group policy To enable it on your own system. Open the local group policy editor using Windows R to open the run and then type gpeditmsc. Hit enter. Then navigate to computer configuration, administrative templates, windows components, bitlocker, driver encryption and operating system drives. Enable both the require additional authentication at startup and allow enhanced pins for startup. Then open a command prompt window as an admin and type manage-bde-protectors-addc-tpm and pin that command. And this is all the show notes. Of course, that command will immediately prompt you to set a pin for the drive. I would think of it as a password.

Anyway, he says once you've done this, the next time you boot the system will ask for a pin before it boots into Windows. He says an attacker with physical access to your system and a sufficient amount of time may be able to gain access by brute forcing this pin. So it's important to make it complex, like any good password and again, I would make it really good. If you're taking the time to do it all, why not? He finishes. A highly motivated, technically skilled attacker with extended physical access to your device may still be able to find a way around these safeguards. Regardless, having disk encryption enabled keeps your data safer than it would be with no encryption at all, and that will be enough to deter lesser skilled casual attackers from being able to get at your stuff. So ultimately, we're facing the same trade off as always Convenience versus security.

In the absence of a very strong pin password, anyone using a system that is in any way able to decrypt itself without their assistance should recognize the inherent danger of that. If the system escapes their control, bad guys might be able to arrange to have the system do the same thing for them, that is, decrypt without anything that they don't know. Requiring something you know is the only true protection, maybe something else that you have, if that could be arranged, that's what I did. What I did, my little European trip to introduce Squirrel is I had my laptop linked to my phone and my iPhone had to be present At the same time. Bit locking or bit lockering a drive is certainly useful, since it will provide, you know, it will strongly prevent anyone who separates the drive from the machine from obtaining anything that's protected in any way. So bit locker, yes, pin, yes, and, as we've seen, it's possible to add a pin after the fact. And if your pin is weak, you can still strengthen it and you should consider doing so.

1:57:29 - Leo Laporte
Do we still like Vera Crypt? Would you prefer Vera Crypt to bit locker? Bit locker is so convenient, but it's convenient and Vera Crypt is 100% strong.

1:57:40 - Steve Gibson
I was thinking the same thing. Bit locker suffers a little bit from the you know the monoculture effect of everybody having it and it just being built in. On the other hand, it's convenience means it won't get in anyone's way.

1:57:56 - Leo Laporte
Right, yeah, you just log in the computer as normal. Yeah, yeah, but if you want a really better security, I think Vera Crypt is we still. That's still our choice. Now that bit, what was it? It's a predecessor I forgot. Now Beak what was it? True Crypt, true Crypt. All right, if your pin is weak, you can still straighten it. The motto of the day If the pin is weak, you can still straighten it.

1:58:26 - Steve Gibson
I like it Leo.

1:58:28 - Leo Laporte
That's Collier, who is a textile worker. Thank you very much, steve Gibson. You are the best. We reward Steve, don't we, by all joining ClubTwit. Let's not forget, let's not forget. That's the best way to support this show and all the shows we do. Steve's pledged going to four digits, but we might. You can't really do it if the lights are out and the cameras are shut down. So come on down to clubtwit, twitchtv, clubtwit. You get all the shows, ad free, the discord, all the benefits, for $7. If you just want to support this show, $2.99 a month $2.99 a month will support any individual show, but I think for a few bucks more you might as well support them all, because I think everything we do on the network is of value. I hope it is to your work or to just your understanding of how technology works.

Steve lives at GRCcom. That's where Spinrite 6 also lives, soon to be 6.1, like a butterfly, it's coming out of the chrysalis and emerging into the there's movement folks. There's movement. The wings are fluttering. If you get 6.1, 6.0 now, you get 6.1 automatically free. Well, not completely automatically, you'll have to download it, but it's worth getting 6.0 now so you can have it, and 6.1 the minute it's available. You can also get the beta version now if you are a owner. You can also get this show at the website GRCcom and that's free. He has two unique versions a 16-kilobit version for the bandwidth prepared and the very well done transcripts by Elaine Faris so you can read along as you listen or search or that kind of thing. All that's at GRCcom, along with Spinrite and ShieldsUp and Validrive and all the great stuff Steve does in assembly language in the middle of the night we are. What are your coding hours? You're not a late night coder, I don't think.

2:00:33 - Steve Gibson
No, I'm 68. I'm not a late night coder. When I remodeled my home and I was 38, I had blackout drapes installed in the master bedroom. I have normal cloth drapes and then behind it is opaque thick vinyl, because I would be coding and I would be looking out the window and noticing the sky was getting lighter. Oh, no, oh, that's feeling, and I always, afterwards, I chastised myself, I never wanted to stop, but I was useless the next day. I mean, it just screwed everything up. So what you needed to have is the self-control back then to make yourself go to sleep. Now I don't need self-control because I'm tired and so I'm like looking forward to hitting the sack and being fresh in the morning.

2:01:27 - Leo Laporte
Well, it is fresh, almost 6.1, almost fully cooked. We have the show at our website. What?

2:01:34 - Steve Gibson
What Laurie does comment. When I measure that, she says well, yes, you're tired, you just coded for 18 hours straight.

2:01:41 - Leo Laporte
So there is that 6 am till 10 pm or something like that. Right, yeah, yeah, very nice. He's a hard-working guy. I went to code. Yeah, I mean it's fun, isn't it?

2:01:54 - Steve Gibson
Yeah, I am completely stuck, it's better than anything I've ever found, Well except one thing. But you know, you can't do that whole time, yeah.

2:02:01 - Leo Laporte
That's right. A lot of endorphins, though. Very good for the endorphins. We have copies of the show at our website twittvslashsn. We have the same 64-kilobit audio that Steve has, but we also have video. That's our unique format. You can watch the video on YouTube as well, in fact, a great place to go to share clips. If you wanted to share that little clip we were talking about earlier with friends and family, so they understand how important it is to secure their email, for instance, you could do that right there on the YouTube channel. Best thing to do, probably, is subscribe, though, and your favorite podcast player. You can get audio or video automatically as soon as we're done with the ads. If you're not a club member without the ads, if you are, just find your favorite podcast client and subscribe. We will be back here doing the show, as we do every Tuesday, right after MacBreak Weekly 130 Pacific, 430 Eastern, 2130 UTC. I will see you back here right then. Thank you, steve. I will be back in a week Bye-bye.

2:03:05 - Speaker 2
Hey, I'm Rod Pyle, editor-in-chief of Ad Astra Magazine. In each week, I joined with my co-host to bring you, this week in space, the latest and greatest news from the final frontier. We talk to NASA, chief space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and TV, and we do it all for you, our fellow true believers. So, whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on this Week in Space and be part of the greatest adventure of all time. 

All Transcripts posts