Security Now Episode 887 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. Lots to talk about. Did that TikTok hack really happen? Steve says, yeah, probably not. There's a new Chrome zero day. You definitely will wanna patch an Oxford university. Physicist says quantum computing is bogus and then Steve will reveal his brand new favorite science fiction author and a new 20 volume series. Plus a look at why people are embedding AWS credentials in their apps. It's a bad idea. All coming up next on security. Now podcasts you love from people you trust. This is TWI. This is security. Now with Steve Gibson episode 887 recorded Tuesday, September 6th, 2022. Embedded AWS credentials. Security now is brought to you by ITProTV. Give your team an engaging it development platform to level up their skills. Volume discounts. Start at five seats. Go to itpro.tv/securitynow, and make sure to mention SN 30 to your it pro TV account executive for 30% off or more on a business plan.

Leo Laporte / Steve Gibson (00:01:19):
And by Kolide K O L I D E is an end point security solution that uses the most powerful untapped resource in it. Your end users visit kolide.com/securitynow to learn more and activate a free 14 day trial today, no credit card required. It's time for security. Now get ready to protect yourself. Put on your hard hat. We've got some construction to do with Mr. Stevegibson@Grc.Com. Put your, put your hard hat on your hard head, a hard hat with a propeller. If you had you're listening to this podcast, you're you don't, you're not soft line it with tin foil. You'll be set. So here we are beginning of September security now episode 8 87 and this, okay, so I didn't have a topic for most of the setup for this until I ran across a report that Symantec just published about their findings and, and okay, now I should finish that F thought their findings for the cloud security of mobile apps.

Leo Laporte / Steve Gibson (00:02:33):
And I was a little confused cuz they were talking about supply chain and I thought, how is mobile app security about supply chain? And now I get it. And it's really interesting. So it became I, so I moved things around. I was gonna start talking about this gr leaf physicist from Oxford who doesn't think that qu he's a quantum physicist who doesn't think that this quantum computing stuff is ever gonna come to anything. Oh, music to my ears. I've been grumbling about this for a long time. I know. And, and I'm no physicist, so that's no, but Leo when factoring 33 is an achievement. Yeah, exactly. Ah second. Yeah. Anyway, so, so that got moved to the end of our discussion of all the other stuff and Symantec story now takes the lead, which puts it at the, at the far end. But, but we got a lot of other cool things to talk about first.

Leo Laporte / Steve Gibson (00:03:32):
So we are gonna take a look at Google's just announced and launched latest open source software vulnerability rewards program. We asked the question whether TikTok leaked more than 2 billion yeah. Of their users records. We look at Chrome's urgent update to close its sixth zero day of 2022 and at a worrisome feature. I, I think it's a bug in Chrome. I have a little demo for our listeners, which is a little bit unnerving. Everyone can do it. I also have a somewhat well news of a somewhat hidden auto run facility in PI's PIP tool, which is used for downloading and installing Python packages. That feature is being used to run malware to the surprise of people using PIP. And as I said, we're gonna examine a recent anti quantum computing. We'll call it an opinion. It borders on a rant from an Oxford university quantum physicist.

Leo Laporte / Steve Gibson (00:04:47):
Then I've got two bits of miscellaneous, three pieces of listener feedback, a fun spin, right video discovery from this morning. And the I'm most frankly excited about this in anything else. My discovery of a wonderful and blessedly prolific sci-fi author. And after all that we're gonna look at, as I said, semantics research into their discovery of more than 1800 mobile apps, which they found to be leaking critical AWS cloud credentials, primarily due to the carelessness in the use of today's software supply chain. So I don't think our listeners are gonna be bored. <Laugh> no, in fact, I've been waiting for this show all week. There's so much to talk about I've you know, and is the funniest thing happened on the radio show on Sunday, somebody called and said, oh, do you already know what I'm talking about? The false positive. Yes.

Leo Laporte / Steve Gibson (00:05:52):
Oh. And I said, what? No. Yeah, cuz apparently a lot of windows users suddenly thought they were in, in fact, all windows users suddenly thought they were infected. Anyway, just so many stories. So little time let's get to the show in a second. First a word from our sponsor, the great folks at it. Pro T V. They are so happy by the way, Steve is sponsored this show. It's such a nice relationship. Because so many of your listeners are it professionals. So many of them have become it professionals. And I know you get email. I get email from people who say, you know, I had a dead end job and I was listening to this show and I heard the ad for it pro TV. And now I have a great career in it. Hear from this, hear from people all the time about this it pro TV started in, I think it was 2013 started advertising that year with us.

Leo Laporte / Steve Gibson (00:06:45):
And so many of you now are it pro TV graduates? Although we really never do graduate from it pro TV. I mean there's, that's one of the things that's fun about it, right? It's not a, you don't learn it and then you're done. You, you, you learn it, you get the search, you get the job and then you want to keep, ER, get, get new skills, learn more things. Things are constantly changing. So it's an every changing field. So really, I don't think you ever graduated from it pro TV, but we talked so much about the individual. I thought it'd be nice today to talk about it pro TV for your it team. So if you were a boss, if you're a manager, if you've got an it team, this is for you you know, you wanna keep your team upskilled, right? I would point out they also wanna keep upskilled.

Leo Laporte / Steve Gibson (00:07:29):
And you may say, well, I don't wanna get 'em too good. They might leave me. No, no, no. I mean, if they do, that's fine. That's good for everybody. But honestly, what you want them to do is have the latest skills, the latest information in all the most important, critical areas for bus, for your business security job, one, right? Networking, desktop maintenance. There's so much to learn and they wanna learn it. So, and you want them to learn it. So this is a benefit you can give your it employees. They will really appreciate cuz it pro TV is not a grind. It's not a, it's not a chore. It's not a task. More than 80% of the people who start a video on it, pro TV, they know this, they see the stats actually go all the way through cuz it's engaging it. Pro TV hires experts in those fields.

Leo Laporte / Steve Gibson (00:08:15):
People are really, they're all working professionals. They really know their stuff, but they have one thing that not everybody has. They have a passion for what they're doing and a great sense of humor and a great sense of fun. So they make it an enjoyable process to gain these skills. They're entertaining. They're binge worthy. Your team will stay interested. They'll stay vested in learning and that's what you want. And by the way, you get every kind of training for your team in one place, every vendor, every skill you need Microsoft, Cisco Linux, I, I almost hesitate to give you a list cuz you'll say, well, what about this? It's all trust me. It's all there. Apple security cloud. They even have some soft skills like compliance, marketing, things like that. 5,800 hours of training in their library. Now some of you say, well wait a minute.

Leo Laporte / Steve Gibson (00:09:06):
It's, it's been 5,800 hours for a couple years now. Yeah, but it's not the same 5,800 hours. They, it pro TV has seven studios that are running all day, Monday through Friday, creating new content because stuff changes. There's new certs, old certs go by the wayside, the tests get new questions. Software gets updated. New software comes along. So yeah, it's 5,800 hours, but that gets turned over constantly videos go from the studio to the library within 24 hours, it's all super up to date. And that's something you cannot say. I have to say for any book, any on, you know, any, any class, any technical school, a lot of times you get instructors teaching stuff. They used to use way back when no, no you're getting the latest and the it pro TV business plan includes the best dashboard ever. So you can completely track your team's results.

Leo Laporte / Steve Gibson (00:09:57):
You can manage seats, assign unassign individuals. You can create groups, ad hoc groups and assign even as little as just one video, not the whole course, but just one video to that group saying, you guys really gotta learn more about, I, I don't know, you know fi oh two authentication, something like that. And they can watch these two videos. You'll see metrics like logins, viewing time tracks completed. So you'll be able to justify to the higher ups yet we're using it. They're using it. You'll know exactly who is you get immediate insight into the team's viewing patterns, their progress. So, you know, you're getting your money's worth and you, and have all the information you need. Don't forget it. Pro TV does have individual plans. I think you know that, but I want you to, I really wanted to emphasize the team plans, give your team the it development platform.

Leo Laporte / Steve Gibson (00:10:46):
They need level up their skills while enjoying the journey. It's a great benefit for them and a great benefit for you for teams as small as two, as large as a thousand or more the volume discounts start with just five seats, go to itpro.tv/securitynow let me say that again, cuz that's important to us. That's the special address for this show it pro.tv/security. Now there is an offer code and this offer codes for individuals, but also for the enterprise plan S N three zero SN 30. Just mention that to your it pro TV account executive, then they'll know you saw this and they will give you at least 30% off, at least 30% off on a business plan. Probably more. But, but, but it's really important to us. You mentioned that code go to itpro.tv/securitynow offer code SN 30. It's important to you too.

Leo Laporte / Steve Gibson (00:11:35):
You're gonna save a lot of money. Thank you. It pro TV. We really appreciate your support of the very important work Steve does here and nothing more important than the picture of the week. <Laugh> okay. So this, this is just so classically XKCD. I love it. It's titled general physics safety tip and it's a very small flow chart, very simple flow chart, which is designed to help you decide where to stand. <Laugh> it, it answers the question and imposes it. Should I stand near this thing? <Laugh> it's a simple question, but an important question. Oh my God. Well, yes. And it's got then, so it's got that it poses that question in the top box, which feeds into the decision triangle or I'm sorry, the decision diamond where it, the a, the way to answer the question. Should I stand near? This thing is to ask well, are physicists excited about it? And so if there, if physicists are not excited about it, then maybe you should stand near it. <Laugh> if physicists are excited about it. No, then no, definitely not. Get away. Do not run to get <laugh>.

Leo Laporte / Steve Gibson (00:13:05):
Oh, Steve froze in general, says re con five avoid exposure to any temperatures pressures, particle engineer energies, or states of matter. That physicists think are neat. <Laugh> I love it, Steve. That's awesome. That's he? Randall is so good. You know, I interviewed him on a triangulation some years ago. I'm so glad you did. Yeah. And you know, and I, and I was thinking like, this is the kind of stuff that we would never have. Were it not for the internet? Yes. I mean the internet brings all God the nerds. Yes. You know, it brings all kinds of crap along with it, you know, it's not just inevitable, but like this, this all before the internet, we had magazines that were, you know, right. Monthly. Right. You know, and wet up to date and no, and the new, the new Yorker would have some great cartoons, every, you know, that would like stand out, but you didn't have like a, you couldn't get an IV of, of this stuff.

Leo Laporte / Steve Gibson (00:14:03):
Yeah. And this is just Randall Monroe. It was, it went back in 2019, triangulation four 12, if you haven't heard it yet. Great interview with the creator of XKCD. Yeah. I agree. Thank goodness. The Internet's given us some real nice things and that's one of them, you know? And, and you think about it, like the, the bounds and the depth of his creativity. Like how, how, where did this come from? Right. I mean like you, you, you, he, he could easily think, well, I don't have any good ideas. And then here's like this, which is just right. Is just walking. And then day's gone by, where would you go? Would you go to a newspaper and say, I'd like to publish this comic and they go, no, no one will understand this. Right. this guy with his genius capabilities probably would be under employed and, and no one would know about 'em.

Leo Laporte / Steve Gibson (00:14:53):
So, yeah. Yeah. It's great. It's, it's why, it's why, when, when people have asked me sort of like for some career advice I've said to them, I would specialize. Yeah. That is be the be become, invest. However many tens of thousands of hours are necessary to become the best something. Yeah. And it doesn't matter what, well, I mean, it has to have some application, but, but the point is, well, not now with the internet, not even then. <Laugh> not even that. No, that's true. You know if, if a thousand other people might be interested that's enough. Yes. And, and the idea is that, you know, if you were like just the unbelievable best plumber, well, in the old days, well, all of the toilets in your city would be working on them. Yes. You know, but you wouldn't, you wouldn't have much marketing reach beyond that.

Leo Laporte / Steve Gibson (00:15:48):
Right now, you know, the Vatican might hire you because they really need your help. I think that's brilliant, Steve. Yes. And they, and they could find you that's the point. Exactly. They would be able to find, they just put into Google, who is the best plumber and up would come Mor Morganstein <laugh> and they go find him and say, Murray, we need some help here with the popes commode, actually, you just told the story of father Robert Ballas there that's <laugh> that's in a nutshell, the, the secret to his success. So there you go. Yeah. Yeah. Yeah. Okay. So last week, Google announced and launched a new Google targeted open source software vulnerability rewards program. I say it's Google targeted because you know, it's for their open source software projects, but okay. Their money's good. So this is what they said, and yes, it's a little bit commercial, but it's still interesting.

Leo Laporte / Steve Gibson (00:16:49):
And after all, they're giving away money. So they said today we're launching, Google's open source software vulnerability rewards program, which, because it's a mouthful you can shorten as OSS V R P to reward discoveries of vulnerabilities in Google's open source projects as the maintainer of major projects, such as go Lang angular and fuchsia. Google is among the largest contributors they write and users of open source in the world. With the addition of Google's OSS V R P to our family of VRPs researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem. Google they write has been committed to supporting security researchers and bug hunters for over a decade, the original V P program, or just V P established to compensate. And thank those who helped make Google's code more, more secure was one of the first in the world and is now approaching its 12th anniversary over time.

Leo Laporte / Steve Gibson (00:18:01):
Our V R P lineup has expanded to include programs focused on Chrome, Android and other areas. Collectively these programs have rewarded more than 13,000 submissions totalling over 38 million paid. That's pretty good. On average, the average the, they said the addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. And actually we're gonna be winding up talking about supply chain compromises of a different ilk. They said last year saw a 650% year over year increase in tax targeting the open source software supply chain, including headliner incidents like code Cove, and of course, log for J vulnerability that showed the destructive potential of a single open source vulnerability. Google's OS S V R P as part of our 10 billion commitment to improving cybersecurity, including securing this, the supply chain against these attacks, these types of attacks for both Google's users and open source consumers worldwide.

Leo Laporte / Steve Gibson (00:19:13):
And finally Google's O OSS V R P encourages researchers to report vulnerabilities with the greatest, real and potential impact on open source software under Google. Under the Google portfolio, the program focuses on all up to date versions of open source software, including including repository settings stored in the public repositories of Google owned GitHub organizations. So Google Googled APIs, Google cloud platform, and so forth. And this is I thought was surprising and significant those projects, third party dependencies with prior notification to the affected dependency required before submission to Google's OSS V R P. So if you find a problem, not only in Google's own stuff, but in something they're pulling into their project and are dependent upon that qualifies too. So you fix it there and then you say, Hey, Google, I found something that just helped you pay up. So they, then they finish the top rewards go to vulnerables found on the most sensitive projects.

Leo Laporte / Steve Gibson (00:20:30):
Oh, <laugh> I did get a kick out of this, depending on the severity of the vulnerability and the project's importance, G rewards will range from $100 to 30 1003 37. And of course, 1, 3 37 is, you know, hacker S you know, it's L E E T upside down. So yes, a little tip of the hat to the, the hacker community. Anyway. So I've got links to where to go, to find out more information. It's generally@bughunters.google.com. You can start there and then browse around. They've got rules for qualifications and, and so forth. But, and, but overall, what occurred to me as I was reading through this and in, and choosing to include it in today's to start off today's podcast is the degree to which bug bounties had become a part of today's modern software ecosystem. It's no longer a surprise for a company to be offering a bug bounty for the discovery and responsible reporting of problems found in their software.

Leo Laporte / Steve Gibson (00:21:40):
But it wasn't so long ago that this was unheard of, or that it was an enlightened exception today. It's the way large companies do business. They figure if we can't find all of the important bugs ourselves, and what we're seeing is that apparently no one can, then you reward the white hats who do, and more significantly as we've seen this sort of bug hunting while not guaranteeing a steady paycheck, at least not at the start could increasingly be considered a valid and workable career of sorts. So, very cool that, I mean, I'm glad to see Google's doing this, you know, they've got the money to do it. They're gonna get the benefit. And, and again, you know, they've obviously got a very capable stable of internal security researchers and bug hunters yet, even. So they're saying we'll take any help we can get, which is really the mature thing to do.

Leo Laporte / Steve Gibson (00:22:47):
In's and age. It's also a, a defensive move, because as you know, we've talked about many times there's places like erodium offering big bucks for Google flaws as well. Ah, and not, not fixing the packages, but selling them to yes. Typically state sponsored. Yeah. Yes. Bad guys. Yeah. A good point. So did TikTok leak 2.05 billion with a B user records? Tiktok says no, but other independent researchers are not so sure. Every week, while I'm looking through the past week's news half, really half of what I see are breach reports, you know, this or that company reports that it was breached and bad guys may have obtained the data for typically a couple hundred thousand of their users, you know, more or less, you know, and okay, that's not good, but there's generally not much more to say about it. You know, it's a bit like, you know, this or that company got hit by ransomware, not good.

Leo Laporte / Steve Gibson (00:23:57):
We're sorry. Hope you recover. But the potential exposure <laugh> of more than 2 billion user records by TikTok. Well, you know, we're talking about this one because of who it is and the size, scale, and impact of the possible breach. When news of this appeared last week to pressed their respond to the press button and out popped a statement, reading TikTok, prioritizes the privacy and security of our user's data, our security team investigated these claims and found no evidence of a security breach. Then the button popped back out. But tos canned sounding denial follows reports of a hack that surfaced on the breach forums message board Saturday with the threat actor, noting that the server holds 2.05 billion records in a single humongous 790 gigabyte database. The hacking group known as blue Hornet also known as against the west or ATW tweeted, who would've thought that TikTok would decide to store all their internal backend source code on one Alibaba cloud instance, using a trashy password.

Leo Laporte / Steve Gibson (00:25:35):
Bob Diatchenko, who's known as the, the open database hunter and he's a threat intelligence researcher at security security discovery. He said the breach is real in quotes. I mean, like that's exactly what he said real, and that the data is likely to have originated from hang zoo JLo network technology company limited rather than TikTok, but Troy hunt wasn't yet convinced Troy tweeted quote. This is so far pretty inconclusive. Some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It's a bit of a mixed bag so far.

Leo Laporte / Steve Gibson (00:26:30):
And then just before I put everything together, I checked both of their Twitter feeds for any updates. Bob diet Chenko feed had two updates. The first was said update while there is definitely a breach. It is still work in progress to confirm the origin of data could be a third party that was followed up sometime later with update two. Okay. Talk breach is real. Our team analyzed publicly exposed repos to confirm partial users' data leak, but then Troy retweeted a tweet and added the thread on the hacking forum with the samples of alleged TikTok data has been deleted and the user banned for lying about data breaches.

Leo Laporte / Steve Gibson (00:27:30):
The group that was banned as explained in the tweet that Troy retweeted was that same blue Hornet against the west who made the original allegation. So it appears that the whole thing was as TikTok originally claimed not a breach at all. And though this story sort of cancels itself out, I wanted to share this because it's a great example of what is continually going on behind the scenes, in the security industry. Not all players are on the up and up and not everything surprise that's tweeted is factual and Troy for whom this is certainly not his first rodeo knows to remain skeptical until all the facts are in and proven. Yeah, so we, you know, we have to deal with this all the time. A lot of other publications hoping to get the links will go with us. When I saw this story, one of the first people I looked at was Troy hunt, his skepticism immediately stopped me cold.

Leo Laporte / Steve Gibson (00:28:40):
It's very easy for some jerk to claim this, get a lot of attention and worse. It's a lot of publication will just jump on it, cuz they know that's how you get you drive traffic. So as, as any journalist, you, you really gotta be, we're very skeptical about all this stuff until it's proven to be the case. And we do not jump on these things. And in fact, even Brian cribs, you know, who was a well known great journalism reporter of, you know, within this whole info sec I'm not gonna say great anymore. Go ahead. Keep going. Okay. Well he got big trouble with this ubiquity thing and that's what I that's where exactly what I was gonna say was that he did like say, you know, I, I had a single source. I went with it and I apologized ubiquity and had to retract it, sued <laugh>.

Leo Laporte / Steve Gibson (00:29:37):
And it's pretty much widely believed that this was part of the, the settlement with ubiquity. And in fact, he would've lost because he knew the guy was the hacker and continued to run the story when he should have immediately said I was wrong. This guy was the guy I perpetrated the hack. He used me to basically to extort ubiquity and in fact interest, you know? Yeah. So I think Brian, I'm sorry, but Brian's got a black mark in my book now. I, I'm not sure I'm gonna fully trust him going forward. Yeah. A little bit too much inertia behind the story. Yeah. I guess, and again, the case of, I think somebody very anxious to get clicks and as a result, not being very thoughtful and, and, and unfortunately, you know, if clicks are your model, then you have to, it's, it's really tough.

Leo Laporte / Steve Gibson (00:30:34):
Yeah. To say whoops. That's that's, you know, that's not what happened. Yeah. So yeah. So Krebs has fully retracted now and taken all those stories down, but in the kind of Anine language that tells me this was part of the settlement, you know, I see. So not a huge MEA culpa. No, just, okay. Well an urgent Chrome update required a and got a, a urgent patch last Friday, Chrome bumped up to, you know, version blah, blah, blah. <Laugh> ending in 1 0 2 to urgently close a vulnerability that was being actively exploited in the wild as usual, little more is being said of, you know, CVE 20 22, 3 0 7 5, which involves all we know is insufficient data validating in mojo, which is a library of routines to provide platform agnostic, inter process communication, Google credited, and anonymous researcher with their report of the high severity flaw on the August 30th.

Leo Laporte / Steve Gibson (00:31:45):
And I'm again, impressed by the chromium team's three day incident response, you know, to, to learn about it on the 30th and push it out on Friday. The second that's great. So this is zero day number six for the year in Chrome. And while it's not likely to be an emergency for everyone, everyone, you know, as always is advised to be sure they're running that version ending in.one oh two. The update applies to the desktop versions of Chrome for windows, Mac, OS, and Linux, and as always the users of chromium based browsers, you know, edge brave opera and Vivaldi are also advised that, you know, to look around for updates for theirs, when they're available. Okay. Now Leo <laugh>, if you've got a version of Chrome around you wanna go to web platform.news, w E B P L a T F O R m.news.

Leo Laporte / Steve Gibson (00:32:48):
And what comes up is an, an innocuous looking page, but it just puts something on your clipboard without your permission. So you now open like notepad or something and hit control V to paste, and you will see a message reading. Hello, this message is in your clipboard because you visited the website web platform news in a browser that allows websites to write to the clipboard without the user's permission. Sorry for the inconvenience for more information about this. Yeah. Huh? <Laugh> no, it did not happen to me. I'm not using Chrome. Okay. This, this happened on all Chrome browsers. I tried it on edge and it all, yes, it's gotta be a chromium based browser. Ah, so I'll try it on the edge. Okay. Using not Firefox. Ah, good for you because Firefox now Firefox has a related problem. And this wasn't clear to me as I was tracking this down.

Leo Laporte / Steve Gibson (00:33:53):
So again, to all of our listeners, you know, chromium based browser Chrome, or, you know, edge, brave opera ity, that was just talking about web platform.news and then like open notepad and hit control V to paste and you'll get a happy little message planted onto your oh, clipboard, <laugh> you, right. You are my friend. Yeah. So hopefully to our listening audience, it's needless to say, this is not safe. Yeah. and more than being unsafe, some consider it to be a major security issue. The problem is that the browser's interaction with the clipboard is somewhat tricky and web developers have been tinkering around with it, considering the deliberate addition of some non interactive access. You know, it seems pretty clear to me that a user should have to clearly highlight and mark something on a webpage, then explicitly issue some form of clipboard copy command to, for their browser to be given permission, to modify their systems clipboard now.

Leo Laporte / Steve Gibson (00:35:09):
And, and what it feels to me is that like the, the web designers must be saying, Hey, well, other, you know, native first party OS apps are able to put something on the clipboard if they want to, why shouldn't a browser? Why should it not be, you know, equally entitled? Well, the answer is, you know, browsers are out hitting random pages, pulling ads in from God knows where running scripts from, who knows who and all of that should have the ability to put stuff on your desktop clipboard without your knowledge or permission. I don't think so. So, okay. So, you know, I, I could see the benefits of having a webpage announce that something has already been placed on the user's clipboard. You know, if that was like clearly in their benefit, if they, if they really wanted that to happen. But unfortunately it offers bad guys far more, you know, far too much opportunity for carnage.

Leo Laporte / Steve Gibson (00:36:20):
And there are clears to be, there appears to be some lack of clarity on this front web developer. Jeff Johnson said that what he is calling the clipboard poisoning attack was accidentally introduced in Chrome version 1 0 4. Okay. And I don't know what, what 1 0 4 he's talking about? We just got 1 0 2 and that's what I'm running and it's in there. But looking over the pertinent chromium discussion thread, it actually kind of muddies the water. I have a link to the, in the show notes to the discussion thread, but for example, last Monday, that is Monday before last night, yesterday eight days ago from Microsoft on August 29th mic, a Microsoft edge person using the chromium engine said it's P three, which I guess means priority three because this behavior has been here since we shipped ay clipboard APIs. It is not a regression. However, I agree that this should be fixed, but okay.

Leo Laporte / Steve Gibson (00:37:31):
So not a regression means it isn't something that we broke, but this guy is saying, I agree, this should be fixed. And we should send a breaking change, email to blink hyphen dev to figure out the right process, to add the transient user activation restriction to the APIs. And then he says, I guess, P one makes sense since Firefox and safari are also considering adding the transient user activation. And then Perens instead of a user gesture requirement, which is what they have now, the reason Leo, it didn't happen to you under Firefox is due to the deliberate presence of something they're, they're calling the user gesture requirement, meaning you have to do something in order to like enable this event now. And so it is, it is writing, not reading. I mean, if I reading the clipboard, correct, would be very problematic. Correct. What is the hazard of writing to my clipboard?

Leo Laporte / Steve Gibson (00:38:41):
Okay. So I could see the, I could see the usefulness of it. Yes. But I don't know what the problem is. So Jeff says, for example, while the problem exists in apple and safari, an apple safari, and Mozilla MI and Firefox as well what makes the issue more severe in Chrome is that the requirement for a user gesture to copy content to the clipboard is currently broken. Jeff appears to be okay. So I, I had this here somewhere. It says, oh the idea that the danger of this is not glaringly apparent to the web developers is a bit surprising. So so okay. I, I sort of got thrown off here. <Laugh> I apologize. I, I should checked. I'm sorry. <Laugh> cause I did, I, I have that covered here. Okay. Go back to your, you can answer, put a pin in it and get to that.

Leo Laporte / Steve Gibson (00:39:38):
So <laugh> so we're gonna get to your question again. Thank you. So, so the, so the, so last Tuesday on August 30th, the chromium guy in this thread said to be clear reading, he had it in all caps from the clipboard, always requires a permission. He says very much like geolocation microphone, et cetera. And he said to see what this looks like, check out this demo site. And there's a link to async hyphen clipboard, hyphen api.glitch.me. Then he says, writing plain text or images to the clipboard can currently be accomplished without a permission or user gesture. Although the site and tab in question must be foregrounded. He says, we are looking to tighten up the security model here. And he said, neither one of these behaviors has changed recently, nor does the new tab page test rely on permissionless gesture, gesture list, clipboard access. Anyway.

Leo Laporte / Steve Gibson (00:40:49):
So anyway, so at this point, the, the web developer who thinks this is an issue, Jeff Johnson says, you know, that safari that safari and Firefox are considering making this smoother, not requiring there to be a gesture. So Jeff appears to be saying that safari and Firefox require the user to have some interaction with the page though, not necessarily a clipboard copy. He, he does say that clicking a link or pressing the arrow key to scroll down, gives the website permission to overwrite your system clipboard. So you don't even need to do you just need to have any inter interaction with the page in order for that permission currently in safari and Firefox to be given. And they're considering synchronizing themselves with chromium where even that's not necessary. So although the chromium guys are saying and, and even the Microsoft guy is saying, maybe we better rethink this.

Leo Laporte / Steve Gibson (00:41:58):
So the idea that the danger of this is okay, so blah, blah, blah, blah, blah. Okay. So aside from being annoying and, and worrying, we have the ability of any webpage to replace my system's clipboard data without my permission. Okay. If I were, if I were using my computer and I had something on the clipboard, and then I went to paste it somewhere else, and I got some message, I got some like image or text that I had never seen before. I would be sure that my machine had been infected with malware of some kind that had messed with my clipboard without my permission. No, I mean, I would be freaked out that's somebody doesn't understand how the clipboard works, cuz it happens all the time. Password managers wipe the clipboard. So you're pasted. So your clipboard can't be read with the password on it.

Leo Laporte / Steve Gibson (00:43:04):
It's not at all unusual for clipboards to have multiple different versions of the content, depending on where you're pasting and do content aware paste. So you might get an image. In some case you might get a text. In another case, the clipboard is, is often manipulated by the OS. This is not at all unusual. So you're saying if you pasted the contents of your clipboard and it was something you had never seen before and you had never pasted into the clipboard, that wouldn't concern you well, yeah. I mean, I guess it shouldn't be something random, but clipboards are often manipulated by the operating system. That's not unusual by you by user hitting edit. No, no, no, no, no copy. No, no, no, no. I mean last pass wipes. How many times you have a, a password on your clipboard that gets wiped after 10 seconds or you set the time it gets wiped automatically.

Leo Laporte / Steve Gibson (00:43:57):
There's things happen to your clipboard all the time. And as I said clipboards have at least on the Mac, probably not on windows. Okay. So you're saying you would have no problem if random pages that you visit are writing to your desktop. Well, usually they do that for utility, right? So they'll pay something in there that you're gonna want to a link or something that you're gonna wanna pay somewhere else. So they'll try to do it for utility. That's why this feature exists. All right. So it's scaring you. I got it. Is it hazardous? Certainly you could imagine that you're, that you, that a, a site or page manipulates you so that you, you have a a, a cryptocurrency address on your clipboard, which the webpage changes behind your back without you knowing it. That's a good, there's a good dalicious use, but we say all the time, you shouldn't trust your clipboard.

Leo Laporte / Steve Gibson (00:44:55):
Right? I mean, we say that all the time. Okay. So, so the issue is no user permission. The, I mean, no user action at all. You, you go to the New York times and an a on the New York times put in your clipboard. Yeah, yeah. No puts anything it wants, right? Not the ad. It puts anything it wants in your clipboard. It just, to me, I mean, you know, the good news is the, the, every, the, now that this has come to light that the web designers are saying, oh okay, we need to do something. I I'm sure that they thought it was cool that you'd be interacting with a web app. And, and, and the web app would say, okay we're all finished doing what you wanted. The, the results are waiting for you on your clipboard. I don't have any problem in, you know, using Google docs and marking something and then hitting control V.

Leo Laporte / Steve Gibson (00:45:55):
And it gets pasted to my clipboard. That's what I want. But I have a problem if I go to some website and without knowing, cuz cuz I'm like you Leo, I mean, I'm using my computer. I know what's on my clipboard. You know? And, and, and typically I'm copying and pasting things and yes, I've also often had the experience. Sometimes it's annoying. In fact, that last pass has erased, erased a password. You know, it's always annoying before I, before I was able to paste it right. Somewhere. But it's for good reason. Yeah. And so I go off. Yeah, no, I think, okay. I, yeah, I could see the, I could see the hazard here. You, that was a perfect example of it, you know, cuz you can't really crypto account number so long. You might not remember the one you had cut and instead put a different one in that would be a big problem.

Leo Laporte / Steve Gibson (00:46:44):
Normally you don't even attempt. It's like, it's like a long password you don't even attempt to, to like, you know, memorize it and then make sure that it, so we use copy and paste for, for something like that all the time. Yeah. That's a good point. Right? Yeah. Yeah. So anyway, the good news is that these guys are looking at it. I just thought it was, it, it was a little jarring to just go to a page and you know, and have it change our clipboard without us giving permission. And so to me, it just because, I mean, yes, it's true that any app that we have on our desktop could do this, but we would consider it a, an a, a misbehaving app. If it was changing our clipboard in a way that didn't benefit us. And we know what's on the internet, you know, I would say way less than half of it benefits us.

Leo Laporte / Steve Gibson (00:47:34):
So I don't want, you know, pages that I happen to encounter or, or components of pages like an ad to run some script that changes my clipboard. That's just like hands, hands off my clipboard. I ju I, I think there's utility and that's why they put it in. Yes. But I could see that potential hazard. Yeah. And yeah. And you know, they're wanting it to be a first class citizen of the desktop. And my only reservation is not everything that lands in my browser is something that I want to trust. My desktop. You actually raised probably the real reason why Google did this Google docs, which is a browser only experience, but they want it to be like a desktop app. Right? Yep. Or Gmail. Yep. Yeah. Yep. And I use the crap out of the, the, the, the docs, you know, cross clipboard ability in fact, oh, one of my biggest peeves is that you cannot copy an image out of Google docs and move it somewhere else.

Leo Laporte / Steve Gibson (00:48:39):
It like refuses to let you have it. For some reason, it just drives me nuts. But you know, you have to jump through hoops to do that. But anyway speaking of unwanted features <laugh> oh, actually speaking of my throat, big dry <laugh> I got unwanted feature, another fine commercial. We weren't speaking of that because I can't speak <laugh> security now is brought to you by collide. Actually, this is a client that I love and a, a product I'm a big fan of collide. We've talked about it before. Collide is end point security for companies that use slack. That is awesome. It uses the most powerful untapped resource in it, your end users. I think we've all learned a lesson from trying to shut down end users from trying to lock them in using MDM. And, you know, I mean, going to the extreme of gluing USB ports, sure.

Leo Laporte / Steve Gibson (00:49:33):
Your users can really get you in trouble, but if you can get your users to be on your side, if you can teach them and enroll them as your partners in security, it's gonna be a much better experience. Whether you're trying to achieve security goals for a third party audit or your own compliance standards. It's, it's understandable. And it is. In fact, I think the conventional wisdom that you treat every device like Fort Knox, but I think we've also seen now that MDMs force employees basically to become enemies, it degrades performance. It treats privacy as an afterthought. It keeps them from doing the things they want, what happens. They end up using their own laptops or their own devices. And now you've got a huge problem. Wouldn't it be better to turn your users into shadow it, to help you out. Kaly does things differently.

Leo Laporte / Steve Gibson (00:50:24):
Instead of forcing changes on users, collide sends them security recommendations through slack. The, the platform they're using every day, all the time collide will automatically notify your team when their devices are insecure. And by the way, they cover a huge range of potential problems. Explain why this is an issue and give them step by step instructions on how to solve the problem. They reach out to employees via a friendly slack. And by the way, it's a DM. It's not a public message, but a friendly slack, DM educating them about company policies about security. It helps you build a culture in which everyone contributes to security instead of trying to thwart it. And they contribute, cuz everybody understands how and why to do it. I think this is brilliant and you're gonna love it as an it administrator, cuz Kaly gives you a single dashboard that lets you monitor the security of your whole fleet, Mac, windows, or Linux.

Leo Laporte / Steve Gibson (00:51:18):
It's completely cross-platform. You could see in a glance, which employees, for instance, have their discs encrypted, have their OSS up to date. Their password manager installed. It makes it easy to prove compliance to your auditors, to your customers, to your leadership and your users will love it. So that's collide user centered cross platform, endpoint security for teams. This slack, you can meet your compliance goals by putting users first. You can. It's a little leap of faith. I understand a little trust thing. No, no you're gonna, oh, you gotta try it. K O L I D E Kolide. K o l i d e.com/security. Now follow that link. They'll hook you up with a goody bag, including a t-shirt yes. You get a free t-shirt. This is one of the, they have several designs just for activating the free trial. I wear my collide t-shirt with pride kolide.com/securitynow.

Leo Laporte / Steve Gibson (00:52:18):
This is an idea whose time has come. I think it's brilliant. You, you at least owe it to yourself to check it out collide and now a collision with security and Steve Gibson. <Laugh> all right, Steve. Eh, that sway was no less awkward in mind going into it. So, okay. Speaking of unwanted, we collided, is that what you're saying? We did indeed. PI pie is the Python languages, popular package, index repository inviting alliteration Python package index, thus Pipi and in another discovery that would expose developers to increased risk of a supply chain attack. It was found that nearly one third of the packages in PII trigger an automatic code execution upon downloading them. Now, you know, at, you know, sort of as with auto copying to the user's clipboard, if it's what the user wants, then fine. Having a Python script auto run after downloading a well designed and benign package.

Leo Laporte / Steve Gibson (00:53:34):
Well, that's just convenience, right? It just like, if you say PIP install, you want it to do that. But a researcher at check marks noted in a technical report, they published last week that a worrying feature in Pip's command allows code to automatically run when developers are merely downloading, not necessarily installing a package, he added that the features alarming because I is that a great deal of malicious packages are finding, are finding we I'm sorry. We are finding in the wild use this feature of code execution upon installation or download to achieve higher infection rates. Yeah. That would follow. Anyway, one of the ways by which packages could be installed for Python is by executing the PIP install, command, which in turn invokes a file called setup dot P Y which comes bundled along with the module set P Y as it's name implies is a setup script.

Leo Laporte / Steve Gibson (00:54:44):
That's used to specify metadata associated with the package, including its dependencies. It provides some of the, you know, the welcome automation that makes package management con convenient in this environment and in what amounts to a documentation flaw, meaning that it was undocumented and, and actually surprising a cautious user might opt to use the safer appearing PIP download command since its documentation states quote PIP download does the same resolution and downloading as PIP install. But instead of installing the dependencies, it collects the downloaded distributions into the directory provided, which defaults to the current directory. In other words, the command can be used to download a Python package without having installed on the system and all of its dependencies. But as it turns out, executing the download command also runs the embedded setup dot P Y script resulting in the execution of whatever malicious code it might contain.

Leo Laporte / Steve Gibson (00:55:59):
It turns out that setup dot P Y auto running only occurs when the package contains a tar dot GZ file instead of a wheel file, which is dot w H L although PIP defaults to using wheels instead of tar GZ files, attackers take advantage of this behavior to intentionally publish Python packages, you know, malicious Python packages, obviously without a dot w L file leading to the execution of the malicious code present in the setup script, the check marks report noted that quote, when a user downloads a Python package from PI pie, PIP will preferentially use the w L file, but will fall back to the tar GZ file. If the w HHL file is not present at the moment, there's not much that Python users can do. If PIP is used to either install or download a PI pie package, bad guys can arrange to run their script dot P Y on the user's machine.

Leo Laporte / Steve Gibson (00:57:15):
And, you know, given all the recent troubles with supply chain attacks, that's a bit nervewracking. So anyway, I just wanted to bring that to our listeners' attention. You know, Python is popular and only becoming more so for many good reasons. And so this looks like a problem that needs to get addressed somehow. Yeah, this is also a problem with some Linux. Distros arch for instance, has a user repository that if you, you don't have to, but many people use an arch user repository installer that will run the script. And the better ones will say, no, no, you gotta look at the script before you run it. And there are plenty of sites you go to and you install, you know, home brew is one for the Mac and Lennox, it's a package manager and you install it with a curl command <laugh>, you know, right.

Leo Laporte / Steve Gibson (00:58:04):
Oh, <laugh>. And you know, they even say, you know, we know this is a terrible way to do it, but you know, but here's the command, here's the command it's it's easy. It's a lot easier. Oh, goodness. Yeah. We had some fun years ago talking about dangers of curl. Whoa. Well, and there have been some vulnerabilities in it too. Okay. So we've been talking about quantum computing recently, even though the capability to break our current public key cryptographic security protocols remains purely theoretical. And I mean, entirely theoretical, the existence of technology that could do so could render the asymmetric cryptography, which we depend upon to manage our symmetric keys, useless for that purpose in practice, the security of anything and everything we currently protect with certificates and the public handshakes we make to negotiate secret keys would be open to circumvention and abuse astonishing to me as it is, although bombs are not flying through the air between hostile superpowers, there is clearly very active, continuous, and slowly escalating cyber warfare being conducted among and between the world's hostile superpowers.

Leo Laporte / Steve Gibson (00:59:33):
The only thing keeping this under control a and at parody is that none of these superpowers has meaningful superiority in cyberspace or don't as Leo don't do. It would never say don't do it in cyber don't die. <Laugh> don't <laugh> in qu in quantum computings. If quantum computings promise is realized someone will have it first and that someone will have a massive destabilizing power over the entire rest of the world. The degree to which we depend upon the stabilizing force of today's status quo should not be overstated. I don't think you can overstate it. And it's for this reason that researchers in cryptography armed with an understanding of what a future working quantum computer might be able to do. They've already been at work, as we know, and we've talked about it recently for several years on the design and implementation of next generation, so-called post quantum replacement cryptography, the website, futurism runs a column called the bite.

Leo Laporte / Steve Gibson (01:00:54):
And last Saturday's title was Oxford physicist unloads on quantum computing industry says it's basically a hype bubble. Mm mm-hmm <affirmative> now it would be a full time job to know everything about what's going on in quantum computing. And I suppose that's this guy's job, you know, and that's good because I'm already overbooked. At the same time, I don't know anything about what biases this guy might have. He certainly seems disgruntled, you know, maybe he applied for some grant and didn't get it. I don't know. But I, I found the synopsis of what he wrote to be interesting and worse sharing. So this was in the bite column on futurism. They wrote Oxford, quantum physicist, Nikita OV tore into the quantum computing industry this week, comparing the fanfare they have in quotes, cuz that was his word around the tech to be a financial bubble in a searing commentary piece for the financial times.

Leo Laporte / Steve Gibson (01:02:05):
Now financial times is behind a high paywall or I'd have gone to the source, but I tried and I couldn't get there. In other words, they said, in other words, he wrote, it's far more hype than substance it's scathing, but also perhaps insightful analysis of a burgeoning field that at the very least still has a lot to prove. Despite billions of dollars being poured into quantum computing, ion Ave argues the industry has yet to develop a single product. That's actually capable of solving practical problems and out he doesn't even mean crypto crypto turns out to be an extremely high bar because you can't have any fuzziness. And fuzziness seems to be a side effect of, of quantum at least now, anyway, he says that means these firms are collecting orders of magnitude more in financing than they're able to earn in natural revenue. And he says a growing bubble that could eventually burst goov wrote for the financial times, quote, the little revenue they generate mostly comes from consulting missions aimed at teaching other companies about how quantum computers will help their business as opposed to genuinely harnessing any advantages that quantum computers have over classical computers.

Leo Laporte / Steve Gibson (01:03:42):
Okay. Now, from my part while I think this is an interesting opinion from someone whom others apparently believe knows something about quantum physics, I'll just note as a counterpoint, that something is impossible right up until the time it isn't. So, you know, and, and this doesn't guarantee that that's something will ever not be impossible, but when the stakes are as high as they are, this sort of tax deductible research is easy to justify to a company's board of directors. Anyway, Nikita OV went on to say, contemporary quantum computers are so error prone that any information, one tries to process with them will almost instantly degenerate into noise, which scientists have been trying to overcome for years. He also took aim at other assumptions about the field, arguing that fears over quantum computers, being able to crack even the most secure cryptographic schemes are overblown and notably go KNS ran in the financial times, comes just weeks after a group of researchers found that a conventional computer was able to rival Google's Sycamore, quantum computer undermine Google's claim in 2019 of having achieved quantum supremacy recalling <laugh> the sentiment there's gold in them, th Hills, despite the industry's lack luster results to date investors are still funneling untold sums of in, into quantum computing ventures.

Leo Laporte / Steve Gibson (01:05:30):
You know? Yeah, because what if OV said in essence, the quantum computing industry has yet to demonstrate any practical utility despite the fanfare. He says, why then is so much money flowing in? Well, it's mainly due to the fanfare. The money he argues is coming from investors who typically don't have any understanding of quantum physics while taking senior positions in companies and focusing solely on generating fanfare. So in short goof believes it's only a matter of time until the quantum bubble will pop and then the funding will dry up. So anyway, I wanted to share this presumably informed perspective since many tech media outlets covered this at this rant in the financial times the financial times is, is well regarded because this Oxford university, quantum physicist may know what he's talking about because on some level it does appear to fit the evidence after all.

Leo Laporte / Steve Gibson (01:06:43):
And because it serves as an interesting counterpoint to what does indeed, despite huge expenditures still seem to be quite a long ways off if it is even ever practical. So will this qu will, will this quantum crypto panic ultimately turn out to have been misplaced maybe, but the stakes are clearly so high that a great deal of wealth is being transferred. And in Leo, as I said at the, at the top, if factoring the number 33 is considered a huge achievement just recently. And if, as goov appears to believe this particular branch of quantum physics is not about to be visited by a breakthrough, then the crypto industry probably has time to get its post quantum crypto right. The first time. And I think that's good. You know, even if quantum never happens, the replacement of our aging quantum unsafe crypto only makes sense, you know, why not do it?

Leo Laporte / Steve Gibson (01:07:55):
And since the replacement of everything we will have now will take significant time. I'm very glad we're already working to determine what that replacement will be. And it'll be interesting to see whether it is the replacement of pre quantum crypto with post quantum crypto that finally bursts the quantum height bubble. Maybe if like no one's is suddenly any longer has any cause to worry about a achieving, you know, a, a crack in current crypto, then it's like, oh, well, okay. Isn't weather forecasting already. Good enough? <Laugh> I mean, yeah, it doesn't hurt to come up with better crypto. No exactly techniques I'm using and we know how long it's gonna take, it's it gonna take forever? Yeah. I'm using ECC and you know, some other, like, I use that what is it? The 2, 5, 5, 1 9. Now for my SSH keys, this doesn't hurt. Right?

Leo Laporte / Steve Gibson (01:08:53):
Well, those are all crackable. Well, oh, right. That's right. <Laugh> those are all, those are, I mean, anything public, anything public key today. So elliptic curve is public key, right? 2, 5, 5, 1 9 is public key. Right. Anything public key today. And so that's why I think we do need to like, and we know we know how long it's gonna take, it's gonna take forever to replace what we have. Right. This is a common problem in general, for people who cover technology, fusions hard CR you know, Quantum's hard. Like these easy problems have been solved. Yeah. AI is hard. Self-Driving vehicles are hard. Does it mean they're not gonna happen? Not necessarily, but maybe not. I think it's good to be skeptical. Devor act taught me that he thought everything was crap <laugh> but you know what, that's actually, if you're gonna pick a default position, that's the most likely correct.

Leo Laporte / Steve Gibson (01:09:56):
Cause most stuff is crap, but then you're gonna miss a few jewels. Like he thought the mouse was a terrible idea and you're, and you know, no, everybody remembers that nobody remembers the 101 other things that he saw were crap that went away. So it's, it's something I deal with a lot, you know we're talking a lot now about augmented reality. And I, I think I was right when I said 3d in, in movies and TVs was a terrible idea and is, was a gimmick. I'm not sure about VR, I think is a gimmick AR I'm not sure about quantum, you know, the real problem is, is as you point out, there's a gold rush cuz the governments are throwing money at scientists. So of course they're gonna, so you know why they are too? Oh yeah. I mean, oh my God, if somebody does come up with it, I would, I would like, and I think they're starting to, but I would like to see throw as much money at fusion fusion could solve so many of our energy.

Leo Laporte / Steve Gibson (01:10:52):
It solve all of our energy issues. Yeah. Today. Yeah. But it's hard. So is it never gonna happen? I don't know. We don't know. It's an interesting conundrum for the tech journalist. So I have a couple bits of miscellaneous a, a black hat. The, the organization is somewhat notorious for being quite slow to release the materials after their conferences. So an enterprising re an enterprising researcher has put them all up on Google drive with open public sharing access. He tweeted a link to the collection and I've captured it in this week's show notes. And to make it easy for those who don't want to track it down in this week's show notes. I also gave it a GRC shortcut of BH for black hat, obviously BH 2 0 2, 2. So if you go to GRC, do SC slash BH 2022 that'll bounce you over to Google drive and you will see a ton of PDFs containing all of the slides for all of the presentations for black hat, 2022, which I just thought was cool.

Leo Laporte / Steve Gibson (01:12:10):
Yeah, these are great too. That's great. Yeah. Thank you. Black hat. Okay. URF NPM the package manager library has a mistake. So, so the NPM hosted JavaScript library named sea surf is a JavaScript library designed to protect applications from cross site request, forgery attacks known as C SFS. There you can see where the name CF C S U RF got its name. So these are cross site request, forgery attacks, library protects JavaScript apps from that. Unfortunately, researchers at the security company, Fort bridge discovered a CSRF vulnerability in C CF. And unfortunately the package apparently cannot be used to protect itself since the projects authors have apparently decided it's not worth repairing. They chose instead to mark URF as vulnerable and deprecated. And I suppose at the same time as evidence of the need for it. So there I didn't think I was gonna have anything new to share about spin right today.

Leo Laporte / Steve Gibson (01:13:30):
Work is proceeding well, it's running and I almost have all the obvious problems fixed, which I created by this basically rewriting most of it except the UI stuff. I may rearrange its real time activity screen to make better use of its real estate. As a consequence of other things that I've had to change on that screen. You know, lots of field links had to change in order to make, to make room for the number of sectors that drives now have and so forth. But in any event this morning, I encountered a Twitter direct message from Matt foot. One of our listeners with whom I exchanged notes on Twitter, he explained that he was searching for how spin right works. And he encountered a surprisingly recent 20, 21 YouTube video showing a full demo walkthrough of spin, right? Two, which used Roman numerals back then running on a 20 megabyte Seagate S T 2 25 drive.

Leo Laporte / Steve Gibson (01:14:40):
I hadn't seen spin right. Two run in quite a while. So I wound up watching the entire 13 minute, well narrated video. The drive was initially actually in pretty bad shape, but spin right, fixed it for anyone who's interested, it's this week's shortcut of the week. So GRC SC slash 8 87 at which will bounce you over to a 13 minute YouTube video, which is sort of interesting. And thanks to Matt, a little bit of closing the loop with our listeners Tyson Moore said, hi, Steve just listened to, to SN 8 86. So that was last week. He said, I have a different take on Nick LEDs, you know, network interface card, or controller LEDs. You might find interesting. He said, I worked for a large Canadian telco telco that had disabled activity lights on almost all of their switches and routers. Okay.

Leo Laporte / Steve Gibson (01:15:39):
Which makes me S shutter. But he said <laugh>, can you imagine that Leo wasn't a very in there <laugh> oh my God. Well, you would think the power had failed, right? I mean, oh, I use my lights all the time. Oh, I need those act lights because I need yeah, yeah, yeah. Yeah. He says from small one U 16 port access switches to 30 U that's. That's like, you know, 30, 19 inch rack. U height. Yeah. May multi terrabit routers. Wow. He said on many devices, this was done through undocumented commands or special firmware. Wow. He says though it made troubleshooting difficult. Yeah. You do you think the idea is that an adversary wouldn't be able to distinguish dormant or lightly used links? Ah, from busy ones. Okay. Okay. Especially when faced with hundreds or thousands of options in a large telephone exchange, he says, I was never shortly sold on the usefulness of this measure, but as a defense in depth strategy, I figure it couldn't hurt.

Leo Laporte / Steve Gibson (01:16:53):
And I guess my feeling is if you could like turn them on when you need them or like, you know, have like then, you know, cuz I look at the activity light to know if the card is talking. I can't imagine. Yeah. Not having those little flickering lights. I know you absolutely need. And the router and the modem, you really need them. Yes. To know what the hell am I connected? Am I not? Yeah. Yeah. I turn 'em off though on the wifi access points, cuz I don't like those little green lights all over the house, but other than that, you know, that's an interesting point. Yeah. I don't like all those LEDs everywhere. Okay. So ties in. Thank you. Also okay. Now I, I looked, I removed this person's name cuz I was, I felt I needed to be maybe a little critical and I didn't want to embarrass him.

Leo Laporte / Steve Gibson (01:17:40):
He said, hi Steve, I enjoyed your discussion of the last past breach. Whilst users vaults are strongly encrypted and therefore presumably fairly safe. Do you think there could be another risk in that conceivably the hackers could have introduced a back door into the last pass code? How can we know the code itself is still safe given that hackers have had access to it for an unspecified amount of time? Okay. Well I think this is where the meaning of words matters. You know, since everyone is on the outside, looking in, we don't know precisely what happened and I doubt we ever will. So we can choose to take their CEO's statement as fact or not. If we do choose to accept it as fact then exactly what he said matters. He said, quote, this is the CEO for who I quoted last week. We have determined that an unauthorized party gained access to portions of the last past development environment through a single compromised developer account and took portions of source code and some proprietary last pass technical information.

Leo Laporte / Steve Gibson (01:18:52):
Okay. Certainly taking source code is a world different from may have modified source code. We must assume that they have well established source code controls in place. And that verifying the extent of the intrusion would've been their top priority. Yeah. So again, if we choose to trust the CEO's statement, then there's no danger to us and we can hope that they will respond to this by making, like, making anything like this from ever happening again much less likely. And if we choose not to trust what the CEO said, then nothing he said matters. Anyway, people may not know that, you know, a code repository, isn't just a bunch of text files that you can change. And then, and then there's, nobody will notice. Nobody will know there's a whole process, you know, it's and there's a, and of course there's a complete log of everything that's been done.

Leo Laporte / Steve Gibson (01:19:51):
They even, I think that's nice. They call the command blame and you can see who's who is to blame for <laugh> a particular commit. Well, and how many times have we talked about like, you know, the there's a problem and then they'll go back and they'll go, oh, that was Johnny when he was having that bad week. Yeah. 1987 or something. Yeah. It's like, oh you can see in any I blame is a get command, but there was an audit trail there always, you can see which lines were changed. Who changed them when all of that is completely transparent. Right? Yeah. And on, on Saturday, Leo bill Creen tweeted, Hey Steve just set up my San Sarah last night. He said smaller than I imagined, but still fascinating to watch. I don't have mine yet, but that means that they have shipped them and presumably I'll have a box on my porch and you will too.

Leo Laporte / Steve Gibson (01:20:50):
I think I added, I think I asked for the addition of black sand and apparently that really freaked out customs for some reason. Yeah. Cause its like powder. See why? Or, or like, you know, micro caviar or something. I don't know. Can I have yellow cake on mine? I think that would be the best <laugh> and finally one of our listeners Tweeta just listened to S N 8 86. I've been in the Fu duck.com beta for about a week now, meaning the email filtering that we talked about last week, he says it is worked as advertised. And as you described, I'm not seeing 85% of my email with trackers, more like 50 to 60. It's equally surprising to me who is and who isn't using trackers. And he didn't say more, but now I'm curious. It's like, oh I think I need to start routing some stuff through with it and find out cuz that seems really cool to find out.

Leo Laporte / Steve Gibson (01:21:54):
Okay. And now the one thing I am more excited about than anything else, what? Yes, this must be good. I have a new sci-fi author. Leo, thanks to one of our listeners whose Twitter handle is Laforge 1 29 and Laforge. Thank you. Thank you. Thank you. I'm very excited to announce the discovery of a completely new and blessedly prolific science fiction author. This author's name is pronounced Scott YHA, which is spelled J U C H a. His website domain is his name. So Scott S C OTT, J U C H a.com. Okay. So first of all, Scott can write, which is an endangered talent these days. And he has a pleasantly expansive working vocabulary, which is a joy to encounter. He writes stories containing well formed characters who at every turn do what you hope they're going to do. And then, then surprise you by exceeding your expectations.

Leo Laporte / Steve Gibson (01:23:08):
Many of his Amazon reviewers in their review, they're like their final review. After they finished the final book in his, the silver ships series state that this is the best space opera series they've ever read. It would take a lot in my mind to compete with Rick Brown's frontiers saga, but there's room for a top two. I received Le four's tweet a week ago today. And since then I've read the first book. Oh, I know why you like this. There's 20 of them. <Laugh> oh my God. Actually 24, because he did a, a short little four book series that branches off after the thir, after book 13. Oh, so I need, as I said, Leo he's prolific. Yes. He's also on audible. Narrat narrated by Grover Gardner. Oh, I love Grover Gardner. Oh good. All right. He the, okay, so so outcast.

Leo Laporte / Steve Gibson (01:24:19):
So I read the first book then I needed to see what was about to happen next mm-hmm <affirmative>. So I read just enough of the second book to relieve the, that pressure. Then I went back then I went back and reread skimmed the first, third of the first book in order just to relive its key parts. Wow. You know, because now I knew what the author had in mind. And at one point my wife Lori asked where I was in my reading and I explained that I was rereading book one. She just shook her head <laugh> and, and said, we are so different that way. And, and so I explained, slashed asked, I said to her haven't you ever seen a movie that was so good that you immediately watched it again, able to enjoy it even more since you knew how everything fit together and that generated some more head shaking.

Leo Laporte / Steve Gibson (01:25:22):
And I, I went, I'm thinking Lori says life is too short to read a book more than once I'm guessing, but yeah exactly. We actually encountered a, another couple neighbor friend of ours out on our, our, our walk, our evening walk yesterday. And one, one of them said that when I was explaining this, that she goes to the end of the book to see how it ends ES oh my God, you'll just cut to the chase. Oh. So anyway 10 years ago in 2012, Scott began writing in April of last year. He finished his 24 novel series, which he calls the silver ships. All of the first five novels in the series were three times awarded Amazon's number one best selling sci-fi book. And they also won the number two spot twice across multiple science fiction categories of first contact space flight and alien invasion, the stories all three favorite topics.

Leo Laporte / Steve Gibson (01:26:33):
And there's asteroid mining as well, just to, oh baby. A a actually the main character, Alex is an asteroid minor in the beginning. So the story is said in the far future, it follows a number of earth descended colonies, which encounter a very, non-human quite powerful and quite hostile alien race. Ever since I caught up with Rick Brown's frontier saga series, I've been casting about looking for something next, you know, while Rick continues working on his books. So I am absolutely certain that I found what I've been looking for. I have no idea what's gonna happen, but I, I love what has happened so far. Oh boy, the books are all on Amazon. They're all available through their Kindle unlimited program. And as I mentioned, also on audible narrated by Grover Gardner look for the silver ships series, adding it to my list and oh, Leo.

Leo Laporte / Steve Gibson (01:27:33):
Oh, I like it. That it's Kindle unlimited, cuz that means I can dip into it and just see if I like it. Yes. good. Yes. I already told jammer B John is in the middle of a trilogy, but he, and he like, so, but he can't wait. So I'm just finishing these singularity traps. So I've got a ways to go. Yeah. Yeah. Only a few more chapters on that. Okay. let's take our last break and then we're gonna talk about what Symantec found in eight more than 1800 mobile apps. Wow. Are you, do you ever attempted to write a novel, a sci-fi novel yourself? It'd just be a bad use of my time. Yeah, no, I wouldn't be now maybe in retirement whenever that is <laugh> I wish I could, because I would love to be a writer. That seems like the perfect occupation.

Leo Laporte / Steve Gibson (01:28:23):
Right. It's kinda like coding. Right? I would love it too. Yeah. I mean, if I, yeah, but I can't, I can never think of any good stories <laugh> so I don't think it's gonna happen. <Laugh> our show today is brought to you by listeners. Like you, not you or you wouldn't be hearing this the people who are members of club twit, don't get these adverts, they get ad free versions of this show and every show we do but it's their donations and it's not expensive seven bucks a month that lets us do so many more things. We've been able to launch new shows, thanks to club TWI. Like this week in space shows, you know, when we launch a show, we spend a lot of money to launch a show with no chance for revenue. At first, you have to build enough of an audience to get advertisers interested.

Leo Laporte / Steve Gibson (01:29:14):
And that can take time years. In fact, in the past, we've had to cancel shows because even though I knew they were great shows we just didn't have enough of an audience to get the advertising. In fact, many of our best shows if that's happened to like the new screensavers and, and our gaming show game on. So the club is great because it gives us a chance to create new shows subsidized by the club. And, and then as they grow, if they develop an audience, put 'em out for the rest of the world, that's what's happened with this week in space, we have a number of shows that are club only right now, hands on Mac with Micah, Sergeant Paul Thra hands on windows, the ultimate, I'm sorry, the untitled Linux show. That's Jonathan Bennetts Stacey Hagen Gotham's book club, which is a sci-fi book club.

Leo Laporte / Steve Gibson (01:30:00):
Steve, you might enjoy that. And of course, stick T Barlow's GI fizz plus new shows coming new one off content, special club events and so forth. So that's a second benefit. You get, you get all of our current shows ad free. You get unpublished shows in the discord. You can actually participate in the making those shows. The discords also great for conversations going back and forth and in every possible area, including, you know, things I don't talk about on the show like crypto and and NFTs. We've got a book club, we've got coding hardware, ham radio hacking and of all, all of our shows. And then one more feature. I, I know hard to believe all this for seven bucks. I know it's amazing. One more feature, which is the twit plus feed that's stuff that isn't part of the podcast conversations before and after the shows, things like that.

Leo Laporte / Steve Gibson (01:30:52):
A and of course, all of those shows that are club only seven bucks a month. I mean, honestly I think we could and probably should charge more, but Lisa wants to make it available to everybody, a cup of a cost of a, a couple of lattes and it really helps us out. So if you would go to twit.tv/club TWI, join the club, there's a monthly and or a yearly plan. There's enterprise plans as well. If your business wants to subsidize it, we have a number of businesses that, that I think it's mostly cuz of this show actually have subscriptions. I should mention. If you go to twi.tv/club TWI, you'll also see at the bottom individual subscriptions for shows this show hands on Mac, hands on windows, $2 99 cents a month. So that's another option. If you just want one show ad free and none of the other benefits you know, 2 99 a month, I think seven bucks a month and you get everything is the way to go.

Leo Laporte / Steve Gibson (01:31:46):
We thank you so much for your support and thanks to all the members of the club, because they are making all of this possible twit.tv/club TWI, and now, and what, yes, apparently Lori is listening to us uhoh because she, she sent me a text and she said, I, that she had watched some movies multiple times. Oh, right. She's a har the Harry Potter movies. She's a big fan of the Harry Potter movies. And so there you go. You know, and for me, I, I think probably the matrix, I'm sure I watched it a second time Terminator. The first time I saw that I would've had to it's like, watch it again. So, you know, there's just some that are really good. So, all right. Yeah. I'm not a big movie re watcher. I try cuz I foolishly have bought movies in the past and that's a waste if you're not gonna watch it again, but that's a good point.

Leo Laporte / Steve Gibson (01:32:38):
Yeah. Yeah. Yep. Okay. Embedding AWS credentials last Thursday, Kevin Watkins, a security researcher with Symantec revealed the results of Symantec sobering research into a previously unappreciated or at least grossly underappreciated, serious weakness and vulnerability created by the way, today's increasingly powerful mobile applications are being developed. The problem surrounds the collision of the increasingly ubiquitous use of the cloud by mobile apps, with the merging of outsourced code libraries and SDKs, which use the cloud to contain their sometimes massive databases. Another problem appears to arise from a failure to follow the old adage, which carries the well known abbreviation R RT M we know what that stands for the data belonging to both users and the enterprises hosting these dangerous ill designed apps are thus put at risk as is the data of all the customers of these enterprises. The problem is big. So I wanted to get specific and put a sharp point on this, flushing it out by sharing what Symantec's research revealed.

Leo Laporte / Steve Gibson (01:34:06):
They opened this report with a punchline over three quarters of the apps, Symantec analyzed, contained valids access tokens that allowed access to private AWS cloud services. Okay, now that was 1,859 iOS and Android apps, which were found to be leaking actionable AWS cloud credentials. That must be kept private. So here's how Symantec framed the problem and explained what they found. They said most of us by now have been impacted in some way by supply chain issues, an increase in the price of fuel and other items, delivery delays, and a lack of product availability, or just some of the consequences of supply chain issues stemming from recent events around the world. Okay, well, that's not doesn't apply to us. They said, however, in the context of software and technology infrastructure, the consequences resulting from supply chain issues are very different. Mobile apps, for example, can contain vulnerabilities introduced in the supply chain that can potentially lead to the exposure of sensitive information, which in turn could be used by threat actors or for other attacks.

Leo Laporte / Steve Gibson (01:35:32):
They said mobile app supply chain vulnerabilities are often added by app developers, both knowingly and unknowingly, who are likely unaware of the downstream security impacts putting not only the app users, privacy at risk, but sometimes putting their company and employers, privacy and data at risk too. Okay. So in other words, this is what I would call the, the modern modular software component assembly dilemma, where it's too easy to plug this library into that library and have this API calling into that API and where everything just appears to work. But without the developers ever obtaining a full in depth working understanding of exactly what's going on. And of course, you know, that's the whole point of using a plugin modular library and it's APIs is that you don't need to learn everything about what the serving library is doing. The trouble is this is also the way implementation mistakes happen.

Leo Laporte / Steve Gibson (01:36:48):
And in the case of a AWS, the mistakes have huge consequences. So they said similar to the supply chain for material goods, mobile application, software development, undergoes a process that includes the collection of materials, such as software libraries and software development kits, you know, SDKs manufacturing, or developing the mobile application and shipping the end result to the customer. Often using mobile app stores, this research, they said examined the type of upstream supply chain issues that can make their way into mobile apps, making them vulnerable. The issues include mobile app developers, unknowingly using vulnerable external software libraries and SDKs companies outsourcing the development of their mobile apps, which then end up with vulnerabilities that put them at risk and companies often large ones developing multiple apps across teams using cross team vulnerable libraries in their apps. They said in order to better understand the prevalence and scope of these supply chain vulnerabilities, we took a look at publicly available apps in our global app collection at that contained hard coded Amazon web services, credentials hard coded cloud credentials is a type of vulnerability.

Leo Laporte / Steve Gibson (01:38:20):
They said we've been looking at for years and have extensively covered in the past this time in order to get to the bottom of the supply chain impacts caused by the issue we've looked into why app developers hard code cloud credentials inside apps where the hard coded credentials are located in the apps, tracking the sequence or chain of events leading to the vulnerability. And finally the size of the problem and its impact. They said we identified 1,859 publicly available apps, both Android and iOS containing hard coded AWS credentials, almost all were iOS apps, 98%, which is really a curious number. And they said a trend and difference between the platforms we've been tracking for years, possibly linked to different app store, vetting practices and policies. And I don't understand, or maybe the application market is, is just that different between iOS and Android. Oh, it is, is at any.

Leo Laporte / Steve Gibson (01:39:37):
It is. Yeah, yeah, yeah. That, that would be my guess. And they said, in any case, we examined the scope and extent of the risks involved when AWS credentials were found embedded inside apps, we found the following over three quarters, 77% of the apps contained valid AWS access tokens, allowing access to private AWS cloud services. Jesus Louis. I know Leo they're like hard coded in. Yes, yes. There it's like, you know, we, we, we, we we've talked about how lame it is for routers to hard code in a username and password for like some backdoor. No, Cisco spent years recovering from that practice is this cuz they're U like they're using AWS as a server for images or something. And so they have to do that. Maybe one of the reasons maybe it's not private stuff, it's like parts of the app. Well, yeah, but, but this is access to private AWS cloud services seems like a bad idea.

Leo Laporte / Steve Gibson (01:40:43):
Yeah. Sounds bad. Then they also said close to half 47% of those apps contain valid AWS tokens that also gave full access to numerous often millions of private files via the image, the Amazon simple storage service. Oh, that's definitely bad. <Laugh> that's definitely bad. And they're gonna get much more specific about this in a minute. So then they said we will explore the type of private data exposed in the examples discussed later in this blog, but the message is clear apps with hard coded AWS access, tokens are vulnerable act are a vulnerable, active and present risk. They said, okay, well, so, so yeah, and, and presented to risk risk, they said, so, you know, I, I should explain that it would be entirely possible for apps not to embed. And Leo, you already get this, not to embed static, AWS access tokens into their code, you know, and again, how many times have we talked about the insanity of a Cisco router, for example, embedding some backdoor access, username and password into its firmware, where it's ripe for discovery.

Leo Laporte / Steve Gibson (01:42:11):
You know, it's just malpractice and laziness in the case of well connected mobile apps, it would be trivial to have apps reach out, to obtain the AWS token on the fly over a secure encrypted and authenticated connection that would have the added flexibility of allowing the apps, developers to change AWS credentials on the fly, if some access right problems such as we'll be discussing in a minute were to be found in any event, Symantec continues. They said, we then looked into why and where exactly the AWS access tokens were inside the apps. And if they were found in other apps, we discovered to get this, that over half 53% of the apps were using the same AWS access tokens found in other apps. Interestingly, these apps were often from different app developers and companies, this pointed to an upstream supply chain vulnerability. And that's exactly what we found.

Leo Laporte / Steve Gibson (01:43:26):
They wrote the AWS access tokens could be traced to a shared library, third party, SDK or other shared component used in developing the apps. As for the remaining question of why app developers are using hard coded access keys Leo, to your point, they said, we found the reasons to include downloading or uploading assets and resources required for the app. Usually large media files, recordings, or images accessing configuration files for the app and or registering the device and collecting device information, storing it in the cloud accessing cloud services that require authentication such as translation services, for example, or no specific reason dead code and or used for testing and never removed. They said if an access key only has permission to access a specific cloud service or asset, for example, accessing public image files from the corporate Amazon S3 service, the impact may be minimal. Some app developers may be assuming this is the case when they embed and use hard coded AWS access tokens to access a single bucket or file in Amazon S3.

Leo Laporte / Steve Gibson (01:44:56):
The problem is often that the same AWS access token exposes all files and buckets in the Amazon S3 cloud. Often corporate files, infrastructure files, and components, database backups, et cetera, not to mention cloud services beyond Amazon S3 that are accessible using the same AWS access token. They said, imagine a business to business company providing access to its service, using a third party SDK and embedding an AWS hard coded access key exposing not only the private data of the app using the third party SDK, but also the private data of all apps using the third party component. Unfortunately, this is not an uncommon occurrence, as you can see in the following case study examples. Okay. So we've got, I think three here and they, they kept them anonymous not to embarrass the actual provider, but these are specific iOS apps. They said we found as in an intranet platform, SDK, we found a business to business company providing an intranet and communication platform that had also provided a mobile SDK that as customers could use to access the platform.

Leo Laporte / Steve Gibson (01:46:32):
Unfortunately, the SDK also contained the business to business companies. <Laugh> cloud infrastructure keys, oh, please. Oh, exposing all of its customers, private data on the business to business companies, platform, their customers, corporate data, financial records and employees, private data was exposed. Wow. All the files the company used on its intranet for over 15,000 medium to large size companies were also exposed. Why did the company hard code the AWS access token in order to access? Because it is better <laugh> exactly. Yes. Yes. In order to access the AWS translation service, what oh, please. Instead of limiting, instead of limiting the hard coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the business, to business companies, AWS cloud services and uses. Wow. Wow. I start to think that just as we license drivers before they're allowed to go on the road, we should have some sort of minimum competency standard for programmers before they're allowed to publish software.

Leo Laporte / Steve Gibson (01:48:15):
I know I know, and it's completely lacking it's, you know, doctors and lawyers have to get, got to go through extra school and get certified and pass tests to demonstrate that they have a, in the case of lawyers, you know, a basic understanding of the way to do their job programmers, not so much. Wow. I mean, not at all actually. And you know, there are, there are, as we know it, pro TV produces certifications those exist, but you don't have to have one in order to write code. Yeah. We have another instance, a digital identity and authentication. They said, we discovered several popular banking apps on iOS that rely on the same vulnerable third party, AI I digital identity K outsourcing the digital identity and authentication component of an app is a common development pattern. As the complexities of providing different forms of authentication, maintaining the secure infrastructure and accessing and managing the identities can occur a high cost and requires expertise in order to do it right.

Leo Laporte / Steve Gibson (01:49:32):
Unfortunately, in this case, things were not done right embedded in the SDK, which again was shared by several popular banking apps on iOS embedded in the SDK were cloud credentials that could place entire infrastructures at risk that credentials could expose private authentication data and keys, belonging to every banking and financial app using the SDK. Furthermore users, biometric digital fingerprints used for authentication along with users' personal data names, dates of birth, et cetera, were all exposed in the cloud. In addition, the access key exposed the infrastructure server and blueprints, including the API source code and AI models using used for the mobile operation in total over 300,000 biometric digital fingerprints were leaked across five mobile banking apps, five mobile banking apps using the SDK and finally online gaming. They said often already established companies rely on outsourcing or partnering with other business to business companies for their digital and online services.

Leo Laporte / Steve Gibson (01:51:08):
This allows them to quickly move their brand online without having to build and support the underlying technology platform. At the same time, by relying on the outsourced company to run the technology platform, they often have to give exclusive access to their business data. Furthermore, they have to trust that the outsourced company will protect the online private data, not to mention the reputation of the brand. Overall boy, talk about skating on thin ice. They said, we found a large hospitality and entertainment company depending on another company for their technology platform, even forming a sports betting joint venture with the company with a highly regulated sports betting market. The, the complexities of building and supporting infrastructure for online gambling cannot be underestimated. Unfortunately, by giving the joint venture company exclusive access to that part of its business, the company also exposed its gaming operations, business data, and customer data to the world in total 16 different online gambling apps using the vulnerable library, exposed full infrastructure and cloud services across all AWS cloud services with full read, right root account credentials.

Leo Laporte / Steve Gibson (01:52:49):
And they said all of the organizations whose vulnerable apps were discussed in these case studies have been notified yeah. About the issues we uncovered. Now, you know why there's so many S three bucket exploits. Yes. I mean, this happens, this is a, probably the most common kind of breach. Yes. It seems like there, Amazon, maybe isn't doing a good job of explaining permissions or something like maybe Amazon could fix this. Yeah. I, I, I agree with you. It is. I, I think what happens is that it's easy to BR it's so easy to use Amazon S3 buckets. I have I'm, I haven't maintained a bunch of my own. Like E every time I, every time I upload the edited audio to Elaine copies of the podcast, go into an S3 bucket just to have it in the cloud so that it's, you know, archived, archived the problem is I think that developers get it going with like, without any and without any access controls.

Leo Laporte / Steve Gibson (01:54:03):
And then they just forget to go back and lock it down and like restrict it so that it's not just left as public because unfortunately that's the way it is by default it's public, unless you make it private. And that seems to be the mistake that's being made crazy. Wow. And, and it just it's, it is also maybe it's because it's remoted that you somehow, you don't have the same level of visibility into access controls that you do for something that, that that's local or just, you know, they didn't RTFM, they didn't, you know, I mean, I seem to remember having set up quite a few of these, they kind of tell you, this is like the password. This is gives you access you know, they even hide it. Right. You have to reveal it. Yeah. It, it seems to me that, well, I don't know what's going on lazy.

Leo Laporte / Steve Gibson (01:55:01):
It's not good or yeah. Or something. Well, and the problem is, and this was the point that Symantec was, was making, is that, is that we've got a difficult, a clearly a difficult to secure or, or too often not secured cloud resource, which because of the way business to business are now beginning to contract with each other for big chunks of responsibility. That, that, that cross business contracting is what Symantec is calling a new form of supply chain. And if your, if your provider of these services, isn't careful with the design of their dev of their product it's inherent security appears to be lacking. There's no other way to explain why 16 different entirely separate gambling environments, which all use a common package. Would've had all of their data. Cross-Ex expos. If it weren't for the, for the MIS design of that package. Yeah.

Leo Laporte / Steve Gibson (01:56:20):
Unbelievable. Yeah. That's the other problem. People just kind of, willy-nilly just pasting packages it. Yeah. It's like, oh, well. And because who wants to learn all that? I don't wanna write all that code. Oh, look, somebody wrote it. We, we can get it from Joe. Great. Yeah. Import import press the import button. Yeah. Well that I am. I kind of sympathetic to that. It's really up to Joe to make that secure. <Laugh> Joe's gotta do a better job. Wow. Well, another great security now as always. Thank you, Steve. Steve Gibson lives@grc.com. It's all sorts of great stuff there. Of course spin. Right? The world's finest hard drive recovery at mass storage, recovery and maintenance utility. And you could pick up a copy right now. 6.0 6.1 is in process. We'll be out sometime, and you'll get it for free if you buy today and he's working on seven.

Leo Laporte / Steve Gibson (01:57:17):
Oh, apparently I just found out so busy man plans, plan planning for seven. Oh, you gotta think about, I know what, I know what it's gonna be. You gotta know what S3 buckets to stick it in. <Laugh> that's right. That's one good thing about assembly language. Probably not a lot of S3. Hopefully it's not leak tokens. Yes. <laugh> and there's no one else's modules who I'm that I'm nobody else makes them Nope. Right. That's where you gonna go to find those modules? Look, we've got a whole library of assembly language routines. You can, you can use aggressively non cross platform. That's Steve right there in a nutshell. <Laugh> no 80, 86. That's it? But boy, I'll tell you what it works. Good. He also has, of course, the copies of this show. Now he has the 64 kilobit audio, which is the kind of the standard audio podcast version.

Leo Laporte / Steve Gibson (01:58:13):
But he also has a 16 kilobit version for people who really don't wanna spend the bandwidth. And he's got transcripts. Elaine Ferris writes those out after every show takes a few days. That's really nice to read along as you listen or to use for reference or to search. I bet you, I know, I know somewhere out there, there's somebody with three shelves worth of three ring binders with all the transcripts printed out and indexed. Don't you think Steve, somebody's done that. The Magnum Opus all of that's free@grc.com. All you gotta do is buy, spin, write everything else takes care of itself. Lots of other stuff as well, you can leave him a question or a comment or suggestion at grc.com/feedback. Probably the better way to do it is to go to his Twitter account SG, GRC, SG, GRC. You can DM 'em there.

Leo Laporte / Steve Gibson (01:59:04):
As DMS are open. After the fact we have the show as well on our website, twit do TV slash SN. We've got the 64 kilobit audio. And we also have video, which is weird, but we got it. Oh, time, time to go shows over. <Laugh>. <Laugh> I heard, I swear and I must be dreaming, wind chimes. Do you have wind chimes in your studio, in your office? That was Lori's iMessage coming in. Ah, yes. Cause I do have sounds associated with everything. Nice. So she's for hers. She's very relaxing. Wind chimes. Nice sound. Yep. I thought I, I, I, I must have died and gone to heaven. Steve Gibson has wind chimes at the GRC labs. There's no wind here except what comes outta my, except what comes outta my world. Hot air, but no wind. Yeah. Hot air here today.

Leo Laporte / Steve Gibson (01:59:59):
I'll tell you we also invite you to watch live if you want. You could we stream it live as we do with all our shows. We just open up the cameras in the studio and let you watch it live.twi.tv. It's usually right after Mac break weekly. That's about, you know, one 30 Pacific four 30 Eastern, 2030 UTC. If you're watching live, you could chat with us. Live an IRC that IRC site is irc.twi.tv. You can go there with a browser. It has the deeds on how you could use a IRC client. If you prefer, if you do it more than once, you should probably get an IRC client. Of course the discord folks are also chatting behind the scenes. If you're a member of club, twit, YouTube channel also dedicated to security. Now that's most useful. I think, well, if you watch a lot of YouTube, it's great.

Leo Laporte / Steve Gibson (02:00:47):
But also it's a great way to send just a little clip to somebody cuz that's easy to do on YouTube. So if you know, if you heard something you thought I gotta, I gotta send this to Joey. He keeps putting our S three bucket credentials in the app. You can just snip that part, send it to Joey. Let Steve explain why it's a bad idea. Oh, of course. The best way to get it would be subscribe that way. You know, you can add to your six foot shelf of binders. You could add the complete security now. We are, we are now in our 18th year, 19th year, 18th year 18th. Yep. Episode 8 87. So collect all 887. We only do 10 at a time in the feed. So if you want to go past, you know, 8 77, you'll have to go to the website either Steve's or ours and download all of 'em, but they're all up there on the website. You get 'em all Steve, have a great week. I am gonna be reading this new silver ships. I'm excited about it. Oh, I think you're gonna like it. It's just, it's just so pleasant to read somebody who can write and this guy writes well nice. Oh, I can't wait. I'm excited. A great story. And I love first contact stories. I really do. Yeah, yeah, yeah. This is that. Yeah. Well see next time on security now. Okay. Bye security. Now.