
Security Now Episode 921 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here with some really interesting topics. Can the UK force companies to break their encryption and what is to be done about it? We'll also talk about an unusual case, but some evidence that maybe it isn't always a good idea to rush those security updates out. And a word, if you don't mind, from the creator of curl. It's all coming up next. Plus, a lot more with Security Now.

... (00:00:31):
Podcasts you love. From people you trust. This is TWiT.

Leo Laporte / Steve Gibson (00:00:40):
This is Security Now with Steve Gibson. Episode 921, recorded Tuesday, May 2nd, 2023. OSB OMG and Other News!

(00:00:53):
Security Now is brought to you by Thinkst Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter the code twit in the "How did you hear about us?" box. And by DeleteMe, reduce enterprise risk by removing employee personal data from online sources. Protect your employees and your organization from threats ranging from doxing and harassment to social engineering and ransomware. Go to joindeleteme.com/twit. And by Drata. Security professionals often suffer through manual evidence collection, but with Drata, companies can complete audits, monitor controls, and expand security assurance efforts to scale automatically. Say goodbye to manual evidence collection and hello to automation. All done at Drata speed. Visit drata.com/twit to get a demo and 10% off implementation. It's time for Security Now, the show where we cover the latest news in security, the show that gets longer every week.

(00:02:06):
<Laugh> <laugh> because there's never any lag, Mr. Steve Gibson. Good day, sir. It is. It is funny. Sometimes I have an occasion to go back in time and look at some of our earlier numbers, the 20 minute versions. Yeah. Yeah. And I think, how did we get anything done in 20 minutes? <Laugh>, you know, we're, we're still busy saying hi to each other. And by the way, Leo, have you run across Barry on HBO? You know, I've watched the first three seasons and I saw that a fourth has arrived. Yeah. So, yeah, we'll be watching it. You like it? Yeah. The yes. It, it, it starts a little slow. We're not a lot sure. And what was weird was I was used to seeing the name Alec Berg and I couldn't place it. So I, you know, Googled him.

(00:02:47):
Well, he was the guy behind Silicon Valley. Right. Which is, you know, talented. He does have, yeah, yeah, yeah. And Bill Hader's hysterical. So I love Bill Hader. What a good job. And the bald guy in it still. Yeah, he he, he, he's in it all the way through. I, I love him. And, and, and they are, you know, they're making him increasingly gay. So it's, you know, they're, they're, they're, they're having fun with all of that. It's, he's such a great character. The ga, he's a a what a Chechen mobster with, but with who's sensitive. He's a sensitive with style. He has style. Yeah, he has a lot of style. He's a lot of style. Yeah. I really, I quite enjoy that. They really blinged, they, they really blinged him out in one of the episodes. They really season, so, oh, that's great.

(00:03:31):
And, and the way I found it was that some, so somehow I, I clicked, I saw something that, I think it was on Vox or something that said that, that the show on HBO that you're not watching just started its fifth and final season, or is about to start its fifth and final season. And, and I thought, oh, that's interesting. We're ready for something. So cuz we're rewa, we're re-watching House because we're sort of out of things. So anyway. Well, you and I, after and every once in a while I'll get a text from Steve saying, you gotta watch this. You and I after maybe we'll compare notes cuz we found a few shows that we are, we're quite enjoying. Of course. I know you're a Succession fan, so you've gotta be watching this. Yes. Actually we're holding off.

(00:04:11):
Oh, that's so we can smart. So that we can do the whole thing. But because these cliffhangers, it ain't easy because there's a lot of spoilers on the internet and there's some real spoilage that can happen. So just close your eyes. The good news, Leo, is I don't use the internet. Oh, smart. Yes. Stay off Twitter and you're okay. Yes. I, I do not think, I do not have that luxury. I wish I did. I don't think wifi works and I don't use the internet. So, you know, it's funny, yesterday I was telling Lisa, cuz we've been having IoT troubles and all sorts of stuff, and I said, I can't wait till I can retire and I don't have to use technology anymore. We're gonna move to a cabin in the woods. All I need is hot and cold running water and electricity. Forget the internet.

(00:04:53):
She doesn't believe me. So there Leo is half of our show from the old days <laugh>, that, that, that could 10 minutes. The happy talk. That, that, yeah. Mm-Hmm. <affirmative>, none of our listeners will ever be able to get back <laugh>. Okay. So this week, because the UK's Online Safety Bill continues to stir up a hornet's nest of worries and concerns within many industries, we're gonna examine WhatsApp's reaction to Signal's. We plan to walk. Oh yeah. Position. Oh yeah. Oh yeah. And, and Wikipedia's concerns over the Bill's age verification requirements and undaunted. I have another idea that might be useful, <laugh>. So, well, never stop coming up with ideas, Steve. We love it. That's right. So we also have a new UDP reflection attack vector with lots of amplification in it. A welcome and late update to Google Authenticator, more NSO Group client news, a Russian OS, the unintended consequences of releasing updates for routers that won't actually ever be updated.

(00:06:00):
A smart move by Intel with pre-release security auditing, yet another side channel attack on Intel CPUs, curl's maintainer implores Windows users not to delete it, and VirusTotal gets AI. So I think a great podcast. We ti I titled this OSB OMG and some other news <laugh>, so well, we'll get to it. PDQ <laugh>. But, but first a word, fyi, FYI, <laugh> from our sponsor. This is one of it's funny, we've been doing ads for the Thinkst Canary for many years now. One of the most popular devices we talk about on this program. And that kind of makes sense to me. The Thinkst Canary, I mean, we started the program talking about honeypots. The Thinkst Canary is a very easy to use honeypot that you could put all over your network. Everybody knows honeypots are a great idea, right?

(00:07:00):
The idea is if somebody gets into your network, they'll be attracted to this, you know, device which they don't know is a security device. And, and, and thereby alert you to the fact that they're inside the network. The question is, why don't all internal networks run honeypots? Well, it's probably because all our network pro with all our network problems, nobody needs another machine to administer, another machine that could even add security flaws. So, you know, the benefits of honeypots, I hope the cost and effort of deployment always drops honeypots to the bottom of the list of things to do. And that's why I think the Thinkst Canary is such a great solution. It's so easy to deploy. I actually haven't shown you the interface for the Canary in a while. I should probably do that. Log into our Canary. This is one right here.

(00:07:49):
The beauty of this is it could be configured to look like anything, anything valuable, not vulnerable, but valuable. The, the Canary triggers are simple. If someone's accessing your lure files, and you can use this by the way, to create as many documents as you want. PDFs, DOCX, spreadsheets, whatever you want, that aren't really PDFs. But when somebody, but they could say things like, I have a, I have a spreadsheet somewhere on our network called payroll information. Now that's pretty attractive if a bad guy's wandering the network, but the minute they try to open it, boom. <Laugh> boom, I'm gonna know about it. Canary uses deceptively uncomplicated, high quality markers of trouble on your network if someone accesses those lure files or tries to brute force your fake internal SSH server. In this case, it's a Synology NAS with a very nice login page. It's exactly like the DSM 7, cuz it, you know, they copied it.

(00:08:49):
The MAC address even is a Synology MAC address. So no bad guy's gonna be able to look at that and say, well that's, that's a Canary. But the minute they log in, I'm gonna get a notification and that notification is gonna fit my needs. I can get it as an email or a text message. You can use syslog, you can use, you know, whatever system that you want to get notified. Webhooks it supports. It pretty much means anything can be used and you get just the notifications that matter. The ones where you're actually being attacked. No false alarms. You simply choose a profile for the Canary device. It could be a Windows box, a brand name router. It could be a Linux server. You choose what ports are open. You can have a Christmas tree if you want, or just a selective few attractive ports.

(00:09:36):
If you want, you can even tweak the services the Canary runs. You can have a specific version of IIS for instance. You know, there's a exploit and, you know, version, whatever. You can use that version. You can have a specific version of OpenSSH. You can have a, i I think you probably won't do this, but you could have a Windows file share with actual files constructed according to your naming scheme. <Laugh>, you know, I think there's probably enough people with open file shares that probably would work, right? That guy go, oh yeah, I got another one. You register your Canary with a hosted console that's part of the deal with a Canary. You get notifications, you get monitoring, and then you wait. And, you know, this one's been online for years. And I there's no false alarms.

(00:10:22):
I did get one alarm once when Megan Morrone put a, a Western Digital NAS device on the network and it went out and started sniffing all the ports. Oh boy, I heard about it then. And we immediately said, what's this? It's coming from inside the house. 10.0 what went and found it. Disconnected it. Thank you Canary. Thank you. Canary attackers who have breached your network. Or, and I should point this out, it doesn't have to be a bad guy coming in from the outside. I never mentioned this. It could be a malicious insider, but whatever. They'll let them, they'll kind of let you know they're there by accessing that Canary or accessing those Canary tokens. If someone browses a file share, opens a sensitive document on your Canary, you're gonna, you're gonna know. Go to canary.tools/love if you have any doubt. There is a list of tweets of love letters, messages from people, actual people.

(00:11:18):
And then they'll name, names CTO of Slack, for instance, who love the Canary. canary.tools/love. Customers on all seven continents. Yes, in Antarctica too. Love their Thinkst Canaries probably cuz you can deploy this bird and forget about it. The, like a canary in a coal mine. Well, they actually, it's even quieter than that. <Laugh>. There's no, there's no peeping, no chirping. They will just sit there quietly until something bad happens. You get your alert in any way you want. Let me give you an example. Pricing. A lot of, you know, small businesses might have a half dozen, big banks, casino operations, things like that, might have hundreds just, you know, you know what you need. But let's say you wanted five, go to canary.tools/twit, 7,500 bucks a year. You get the five Canaries, you get your own hosted console. All upgrades included, all support, all maintenance for the year.

(00:12:12):
If you sit on your Canary, don't worry. They just send you another one. And by the way, you, if you're not watching the video, this thing looks like you know, one of those portable USB hard drives. It's small, it's compact. All you need is to connect power. And I've got ethernet on it. And and it's on your network. And, and you can configure it from the website. canary.tools/twit. Use the code twit in the "How did you hear about us?" box. You're gonna save 10% off. And not just for your first year, but forever for the life of your account. Thinkst Canary adds incomparable value. But I'm always quick to say this cuz I know people you know, you don't know. Is this really good? Is Leo making this up? I'm not. But the good news is, you can return your Canary for 60 days.

(00:12:56):
They got a two month full refund money back guarantee. And I have to tell you, during all the years Canary's been advertising with us, not one person's ever asked for that money back. They're happy to offer it. Maybe you'll be the first. I don't think you will. Once you see how great this is, you're gonna love it. Canary.Tools/Twit offer code twit. Don't forget that, that's important. So they know you heard it here. This thing is, everybody should have one of these on their network or five or 10 or whatever. Canary.Tools/Twit. We thank Canary a great company. We love these people and they've done a great job with a great product and we really appreciate their support. One of the most popular things we talk about on the show, the second most popular thing we talk about on the show, the picture of the week, Steve <laugh>.

(00:13:42):
Okay, so this is wild. This is, and Leo, I'm, it has to have been Photoshopped, don't you think? I mean, yeah, nobody would do this on purpose. No, no one could build this. So for those who don't have the advantage of video, what we have is this is a bizarre swing set <laugh> where just past the, the bar that, that holds the, the chains mounting the swings is a concrete, is, is a, is a brick wall so that, you know, you can't swing because the moment you would go past center, you'd be hitting this brick wall. Literally you know, maybe kids could sit there and like push off of the brick wall with their feet. I mean, I just don't know what, as soon as it came back, boom, you're gonna hit the wall. That's not good. Crazy. That's crazy. So, yeah, so, but the, but the picture captivated me, so it made it into this week's. Oh, and I believe it, Steve. I think it really happened.

(00:14:49):
Do you? No. <laugh>. I'm just trying to give you credibility. No, that's definitely real. What I like is it's, it's like the best built swing set you ever saw. I mean, this thing is, it's very sturdy. Sturdy, except it, it doesn't do anything <laugh>. Good. anyway, so it, it came with the caption that I used, which is security should never be added as an afterthought. <Laugh>, I love it as, as if to say that, you know, the brick wall was added after the fact and oops, you know, it broke the swings, but, but the swings wouldn't work without the brick wall. So, you know. Anyway, I just, it was wacky enough that I thought, okay, well we don't, we don't really have an explanation for this, but we'll just put it in the show notes. Okay, so before we get into everything that happened since last week's podcast, I wanted to follow up on last week's topic about the clear collision of encryption ideologies.

(00:15:46):
We're in the midst of witnessing. While I don't have anything completely novel to say, I wanna go on record, I adamantly hope that not one of the encryption providers backs down from their absolutist position, which I do believe is the only tenable position for our industry to take. No one wants to provide cover to any community of lawbreakers of any kind. Certainly not anyone trafficking in child pornography or terrorism. But the fact is that while it's not zero, the illegal use of technology represents an infinitesimal minority of the technology's total user base. Everyone else who are law abiding users will obtain clear benefits from access to technology, which protects their privacy to the maximum degree possible. For the past several weeks, we've been talking about the thriving marketplace for commercial smartphone spyware, a market created by the very same governments who want to expand their ability to monitor not just targeted individuals, but everyone's private communications.

(00:17:05):
Sadly, government bureaucracies are too large and too unaccountable to be trusted. Edward Snowden provided a wake up call and the revelations have never stopped since. This podcast draws lessons from events, which is, I think, much more useful and enduring than a dry recitation of the weekly news. One such lesson we have seen demonstrated time and again, is that if it is possible for privacy to be breached, it will be breached. We must not willingly and knowingly provide deliberately breachable tools to unaccountable governments. The final piece of this argument is that it, as we know, and as we've often said, it would not work anyway if fully private encryption is outlawed, only outlaws will be using fully private encryption, as we've often observed here. Now that such encryption already exists, it's never not going to exist again. So the only thing that will happen if the tools everyone uses should lose their privacy by law, is that privacy will be obtained outside the law.

(00:18:21):
Okay, so this leaves us with a question, what's gonna happen? You know, no one knows, which is, I think what makes this so interesting, there doesn't appear to be any possible way to compromise. Either governments have no officially sanctioned way to monitor communications, or they do, it's glaringly binary. If the UK's current proposal were to be enacted into law, there would presumably be some length of time provided for encrypted service providers to come into compliance. Then there would be three choices. One, a company could choose to tough it out and call the UK's bluff by simply ignoring the law and continuing to offer fully encrypted and unmonitored communications. Or two, they decide to comply. And during the grace period they add the technology for side channel monitoring to their product. This complies with the UK's requirement by copying all communications to a central repository for content screening.

(00:19:27):
It's still unclear how the requirement to prevent grooming is accommodated, but it begins with monitoring. Or three, they just say no to compromising their users' privacy. They choose to boycott the UK, removing access to their service from all UK users. Okay, option one, toughing it out and calling the UK's bluff, doesn't appear to be practical. A piece of related news I'll share in a moment from the BBC contains the line. If a service does not comply with the bill, there can be serious consequences, potentially including large fines, criminal sanctions for senior staff, or restricting access to a service in the UK. JD Supra, a legal news site, had this to say about the Online Safety Bill's penalty provisions. They wrote, penalties available include fines of up to 18 million pounds, or if higher 10% of global turnover, meaning, you know, their global revenue.

(00:20:36):
And which for the larger providers could be significant sums. In addition, it can impose business interruption measures, including ultimately service restrictions. A particularly controversial measure has been the availability of up to two years imprisonment for senior managers who suppress, destroy or alter information requested by Ofcom, remember that's the, the com, the UK's communications regulator, who fail to comply with, obstruct or delay Ofcom when exercising its powers of entry, audit and inspection, for providing false information, or for employees who fail to attend or provide false information at an interview. A recent amendment also provides a further offense where a senior manager has, quote, consented or connived in ignoring enforceable requirements, risking serious harm to children. For these purposes, a senior manager is the individual, as if the individual plays a quote, significant role in the making of decisions about how the entity's relevant activities are to be managed or organized, or be the actual managing or organizing of the entity's relevant activities.

(00:21:56):
And they finish the OSB is in the latter stages of the legislative process. And while substantive amendments may still be made, it is likely to receive royal assent by mid-year. The OSB may also have the unintended effect of causing terms of service to be watered down as to what content a service may contain. Ultimately, some providers may decide it is simply too difficult to comply with and instead block UK users. Okay. Well there's obviously no way Tim Cook or Mark Zuckerberg are going to prison <laugh> over this. Yeah. You know, nor are they gonna give up 10% of their respective company's annual revenue. No, that's, that's like, that's like for Apple. That's like 36 billion. That's Yeah. Massive amount of money not gonna happen. So, you know, ignoring the law doesn't appear to actually be a practical option and note that the law was clearly crafted to make exactly that fact exceedingly clear.

(00:23:02):
But I wanted to cover that case since it was theoretically one of the three possibilities. Okay. So it turns out that I wasn't totally out in the weeds last week with my proposed design for a device centric age verification solution. And something like that may actually be the right answer. Even if the Online Safety Bill that's, you know, OSB fails as we all hope it will, in enforcing the monitoring of all private communications within the UK, which is, which now a US bill called the CSAM Act, cuz they know, you know, nobody's gonna vote in favor of child porn. So this is, this is gonna a problem everywhere, not just the UK. Yes. That was the thing that the Senate enacted on Wednesday. Yeah, I think you're talking, yeah. So, you know, regardless of how, in this case the UK Bill's authors want it to be interpreted, you know, what the bill requires is, you know, all monitoring.

(00:24:03):
Yes. Oh, backdoor. It's extensive provisions which require the moderation of all content made available, especially to those under the age of 18. Those provisions appear very likely to survive. So it appears that some answer to the unsolved challenge of online age verification is gonna be needed. Okay. So this was highlighted by some news that was covered four days ago by the BBC in their piece titled Wikipedia will not perform Online Safety Bill Age checks. Okay. So here's what the BBC wrote. They said the Wikimedia Foundation says it will not comply with any age checks required under the Online Safety Bill. Rebecca McKinnon of the Wikimedia Foundation, which supports the website, says it would quote, violate our commitment to collect minimal data about readers and contributors. A senior figure in Wikimedia UK fears the site could be blocked as a result, but the government says only services posing the highest risk to children will need age verification.

(00:25:17):
Wikipedia has millions of articles in hundreds of languages written and edited entirely by thousands of volunteers around the world. It is the eighth most visited site in the UK. Yeah. According to data from analytics company Similarweb, many, many of those are kids. And it's just a matter of time before they decide that Oh no, Wikipedia accounts. Right. Exactly. That's, sorry. Yeah. And that is the concern here. The Online Safety Bill currently before Parliament places duties on tech firms to protect users from harmful or illegal content and is expected to come fully into force sometime in 2024. Neil Brown, a solicitor specializing in internet and telecom law, says that under the bill services likely to be accessed by children must have, quote, proportionate systems and processes I know designed to prevent them from encountering harmful content that could include age verification. Lucy Crompton-Reid, chief executive of Wikimedia UK, an independent charity affiliated with the foundation, warns some material on the site could trigger age verification.

(00:26:29):
For example, she said educational text and images about sexuality could be misinterpreted as pornography. But Ms. McKinnon wrote The Wikimedia Foundation will be verifying the age of UK readers or contributors, as well as requiring Wikipedia to gather data about its users. Checking ages would also require a drastic overhaul to technical systems. In other words, you know, they don't have any capability to do that. If a service does not comply with the bill, there can be serious consequences potentially including large fines, criminal sanctions for senior staff, or restricting access to a service in the UK. Wikimedia UK fears that the site could be blocked because of the bill and the risk that it will mandate age checks. Okay. And now, Ms. Crompton-Reid wrote quote, it is definitely possible that one of the most visited websites in the world and a vital source of freely accessible knowledge and information from millions of people won't be accessible to UK readers, let alone UK-based contributors.

(00:27:37):
There are currently 6.6 million articles on Wikipedia. As she said, it was impossible to imagine how it would cope with checking content to comply with the bill. She added worldwide, there are two edits per second across Wikipedia's 300 plus languages. The foundation has previously said that the bill would fundamentally change the way the site operated by forcing it to moderate articles rather than volunteers. It wants the law to follow the EU Digital Services Act, which differentiates between centralized content moderation carried out by employees and the Wikipedia style model by community volunteers. Last Tuesday, the House of Lords debated an amendment from conservative peer, Lord Moylan, that would exempt from the Online Safety Bill services provided for the public benefit such as encyclopedias. Heritage minister Lord Parkinson said he did not think this would be feasible, but added that Wikipedia Uhhuh oh was an example of how community moderation can be effective.

(00:28:55):
Meaning figure it out and you guys do it. Wow. He said the bill did not say that every service needed to have age checks. And it was expected that quote only services which pose the highest risk to children will be required to use age verification technologies. Ms. Crompton-Reid told the BBC that while Lord Parkinson's remarks reassured her, the charity did not want to be relying on, as you said, Leo, on future goodwill and interpretation Yeah. Of legislation. She said they would continue to urge that protections for community moderation were in the bill through measures such as the exception for public benefit websites like Wikipedia. Okay. So our takeaway from that is that while Wikipedia will refuse to comply with age related regulation, it hopefully is unlikely that Wikipedia would actually be required to do so. You know, it's not a porn site. They would appreciate receiving confirmation that this will not be necessary in order to remove any uncertainty.

(00:30:06):
But there certainly are services that will, that will be required to provide age verification, such as legal websites which make it their business to provide extremely adult sexual content. Okay. So, well, and this just happened in Utah and Pornhub Uhhuh <affirmative> has withdrawn from the state. Yeah, exactly. The problem is if it's just England, you know, honestly, fine. Bye-Bye. But it's not gonna just be England and that's the problem. It really is. Well, and that's why I I'm hoping that we're gonna see, I mean, so, so this, this stuff is separate from encryption providers. I think encryption com providers are gonna just, you know, decide this is the hill they want to die on. Yeah. And they, what's gonna say that's what they're just gonna say No. Yeah, yeah. Signal says, no, we're not just not gonna happen. So last month, and I think honestly, encryption is gonna end up being civil, disobedient using encryption is gonna be a form of civil disobedience.

(00:31:02):
The problem is that's for individuals. It doesn't solve the problem for these big companies. I'm not sure how they solve this. Right. So last month the Guardian published what they called an explainer about the age related aspects of the impending Online Safety Bill. Their piece was titled, Will UK's Online Safety Bill Protect Children from Adult Material? And their subheading was sort of the crux of it, saying legislation puts duty of care on tech firms to protect under eighteens, but does not mandate use of specific age checking technology. Okay. So they said the Online Safety Bill is due to become law this year, and it imposes a duty of care on tech companies to protect children from harmful content. However, there are calls from campaigners and peers to toughen the legislation's provisions regarding pornography. Here's what the act proposes to do on adult material. The bill requires all pornography websites, such as Pornhub, to ensure children do not encounter their content.

(00:32:07):
This will require age checking measures. The legislation refers to stringent age verification, checking a user's age via government ID, or an authoritative data source such as a person's bank, as a means of doing so. Breaches of the act carry the threat of a fine of up to 10% of a company's global turnover, or in extreme cases blocking a website altogether. So what are the rules currently? They wrote, MPs have described the legal approach to pornography in the UK as a loose patchwork comprising more than a dozen laws. It is a criminal offense to publish work under the Obscene Publications Act that is deemed obscene and it is illegal under the Criminal Justice and Immigration Act to possess an extreme pornographic image. It is also an offense to make, possess or distribute indecent images of a child. The primary regulator of legal pornography offline is the British Board of Film Classification, which gives pornography age ratings, R18 for the most extreme but legal content, or 18, but it has no control over online content. Ofcom.

(00:33:23):
The communications watchdog already has the power to regulate UK-based video sharing platforms such as TikTok, Snapchat, and OnlyFans. These platforms are required to protect under eighteens from videos containing R18 material such as pornography. The age appropriate design code was introduced in 2021 and is designed to prevent websites and apps from misusing children's data. Under its terms, social media platforms would be breaching the code if their algorithms served adult material to under 18 year olds. Age verification has been a troublesome issue for the government. Age checking for pornography was announced as a conservative policy in 2015. However, plans to introduce a nationwide age verification system for online pornography were abandoned four years later in 2019. The bill will not mandate use of specific technologies for age checking, although Ofcom will issue codes of practice on age assurance, which is the umbrella term for assessing the age of people.

(00:34:36):
Online age verification is the term for the toughest measures such as requiring proof of official ID. One solution is to use age verification companies that vet a user's age via a range of methods, including checking offline ID or bank statements, and then notify the porn provider that the person wishing to access their service, who is anonymized, is over 18 years old. Ofcom said it will launch a consultation on protecting children from pornographic content, including on user generated platforms such as OnlyFans, in the autumn. The government has indicated that there will be clear instructions to mainstream social media sites and search engines to prevent children accessing pornographic content on their services. That's right. Search engines of course, is another problem. The bill requires sites to prevent children encountering what it terms primary priority content. Because it qualifies as a user-to-user service, subscription-only site OnlyFans is also covered by this part of the bill.

(00:35:46):
We will not know what is primary priority content officially until it is defined in a statutory instrument that will be published after the bill becomes law. However, pornography is expected to be on that list, and it was listed as primary priority content by the previous culture secretary, Nadine Dorries, in a parliamentary statement last year. According to a timeline published by Ofcom, though, it could be more than 18 months after the bill is passed before these provisions come into effect. Social media sites and legal pornography sites will also be required to shield all users from illegal pornography such as obscene content and child sexual abuse material. The bill will update the law on sharing intimate images without someone's consent. In England and Wales, there will be a new base offense where it is an offense to share an intimate image of a person if they do not consent and the perpetrator does not believe they have consented.

(00:36:51):
Currently, these offenses apply if the image is shared in order to cause humiliation or distress. The base offense will now apply regardless of the motivation, including sharing it as a joke, for social status, financial gain, or where there is no motivation at all. Okay. So from all of that, the article subheading seems to me the most pertinent to those of us who care and are interested in how these things work and, you know, and how they're done. The Guardian wrote: legislation puts duty of care on tech firms to protect under-eighteens, but does not mandate use of specific age checking technology. So, you know, said another way, we don't know how you're gonna arrange to do what the new laws we have just written require you to do, but that's not our problem. <Laugh>, it's yours because we said so. The, the old, this is because the old law required that you go to a pub <laugh> <laugh> or, I mean, I think there might have been like post offices, but somewhere where they had a system of checking ID.

(00:38:03):
But, but most of the time it sounded like a pub to verify your age. And, and everybody said, you're gonna send 15 year olds to a pub to verify your age? And oh, what about somebody who says, I'm an adult, I want to view porn. I gotta go to a pub and say, hey, can I have a porn license, please? I mean, this was a terrible plan and they haven't solved it. They've just said, well, it's not our, yeah, not our problem. Yeah. Exactly. They're saying, we don't know how you're gonna do it. It's very, it's very much like the encryption problem. Right. Well, we don't want you monitoring everyone's content, but you have to. So, you know, I'm so depressed by all this, Steve. I really, I know. It's just, I, I know. It is, it is a, like a, it's the collision that we've seen coming for a long time.

(00:38:49):
So whether it's the perceived need to monitor everyone's communications all the time in the off chance that something illegal might pass by, or the need to impose strict age restrictions on access to internet content and behavior, it's apparent that the UK's legislators believe that they can ask for whatever they want, leaving it up to the tech companies to figure out how to do it, while all the while imposing penalties if they fail to achieve what might well be impossible or at least impractical, like the, the, as you said, the previous legislation that they had passed. So after last week's podcast, I received a DM from someone who said, please don't go spending another seven years solving the age verification problem like you did with the online login authentication problem. To which I will formally respond, fear not. As they say, fool me once <laugh>, I have quite thoroughly learned my lesson.

(00:39:52):
Oh no. And I'm having too much fun working on new technology for SpinRite, where I can actually make a difference. So, you know, it's, you did propose some years ago, I'll have to find the episode, kind of some sort of third party key escrow. Yeah. And that still, that could still be done, but it doesn't solve, so that would, that would allow privacy to be maintained and search warrants to be served. Right. That is so, so that was, that, that, so it, it, the idea there was to, to try to bring into the, the end-to-end encryption space the, the similar US constitutional protection where, you know, where you need to prove to a court that you've done something wrong. Right. On the other hand, now we've seen what the courts have been doing lately, so I was like, oh. And also as others pointed out, if you have a back door, it, those keys leak.

(00:40:49):
I mean, it's hard to keep it. And you proposed a very good system with the, you know, you have, it was a, it was well thought out. I thought it was a very good idea. And it may be our last best hope because it may be that, you know, it's the, it's the better of two bad alternatives. But, but it doesn't solve this problem that the UK wants to solve. They literally want to, to look to somehow screen all text messaging in case it, it might be, yeah, grooming children. Yeah. See, and, and every image that you send in case it might be illegal content. So it's not, it's everything. It's a fishing expedition. It's a broadness, yes, catching everything. It's a side channel monitoring. Yeah. It's terrible. You know, that, that's what this, this Online Safety Bill requires, you know, and, and, and, and that was my, my, the, the, the point at the beginning of this is that no one wants to provide any cover to those creeps to allow them to do what they're gonna do.

(00:41:46):
No, of course not. But they will do it using illegal technology if we, if we open up the, the encryption. Right. And so that we're doing backchannel monitoring. Right. The, the, so it's not gonna solve the problem and it's going to compromise everybody else's privacy. And if you think a government only cares about CSAM and grooming, you aren't, you're not paying attention. Well, yes. You, you, you haven't been noticing where the cash for, for Pegasus is coming from. Yeah, exactly. It's coming from governments. Exactly. So in a little bit of happy news, recall that Signal's president Meredith Whittaker made some headlines when she told BBC News that Signal, quote, would absolutely 100% walk and stop providing services in the UK if required by the Online Safety Bill to weaken the privacy of its encrypted messaging system. That's the only stance that any entity like Signal, Threema or Telegram could take.

(00:42:50):
Right. Because, you know, their entire existence is, is, is encrypted communications. But what's the position of the number one most popular and largest messaging app in the UK? WhatsApp. WhatsApp is used by more than seven in 10 adults who are online, according to the UK's communications regulator Ofcom. Okay. So the BBC asked Will Cathcart, the head of WhatsApp. Will replied that WhatsApp would refuse to comply if asked to weaken the privacy of encrypted messages. Full stop. He said WhatsApp would rather be blocked in the UK than undermine its encrypted messaging system if required to do so under the Online Safety Bill. He said, quote, we won't lower the security of WhatsApp. We have never done that. And we have accepted being blocked in other parts of the world. And he feared the UK would set an example, as you said, Leo, other nations might follow. Will added that undermining the privacy of WhatsApp's messages in the UK would do so for all users.

(00:44:08):
He said, quote, our users all around the world want security. 98% of our users are outside the UK. They do not want us to lower the security of the product. We've recently been blocked in Iran, for example. We've never seen a liberal democracy do that. When a liberal democracy asks, is it okay to scan everyone's private communication for illegal content, that emboldens countries around the world that have very different definitions of illegal content to propose the same thing. After Will went on the record with WhatsApp's position, Signal's Meredith Whittaker tweeted, looking forward to working with @wcathcart and others to push back, after which Will replied on Twitter, and very important we work together, and honored to get to do so to push back. So what appears to be forming is a bit of an insurrection. And this may be where the encrypted services companies decide they need to take a stand.

(00:45:19):
Last week we saw their open letter to the UK regulators. So they all know each other and they have each other's email addresses and they're talking. That's all for the good. I wondered what Apple might do, since iOS's always-encrypted iMessage is so deeply integrated into their products. Then I considered the green bubbles. Assuming that Apple also decides to just say no to government communications monitoring, they could simply drop the use of iMessage encryption and fall back to SMS. Hmm. Whenever they're communicating inside the UK. There you go. Yeah. So it would mimic the way iOS devices currently operate when messaging outside of Apple's closed and encrypted ecosystem to Android devices. UK or Android. Both green. Yep. Yep. Exactly. And Leo, speaking of green, I, let's make a little green <laugh>. All right. We need some green right now. This is such a good subject.

(00:46:18):
I have a feeling there's gonna be mass civil disobedience. You know, I hope you're saving your crypto code, all of you, and, and, you know, coding what you need to have it, cuz I, it is just not gonna be okay. The problem is all these companies, eventually companies are gonna have to give in. If it's just the UK, maybe they can write it off. If it becomes the EU or the EU plus Australia or the EU plus Australia plus the US, you know, the seven ayes, the companies are gonna comply in the long run. They have to, in which case it's gonna be up to individuals to preserve their own privacy. Yeah. And I have, this is where my, I, my next idea comes in. We'll get to it in a minute. Coming up <laugh>. Yeah. That's exciting. You know, this actually ties right into our next sponsor.

(00:47:09):
It's kind of a perfect segue into DeleteMe. This is a service that Lisa has used. Have, if you've ever searched for your name on the internet, you know, you know that that information is out there, that information is out there, and you are, that's as an individual. If you are protecting the data inside a company's network, you might also think about your company's employees and executives too. We just had a text go out to most of our employees purporting to be from Lisa Laporte, CEO of TWiT. Now our employees are smart, but we still had to go out and tell everybody. And it was clear that whoever had sent that knew about our organization. They knew what Lisa's number was. They knew what other people's numbers were and messaging platforms were. They knew, they had a lot of information about our organization.

(00:48:10):
And this is where DeleteMe becomes very important. There is a DeleteMe for enterprise, specifically designed for the enterprise so that you can remove employee and executive personal data available on the open web. This is being weaponized. It was weaponized against us. It's one of the reasons Lisa uses DeleteMe. She's been using it for years and I think, you know, we, we're gonna have to start using it as a company too. Bad actors, they're bad out there. They're, they're gonna use anything they can get, publicly available data online, and they're gonna use it for social engineering attacks. They'll, they'll get data from data brokers. Did you know there are 580 different data brokers out there, and by the time I finish this ad, I'm sure there'll be 581. They're, they're springing up like mushrooms. The data is weaponized against executives and employees in a way security professionals may actually be overlooking at this point, which is easy

(00:49:07):
access to employee personal data online. How did this attack happen? They knew Lisa's phone number. They knew Lisa was the CEO of the company. They knew the, the hierarchy of the company, who her direct reports were. I didn't get one. That was, this is how I know that, cuz I didn't get one of these messages. They weren't going to, cuz they knew I would just go, Lisa, did you send this? And then the jig is up. They went to her direct reports hoping to catch somebody out. How did they get that information? It's out there, and vulnerable data leads to potential harm. Doxing is another problem. Brianna Wu was just swatted in Dedham this past week. How did they have her home address? It's out there. It's public information in many cases. Harassment, social engineering, ransomware attacks. Executives and board members are very often targeted and harassed online by cyber criminals, by activists, you know, disgruntled former employees.

(00:50:06):
They'll use you, you know, the executives' information. They'll use their family's information. That's really scuzzy, to get to them. Executives have a 30% higher PII exposure risk than the average employee. Yikes. Public facing employees may have their home addresses and affiliations exposed online by activists, angry hackers. Individual contributors' personal email addresses and mobile numbers are often used to socially engineer their way into enterprise systems. Hey, it's Joe in IT, you know, I, I just sent a text to your phone with the code number to make sure our, our Okta's working. Can you gimme the code just to make sure it worked? It's terrifying. DeleteMe actively monitors for and removes personally identifiable information, PII, for your employees to reduce enterprise risk. Protect yourself, protect your executives, protect your employees, reduce risk with DeleteMe's five easy steps. One, employees, executives, and board members

(00:51:08):
complete a quick signup. You obviously, you have to give DeleteMe some information so they know what to delete, right? DeleteMe then will scan, and they go, they have a deep scan. It's not just a Google search. They know all the data brokers, everybody, 580 different data brokers. They'll scan that for the exposed personal information. Then they will automatically begin opt-out and removal requests. I mean, you, some of this you could do yourself, but there's so many you couldn't keep up. They do it automatically. Automatedly. Then they will share within seven days an initial privacy report. They will do ongoing reporting, continuous privacy protection and service all year. Lisa's been using this for years. It, and I, you know, now I think we're gonna have to use it for everybody. We're gonna have to use it for everybody. Protect your, and you need to too.

(00:51:56):
Protect your employees, protect your organization by removing their personal data from online sources easily accessed by bad actors. Go to the website, joindeleteme.com/twittv, joindeleteme.com/twittv, and at least find out about this. And I can tell you from personal experience it's something you really do need to do. joindeleteme.com/twittv. Okay. Okay. Yes. Here comes my idea. Good. Steve's idea. I want to get off this, I want to get off this topic, but there's one more thing I need to share. It's just a concept and observation that I wanna plant in everyone's mind. Given WhatsApp's stance, which aligns with all of the other encryption providers, I doubt this idea will be needed. I, I truly hope that's the case. And I believe that if everyone just says no, you know, that's likely to work. I doubt that the citizens of the United Kingdom would choose to be without all of their messaging capabilities with each other and with the rest of the world, especially when having that happen would only serve to drive the creeps further underground.

(00:53:09):
But if just saying no doesn't work for some reason, we may need a fallback. One of the mixed blessings of today's technologies is that most people have no idea how they operate. And for the most part, that's good. You should not need to be a car mechanic to drive a car. That's the leverage provided by technology. But this also means that most car drivers have very little idea what's going on under the hood. If they don't need to know, then not knowing is fine. But if there's a problem, some knowledge could come in handy when it comes to making decisions. For quite a long time, third party cookies lived in obscurity. They were always there, but by design, they remained part of what was under the hood, out of sight and out of mind. And third party cookies liked it that way.

(00:54:01):
But no one who was asked whether they wanted to have third party tracking cookies said that they thought that would be a great idea. Tracking has a similar history. For years it's been going on largely unseen, often aided by those same third party cookies. And it has enabled an entire online web surveillance industry. But when Apple began requiring iOS applications to obtain explicit permission to allow the app's users to be tracked outside of the application, the result was an overwhelming and resounding cry of no thank you. And that's putting it politely. And I had my own firsthand experience with people being unhappily surprised. Leo, you used to introduce me by mentioning that I discovered the first spyware and in the process coined that term. Right. What happened was I discovered that a freeware utility I had installed on my Windows machine, as I recall it was an early version of WinZip, wasn't as free as I was led to believe. It was an ad supported application.

(00:55:08):
And so it brought along an advertising DLL from a third party company named Aureate. What I discovered was that this Aureate spyware was inventorying my machine, monitoring my actions. Yep. Monitoring my actions and usage, and then phoning home without ever obtaining any permission from me. I had no idea it was there. And to say that I was unhappy when I found something communicating behind my back without my knowledge or permission would be an understatement. So I created OptOut, the world's first spyware removal tool, a bit of freeware which successfully removed Aureate and, of several of the, of, of several other earlier forms of stealth spyware. The reason I bring this up is that the management at Aureate shared with me some of the way over the top, enraged and nearly psychotic emails they were receiving from PC users who were more than just a bit unhappy to have used OptOut to discover that their machines had also been infected.

(00:56:22):
The Aureate people said that the ad supported software packages which installed their spyware, I, I mean their adware, were supposed to explain the situation and obtain their users' consent. I asked why they didn't have their DLL present its own permission dialogue. They didn't reply. Anyway, the name Aureate had been ruined by my crusade. So the company renamed itself to Radiate and not long after ceased operations. Yeah, the whole victory, the whole con <laugh>, the whole concept of, you know, was never really viable. And after this no freeware developer wanted anything to do with them. Okay, so what does all this have to do with the UK's Online Safety Bill? What occurred to me was that if encrypted applications were going to be required by law to arrange some sort of side channel, government mandated monitoring, you know, eavesdropping and surveillance, they should make very clear to their users that that's what they are doing.

(00:57:30):
And not repeat past mistakes of doing things that people would find objectionable if they were clearly informed of what was going on. So the presence of state mandated communication surveillance should be placed front and center for every UK resident and anyone they communicate with. The top of any application that's being forced to break into its users' privacy in order to comply with the UK's Online Safety Bill should clearly display, against a red background, the message: This communication is being monitored by your government. I imagine that the presence of that notice at the top of any communicating application might provoke a reaction similar to what happened when the news of the Aureate spyware broke. Yeah. The UK government will clearly wish for the fact of this to be hidden from its citizens' view, but it should be there to serve as a constant reminder of what the country's politicians have decided is in the best interests of their citizenry.

(00:58:39):
And, you know, could you imagine, you know, you know that red, little red banner up, up at the top, this communication is being monitored by your government. You know, that'll provoke some, some change. Mm-Hmm. <affirmative>. Okay, so we got some closing the loop feedback from our listeners. TWS tweeted: Hi Steve, are you still using the ZimaBoard you mentioned many episodes ago? Would you still recommend it? With the shortages of Pis, I'm considering them. Thanks for making SpinRite and the SN podcast. In a word, yes. Yes, yes. Oh, okay. Wait, that's three words. The ZimaBoard is the best thing I've found for my own work during the development of SpinRite. It is perfect. And while I haven't taken a show of hands in the spinrite.dev newsgroup, I keep seeing people referring to their ZimaBoard in passing. So I know I'm not alone, but also for other uses, it is really a terrific little machine.

(00:59:42):
It's been around long enough that there are now a ton of YouTube how-to videos covering pretty much anything you can think of. Just go to YouTube and put in ZimaBoard, Z I M A B O A R D, and you'll see. And while working, as, as it happens, to assemble today's show this morning, I received an email from them announcing a Star Wars Day discount of 20%. Their email said, may the fourth be with you. Apparently there's a little bit of lift, and their emailing said that the sale runs for three days from tomorrow, May 3rd, through Friday the fifth, offering, again, a 20% discount. So yeah, zimaboard.com. And if I didn't already own five of them, I'd be purchasing some more. It, it was a real find. But remember, unlike the Raspberry Pi, which is ARM based, the ZimaBoard is Intel based.

(01:00:44):
That makes it incredibly useful to me. But you'll want to be sure that whatever you wanna do with it, you can do with Intel based software. And definitely check out YouTube. And ju, I just wanted to make sure, make sure that everyone knew we have a bunch of news we'll be covering after I deal with a couple of these little blurbs from, from feedback from our listeners. David Schofield. Yeah, he said, good morning Steve, SN listener since 2007, SpinRite user since my ST-225s, which of course were Seagate 20 meg. Oh, I remember those drives. Yep. I had 'em too. And he said, encouraging news about Microsoft rewriting parts of Windows in memory safe Rust. So his note is a perfect segue for me mentioning a bit of news I had encountered. David's direct message to me linked to an article in The Register.

(01:01:43):
Here's just the top of their piece. They said Microsoft is rewriting core Windows libraries in the Rust programming language, and the more memory safe code is already reaching developers. David Weston, director of OS security for Windows, well, he's gotta have an interesting job, announced the arrival of Rust in the operating system's kernel at BlueHat IL 2023 in Tel Aviv, Israel last month. He said, quote, you will actually have Windows booting with Rust in the kernel probably the next several weeks or months, which is really cool. The basic goal here, he continued, was to convert some of these internal C++ data types into their Rust equivalents. So The Register continued: Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs before the code lands in the hands of users. These kinds of bugs were at the heart of about 70% of the CVE-listed security vulnerabilities patched by the Windows maker, meaning Microsoft, in its own products since 2006.

(01:03:00):
The Rust tool chain strives to prevent code from being built and shipped that is exploitable, which in an ideal world reduces opportunities for miscreants to attack weaknesses in software. Simply put, Rust is focused on memory safety and similar protections, which cuts down on the number of bad bugs in the resulting code. Rivals like Google have already publicly declared their affinity for Rust. Amid growing industry support for memory safe programming, Microsoft's exploration of Rust has become more enthusiastic. And last September, it became an informal mandate. Microsoft Azure CTO Mark Russinovich declared that new software products should use Rust rather than C and C++. And of course, as we know, all of the evidence suggests that we're not really making any headway with simply trying to be more careful using powerful but unsafe legacy languages. Our software is growing more and more complex, and people make mistakes.

(01:04:13):
The adoption of newer languages, which prevent those mistakes from proving fatal to a system's security, looks like the only way we are ever gonna get to the point where we start removing more existing bugs than we are introducing new bugs as we go forward. So, yay to Microsoft for making this move. Frank S tweeted: Dear Steve, I have two kids and I'm very happy that they are under seven. This gives me and the market some time to find best or better practices for children using the internet. As a parent, I want my children to be safe, both physically and online. However, I don't think that we can stop existing CSAM images that are already out there. What we can and should do is try to prevent new cases and victims. I believe it is up to the parents to take better care and guide our children when growing up.

(01:05:15):
And I don't want the government spying on them. As a parent, I would like more tools to keep my children safe online. So I wanted to use Frank's note as a catalyst to thank all of our listeners who took the time to write after last week's podcast. It's clear that everyone understands that the internet is a true mixed blessing when it comes to our youth, who haven't yet obtained the life experience which would allow them to place some of the horrific crap they might encounter on the internet into its proper context. Unfortunately, bad and taboo things can be exciting, and excitement can be addictive. I was brought up short by a tweet I received, which noted that unfortunately, giving parents control and oversight over their children's communications could be harmful to the child. When the child's nature is rejected and not understood by their parents, in such situations, having private communications creates a potential sanctuary.

(01:06:26):
I think my answer to that situation, which I can certainly imagine and empathize with, is to observe that the internet didn't create such problems. It's just another part of a complex world. And I think that it's easy to make the mistake, which I would argue UK legislators are making, of assuming that all such problems can be solved by the proper application of technology. I'm certain that's not true, and I think it's possible to get ourselves tied up in knots trying to whack every mole. Well, and I sympathize with Frank and, as every parent, but I have to say the problem is not people like Frank or his kids or their access to the internet. The problem is from parents, unlike Frank, who don't care, who exploit their children. Most abuse of children comes from relatives and people they know or their parents know. Yeah. It is not from caring parents like Frank, and it is, frankly, it's not from the internet.

(01:07:25):
And I think that the, all this focus on, oh, the groomers are gonna get you in an AOL chat room, and then all of a sudden you're gonna go out and do child porn is really, I think, misdirecting it. And, and maybe it's easier for legislators to attack technology. Well, and, and it's called a straw man, right? It's a strong man. Yep. You know it, which is not to say that it can't or doesn't happen, right? But that the purpose is, is not, is not sincere. No. The real danger's inside the house when it comes to children. It's par, it's relatives and people they, they know. Yep. Protect them from those people. Frank, you're doing a great job. I don't think you have to worry about a technological solution to protect your kids. If you're just paying attention, <laugh>, that's all you need to do.

(01:08:15):
It isn't that hard. Yes. Be involved. Be involved. But that's, but the problem is not there. I mean, there are a lot of parents who aren't involved, who don't care or, worse, participate. And, and, you know, we need to, we, we need to, need to catch those people. But yeah, there are ways to do that. And, and all you're gonna do is drive these things underground. Yep. That's not gonna solve it either, because if you're motivated, you'll find a way to get it done. Yep. Anyway, I agree with you, Steve. Yep. So we've been focused upon the UK so far, but this is probably a good time to mention what you had said earlier, Leo. A new US federal bill was announced and unveiled last Wednesday, aiming to regulate access by age to social media platforms in the US. Here's a bit of CNN's coverage of this new proposal.

(01:09:07):
They said a new federal bill unveiled Wednesday would establish a national minimum age for social media use, and require tech companies to get parents' consent before creating accounts for teens, reflecting a growing trend at all levels of government to restrict how Facebook, Instagram, TikTok, and other platforms engage with young users. The proposed legislation by a bipartisan group of US senators aims to address what policymakers, mental health advocates and critics of tech platforms say is a mental health crisis fueled by social media. Under the bill, known as the Protecting Kids on Social Media Act, as PKSMA, okay, I didn't say anything, that's good, social media platforms would be barred from letting kids below the age of 13 create accounts or interact with other users, though children would still be permitted to view content without logging into an account, according to draft text of the legislation.

(01:10:09):
Tech platforms covered by the legislation would also have to obtain a parent or guardian's consent before creating new accounts for users under the age of 18. The companies would be banned from using teens' personal information to target them with content or advertising, though they could still provide limited targeted recommendations to teens by relying on other contextual cues. It's the latest step by lawmakers to develop age limitations for tech platforms after similar bills became law this year in states such as Arkansas and Utah. But the legislation could also trigger a broader debate and possible future court challenges, raising questions about the privacy and constitutional rights of young Americans. Speaking to reporters Wednesday, Hawaii Democratic Senator Brian Schatz, an architect of the federal bill, said Congress urgently needs to protect kids from social media harms. Schatz said, quote, social media companies have stumbled onto a stubborn, devastating fact.

(01:11:18):
The way to get kids to linger on the platforms and to maximize profit is to upset them, to make them outraged, to make them agitated, to make them scared, to make them vulnerable, to make them feel helpless, anxious and despondent. And I'll just note that this discovery is not unique to social media platforms appealing to children. Precisely the same observation has been made by cable news outlets about how to engage and enrage their audiences to encourage viewership. I'm not sure what gen we are on now, Leo, X, Y, or Z. I've lost track <laugh>. Me too <laugh>. But young people have grown up with the internet and hundreds of cable channels, each with their own agenda. I hope they can figure out how to handle the mess we have made of this. So, speaking of messes, and then we're gonna get to the week's news.

(01:12:20):
Simon Zerafa, a good friend of the show, tweeted Shodan's, quote: Twitter canceled our API access, which broke the ability to log in to Shodan via Twitter using single sign-on. Email us at support@shodan.io if you're currently logging in via Twitter and would like to migrate to a regular Shodan account instead of using single sign-on. Yikes. And this reminds us that aside from the well-appreciated privacy implications of using OAuth-style, you know, sign in with whatever, Facebook, Google, and so forth authentication, if that third-party authentication service should ever become unavailable for any reason, you're hosed, since the only way you are known by the site you're wishing to log into is courtesy of that other third-party entity, which may no longer exist. So yeah, another downside of the super convenient log on using somebody else. You better, you better hope those other

(01:13:35):
people stick around. I had a little tiff with Dave Winer a few months ago, cuz all of his online services, which are very cool, use Twitter OAuth. And I said, Dave, can you just do something else? He said, no, no, this is good. I wonder how he feels now. Yeah. It's, he's, he is, all the people that were using that. It's not free. Yep. Yep. Exactly. It's not free. Let's take our last break, Leo, and then we're gonna plow into the news of the week. Yeah. His defense was, it's easy. Hell yeah. Good. Uhhuh. <laugh> I'm not a fan, as you know, of third-party OAuth. Nope.

(01:14:14):
Security Now is brought to you by Drata. Is your organization, question for you, finding it difficult to collect manual evidence and achieve continuous compliance as you grow and scale? You're doing it manually. What? <laugh> I understand. You know what, this all kind of crept up on us, you know, all this compliance stuff, but it's a, it's a serious issue. You gotta do it. And maybe there's a better way. I think there is. As a leader in cloud compliance software, G2 Crowd says Drata, D-R-A-T-A, see all those little plaques down there? There you go. That's all the awards they got from G2. Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, GDPR, your HIPAA, your, and, and many other compliance frameworks. And it does it automatically, not manually, with 24-hour continuous control monitoring.

(01:15:17):
So your team can focus on doing what they do best. You know, things like scaling securely, innovating, but you get the compliance auditing done. You get it done with a suite of more than 75 integrations. Drata easily integrates through all the applications you use, whether it's AWS, Azure, GitHub, Okta, Cloudflare, and on. There's 75 of them. I'm not gonna read 'em all. Go to the website if you wanna know more. Countless security professionals from companies like Lemonade, like our favorite Notion, like BambooHR have said how crucial it has been to have Drata as a trusted partner in the compliance process. This is just one thing off your plate. Just, you know, you know it's handled. You can expand your security assurance efforts using the Drata platform, which lets you see all the controls, easily map them to compliance frameworks. So you'll have immediate and continuous insight into what's going on.

(01:16:14):
And here's a nice thing. You'll see some framework overlap, which means you could save money. Drata's automated dynamic policy templates support companies who are just getting started with compliance, using integrated security awareness training programs, automated reminders, all of which ensure smooth employee onboarding. And they're the only player in the industry to build on a private database architecture. And you want that because it means your data can never be accessed by anyone outside your organization. It keeps it safe. And Drata really is on your team. They're really, they're there to support you, which is why every customer gets a team of compliance experts. You'll get a designated customer success manager. And Drata has a team of former auditors. They've completed more than 500 audits between them, which means your Drata team can keep you on track to make sure there are no surprises, there are no showstoppers.

(01:17:10):
And they'll even do pre-audit calls with you to prepare you. So you're ready when those audits begin. It's nice to have an expert there with you. Drata's Audit Hub is the solution for faster, more efficient audits. You'll save hours of back-and-forth communication. What about this? What about that? Never misplace crucial evidence. You could share all that documentation instantly. All the interactions and data gathering can occur in Drata between you and your auditor. So you don't have to switch between different tools. Hey, wait a minute. Let me, let me look that up. Or <laugh> can I email you? You know, you don't ha, it makes it so much easier with Drata's. And by the way, auditors love it too. With Drata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them, decide whether to accept them, to transfer them, to mitigate 'em, or just avoid them entirely.

(01:17:59):
Drata maps appropriate controls to risks, which is gonna simplify your risk management. It's gonna automate the process. And Drata Trust Center is fantastic. Real-time transparency into your security and compliance posture. That's great for sales. It's great for security reviews. It'll improve your relationships with your partners, with your customers. They'll know you're doing it right. You gotta try this, right? Say goodbye to manual evidence collection, hello to automated compliance and convenience. Visit Drata, drata.com/twit. drata.com/twit. Get the demo. You can get 10% off, but you gotta go to that address so they know you saw it here. Bringing automation to compliance at Drata speed. That's D-R-A-T-A, drata.com/twit. We thank 'em so much for the job they're doing and the support they're giving to our Security Now fam. You're part of the family too, so make sure you use that address, drata.com/twit. Steve. So we've previously talked about UDP reflection attacks. Unlike TCP connections, which are inherently bidirectional and therefore require packet round trips between the endpoints to establish byte numbering and other connection parameters,

(01:19:23):
The UDP protocol is often referred to as connectionless because, although it's still possible to establish connections by mutual agreement, UDP doesn't have that baked into its protocol. This makes UDP the perfect protocol for DDoS bandwidth flooding attacks, since the sender of a UDP query can spoof the UDP packets that they're sending out, spoof its source IP, so that the recipient of a query will redirect its reply to the victim of the attack. What's then needed are publicly exposed and available UDP protocol services which will generate a large answering reply from a very small query. This is known as the UDP query amplification factor: how many times larger is the reply than the query? A not very exciting example of such a service is good old DNS. A relatively small query for a DNS record can return a significantly larger answer.

(01:20:32):
But DNS is optimized for very small size and its internal compression is really quite clever. So, as I said, DNS is not very exciting. We're revisiting this subject today because security researchers from Bitsight and Curesec have stumbled upon a way to exploit a network service that was only ever intended for internal LAN use, but for which, for some reason, about 77,000 instances are currently exposed on the public internet. The service in question is the Service Location Protocol, SLP, and by cleverly abusing it through the, through the means that these researchers discovered, and unfortunately have now published in full with all the exploit details, UDP query amplification factors as high as 2200 to one can be achieved. This makes this technique one of the largest amplification factors ever discovered on the internet. And since the service is available over UDP, it is ready-made for DDoS flooding. Because of the protocol's huge potential for DDoS attacks,

(01:21:54):
Both Cloudflare and NetScout have said that they expect the prevalence of SLP-based DDoS attacks to rise significantly in the coming weeks once threat actors learn to exploit it. The only good news is that since SLP is transported over port 427, and since it has no business being exposed on the public internet, it's, it's like it's for printers and things to, like, find each other. It's a way for a printer to, to broadcast its existence and, and, like, be found. So it only makes sense in a LAN context. It's only exposed publicly due to your typical mistakes of having ports exposed that shouldn't be. Anyway, because it has no business being out on the public internet, I would expect that many savvier carriers like Cloudflare will already be proactively blocking that port traffic at their borders. They just don't need to allow port 427 stuff to get even close to

(01:22:59):
its targeted victims. There's no reason for it, but that won't help any unprotectable targets. So DDoSers have had another arrow added to their quiver, and of course they, they don't lack for arrows, unfortunately. Google Authenticator, which was first released 13 years ago in 2010, has just been updated with an extremely useful new feature which I've had in my favored iOS OTP Auth app from the start: cloud backup. <laugh> In their announcement of this groundbreaking technology they wrote: One major piece of feedback we've heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed. Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they'd set up two-factor authentication using Authenticator. Very much like <laugh> using Twitter to log on. With this update, we're rolling out a solution to this problem, making one-time codes more durable by storing

(01:24:18):
That's what you want in your one-time code. Some durability. By storing them safely in users' Google accounts. What a concept. This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security. Talk about upselling a small feature. Anyway, that's great. Somewhat odd that it took them this long to get it, but I wanted to make sure that everyone listening who might still be using Google Authenticator, you know, I was at one point before I moved over to OTP Auth, would know of this critically useful new feature. And I would imagine you definitely want all of the, the, the private secret keys that are in Authenticator to be backed up, so that should you need them somewhere else, you can get them. When are they, you know, I'm, they don't, it's not currently end-to-end encrypted.

(01:25:13):
When are they? Goo, wait, they're gonna do that. What, what is not, Google? The Google, your, oh, no kidding. Yeah, stuff to your, so maybe that's what they added was a, some means of having a, a, a secret key. Yeah. So it syncs, but it syncs unencrypted. So Mysk, M-Y-S-K, was the group or person who discovered this, and Google has confirmed it and they said, well, we're gonna add that later. But we thought it would be just faster just to put this out right now. Because, Leo, after 13 years, we're, yeah, why not hurry? That's right. So you haven't seen anything that, yeah. So: 2FA data syncs between devices with the new Google Authenticator update could be viewed by third parties. Google says the app works as planned. Christiaan Brand of the Google group, product manager, identity and security, tweeted that this has, this is our intention.

(01:26:18):
<Laugh> because I guess E2E would be hard. I don't know. The lack of end-to-end encryption also means Google has a transparent view into what services each account owner uses as it's being transmitted. Ah, that's true. It's not client-side encrypted. Yep. So they're, they're getting that. Mysk found the app does not expose the 2FA credentials associated with the user's Google account. So that's still secure. <laugh> Okay, everybody, let me tell you about OTP Auth. <laugh> You use, tell us what the name is of the one you use. OTP Auth. OTP. Okay. Space, Auth. And the logo is just, is a simple gray padlock. Okay. Very modest logo. And it, you know, it does all of this correctly. Yeah. And, and I've been using one that's open source called 2FAS Authenticator. And the way it works is you encrypt it client-side, and then it will put it on your iCloud or your Google Drive in, in an encrypted blob, as, as an encrypted blob.

(01:27:21):
Right. Which then can download and, and, and so you can move it around. Both you and I have this problem, well, me maybe more so than you, of moving from device to device like a butterfly sampling nectar. And so I have to do this all the time. So I, for a long time, that would be a good description. Yes. Yes, ma'am. <Laugh> For a long time I used Authy, but Authy has that dis, it does encrypt, but has a disadvantage of storing it in the cloud. Their cloud. So I like this 2FAS and it is open source, which I like, so it's free. Good. Anyways, and apparently multi-platform. Yes. Two good, two good choices though. And yes, someday Google says we're gonna add end-to-end, and when they do that will be great. Yeah. Brand said on Twitter.

(01:28:02):
Twitter, the extra protection offered by end-to-end encryption was set aside to balance against, quote, the cost of enabling users to get locked out of their own data without recovery, which is always the excuse for not using encryption. Right. So in my drawer, I have all of my QR codes printed on, I, you print them out and you put 'em in a notebook, right? That's right. You still do that. Yeah. They're, they're in a safe place. You know, and if that, if it ever comes to the point where I need to set up a new authenticator, not a problem. Yeah. I just scan the QR codes once again, and we're back in business. So the other thing to look for is that on, on an authenticator that will allow you to do that, because, you know, it is nice to have, you know, hard copy backup.

(01:28:48):
I agree. Ultimately, I agree. You know, I am, I have, I have encrypted my most important, my most important accounts with two-factor authentication. And, you know, it's, it's the right thing to do. Oh, God, yes. Okay. So I suppose we should not be surprised that Israeli law enforcement is apparently using their own homegrown NSO Group spyware to spy on their own citizens. In response to reports in ASRA in Israeli media, which claimed that their police had been using a reduced-strength version of the NSO Group's Pegasus spyware known as Saifan. Saifan. I <laugh>, I guess you, yeah, you, I guess you pay less for it, Leo, if, if you use the reduced strength. You don't need the, the, what's, I mean. No, the government or the military-grade Pegasus. So, you know, you're, you're, you're just some cops. So we're gonna give you the reduced, the, the Pegasus Lite. Saifan, to target activists, business figures, reporters, and politicians.

(01:30:00):
And so perhaps to save face, the Israeli government has announced the formation, oh, we'll be so glad to hear this, Leo, of a commission, oh, wow, to probe into the use of spyware by police forces to hack the smartphones of Israeli citizens. Which made me think, isn't the definition of a commission the place where sensitive political issues go to die? <laugh> Yes. <laugh> So they actually admit that they're, they're hacking politicians' and reporters' smartphones. That's stunning. At least announce a light version. <Laugh> Yes. The announcement of the commission makes everyone happy, where, since, you know, be, and no one can say that the government isn't doing anything. Hey, there's a commission for that. <laugh> But then after a few years of inaction, it will be quietly disbanded. Yeah. In any event, if the Israeli media reports are accurate, it was interesting that Israel's own police are also getting in on the act, but the privacy of activists, business figures, reporters, and politicians is being breached.

(01:31:15):
Unbelievable. Yeah. Oh my gosh. Unfortunately, too believable. Imagine if the go, I mean, I'm sure our government does it too, but imagine if they admitted that, the uproar, you know? Ooh, yeah. The FBI's monitoring smartphones of reporters and activists. Yeah. And politicians. Yeah. Yeah. So rarely have I wanted a Russian translation of anything, but the article in Russia's Kommersant news was written in Russian, and I didn't see any easy way to translate it into English. And by the way, Leo, those char, those Russian characters, like glyphs and fonts, yeah. It's weird. They're weird looking. Yeah. <laugh> But the news is that the Russian government is working on a law to force retailers to pre-install Russian operating systems on all new PCs sold in the country instead of Windows. The first wave of feedback claims that this will lead to an increase in laptop and PC prices across Russia.

(01:32:23):
Now, despite efforts to get Russian companies and users to move to Russian operating systems, Windows market share remains the same in Russia as it was last year. You know, and it would be interesting to see what a Russian operating system looks like. I think it has to be a derivative of Linux. You know, that's the only thing that I can imagine would be feasible in this day and age. We, we talked about how you just can't start from scratch. No. And create, you know, Russki OS. That just, I don't know how you do that, you know. But, but if it's a derivative of Linux, why would it be more expensive than Windows? You know? Why would it increase the cost? Because capitalism. <laugh> <laugh> Right? So, by the way, you should watch the, the Apple TV show Tetris about the history of Tetris.

(01:33:12):
It's fascinating. Ooh, speaking of cool. Lisa, I, I think we did. Oh, watch it. Lorrie and I, oh, okay. Yeah, it was really fun. Yeah, I completely agree. Yeah, it was really neat. Okay. During the Toronto Pwn2Own hacking contest, which we covered last December, one of the successfully exploited devices was a fully patched, at the time, TP-Link router. Oh. After the exploit was created and demonstrated during the contest event, it was assigned a CVE, and the contest organizers, you know, ZDI, the Zero Day Initiative, responsibly disclosed the vulnerability to TP-Link. TP-Link found and fixed the trouble and released a patch for it this past March. And unfortunately, that patch was all the operators of the Mirai DDoS botnet needed in order to reverse engineer the change to discover the original flaw for which the patch had just been released.

(01:34:23):
They immediately then set about taking over and hijacking every TP-Link router that had not yet been updated. So we have a story where everyone did everything right. Everyone acted correctly. A problem was found, it was demonstrated, the details were kept secret, and the underlying flaw was responsibly reported to the product's publisher, who, in a somewhat timely manner, and it would have really mattered how quickly, fixed the trouble and made an update available to their devices. But despite everyone doing everything exactly right, the bulk of TP-Link routers were almost certainly never updated. And with today's internet scanner databases, discovering the locations of those routers is no longer difficult. The evidence suggests something that's obvious in retrospect: bad guys are watching every minute of hacking contests such as Pwn2Own. They're just waiting to see someone hack something where there will be a large patch gap, which exists between the eventual release of an update and those updates being installed into vulnerable gear.

(01:35:49):
And probably nowhere is the patch gap larger and more glaring than in consumer routers. When was the last time any of us checked to see whether our router had new firmware available? I just checked it last night, and sure enough, my ASUS consumer router has newer firmware available. But how would I know that? I'm not obsessively checking it every day. Don't routers auto-update nowadays? No. Yours does not. Some. Mine doesn't. Yeah. And it's, it's a feature that is, you know, making its way. But I know, I'm sure even if, if it's even enabled by default, and of course we know if it's not, it might as well not exist. Right. So, in retrospect, and perversely, it would almost have been better if TP-Link had not published a public update for their firmware. Yeah. Because the act of doing so painted a big red bullseye on every publicly exposed, vulnerable TP-Link router. And the phrase publicly exposed is redundant for a router, since that's what they are, almost by definition. Right.

(01:37:05):
Publicly exposed. Assuming that the problem was present in their current product line, TP-Link might have simply fixed it there and then, and never published and pushed out a fix for the problem. And I know this goes against everything we think and believe about fixing and updating known problems. But if patches cannot reasonably be expected to be applied, then what will happen is what just did, cuz I mean, I'm not, this is not theoretical. Mirai exploded into all the, the vulnerable TP-Link routers and owned them, and, and they were all enslaved into this Mirai botnet. And, you know, I appreciate the surrounding this, but I think that generic consumer routers all need to occasionally phone home to check for updates. Yes, yes. And be willing to take themselves offline, yes, for an autonomous update cycle. Yes, I agree. Yep. The clear prevalence of bad guys who are now waiting to receive and reverse engineer router patches, coupled with the fact that router owners don't know to patch, I think that tips the balance clearly in favor of all such consumer routers being autonomously self-updating by default.

(01:38:38):
Let the owner turn it off if they want, but ship this thing with that, with that check mark turned on. And, you know, for 99.999% of routers, that's the way it's gonna stay. They phone home and they, they know what time of day it is. They do it in the middle of the night, or, and they're also monitoring traffic. So they do it when there's like, no, like they, they find the, the, the sweet spot, the, the block of time where traffic is minimal, and that's when they go, you know, download their firmware. There are all kinds of embedded OS solutions, dead man switches and, and, and, and watchdog timers, where if a firmware upgrade were to fail, the hardware could automatically roll back to the previous firmware. So, I mean, there, there are ways to do this safely. We talked about this years ago.

(01:39:30):
Yeah. There was somebody who was, I think it, as I recall, someone you knew, Leo, who was involved in, in, you know, the IoT aspect of this and, and, and looking for a safe way to deal with automatic, with IoT devices being able, you know, being empowered to update themselves. This is a perfect classic example of, of where we really do need that. Yeah. I'm, my Ubiquiti system will auto-update. And sometimes it's a pain. You know, I would set to do it at two in the morning, but we have ceiling-mounted wifi access points. There's one in the bedroom, the light on it is turned off, but when it's updating, it blinks a bright blue. <laugh> Lisa woke me up last month saying, is there something wrong? Something's going on. What's that? I said, oh, that's just the router updating. <laugh>

(01:40:18):
It's the, that's, that's, that's very cool. But it, yeah. And that's nice. And now one of the problems with Uni, Ubiquiti stuff is some of the beta versions are notoriously awful. So I have it set for only stable releases. Yes, yes. But it does it automatically. And, and I think that's how, frankly, Stacey says, and I agree with her, don't buy home automation stuff that doesn't auto-update. Really good. In this day and age you need it. Yep. I'm glad that that's, that that's beginning to be the, the word that is spread. I, I would not have a consumer router on the public internet. All of mine are behind a pfSense firewall. So I have a separate box that is, that, that, that is in front. And actually I need that, cuz I need, I do a bunch of crazy stuff with port mapping in order to link my two sites and get around Cox's blocking of ports that are useful to have open.

(01:41:12):
So. Right. So, you know, I, and does pfSense auto-update? It must, right? No, no, it doesn't. It, it will, it will check for updates, but it won't do it by itself. Yeah. I guess that's the theory is, you know, we need to be a hundred percent uptime and, yeah. And I, yeah, exactly. And, and I think that's something we're gonna have to get over. And then of course, the other problem is what if the update fails? Right? And, and this, the router stumbles and now you're offline and you have no connectivity. Right. Well, again, there are ways to, to roll back from a failed update. Yeah. And Ubiquiti will do that automatically. So, perfect. Yeah. Perfect. Yeah, I'm very happy with this gear. It's been very good. So we have a bit of happy news from Intel. We first need to know what Intel's TDX is.

(01:41:58):
TDX stands for Trust Domain Extensions. Intel describes it as, Intel Trust Do, Trust Domain Extensions: Intel Trust Domain Extensions is introducing new architectural elements to deploy hardware-isolated virtual machines called trust domains. Intel TDX is designed to isolate VMs from the virtual machine manager slash hypervisor and any other non-TD software on the platform to protect trust domains from a broad range of software. So anyway, so it's, it's, you know, further virtual walls in order to control security. They said VM isolation with Intel TDX is a key component of Intel's confidential computing portfolio, which also includes application isolation with Intel SGX and trust verification with our upcoming service codenamed Project Amber. Confidential computing uses hardware to protect data in use from a wide variety of threats and enables organizations to achieve, to activate sensitive or regulated data that may have otherwise been locked down and idle.

(01:43:16):
So, okay. So it's, you know, more security stuff that they're building into their, into their baseline hardware. After this announcement, Intel brags that before releasing this new tech to the world, they ran it through a very useful security gauntlet. They wrote three points. First: In our first-ever pre-release activity, we also took Intel TDX through Project Circuit Breaker, part of Intel's bug bounty, where we challenged a community of elite hackers to find bugs in some of our top technologies using simulation software. The community went through two rounds of bug hunting over several months, earning bounties to help us find potential vulnerabilities so we could mitigate them. Second: We, we then took it to security experts at Google Cloud and Google Project Zero to conduct a deep security review. They looked for security weaknesses while evaluating the expected threat model for any limitations that would inform Google's decisions.

(01:44:29):
The nine-month collaboration resulted in 10 security issues and five defense-in-depth changes that were mitigated. And finally, Intel offensive researchers also spent considerable time reviewing the product. Their job is to apply an attacker mindset to evaluate security technologies. They were able to find and mitigate potential vulnerabilities like the use of memory disturbance errors. Threat modeling, penetration testing, and hackathons were all applied during the research. Okay. So the good news is that even though the authors of Intel's code were as sure as any code authors ever are that their code was correct, they nevertheless subjected it to pre-release third-party scrutiny. Naturally, Intel put a happy face on the results, saying that it had succeeded in improving the code quality. What we learned from other sources is that indeed vulnerabilities were uncovered during the security audits that could have resulted in arbitrary code execution, cryptographic weaknesses, and denials of service.

(01:45:47):
So I hope that somebody who's pulling the strings over there recognized fully how much benefit they got from this and that this becomes standard practice, cuz it is a, it's a great idea. And in what Intel wrote, they didn't say something that I did see elsewhere, which is they provided the source code, they made the source code available to Google's Project Zero guys, so they could, you know, really, you know, take a look at it and weren't being forced to reverse engineer it and just guess at what was going on. On the flip side, an academic paper was just published titled Timing the Transient Execution: A New Side-Channel Attack on Intel CPUs. And since we've entered the world of yet another side-channel information leakage from Intel CPUs, I'm not gonna spend undue time digging into this one, but in case it might wind up being important, which hopefully is unlikely, I wanted to at least share the brief description of these authors.

(01:46:55):
They were, they were a bunch of Chinese researchers, but located domestically. But you, you'll, you'll hear in, in their description that some of their word choices are a little confusing. It's, but still we can see what's going on. They wrote: The transient execution attack is a type of attack leveraging the vulnerability of modern CPU optimization technologies. New attacks surface rapidly. The side channel is a key part of transient execution attacks to leak data. In this work, we discover a vulnerability that the change of the EFLAGS register in transient execution may have a side effect on the JCC, that's jump on condition code, instruction after it in Intel CPUs. And EFLAGS is just, you know, all processors have a, have a status register, a flags register. E, as it, it stands for extended, because it used to be 16 bits long and now it's 32 bits long.

(01:48:03):
Anyway, they said, based on our discovery, we propose a new side-channel attack that leverages the timing of both transient execution and JCC instructions to deliver data. This attack encodes secret data to the change of register, which makes the execution time of context slightly slower, which can be measured by the attacker to decode data. This attack does not rely on the cache system and, and doesn't need to reset the EFLAGS register manually to its initial state before the attack, which may make it more difficult to detect or mitigate. We implemented this side channel on machines with Intel Core i7-6700, i7-7700 and i9-10980XE CPUs. In the first two processors, we combined it as the side channel of the Meltdown attack, which could achieve 100% success leaking rate. We evaluate and discuss potential defenses against the attack.

(01:49:13):
Our contributions include discovering security vulnerabilities in the implementation of JCC instructions and EFLAGS register and proposing a new side-channel attack that does not rely on the cache system. So yeah, once again, aspects of our modern processors, which were developed to improve their performance over a long period of time in common contexts and which existed for years with no one worrying, are one by one turning out to each be exploitable to leak information wherever hostile code might be sharing hardware with targeted code which contains secrets. And I'll note that these days, virtually all operating systems contain valuable data that needs to be kept secret. They've all got keys. So, but that, but that's the key, and the reason not to get too overworked about this, is it, it does require that hostile code already be present. Hmm. Certainly in our own, you know, personal workstations.

(01:50:22):
If something's in them that's evil, it's already too late. The real concern is in all of the virtualization which is going on now, where you might have multiple companies' systems sharing a common set of hardware, and it's cross-OS or cross-VM leakage that you need to be concerned about. There've never been any in-the-wild examples that we know of of these side channel exploits like Meltdown and Spectre. Nope. No. Still, that's hard to do. Yes. I mean, even Heartbleed, you know, it required that you pound on the server for a long time and, you know, maybe you got something. And remember when Heartbleed first came out, the discoverers recognized the call and called it a theoretical problem, but doubted it could ever actually happen, and then it did.

(01:51:21):
Right. So, right. Yeah. So the real problem here is that what we're seeing Intel being forced to do is they're having to back out very useful performance optimizations, right, driven by a world that doesn't want to have any known possibility of problems. Well, and the problem is mostly on shared servers, right? Yeah. Only on shared servers. So yeah, you know, it's not your home machine you have to worry about. Right, exactly. Yeah. So early last week, Daniel Stenberg posted two messages at Mastodon Social regarding some recent hysteria about curl. Daniel's feelings about curl are significant because curl is pretty much his baby. His own bio says, "I am the founder and lead developer of curl and libcurl, an internet protocol geek, an open source person and a developer. I've been programming for fun and profit since 1985.

(01:52:28):
You'll find lots of info about my various projects on these webpages and on my GitHub profile. My name appears in products." Daniel was also the 2017 winner of Sweden's prestigious Polhem Prize for his work on curl. Curl is probably the single most useful program for interacting with the internet there is. I mean, it's incredible. Yes. Yeah. Yes. So here's what Daniel posted to Mastodon. His first post said: "Do not" (DO NOT in all caps) "I repeat, do not remove curl.exe from your Windows System32 folder to silence a (stupid) security scanner. It will lead to tears and sorrows. And if you do, please don't ask me for help when you've broken your Windows install. I can't fix that." <Laugh>. And he followed up the tweet with: "Why do people remove it? Because NVD has exaggerated a curl security flaw to an inflated level, and now security scanners" (he has in quotes) "insist that the bundled curl executable has a 'high severity'" (again, in quotes) "security flaw and scaremongers people into removing it.

(01:54:04):
Wow. "And then they realize Windows Update refuses to work." Oh, interesting. And then he finishes, "Are we sure this is the best we can do?" So Windows Update uses curl, I guess. Apparently some facet of Windows Update does. Yeah. Yeah. And I didn't realize it's sitting there, a curl.exe in the System32 folder. Wow. Yeah. Well, certainly it's on all Linux distros and on all Macs. Oh, yeah, yeah, yeah. I'm a big wget user. So, you know, I always replace it with wget because it's easier, but yes. And just a little tip for wget fans: there was something I needed to download. I'm sure it was some network driver, long forgotten, for a card that a motherboard had that I needed to get on the network in order to do, you know, network-based debugging of SpinRite.

(01:55:03):
So wherever it was, I think it was on IBM, actually on ibm.com, there was an archive. When I clicked on it, no luck. It was FTP, and then I remembered, yes, wget does FTP. Yeah. Yeah. So curl supports every possible... You could do POSTs and GETs and everything with curl. That's awesome. Yeah. And finally, AI comes to VirusTotal. During last week's annual RSA security conference, Google announced VirusTotal Code Insight. Code Insight is a new feature for VirusTotal that uses AI and machine learning to generate simple natural language summaries from submitted malware and source code samples. Google says that at present, the new functionality is deployed to analyze PowerShell files submitted to VirusTotal. The company says it plans to expand the service with additional file formats in the future. So I think this is potentially very cool and useful.

(01:56:11):
However, increasingly real-world evidence is suggesting that AI, at least in the form of our well-known ChatGPT, always sounds absolutely convincing and authoritative while being completely wrong with its facts. So at least in this early stage, anything and everything that's produced should be regarded with skepticism and carefully vetted and verified. By all means, you know, see what the AI has to say, but then go do your homework. You know, use that as a starting-off point and verify it yourself. On the other hand, since this is a Google effort and they know their technology, it would be truly cool to have something where you could upload to this and it would provide an automated analysis of whatever malware you provided. So I hope that this gets better and continues to grow in the future. Sounds like a good idea.

(01:57:11):
Yay. And Leo, well, well, well, here we are. That's our show. Once again, at the very end, sadness rules the land. And remember, I think it was on Windows 95, there was that really bizarre comment that would come up. Maybe it was the paperclip, and it said, "Never run with scissors." <laugh> No, I don't remember that. Oh, yeah. It was like, that sounds like Clippy. It was like Clippy, always looking out for you. Yeah, I just wanted to tell anyone: never be in a hurry when you're shaving. Me, oh my gosh. It's like Jack the Ripper hit you. Because, yeah, well, it looks worse than it is, you know, just a paper cut, just a flesh wound. I'll be fine. <Laugh> You used to be an adventurer, then you took a razor to the chin. Oh, and it's all over.

(01:57:59):
I haven't cut myself for a long time, but it was, yeah. Steve, always a thrill, always a pleasure. It's great to see you. I'm glad you've got your power back at your headquarters, your world headquarters, or is it both locations? So I will be retiring this emergency... we call this, what was it on the Enterprise? It was the auxiliary bridge. Auxiliary bridge shutting down for the week. Now let me tell you how you can get a copy of this show, or you can tell your friends. You already know, because you're listening to this, you must have already gotten it. But for future reference, Steve's got copies of the show at his website, GRC.com, including the unique 16 kilobit audio version, the handcrafted transcripts, and of course the 64 kilobit audio and the show notes, all of that at GRC.com.

(01:58:53):
While you're there, pick up a copy of Steve's bread and butter, SpinRite, the world's finest mass storage maintenance and recovery utility. New version coming. You'll get it automatically if you buy right now, automatic free upgrade, GRC.com. You can leave Steve some feedback there at GRC.com/feedback. You're still on the tweets, you're still doing the Twitter? Yeah. Come on. Hasn't gone. I think I had 64,000 followers and I'm at 63 and a half. I was curious. How's your blue check doing? You still have that, or disappeared? Disappeared. It went away last week when everybody else's did. And I'm not paying that. Who cares? If you go to @SGgrc, take my word for it, that's the guy. His DMs are open. You can ask questions, make suggestions, submit content for the show there, including our picture of the week. <laugh>

(01:59:43):
We have a copy of the show, of course, at our website, audio and video, at twit.tv/sn. When you're there, you'll see a link to the YouTube channel dedicated to Security Now. Great way to share little video clips. And of course a variety of different podcast clients and an RSS feed, so you can subscribe in your favorite podcast client and get it automatically the minute it's available. If you wanted to watch us do it live, you can. We record the show Tuesdays, round about right after MacBreak Weekly, which can vary, 1:30 to 2:00 PM Pacific, let's say about 5:00 PM Eastern Time, 2100 UTC. The live video and audio streams are at live.twit.tv. You can also, if you're watching live, chat in our open-to-all chat room, irc.twit.tv. Club TWiT members, you get special access in our Discord. And if you're not a Club TWiT member, for seven bucks you could be one, less than a blue check, and you get ad-free versions of all the shows and a lot more, twit.tv/clubtwit. We will be back here next Tuesday. Steve, I hope you have a wonderful week. We'll see you next time on Security Now. Will do. You too, my friend. Talk to you then. Bye.

Scott Wilkinson (02:00:55):
Hey there, Scott Wilkinson here. In case you hadn't heard, Home Theater Geeks is back. Each week I bring you the latest audio/video news, tips and tricks to get the most out of your AV system, product reviews and more. You can enjoy Home Theater Geeks only if you're a member of Club TWiT, which costs seven bucks a month. Or you can subscribe to Home Theater Geeks by itself for only $2.99 a month. I hope you'll join me for a weekly dose of Home Theater Geeks.
