Security Now 1002 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is here. He's in love with these Chinese cranes that they use at container ports, but he says there's a problem. Apparently there's a Chinese back door. Oh no. We'll also talk about the nearest neighbor attack and a warning about a new feature of Microsoft Windows they call connected experiences. Steve says it's a recipe for disaster. All of that and more coming up next on Security Now.
00:33 - TWiT.tv
Podcasts you love. From people you trust. This is TWiT.
00:36 - Leo Laporte (Host)
This is Security Now with Steve Gibson, episode 1002, recorded Tuesday, November 26th, 2024: Disconnected Experiences. It's time for Security Now, the show where we talk about your security, your privacy, how the internet works, how computers work, a little bit of sci-fi thrown in, maybe some vitamin D, and it's all because of this guy, the man in charge, our very own Steve Gibson. Hi, Steve. Hey, Leo.
01:11 - Steve Gibson (Host)
You know, when you're saying Security Now, you're leaning back. I have to. It's kind of nice, like that's right. A little Doppler shift effect there.
01:21 - Leo Laporte (Host)
I learned that from Adele. It's so funny because I realize we'd had a photo meetup in New York City, um, a couple months ago, September, and I would look back at the pictures and there were a bunch of people doing the live long and prosper sign, and I realized that has become not just the Security Now thing, but everybody. Now it's our TWiT hand sign. That's very cool. Thanks to you, that's good. What's going on?
01:49
Not everybody could do it. No, I know, I know. Didn't they have to tape, uh, Leonard Nimoy's fingers because he in fact could not do it? Interesting. And they had... I believe there's an anecdote of how did they, when they first... He was the guy who came up with it, but he couldn't do it.
02:06 - Steve Gibson (Host)
Maybe that, maybe it was somebody else who couldn't do it, but I, but, uh, yeah, anyway, I'll go find that anecdote. We want, as I was saying to you before we began recording, every time I look at these four-digit episode numbers I'm thinking, whoa, what? I mean, that really does seem like an accomplishment. It is. Yeah, you should be very proud. Yeah, uh, well, we're at 102, 102, 1002. See, there's the problem right there. Yeah, his brain can only do three digits. We're at 1002 and the software didn't collapse.
02:41
I did spend some time updating GRC systems so that it also would not freak out when four digits were presented to it, and that experience was smooth. Emailing continues to go well. 13,219 subscribers received the show notes, the picture of the week, various links and things yesterday evening, so that's turned out great, and we're going to have lots of feedback, because there was also lots of news.
03:12
But my discussion of what I titled Disconnected Experiences wasn't half of the podcast, as some of our main topics have been in the past. I have something like 3,800 pieces of feedback from our listeners, so I have plenty to choose from. I feel a little bit badly that I'm getting so much feedback that I can't even begin to put a dent in it, but thank you, everybody, for sending me your thoughts, and, as I said, the quality of the feedback has a very different flavor since we were able to switch to email and people didn't have to try to squeeze something into 280 characters, so big benefit. We're going to talk about, at the end of this, something that Microsoft calls their connected experience, which is an interesting turn of phrase. We'll understand what it is, why they sort of slipped it in under the covers and why it may not be what everyone wants and, if so, how you can turn it off, thus disconnecting your experience from Microsoft. And it's not what it sounds like either, because, I mean, it's not at all that. But we're first going to talk about something known, actually, and this was probably the most sent-to-me topic for the show, and it happens that it's what I had chosen myself already by the time I saw that: the nearest neighbor attack. And wow, it just sort of goes to show you how clever bad guys can be, whether we like it or not.
04:48
We also have Let's Encrypt just turning 10. We're going to take a little bit of a retrospective look at the changes that it has wrought. Also, now the Coast Guard is worried about Chinese-built ship-to-shore cranes. Turns out 80% of the big cranes that we use for offloading containers are made by China, and what could possibly go wrong there? Also, Pakistan becomes the first country to block Bluesky. I'm going to talk about that. There's also a new way to get git repos swatted and removed from their repositories. I know, again, it's just incredible how clever bad guys can be.
05:38
Who's to blame for Palo Alto Networks' serious new zero-day vulnerabilities? And if you have any of six specific older D-Link VPN routers, the advice would be to unplug them immediately. We'll see why. Turns out that, speaking of VPNs, they are against Sharia law, so says some legislators in Pakistan. So we'll touch on that. Also, we have the return of Windows Recall. What are we learning from that, and how many of today's systems remain vulnerable to last year's most popular exploits? So, after sharing, then, a bunch of feedback from our listeners, we're going to talk about disconnecting your experiences from Microsoft. So, I think, another interesting podcast for our pre-Thanksgiving listeners.
06:31 - Leo Laporte (Host)
Yeah, Shatner, according to Patrick Delahanty, was unable to do the salute, so he would have to push his fingers in position and then he would hold it up, or he would hold it up behind. And did he actually do it often?
06:48 - Steve Gibson (Host)
Obviously, Spock was the original. What was that?
06:51 - Leo Laporte (Host)
It was a Vulcan hand sign. It was a Jewish hand sign that Leonard Nimoy had seen in his childhood. Uh, that meant roughly... it was a Jewish benediction, and it wasn't in the script, uh. But Nimoy thought, well, you know. And he asked the director, is it okay if I do this? Uh, and the director said, yeah, that'll work real well, and it became, of course, a trademark. Um, Shatner joked that it took years of diligent practice and self-denial for him to be (he was on Conan) able to do it, because he could not, could not do the live long and prosper, and there are people who can't, uh.
07:29 - Steve Gibson (Host)
The best man, uh, at my wedding was unable to do it. Wait a minute, you had this at your wedding? Of course.
07:38 - Leo Laporte (Host)
At what point did you live long and prosper? Was this instead of kissing the bride? What?
07:44 - Steve Gibson (Host)
Gary got up for the best man's toast and, you know, was holding the microphone. I said, yeah, now Gibson made me promise that I would not do anything to embarrass him. Oh. So I'm just going to say... and then he held his hand up and said, live long. That's beautiful. But he had two orthodontic brace bands around his fingers, because he also was unable to do that.
08:13 - Leo Laporte (Host)
I can't do it with my left hand. I can only do it with the right hand.
08:15 - Steve Gibson (Host)
Without some assistance.
08:16 - Leo Laporte (Host)
Yeah, well, you'd expect that you didn't like the sound effects, but I will play one more. Live long and prosper and continue on now.
08:23 - Steve Gibson (Host)
Yes, with the show. I thanked Gary for keeping his toast quite quick and to the point.
08:28 - Leo Laporte (Host)
That's a perfect toast. That says it all. Yes, yes. All right, we're going to get to the picture of the week in just a moment, but first a word from our first sponsor, Mr. Gibson. Uh, today it's Experts Exchange. You listen to this show because you've got a real live expert who talks about the things you care about the most on the show. Well, imagine having that kind of expertise available to you anytime, day or night. That's what Experts Exchange has been doing for, I think, it's almost 20 years now. I know I started using them early on when I needed an answer and I couldn't find it anywhere else. Experts Exchange is a network of trustworthy and talented tech professionals. You can go to them to get industry insights, to get advice, and it's not just advice from some stranger on the street, it's from somebody who's actually using the products in your stack. That sure beats paying for expensive enterprise-level tech support. As the tech community for people tired of the AI sellout, Experts Exchange is ready to help carry the fight for the future of human intelligence. Now you might say, well, there's got to be a future, but remember, AI is starting to creep into all of these intelligence things, these question and answer sites. Worse, it's using the answers humans give on these sites, scraping them and then adding it to their own LLMs' body of knowledge. Not at Experts Exchange.
09:56
Experts Exchange is about human intelligence. Experts Exchange gives you access to professionals in over 400 different fields. We're talking coding, Microsoft Azure, AWS, DevOps and more, and, unlike some of these other places, there's no snark. Duplicate questions are encouraged. There are no dumb questions. You don't get the snarky "oh well, I wouldn't do it that way" kind of an answer. You get real help because the contributors are serious tech enthusiasts who love graciously answering all questions. In fact, I would go even a step further to say these are experts who believe that the best thing that can happen, the best way to celebrate your expertise, is to graciously share it with others, to help other people, to pay it forward. That's what Experts Exchange is all about. So let's talk a little bit about it. One member said, I've never had ChatGPT stop and ask me a question before, but that happens on EE all the time. It's a dialogue, it's a conversation.
10:59
Experts Exchange is proudly committed to fostering a community where human collaboration is fundamental. Their experts directory is full of experts to help you find what you need. One of them's listening right now: Rodney. Hello, Rodney Barnhart. He's a VMware expert and a Security Now fan. There are people like Edward Von Biljon. Maybe you've seen Edward's YouTube videos. He's a Microsoft MVP and an ethical hacker who really knows his stuff. He's on Experts Exchange, plus Cisco design professionals, executive IT directors.
11:29
Yes, you can get management questions answered and a lot more. But here's the most important thing. Other platforms betray their contributors by selling the content on the platform to train AI models. LinkedIn does it, they just announced that. Reddit does it. So many sites do it. But you know what? At Experts Exchange, your privacy is not for sale. They stand against the betrayals of contributors worldwide and they have never and will never sell your data, your content, your likeness. They block and strictly prohibit AI companies from scraping content from their sites to train their LLMs, and the moderators on Experts Exchange strictly forbid the direct use of LLM content in their threads.
12:10
Really, it's humans talking to humans, and that's the best kind of expertise, the best kind of conversation. Experts deserve a place where they can confidently share their knowledge without worrying about some company stealing it to increase shareholder value. Humanity deserves a safe haven from AI and you. You deserve answers, real answers, useful answers to your questions. Now they are so confident you're going to appreciate Experts Exchange and love it and get value out of it.
12:40
They're offering you 90 days free, no credit card required, just three months free to try it out. So, at the very least, I want you to go to e-e.com/twit and sign up. You don't have to give them a credit card. Try it for three months. If you don't get anything out of it, no harm, no foul. But I have a feeling you're going to really appreciate the community that Experts Exchange has built. Really amazing. e-e.com/twit, the tech Q&A for people tired of the AI sellout. Real humans with real answers to real questions. Thank you, Experts Exchange, for supporting this real human, Steve Gibson, in his never-ending quest to make the world a safer place. All right, I have the picture of the week. Shall I look at it?
13:27 - Steve Gibson (Host)
Yeah. All right, I'm going to scroll up here. I gave this the caption "What's wrong with this picture?" Oh, I love it. I do. Okay, so for those who aren't seeing it, we have the entry to a facility where there's a big staircase, sort of front and center in the middle, and, you can imagine, the parking lot is on a lower level. So these stairs are leading up to the entrance to this facility, and to make things easier for the people who wish to come and go, at the extremes, the far left and the far right of the staircase, are escalators, one an up escalator and the other the down escalator, which would all be fine. But the sort of non sequitur of this whole thing is that the facility is 24 Hour Fitness, and nobody's on the stairs and the people are taking the escalators. No, no, I have to go to the StairMaster, I can't just climb stairs. And of course, the show notes went out yesterday evening, and so I've already had feedback saying, how do you know they're not going up the down escalator?
14:46
Which is actually giving them extra exercise, rather than if the stairs were fixed, and there is that. Or what about people who are there for physical therapy, you know, PT, and so they're not able to climb the stairs? They need to be gentle? I thought, well, yes, of course, thank you very much, we have to be accessible to those alternative possibilities. Anyway, I think we showed this once before. I know I've seen it before, and I always get a kick out of just sort of the, like, okay, we're going to 24 Hour Fitness, but we're not ready to start working out just yet. We're going to take the escalator up rather than taking the stairs.
15:25 - Leo Laporte (Host)
Well, that's the equivalent of searching for the closest parking space. Too right, why walk?
15:29 - Steve Gibson (Host)
Yes, in fact, yes. Somebody else also wrote to me using exactly that analogy. How many times, in fact, at his gym, he's seen people circling, waiting to get a close parking place, rather than walking from...
15:44 - Leo Laporte (Host)
There's exercise and then there's just work, you know.
15:49 - Steve Gibson (Host)
OK, so wow. Last Friday, on the 22nd, the security firm Volexity published the details of a somewhat astonishing and successful attack, being several years old, predating Russia's invasion of Ukraine. This story is not about a threat any of us will ever face, at least almost certainly not, but I wanted to share it since it presents a perfect example of my porosity theory of security, where the security of today's systems is best viewed as being porous to varying degrees. I like this model of a porous system, which I think fits best because, while the amount of effort an attacker may need to exert to obtain access to any specific system may vary, most systems, and look at systems in the broadest sense, most systems can ultimately be breached by a sufficiently motivated and determined attacker. Okay, now, that might mean, you know, arranging to install a subverted employee into the organization, right, playing the long game. Or it might mean, you know, subjecting employees to phishing attacks of increasing complexity until you finally make it happen. The point is, our systems are not infinitely secure. They're, you know, kind of secure, where it kind of varies. So, the astonishing attack which they're now able to talk about. They wrote: in early February of 2022, notably just ahead of the Russian invasion of Ukraine, and that ends up being significant.
17:59
As we'll see, Volexity made a discovery that led to one of the most fascinating and complex incident investigations we'd ever worked. We'll refer to them as Organization A, because they're still going to be anonymous, even today. It indicated a threat actor had compromised a server on that customer's network due to a very motivated and skilled advanced persistent threat, you know, APT actor, who was using a novel attack vector Volexity had not previously encountered. At the end of the investigation, Volexity would tie the breach to a Russian threat actor it tracks as GruesomeLarch, publicly known by many names. One is best known, I like APT28. There's also Forest Blizzard, Sofacy, Fancy Bear, among other names. In other words, the Russians. GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on, and projects actively involving, Ukraine.
19:34
Okay, so what did Volexity's investigation uncover? Strange as it might at first seem, despite being thousands of miles away in Russia, this well-known APT28 group of Russian state-sponsored actors breached an unnamed US company, this Organization A, by gaining access through its enterprise Wi-Fi network. But wait, we're thousands of miles away in Russia. How's that possible? If I told you that the attack had been dubbed the nearest neighbor attack, you'd start to get the idea. That's right.
20:17
APT28 pivoted to their ultimate target after first compromising an organization in a nearby building that was in Wi-Fi range of their target. APT28 has this level of expertise. They're part of Russia's Military Unit 26165 in the General Staff Main Intelligence Directorate, the GRU, and they're known to have been conducting offensive cyber operations dating as far back as 2004. So for the past 20 years. APT28 initially obtained the credentials to the target's enterprise Wi-Fi network through password spraying attacks targeting a victim's public-facing service, but the presence of multi-factor authentication prevented the use of those credentials over the public web, so they couldn't use the web, although connecting through the enterprise Wi-Fi did not require multi-factor authentication. As Volexity phrased it, quote, being thousands of miles away and an ocean apart from the victim presented a problem. So the hackers got creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network. The idea was to compromise another organization and search its network for a wired, accessible device containing a wireless adapter, so a dual-homed, both wired and wireless. Such a device, whether it be a laptop, a router or an access point, would theoretically allow the hackers to use its wireless adapter to connect to the target's.
22:13
Organization A's, the targeted organization's, enterprise Wi-Fi. Volexity wrote this. They said Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an internet-facing service. However, it was not clear where the attacker was physically that allowed them to connect to the enterprise Wi-Fi to begin with. Further analysis of data available from Organization A's wireless controller showed which specific wireless access points the attacker was connecting to. After overlaying them on a map, a physical map that had a layout of the building and specific floors, Volexity could see the attacker was connecting to the same three wireless access points that were in a conference room at the far end of the building, near windows along the street. This gave Volexity the first evidence that, as they put it, quote, the call was not coming from inside the building, unquote. Could this be an attacker conducting a close access operation from the street outside? Nothing was ruled out, but Volexity was not too far off from discovering the real answer.
23:42
What they discovered was that APT28 had compromised multiple organizations as part of this attack. They daisy-chained their connection using valid access credentials to a device containing a Wi-Fi radio that was able to connect to those three access points near the windows of the victim's conference room. Then, using a remote desktop connection, you know, RDP, from an unprivileged account, the threat actor was able to move laterally within the target network to search for systems of interest and to exfiltrate the data which had been their target all along. The attackers generally used living off the land techniques, as they're now referred to, which rely mostly on already present native Windows tools in order to minimize their footprint and thus reduce the chance of being detected. And one of the things that's happened in Windows through the years is the number of already present built-in utilities, you know, things you just don't even realize are there, have really expanded. So for attackers who have full knowledge of just how much available utility is in Windows for them to repurpose, there's a lot they're able to use, even with all their research.
25:21
Volexity was working from forensic data and was unable to trace the attacks back to the original attackers. Attribution at that point was still impossible, but a Microsoft report just this last April provided them with the missing clues. Volexity saw clear overlap in indicators of compromise, as we call them, IOCs, that clearly matched and pointed to the Russian advanced persistent threat group. Based on details in Microsoft's report, it's very likely that APT28 was able to escalate privileges before running critical payloads by exploiting a zero-day vulnerability back in 2022, CVE-2022-38028, that existed in the Windows Print Spooler service (remember we talked about that a lot a couple of years ago) within the victim's network.
26:25
So our unsettling takeaway from this is that close access operations, as they're known, that typically require proximity to the target, such as from an adjacent parking lot, which is sometimes used, can also be conducted from great distances by compromising something nearby. You know, that makes an otherwise impossible attack possible and has the benefit of eliminating all the risk to the attacker of being physically identified and caught on sight. Nobody can get them.
27:06
The other and this is the most significant takeaway, I think, for our listeners is that everything should be logged.
27:22
The mantra should be log everything. It's crucial to appreciate that it is inherently impossible to know which logs will be needed after the fact, and nothing brings an investigation to a grinding halt more quickly than running up against the "oh, we don't have logs of that." Today's storage is so inexpensive that it's no longer a factor. Logs don't take up much space. They contain so much redundant information and formatting, which is repetitive, that they compress down to nothing, and they serve as a form of time machine that later allows forensics investigators to venture far back into the past to view what happened when and to retrace the previously unseen footsteps of unknown network users. And logs are not only useful for tracking Russians. Large corporations cannot be certain about the changing motivations and loyalties of their own employees. Being logged is a bit like planting a sign on the front lawn to let would-be burglars know that the premises are being monitored by such and such a company. It could be an ounce of prevention.
28:52 - Leo Laporte (Host)
It reminds me of the warning that I always get when I do a sudo and mistype the administrator password, or give the wrong name, and then it says, you're not allowed to do this. Your presence will be logged. Back in the day, they knew this stuff.
29:11
You know, the other lesson, though, is also important, which is that we are not operating on our own, that we are in a community and our security impacts other people's security. Right, that this is not just our machine that we're securing or not securing. We could be a vulnerability happening to our neighbor.
29:32 - Steve Gibson (Host)
Yeah, Well, and in fact oftentimes now you go and look at the available Wi-Fi access points within range.
29:42 - Leo Laporte (Host)
Oh man, it's astonishing. It is, really. Yes, we're living in a community and, uh, yeah, we all have a responsibility.
29:51 - Steve Gibson (Host)
So it is the case that one Wi-Fi network is able to see another one, and if the hackers are good, they can get near you and then use that Wi-Fi link to jump across the air gap. So wow, the world we live in today. Okay, Let's Encrypt has turned 10, Leo, and you and I have been here the entire time watching it happen.
30:20
You did a show when it first came out, right? Oh yeah. Last Tuesday was the 10th anniversary of Let's Encrypt, and its statistics page shows that its certificates are now being used to encrypt the connections of, get this, 500 million domains. Half a billion domains, wow. And the rate of certificate issuance. I have that chart and the rate of certificate issuance both in the show notes for anyone who is interested. The rate of certificate issuance tells a story. This shows that the number of certificates issued per day has now touched 6 million. Now, that's, of course, because these certificates are short-lived, right? They're 90 days. So that's one of the things that Let's Encrypt has been able to do, is to reduce certificate life by automating the process.
31:21
20 years ago, when we began this podcast, most websites used unencrypted and unauthenticated HTTP. Those sites which needed to obtain private and confidential information from their users, even if it was only their username and password to log in, would typically switch to an HTTPS connection only during the transmission of that information and then would switch back. We later learned the problem with that, because during that secure negotiation of username and password, the browser would be given a cookie, but then, when the browser switched back to HTTP, non-secured, non-encrypted connections, that cookie would be transmitted in the clear, which we had a lot of fun with under the name Firesheep, which was a means of very easily capturing that credential from an unsecured Wi-Fi network and immediately impersonating a logged-in user. The good news is, those days are gone. But as the world began to grow ever more dependent upon the internet for everything, it became clear that this original trust-by-default model was not going to take us where we needed to go in the future. The industry needed a future where the privacy provided by encryption could be available to everyone, not just those who were willing to pay to purchase a certificate. Because the trouble was that encryption required certificates, and certificate authorities had made a lucrative business out of verifying the identity of website owners and signing their certificates, which attested to that verification having been performed. And since performing this verification did require significant work, certificates carrying those attestations were not free. The ISRG, the Internet Security Research Group, was formed to solve this problem. Two engineers from Mozilla, a guy from the EFF and one from the University of Michigan incorporated the ISRG and set about solving the problem.
The group decided that the inherently expensive and scaling-resistant verification of domain ownership could simply be bypassed in favor of reducing the test to anonymous domain control, and if that was done, web and DNS servers would be able to verify the domains they were serving and the entire process of certificate issuance and maintenance could be automated. Thus the ACME (Automated Certificate Management Environment) protocol was born, and today, half a billion domains later, by any measure, this has been a huge success.
34:47
Thanks to Let's Encrypt, any website that wishes can now have every connection encrypted for privacy for free. Have Let's Encrypt's free certificates been abused? Of course they have. That's what happens on the internet when anything is free. Look at email spam and today's social media. You know, it's an abuse frenzy. Both are an utter catastrophe because both are free. But this was not the problem Let's Encrypt was trying to solve or prevent. Their clearly stated goal was to offer equal opportunity privacy through encryption for all. Bad guys and phishing sites were every bit as welcome to have Let's Encrypt certificates as anyone else. At least the communications of the people they were scamming would now also be private and encrypted, and that really was all that the ISRG intended to provide. So, 10 years, and thanks to these guys, as we've seen, we had a pie chart, remember, a couple of months ago, that showed that they'd just taken over. Yeah, why not?
36:10 - Leo Laporte (Host)
Everybody uses them. We did just... Patrick Delahanty has sent me the link. This is our episode almost exactly 10 years ago, November 25th, 2014, where you introduced Let's Encrypt to the world, Security Now 483. And Grayson Petty, who is very sharp-eyed, pointed out that you had, at the time, three PDPs. Still do? What happened to the other one?
36:36 - Steve Gibson (Host)
Maybe I moved them up.
36:37 - Leo Laporte (Host)
There is one. Oh, the angle of the shot changed. That's all, Grayson. It's nothing. No, no PDPs have died in the making of this program.
36:49 - Steve Gibson (Host)
Okay, Leo, let's take a break. Then we're going to talk about, oh, the latest concern of stuff coming from China, and a little bit of a sticky wicket in this case. And oh, Leo, I want one of these cranes. Oh, wait till you see, I have a picture. You do.
37:05 - Leo Laporte (Host)
What would you do with a crane, Steve?
37:07 - Steve Gibson (Host)
Oh, wait till you see. You just have to have one.
37:12 - Leo Laporte (Host)
You take your... offload your hard drives or something, I don't know. Well, if you lived in a container, you could use the crane to move your house around every once in a while. That's true. Yeah, there you go, that would work. Well, right, we'll come right back.
37:25
I want to find out about these hackable cranes, but first a word from our sponsor, Bitwarden. And if you listen to this show, you know. You know without any question in your mind that you need to have a password manager. Unfortunately, there are lots of places that don't know that. Maybe your business does not yet have a password manager, maybe your friends and family. In fact, this would be a great thing to talk about around the turkey on Thursday. Bitwarden, the only password manager I recommend and trust because it's open source. It is also trusted by thousands of businesses. Yes, they have a business plan.
38:10
Of course, what Bitwarden does, you know perfectly well, is generate and autofill strong, unique logins. You don't have to remember them, so you don't have to make them easy to remember, and that means they're harder to crack. Bitwarden takes care of all of that. But the important word in there is autofill, and I think we don't maybe emphasize this enough. If you're using the Bitwarden extension and you go to a site and you fill in the password, Bitwarden's protecting you in more ways than you might know. For instance, it will not autofill that password on a spoofed site. If you go to tvvitter.com, it's not going to fill in your twitter.com password, right? Actually, that made a problem for me when it changed its name to x.com. I had to change my password to x.com. But that is a great thing. It means autofill only works on the legitimate sites, and autofill is not just for passwords, it's also for credit cards, for identities, it's even for passkeys, and that is really nice to have that in the inline autofill menu. So you don't leave the page, and it will also protect you if it's not the page you think it is.
39:20
Bitwarden is really great for business. It works with all the tools you already use. They continue to expand their integration ecosystem across key platforms to support seamless operations and elevated security. They just, this is so cool, they just integrated with Microsoft's Intune. You know that Intune is their, you know, service to keep your Windows machine safe. Now with Bitwarden Intune, it enhances device security and user identity management. It enables secure Bitwarden app deployment on any Intune-managed endpoint. That's great for the IT department, including desktops and mobile devices. The HR tool Rippling simplifies employee onboarding and offboarding by integrating with Bitwarden, which means the IT team can assign or revoke access as employees join or leave. It's built in.
40:14
Here's another one: Vanta, longtime sponsor here. Vanta combines Vanta compliance audit and reporting with secure password management, which helps your organization meet SOC 2 and ISO 27001 and other standards. Rapid7 ensures improved threat detection and response by, oh, this is so clever, correlating credential usage with security events. You were talking about logging earlier, Steve. Automatic logging. Right, that lets you know, hey, you had a security event, and look who was logged in where. This really helps you strengthen your proactive monitoring and your intelligence for enterprise security teams, and it's automatic. But those are just a few of the many, many integrations Bitwarden can do in your business. These integrations increase flexibility to centralize security management across existing technology stacks and employee devices, and it helps you maintain control over sensitive information. I think it's really.
41:09
We talk about Bitwarden a lot as being a great tool for individuals and it is free forever for individuals, which is great. It's open source. But it's really important to remember that Bitwarden has a great enterprise story as well. Bitwarden users can seamlessly connect tools for IT management, for compliance, for security, which helps you improve and standardize the deployment of enterprise credential management throughout your organization. It's not just saying to your employees here this is our password manager, use it. It's so much more than that. Your business deserves a cost-effective solution that can dramatically improve its chances of staying safe online, and that's Bitwarden. It's easy to set it up. They support importing for most password management solutions, so it should just take a few minutes. And, of course, I emphasize this. I think it's so important. Any crypto tool should be open source so that you or an expert can verify. There are no back doors. It does what it says it does. It's using good, strong encryption, it's not using out-of-date technologies and all of that.
42:08
Bitwarden is open source. As we talked about last week, or maybe it was two weeks ago, it's GPL. It's true open source. It can be inspected by anyone. It's right there on GitHub, and they regularly get audited by third-party experts. But, even more importantly, they publish the results of those audits without fear or favor. They guarantee they're going to put them online, so you know you're always using a password manager you can trust.
42:35
I can go on and on. I'm a big fan. As you can tell, I may be a little bit of a Bitwarden nerd. Get started today with Bitwarden's free trial of a Teams or Enterprise plan.
42:43
And if you're an individual, or you're sitting across the table at Thanksgiving with a member of your family who says, oh no, I don't worry about passwords, I just use my kitty cat's name and my birthday and my mother's maiden name and I'm so clever about how I smush those together, no one will ever guess that, you need to tell them about Bitwarden. And if they say, well, I don't want to pay for a password manager, you tell them Bitwarden is free for individuals forever. bitwarden.com/twit. Now I happen to pay $10 a year, $10 a year, for the premium plan because I want to support them, but you don't have to. And if Uncle Joe says I don't want to pay for it, you tell him, hey, don't worry, Joe, it's free. And Leo says it's the best. bitwarden.com/twit. We thank them so much for supporting the fine work Steve does to protect you and Uncle Joe on Security Now. Steve, okay.
43:39 - Steve Gibson (Host)
So last Wednesday's report in GovInfoSecurity was titled "Coast Guard Warns of Continued Risks in Chinese Port Cranes." Oh boy, this becomes an issue, actually, when it's accompanied by the news. Get this, Leo: 80% of all heavy-lift gantry cranes used to load and unload container ships at American ports were manufactured by a single company, ZPMC, a state-owned company in China. 80% of these cranes. And I know why. Oh my God, they are just the most lovely things you've ever seen. They're good.
44:24 - Leo Laporte (Host)
This is the problem.
44:26 - Steve Gibson (Host)
They're the best in the business, right, like the DJI drones, which are the best drones there are. Right, right, yes. So okay, the report explains that the US Coast Guard is warning that Chinese-made, as they're called, ship-to-shore (STS) cranes come with, and this is unspecified, but that said, with quote built-in vulnerabilities like back doors. Well, yeah, okay, enabling remote access and control. Consequently, the Coast Guard has begun urging operators across the country to adopt enhanced security protocols. Okay, are these the cranes you're talking about? Oh, I've got one in the show notes.
45:14
Scroll down another page or two, it's just the most gorgeous thing you've ever seen. Oh so in their notice, the Coast Guard wrote additional measures are necessary to prevent a transportation security incident unquote. And the Coast Guard cited quote threat intelligence related to the, a copy of the official directive from their local Coast Guard officials, stating that the materials contain sensitive security information. In other words, we're not telling you what we know in this public notice. Get this, get the official directive from your local Coast Guard, they'll tell you more.
46:12
A congressional report published in September warned a Chinese company with a major share of the global market of STS port cranes posed quote significant cybersecurity and national security vulnerabilities for the United States. According to the report, the Chinese state-owned company ZPMC supplies 80 percent of all ship-to-shore cranes in the US market and has significant involvement in militarizing the South China Sea. Lawmakers warned that the company and its cranes could serve as a Trojan horse, allowing Beijing to exploit and manipulate US maritime equipment and technology at their request. What remains unclear is what measures the Coast Guard could implement to restrict the remote functionality of ship and Chinese-made security cameras, which those in the US have been blithely purchasing and plugging in everywhere for years because, as you said, Leo, they're the best. The answer to the question of what are we to do about these cranes is the same as for the DJI drones and cameras.
47:46
I think in theory we could purchase the hardware and independently source the firmware or software for these devices. But nothing prevents firmware buried deeply within the hardware from being similarly compromised. So you know, it's not just flash memory in obvious firmware. So you know, the real truth is, in any instance where we've seriously and firmly determined that we cannot trust the supplier of equipment, that equipment cannot be used anywhere its physical or cyber compromise might lead to other damage. And imagine if Beijing could do nothing more than cause, and I say nothing more than cause, 80% of all US ship-to-shore port cranes to self-destruct. It would instantly and irreversibly cripple all major US ports. And at the bottom here of page six, I have a picture of this thing. Oh my God, look at that thing. It looks like something out of Star Wars. You definitely don't want to have that thing walking in your direction. Well, it doesn't walk.
49:08 - Leo Laporte (Host)
It does roll back and forth. One of the things I love about going on cruises, which we do a lot of, is you get to see these ports and you get to see these cranes in operation. Well, it's beautiful, but then, to give you a sense of scale, look at the itty bitty size of the standardized containers next to it. Yeah, it's huge.
49:28 - Steve Gibson (Host)
I mean, that's, my God, it's just amazing. Yeah, so, anyway, it is a beautiful machine, and it's a pity that, apparently, we can't trust it. I mean, we don't know what is known that, you know, says, what was it? Pre-installed vulnerabilities. What does that mean? Yeah, I mean, like, have they discovered, have they reverse engineered the firmware and actually found back doors that China knows are there?
49:59 - Leo Laporte (Host)
That would be a real shame.
50:01 - Steve Gibson (Host)
There's probably a back door, right? I mean, well, or it ought to be a documented front door, right? I mean, where we're like, ZPMC is able to update the software right in order to, you know, handle the new type of shipping container, which is 30% bigger.
50:22 - Leo Laporte (Host)
This is a universal issue. We've talked about how the Chinese, what do they call this attack? They're in the phone systems, they're listening to phone calls, they're taking advantage of the legitimate wiretapping capabilities that law enforcement put in 20 years ago to listen to. I mean, they're in our power grid. We know that they are. They're just sitting there, they're not doing anything, but, honestly, it sounds as if the Chinese government has infiltrated pretty much all of our infrastructure and has full access to it.
50:55 - Steve Gibson (Host)
We're buying all of our stuff from China. They didn't have to even try, right? I mean, we said, oh, we like those cameras, we'll take a million of them. But they're taking advantage of flaws in SS7.
51:09 - Leo Laporte (Host)
That's been there since 30, 40 years ago, right so?
51:13 - Steve Gibson (Host)
Right, so they're.
51:15
On the one hand, there are vulnerabilities in the technologies that we're using, but on the flip side, I mean, we don't know that. There's no evidence, for example, that DJI actually was ever used in a covert surveillance effort. We just know it could happen, and we know that they are a Chinese-based company. So everyone is now, and now we're looking at these cranes saying, oh my God, what if, you know? No crane has ever gone crazy and done anything wrong. Is there any reason?
51:50 - Leo Laporte (Host)
The crane is online. Should that crane not?
51:53 - Steve Gibson (Host)
Be air-gapped. My switches are online. My plugs are online.
51:59
You know, your blender is online, the microwave is online, the coffee maker is online, everything is online. Yeah, we're out of luck. I mean, that's really what has happened, is we've gone online, happy, right? And so, you know, I mean, who knows how those cranes even get installed? I'm sure a whole bunch of people who are experts in installing them, you know, erect them, and then you've got to install the software because, again, it's going to all be software controlled. Once upon a time, there was a guy sitting in a cab with big levers. Oh, there still is now.
52:33 - Leo Laporte (Host)
Now you've got a game controller that runs the whole thing. Yeah, that's one of my favorite seasons of The Wire. Did you ever watch The Wire?
52:43
Oh, Leo, one of the best shows ever produced. Absolutely, and one of the seasons they're down at the shipyards talking to the guys who operate those big cranes, and they have lots of scenes of them in there and how fast they can move them and so forth. It's pretty cool, but that was a long time ago. I'm sure it's even cooler now. Yeah, and Chinese infiltrated, attacked.
53:23 - Steve Gibson (Host)
We know that, we know. But commercial companies, there's no evidence that I'm aware of of misbehavior yet, because it's possible. You know, I don't know, I'm going to throw this out here.
53:36 - Leo Laporte (Host)
I think this narrative is a little disturbing to me, because where it leads is, well, you just don't have anything that's made or bought from China, which probably still wouldn't secure you, right? Because, correct, we still are using SS7. So, yeah, I've ripped and replaced all the Huawei equipment in my network, but I still have software that's got massive holes in it, and I'm not willing to replace that. But let's say that's the road we go down. Let's get rid of all the Chinese stuff. I think that makes us more vulnerable, because China no longer is economically dependent on us, is no longer intertwined with us. I think we're less vulnerable if we trade with our enemies, I know, and they're economically tied.
54:17
Their fate and our fates are economically linked. That, to me, is a better strategy for keeping the peace than putting up a big wall and saying, no, we're not going to buy any Chinese stuff. Well then, it doesn't matter. Then they have no dog in this hunt, right? They have no economic incentive for keeping their number one customer, right? So I don't have, as I mean, look, by the way, we're infiltrating their stuff.
54:41
We know this from the Edward Snowden, yep, leaks. The NSA has plenty of tools to do the same thing back, and they buy American stuff, probably not as much American stuff as we buy Chinese stuff, but I think it makes me nervous to think of the direction we seem to be heading with these reports.
54:59 - Steve Gibson (Host)
That, well, let's just not have anything from China at all, same way, because that could be a prelude. It would be better if we just all got along, yeah, which, and you know what?
55:11 - Leo Laporte (Host)
We've got, there is, by the way, there is this mutually assured destruction, because we do have stuff in their gear as well, and there is, there, in fact, Bill Clinton even made, and Obama made these agreements with China. Okay, you're gonna have your stuff in there, but we're gonna have our stuff in your stuff, and we'll only go so far in this espionage game, and these are the rules. And, um, you know, I don't know how good a way to do that is. That's a very good way to do things, but that is kind of where it is right now. So I'm just nervous about the idea of, oh, let's cut off all Chinese stuff. No, no, no Chinese stuff. Maybe the other direction would be safer. And look at the crane.
55:54
It's gorgeous, and they make good stuff. Oh, I mean, probably it's also cheaper than the American-made or the German-made cranes. I don't know, German. I'm sure Germany makes equally good cranes. I'll bet, I'll bet.
56:07 - Steve Gibson (Host)
And who's to say, though, that if we start, we switch to those, there wouldn't be some vulnerabilities, even if Germany didn't intend to? That's the problem. There'd still be vulnerabilities that the Chinese cyber ops could get into.
56:20 - Leo Laporte (Host)
There's still supply chain issues. There's still software vulnerabilities.
56:24 - Steve Gibson (Host)
I don't. Is perfect security possible? No. I wonder what the German cranes look like.
56:30 - Leo Laporte (Host)
I might be. Where are you gonna put this crane? As if you talk to Lori about your crane, a little model.
56:38 - Steve Gibson (Host)
I want a model. A model would be okay. Yeah, and you can have.
56:41 - Leo Laporte (Host)
It can have little model containers.
56:44 - Steve Gibson (Host)
There are little model ships, and you could go, one of the best things about my wife is she loves trains. Like, I could have model trains running around the house.
56:54 - Leo Laporte (Host)
Well, there's a very small difference between a model train and a model crane. That's what I'm saying.
56:59 - Steve Gibson (Host)
That's what I'm saying. I think this would probably work. I love it. Okay. So, after a phenomenal surge in new users, Bluesky has received its first country-level block, and the winner is Pakistan. Congratulations.
57:18
For those who don't know, Bluesky was originally conceived as a project with Twitter, back in the Twitter days at Twitter, by Jack Dorsey. It was designed to create an open, decentralized standard for social media, and it was launched in 2021 as an independent entity. After that, Bluesky quickly evolved into a strong competitor to X, offering a more customizable and transparent UI, user experience, UX. Bluesky's overall popularity has been soaring recently, and in Pakistan specifically, this is being driven by increasing accessibility issues with X. Due to government restrictions and the growing need for a VPN to access X, many Pakistani users have turned to using Bluesky as an alternative. Unfortunately, now it appears that within Pakistan, Bluesky is quickly hitting the same barriers as X.
58:23
I should mention that I've received Twitter DMs from our listeners asking when I'll be moving to Bluesky. I'm not moving anywhere. For me, X is being, you know, just kind of slowly allowed to fade. I'm still posting the weekly show notes to X because I've been doing so for years, and some of our listeners who hang out there continue to appreciate that. But a nicer presentation of today's show notes was, as I said earlier, emailed to more than 13 and a quarter thousand of our listeners yesterday, and every one of those listeners is able to email directly back to me at securitynow@grc.com. And all of that works even for our listeners in Pakistan.
59:14 - Leo Laporte (Host)
There you go. Anyway, mail works. When I was in China, I used mail to post to my blog and Facebook and Twitter because I could email it. Yeah, yep. By the way, I got something for you, Steve. Actually, should I send a link to Lori? It's the Lego City Seaside Harbor, with cargo ship toy model container crane and boat with eight minifigures. Steve, this is what you want.
59:38 - Steve Gibson (Host)
You know we don't need a train running around the Christmas tree.
59:43 - Leo Laporte (Host)
You need a crane, we can set this puppy up. Wonderful. This is yours, is yours, man? That's great, a prize before Christmas. Thank you to Chocolate Milk Mini Sip, as you know, I'm Paul Holder, in our chat for providing us with that. So, under the section of what will they think of next, we now have what's being called repo swatting attacks.
01:00:12 - Steve Gibson (Host)
I know. Repo is, of course, short for repository, which is the unit of organization employed by GitHub and GitLab. So get a load of this. Threat actors have been abusing a hidden feature to cause GitHub and GitLab accounts to be taken down. The technique allows—this will really strike home for you, Leo, with the problems TWiT has with anything copyrighted—users to open issues against a targeted repo, upload a malicious file and then abandon the issue without publishing it. On both GitHub and GitLab, the file remains attached to a victim's account. Then the pesky threat actor reports the hidden, non-public file for breaking the service's terms of service, which forces the repo to be removed for hosting malware. Good lord. Apparently this is just one more reason why we can't have nice things. I hope we do that.
01:01:24 - Leo Laporte (Host)
The administrator, this is the problem with DMCA takedowns. So, right, on YouTube, is it? The process is so efficient, works so fast, you have virtually no time to defend yourself, right? One would hope that both GitHub and GitLab would start to understand this attack. Figure out, this is what's going on. It's an invisible file, not so quick, yeah.
01:01:43 - Steve Gibson (Host)
Yeah, a couple of weeks ago I touched on two recently announced zero-day flaws that had been discovered to affect Palo Alto Networks' enterprise firewalls. That led to my quite predictable rant about the proven impossibility of protecting any form of remote management access to internet-facing services. Even firms like Palo Alto Networks, whose business is security and security appliances, still don't know how to do that, as these, you know, two recent zero-day flaws demonstrate. In this case, to say that Palo Alto's internal architecture seems somewhat wanting would be an understatement. An analysis by watchTowr Labs, that's spelled T-O-W-R, they've dropped the E, reveals that this vulnerable appliance, and it's actually a family of them, is implemented in what they declare with tongue in cheek to be the "absolutely stellar PHP language" unquote, which is served by Apache, fronted by an NGINX reverse proxy. They then note that the system implements its authentication layer by using a PHP feature known as auto_prepend_file, which prepends the file uiEnvSetup.php, as in UI environment setup, to anything PHP loads, which is just such poor design I can't even begin. Okay, this is implemented by the line auto_prepend_file = uiEnvSetup.php in the php.ini file, which they preface by saying, quote, "Take a look at this gem of a hack in the php.ini file," and I could not agree more. They introduce its use by noting, "We guess auto_prepend_file actually has legitimate uses besides writing PHP exploits." I mean, it's just, you know.
01:04:09
The bottom line is that this is all quite dispiriting. I don't know why. I always imagined that Palo Alto Networks would be doing things right. I suppose I wanted to give them the benefit of the doubt. The uiEnvSetup.php file, which provides front-end authentication by redirecting pre-authenticated access to the login page, actually contains the comment, this is their own source code, their own PHP code contains the comment, quote: "These are horrible hacks. This whole code should be removed and only made available to a few pages: main, debug, etc." In other words, their own coders know this was awful. That's.
01:05:04 - Leo Laporte (Host)
That's exactly what you'd expect some engineer to write. Looking at this code, just to put in the comment this is a hack. This is terrible. Please don't. I don't know why I'm doing this.
01:05:13 - Steve Gibson (Host)
It's late, don't make me, I'm hungry. Or they just delivered pizzas to the conference room. Oh my God. Anyway, I couldn't agree more with the coder's own comment, and I would never say that Palo Alto Networks deserves to have been hit by these vulnerabilities, especially since it's their customers who will be taking the hit for this. But a design that is this slipshod can only be called asking for it. It's unconscionable that this is the utter crap they're shipping. And in order to see any of this, because it's not out for public display, the watchTowr guys needed to first jailbreak this Palo Alto Networks appliance, which they did. But this means that this extremely poor design is locked away out of sight so that it's only visible to intrepid researchers who go to the effort to create a jailbreak. But even if it cannot be seen, every Palo Alto Networks customer remains reliant upon it. We all know the rigid line I draw between bad policies, which are deliberate, and true mistakes, which anyone could make. None of this is an example of a mistake anyone could make. You know, these are policies. There are developers inside Palo Alto Networks who know this is what they are shipping. Those people should be looking for a new job, far away from anything having to do with security.
01:07:04
And so today we have the news from the Shadowserver Foundation of evidence that at least 2,000 of these Palo Alto Networks firewalls have been compromised using those two recently disclosed zero days. 2,000 of Palo Alto Networks' enterprise customers have been penetrated as a result. Once they've been compromised, the firewalls contain a PHP web shell which allows attackers to return later at their leisure. The presence of this web shell is one indicator of compromise. The Shadowserver Foundation said that their number was a conservative estimate, since it relies upon a limited set of IOCs released by Palo Alto Networks last week. Now, to their credit, Palo Alto Networks had warned of a possible zero day earlier this month, which is what I talked about back then, and their communication throughout this has been stellar, so there's much to commend Palo Alto Networks about their response to this trouble.
01:08:18
Unfortunately, this stands in stark contrast to whomever is developing their devices. Did they fix it? They probably patched it, and it's probably largely the same. Not, yeah, maybe if a bright enough light is shined on this, they'll say, wow, is what Gibson just said true? Is what, is what? Wait a minute. Does anybody know?
01:08:44 - Leo Laporte (Host)
Is that true? Oh man, I don't know. It's not, you know, and don't blame PHP, because you can code securely in PHP. But the problem is it makes it very easy to code insecurely. It has.
01:08:56 - Steve Gibson (Host)
Thank you for finishing the sentence I was about to rebut with it doesn't.
01:09:02 - Leo Laporte (Host)
It doesn't exactly get in your way, I guess.
01:09:05 - Steve Gibson (Host)
Yeah, if they had developed it in interpreted BASIC, you would wonder about the level of the programmer expertise that chose the BASIC language to do the work. And PHP is similar. It's a very nice language. You know, we know what PHP, the initial, stands for, right?
01:09:30 - Leo Laporte (Host)
Yeah, Personal Home Page. Do not write your security clients' front ends in Personal Home Page.
01:09:37 - Steve Gibson (Host)
No, exactly right. Wow, okay. So a responsible security researcher going by the handle DelSploit, who reportedly answers email at dellsploit@gmail.com, has privately and responsibly disclosed their discovery of a terminally serious stack buffer overflow vulnerability across D-Link's past VPN routers. I characterize this as being terminally serious because this now-known-to-exist vulnerability allows unauthenticated users, also frequently referred to as anyone anywhere, to remotely and at their whim execute their remote code on the victim's targeted D-Link VPN router. The concerns are that D-Link's announcement of this sobering reality last Monday contains a field for link to public disclosure which is currently filled in with the abbreviation TBD, as in to be determined, which strongly suggests that this DelSploit character is being responsible with his or her knowledge and is giving D-Link some time to respond. But there's a problem with that. All six of these venerable and vulnerable D-Link VPN routers have gone well past their end of life. They're no longer being supported by D-Link and thus will not now and not ever be receiving updates to correct this most critical vulnerability. No CVE tracking designation will be assigned to track this vulnerability because it's never going to be fixed, and if a CVE were to be assigned, it would be carrying a flashing red CVSS score of 9.8, perhaps, or maybe even the rarest of 10.0s.
01:11:49
Okay. Now, this vulnerability is as bad as they come, because this otherwise lovely family of routers offers a standard SSL VPN which runs a simple web server at the standard HTTPS port 443. I have a screenshot in the show notes of what you get when you use your browser to connect to this thing's port 443. It looks like a web page asking you for your username and password. From the standpoint of almost actively soliciting attackers, this could not be any worse. The page that's displayed to any device connecting to port 443 of an affected router prominently displays the device's model number and both the hardware and firmware version numbers. This thing effectively shouts, please exploit me. So, you know, where they are on the internet will never be any mystery, and I have no doubts that the lists of their IP addresses have long ago been assembled. Okay, so now everyone knows the situation. The two oldest affected routers are the DSR-500N and the DSR-1000N, which both went end of life nine years ago, back in September of 2015. The more recent four VPN routers are the DSR-150, DSR-150N, DSR-250, and DSR-250N. All four of those went end of life just a few months back, in May of this year. But, as the saying goes, close only counts in horseshoes and hand grenades, meaning in this case that end of life is end of life, and that D-Link formally states in their disclosure that these now known to be seriously vulnerable D-Link VPN routers will never receive updates.
01:14:04
Longtime listeners of this podcast know what will come next as sure as the sun rises every morning. Many tens of thousands of these devices are currently sitting on the public internet. The number may be around 60,000. I haven't seen an exact count, but I'm sure that either Shodan or Censys would have that number and be able to provide their IP addresses, since every one of them, as I said, proudly presents its logon page to any passerby. There's been no public disclosure of the details of the vulnerability that DelSploit found, but D-Link has confirmed it, and at some point DelSploit is going to want to have their day in the sun and bragging rights about having discovered this vulnerability. So it's going to be published, and no one can really fault DelSploit for eventually disclosing the vulnerability they discovered, because that's the way the game is played these days: you wait long enough to give the impacted parties a reasonable amount of time to respond, and after that, no matter whether or not they have, and regardless of the consequences, the entire hacking elite is then informed of exactly how to bypass the internet-facing authentication which protects tens of thousands of networks that are currently behind every one of these VPN routers. There's nothing any of us can do other than protect ourselves and those we have responsibility for and care for, so make absolutely double damn certain that nowhere within your spheres of influence do any of these six D-Link VPN routers currently exist, because we all know exactly what's going to happen next.
01:16:04
In their disclosure, D-Link ineffectually recommended that this hardware should be replaced. We know that most of the owners of these devices will never receive any sort of notice of this and probably wouldn't pay it the attention it deserves even if they did. We're all being so inundated by all of our software being constantly updated that it's easy to become numb to it. But if anyone is in the market for a replacement, I would now say to stay well clear of D-Link. They have a long and still growing history of very serious, remotely exploitable vulnerabilities being discovered after the fact in their past end-of-life products. This happened earlier this month with 66,000 of D-Link's internet-connected NAS devices. Their response was effectively, well, we're sorry, we don't make NASs any longer, and even if we did, those 66,000 internet-connected, remotely exploitable, network-attached storage devices we once made are now past their end of life, so it wouldn't matter even if we still made them.
01:17:25
It's true that hardware is not forever and that it would not be unreasonable to expect an aging NAS or router that's past its end of life to be rotated out of service in favor of something new, but we all know that that doesn't happen often. Given their track record, I would be disinclined to give D-Link any more commercial support. If you really like the brand, okay, you know, I get it. It is truly nice-looking hardware. But you should be aware that end-of-life or end-of-support probably means end-of-secure-service life, after which point a device, a D-Link device, should be rotated out of service. And if you have any existing inventory of D-Link devices, you should be very certain to have a current subscription to their security bulletins and other notifications, and really pay attention when you get one. It's too bad.
01:18:26 - Leo Laporte (Host)
This used to be a good company, right? I mean, I had a lot of D-Link. I did too.
01:18:31 - Steve Gibson (Host)
In my day, right, I did too. But you know, they're having problems, and I mean, again, it's not unreasonable to say, okay, well, it's end of life and we're not going to support it anymore. Yeah, yeah, I mean, you know, all the other companies do that too. But even Microsoft has gone back and, like, fixed a really bad Windows 7 problem after Windows 7 was end of life, because they recognized they didn't want to hurt their own users.
01:19:03 - Leo Laporte (Host)
The problem really is that D-Link was a dominant consumer brand for a long time, and so there are a lot of people who aren't that sophisticated who have D-Link gear and they're not paying attention, they don't listen to this show, and so they'll never know that there's a problem with their router. Or actually it's not a router, it was a NAS. Well, yeah, it is a, yeah, it is a...
01:19:28 - Steve Gibson (Host)
Earlier this month it was 66,000 NASs, and now we have six different models of SSL VPN routers. Routers, okay. And so an SSL VPN router is sitting there listening for incoming SSL connections on port 443. Right, so mark my words. A month or two from now, we will have a count of how many systems have just been taken over. Yeah.
01:20:01 - Leo Laporte (Host)
I mean, at least an SSL router is not a consumer product. That's not in grandma's hands.
01:20:06 - Steve Gibson (Host)
Well, actually I don't know. I would say that's a bigger problem, because it means that it's hooked to a more valuable network, yeah, something you're trying to protect. It's not on granny's LAN. Right, it's on some small business's network that can have all their systems encrypted and then held for ransom.
01:20:26 - Leo Laporte (Host)
Yes, some IT guy 12 years ago installed it in a lawyer's office and nobody's thinking about it. It just works and security is not a concern. Except it should be.
01:20:35 - Steve Gibson (Host)
I had sort of a related story. It turns out that, as many people know, Sharia is a religious law that governs some aspects of the lives of Muslims based on the teachings of Islam and the Koran. We were just talking about Pakistan being unhappy with pretty much all things Internet. I should note that Pakistan's religious advisory board recently ruled that the use of VPN apps is against Sharia law, apparently because Sharia law is whatever they want it to be. Yeah. The Council of Islamic Ideology said that VPN technology was being used in Pakistan to access content prohibited according to Islamic principles or forbidden by law, including, quote, immoral and porn websites or websites that spread anarchy through disinformation. And this gave me pause to wonder, Leo, whether they might be inclined to change their minds if they were able to get a really good deal on some used D-Link VPN routers. Yeah, that's the ticket.
01:21:41 - Leo Laporte (Host)
Oh lord, what a world, huh? What a world. Well, this is, yeah. I mean, yeah.
01:21:50 - Steve Gibson (Host)
So we have the return of recall. Let's take a break, yes, and then we're going to talk about recall now being put back into Windows Insiders to begin testing.
01:22:03 - Leo Laporte (Host)
Yep, congratulations. We talked about it on Sunday on TWiT, and all four of us said, yeah, but we would love to have something like Recall. In fact, my problem with Recall is it should be on every device, it should be on everything, but of course that would be a security nightmare. But we'll let you talk about that in a second. Our show today is brought to you by ThreatLocker. This is the opposite of Recall. This is basically zero trust. It's the opposite of what you were talking about earlier, which is, you know, kind of allow everybody and then, you know, filter out the bad guys. No, no, it's quite the opposite.
01:22:43
If zero-day exploits and supply chain attacks are keeping you up at night, and I think they probably are if you run a business, here's a solution. You don't have to worry. You can harden your security affordably and easily with ThreatLocker. I mean, worldwide companies like JetBlue trust ThreatLocker to secure their data to keep their business operations flying high. But even small businesses can benefit with ThreatLocker's easy-to-implement zero-trust solutions, very affordable. Imagine, and this is kind of the nut of how it works, taking a proactive, deny-by-default approach to cybersecurity. Deny-by-default, that's what zero trust is. You don't assume just because somebody's in your network that they're good guys, that they should have access to everything. Unless you give them explicit approval, every action is blocked, every process is blocked, every user is blocked, and it will continue to be blocked until authorized by your team. And even further than this, you were talking about logging earlier. ThreatLocker, which will make it easy to do this, also will give you a full audit for every action, fully logged. So that's great for risk management, for compliance too. Right, you can demonstrate your security posture. This is how it should be done. This is done right, and their 24-7 US-based support team will fully support you getting started, getting onboarded and beyond.
01:24:09
Stop the exploitation. This is so cool. I'm going to talk about one of the things they do, called ring fencing. Stop the exploitation of trusted applications within your organization. Keep your business secure, keep it protected from ransomware. Organizations across any industry can benefit from ThreatLocker's ring fencing. That's what they call it, and it's a great name for it, because you're, in a sense, fencing stuff in. You're isolating those critical and trusted applications from unintended uses, from weaponization. You're eliminating an attacker's lateral movement within your network.
01:24:52
ThreatLocker's ring fencing works so well. It was able to foil a number of attacks that were not stopped by traditional EDR, including the SolarWinds Orion attack. We talked about it for many years. It was foiled by ring fencing because you couldn't move laterally in the network. Oh, and ThreatLocker works for Macs too. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively. ThreatLocker's zero-trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation even of zero-day vulnerabilities.
01:25:24
When we first talked about these guys, I went out and I looked at reviews. I was blown away. The people who use ThreatLocker love it, and it really works and it's very affordable. You can get a 30-day free trial right now. Learn more about how ThreatLocker can help mitigate threats no one's ever heard about before and ensure compliance. Visit ThreatLocker.com. That's ThreatLocker.com. We thank them so much for supporting the good works of Mr. Stephen Tiberius Gibson, and you support us when you go to ThreatLocker.com, and if they ask, tell them you saw it on Steve's show. That will help a lot. Okay, Steve.
01:26:02 - Steve Gibson (Host)
So last Friday the Windows Insider blog announced the return of Recall to Windows 11. They wrote: Hello Windows Insiders. Today we're releasing Windows 11 Insider Preview, build 26120.2415. Or, as one of my employees would have once said, start 8, which I always thought was funny. They said, to the Dev Channel. With this update, we welcome Windows Insiders with Snapdragon-powered Copilot Plus PCs to join the Dev Channel to try out Recall preview with Click to Do preview, which is a new feature that they're now going to be testing. So anyway, I have a link to the lengthy rollout text in the show notes for anyone who wants more.
01:26:52
Suffice to say that Microsoft has done exactly what they had promised to do. The setup experience of course promotes Recall as a wonderful and really secure feature. It's unclear from the few screenshots Microsoft provided what the user's decision tree looks like and how readily the user is able to decline to receive the Recall experience. But presumably, after all the backlash Microsoft received and their commitment to disable Recall until and unless its user explicitly enabled it, that's what they've done. I do know from reporting that Recall can mostly be removed from Windows through that "Turn Windows features on and off" dialog. One security researcher noted that a few Recall-related DLLs do remain under the Windows SystemApps directory, specifically Microsoft.Windows.Client.AIX. But this researcher noted that the core functionality is removed, so that's good. A few items of note from their blog posting were, quote: Recall Preview will begin to roll out on Snapdragon-powered Copilot Plus PCs, with support for AMD- and Intel-powered Copilot Plus PCs coming soon as we gradually roll out Recall in preview. Recall is supported on select languages, including Simplified Chinese, English, French, German, Japanese and Spanish. Content-based and storage limitations apply. Recall is not yet available in all regions, with expanded availability coming over time. There were anecdotal reports of researchers being able to get the first shot at Recall running on PCs without any fancy AI GPU support. So it might be that Recall will be made more widely available over time, and so this might also mean that for now, no one without Copilot Plus PCs will need to worry about removing it, since it may never be present, and again, it's not yet in the main channel. This is all just Insider Preview. Also of interest in the posting: For our enterprise customers.
01:29:25
Recall is removed by default on PCs managed by an IT administrator for work or school, as well as enterprise versions of Windows 11. IT administrators fully control the availability of Recall within their organization. Employees must choose to opt in to saving snapshots and enroll their face or fingerprint with Windows Hello for snapshots to be saved. Only the signed-in user can access and decrypt Recall data. Theoretically. So, although enterprises cannot access employee Recall data, they can prevent Recall from being used altogether and prevent any saving of specific apps or sites. So essentially they're saying that group policy settings that the IT admin controls can prevent Recall's use, but if Recall is allowed, then it is still a one-to-one relationship between the machine and the employee, and under no circumstances does the enterprise have access to the data that Recall is collecting for that employee. So that's good. And of course that was not the case when this was first rolled out in what many people feel was a very premature mode, because none of the data was encrypted. It was just all there in a user directory.
01:31:03
So just for the record, Microsoft is also previewing a Recall feature which they call Click to Do, and they write: With Click to Do in Recall, you can get more done with snapshots and improve your productivity and creativity. Click to Do recognizes text and images in snapshots and offers AI-powered actions you can take on these, saving you time by helping complete tasks inline and/or quickly getting you to the app that can best complete the job for you. They then show that the user is able to mark and highlight, to select text in an image on a Recall snapshot, which is cool, and then, once selected, you get a context menu with Copy, Open With, Search the Web, Open Website and Send via Email. And if the user happened to right-click on a recalled image, as opposed to a block of text, then the context menu commands are Copy, Save As, Share, Open With, Visual Search with Bing, Blur the Background with Photos, Erase Objects with Photos and Remove the Background with Paint. So some things you can actually do with images that are recalled, and apparently soon with things that are not recalled. They said: In this update, Click to Do only works within the Recall experience. And, by the way, we're going to have a lot of "experiences" with Windows, apparently; that's Microsoft's new favorite word. They said: In a future update you'll be able to effortlessly engage with Click to Do by simply pressing Windows logo key plus mouse click, Windows logo key plus Q, through the Snipping Tool menu and Print Screen, or searching Click to Do through the Windows search box. In other words, it'll be pervasive in Windows. They said: These methods will make it easier than ever to take immediate action on whatever catches your eye on screen. We're also working on introducing more intelligent text actions to enhance your experience even further. Just like with Recall noted above, Click to Do preview is available only on Snapdragon-powered Copilot Plus PCs.
Support for Intel- and AMD-powered Copilot Plus PCs is coming soon. So, okay, for people who have those. Again, not yet mainstream, not yet released, but it's clearly coming.
01:33:51
I was talking earlier about the fact that we absolutely know that very, very few of the now known to be vulnerable D-Link VPN routers will be removed from the internet as a result of D-Link's announcement of their serious vulnerability. How do we know? Well, all of the history that we've talked about on this podcast shows that. In this case, CISA maintains a list of the most exploited security vulnerabilities by year. We know that at least 60 known threat actors exploited vulnerabilities from CISA's list of the most exploited bugs last year, and we have details. According to the security firm VulnCheck, V-U-L-N Check, the North Korean group Silent Chollima was the most active in this regard. They targeted nine out of 15 CVEs from CISA's list. China's and Russia's groups were the most active among the 60 known threat actors, with China sponsoring 15 groups of those 60 and Russia supporting nine groups.
01:35:16
And here's the most distressing news. That gets back to why we know that few of those D-Link routers will be removed from service. Hopefully all of our listeners will. If there's any intersection between those D-Link routers and our listeners, the action will be taken. But VulnCheck reports that over 400,000 systems that are currently online at this moment are vulnerable to attacks using one of last year's most popular vulnerabilities. 400,000 systems online now are vulnerable to at least one of 2023's most popular, and I have "popular" in quotes, most exploited vulnerabilities. So, wow, we have to do better.
01:36:13 - Leo Laporte (Host)
As an industry, we really do somehow need to do better. Okay, it just shows you how hard it is to do, though. I mean, yeah, well, and, you know, I'm sure that notices are going out. As I said, we all just get inured to them.
01:36:33 - Steve Gibson (Host)
Essentially, I mean, we just stop paying attention to every one of them because it's like oh my God, oh my God, oh my God, and finally say, oh yeah, fine, well, we keep hearing that, but nothing ever bad happens until something bad happens.
01:36:48
Okay, some great feedback from our listeners. Thomas wrote: On a recent episode you mentioned a device that acts like a Bluetooth keyboard and connects via a dongle between a phone or other Bluetooth device and a computer, or basically anything you could plug a USB keyboard into. It sounds to me like an InputStick, and that's http://inputstick.com. He said, a device that I used frequently as a hardware tech when replacing HP motherboards. After you replaced the motherboard, you had to enter a setup command string that was about 30 characters long and case sensitive. Since it was entered before/during BIOS, you could not copy it into the field from the web. It was a nightmare. Okay, right, 30 characters of upper- and lower-case gibberish. He said, but with the InputStick... This is so cool. Oh, Leo, I immediately ordered one.
01:37:57 - Leo Laporte (Host)
I was about to order one myself. It is very, very cool, and the app is kind of like a YubiKey, but you could program it to do whatever you want.
01:38:05 - Steve Gibson (Host)
It's exactly what it is, and not only keyboard but also mouse. Wow, so you're able to remotely control, I know, like do mouse functions. So he said, but with the InputStick you could go to HP's website on the phone, copy the string, paste it into InputStick's software and send it / input it directly the first time. So clever. He said, it's been a while since I've done that. Mostly it now works as the volume control to turn my computer down when I'm going to sleep, he said, and because they have complete multimedia controls also. He says, any keyboard does, of course.
01:38:49
Yes, exactly. He said, still one of my favorite toys, though. Even though I'm no longer in the biz, I still keep up with the news via Security Now. Signed Thomas. Nice. So, as I said, Thomas is 100% right. This is the gizmo that another listener mentioned, which I immediately purchased since it looks clever and interesting. I think it was $39 US plus shipping from Poland, and they immediately shipped it. I got a notice of it being shipped like hours later. I'll report again once I've had a chance to play with it.
01:39:22
Its creator appears to have done quite a lot with the capability. It's able to simulate both a keyboard and a mouse and, as I said, it's able to simulate multimedia control keystrokes. It's got macro capabilities and the works. So, you know, I'm constantly annoyed that, despite my decades-long loyalty to all things Apple for everything other than PCs, Macs offer integration features that Apple refuses to bring to Windows. You know, I would, oh my God, would I love to have iMessage for Windows, but no, no, I don't get that. And I was wondering if this would somehow allow me to bridge that gap. But it's actually going in the wrong direction, probably, unless I were to... I guess I could... no, it's going in the wrong direction. So, I guess, at the same time, if they brought us something that was like iTunes for Windows, then... so I'm probably better off without it.
01:40:21 - Leo Laporte (Host)
So you have a solution? No, I'm just trying to think of how you would use it. So your goal is to do what?
01:40:33 - Steve Gibson (Host)
I guess my goal would be, okay, so it's burdensome writing a long message on the horrible touch screen. Yeah, you want to do it on your keyboard. So I'd like to do it on my keyboard, right? And then just send that. Yeah, and I've, like, I've emailed myself messages and then gone to email on the iPhone, opened it, copied it, gone to Messages, pasted it and sent it. It's like, what? This is how Apple keeps people in the Apple ecosystem.
01:41:04 - Leo Laporte (Host)
It's easy to do if you're an Apple, if you're all Apple, I know. Otherwise, you might buy other people's computers and we can't let that happen.
01:41:18 - Steve Gibson (Host)
Right. Gino Guidi, who signed his note "The Network Ninja", earns his title. He wrote: Steve, I was listening to the episode where you had a listener ask about how to capture the command and control, you know, C2, traffic when it's using a hard-coded IP. The solution you offered would absolutely work. I think the more elegant solution would be to just NAT the destination.
01:41:46
I'm not entirely familiar with pfSense or OPNsense, and I use Untangle and Palo Alto at home. However, if you have firewall software that supports it, you could create a NAT rule that changes the destination from the hard-coded IP to a host of your choice. You won't even need additional interfaces. If you configure the rule correctly, it will re-NAT it back for return traffic. The malware will have no idea that it isn't actually talking to that IP. The additional advantage is that you wouldn't have to change the IP or add additional IPs onto the machine you're sending the command and control traffic to. You could easily create as many of those NAT rules as you want, which I think would make it more robust long-term. I appreciate the podcast and hope to be listening for another 1,000 episodes. Okay.
01:42:46 - Leo Laporte (Host)
Hope this suggestion makes sense.
01:42:49 - Steve Gibson (Host)
Okay. So, given that a router's firewall supports it, I think it's a brilliant solution that's clearly superior to the more complex approach that I proposed, so I like it a lot. Okay, so let's think this through. As I understand it, it would require routing software that's able to perform NAT translation for packets traversing the router's internal LAN interface. That's different from typical consumer router NAT, which is generally applied to outbound packets crossing the router's WAN interface. So this would definitely require some third-party routing software, you know, higher-end routing software like pfSense or OPNsense.
01:43:39
Applying NAT to the internal interface would cause any packet sent from any machine on the LAN, such as the malware-infected machine, which is addressed to a specific external public IP, to have its destination IP changed to another host machine on the LAN, the one that's serving as the command and control server. That packet's source IP would remain unchanged, which would be the IP of the infected machine. So, on its way out from the malware-infected machine, the outbound packet crosses the LAN's selective NAT translation, which would give it a local destination LAN IP address. This would cause the router to send it back out the same LAN interface, now addressed to the command and control server, and since that packet arriving at the command and control server would still be carrying the local source IP of the malware-infected machine, the spoofed command and control server would return its replies directly to the malware-infected machine. So it's an elegant solution and I can't see why it wouldn't work. I haven't tried it, but it's a sort of an interesting concept. I replied with this to our Network Ninja Gino, who sent me a follow-on link that referred to this using the term "hairpin NAT". So this is a known technique, and you can see a hairpin, right? It's like bent, it does an immediate 180. So it's called a hairpin NAT, where you NAT across your local interface, your LAN interface, as opposed to the WAN, in order to perform these sorts of tricks. So very cool. Thank you. Abhi wrote: Hi, Steve, I've been listening for the past 12 years. Your podcast has been a constant on my drive to work and dropping my kids to and from school. My kids have grown up listening to your voice, sorry about that, and are more security conscious because of you. So thank you. Yeah, I guess the kids are probably on edge now.
01:46:22
He said, in your last show, episode 1001, you mentioned Cloudflare Tunnel as an option for accessing home networks. One main clarification I would like to make, which you did not mention, is that although a Cloudflare Tunnel is simple to set up and use, it does not provide true end-to-end encryption. While it encrypts traffic between your origin server and Cloudflare's network, Cloudflare can decrypt and inspect the data in transit as it terminates the TLS connection at its edge network, meaning it is not fully encrypted from start to finish. And he says what we all know: for true end-to-end encryption,
01:47:05
an overlay network like Tailscale can be used. For a more detailed comparison, he gives us a link that I haven't seen before, at tailscale.com/compare/cloudflare-access. He says, I looked into Cloudflare Tunnel myself to access my self-hosted Bitwarden running on my home Synology NAS, but I decided to use Tailscale instead for this reason. Love the show. To 2000 and beyond, Leo, which appears to be everyone's new goal for us, since we did pass 999 unscathed. So, Abhi, we need to come up with a hand gesture.
01:47:50
Yeah.
01:47:52 - Leo Laporte (Host)
I don't know.
01:47:59 - Steve Gibson (Host)
He provided a link, which I have in the show notes, to Tailscale's side-by-side feature comparison of Tailscale versus Cloudflare Tunnel, and I tend to agree with Abhi's feelings. I think that the best way to think of it is that these two solutions, Cloudflare Tunnel on the one hand and an overlay network like Tailscale on the other, have some overlap in their capabilities, which allows either one to solve the remote access problem, but they are also very different. Cloudflare Tunnel has a large range of features that go far beyond what's needed for remote access to a user's LAN. It's really aimed at secure remote access to servers, and an overlay network's true full end-to-end encryption is really what we want for remote network access, and it sort of tips me in its favor. Stephen Clowater reminds us of an even simpler solution, writing: Hey, Steve, congrats on hitting 1,000 plus episodes. Thanks for all the thoughtful content you've shared.
01:49:20
I wanted to share an observation about remote access to home labs. He said, having tried Cloudflare Tunnels and various VPN clients, for those who don't need the features of an overlay network like Tailscale, WireGuard is worth considering. It offers simple, lightweight layer 3 connectivity, modern elliptic curve crypto and straightforward setup. While Tailscale builds on WireGuard for robust overlay features, a standalone deployment keeps things minimal and widely supported across platforms like Linux, pfSense and OPNsense. What has kept me using WireGuard, he writes, is how it handles iOS sleep cycles, meaning the WireGuard client on iOS, he said, ensuring apps can reliably access data when waking from sleep. VPNs like OpenVPN, CF WARP and IKEv2 often struggle with app-level connection failures because their clients cannot wake up properly in the selective sleep process iOS has, or renegotiate stale connections before a TCP timeout. WireGuard's small kernel footprint and fast connection renegotiation allows it to reconnect on demand without timeouts. He says, I started using WireGuard in 2020 to 2021.
01:50:54
While setting up a self-hosted email server, I needed a reliable way to fetch mail on my phone while keeping port exposure to a minimum. Since then it's become a core part of my setup, enabling reliable email fetch cycles, isolating Ubiquiti cameras and syncing files via Syncthing on my phone. Just thought I'd share in case it's helpful to anyone exploring options. Best. And he signed off "another Steve", because he's Stephen Clowater. So I'm really glad Stephen reminded us of the many benefits of just plain old WireGuard, at the time viewed as the replacement for OpenVPN, which had grown very old and stale, back when it first appeared on the scene. About five years ago, in episode 744, I first talked about WireGuard after meeting and being very impressed by the founders of the Mullvad VPN service and learning that they were already adopting WireGuard. And recall that not long after that, Linus Torvalds incorporated WireGuard natively into the Linux kernel, which is saying something for it, because he would never do that casually.
01:52:17
The only downside to running, for example, WireGuard on a pfSense or OPNsense router is that the first thing you need to do is open a static port through the router's WAN interface to the WireGuard service running on the router, and from then on that port is open, facing the outside world, and you're relying on WireGuard not to have any critical vulnerability that would allow an authentication bypass. If you're okay with that, then WireGuard is likely the lightest weight and most secure solution available, and I loved what Stephen shared about its compatibility with iOS. But running with a statically open port is never required when using any sort of port knocking solution that would allow a remote IP to be authenticated, so that that IP, and that IP only, could then connect to the WireGuard VPN running in the home-based router. You know, since, for example, an ICMP ping packet can contain plenty of payload, a simple and secure challenge-response mechanism that incorporates the endpoint IP addresses and some crypto would do the trick. You know, and I would write one, I would create it, if only there were more hours in the day, but maybe somebody has or will.
01:54:01
Enrico gave his note the subject "EP-989, backdoor or incompetence", and he said: Happy 1000. I'm still a bit behind. I'm listening to episode 989, where you talked about the Chinese RFID badge chip that was found to have a backdoor. We've heard plenty of reports about vulnerabilities found where the manufacturer left some debugging credentials in. We've also heard lots of reports about backdoors in products. I'm curious, in general, how does one determine if something is a backdoor or incompetence? How can the researcher infer intent? Perhaps an internal company memo gets leaked that shows it was on purpose? It is still hard to tell if this was mandated by the government unless top secret government documents get leaked. Is it just based on the country that manufactured the device and whether they're friendly to the US? I also heard about the guy that has gone back and started listening to your podcast from episode one. I wanted to do this too. However, I'm already over 10 episodes behind, so I'd just fall even further back. I only listen to podcasts while driving. Maybe I need to plan some long road trips. Okay, so I think Enrico makes a very valid point.
01:55:30
Controversy is inherent when attempting to ascribe intent. The question of the Windows metafile escape, which I talked about last week, is another perfect example. Why was it there? Why had it been faithfully copied and re-implemented through many editions of Windows, even jumping from Windows 3, 95, 98, and ME over to the brand new Windows NT, where it had to be re-implemented? Was all that an accident?
01:56:01
The original intent of its designers has been lost to history, and we'll probably never know. And remember, about 10 years ago, when Cisco kept "discovering" hidden backdoor credentials in one appliance after another, month after month, and I have "discovering" in quotes because these were their own systems. How difficult could it be to discover an undocumented login account in software that they wrote and for which they have the source code? They just had to look. So I guess they just looked, and it's like, whoopsie. Anyway, since Cisco is not evil and never was, and since they were confessing over and over to what they kept finding in their own machines, I think that's a case of poor judgment and changing times.
01:56:59
20 years ago, just as it may have been acceptable to design an escape hatch into Windows Metafiles, it may have been acceptable for developers to just kind of lazily leave their development accounts in Cisco appliance firmware. Back then it may have been no big deal. But as we've seen, times change, as do our expectations. My feeling is that in nearly all cases it's just a mistake. For one thing, no clever developer would implement something that was meant to remain a secret by leaving a username and password in the firmware. That's way too obvious.
01:57:43
If someone told any competent developer (okay, not somebody using PHP, I did say competent developer) to design in a backdoor, it would be far more well hidden. For example, it would be necessary to first bounce an ICMP ping packet off the device with a particular payload length. This would leave an insignificant trace. Then it would be done again with a different specific length, and that pair of events would prime the device to then accept anything originating from the same source IP only, without requiring any authentication, or something like that. My point is, nothing is as dumb and obvious as leaving a username and password account burned into the firmware. There are an infinite number of ways to bury a true backdoor in today's insanely complex systems, and that's something that keeps people awake at night, because these things could be really difficult to find.
01:58:57 - Leo Laporte (Host)
Yeah, I guess the intent doesn't really matter. It's the fact that it exists, period, is sufficient, right? And I guess?
01:59:03 - Steve Gibson (Host)
The real point is who else knows about it, right?
01:59:09 - Leo Laporte (Host)
Eventually, everybody knows everything. Don't think you can hide anything. That's really the truth, exactly. There are no back doors.
01:59:17 - Steve Gibson (Host)
David in the US wrote: Hello, Steve, I'm a longtime listener but haven't reached out before. I credit you in large part for my career in InfoSec. I was unable to get formal education in the field, so I self-taught using resources including your podcast. It's been many years since I started my first job in the field, but I still listen regularly and learn a lot. Thank you for all your efforts.
01:59:42
I'm sure this is an edge case, but regarding your remarks about SOHO routers in Security Now 995, I was recently treated to an experience with a new Nokia (they still exist) SOHO router/access point. I changed ISPs and they provided one for free with a Wi-Fi access point ready to use. They came out and installed it for me and plugged what they thought was my computer into it (as if I had only one, ha ha), he said. After they left I plugged my entire home infrastructure into their router. As a result of your recommendations some years ago,
02:00:32
my main firewall is pfSense running on a Protectli unit (you know, P-R-O-T-E-C-T-L-I, that I mentioned recently). He said: I didn't bother to reconfigure the new Nokia box for a couple of days because I didn't consider it an important layer of security. However, I finally got around to logging into it and was stunned by what I found. For some unfathomable reason, the firewall was set to light filtering mode. Apparently it had a short, self-described, non-disruptive block list it was using to blacklist certain things. However, it was not performing NAT services for the Ethernet. It was in a pass-through mode by default, giving my public IP address to my pfSense firewall behind it. There was an option on the Nokia device to enable NAT, but it was disabled.
02:01:39
While I would like to think that perhaps it detected the firewall behind it and switched itself off, I somehow doubt it was that smart. If I was a typical user, whatever I plugged into that Ethernet port would have been immediately exposed to the Internet. The Wi-Fi did seem to be using NAT, so perhaps they thought that was good enough for most users. Okay, so this was really interesting to me. The thing that occurred to me first, after thinking about what David wrote, was that I'll bet almost no typical internet user today ever plugs anything into their router's wired Ethernet ports. I know that many of us who listen to this podcast do, but we're far from typical internet users. Wi-Fi really has overtaken wired Ethernet, and that's the only way I can think to explain what David experienced: you know, just everyone uses Wi-Fi, so that was what was set up in order to, you know, share a single IP from that box.
02:02:52 - Leo Laporte (Host)
Maybe that Nokia just wants to say, you know, anything you plug in is DMZed, and maybe that's, you know... I wonder if it even says that: If you're going to hook up a web server to this, put it on the Ethernet port, because then it'll be DMZed. It's directly connected to the Internet, right?
02:03:08 - Steve Gibson (Host)
Yeah.
02:03:12 - Leo Laporte (Host)
As you can tell, not a recommended solution.
02:03:17 - Steve Gibson (Host)
I have a couple inches at the bottom of this final page before we switch to today's main topic. So I wanted to answer the many questions I received from listeners who've taken note of the remarkable reMarkable Pro box on the bookshelf behind me. You can see it right there over my left shoulder. It's there, I'm pointing at it. They've wanted to know what I think of it. I very much wanted to love it, but I don't. I wanted to like it.
02:03:51
I don't. I wanted to like its support for color, its slightly higher pixel density, its larger size and its reputed higher stylus tracking rate, but I don't. Its support for color feels like it's not ready for prime time. The display goes through all sorts of conniptions when using color. I mean, it's almost comical what the thing has to do, with things flashing and switching back and forth and blinking. It's clearly not easy to pull off color and I don't think it was worth the effort.
02:04:27
Also, the darn thing is heavy. I mean, it is really heavy, and its stylus now requires charging, which the reMarkable 2 doesn't. By comparison, its predecessor, the reMarkable 2, I really love, you know. I do wish I could get the cool cover for the Pro, which much more securely captures the stylus than on the reMarkable 2. But at least for the time being, it appears that that cool cover is only available for the Pro. So anyway, to answer everyone's questions, I was hoping I would like the Pro as much as I love my reMarkable 2s. I have a couple of them, but it doesn't really make the grade.
02:05:13 - Leo Laporte (Host)
You tried the Amazon Scribe, right?
02:05:15 - Steve Gibson (Host)
Yeah, well, yeah. It's only because the reMarkable is just... I mean, I don't do any reading on it. I don't read PDFs. I just use it as a replacement for my engineering pad and a soft number two pencil.
02:05:33 - Leo Laporte (Host)
It's nice to have unlimited graph paper, isn't it?
02:05:38 - Steve Gibson (Host)
Oh yeah, and now you're able to sync three devices through to a single account, and because I purchased one in the old days, I'm grandfathered in to the no-charge iCloud connectivity. So if I doodle at one location, when I turn it on at the other, it's synchronized. Multiple-location doodling.
02:06:04 - Leo Laporte (Host)
What more could anybody ask? I got everything I want. Yeah, the Advent of Code is coming up in just five days. That's right, and that's one where it's very often handy to sketch out.
02:06:17 - Steve Gibson (Host)
Yeah, I'm a big algorithm bits sketcher, just to understand.
02:06:26 - Leo Laporte (Host)
And the Advent of Code, it's all about text problems. And so to even understand the geometry, sometimes you have to draw it, because otherwise it's like... In fact there were people a couple of years ago cutting out paper and making paper cubes, so they could understand the relationship of one side to another.
02:06:39 - Steve Gibson (Host)
No, I absolutely get it. It's all those off-by-one problems. Oh, you want to make exactly sure? Yeah, do you mean greater than, or greater than or equal, right? And so I just quickly jump to sketching out a little simple example of a more complex problem.
02:07:00 - Leo Laporte (Host)
I do exactly the same, yeah.
02:07:03 - Steve Gibson (Host)
Did we do all of our break?
02:07:05 - Leo Laporte (Host)
We have one more. Would you like to do one more, and then we'll talk about disconnected experiences. Whatever that is, we'll find out in just a moment.
02:07:13 - Steve Gibson (Host)
Why you may want to be disconnected from some of these experiences.
02:07:16 - Leo Laporte (Host)
Yes, please. Here's... You know, you listen to this show, I'm sure, because it gives you... No, I'm right here. No, you do.
02:07:24 - Steve Gibson (Host)
I'm talking to our fine audience.
02:07:27 - Leo Laporte (Host)
Yeah, I was watching the F1 race on Sunday. It was in Las Vegas, and they talked to one of the drivers, a longtime F1 driver, and they said, do you ever watch your races? He says, no, I was in it, I don't need to watch it, I know what happened. Yes, we don't listen to our own podcasts. We were in them. But I'm talking to you, our dear listeners, our wonderful listeners, who listen to this show for information. Right, they get intelligence out of it. Governments have intelligence agencies. Why don't companies? Well, now you can with Flashpoint. This episode of Security Now brought to you by Flashpoint.
02:08:08
For security leaders, this year has been insane. It's like no other year. Cyber threats match with physical security concerns and they're both increasing. And now you've got geopolitical instability, adding a new layer of risk and uncertainty. And how important is it for you and for your business to know ahead of time where the threats lie? Let's talk numbers.
02:08:33
Last year, there was a staggering 84% rise in ransomware attacks, almost doubled, and a 34% jump in data breaches. That should give you chills. Nobody wants a data breach. The result: trillions, trillions with a T, of dollars in financial losses, threats to safety worldwide. Well, okay, that's where our sponsor, Flashpoint, comes in. Flashpoint empowers organizations to make those mission-critical decisions that will keep their people and their assets safe, and it does it with information. That's what you need, information. By combining cutting-edge technology with the expertise of world-class analyst teams and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, you get alerts, you get analytics and you get it all in one place. It's a dashboard to the world out there and what's happening. It helps you maximize your existing security investments.
02:09:33
Some Flashpoint customers say they avoid a half a billion dollars in fraud losses every year and have a 482% ROI in six months. That's probably one of the reasons Flashpoint earned Frost & Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence. Here's an example. A senior vice president of cyber operations at a big (I can't say the name, but you would know it) US financial institution, he said, and this is the quote: Flashpoint saves us over $80 million in fraud losses every year. $80 million. Their proactive approach and sharp insights are crucial in keeping our financial institutions secure. They're not just a solution, they're a strategic partner helping us stay ahead of cyber threats. Wouldn't you like a partner like that?
02:10:26
It's no wonder Flashpoint is trusted by both mission-critical businesses and even governments worldwide, because not everybody has their own intelligence service. Well, now you do, with Flashpoint. To access the industry's best threat data and intelligence, visit flashpoint.io today. That's Flashpoint, F-L-A-S-H-P-O-I-N-T, dot I-O. Okay, flashpoint.io. The best data for the best intelligence. We thank you so much for supporting Security Now. Really, it's a good match, right, because we're both in the same business, and we thank you for supporting Security Now by telling them, if they ask, oh yeah, I heard it on Security Now. Yeah, it was on Steve's show. That helps us. That way you can say, see, see, we're sending you traffic.
02:11:10 - Steve Gibson (Host)
All right, Steve, you've got to explain the title. Okay, so, the way things are going, it looks like I'll be needing to set up, well, I guess what I would call a sacrificial lamb.
02:11:23 - Leo Laporte (Host)
Oh, no, oh, I'm so sorry.
02:11:27 - Steve Gibson (Host)
Yeah, running the current, which is to say, the latest Windows. The last thing I would use for myself would be such a machine, because Microsoft really does appear to be pushing well past the limits of what is acceptable practice. For me, Windows Recall was a perfect case in point. If the industry hadn't pushed back so loudly and quickly, they may have delivered that first disaster. Who knows? But it occurs to me that if this podcast is going to continue to be as relevant as it has been in the past, it's becoming clear that I'm going to need to have a machine that's running what the rest of the unwashed masses are running, which is to say, you know, the latest version of Windows.
02:12:17
There was a time when creating a sacrificial lamb PC meant exposing the machine to the Internet without protection. As we know, the half-life of such machines is best measured in seconds, and not many of those. But the way the Windows desktop environment has been evolving, today the creation of a sacrificial lamb PC means just exposing a machine to Microsoft. The need for such a machine became clear when I encountered the news that Microsoft has silently enabled the use of its users' Microsoft Office Word and Excel document content for training its AI models. Rather than being straightforward and calling this something like, I don't know, how about "AI training," they obscure it behind the title Microsoft Connected Experiences. Now, how the hell would anyone ever know that that means that they're training AI models? Connected experiences. And that's my point. This is what Windows has become. At the moment, I'm reporting this blind because I have no way to verify the reporting that I've seen. At the moment, I don't have a Windows 11 machine, and that's going to have to change. But okay, so here's what we know. In Microsoft's documentation for their so-called connected experiences, under the topic "connected experiences that analyze your content," they write: "Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights and similar features." The key phrases are "analyze your content" and "connected," but connected to what and to where? That appears to mean what the reporting on this states, which is that the connection is to some AI which is doing the analyzing and being trained against Windows users' Office document data. Now add to this the fact that it's been reportedly enabled by default, because of course it has, and I should say, since the show notes went out last night, I have heard back from listeners who found this stuff enabled by default, so this reporting is confirmed, and they turned it off.
02:15:01
Just as a great many people are made uncomfortable by the idea of having Windows Recall silently collecting and analyzing everything they do on their computers, some Windows users may not be interested in having Microsoft's AI being trained on the content of their otherwise private Word and Excel documents. First, I'll note where this connected experiences setting is located, since they clearly want their Windows users to have ready access to this potentially significant privacy setting. So under File in an Office application, you choose Options. Under Options, go to Trust Center. In the Trust Center, select Trust Center Settings. There you'll find Privacy Options, which you need to select in order to get to the Privacy Settings. And on the Privacy Settings page there's a section for optional connected experiences, where you should find a checkbox labeled "Turn on optional connected experiences," which all regular users will reportedly find (and a bunch of our listeners have) has been thoughtfully enabled for you by default.
02:16:21
Users whose machines or Microsoft accounts are managed by their organization may not have these options showing, and Microsoft appears to confirm this on their own website where, under the topic "choose whether these connected experiences are available to use," they write: Outlook.com email address or with a work or school account. If you're signed in with a Microsoft account, open an Office app such as Word and go to File > Account > Account Privacy > Manage Settings. Okay, now note that that's a very different path from what I had first shared from the reporting on this. It turns out, and I've heard from our listeners, both are correct. You can get to the proper setting either way, and Microsoft's is a shorter path: File > Account > Account Privacy > Manage Settings, although maybe once you get to Manage Settings, then you go to Privacy Settings.
02:17:41 - Leo Laporte (Host)
I don't know.
02:17:42 - Steve Gibson (Host)
Anyway, if you've got it, you'll be able to find it. And they said, under the connected experiences section, you can choose whether certain types of connected experiences, such as experiences that analyze your content, are available to use. If you don't go to Manage Settings, all connected experiences are available to you. In other words, all your content gets analyzed. So there it is. What's apparent nowhere is that "connected experiences" is a euphemism for "we're going to share all of your Office documents to train an AI in the cloud in order to make Office smarter for you" and, of course, for themselves. So, talking about content retention, they write: most connected experiences don't retain your content after performing their function (although I should tell you there's about 50 of them) to help you accomplish a task, but there are a few exceptions. In those cases, Microsoft retains the content for as long as your account exists and it's used to support, personalize or improve that connected experience.
02:19:08
Now, as I write this, part of me wonders whether I'm just becoming an old curmudgeon. Why not just, you know, enjoy all of the many benefits of having Microsoft watching everything I do on my PC, thus allowing me to scroll back in time and ask questions about things I did in prior years, and sending my document content to the cloud to train their AIs so that it can provide me with more relevant stories on Edge's homepage, more relevant search results in Bing and more relevant advertising on my Windows Start menu? And of course, I'm not being facetious when I say that many Windows users might actually want all of that. I get it. You know, just as many may have been enjoying having Candy Crush Soda Saga or whatever all that flippy tile nonsense is under Windows 10, along with Xbox crap that refuses to be removed. I've never owned an Xbox, but it has taken up residence on my Start menu nevertheless. It seems clear that an alternative view of Windows is apparently an all-encompassing, deeply connected entertainment portal that also has some productivity applications, and really that's fine. It's just not for me.
02:20:38
I mentioned a while back about the eventual move I would make to Windows 10 when I finally decide to retire this Windows 7 machine that still works great. I was briefly thinking that a server edition might allow me to avoid all of this commercial crap before I remembered that I had tried that years ago, when I wanted my desktop to be running the identical code as GRC's servers, but I had encountered many instances of desktop software refusing to install on server editions. Some of our listeners have since suggested that I take a look at the enterprise editions of Windows 10, explaining that, unlike even the professional editions, the enterprise editions are also free of Xbox and other unwanted nonsense. As I was digging around the Microsoft documentation, I was encountering all of the places where Microsoft has been and is installing AI. Microsoft is essentially AI-izing every nook and cranny of Windows 11 and their Office suite. I have no doubt that a memo went out a year or two ago stating that AI was coming and that it was the future and that once it had arrived, it was here to stay. Therefore, every single Microsoft product manager and product planning team within Microsoft was hereby being tasked with figuring out anything and everything that adding AI to their offerings could do, and then to get going on implementing all of that immediately. What that will turn Windows into? You know what?
02:22:30
I have no idea. I know that it won't be any machine that I'm sitting in front of while I produce these weekly Security Now podcasts, nor while I'm working on code for the DNS Benchmark, the Beyond Recall product, or SpinRite's 7, 8, and 9 and beyond, but it's also clear that I need to stay in touch with the frontier, or, as many have called it, the bleeding edge. For now, I want to be certain that those listeners of ours, and I know there are many of them, who may also dislike the idea of Microsoft sharing their Office content with their AIs in the cloud, while acknowledging that this is being done by default and that in many cases the data is being retained indefinitely, will at least be informed of this new behavior and would know that they have the option of deliberately disconnecting their Windows experiences from Microsoft. Before, before we move on, because I know you want to finish this up, but it's not... I think you're implying that this is being used for training LLMs for other people to use.
02:23:46 - Leo Laporte (Host)
I don't think that's what this is. No, this is asking permission, just as a spell checker would do, to train against your own data, right. So a spell checker tells you whether you've misspelled a word. In order to do that, it needs to actually look at the words you're typing. A grammar checker needs to look at the words you're typing.
02:24:06 - Steve Gibson (Host)
That's what it's doing. This comes back to your original assessment of AI, right? It's just a spell checker.
02:24:12 - Leo Laporte (Host)
Well, yeah, I mean. So what Microsoft's offering you with these things is, you're designing a PowerPoint, it's kind of Clippy on steroids. You're designing a PowerPoint and it says, hey, you know, I see what you're trying to do here. Would you like this image? It's that kind of thing. I will have to check into this. I don't think it's sending it to their... You know, a lot of content is, you know, LinkedIn content is being sent to train LLMs. You know, the New York Times is suing because they say OpenAI used it to train LLMs. I don't think that's what this is. We'll have to check in more detail.
02:24:47 - Steve Gibson (Host)
About how much containment of the data they say they'll retain it because that's information you've provided.
02:24:54 - Leo Laporte (Host)
That you just like a cookie is that might be useful down the road.
02:24:58 - Steve Gibson (Host)
Well, all of your previous documents that have been used to train an AI model that they maintain, I guess.
02:25:06 - Leo Laporte (Host)
Yeah, but the real question is is it the AI model that is going to be used by others which I don't think it is, because that would immediately be a problem in all businesses or is it an AI model that you will then be able to use for yourself?
02:25:18 - Steve Gibson (Host)
Yeah, probably we need to look at the terms of service and actually read the fine print.
02:25:24 - Leo Laporte (Host)
I'll ask Paul and Rich tomorrow, but my sense is it's not, you know, going to send it out to their own LLM servers and train their own servers. Well, that would exfiltrate your own data. It is basically for your use, just as a spell checker or grammar checker is for your use.
02:25:42 - Steve Gibson (Host)
Well, they're retaining something, and they're saying that they're retaining, so it is being sent to them. Yeah, after performing... they don't do it.
02:25:50 - Leo Laporte (Host)
They don't, after performing a function to help you accomplish a task, but there are a few exceptions. They retain your content for as long as your account exists, implying that it's attached to your account, right, and it's used to support, personalize or improve that connected experience. Your experience, in other words, not for other people. But I will check into that because I think it's an important distinction. It's like Clippy. Clippy in the day would have asked the same permissions. Hey, I'd like to keep track of everything you're doing so I can offer you suggestions. It's like that, except it's on steroids, right? Right. Anyway, we'll find out.
02:26:25 - Steve Gibson (Host)
Anyway, I was done. I just wanted to wish all of our listeners who celebrate Thanksgiving, and I know Leo and all the TWiT crew join me in wishing everyone the best holiday, and with this particular opportunity to spend time, which is precious, with your family and friends.
02:26:41 - Leo Laporte (Host)
And don't argue about things, and we'll be back in December for more. And tell them to use a password manager. Thanks, Steve, have a great Thanksgiving, all our love and best wishes to you and Lorrie, and have a great time, and we'll see you in December. Yay, which is only a week away.
02:26:58 - Steve Gibson (Host)
It's next week.
02:26:59 - Leo Laporte (Host)
Don't get too concerned about that, we'll see you next week. Thank you, Steve. You can watch Security Now as we do it live every Tuesday right after MacBreak Weekly. That's roughly 1:30 pm Pacific, 4:30 Eastern, 21:30 UTC, and we stream live on, yes, eight different channels now.
02:27:19
Our Club TWiT members can watch and chat along with us in Discord, but there's also a YouTube channel dedicated to TWiT Live. That's youtube.com/twit/live. You can chat there too. We have chat there too, as we do on X.com, as we do on Facebook.com. We stream live and you can chat with us live there. I see TikTok occasionally, TikTok commenting coming through, kick.com. All of these have chats associated with the video, and I have a unified chat where I can see all of it. Have I left anybody out? TikTok, X, Kick, Facebook, LinkedIn, YouTube. Oh, Twitch.tv, I left them out. You can also chat there. That's if you're watching live. Now,
02:28:02
most people don't watch live, they like to watch after the fact. That's why we put copies of the show on our website, twit.tv/sn. We have audio and video. Steve also has a show on his website, grc.com. He has an unusual version, a quarter-bandwidth, 16 kilobit version for the bandwidth impaired. He also has human-written transcripts, which are very good. Elaine Farris does those, so you can read along as you listen. Or, as Steve talked about last week, you can use it to search. And he has a 64 kilobit audio. That's all at grc.com. While you're there, check out SpinRite version 6.1, the world's best mass storage performance enhancer, recovery utility and maintenance utility. It does all of that, and if you have an earlier copy you can get 6.1 for free. If you don't, get it now, because if you've got mass storage, you need SpinRite. Lots of other free stuff at the site, including ShieldsUP, which is a great way to test your router. I really love his new ValiDrive, which tests USB thumb drives that you buy on Amazon to make sure they actually have the storage capacity that is claimed. Surprisingly often they do not. ValiDrive will do that, and that's absolutely free, plus lots of other freebies, fun information. Steve's site's really great, grc.com.
02:29:24
One more thing on our site, actually, two more things. One is, are we doing a Best Of, Anthony, for this show? I think we are, for the holidays. Yes, we are. So if you have a moment on this show from 2024 that you thought was, oh, we've got to redo that, we're looking for little clips to put in our year-end Best of Security Now.
02:29:44
All you have to do is go to the website twit.tv/bestof. Give us as much information as you know, but don't get thrown by the form, because we're asking for everything, but you don't have to give us everything. Even just say, hey, that time when Steve and Leo tried to do the Vulcan salute, I remember that, that was great. Even that's a good start. If you remember the day, the time of year, the climate, whatever, that will help us do a Best Of. It's a lot of work, but our team likes to put those together. Well, we don't know if they like it. We make them put those together at the end of every year so we can give the staff the holidays off. Help us do that. The other thing I'd like you to do is go to our Club TWiT page, twit.tv/clubtwit.
02:30:27
There's some new things in Club TWiT. If you're not a member, we now offer a two-week free trial, which is a great way to see what you get for your seven dollars a month. You could also, when you sign up, you'll be getting a code that is a reference code, and every single person who signs up using your code gives you a free month. Do they get anything? They get like a discount or anything for using your code? Hey, it doesn't matter. They get the excitement, the thrill, the satisfaction, the deep-rooted satisfaction of knowing they're a member of Club TWiT, the best podcast network in the world. Seven bucks a month gets you ad-free versions of all the shows, extra content we don't put anywhere else, cries from my cat down the hall. Actually, everybody gets that. Please join the club. It helps us financially.
02:31:17
It looks like 2025 is going to be even rockier than 2024 was. The good news is the club now pays about half of our payroll, which is fantastic. Thank you. Help us out. twit.tv/clubtwit. Seven bucks a month. It's worth it for the great content, right? Thanks to Anthony Nielsen, who's filling in today for Benito Gonzalez, who's taking some time off for the holidays. Appreciate your work, Anthony. Thanks to everybody for joining us, and I hope you will tune in next time, next week, for Security Now. Bye-bye.