Security Now 1003 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

00:00 - Leo Laporte (Host)
It's time for security. Now Steve Gibson is here, we're going to respond, or at least get Microsoft's response to Steve's episode last week. They say no, we don't use your data to train AI. What is a digital epileptic seizure? And why does your self-driving vehicle have fits when it approaches an emergency vehicle? Do you use Zello Time to change the password? And then we're going to talk a little more about our favorite friend, the farthest object humanity has ever put in space, Voyager 1, now nearly a light day away. It's going to be another great Security Out episode coming up next

00:45 - TWiT.tv (None)
Podcasts you love. From people you trust. This is Twit.

00:55 - Leo Laporte (Host)
This is Security Now with Steve Gibson, episode 1003, recorded Tuesday December 3rd 2024. Tuesday, december 3rd 2024. A light day away. It's time for Security Now, the show. We cover your security, your privacy online, how things work. What's a great book to read when you're trying to get some sleep and you don't want to, and I don't know all sorts of stuff. What's a good show to watch? What's a good vitamin to takeve? Gibson is a polymath. He, uh, he knows everything and tells all on the show. Hello, steve, great to be with you again for episode 1003.

01:33 - Steve Gibson (Host)
Yikes, and it's still. I look at these four digits and I think wow, okay, we're getting used to it now, though it really does feel like somehow a lot more than just three digits, which is a cliffhanger there for a while, but we made it over the cliff and we're still flapping.

01:51
We've got a bunch of fun stuff to talk about. Microsoft makes very clear what data they are not going to be using to train their AI models, so we're revisiting that topic that we touched on last week. Also, what's a digital epileptic seizure, what induces them and why you don't want your self-driving car to?

02:14 - Leo Laporte (Host)
have one no.

02:16 - Steve Gibson (Host)
Yes, we've got a public plea for help in the form of volunteer bridge servers being asked for by the tor network that we're going to talk on and explain. Um, also, if you're one of the 140 million zello users, you should heed their notice to change your password zello or zell later zello.

02:43
I had to double check that too, and in fact, some of the reporting, I think. I think the reporters are so used to typing zelle z-e-l-l-e that some of the text was mixed up. So it's zello which is a. It's a push to talk app for for smartphones.

03:00 - Leo Laporte (Host)
They have that many users 140 million, 140 million holy cow, nobody wants to dial a number.

03:06 - Steve Gibson (Host)
So, yeah, apparently you just press it, press the screen and you get to talk to your mom, I don't know. Anyway, the us federal trade commission opens a broad antitrust investigation into whether microsoft has been naughty or nice. A new form of android smartphone scareware which is really sort of interesting. At first glance it simulates a seriously malfunctioning, cracked and broken screen and scares people into like oh no, yeah, getting tech support. It's a struggle. It really is. And when you see it I got a picture of it in in the show notes it's like whoa, okay, that would freak me out. Anyway, it's almost certainly positively and completely safe to leave WireGuard open and listening for incoming connections Almost Is almost certainly positively and completely safe. Safe enough for you. We're going to look at that. Um, if the internet fills with ai output, what happens when ai starts training on that? It seems that we know that some experiments have been done and it's not looking good. It's not good. We're gonna lose some very popular dog breeds, among other things.

04:23
Last, last week, australia passed the social media age restriction law. Now what? And finally, we're going to talk about once again one of our sort of favorite side topics Voyager 1. Not only is it now nearly an entire light day away Think about that, it takes a day. That's amazing, like that's how far out it is it is beginning to have some harder to remotely repair problems.

04:56
There was so much interesting science and engineering shared in the last week that I thought, okay, this is just, it's just cool stuff. I mean, it's like you know, we're beaming up and we're doing a warp drive and all this crap that we can't have phaser beams. No, we don't have any of that. What we actually have is a shockingly well-designed piece of hardware from the 70s 70s that is still going. So, and of course, we do have our a great picture of the week. I've already had some feedback from people I haven't looked and uh, yeah, uh, and so I think a great show for everybody, probably worth your time while you're mowing your lawn or commuting to work or walking your dog, whatever you're doing.

05:40 - Leo Laporte (Host)
I always, every time you do a voyager segment, I always call it V'ger and I should clarify that after the first one I looked it up and the V'ger from Star Trek is actually supposedly the worst movie ever made. Is that the one where Spock dies?

05:56 - Steve Gibson (Host)
I can't remember, no no, that was a good one, that was the good one.

05:59 - Leo Laporte (Host)
I think that might have been. The Wrath of Khan V'ger was the first one.

06:02 - Steve Gibson (Host)
Maybe, yeah, oh it was the first and they had bad uniforms and it's like what happened? You know.

06:08 - Leo Laporte (Host)
I remember watching, though, and being so thrilled when that elevator opens and there are Kirk and Spock and McCoy, and it was just like, oh, they're back, they're back, yeah. Anyway, veejer from that movie is theoretically Voyager 16. There is no Voyager 16. So the Voyagers we're talking about one and two are not V'ger.

06:32 - Steve Gibson (Host)
Yeah, and I didn't say this and I may forget, so I'll say it now. One does need to wonder, like, why they're expending all this effort. I mean it's done its job, I mean more than it is outside the heliopause. We are getting information. We're getting science data we've never had before. Yeah, but at this point it's clearly just can't. Let's see how it's a flex, what we can do, yeah, exactly what you know. Can we? Can we keep this little sucker aimed at us?

07:07 - Leo Laporte (Host)
they can.

07:08 - Steve Gibson (Host)
That's what's amazing yeah, wait till you hear what they are. Wait, wait till you hear what's happening now oh, I can't wait.

07:15 - Leo Laporte (Host)
Oh, it's going to be a good one. Security now 1003, uh in your ears, uh, and we will get to the first bit in just a bit. But first our first sponsor of the show and the great folks at Melissa. We've been talking about Melissa for years, but they are even older than security now is. They are and have been the trusted data quality expert since 1985. That means next year they're going to celebrate their 40th anniversary. That's really cool.

07:45
What's actually even better is, as the years have gone by, melissa has become more sophisticated, more powerful, more useful. It's done so much more to keep your address book in business, your customer list I should say not really address book, although it's the same thing, right or your supplier list it's the same thing, right, or your supplier list accurate, up-to-date, so that you save money, you save time. Personalization is as important as ever during the holiday season, but if you're offering personalization, it could kind of backfire, because no one wants to be misidentified. That's what Melissa can help with. They have a fluid knowledge base of global names, oh, and even, as important, naming conventions. So if you put in a name associated with a specific country, you can parse it more accurately. For instance, as an example, senora is the first word in some countries and if it is, it would be flagged. They'll say, oh yeah, that's not the first name, that's not her first name, that's honorific, and, and melissa knows that, and much, much more. Melissa's database also has a large list of cultural names, also vulgarities, because you know there's people out there who will try to get an embroidery done with some bad words. Some names might be flagged as valid but need extra checking because for, for instance, it's a celebrity name. Melissa can do all of this with your business names, your customers and your suppliers.

09:14
Be sure to check out Melissa Marketplace too. This is really cool. That's where they offer premium third-party data on demand to improve campaign performance. They have data visualization tools in there. They have data visualization tools in there. They have business decision tools in there. And here's a very good bit of news Melissa now offers transparent pricing for every one of its services. So no more guesswork when estimating your business budget. You'll know exactly what it's going to cost to use Melissa day in, day out. And of course, I shouldn't even have to say this, but I want to reassure you.

09:45
Melissa uses secure encryption for all your data, for file transfers. Their information ecosystem is built on the ISO 27001 framework. They adhere to GDPR policies, soc 2 compliant, so your data is safe. Whether you need the full white glove service or just the nuts and bolts, melissa is the best choice for your enterprise. Get started today with 1,000 records cleaned for free. Get your address records in order with Melissa. Melissacom slash twit. M-e-l-i-s-s-a. Melissacom slash twit. We thank them so much for supporting security now, and you support us when you use that address so that they know you saw it here. Melissacom slash twit. We thank him so much for supporting security now and you support us when you use that address so that they know you saw it here. Melissacom slash twit. All right, I'm ready for the picture of the week, mr gibson so this one.

10:36 - Steve Gibson (Host)
I gave it the caption and not for the first time. We've had a few other, uh, ironic pictures, I, but I've called this one irony defined. All right, I'm scrolling up, that's gotta be.

10:53 - Leo Laporte (Host)
That can't be.

10:55 - Steve Gibson (Host)
That's hysterical it is just too fun.

10:58 - Leo Laporte (Host)
It's too fun go ahead, read it for us, for those not watching the video.

11:03 - Steve Gibson (Host)
Right, and so what I clipped out of the photo? One of our listeners sent me what looks like his camera screen.

11:14 - Leo Laporte (Host)
So this is real.

11:15 - Steve Gibson (Host)
I think it's real. Wow, we're looking through a glass door into a region behind which we learn is because of the headline on the sign that's been posted on this glass door. This is the mall maintenance shop. So it's some sort of like a large mall and it looks authentic. You can see a very long ladder, an extension ladder. Against the far wall. There's some coiled up stuff in the foreground Looks like an industrial tile, cleaner kind of thing. So I mean this looks like the real deal. This is clearly a mall like some large retail mall maintenance shop, and the sign brags about their capabilities, saying we can repair anything, but then it says in parentheses below that please knock hard on the door.

12:17 - Leo Laporte (Host)
the bell doesn't work okay, so they probably have a good sense of we haven't gotten around to fixing the bell yet.

12:27 - Steve Gibson (Host)
But other than our own bell, if you've got something broken, we'll fix it. I love it. Yeah, and it would be really fun I agree with you, Leo to learn the actual backstory here. It may just be a crusty old guy who's got a great sense of humor, as you say, but I have a feeling that the bell doesn't work.

12:48 - Leo Laporte (Host)
No, I think it's true in that respect.

12:50 - Steve Gibson (Host)
Maybe there isn't even a bell felt the need to clarify what had become the widespread misapprehension that they would be training their AI models against the private and personal data of their office product users. And of course, we looked at that speculation behind that last week. So the day after we did so, last Wednesday, bleeping Computer did a great job of summing up the situation, so I'm just going to quote. I've edited what they said, but you'll get the gist. They wrote Microsoft has denied claims that it uses Microsoft 365 apps, including Word, excel and PowerPoint, to collect data to train the company's artificial intelligence AI models. This comes after a Tumblr blog post spread on social media claiming that Redmond used their connected experiences feature to scrape customers' Word and Excel data for AI training. And, by the way, paul was correct on Windows Weekly the day after our last podcast saying that nowhere did any of Microsoft's own documentation ever say that it didn't use the word AI training. So that was a presumption.

14:18
A Microsoft spokesperson told Bleeping Computer, quote Microsoft does not use customer data from Microsoft 365 consumer and commercial applications. Now I should just mention I wish that the person hadn't put that caveat in. They should have just said Microsoft does not use customer data from Microsoft 365 applications. Why say consumer and commercial applications? You know it's like a little. Are they hedging, I don't know? Anyway, to train large language models. Additionally, the connected services setting has no connection to how Microsoft trains large language models. Okay, so that's good. So the company also told Bleeping Computer that this optional setting has been on by default since it was first made available in April of 2019. So five years ago always been on.

15:15
Bleeping Computer was also told quote the connected experiences feature enables features like co-authoring, real-time grammar suggestions and web-based resources and, leo, this is precisely the assumption you were making. Also last week, they said these features are on by default because they're features people naturally expect in a cloud-connected productivity tool. However, customers always have control, they wrote, and can adjust their connected experiences settings at any time, unquote. So, as Microsoft explains on its support website, the feature is used to first provide design recommendations, editing suggestions or data insights based on the office content through features like PowerPoint Designer or Translator, and it also downloads online content, templates, images, 3d models, videos and reference materials, including, but not limited to, office templates or PowerPoint Quick Starter. To toggle this feature off, microsoft 365 users have to open their Office apps like Word or Excel and choose whether to enable or disable experiences that download online content or analyze their content under connected experiences, after going to the file account account privacy manage settings menu. So, as we said last week, privacy manage settings menu. So, as we said last week, so quoting them, the connected experiences setting enables cloud-backed features designed to increase your productivity in the Microsoft 365 apps like suggesting relevant information and images from the web, real-time co-authoring and cloud storage, and tools like Editor in Word that provide spelling and grammar suggestions.

17:08
Microsoft has been using their AI in Microsoft 365 for years Now. Maybe that's where some of this confusion comes in, because they're calling spellcheck AI. So this is them saying Microsoft has been using AI in Microsoft 365 for years to enhance productivity and creativity through features like designer and PowerPoint, which helps create visually compelling slides, and editor in Word, which provides grammar and writing suggestions. You know that's not today's definition of AI, but they then said these features do not rely on generative AI or large language models, but rather use simpler machine learning algorithms. Unquote so Bleeping Computer says. At the end, microsoft added that the setting has been available since April 2019, with enterprise admins having the option to choose if connected experiences are available to users within their organizations using multiple policy settings designed to manage privacy controls for Microsoft 365 apps and Office for Mac, ios and Android devices. Microsoft 365 apps and Office for Mac, ios and Android devices. So, ok, I'm certainly all of us, I'm sure glad for the clarification. Whatever Microsoft is doing exactly, and, unless anything has changed recently, it's been doing whatever it is for the past five years. It's always been on by default, you know, like grammar and spelling suggestions, and anyone who isn't comfortable with this is free to turn it off if they wish. If nothing else, it seems very clear that this has nothing whatsoever to do with Copilot Plus and any of the recent concerns over Microsoft's AI being used to otherwise enhance their users' experiences, and it's one thing to be mistrustful and another thing to accuse them wrongly. We can certainly have one without the other.

19:15
Given what I've witnessed firsthand of what they've done to Windows' Start Menu, tray and Edge, none of which enhances my own use of Windows, I'm obviously not a big fan of the direction they're taking their consumer desktop. Nevertheless, make no mistake, I love Windows. So I got some feedback from people saying wow, you know, if you're so unhappy with Microsoft and Windows, why are you still using it? I love it. You know I mean for my purposes it's far better than any alternative and I'm hopeful that when I set up my next Windows desktop, my Microsoft developer access to the enterprise edition of Windows 10 will provide me with the cleaner experience that I look for in what I consider to be a tool rather than a toy. You know, I just don't have any interest in Windows being a toy with, you know, offering me Candy Crush, soda Saga and Xbox features on my start menu in addition to everything else. They've done so anyway.

20:22
You know Microsoft is obviously very sensitive to all of this, after the pushback and concern that the industry showed with their stumbling rollout of what they plan to do with recall in Copilot Plus, going to great pains to calm people and there's every reason to believe this is just grammar and spelling checking. It is worth noting that in bleeping computers coverage, they don't talk about the fact that Microsoft does say whatever it is they're doing with connected experiences. There are those where they're collecting data over the lifetime of the user's account, so maybe that's just they're learning what spelling mistakes people always make, or they're learning the grammar of the user and getting better at helping them to correct themselves. You know that's what I presume. But we did learn last week that from their own statements that there is something that continues to exist at their end in the cloud on a per user account basis, presumably helping it to do a better job with those things that it's been doing for the last five years, and unfortunately they call that AI, which nobody else bothers to.

21:52
Okay, so I was put onto some new research from our friends at the Ben-Gurion University of the Negev and Fujitsu research by both groups, that's, by one of the researchers who's also one of our listeners, ben Nassi. The title of their 21-page paper is Securing the Perception of Advanced Driving Assistance Systems Against Digital Epileptic Seizures Resulting from Emergency Vehicle Lighting against digital epileptic seizures resulting from emergency vehicle lighting. Okay, now, I suppose it's unavoidable to anthropomorphize driving assistance systems, but somehow calling this problem digital epileptic seizures rubs me the wrong way. You know the overlap in. Apparently, this behavior is the flashing of lights which, as we know, can trigger human actual epilepsy, epileptic seizures. So they're saying that auto driving systems don't like lights flashing either. Anyway, I'm not sure what bothers me about it, but something does. In any event, it turns out that driving assistance systems do have a problem with the flashing lights used by emergency vehicles.

23:12
Wired has a nice summary of the very good research this group has just conducted and published under Wired's headline. Emergency vehicle lights can screw up a car's automated driving system With the subhead. Newly published research finds that the flashing lights on police cruisers and ambulances can cause and here we go, you know quotes digital epileptic seizures unquote in image-based automated driving systems potentially risking wrecks. And actually, apparently there have been 16 instances that have been seen so far. Anyway, wired, we'll get to that. Wired wrote.

23:53
Car makers say they're increasingly sophisticated.

23:57
Automated driving systems make driving safer and less stressful by leaving some of the hard work of knowing when a crash is about to happen and avoiding it to the machines.

24:09
But new research suggests some of these systems might do the virtual opposite at the worst possible moment. A new paper from researchers at Ben Gurion University of the Negev and the Japanese technology firm Fujitsu demonstrates that when some camera based automated driving systems are exposed to the flashing lights of emergency vehicles, they can no longer confidently identify objects on the road. The researchers call the phenomenon a digital epileptic seizure epileptic car for short where the systems trained by artificial intelligence to distinguish between images of different road objects fluctuate in effectiveness in time with the emergency lights flashes, the effect is essentially I'm sorry, is especially apparent in darkness. The researchers say, and that kind of makes sense, you know, much greater contrast there. Emergency lights, in other words, could, writes, wired, could make automated driving systems less sure that the car-shaped thing in front of them is actually a car. The researchers write that the flaw quote poses a significant risk unquote because it could potentially cause vehicles with automated driving systems enabled to crash near emergency vehicles and be exploited by adversaries to cause such accidents.

25:40 - Leo Laporte (Host)
You know it's interesting, because a lot of Teslas have crashed into emergency vehicles, exactly Maybe we now know why Exactly, they said.

25:50 - Steve Gibson (Host)
While the findings are alarming, this new research comes with several caveats. For one thing, the researchers were unable to test their theories on any specific driving systems, such as Tesla's famous Autopilot. Instead, they ran their tests using five off-the-shelf automated driving systems embedded in dash cams purchased off of Amazon. And Wired said friends, these products are marketed as including some collision detection features, but for this research they function as cameras. They then ran the images captured on those systems through four open source object detectors, which are trained using images to distinguish between different objects. The researchers are not sure whether any automakers use the object detectors tested in their paper. It could be that most systems are already hardened against flashing light vulnerabilities. Okay, now to me. While this might appear to render the value of this research more questionable, there was at least some good reason to wonder, and the researchers findings bore this out. Wired says the research was inspired to your point, leo right by reports that Tesla's, using the electric car makers advanced driver assistant feature, autopilot, collided with some 16 stationary emergency vehicles between 2018 and 2021, says Ben Nassi, a cybersecurity and machine learning researcher at Ben Gurion University who worked on the paper. Quote it was pretty clear to us from the beginning that the crashes might be related to the lighting of the emergency flashers. Ambulances, police cars and fire trucks are different shapes and sizes, so it's not the type of vehicle that causes this behavior. In other words, you know, these guys started by probably correctly inferring that you know. Okay, what is it that is unique about these emergency vehicles that Teslas keep crashing into? Well, they've got flashing lights.

28:10
So a three-year investigation, writes Wired by the US National Highway Traffic Safety Administration into the Tesla emergency vehicle collisions, eventually led to a sweeping recall of Tesla autopilot software, which is designed to perform some driving tasks like steering, accelerating, braking and changing lanes on certain kinds of roads without a driver's help. The agency concluded that the system inadequately ensured drivers paid attention and were in control of their vehicles while the system was engaged. They said other automakers advanced driving assistance packages, including General Motors Super Cruise and Ford's Blue Cruise, also perform some driving tasks, but mandate that drivers pay attention behind the wheel. Unlike autopilot, these systems work only in areas that have been mapped pilot. These systems work only in areas that have been mapped.

29:09
In a written statement sent in response to Wired's questions, lucia Sanchez, a spokesperson for the NHTSA acknowledged that emergency flashing lights may play a role. She said, quote we're aware of some advanced driving assistance systems that have not responded appropriately when emergency flashing lights were present in the scene of the driving path under certain circumstances. Unquote. Tesla, which disbanded its public relations team in 2021, did not respond to Wired's request for comment. The camera systems the researchers used in their tests were manufactured by HP, pelsi, asdome, imagebon and Rexing. None of those companies responded to Wired's request for comment.

29:57
Although the NHTSA acknowledges issues in quote, some advanced driver assistance systems, the researchers are clear they're not sure what this observed emergency light effect has to do with Tesla's autopilot troubles. Ben Nassi said I do not claim that I know why Teslas crash into emergency vehicles. I do not know even if this is still a vulnerability. Unquote. The researchers' experiments were also concerned solely with image-based object detection. Many automakers use other sensors, including radar and L, but also here we go completely autonomous vehicles. Oh boy. Last month, tesla CEO Elon Musk said the automaker's vision-based system would enable self-driving cars next year.

31:11 - Leo Laporte (Host)
He's been saying that for 10 years 2025, baby. It's been next year for at least six years. That's right.

31:18 - Steve Gibson (Host)
Indeed, they wrote. How a system might react to flashing lights depends on how individual automakers design their automated driving systems. Some may choose to tune their technology to react to things it's not entirely certain are actually obstacles. In the extreme, that choice could lead to false positives, where a car might hard brake, for example, in response to a toddler-shaped cardboard box. Others may tune their tech to react only when it's very confident that what it's seeing is an obstacle. On the other side of the extreme, that choice could lead to a car failing to brake to avoid a collision with another vehicle because it misses that this is another vehicle entirely.

32:04
The Ben-Gurion University and Fujitsu researchers did come up with a software fix to the emergency flasher issue. It's designed to avoid the seizure issue by being specifically trained to identify vehicles with emergency flashing lights. The researchers say it improves object detectors accuracy. Erlens Fernandez, an assistant professor of computer science and engineering at University of California, san Diego, who was not involved in the research, said it appeared sound. He said, quote just like a human can get temporarily blinded by emergency flashers, a camera operating inside an advanced driver assistance system can get blinded temporarily emergency flashers, a camera operating inside an advanced driver assistance system can get blinded temporarily. For researcher Brian Reamer, who studies vehicle automation and safety at the MIT Age Lab, the paper points to larger questions about the limitations of AI-based driving systems. Automakers need repeatable, robust validation to uncover blind spots, so to speak, like susceptibility to emergency lights. He says he worries some automakers are moving technology faster than they can test it. Okay, so my own take is that this sort of research conducted by independent researchers is vitally important. It needs to be done.

33:35
It's obvious that the various car manufacturers are holding their cards and their cars very close to their vests. They understandably consider their future auto driving technology to be ultra proprietary, and because they want the best and no one else's business. Yet flesh and blood, human beings and pets are moving within the same space as these autonomous, high speed rolling robots. As these autonomous, high-speed rolling robots, it's a recipe for disaster, and this has the feeling of being driven by the same sort of gold rush mentality as the push for general artificial intelligence. So the headlines that these researchers have generated will doubtless, if nothing else, induce all of the developers of similar self-driving technology that actually is being fielded to consider and test the effects of bright, flashing lights on their driving AI, the lives of people and pets have probably been saved.

34:38
So hats off to these guys, and I have links to their 21-page paper where they really dig into the technology. They show the operation of the AI learning neural networks and just how badly they are upset by flashing lights. So this has absolutely been useful for the long-term safety of vehicles. And again, I I just think that because the the proprietary interests of automakers is to keep their stuff, you know, proprietary, not open. This limits what researchers are able to test, but but this kind of research is, I think, vitally important. And, leo, I I know that you've had a tesla for quite a while and well, we got rid of it.

35:34 - Leo Laporte (Host)
Yeah right, so used to call it christine, because it would drive her into things and then do exactly what they were talking about, which was just stop randomly, know, screech to a halt as if it had seen something you know, and I think that that's the same. You know the flip side of that coin, right?

35:53 - Steve Gibson (Host)
Yeah, I have a. I finally replaced my 21 year old uh BMW uh and I have a car that's got sensors too, and when I'm backing up I have garages in both locations where there's not a lot of space and it's going dinging and donging and buzzing and it actually creates anxiety in me because I'm thinking it's seeing something I don't know about.

36:21 - Leo Laporte (Host)
Lisa says she, literally. I have a BMW I, i5, which is a very highly technically advanced machine, an ev, and she won't. Uh, she says back out of the garage before I get in because it makes me crazy, all the beeps and the boops, and I have a heads up display, you know, from 2001, a space odyssey showing me the, the different vectors and synthetic imaging generation and it overlays all sorts of stuff on top of it.

36:50
But I've learned what to pay attention to and whatnot, and you can see why, at least for now, ai is not good enough to replace a human. It's a nice pal, it's useful replace a human. It's a nice pal.

37:04 - Steve Gibson (Host)
Yes, and the problem is, everybody you know there is clearly a rush to the promise of this your car can drive itself. Yeah, and you know it does. It feels like that. You know they're always going to be pushing ahead of the envelope that they should stay in, and it's, you know, research like this, that this, that this you know is, is the only place we get an independent reality check. And so, even though they weren't able to actually train on on infield self-driving technology, you know they were able to look at similar systems and say, uh guys, there seems to be a problem with flashing lights over here there seems to be a problem with flashing lights over here.

37:48 - Leo Laporte (Host)
Well, I hate to say it, but anytime I hear the words elon musk said, I discount most of what follows.

37:52 - Steve Gibson (Host)
Because he is, he's a marketer, he's a monster we too have been trained by elon musk to discount to discount everything he does at the same time, you know, he lands, he captures, returning rocket boosters with chopsticks, and you know, and folding, fold out legs, and you know, and he, you know, starlink is providing internet connectivity to people who would otherwise never have it.

38:18 - Leo Laporte (Host)
Yeah, I mean, this is our backup when Comcast goes down, which they do sadly, sadly, a little more often than a, a podcast network would like. Uh, if it autumn ubiquity fails over to the satellite dish on the roof right up here. Yeah, and it's. It's, by the way, it's very reliable, even in rain and it's. It's really pretty amazing how well that works. So I'm not saying saying that Elon's companies don't produce good products. I'm just saying he is, like most marketers, prone to overstating things.

38:50 - Steve Gibson (Host)
Okay, we're 35 minutes in, let's take a break, and then we're going to talk about the Tor network and how they need you.

38:58 - Leo Laporte (Host)
They need me to operate a Tor node? I'm guessing, but we'll see All right. First, though, a word from our sponsor and this segment of security now brought to you by Big ID. I really like this company. They are the leading DSPM solution. What is DSPM? You ought to know. Actually, data security, posture management. If you're in business, if you run an enterprise shop, you know you need DSPM.

39:28
Bigid is the first and only DSPM solution to uncover dark data, to identify and manage risk, to remediate the way you want. Doesn't tell you what to do, gives you the options to scale your data security strategy through unmatched data source coverage, and it becomes especially important in the AI era, when you have, and your company, training your own AIs on data from the company. You want to make sure that you train it on the data that's appropriate to train it on and not train it on the data you don't want it to be trained on. Bigid helps with that. Bigid seamlessly integrates with your existing tech stack. It allows you to coordinate security and remediation workflows because, with BigID, you can take action on data risks and, as I said, you decide, annotate, delete, quarantine, whatever you want based on the data, all while maintaining an audit trail, which is so important for compliance. Bigid has some of the biggest companies in the business using its service. Now uses Big ID Palo Alto Networks, microsoft, google, aws, and on and on and on. With Big ID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data.

40:45
Think about companies. You know, usually legacy companies, companies have been business for a long time that have data in a variety of different places. No one probably in the world has data in a broader variety of places than the United States Army. Right, they use Big ID yeah, the Army does to illuminate dark data, to accelerate cloud migration that's, by the way, a mandate right throughout our entire military infrastructure. Get up into the cloud. They help the Army minimize redundancy. They help it with automated data retention. Here's a quote this is gold from the US Army Training and Doctrine Command. The first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data, across emails, zip files, sharepoint databases and more, to see that mass and be able to correlate across all those completely novel. I've never seen a capability that brings this together like Big ID does. Boy, you've got to do something special to get US Army Training and Doctrine Command to say something that nice. That is high, high praise.

42:00
Cnbc recognized Big ID as one of the top 25 startups for the enterprise named to the Inc 5000 and Deloitte 500. For two years in a row. They're the leading modern data security vendor in the market today. In fact, when you think DSPM, you should really be thinking BigID. The publisher of Cyber Defense Magazine says BigID embodies three major features we judges look for to become winners Understanding tomorrow's threats. Today, that's one Providing a cost-effective solution Of course, that's always important and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the breach.

42:39
You got to know where your data is. You got to know what's going on out there, right? Big ID will help you start protecting your sensitive data wherever your data lives Very important in this AI age as well. Go to bigidcom security now. Bigidcom security now you can get a free demo. See how Big ID can help your organization reduce data risk and accelerate the adoption of generative AI. That's BigID, b-i-g-i-d, bigidcom slash security Now they actually have a number of reports, if you go to that website that are free, that you can download white papers, including one that provides insights and key trends and issues on AI adoption challenges, the overall impact of generative AI across organizations Very helpful and it ties right into BigID's mission BigIDcom slash security now. We thank you so much for your support, bigid, and we invite all of our listeners and viewers to support us by going to that address so that they know you saw it here BigIDcom slash security Now. Steve.

43:49 - Steve Gibson (Host)
Okay. So last Thursday, the Tor network posted their plea for volunteer help. They wrote recent reports from Tor users in Russia indicate an escalation in online censorship with the goal of blocking access to Tor and other circumvention tools. This new wave includes attempts to block Tor bridges and pluggable transports developed by the Tor project, which I'll explain in a second, removal of circumvention apps from stores stores and targeting popular hosting providers, shrinking the space for bypassing censorship. Despite these ongoing actions, tor remains effective. One alarming trend is the targeted blocking of popular hosting providers online by none other than ross kamnadzor I'll put an echo on it for the next time as many circumvention tools are using them.

44:52
this action made some tor bridges inaccessible to many users in russia.

44:59
As ross kamnadzor, the internet service providers in in Russia are increasing their blocking efforts, the need for more web tunnel bridges has become urgent. Ok, so they say why web tunnel bridges, and I'll explain a little bit about what they are in a second. They wrote web tunnel is a new type of bridge that is particularly effective at flying under a sensor's radar. Its design blends itself into other web traffic, allowing a to prioritize small download sizes for more convenient distribution and simplified the support of micro TLS integration, further mimicking the characteristics of more widespread browsers. This makes WebTunnel safe for general users because it helps conceal the fact that a tool like Tor is being used. Because it helps conceal the fact that a tool like Tor is being used, we're calling on the Tor community and the Internet Freedom community to help us scale up web tunnel bridges. If you've ever thought about running a Tor bridge, now's the time. Our goal is to deploy 200 new web tunnel bridges by the end of this December 2024, to open secure access for users in Russia.

46:30 - Leo Laporte (Host)
So a bridge is not the same as a Tor node, correct?

46:33 - Steve Gibson (Host)
Okay, correct, it is literally a bridge to a node, so it is not itself a node, it is an endpoint, and this is what's so cool which uses technology they call it plug-in protocol technology to hide the fact that what the user is doing that connects to the bridge is using Tor. So, anyway, their posting goes on to explain how to set up and run a web tunnel, among other things. It can be as straightforward as just hosting a Docker image, so I've got a link to this posting in the show notes blogtorprojectorg. Slash call-for-webtunnel-bridges hyphen web tunnel hyphen bridges. Since we haven't looked closely at Tor's web tunnel technology, I wanted to share a bit about it. From their description where it was introduced just last March. It was titled Hiding in Plain Sight Introducing Web Tunnel, and they wrote Today, march 12th, on the World Day Against Cyber Censorship, the Tor Project's anti-censorship team is excited to officially announce the release of WebTunnel, a new type of Tor bridge designed to assist users in heavily censored regions to connect to the Tor network.

48:02
Available now in the stable version of Tor browser, which, as we know, is based on Firefox, webtunnel joined our collection of censorship circumvention tech developed and maintained by the Tor project. The development of different types of bridges are crucial for making Tor more resilient against censorship and stay ahead of adversaries. In the highly dynamic and ever-changing censorship landscape. This is especially true as we're going through the 2024 global election megacycle, the role of censorship circumvention tech becomes crucial in defending internet freedom. If you've ever considered becoming a Tor bridge operator to help others connect to Tor, now is an excellent time to get started, and this was their posting back in March. You can find the requirements and instructions for running a web tunnel bridge in the Tor community portal.

49:00
So what's a web tunnel and how does it work? Web tunnel is a censorship-resistant pluggable transport designed to mimic encrypted web traffic HTTPS. It works by wrapping the payload connection into a web socket-like HTTPS connection, appearing to network observers as an ordinary HTTPS connection. So for an onlooker, without the knowledge of the hidden path, it just looks like a regular HTTP connection to any web server, giving the impression that the user is simply browsing the web. In fact, web Tunnel is so similar to ordinary web traffic that it can coexist with a website on the same network endpoint, meaning the same domain, ip address and port. This coexistence allows a standard traffic reverse proxy to forward both ordinary web traffic and web tunnel to their respective application servers. As a result, when someone attempts to visit the website at the shared network address, they will simply perceive the content of that website address and won't notice the existence of a secret bridge, the web tunnel, and I'll explain a little bit about that in a second.

50:38
They said web tunnels approach of mimicking known and typical web traffic makes it effective in scenarios where there's a protocol allow list and a deny by default network environment. In other words, russia can put up a firewall that only allows web traffic, not Tor, not anything unknown. That is, it's a deny by default. But after all, we need to let people visit websites. Right? This is indistinguishable from someone visiting a website and in fact the sensors can go to the site that they observe Russians going to and they see a website Russians going to and they see a website, whereas the people using this really cool Tor technology see Tor, they said.

51:33
Consider a network traffic censorship mechanism as a coin sorting machine with coins representing the flowing traffic. Traditionally, such a machine checks if the coin fits a known shape and allows it to pass if it does, or discards it if it does not. In the case of fully encrypted, unknown traffic, as demonstrated in the published research, how the Great Firewall of China detects and blocks fully encrypted traffic which doesn't conform to any specific shape. It would be subject to censorship, meaning being discarded. In our coin analogy, not only must the coin not fit the shape of any known blocked protocol, it also needs to fit a recognized allowed shape, otherwise it would be dropped. Recognized allowed shape, otherwise it would be dropped.

52:30
Web tunnel traffic resembling HTTPS web traffic. A permitted protocol will be allowed to pass. So this is so cool. Again, what this means is that any regular website and you don't have to be hosting a website, but you can be can also be hosting a Tor web tunnel at the same IP and same port, side by side, and no one would ever be the wiser, Since in this case, russia or any other censoring regime would be unable to detect that someone is not just visiting a website.

53:09
The traffic would not be blocked. But this also makes it clear that the more pseudo websites are available the better. So if any of our listeners is moved to help the Tor project, and specifically Russian citizens who are unable to see out past their country's censorship, and presumably Chinese citizens as well, which is being enforced, of course, for propaganda purposesCsc, slash Tor. And that will take you to the recent posting that has updated resources, including just a Docker container that you can download if you're interested in exploring this and getting going. But if you've got a Linux system you can install stuff and so forth.

54:07 - Leo Laporte (Host)
It's probably not a very heavy process either, right? I mean it probably doesn't use a lot of CPUs, right, it might use bandwidth?

54:15 - Steve Gibson (Host)
Oh yeah, exactly, bandwidth only very little CPU, because it's just forwarding traffic through Very cool. It's just a forwarding traffic through, very cool. So Zello Z-E-L-L-O is a mobile push-to-talk service used by 140 million first responders, hospitality services, transportation, and family and friends to communicate via their mobile phones using a simple push-to-talk app. The news is that over the past two weeks, starting on November 15th, zello's customers have been receiving legitimate notices from Zello because, of course, everything is suspect these days asking them to change their passwords. The notice reads Zello Security Notice. As a precaution, we're asking that you reset your Zello app password for any account created before November 2nd 2024. We also recommend that you change your passwords for any other online services where you may have used the same password.

55:31
Well, it doesn't take a rocket scientist, nor anyone who's been following this podcast for more than a few months, to know what must have happened over at Zello headquarters, and it's not good news. But Zello is also not saying Bleeping Computer has reached out to Zello and been rebuffed. Customers who received that notice told Bleeping Computer that they had not received any further information from Zello, and Bleeping Computer's repeated attempts to contact the company have gone unanswered. Repeated attempts to contact the company have gone unanswered. So at this point it's unclear whether Zello may have suffered a data breach or a credential stuffing attack, but the notice certainly does imply that threat actors may have access to the passwords of any users who had accounts before November 2nd. Bleeping Computer noted in their reporting of this that Zello had previously suffered a data breach in 2020, which also required users to reset their passwords. Oh great, yeah, I know.

56:36 - Leo Laporte (Host)
It's happened before.

56:38 - Steve Gibson (Host)
Yeah, after Threat, actors stole customers' email addresses and hashed passwords customers' email addresses and hashed passwords. In any event, 140 million users is a substantial user base, as you noted, leo. It's like a big chunk of the US, yeah.

56:55 - Leo Laporte (Host)
I'm surprised, Of course it's global.

56:57 - Steve Gibson (Host)
If our listeners or anyone they know may be affected by it, it would be a good idea to heed this notice. And just a short note that the US Federal Trade Commission has opened an antitrust Microsoft probe, announcing a broad antitrust investigation into Microsoft's business practices. The investigation will cover the company's software licensing practices, cloud computing, cybersecurity and AI business units. The FTC allegedly received complaints that Microsoft was locking in customers. Gee, perhaps like the US government, preventing them from moving to competitors. In September, google filed an official antitrust complaint against Microsoft's cloud business in the EU. So this will be something to keep an eye on, and we don't know what the fate will be. You know nothing. Much will happen right this month and we get new administration in early january, so we don't know what uh approach that administration.

58:08 - Leo Laporte (Host)
uh, you know the the second trump administration will take, so we'll see there's been so much activity from the ftc and other and fcc and the cfpb in the last few weeks and I really feel like they're going. Let's get everything done before the before january 20th but you can't get anything done.

58:25
Right right three in three weeks and then in january 20th. Who knows what's going to happen. I mean, uh, there are plenty of people in the trump administration who don't like big tech, but there are people like elon and uh others who do, and so who?

58:40 - Steve Gibson (Host)
is who is big tech is big tech, so it's really kind of an interesting.

58:45 - Leo Laporte (Host)
Uh, it's really uncertain what's going to happen, right? I don't know if this Microsoft case will go past January 20th. It might not.

58:52 - Steve Gibson (Host)
It just could get dropped in favor, or put on the back burner in favor of what the new administration perceives as more urgent priorities.

59:01 - Leo Laporte (Host)
Yeah, and it's unpredictable. You know, trump has said I hate google the way they're too big, they're big tech. But he's also said but on the other hand, china's afraid of him. So I love google. So you just don't. You just don't know, you don't know what the hell's gonna happen. It's gonna be a interesting few years. That's like it will.

59:16 - Steve Gibson (Host)
Indeed the truth okay, so check out this screen, leo. I've got a picture of it in the show notes.

59:22 - Leo Laporte (Host)
This is unbelievable, yeah.

59:24 - Steve Gibson (Host)
Under the headline you mean this actually convinces someone.

59:28
That's actually my headline. Security researcher, lucas Stefanko, has identified a new form of Android scareware that he refers to as convincing full screen images that resemble cracked or malfunctioning screens, which trick users into calling tech support numbers or downloading malware on their devices. Now I included a photo of this malware in action in the show notes. Now I could see how a neophyte might be led to believe that something has gone very wrong with their phone, because the screen looks like it's no longer even remotely able to display an image, except the only problem exactly the only problem with is that it is, at the same time, having no problem whatsoever. You know, apparently, despite the cracked and malfunctioning screen of displaying the malware's warning pop up notice claiming that a virus has been detected on the handset. So I suppose we'll give them points for coming up with something new it gets your attention, I mean if initially you look at that go oh, I mean, and down there in the lower right I mean, it looks like it looks real, it really does look like.

01:00:57
oh, shoot some. Something bad has happened to my phone. Thank goodness that that notice telling me to click here to remove the virus is still visible, right, wow?

01:01:07 - Leo Laporte (Host)
Now I'm curious, because if you click remove this, is that sufficient? I would think they put a phone number in there or something. I mean, maybe it's just a click It'll run the virus, because you clicked it, right, that's often the case.

01:01:22 - Steve Gibson (Host)
If it said I'm a virus, click me. You'd be disinclined to do that. That's a good point.

01:01:29 - Leo Laporte (Host)
Excellent point. Point well taken, Steve. Maybe I click that.

01:01:36 - Steve Gibson (Host)
I don't think so. Okay, so Matt Warner said hi, steve, regarding your comment about WireGuard's static ports in episode 1002, so last week he said I run WireGuard on an OPN Sense firewall with Securicata and CrowdSec. Watching my WAN interface, neither ShieldsUp nor any other port scanner could find an open port, even when I specify the port number. I don't have WireGuard mapped to a specific allowable IP, because that changes depending on my location. I'm happy to leave this as it is for now, but will certainly change my setup if a new vulnerability surfaces in any of the tools I use. Love the podcast. I look forward to it every week. Okay, so there is no reason to believe that it is not completely safe to leave a WireGuard VPN server running on a firewall such as OPN Sense listening for incoming connections from a WireGuard client. There's no reason to believe that's a problem Until there is Everything we know tells us that this could flip from absolutely safe to oh my God within a single heartbeat of a skilled hacker who, while studying WireGuard's open source code, notices something no one else has that's one of the ways these things happen. Else has. That's one of the ways these things happen. Or perhaps the hacker is throwing nonsense packets at WireGuard's listening service port and one of them suddenly crashes the WireGuard server. That's another way this could happen. The specific packet that crashed the server is then examined and the source of the crash is reverse engineered to create a repeatable working exploit. But it's every bit as true that none of this may ever happen. It's also true that perhaps it can't. The conundrum of security as that could happen does not necessarily mean could happen. Perhaps it really can't. The trouble is, today's systems have become so complex that it's no longer possible for us to be absolutely and mathematically provably certain about the behavior of anything above a distressingly low level of complexity. Today. We just can't know. That's one of the things I'm hoping future AI might be able to help us with. My intuition suggests that this is the sort of thing that ought to be right in AI's backyard, but we don't have that today. What we have today is hope. Hope's better than nothing, but hope is not enough for me. I fully respect Matt's decision and position. It's one that's shared by tens of thousands of others. But my network is not the typical residential network. But my network is not the typical residential network. It's both the development and production arms of GRC. So the stakes for me are higher. I'm not suggesting that my network is utterly impervious to attack, but it's as utterly impervious as I've been able to make it without exception impervious as I've been able to make it without exception. So deliberately exposing a wire guard process, no matter how safe I hope it is, to the public internet would be an exception. I will not make another listener identifying himself as anon reminds us why we trust and should trust wire guard's design. He wrote hi steve.

01:05:53
Regarding the discussion of wire guard and port knocking on this week's security now episode, I just wanted to let you know that it's not really necessary. With WireGuard, the server will not respond to client connection requests at all. He has that in all caps and he's right unless the client provides a public key that the server knows and trusts. This, in addition to the fact that the protocol is UDP-based, means that it's not possible to even know if there is a WireGuard server listening on a specific IP and port unless you already have public key credentials to connect. While it technically would still be possible to have a bug where this can be bypassed, this is very unlikely because this is the first thing the server checks, so the code surface for bugs is minimal. This technicality would also apply to any port knocking techniques, which can have their own bugs in implementation Regards Non Okay.

01:07:07
So Non is 100% correct, and this is why WireGuard represents the best of the best today. Is that good enough? Almost certainly, and his point about the possibility that adding port knocking to introduce an additional layer of pre-wireguard security might itself introduce a new vulnerability is also a keen observation. That could happen. Port knocking is that, from an implementation standpoint, unlike anything like WireGuard that necessarily invokes a huge amount of complexity in order to validate a cryptographic certificate, port knocking adds an appealingly trivial layer of complexity while providing virtually absolute protection. In other words, what might be termed as its security gain is nearly infinite, and the port knocking service is inherently sitting behind the firewall which it's monitoring, so it's much more difficult to see how its failure could do anything other than fail to open a port. And all of this is, of course, what makes the study of security so interesting. So great points from our listeners and, as always, great incoming feedback to securitynowatgrccom. Thank you everybody for that. To securitynowatgrccom Thank you everybody for that.

01:08:50
One of our listeners, richard Craver in Clemens, north Carolina, pointed me at something that was so interesting it needed sharing. First of all, here's what Richard wrote. He said Hi Steve and Leo. I just finished the AGI episode. Interesting to ponder. I personally am not a particular fan of AI in general as I see it as crowdsourcing knowledge. That may or may not be correct. Science is based on challenging and testing prevailing assumptions and thought. Ai, in my humble opinion, discourages critical thinking. But for good or bad, it's here, he said. Below is a link to Tom Fishburne, the marketoonist, with a thought-provoking cartoon and short viewpoint message, and I have the cartoon in the show notes. It's got two frames. The left, one guy is saying to someone else once we train our AI, I can't wait to see the wide variety of new ideas it comes up with. And in the foreground we see a conveyor belt with all different shapes and sizes and brightly colored bottles and containers of different sorts, and this conveyor belt is sending them into a box in the middle that divides the two frames, labeled AI.

01:10:17
On the right hand side, we see this guy with his hand up to his chin, as if thinking hmm, guy with his hand up to his chin, as if thinking, hmm, and what's coming out is a nearly identical set of almost the same shape and size and color bottles. So the AI has sort of generified everything. Okay, so the interesting information is that Tom Fishburne shares. He writes it's still early days with AI generation tools. We're all still learning potentials and limitations, the tendency for AI results to look alike. As AI predicts what to generate, the path of least resistance is and all the rest are powered or powerful conformity machines giving you the ability to churn out Bible-length material about yourself and your business. That's exactly the same as your competitors. Unquote and Tom continues. A couple months ago and Tom continues.

01:11:42
A couple of months ago, oxford and Cambridge researchers illustrated the risk of homogeneity in a study of AI generated content in Nature magazine and for anyone who doesn't know, nature magazine is a serious magazine. Lori and I were subscribing to it for a while, but the articles were so dense that it was like, okay, well, we're just wasting our time on this. So I mean, it's the real deal. He says the risk increases as AIs get trained, not only on human-created content but on other AI-generated content. As an example, the researchers studied an AI model trained on images of different breeds of dogs. The source material included a naturally wide variety of dogs French bulldogs, dalmatians, corgis, golden retrievers, etc. The works, but when asked to generate an image of a dog, the AI model typically returned the more common dog breeds golden retrievers and, less frequently, the rarer breeds French bulldogs. Over time, the cycle reinforces and compounds. When future generations of AI models are trained on these outputs, it starts to forget the more obscure dog breeds entirely, soon only creating images of golden retrievers. Eventually, the researchers found there's model collapse and I love that term model collapse where the LLM is trained so much on AI-generated golden retriever images that the results turn nonsensical and stop looking like dogs at all.

01:13:40
Writes substitute dog breeds for whatever you're trying to create New products, new packaging, new advertising, communication and the risk is that all outputs devolve to look the same. A related study from the University of Exeter found that AI generation tools have the potential to boost individual creativity, but with a loss of collective novelty. The good news is that this baseline situation creates opportunities for those who can push against this new status quo. Homogeneity is ultimately at odds with distinctiveness. As with all tools, it's all in how you use them. You can't break through the clutter by adding to it. So, anyway, I love that you know. These conclusions feel intuitively correct to me, and the research cited above supports that intuition that there is an unrealized danger, as the Internet's content becomes more and more AI generated, while our AI models are being continuously trained against the Internet's content. Future historians may wonder what happened to all the French bulldogs.

01:15:04
And on that, leo, let's take another break and then we're going to look at uh, some more questions and feedback from our listeners.

01:15:10 - Leo Laporte (Host)
Good, great, uh, you're watching security now with mr g. This episode brought to you by delete me, a tool that we use actually at twit. Uh, and it became a very useful tool when our ceo started being targeted by hackers who were using her name and phone number to try to scam her direct reports. How do they know her name, her phone number, her direct reports? It's all out there on the internet. Have you ever searched for your name online? I do not recommend it, but if you do, you'll see a surprisingly large amount of personal information is available. Maintaining your privacy is, by the way, not just your own concern. It's a family affair too. That's why delete me offers family plans. Actually, they offer a variety of plans corporate plans, individual. Check it out at joindeleteemecom. Slash, twit, delete Me helps reduce risk from identity theft, from cybersecurity threats, from harassment and more. I mean there really is a cybersecurity side to this, because the more information that's out there about you, about your company, about your employees, the more likely bad guys will get that data. It's easily available to them, for a very small cost, actually, if you go to a data broker and use that data to impersonate you.

01:16:35
I was watching the morning news and it was alert local woman scammed by a bad guy out of $5,000. I thought, well, what's new right that's happening all the time. Why is it news? And actually it's probably good that they showed this, because the woman received a call from a person who said he was her grandson. The person knew her grandson's name, knew some basic information about her grandson, said I've been arrested, I'm in jail, I need bail. She wired bail to the bad guy, not her grandson. Her grandson wasn't in jail. But this is a perfect example of how hackers can use the information online about you to take advantage of you or your family members, your grandma. That's why you need to delete me. That's why grandma needs delete me. I have to say we, of course, as soon as that hacker attacked Lisa, we got delete me.

01:17:30
And it's a funny thing because a couple of months ago, we were talking about the data broker breach that showed so much information, including social security numbers. Turns out, by the way, that's legal. The FTC has just announced. Maybe we shouldn't make that legal. Anyway, that's another thing that's not going to change.

01:17:48
But we were talking about this and I did a little search. My data was in that breach, as was yours, steve. My social was in that breach, lisa's wasn't, and I realized that's because we've been using Deleteme and the personal data brokers didn't have her data because Deleteme had made them delete it. That's what Deleteme does. They actually, the Deleteme experts, go around. They know all the data brokers and, by the way, that's not an easy job because there's new ones. It's so profitable. There's new ones every day.

01:18:23
They keep track of this. They find and they remove your information from hundreds of data brokers. So they did that for Lisa. That's why her data was not in the breach. It had been removed. And if you want to do it with family members, like grandma, you can assign a unique data sheet to every family member, tailored to them, so you can say you know, grandma has an Insta account, she doesn't have a Twitter account. That kind of thing. You can manage privacy settings for the whole family.

01:18:48
But, by the way, it's more than just going to those data brokers and saying get rid of that stuff. And they do. They're required to, so they delete it. But here's the thing they're not required to never start over, so they just start reacquiring that data and building a dossier almost instantly. That's why Delete Me will continue to scan and remove your information. Regularly. They go back again and again. I'm talking addresses, photos, emails, relatives, phone numbers, social media, property value. All of this stuff is online. You know it is. It's a shock, right, and it's completely legal, at least it is for now. So this is why you need Delete Me. You need it as an individual, you need it as a family and, by the way, you need it as a business. Protect yourself, reclaim your privacy.

01:19:35
Visit joindeletemecom slash twit. If you use the offer code twit, you'll get 20% off Joindeletemecom slash twit. It was. It was a real eye opener to see that Lisa's social was not in there. Her address was not in there. It had been removed before the breach.

01:19:53
Join. Probably too late for you and me, right, but but let's do it now before the next breach. Join, delete me dot com. Slash twit. And it's not even breaches. They sell that to anybody who wants it. A hacker doesn't have to wait for a breach. They just say, hey, here for a buck 15, can you tell me who runs that company? What's her phone number? What are all our direct reports? It's all in there. Join, delete mecom. Slash twit. Until we have some sort of national privacy protection. At least you've got to leave me join. Delete mecom slashcom slash Twitter. Please use the offer code TWIT for 20% off. We thank JoinDeleteMe for their support. You support us too, of course, if you use that special address and the offer code, because then they know you saw it here. Joindeletemecom slash Twitter. Offer code TWIT On.

01:20:43 - Steve Gibson (Host)
We go with the show, mr G Okay yes, I T on, we go with the show, mr G. Yes, so um. Our listener, greg Haslett, has an interesting problem. He said, steve, I have an edge router. You know, that was the router that we were loving for a while I still have one yeah, yeah, it's a, it's a.

01:21:00 - Leo Laporte (Host)
I've. I've upgraded now to the full Ubiquiti system that impressed me so much.

01:21:05 - Steve Gibson (Host)
Oh well, and it was so inexpensive and so powerful about what you know like in terms of the way it could be configured. So he said I have an edge router and created an IoT network. My problem is I cannot reach my Asus RT66 to update the firmware that's on the IoT network. Oh boy, so he created isolation and now he's isolated.

01:21:30
Yeah, he said any quick ways to allow temporary access to the ASUS router. My last-ditch answer would be to backup the Edge router meaning that it's config and reset to original settings, Hopefully find the IP address of the ASUS and update the firmware. Then restore the edge router from backup with IOT. Longtime listener and met you at the squirrel take in Irvine, so that's very cool. So okay, I'm not a hundred percent certain that I completely understood Greg's problem and question, but I think I do. But my first thought is that maybe he's making things too complicated. Leave the edge router alone and just temporarily rearrange some wires. Take it out of the line.

01:22:17 - Leo Laporte (Host)
Exactly.

01:22:18 - Steve Gibson (Host)
Rather than get fancy with reverting the edge router's configuration to its original simple switch, the Edge router's configuration to its original simple switch, why not plug the Asus RT66 into the LAN where a PC is located and update its firmware? You know, I suppose if Greg doesn't have a spare old wired Ethernet switch lying around and you know I have to think he would you know who doesn't. They make great doorstops, you know then that could be a problem. But it's also possible to plug the Asus RT66 directly point to point into a PC's LAN socket. So if I understood Greg's question, it would appear that being less fancy and going old school might be the right solution that is the issue with, with v, landing off your iot and creating iot network.

01:23:12 - Leo Laporte (Host)
If the iot device is done, you know, controlled through the cloud, right then it's not a problem because you're going to on one vlan contact the cloud.

01:23:23 - Steve Gibson (Host)
You go up to the cloud, it comes back down.

01:23:25 - Leo Laporte (Host)
Yeah, but more and more, and actually for security this is probably a good thing, and for long-term survivability it's a good thing. These guys are talking directly. You're talking directly to the IoT device, which, of course, isn't going to work if it's on a separate VLAN, unless you create some rules. That's the other way around it. I ended up just giving up.

01:23:49 - Steve Gibson (Host)
I put it, rules. That's the other way around it. I ended up just giving up. Yeah, um, uh, our solution is to have, because we, because we also want to have guests over, right, who are bringing untrusted equipment, right? Uh, we have two radios, so we have, we have our network, and then we have, and then on the iot network is is a different access point and so if I need to talk to something there, I just quickly switch my Wi-Fi over to that we were doing that, but it's a pain in the butt if you want to print, to switch to the secure, insecure VLAN, print and switch back.

01:24:21
And printing is a good example, because, boy, printing is so security riddled and problematic you don't want to put a printer on your network. Not if you can help it.

01:24:30 - Leo Laporte (Host)
Yeah, so this is tough. It really is. That's the truth of it.

01:24:37 - Steve Gibson (Host)
Oh, and while we're on the topic of old school solutions that are, in this case, obvious in retrospect, our listener, troy, was responding to something to what we're talking about. Last week, about my having a problem typing on this horrible keyboard screen of my iOS device and wondering about a solution for reversing that dongle, the Bluetooth keyboard dongle that you put into your computer, he said, steve, congrats on security. Now, hey, regarding typing long messages on the iPhone, I hope you know that you can connect a Bluetooth keyboard to your iPhone, and this is where the use of the expression comes in. I confess I had completely forgotten that, and I should have remembered it, because one of my first reactions to the loss of the wonderful physical clicky button keyboard of my beloved BlackBerry, which I, oh I loved it so much, but I had to switch to an iPhone because you know what has to I added that little add-on keyboard that you could stick onto the bottom of the phone, which did indeed link the phone via Bluetooth, and it worked perfectly. So, needless to say, I have a cute little Bluetooth keyboard now, thanks to Troy's note, which allows me to quickly type on my iPhone. So thank you, troy.

01:26:11
Earl Rod in North Canton, ohio, shared some facts about social media age restrictions. He said the recent book by Jonathan Haidt titled Anxious Generation by Jonathan Haidt titled Anxious Generation.

01:26:26 - Leo Laporte (Host)
Okay, I know he loves it and you're going to read his praise. Okay, that's not widely accepted. Haidt is nonsense. He said that it's not true, so go ahead.

01:26:37 - Steve Gibson (Host)
So who said?

01:26:39 - Leo Laporte (Host)
So I will send you the article by I think what was her name? Cougars, who is an expert in the field. Jonathan Haidt is a polemicist. Article, uh, by I think what was her name? Kujers, who is an expert in the field. Jonathan hate is a polemicist and a social. He's a. He's a social psychologist, psychologist, yeah, and uh, a lot of what he claims in the book is highly disputed by experts in the field. Uh, so it's, it's convincing. If you read the book as a lot of stuff, you know when people are polemicists, they write convincing books. Malcolm gladwell does it too. That aren't true, but they sound right and a lot of people come away with it with this conviction as a result. This is why there's that australian law. Uh, there's this widespread thought that social networks are causing major mental illness issues with our kids, but experts disagree. I'll just say that Now go ahead. You can read his note.

01:27:30 - Steve Gibson (Host)
Well, I'm okay.

01:27:36 - Leo Laporte (Host)
I just wanted to inoculate people against what you're about to say.

01:27:38 - Steve Gibson (Host)
He's about to say Okay, okay, so I will, because it gives me the context for my reactions to it. So he said, the recent book by Jonathan Haidt, anxious Generation, has extensive discussion of the age limit issue. The main theme of the book is rather convincing evidence to your point, leo, that the dramatic 100, 200% increase in teen mental health problems which corresponds to the introduction of smartphones is in fact caused he has in all caps by the use of those phones and in particular social media. Haidt's argument rests on his work as a social psychologist, combining knowledge of the vulnerability of early teens due to brain development happening at the time of life with research on how social media is carefully designed to hook young adolescents. If Haidt is right, and our listener says and I think he is the problem is very severe. We make a huge mistake equating our older adults, who grew up before the smartphone era, use of various apps and how we handle it with adolescents during critical brain development years. And he says, per end's note, my adult children have been telling me this for years that I cannot transfer how I use social media for just the few things I want to the experience of youngsters. And he says the book has an extensive discussion of what to do. In that section, jonathan discusses some technical ideas, not at the technical depth of security now, but also the social factors like parental role, the problem of peers having more access and how some methods can be neutralized. The book has references to extensive discussions of both social scientists like Haidt and technical sources by people who have thought through a lot of the issues.

01:29:26
While I share some skepticism of the effectiveness of age verification, I think the combination of laws requiring age verification, more parental awareness and cooperation between schools and parents can have a very positive impact.

01:29:40
So my response was to say that, you know, in our recent discussion I happened to also touch on a number of the same potential pitfalls of age restriction, such as parents being pushed by their own children to make exceptions for them, which is then followed by other kids complaining to their more strict parents that their peers have been given access by their parents, so why can't they have the same, you know? And saying after all, how bad can it be if 16-year-olds are able to have access? You know, I note also that, among other things, my wife Lori is an accomplished therapist and while she rigorously honors the privacy of her clients, she's noted on a number of occasions that many of today's parents appear to be afraid of their own children, whom they appease by giving them anything they want. So how are such parents not going to capitulate to their children's demands, especially having previously established that pattern? So anyway, as-.

01:30:49 - Leo Laporte (Host)
I'll point you, now that we've talked about it, to. This is a great place to start Mike Basnick's article, in which he quotes Candace Hodgers, who is a actual expert on this stuff and has been doing this kind of research for years, and then his podcast about this essentially debunking hate.

01:31:08 - Steve Gibson (Host)
Hate is a polemicist, he is not an expert, period so do you not think, do you not conclude that um there is something age-related, or that there is not damage, or that kids are not addicted, or so?

01:31:26 - Leo Laporte (Host)
what? Yeah, so the research shows that it's not the case period. He's saying something that makes sense, and this is the problem with a lot of these just so stories. Oh yeah, that makes perfect sense, that makes a lot of sense, but if you actually look at the research, by the way, you can read her article in nature, your favorite magazine, all about this.

01:31:46
Uh, the issue is is there a increase in mental health issues with kids? Because it's more reported, there are a lot of correlation does not equal causation, as you well know, and because there's a, because the iphone came out in 2007 and they're correlating that to a rise in mental health issues. There are many other issues involved in this, including COVID and isolation of kids, stranger danger from the 80s, which made a lot of parents keep their kids at home instead of letting them out to play because they were so afraid of by the way, this was also a specious argument there were strangers in the neighborhood about to abduct them. We know perfectly well that the real danger to kids is people may know people at home, their relatives, but this stranger danger actually prompted a lot of parents to say, oh, no, more playing outside for you. That could be one of the causes. There are many things going on.

01:32:40
Correlation does not equal causation and as we've said many times, and when you do the actual research with many have done, including candace odgers, uh, it is in fact, uh, under it's problematic because it's very easy to say, oh, it's social media. We put an age, uh limitation on social media. We limit iphones, we keep parent, you know, we give parents the power to stop doing all this stuff. It's all going to get better. And what you're not addressing, for instance, is the fact that schools no longer have mental health professionals, let alone nurses, in the school. There are a lot of other issues you're not addressing because you oh all fixed. You've already found the problem. You found the problem. So I would recommend people look at Mike. Mike Masnick, I think our audience trusts and likes, did an excellent podcast with her about youth mental health, talking about Jonathan Haidt's book. The problem is it's become a political issue.

01:33:38 - Steve Gibson (Host)
So do you think that the actual driver is mental health or that people don't want kids so stuck on their phones?

01:33:48 - Leo Laporte (Host)
Steve, you remember when you were young and your parents said stop listening to that rock and roll and cut your hair? Do you remember when Newton Minow, the chairman of the FCC, said that television was a vast wasteland and ruining the brains of our young people?

01:34:02
And then we have the whole video game phenomenon Do you remember when Tipper Gore said video games are ruining our children? It's happened again and again. The problem is with that kind of moral panic is you can be miss. You can focus on the wrong problem and not really address the issues. So there is a huge replication crisis, a problem with the data that hate quotes. It's not been replicated. The actual experts who are working in this field, and have been working in this field for decades, say we actually don't see that. If you're interested and everybody should be, watch this podcast. It's a great starting point. It's at techdirtcom. It's the Tech Dirt podcast with Candice Odgers, o-d-g-e-r-s, titled Making Sense of the Research on Social Media and Youth Mental Health. Actually, I think hate's on it, so that would be kind of interesting.

01:34:59 - Steve Gibson (Host)
Well, of course, our interest for the podcast is just the idea that that legislation is going to impose a new, a new technical right requirement.

01:35:13 - Leo Laporte (Host)
It's nonsense that that australia has said no, nobody under 16 can use social media. Besides the isolate I mean, you can make the case that social media is how kids socialize today. It may and well isolate a great many kids and cause worse problems. How do you do it? How do you? And so there's no good technical way, without violating human privacy, our own privacy, to identify who's an adult, who's not an adult.

01:35:40 - Steve Gibson (Host)
Yes, and that is the interest of this podcast is what are they going to do? You know, like you know, something is going to happen unless the law gets overturned and or isn't implemented. The fines are 35, the equivalent of 50 million Australian dollars, equivalent of about 32 and a half million US dollars, which?

01:36:04 - Leo Laporte (Host)
makes me think companies like meta and others will just pay the fine, if you think it's a one-time fine.

01:36:11 - Steve Gibson (Host)
And the other thing that I thought was odd was that youtube is excluded.

01:36:15 - Leo Laporte (Host)
Yeah, it's not considered perfect example? Yes, perfect example. Um, it's nonsense. And, by the way, the campaign in aust, campaign in Australia was started by Rupert Murdoch and Rupert Murdoch's newspapers who, in the spring of this year, launched a massive campaign and convinced the Australia legislature to do this.

01:36:35 - Steve Gibson (Host)
Well, from a technology standpoint, it's going to be fascinating to see what they come up with.

01:36:40 - Leo Laporte (Host)
We talked about it on Sunday and I think the consensus of the panel was this is really mostly just kind of saying fix it, because it's a year more than a year away, right yes, it takes effect on november 20th of 2025 yeah, so, uh, I we think it's mostly just saber rattling and trying to convince them I do something so that we can, you know, sit back on this law, but if not, we got a problem we got it.

01:37:07 - Steve Gibson (Host)
We have a need for some technology.

01:37:08
Yeah, that doesn't exist finally, dawn appreciates our picture of the week for audio only listeners. She says hello, steve and leo. I've listened to your show for a while now and I really enjoy it. I love all things computers, technologies, etc. And there's one thing I can definitely say with 1000% assurance there will always she has in all caps be a need for this podcast and experts such as yourselves to cover and explain it all, with the added challenge of putting the cookies on the bottom shelf where the kids can get them, which you're very good at doing.

01:37:45
I wanted to write you an email thanking you for describing the pictures of the week. I have to admit I got quite a bit of laughs from the one last week where the little troublesome twosome were finding a way to get upstairs. Even now, as I write this, I'm chuckling. It means a lot to me that you guys describe the pictures of the week, because I'm completely blind. Oh interesting. Without your descriptions I would not be able to get any enjoyment out of them. Very good, she said.

01:38:14
Sometimes I think we do things like this without a second thought and without knowing the impact that we have and will have on someone when we do those things. This is one of them. Please keep the picture descriptions coming Before you ask. I think one of my favorite picks of the week was the one that said treat your passwords like your underwear, she said. I remember I just couldn't stop laughing for a long time after that. One then had to rewind the podcast a couple of times just for the laughs. I must admit I had never heard Password Safely put that way before. Thank you once again for the podcast and image descriptions and please keep them coming. Don so Don, I hope you're listening. Thank you for your note and I can promise that we'll keep the picture of the week descriptions coming.

01:39:06 - Leo Laporte (Host)
Yeah, you're very good about it. You realize that we have audio listeners and they aren't seeing it, and so you're always very good about that. It does remind us, though. Also, when you post images online, you should always use the alt tags in HTML Right, so the blind viewers who are using screen readers will actually know what that picture is, and I forget sometimes. I actually have a little thing on my Mastodon account that pings me when I post a picture without an alt tag. It says you didn't put your alt tags in. It's not too late, go back and edit it, and I always do. Thank you, don, it's nice to have you listen.

01:39:37 - Steve Gibson (Host)
Okay, our last break, and then we're going to catch up on the current status of voyager one, as it's uh, continues its well endless journey because it's way outside the the, the sun's gravity field at this point.

01:39:55 - Leo Laporte (Host)
so and uh, just along the australia uh thing. You'll remember that it was the australian parliament, a parliamentarian in australia, who said we don't have to worry about math, math does. From our point of view, there's no need to pay attention to math, math doesn't matter.

01:40:15 - Steve Gibson (Host)
And this is another one of those examples where of legislators ignoring the technology, even though they're legislating technology.

01:40:24
Yeah, technology, even though they're legislating technology, yeah, saying that saying the social media companies, like some and a subset of social media companies, have to do something. And well, we don't know how, but you can do it. It's like the eu saying, well, we want you to uh, to block, uh, you know c sam, and we don't know how you're going to do it, but you have to do it without breaching anyone else's privacy. It's like, uh, well, yeah, I mean, you know, we here. It is this is the?

01:40:52 - Leo Laporte (Host)
uh, it was the australian prime minister who said the laws of mathematics don't apply here. He's no longer prime minister.

01:41:01 - Steve Gibson (Host)
Those pesky, those pesky mathematicians.

01:41:05 - Leo Laporte (Host)
How dare they? Uh, yeah, governments do that. They say, well, you'll figure it out yeah, you guys are the smart big brains you've figured out. Yeah, uh, trumbull is no longer. I don't think malcolm trumbull is no longer the prime minister, but math. But math is lives on, which is kind of interesting love math.

01:41:22 - Steve Gibson (Host)
Yeah, math makes it eternal math lasts longer even than if you didn't have math, we wouldn't have voyager one, that's for sure there you go.

01:41:31 - Leo Laporte (Host)
Yeah, I often say when people say oh science, you know science isn't always perfect. Dude, you're listening to a technology podcast. All technology is is science applied right. Give me a break. That's all we got yes, we have.

01:41:45 - Steve Gibson (Host)
We live in a noisy world and yet the digital bits get from point a to point b perfectly somehow magically.

01:41:53 - Leo Laporte (Host)
Well, math doesn't apply here. That's uh, no, I don't know what that is. Anyway, our show today. We're very glad to have you listening. We're gonna get very excited about talking about vger. I can't wait lots of really cool information, yeah, but before we do that, I want to talk a little bit about our sponsor, bitwarden, the open source password manager that will drastically improve your chances of staying safe online. We love bitwarden. It's open source, uh. It's trusted by thousands of businesses. Like all password managers, the basic functionality is to generate and autofill strong, long passwords. You don't have to remember them. It remembers them for you in an encrypted vault. That is part one of why I think it's really important that Bitwarden is open source.

01:42:41
When you're talking encryption, I've always been of the opinion it's got to be open source, because you have to be able to vet it, you have to be able to look at it or some expert does and say there's no back doors, it's properly implemented. In fact, bitwarden does that. Not only do they post, they are GPL. As, steve, you pointed out a couple episodes ago. They are fully open source. They post their source code on GitHub. Anybody can read it, but they also engage every year, in fact several times a year, third parties to look at the source code, vet it, validate it, say this is what it does, this is what it doesn't do. And they also go one step more. A lot of companies do that, but then they go one step more. Bitwarden promises to publish in full the reports from these third parties. So I'm saying this is the only way you can really be sure it's doing exactly what it says it does. So that's reason number one I love Bitwarden. Bitwarden for business. Reason number two Businesses. Bitwarden is a lifesaver in business. It's not just simply a password manager. It integrates with all of your existing software to support seamless operations and elevated security in every part of your enterprise.

01:43:51
I'll give you some examples. You use Microsoft Intune. Bitwarden works with Microsoft Intune to enhance device security and user identity management. It enables secure Bitwarden app deployment on any Intune managed endpoint. That's desktops, mobile devices, everywhere. Do you use Rippling for your HR? You'll love it. Rippling integrates with Bitwarden to simplify employee offboarding and onboarding. Your IT team can assign and revoke access as your employees join or leave. It's kind of push button simple. Maybe use Vanta, one of our sponsors. We love Vanta. Vanta combines compliance, audit and reporting with secure password management. It says look, they're using secure password management. It's being used effectively. It helps organizations meet their SOC 2, iso 27001 and other standards.

01:44:42
Here's a really interesting one Rapid7. Rapid7, which is an EDR solution, ensures improved threat detection and response. And how does it work with Bitwarden? By correlating credential usage with security events. So Bitwarden says, yes, this password was used on this device, on this app at this time, and Rapid7 then can correlate it with a security issue, strengthening proactive monitoring and intelligence for enterprise security teams. That's really cool. Bitwarden is really focused on these integrations. They increase flexibility to centralize security management across existing technology stacks and employee devices so that you can maintain control over sensitive information.

01:45:24
There's a really great story to tell for Bitwarden, both for individuals and for businesses. In business, bitwarden users can seamlessly connect tools for IT management compliance security to improve and standardize the deployment of enterprise credential management throughout your organization and your employees will love it. It's easy to use. It's effective. Your business deserves a cost-effective solution that can dramatically improve its chances and your chances of staying safe online. It's very easy to switch to Bitwarden it only takes a few minutes. They can import quickly from most password management solutions. It's open source. Bitwarden's fantastic.

01:46:01
Bitwarden's also very affordable. You can get started right now with a free trial of Bitwarden's Teams or Enterprise plan. And the thing I always tell folks I told everybody Thanksgiving make sure you I hope you did this Talk to your relatives, ask them about their password system, their security, and if they don't have any security or they're reusing the same password, heaven forfend, tell them. Get Bitwarden Very important free forever for individuals because it's open source. Free forever for individuals. That's unlimited passwords, unlimited device, mac, windows, ios, android, linux and that includes pass keys unlimited pass keys and the use of hardware keys like Yub, like yuba keys all of that's in the free plan. Now I pay him 10 bucks a year because I want to support him. I have the premium plan 10 bucks a year, so even then it's very affordable.

01:46:55
Uh, I just and, and, by the way, with bitwarden for the individual plans, you can even host your own vault. I know there's some real tno people out there. Trust no one people. That's one way you can really do it is to host your own vault. Personally, I trust Bitwarden to host my vault. I feel fine about that. Bitwarden, get started for free across all devices. It is an individual user or free trial of a Teams or enterprise plan for your business at bitwardencom slash twit. This is the one really is, and if you're not using a password manager, by all means I know if you listen to Security Now of course you're using one Tell your friends bitwardencom slash twit. Thank you, bitwarden, for supporting Security Now and thank you for supporting it by using that address. So they know you saw it here.

01:47:40 - Steve Gibson (Host)
Veejer. Okay, so our listener, rob Woodruff, brought this bit of news to my attention. Nasa's posting was titled NASA's Voyager 1 resumes regular operations after communications pause, and I'm going to share it because, as I said, it contains a bunch of interesting and amazing science and engineering information. And then we're going to even dig down a little deeper. So they wrote NASA's Voyager 1 has resumed regular operations following a pause in communication.

01:48:13
Last month, the probe had unexpectedly turned off its primary radio transmitter, called an X-band transmitter, and turned on the much weaker S-band transmitter. Due to the spacecraft's distance from Earth, about 15.4 billion miles, 24.9 billion kilometers, this switch prevented the mission team from downloading science data and information about the spacecraft's engineering status. Earlier this month, the team reactivated the X-band transmitter and then resumed collecting data the week of November 18th from the four operating science instruments. Now engineers are completing a few remaining tasks to return Voyager 1 to the state it was in before the issue arose, such as resetting the system that synchronizes its three onboard computers. The X-band transmitter had been shut off by the spacecraft's fault protection system when engineers activated a heater on the spacecraft Whoops, okay. Historically, if the fault protection system sensed that the probe had too little power available. It would automatically turn off systems not essential for keeping the spacecraft flying in order to keep power flowing to the critical systems. But the probes have already turned off all non-essential systems except for the science instruments. So the fault protection system turned off the X-band transmitter and turned on the S-band transmitter because it uses lower power. Unfortunately, that also means it transmits at lower power, which means you can't get the data through, which is why they had stopped collecting data.

01:50:17
They said the mission is working with extremely small power margins on both Voyager probes. Powered by heat from decaying plutonium that is converted into electricity, the spacecraft lose about four watts of power each year. About five years ago, after some 41 years after the Voyager spacecraft launched, the team began turning off any remaining systems not critical to keeping the probes flying, including heaters for some of the science instruments. To the mission team's surprise, all of those instruments continued to operate despite reaching temperatures lower than what they'd been tested for. The team has computer models designed to predict how much power various systems, such as heaters and instruments, are expected to use, but a variety of factors contribute to uncertainty in those models, including the age of the components and the fact that the hardware doesn't always behave as expected, with power levels being measured to fractions of a watt. The team also adjusted how both probes monitor voltage, but earlier this year the declining power supply required the team to turn off a science instrument on Voyager 2. The mission shut off multiple instruments on Voyager 1 in 1990 to conserve energy, but those instruments were no longer in use after the probe flew past Saturn and Jupiter. Of the 10 science instruments on each spacecraft, four are now being used to study the particles, plasma and magnetic fields in interstellar space, which is where both probes are.

01:52:07
Voyagers 1 and 2 have been flying for more than 47 years and are the only two spacecraft to operate in interstellar space. Their advanced age has meant an increase in the frequency and complexity of technical issues and new challenges for the mission engineering team. Okay, so reading that the article said the X-band transmitter had been shut off by the spacecraft's fault protection system when engineers activated a heater on the spacecraft. What it didn't tell us is why the JPL engineers turned on that heater. And there's even more fascinating information about that.

01:52:50
Our listener, jeff Root in San Diego, supplied the link to a story in the register of all places titled Best Job at JPL what it's like to be an engineer on the Voyager project. What it's like to be an engineer on the Voyager project. This was posted two days later, on the US's Thanksgiving Thursday, and it too is chock full of interesting science and engineering insight. So the Register wrote the Voyager probes have entered a new phase of operations. Phase of operations as recent events have shown, keeping the venerable spacecraft running is a challenge as the end of their mission nears, and, of course, end of the mission just means we don't know what happened, right?

01:53:37
I mean, it's like it's way past its design end of mission and it keeps getting extended. So they wrote. As with much of the Voyager team nowadays, kareem Badaruddin, a 30-year veteran of NASA's Jet Propulsion Laboratory, divides his time between the twin Voyager spacecraft and other flight projects. He describes himself as a supervisor of chief engineers, but leaped at the chance to fill the role on the Voyager project. Suzanne Dodd, jpl director for the Interplanetary Network Directorate, is the project manager for the Voyager interstellar mission. Batarudin told the Register she knew that the project was sort of entering a new phase where there was likely to be a lot of technical problems. And so chief engineers, that's what they do. They solve problems for different flight projects. Dodd needed that support for Voyager. Batarudin would typically have found someone from his group, but he said I was just so excited about Voyager. I said you know, look no further, right, I'm the person for the job. In other words, this was one he did not want to delegate. He said I'm your engineer, you know, please pick me. So Batarudin has spent the past two years on the Voyager project, after decades of relatively routine operation following plans laid out earlier in the mission when the team was much larger.

01:55:13
The twin Voyager spacecraft had begun presenting more technical challenges to overcome as the vehicle's age and power dwindles. The latest problem occurred when engineers warmed up part of the spacecraft, hoping that some degraded circuits might be healed by an annealing process. Quote there's these junction field effect transistors, jfets, in a particular circuit that have become degraded through radiation. We don't have much protection from radiation in an interstellar medium, remember, where this thing was never designed to function right Because it wasn't expected to live this long. We don't have much protection in an interstellar medium because we're outside the heliosphere, where a lot of that stuff gets blocked. So we've got this degradation in these electronic parts and it's been proven that they can heal themselves if you get them warm enough long enough. And so we knew we had some power margin and we were hopeful that we had enough power margin to operate this heater and as it turned out, we didn't. It was a risk we took to try to ameliorate a problem that we have with our electronics. So now the problem is still there and we realize that we can't solve it this way, and so we're going to have to come up with another creative solution. Unquote.

01:56:51
So the register says the problem was that more power was demanded than the system could supply. A voltage regulator might have smoothed things out, but the Voyagers no longer had that luxury. Instead, engineers took a calculated risk and ran afoul of the then-innovative software on board the spacecraft. The undervoltage routine of the fault protection software shuts down loads on the power supply, but since the Voyager team had already shut down anything that's not essential, there isn't much left for it to shut down, batarudin explained. He said so, quote the undervoltage response doesn't do much except turn off the X-band transmitter and turn on the S-band transmitter, and that's because the S-band transmitter uses less power, making it the last safety net to save you, he said, and save the mission it did. While the S-band is great for operations near Earth, such as the moon, it's almost useless at the distance of the Voyager spacecraft. However, by detecting the faint carrier signal of the S-band transmission, the team was able to pinpoint that the problem had been the act of turning on the heater, even without X-band telemetry from the spacecraft. The challenge for engineers isn't just the time it takes to get a command to the Voyagers and receive a response, but also checking and rechecking every command that gets sent to the spacecraft, he said, the waiting is apparently not as frustrating as we might think.

01:58:40
Batarudin said this is the rhythm we work in. We've grown accustomed to it. It used to be a very small time delay and it's gradually grown longer and longer through the years. With duplicate physical hardware long gone, the team now works with an array of simulators. Batarudin said we have a very clear understanding of the hardware. We know exactly what the circuitry is, what the computers are and where the software runs. And as for the software, it's complicated. There have been so many tweaks and changes over the years Remember 46 years, 47 years that working out the exact revision of every part of Voyager's code has become tricky. Batarudin said it's usually easier to just get a memory readout from the spacecraft to find out what's going on out there. The challenge for the Voyager team is that the spacecraft are nearing the half century mark, as is the documentation. He said we have documents that were typewritten in the 70s that describe the software, but there are revisions. 70s that describe the software, but there are revisions. And so, building the simulators, we feel really good about the hardware, but we feel a little less good about understanding exactly what each instruction does.

02:00:10
The latest bit of recoding occurred with the failure of one of Voyager's integrated circuits, which manifested itself as meaningless data last year, and of course we talked about that on the podcast at the time. Batarudin reminds us the basic problem was figuring out what was wrong with no information. We could see a carrier signal. We knew we were transmitting in the X-band. We knew we could command the spacecraft because we could tweak that signal slightly with commands. So we knew the spacecraft was listening to us and we knew the spacecraft was pointing at Earth, because otherwise we wouldn't get a signal at all. The engineers went further down the fault tree and eventually managed to get a minimum program to the spacecraft to get a memory readout. That readout could be compared to one retrieved when the spacecraft was healthy. 256 words were corrupted indicating a specific integrated circuit.

02:01:15
Code was then written to relocate instructions around that failed area, and remember this is almost a light day away at that point a year ago. The problem there is the code was very compact. There was no free space that we could take advantage of, so we had to sacrifice something so that you know they're patching on the fly on an operating machine. What is it Fifteen billion miles away? That's something that needed sacrificing was one of the Voyager's higher data rate modes used during planetary flybys. And that makes sense, right? It's like hey, you know what don't we need? Well, we don't need the high data rate mode used during planetary flybys, because we're not going to be flying by any planets. So now back to the present.

02:02:12
The current challenge, if you'll pardon the pun, involves dealing with the probes. Oh, thrusters. And here's the problem, leo. Silicon from bladders inside the fuel tanks has begun to leach into hydrazine propellant. Since silicon doesn't ignite like hydrazine, meaning it doesn't get burned off, a tiny amount gets deposited in the thrusters and slowly builds up in the thruster capillaries.

02:02:44
Batarudin uses the analogy of clogging arteries. Eventually, the blockage will prevent the spacecraft from firing its thrusters to keep it pointed at Earth. However, the pitch and yaw thrusters, each of which have three branches, are clogging at different rates. The current software works on the basis that branch 1, 2, or 3 will be used. But could it be operated in mixed mode, where branch 2 is used for the pitch thruster but branch three is used for yaw? Batarudin notes, so that's a creative solution. It would be very complicated. This would be another modification in interstellar space to the software and getting it right the first time is not just nice to have, it's almost essential. By the time the results of a command come back from the voyage or spacecraft, it might be impossible to deal with the fallout of a failure what do they write it in?

02:03:51 - Leo Laporte (Host)
what is it assembly language? What oh?

02:03:53 - Steve Gibson (Host)
yeah, it's all individual like they have. They invented their own processor, they're not using any commercial processor. They invented a computer that reads this code. And that's where he's saying sometimes we're not sure what an instruction does, because somebody typed it in 1970 and may have said oh lunchtime, I'll get back to you later wow, oh wow.

02:04:24 - Leo Laporte (Host)
This is amazing.

02:04:25 - Steve Gibson (Host)
It is just incredible he said, the voyager spacecraft are unlikely to survive another decade. The power will eventually dwindle to the point where operations will become impossible. Is it a nuclear power? Plane on? Yeah, yeah, it is a nuclear power, it is. It is using decaying plutonium to the heat generated from the particle decay to heat a thermocouple which generates the electric current to drive all of this. So it's a tiny bit of and it and it's been exponentially decaying for 47 years pretty good since this thing was first launched that's a long time.

02:05:05
Yeah. So he says, high data rates, which is to say 1.4 kilobits per second, will only be supported by the current deep space network until 2027 or 28. After that some more creativity will be needed to operate Voyager 1's digital tape recorder. Batarudin speculates that shutting off another heater, the Bay-1 heater used for the computers, would free up power for the recorder. But I should mention that we're only able the Deep Space Network, as I recall, is only out of Australia, and so it's only during a brief time window, once a day as the Earth rotates, that the Deep Space Network antenna is able to point at Voyager 1. And so Voyager one records its data during the dark period and then dumps it to us when it knows we're able to receive it.

02:06:08
So he says um, turning off the bay one heater used for the computers would free up power for the recorder, according to the thermal model. But it'll be a delicate balancing act and of course the recent annealing attempt demonstrated the limitations of modeling and simulations on Earth. So does Batarudin have a favorite out of the two spacecraft? He replies well, voyager 2 is the one that's been flying the longest and Voyager 1 is the one that's furthest from Earth. So they both have a claim to fame, he says. To use another analogy, they're essentially twins. They're basically the same person, but they live different lives and they have different medical histories and different experiences.

02:06:55 - Leo Laporte (Host)
What a great line.

02:06:57 - Steve Gibson (Host)
Batarudin hopes to stick with the mission until the final transmission from the spacecraft. He said I love Voyager, I love this work, I love what I'm doing. It's so cool. It just feels like I've got the best job at JPL.

02:07:14 - Leo Laporte (Host)
And he's, I'm sure, in his 60s, if not 70s, right? Yeah, he's been with it for 30 years with JPL.

02:07:20 - Steve Gibson (Host)
Yeah, wow. So I just checked on the Voyager 1 mission status, which is what gave me the title for today's podcast. That intrepid little spacecraft is now so far away that light and radio signals take more than 23 hours to travel in each direction. Not round trip each direction, so two days round trip. So it's nearly an entire light day distant. Yet Voyager 1, and this is what boggles my mind is managing to keep itself pointed at our Earth across all that distance and we still have working bidirectional communication with it.

02:08:03
This entire endeavor has been an astonishing example of incredible engineering. The original design and this too the original design was flexible enough. That was flexible enough, that and software controlled enough that, even though it was designed in the 1970s and launched on September 5th 1977, all well before the Internet and all the technology that we now take for granted this machine has endured and has exceeded everyone's expectations many times over. The story does make one principle absolutely clear no pure hardware solution could have ever done this. No pure hardware solution would still be alive, functioning and communicating after 47 years of spaceflight. Nor even could any fixed firmware hybrid hardware-software solution. The reason is that none of what has transpired since Voyager 1's original mission was redefined and extended after it continued to perform so brilliantly could have been anticipated by NASA's brilliant engineers in the mid-70s.

02:09:28
The sole key to Voyager 1's success today is that, to an extremely large degree to an extremely large degree the original designers of the spacecraft put the machine's hardware under software control. The reason they did that way back in the 70s was different from the reason they're now glad they did that. They created a deeply software-based control system back then because software doesn't weigh anything and the spacecraft didn't have an ounce of weight to spare. So the engineers of the 70s put their faith in software, and that faith and the inherent dynamic redesign flexibility it enabled has given the spacecraft a far longer life than it could have ever otherwise enjoyed, because software doesn't weigh anything. Isn't that amazing? And all of that said, yesterday's and today's software is ultimately at the mercy of hardware. You know, if the attitude control systems capillaries ultimately become clogged with leached and deposited silicon, the spacecraft's ability to maneuver and keep itself pointed at the Earth will eventually be lost At some point in the not too distant future. It will still be alive out there, but we'll have lost contact with one another.

02:10:59
You know, what an amazing accomplishment, Leo.

02:11:02 - Leo Laporte (Host)
It's a great story. I mean, it makes you proud. It also there's another lesson, which is sometimes constraints force a kind of creativity. That's better than if you have unlimited hardware and software, unlimited memory, unlimited storage.

02:11:18 - Steve Gibson (Host)
It's why I'm pointing at that PDP-8 behind me.

02:11:23 - Leo Laporte (Host)
Yeah.

02:11:24 - Steve Gibson (Host)
It came with 4K words of memory and it was expandable to 16, I think, or 12. Um, it's, it's. It's what I miss about the old days where where there you, you really there was, there was creativity and engineering, instead of just asking chat GPT for a program.

02:11:49 - Leo Laporte (Host)
Right, you know which, you know which it spits out from having ingested the internet.

02:11:54 - Steve Gibson (Host)
Right it's. It is a different world.

02:11:56 - Leo Laporte (Host)
Yeah, fascinating, right it's. It is a different world. Yeah, fascinating. Well, wow. As you know, we've covered this story for a couple of years now and it's as it's been that intrepid little probe has been out there and there are. I've mentioned already, there are some documentaries. There's one fairly recent one that covers the old folks and I watched it after your recommendation.

02:12:17 - Steve Gibson (Host)
It was fantastic. So great these guys fun.

02:12:20 - Leo Laporte (Host)
This is their life work. Uh, it's just really neat, um, amazing. Thank you, steve, once again for a great show. As always, steve uh hits it out of the park each and every time. I hope you listen.

02:12:33
We do the show live on tuesdays right after mac weekly, which usually ends up being somewhere between one 30 and 2 PM Pacific, let's say, 5 PM Eastern time, a 2200 UTC. You can watch us live on eight different platforms, thanks to our club twit members. Of course, we're on a discord that's where our club to it Members live, but we're also on YouTube, twitch, we're on xcom, we're on Facebook. We're on Xcom, we're on Facebook, we're on LinkedIn, we're on Kik, we're even on TikTok, so you can watch us live there if you're around of a Tuesday evening. If not, of course there's on-demand versions of the show. We have a 64-kilobit audio version and a full video version you can watch at twittv. Slash sn. Steve has the 64-kilobit audio, but he also has the 16-kilobit audio. But he also has the 16 kilobit audio which he makes handcrafts himself every week so that you can listen if you're bandwidth impaired and one of the bandwidth impaired folks is our own, elaine ferris, who does the transcripts, so she downloads that and literally by hand transcribes everything we say.

02:13:32 - Steve Gibson (Host)
Does a beautiful job of that it's actually why we have the 16 right. It was for elaine that I created. I started doing that. That's so nice uh.

02:13:41 - Leo Laporte (Host)
So if you want to read along as you listen or use it for searching, that's also on his site, of course, the full show notes, and steve uh does a really nice, better show notes than anybody I've ever seen. I mean, it's all written out there, lots of images, links, and you can also get that from steve's site. You can get it emailed to you as well. Steve has a couple of newsletters, one of which is the Security Now newsletter, the show notes, and all you have to do to get on his mailing list is go to grccom. That's his website. Grccom slash email. What you're actually doing is validating your email, so that gives you the opportunity to email him. You have to validate it first because he doesn't want spam. It's a very effective technique against that. But you'll see there are two boxes that you could check. They are unchecked by default, but you could check them if you want to get those newsletters. Grccom slash email. While you're at GRC, pick up a copy of Spinrite. That's Steve's bread and butter, the world's best mass storage, maintenance, recovery and performance enhancing utility. 6.1 is the current version at GRCcom. Lots of free stuff there too. It's really a fun site. Just to browse around the site looks like it came out right about the same time as Voyager 1. But you know what weighs? Nothing, so that's. That's a good thing.

02:15:02
Grccom there's a youtube channel dedicated to the video. If you want to watch better yet, that's the place you can use to share clips. Youtube makes that fairly easy. And, uh, and if so, if you heard something and you said, oh, you know, my friend ought to hear that, you can clip it, send it to them. That helps us two ways. One is, of course, you know you're sharing it. But two, your friend might say, hey, I want to hear that show again, or I want to hear more of that and subscribe, and we like that. We appreciate that. We especially appreciate all of our club members who are watching and listening tonight. Uh, we couldn't do it without you and increasingly, as the times get tougher and tougher for independent podcasts like ours, we are relying on club members to keep the lights on.

02:15:43
It's $7 a month. You get ad-free versions of this show and every other show. You also get access to the Club Twit Discord. You get special shows we do. I've been streaming every night for the first three nights. The advent of code solving that is so much fun. Steve. It was really scary for me the first time to say I'm gonna let somebody watch me write code because I'm not. You know, I'm no pro and even, I'm sure, even somebody like you. They're false starts. There's, there's dumb like you.

02:16:12 - Steve Gibson (Host)
Oh I left out a comma or something like that.

02:16:15 - Leo Laporte (Host)
Yep, so I'm, we're doing it live. You can watch me do dumb things, but fortunately I have, uh, from our own club, three really accomplished coders. They wait till they've solved the advent of code themselves, which takes about 10 minutes, and then they come and dial in. So sy phase. Uh, darren oki, who's australian. Uh, our canadian friend, paul holder you know very well who helps on your forums. Um, they helped me out last night. Actually, they helped me quite a bit doing some regular expression stuff. They were very helpful there. So please join us. I think I'm going to do it again. I'm going to, I think what my plan is. I'm going to keep doing it until I hit that wall where I go.

02:16:56 - Steve Gibson (Host)
I can't.

02:16:58 - Leo Laporte (Host)
Or it passed two in the morning and that's you know, I don't want to stay up all night doing it, so, but let's try it again. So far it's so good. It's taken a couple of hours, it's been really fun. So I'll be streaming that on my YouTube channel. But that's another club event. So join the club, because that's what, that's where the fun happens, uh, and it's what really supports the work steve does and the entire team. Twittv slash club to it. Seven bucks a month, that's all it costs right now. One and a half percent of our audience is a member. I would love to get that. It doesn't have to be 100, four or five percent. Uh, that would. That would make it so we didn't have to worry about what we're going to do next year. Right now we're we're quite worried. Twittertv club, twitch steve.

02:17:42 - Steve Gibson (Host)
Have a wonderful week we'll do and we'll be back next week for 1004. Holy moly who knows what's gonna go on between now and then whatever it is we'll cover it mivIV, episode MIV coming up.

02:17:59 - Leo Laporte (Host)
Thank you everybody, We'll see you next time on Security Now. Security Now.