Transcripts

Security Now 991 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
 

0:00:00 - Mikah Sargent
Coming up on Security. Now. I'm Micah Sargent subbing in for Leo Laporte, as he is on vacation and we have a great show ahead. Steve tells us all about how YubiKeys can be cloned and how. Maybe that's not something you have to worry about, but I mean, if you are, you know, a leader of a nation state, maybe it is something you need to be concerned about. Plus, we talk about a lot of listener feedback, including whether WhatsApp is more secure than Telegram, what is going on with elevators in Paris, and, of course, we cover the very interesting Rambo, an attack that involves air-gapped systems, special encoding and the ability to read RF signals coming from RAM. Very interesting stuff coming up on this episode of Security Now.

0:00:58 - Steve Gibson
Podcasts you love From people you trust. This is Twit. From people you trust this is Twit.

0:01:08 - Mikah Sargent
This is Security Now, with Steve Gibson and me, micah Sargent, episode 991, recorded Tuesday, september 10th 2024. Rambo, it's time for Security Now, the cybersecurity show that you tune into every week so you can panic and feel anxiety, but then feel better, because Steve Gibson is here to help you feel better. I am Micah Sargent, subbing in for Leo Laporte this week, who is enjoying a nice time away on vacation, and I am pleased to be joined by the true star of this show, steve T Gibson. Hello, Steve.

0:01:48 - Steve Gibson
Hello Mike, it's great to be working with you this week, and on top of the normal level of anxiety that this show tends to induce, today's podcast is titled Rambo. So if you were thinking, well, we're just going to have a calm, little nothing podcast. No, that's not the case. We've got all kinds of good stuff to talk about. We're going to cover Microsoft's recall, which briefly looked like it was going to be uninstallable. Microsoft decided nope, that's a bug. Also, yubikeys can be cloned. How worried should we be? Nope, that's a bug. Also, yubikeys can be cloned. How worried should we be? When was that smoke detector installed? Yeah, oh, this is probably one you missed, micah, so you're going to enjoy this one. This actually relates to last week's Picture of the Week. We're also going to share and discuss lots of interesting listener feedback.

Is WhatsApp more secure than Telegram? Does Telegram's lack of true security really matter? It turns out that elevators in Paris have problems too. The relevance of that will be made clear. There's a fourth credit bureau that should probably be frozen. Can high-pitched sound keep dogs from barking? We'll be hearkening back to a long-ago podcast. We also have a reminder of a terrific Unix 2023, you know end-of-the-world-as-we-know-it countdown clock. There's a new Bobiverse sci-fi book, which was that early series was very popular among our listeners, and a new Peter Hamilton novel, also another one of our sci-fi faves why does Spinrite show user data flashing past? And the main topic of the show, rambo, tells us that Tempest-style attacks are alive and well. So a lot of good things to talk about and, of course, we've got a great picture of sort of a classic picture of the week, and Benito pointed out that it also fits right in with today's recent Apple News theme that you just were talking about over on MacBreak Weekly. So I think a great podcast for our listeners, Absolutely.

0:04:04 - Mikah Sargent
In fact, I thought this was specifically picked for the Apple event, so I was kind of pumped, but, as is always the case, now that you've got your intro to the show, it's time to take a quick little break before we come back with the first of several topics that I am very interested in. So we'll hear those soon, but I want to tell you about Flashpoint. Who are bringing you this episode of Security? Now, you know, for security leaders, this year 2024, has been a year like no other, because cyber threats and physical security concerns have just continued to increase. Now geopolitical instability is adding a new layer of risk and uncertainty. New layer of risk and uncertainty. So let's talk about numbers. Just last year, there was a staggering 84% rise in ransomware attacks and a 34% jump in data breaches. The result Trillions, trillions of dollars in financial losses and threats to safety worldwide. Now you may be going. Okay, great love to hear all of that.

What do we do about it? Well, that is where Flashpoint comes in. Flashpoint actually empowers organizations to make mission-critical decisions that will keep their people and assets safe. So how does it do that? Well, by combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, alerts and analytics all in one place. You can maximize your existing security investments.

Some Flashpoint customers avoid $500 million in fraud loss annually and have a 482% return on investment in six months. Flashpoint earned Frost and Sullivan's 2024 Product Leadership Award for Unrivaled Threat Data and Intelligence. An SVP of cyber operations at a large US financial institution had this to say about Flashpoint Flashpoint saves us more than $80 million in fraud losses every year. Their proactive approach and sharp insights are crucial in keeping our financial institutions secure. They're not just a solution. They're a strategic partner helping us stay ahead of cyber threats. So it's no wonder why Flashpoint is trusted by both mission-critical businesses and governments worldwide To access the industry's best threat data and intelligence. Visit flashpointio today. That's flashpointio, and we thank Flashpoint for sponsoring this week's episode of Security. Now All righty, back from the break.

0:06:41 - Steve Gibson
Okay. So this week's Picture of the Week. Again, I owe such a debt of gratitude to our listeners who keep sending me these wonderful things that they encounter. I gave this picture the headline the Very Definition of Form Over Function. So what we have?

Gates of various sorts seem to be a recurring theme. We've often, like, found gates out in the middle of a field, like what is going on here. In fact, we had one really famous one a gate and a bunch of sheep were standing behind it, as if waiting for it to open, even though they could have walked around it. So never really clear what was going on with those sheep. But in this, oh, and another one of my favorite gates was a gate that blocked people from passing through, with a series of horizontal bars, meaning that it was also a ladder that you could easily use to climb over the gate. It's like, okay, maybe these bars should have been vertical.

Well, in this case, this form over function gate is blocking, sort of a long corridor, clearly meant to prevent people from passing.

There's some sort of locking mechanism and handle and so forth all over on the left, so it makes it look like you know, this gate will not open unless you're authorized.

Yet they wanted to celebrate the apple. More than a third not quite half of the gate is a large apple made out of the same bar material, except the center of the apple is open. I mean, you can just go through the gate by ducking down and moving through, and at first I thought, okay, maybe this was not really meant to keep people out, except that if you look on the outside the gate, in the margins, outside of that gate area, there's extra bars there extending to the very edge, definitely intended to keep anybody from squeezing around the side. But you don't have to squeeze around the side because the center of the gate is a wide, open body of an apple. Anyway, I, uh, you know there are so many of these pictures, though, that we've shared where you, you want to find the person who is in charge of this design and say, okay, now, like the Apple, is this actually supposed to keep anybody out? Like, what's your thinking?

0:09:33 - Mikah Sargent
here. What were you thinking? What were you thinking? You have to tell me.

0:09:38 - Steve Gibson
Okay. So the Verge carried some news that really makes you wonder what's going on at Microsoft. Their headline read Microsoft says its recall uninstall option in Windows 11 is just a bug. In other words, don't get your hopes up that we're going to allow our illustrious forthcoming recall feature, which, as we know, most people don't want to be removed from Windows. That was a bug, not a feature.

So the Verge wrote while the latest update to Windows 11 makes it look like the upcoming recall feature can be easily removed by users, microsoft, they wrote, tells us it's just a bug and a fix is coming, meaning that that option will be removed as like the bug fix. They wrote that desk modder spotted the change last week in the latest 24 h2 version of Windows 11, with KB504-1865, seemingly delivering the ability to uninstall recall using the Windows Feature section, and I grabbed a snapshot of that for the show notes and you can see it very clearly. Underneath the print and dialogue services option, uh, is recall, which is checked as as as the blue check Mark, and that's just above the remote differential compression API support, which I guess everybody wants to have. So you know, there it is suggesting that if you were to uncheck that and click OK, recall would be removed from your life, but only for, apparently, that release of an issue where I love it. It's an issue we're aware of an issue where recall is incorrectly listed as an option under the turn windows features on or off dialogue in control panel, which we would all argue is where, exactly where it should be, they said. Brandon said this will be fixed in an upcoming update. So the Verge goes on to tell us much of what we already know, which is to say why many of us wish that the checkbox would remain. But the Verge also adds a bit of news. So they wrote, the controversial recall AI feature, which will create screenshots of mostly everything you see or do on a computer, was originally supposed to debut with Copilot Plus PCs last June.

Microsoft was forced to delay the feature after security researchers raised concerns. Microsoft says it remains on track to preview recall with Windows Insiders on Copilot Plus PCs in October so that's next month After the company has had more time to make major changes to recall, which nobody would argue it needs, they said. Security researchers initially found that the recall database that stores the snapshots of your computer every few seconds was not encrypted and malware could have potentially accessed the recall feature. Microsoft is now making the AI-powered feature an opt-in experience instead of, on by default, encrypting the database and authenticating through Windows Hello. Now I'll just pause here to note that Windows Hello has been broken multiple times and they're not going to be saying, well, you know, we have this recall feature, but people are really uncomfortable with it. No, they're going to be saying we have recall, it's jiffy quick, spiffy, wonderful.

0:13:42 - Mikah Sargent
And you definitely want to. You want it. It's amazing, oh my God.

0:13:46 - Steve Gibson
You're not going to want you After a year you're going to wonder how you ever got along without it. So, yeah, it may be opt-on, but it's sort of like if anybody's been using Windows recently and tried not to back up their computer using one of Microsoft's facilities, you know you have to say no, no, thank you. No, I'm really seriously sure I don't want to use your backup because oh no, they want you to back up to OneDrive. Anyway, the Verge said we did ask Microsoft whether it will allow Windows users to fully uninstall Recall, as its appearance in the Windows feature list suggests. They said it's possible that Microsoft may need to add a recall uninstall option to EU copies of Windows 11 to comply with the European Commission's Digital Markets Act, the DMCA.

Microsoft has already had an option to uninstall Edge in the European Economic Area countries, alongside the ability to remove the Bing-powered web search in the start menu. So maybe Europe is going to come to our aid and although the problem is, you know, microsoft knows if these copies of Windows 11 are in the EU or not, so that may not help us. You know, when you really think about it, what does it mean? That Windows has a feature that prevents a clear and present privacy and security danger to all of its users, which Microsoft knows full well. Many of its users feel extremely uncomfortable about and where it's obvious that the feature could be readily removed from windows, yet microsoft refuses to allow their users to do so. One thing that means for certain is that grc's forthcoming freeware, which will totally neuter and remove recall, promises to be quite popular.

0:16:06 - Mikah Sargent
Okay let's talk about this, okay. So, first and foremost, I 100% agree, and right now there have to be at least 10 people inside of the company who are cringing at the fact that this was discovered in the first place, because it's such a clear and easy way to say if it can be removed and we're not giving people the ability to do so now. That's there. That's so bad that they've shown that it can be taken away and now they're not giving people the opportunity to completely take it away. Secondarily, though, do you have concerns that because you've created other tools like this, so I know that you have a better understanding of this freeware that removes something that Microsoft says can't be removed or shouldn't be removed? Does that introduce any issues in the system, or do you have concerns about that?

0:17:09 - Steve Gibson
I guess I would say we'll find out. So what this most reminds me of is what we went through with Internet Explorer back in the early days of Windows days of Windows. Microsoft was so committed to having their own web browser built into Windows that they told the world that it could not be removed. You know there was no way to remove IE from Windows, and so you know that was the story that we heard up and down, and this was where a lot of the antitrust problems came from back in the beginning. So we kept hearing oh no, the browser is an integral component, it's deeply integrated into Windows and cannot be removed. Until the EU said, ah, you know, we think that's wrong. And so then Microsoft made it removable. So you know it was only unremovable because Microsoft didn't want it to be removed until they were forced to say, okay, well, I guess we'll let people turn it off and, in fairness, there are some parts of Windows that have always been, and almost still are, dependent upon IE components. So you know it was integrated into Windows.

What's interesting here is that the progression of this demonstrates that it is an add-on to Windows. I mean, windows 10 doesn't have it. Windows 10 is apparently going to be getting it. Windows 10 doesn't have it. Windows 10 is apparently going to be getting it. Windows 11 doesn't have it. Windows 11 is definitely going to be getting it as a feature of Copilot, so I think it's.

I mean, microsoft could do anything they want to with the OS, right, so they could arrange to make Windows dependent upon it in some fashion.

But to your point, clearly, the fact that there is a remove it feature now and they're removing the remove rather than removing recall suggests that recall can be removed. So I will. And if it turns out that it cannot be removed that is, like it literally cannot be removed from the system, or that every Windows update brings it back if it's taken out, you know whatever then the least I could do would be to have my thing set up a little background surface in Windows whose job is to absolutely kill it when it appears or turn it off when it gets turned on. I mean, just basically take responsibility for keeping it shut down. Responsibility for keeping it shut down now, and we know that that is possible because microsoft has said if you're doing something sensitive, you can stop recall from snapshotting your system while you're doing something that you specifically don't want it to watch, so which is everything for me exactly, and so it's certainly, and I do have a great name for it.

I'm just keeping it quiet for now. But yeah, leo, I'll never forget him laughing when I told him that the freeware that was going to prevent Microsoft from upgrading your Windows 7. Of course I called it Never 10, which he really liked. Anyway, I've got something good for this one.

As soon as it actually happens and becomes a problem, I'll spend I mean, it's only going to take a couple days to create something that you know that does the job. Okay, so many, many, many people sent me a link to at least as many pointers to the recent Yuba Key exploit stories as I received with news about this Rambo attack, because people wanted to hear what I thought about this Rambo attack. And also, hey, gibson, look, your favorite key has a problem. So of course, this is due, of course, to the fact that Yubico themselves largely credits me thanks to the listeners of this podcast with discovering them at an RSA conference where I met Yubico's primary mover and shaker and co-founder, stina Ehrensvard, and then the podcast put them on the map and really helped them get going. Now it's clear that this would certainly have happened for Yubico sooner or later, and, knowing Stina, probably sooner. So it was just fortune that I happened to be someone who had a microphone, who recognized the cleverness of what they had created back then. And, of course, the YubiKeys have evolved dramatically since that first thing. That was basically a keyboard, a USB keyboard emulator, which was very clever, and so the world is changed, but Yubico has remained the leader, which was very clever, and so the world is changed, but Yubico has remained the leader.

Ars Technica's headline about the recent discovery was quote Yubikeys are vulnerable to cloning attacks thanks to newly discovered side channel and their subhead read Sophisticated attack breaks security assurances of the most popular FIDO key. The researchers at Ninja Lab, who performed the research and previously informed Yubico of their findings, so much so that Yubico has already solved the problem for any new keys that they then sell. Ninja Lab said in the present work, ninja Lab unveils a new side channel vulnerability in the ECDSA, that's elliptic curve digital signature algorithm implementation of Infineon 9. That's the actual chip inside the YubiKey that does the crypto on any security microcontroller family of the manufacturer, meaning of Infineon. They said this vulnerability lies in the ECDSA ephemeral key or the nonce modular inversion, and more precisely, in the Infineon implementation of an extended Euclidean algorithm. They said to our knowledge, this is the first time an implementation of the EEA, that's, the extended Euclidean algorithm, is shown to be vulnerable to side channel analysis. They said, contrarily to the EEA binary version, the exploitation of this vulnerability is demonstrated through realistic experiments and we'll discuss how realistic they are in a minute, because it takes something to make this happen, they said. And we show that an adversary only needs to have access to the device for a few minutes, although the you know, I'll put access in air quotes as we'll see. They said the offline phase, that is, after the access for a few minutes, took us 24 hours. With more engineering work in the ATT&CK development it would take less than an hour. So yes, it's possible, after we've demonstrated the problem, to improve its performance.

They said, after a long phase of understanding Infineon implementation through side channel analysis of a FETIEN 10 open Java card smart card, the attack is tested on a. So that was a smart card using the same chip. So they actually developed the attack on something no one had ever heard of. Then they thought, okay, to get some press, we're going to see if the YubiKey is vulnerable. So they said the attack is tested on a YubiKey 5CI, a FIDO hardware token from Yubico. All YubiKey 5 series, they said, before the firmware update 5.7.11 of May 6th 2024, are affected by the attack. In fact, all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack. In other words, all kinds of other things too, they saids. Or AVA van five, for the others, from 2010 through 2024. And they said a bit less than 30 certificate maintenances. Okay, so in other words, this has had the crap tested out of. It's what I thought, okay, good, yeah, over and over and over. So like no problems were ever found and everybody's using this in the industry because it is the industry standard secure microcontroller, super high volume, super cost, and that's what's in the YubiKey 5 series, as well as many other secure tokens and HSMs, for example, of different kinds.

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation states or other entities with comparable resources, and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low. As in nil Roche said that two-factor authentication and one-time password functionalities are not affected. So this is a specific function among many functions in this cryptographic library. So two-factor authentication, one-time password functionalities not affected. So it's very likely and I didn't dig into this enough to get a sense for of all the things that are affected, what are. But fido is so fido to paskey stuff that'll be a problem. Um, okay, so he said.

Tuesday's report from ninja lab outlines the full flow of the cloning attack, as first the adversary steals the login and password of a victim's application account protected with FIDO, right? So it's not like the key is all you need. You still need the login and password. First, the adversary gets physical access to the victim's device during a limited time frame, without the victim noticing, thanks to the stolen victim's login and password for a given application account. The adversary sends the authentication request to the device as many times as necessary while performing side-channel measurements. In other words, you give your login and your password to authenticate. Then the account says now you need to use your key in order for us to verify that you're in physical possession of the key. So the bad guys have to make all that happen so that the device is actually doing successful passkey or FIDO authentications over and over and over.

Then they said the adversary performs a side channel attack over the measurements and succeeds in extracting the ECDSA private key linked to the victim's application account. The adversary can sign into the victim's application account without the FIDO device and without the victim noticing. Now notice that they already could because they had the key somehow right. So what this is doing is it's allowing them future access, which they already got present access for, because they had the guy's login and password and their device in a very intrusive way, so they were able to do things with it, use it successfully, authenticate. So it was during multiple successful authentications that, under the scrutiny of this $11,000 worth of equipment, that they're getting the private key, whose entire purpose is not to do something now but to do something in the future.

And then, of course, they've got to get this back back. It's like a mission of possible episode. They got to get this back to the user and wait till you hear that they had to crack the key open in order to do any of this anyway, because that's part of it too. So they had to glue it back together after cracking it open and getting it back to the guy before they know that it's even that's ever been taken, so that they won't go and change the key, because anyone who knew this had been done would stop using it right. So it's like, okay, fine, so this allows them to, in the future, sign into the victim's application account using the stolen login and password and the then stolen elliptic curve private key which allows them to do this in the future.

And then Dan says the list which we just finished, however, omits a step, which is tearing down the Yuba key and exposing the logic board housed inside. He says this likely would be done by using a hot air gun and a scalpel to remove the plastic key casing and expose the part of the logic board that acts as a secure element storing the cryptographic secrets. As a secure element storing the cryptographic secrets. From there, the attacker would connect the chip to the hardware and software that take measurements, as the key is being used to authenticate an existing account. Once the measurement taking is finished, the attacker would seal the chip in a new casing and return it to the victim. So okay.

0:32:47 - Mikah Sargent
This isn't easy, this isn't realistic for the average, even the person who had the equipment, like there's still so much that could go, what could possibly go wrong? So much It'd be hard to do this. Yeah, it's not like you scan it in some guy's pocket from 20 feet away or something.

0:33:06 - Steve Gibson
So, to put this into context, dan adds he says the attack and underlying vulnerability that makes it possible are almost entirely the same as the one that allowed Ninja Lab to clone Google Titan keys in 2021. The attack required physical access to the token for almost 10 hours. In the case of the Google Titan keys, he says the attacks violate a fundamental guarantee of FIDO-compliant keys, which is that the secret cryptographic material they store cannot be read or copied by any other device. This assurance is crucial because FIDO keys are used in various security-critical environments, such as those in the military and corporate networks. That said, he writes, fido-compliant authentication is among the most robust forms of authentication, one that's not susceptible to credential phishing or adversary-in-the-middle attacks, as long as the key stays out of the hands of a highly skilled and well-equipped attacker with a hot air gun and a scalpel I'll just interject, you know at $11,000 worth of equipment and the ability to get it out of your possession for the time required to do it, and who already knows your login name and password, it remains among the strongest forms of authentication, he says it also. It's also worth noting that cloning the token is only one of two major steps required to gain unauthorized access to an account or device. An attacker must also obtain the user password used for the first factor of authentication. These requirements mean that physical keys remain among the most secure authentication methods To uncover the side channel. He finishes, the researchers reverse engineered the Infineon cryptographic library.

The Infineon cryptographic library a heavily fortified collection of code that the manufacturer takes great pains to keep confidential. The detailed description of the library is likely to be of intense interest to cryptographic researchers analyzing how it works in other security devices. Okay, so what we have here is Yubico, in the spotlight only because it is by far the most successful and well-known user of high security token hardware by Infineon that, despite years 14 years of previous reviews and extensive analysis by the industry, was finally found to have an extremely subtle flaw that could be used to extract its secrets. And even then, and only then, through the use of quite high-end, expensive engineering equipment, including the need to physically compromise and crack open the key. And even then the attacker would still need knowledge that only the key's legitimate owner and user probably possesses.

So Infineon has fixed their problem with a firmware update. But in the interest of security, infineon's firmware is not field upgradable. So Yubico has obtained the improved hardware from Infineon and is now offering keys that have this fixed. Whether or not anyone should or would bother to update is up to them. But this attack seems so far-fetched I mean literally Mission Impossible 9, and is so far out of the realm of ever happening to anyone and after all, we're just using the keys to contain additional factors of login credentials that I can't imagine. This is worth another thought.

0:37:07 - Mikah Sargent
Can I ask you you say, in the interest of security, infineon's firmware is not field upgradable. How is it and it's probably just not obvious to me why is that a security thing to say you can't upgrade the firmware and fix this? Why does it have to be new hardware?

0:37:29 - Steve Gibson
So what it actually is. The firmware is in ROM. In literally old school it's called masked ROM, where the bits are actually little bits of metal mask, which are present or not.

Literally like physical connections making ones and zeros, bits of metal mask which are present or not, literally like connection, physical connections, making ones and zeros, as opposed to it being in flash memory, where it is dynamically writable. And and the reason is if, if you are able to put the key in and change the firmware, then an attacker could put it in and change the firmware. Then an attacker could put it in and change the firmware to be insecure. So you, just you, absolutely like the top level security says we fix this in the factory so that you can't ever change it. Got it, so it is it is the.

0:38:22 - Mikah Sargent
What is it? It's the like the fruitcake firmware. It so dense and so it's a nearly concrete, as opposed to firmware that exists on the other side, where it's a software update.

0:38:33 - Steve Gibson
This is literally like actual physical firmware update I would say that that we're using the term firmware because it's the code that drives the microcontroller inside, but it's actually so firm that it's hard. Yeah, it's actually hardware firmware, got it yeah?

0:38:52 - Mikah Sargent
Wow, that's cool. That's really cool. Have a significant other who is secretly a spy from some nation state organization to a be able to guess that your username and password is this, or have access to that in the first place and can get that away from you and can keep you entertained by something for 10 to 10 or more hours. I think it's more in this case to be able to pull this off you and I probably don't need to go buy a new yubiKey I'm not the least bit concerned.

0:39:32 - Steve Gibson
Um, you know they're, they've been. You yubiKey's been totally responsible. They immediately, um, in concert with the the announcement from ninja lab, they put out their own explainer that that, yes, it turns out that our supplier and the supplier of everybody else on the planet has a problem. It's you know, this is the nature of it, and we've responded the only way we can, because these are not field upgradable is, you know, if you really are concerned, we'll offer you, you know, a new key. But, yeah, really, you know, if we're really talking nation state level exposure for this to be a problem, Got it.

0:40:18 - Mikah Sargent
So, yeah, I will keep my YubiKeys. Thank you very much. I have five series, and so whenever you first said this, I thought, oh dear, yeah, not a problem, and let's take another break. All righty, it is time for another break. This time, security Now is going to be brought to you by BigID, the leading DSPM solution where data security posture management is done differently. Data security posture management is done differently.

Bigid seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can uncover dark data, identify and manage risk, remediate the way you want and then scale your data security strategy so take action on those data risks. You can annotate, delete quarantine and more based on the data, all while maintaining an audit trail, which, of course, those of you who work in this know that that audit trail is very important. With BigID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all of your information. Bigid even equipped the US Army that's right to illuminate dark data, accelerate cloud migration, minimize redundancy and automate data retention. Us Army Training and Doctrine Command says quote the first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings. I've never seen a capability that brings this together like BigID does.

So don't miss the exclusive CISO Digital Summit on October 17th at 11 am Eastern Time. There it's going to be centered around the next era of data security. This virtual summit will feature deep dives into the latest data security practices and technologies. They'll explore everything from DSPM to AI to DLP and beyond, with expert-led panel sessions and interactive discussions with peers. They have a great lineup of speakers, including a keynote from the head of cybersecurity and compliance at Denny's, and you can get two CPE credits and a raffle entry for attending. So be sure to tune in and strengthen your organization's security posture in an ever-evolving digital landscape. Start protecting your sensitive data wherever your data lives.

At bigidcom slash security now. Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's bigidcom slash security. Now, also, there's a free new report that provides valuable insights and key trends on AI adoption challenges and the overall impact of Gen AI across organizations. Bigidcom slash security now Check it out. All right, we are back from the break. I am Micah Sargent subbing in for Leo Laporte this week, and it's time once again for Steve to take it away.

0:43:16 - Steve Gibson
Okay. So we've got. That was pretty much the big news of the week, along with Rambo that we'll get to in a minute. I have a bunch of interesting listener feedback that I wanted to share because the GRC mail system has been working real, been working overtime, I should, I should say so.

Our picture of the week podcast before last was that signage which was intended to have its blank field proudly filled in with the date since there had last been any sort of accident on the job. But, as we'll remember, instead of that it's cited that they'd had no accidents since a specific person who everyone presumably knew had left the job. So you know this site has been accident-free. Yeah, there it is. You know, it said, since Joe left. So okay.

So I recalled at the time that we'd had a similar non-sequitur once before for our picture of the week in the form of a close-up photo of a smoke alarm that also had a blank space where its installer was expected to fill in a date. But during the podcast two weeks ago, I was unable to recall what had been written there when we showed that picture of the week before. One of our listeners, whose online moniker is Mr Nobody, nobody 2, was kind enough to remind me. Okay, so the smoke alarm had, as I said, had a field where its installation date was meant to be filled in by its installer. So it said installed on and you know, follow I blank space. In this case, the person filled the information in so that it read installed on the ceiling.

0:45:15 - Mikah Sargent
So, oh, that's great.

0:45:19 - Steve Gibson
It was wonderful. So anyway, I wanted to remind everybody of that similar repurposing of the original intent. Like you know, looking at it, you wouldn't know that your smoke alarm was installed on the ceiling, so yeah, Mine, unfortunately, I can see here.

0:45:38 - Mikah Sargent
It's just not. It doesn't have anything on it.

0:45:40 - Steve Gibson
Well, and I'm not really sure because you know these things start to beep when the batteries get low. So maybe technically you're supposed to replace them every 10 years or something Like.

Maybe the battery isn't the only problem, maybe the smoke sensing sensor could go bad, so like oh well, replace it when you need to change the batteries, but after a decade you should just really go get a new one. Anyway, just in case anyone was wondering, the smoke sensor is on the ceiling, if you weren't secure what surface that was. So anyway, as I said, there was not a huge amount of news and I got caught up in the terrific listener feedback that I've been receiving. And I got caught up in the terrific listener feedback that I've been receiving. As our longtime listeners will remember, many years ago we used to deliberately alternate episodes between security news and listener feedback, where we would do a pure feedback episode. We dropped that approach over time in favor of always doing some of both, which is our normal routine, as we are this week, but a little more feedback this week. And now I should note how pleased I am with the way GRC's email system has worked out. The nature of the feedback by email is completely different from Twitter, and having it coming into my own email client makes it significantly easier to manage. So I'll just remind everyone that, in order to send feedback directly to me at the email address securitynowatgrccom and that's not listed anywhere at GRC because I'm intending this to be for podcast listeners, this to be for podcast listeners. So you know people say, hey, I looked around, I wanted to send you a note because I know you're talking about this all the time, but I couldn't find the address anywhere, right, because it's only for people who hear my voice and my voice says security now at GRC dot com. That's the email address. So, again, you need to register your sending email address with GRC. You do not need to subscribe to any of the three mailing lists that you'll find there. Just being registered allows my system to prevent all incoming spam from anyone sending to securitynowatgrccom who's not registered. And that's a blessing, because all I ever get there are actual listeners' email and it's wonderful. So, anyway, I'm also hearing from many of our listeners who really appreciate receiving the weekly show title summary picture of the week and the show notes link by mail every Tuesday morning before the podcast show notes link by mail every Tuesday morning before the podcast. So subscribing to the security now list will automatically make that happen for you.

Okay, so Angus McKinnon. He said Steve, I see, I see on WhatsApp all the time that your messages are encrypted. Is WhatsApp secure? I thought WhatsApp had Signal embedded Now, of course, last week's podcast was all about the fact that Telegram, which claims security and boasts of its reputation for security, encryption, with the single exception that two and exactly and only two parties, who were both online at the same time, could deliberately enable point-to-point encryption for their conversation. So I'm sure that Angus just wanted some assurance that WhatsApp's similar claim of encrypted messaging is actually legitimate. And, as he noted, since WhatsApp is based upon the open signal protocol, all messaging is always fully encrypted, even in multi-party groups, up to 1,000 people in a group. So you know, and in fact, since it's based on Signal, there's no way to use it or Signal in an unencrypted mode. That's all they offer. So 100% yes for WhatsApp.

Now, at the same time, andy Pasterzak shared some useful points which he feels favors Telegram. He wrote Steve, I'm a user of Telegram as well as Signal not being true, encryption would make a lot. All caps of services not encrypted, even outside the messaging space. He says there are almost no cloud providers that offer true end-to-end encryption. Dropbox, onedrive and Google Drive don't. Online calendar, to-do lists and note-taking apps don't really either, and the ones I find that do charge a lot for the privilege. Some of the end-to-end encrypted note-taking apps I looked at charge well over $100 per year for their basic plan. Telegram, he says, is obviously not all caps end-to-end encrypted, but it is encrypted in transit and encrypted at rest for the things I use telegram for. All I really need is encryption in transit. If I really need end-to-end encryption, then I use signal.

The other nice thing about Telegram is how group chats work. How many times have you been part of a group SMS text and asked to be removed from it? And that works great, until someone responds to an old message that you're still included on and then all of a sudden, you're part of the conversation again With Telegram. You leave a group chat or channel, you're gone until you rejoin, and Telegram fully supports Siri and CarPlay. I can easily say hey, siri, send a Telegram message to Joe while driving, and it will happily do that. Signal does not have Siri or CarPlay support yet. So if you want something better than SMS with Siri and CarPlay and Android auto support and you're aware of the encryption limitations, telegram is an excellent choice. Okay.

0:52:18 - Mikah Sargent
A lot of caveats. I agree, I said a lot of caveats there. Yeah, you want this, but you don't care about the yeah sorry, go ahead.

0:52:24 - Steve Gibson
Yeah, no, you're right. I agree with Andy that true end-to-end encryption is rarely needed or necessary. I use iMessage among my iPhone-using friends. As we know, its encryption is what Matthew Green described as modern state-of-the-art. You know true end-to-end encryption, but the messages I'm sending are about what time we're meeting for dinner or whether they saw some random piece of news hardly anything that would ever be of interest to anyone else.

Andy is obviously a sophisticated user who understands exactly what's going on. After all, he's listening to this podcast, so there's nothing to disagree with him about. One of the points of his sophistication is that he knows that when he truly needs end-to-end encryption, it's time to switch to Signal. For that he said so. But a big part of what Matthew Green wanted to convey although unfortunately it was only being read by people like us, so it didn't come as a huge surprise was that the typical Telegram user not Andy was extremely unlikely to have any such sophistication and thus appreciation of the distinction between telegram and signal or whatsapp. So matthew told us that what he was growing increasingly annoyed about as the years rolled by, with telegram not making any significant improvements to the security of their messaging technology was that they were essentially riding on the coattails of all of the other fully, truly end-to-end encrypted messaging platforms, while all the while claiming privacy parity with them, while choosing to not actually offer it. So, andy, I don't take issue with anything you said, except you're the exception, not the rule of among telegram users, of which there are, you know, a billion who don't understand all of this.

John Hicken said Steve, we rented an apartment in Paris where a sign was present in the elevator, but in French, of course. It was put up by owners who were annoyed when renters Airbnb forgot to close the outer door after leaving the elevator, thus rendering it stuck in place so nobody on any other floor could recall and use it. And he said cheers, john. Okay, so I enjoyed John's note, which related, of course, to last week's Picture of the Week, remember, which suggested that if the elevator didn't go, its occupants should try jumping up and down a bit, which you know should give anyone the willies.

Presumably, that would allow the elevator to know that they were present, although one would imagine that pressing a floor button would serve that purpose. Still to this day, they're using those quaint elevators where its user first closes an outer door on the floor and that door remains on the floor to close off the elevator shaft while the elevator's not there, and then the elevator itself is only responsible for closing the inner door of its own carriage. So, as John notes, if people leaving an elevator leave the outer door open, which is not under automation, then the elevator is unable to close that outer door, so the elevator's unable to move and anybody pushing for the elevator to go to their floor will end up having to take the stairs and be an extra annoyed Parisian, which may go a little ways to explain how they feel about Americans visiting Paris. So you know, american tourists are well not been loved.

Yeah, you can just leave that blank and it fills itself in, craig Taylor said hi, steve, long time listener. I wanted to provide you with some additional information on the article you cite for freezing credit after the NDP breach. The article you reference for freezing credit only mentions three of the four major credit bureaus at which you need to freeze your credit. Inovus is missing from that article. He says our article at CyberHoot has a collection of many of the primary and secondary credit bureaus, and I have a link in the show notes. And he finished saying great coverage and thanks for doing what you do. Okay, so Craig is a co-founder of CyberHoot and the page he linked to does indeed provide more comprehensive coverage of the various credit bureaus with links to each bureau's. What I thought it was it's not NDP as he had. He got those backwards or maybe I did. I transliterated them. Anyway, it's NPD for checking the NPD breach database. That shortcut, grcsc slash. Npd received the largest number of referring clicks ever of all time, and that was just a couple of weeks ago, so it hasn't even had that long to age. And GRC's credit link, grcsc slash credit to the Investopedia page is next in line, just behind it in second place runner-up position. The NPD was something like 10,000 plus clicks and the GRCSC credit link was 9,000 some. So I know this topic is not surprisingly of significant interest to this podcast listeners.

Since I want to make Craig's more comprehensive listing of Credit Bureau credit freeze links readily available, I've created another new GRC shortcut. This one is freeze. That points to Craig's excellent page about identity theft, so the link is grcsc slash freeze F-R-E-E-Z-E. Since I'd only previously frozen my own credit at the big three TransUnion, experian and the infamous Equifax I immediately used the new link to Craig's page to find the link to Inovus. I went there and froze my credit To Inovus's credit. Pardon the pun. It was the easiest of any of the freezing experiences. No need to create an account, you just fill out an online form which, by the way, contains all the data that's already been made public in the breach, so it's not news to anyone and your credit is immediately, from that moment, frozen against anyone's inquiry, moment frozen against anyone's inquiry. Inovus then sends by postal mail a credit freeze confirmation letter which contains a 10-digit PIN, so you'll want to hold on to that. That PIN can subsequently be used to then manage your freeze status at Inovus. It was so quick and easy that I cannot imagine why anyone who cares about this would not do it.

So again, the GRC shortcut to get to Craig's page at CyberHoot is grcsc slash freeze. And I should mention that Craig's quite comprehensive page mentions an additional five lesser known bureaus which also offer credit freezing. I didn't bother with them, but if you want to be fully covered you may wish to. I mean, like, why not? And, craig you know, thanks very much for bringing this additional major credit bureau and your page to our listeners' attention. That's much appreciated, you know, and I now send email out every morning with a summary of the podcast and a link to the show notes.

So I've already received feedback from a listener who read the show notes and asked me okay, what about these other five credit bureaus? Uh, I mean, they're there. Do we need to freeze them? So I don't know how to answer that. I I remember in novus so, and I remembered that when we talked about this years before there was a fourth bureau. I couldn't remember it when this came up again and and so you know I didn't take the time to dig into it it was in Novus, so they're at least in number four position, probably big enough to count that the the question about whether you should bother, like, how far down the list should you go? Essentially, I don't know. I know that when I needed to apply for an Amazon card, because I wanted my Amazon purchases to be on their card, because they gave you extra points, really, good deals.

1:02:42 - Mikah Sargent
yeah, yeah, gave you extra points.

1:02:43 - Steve Gibson
Yeah, I found out which of the major three they used and I did a temporary suspension of the freeze to allow Amazon to check my credit and then issue me a card, and then the freeze automatically snapped back on. So, um, I know that amazon uses one of the big three. Technically, anyone you know. So the question is you're freezing your credit because you don't want someone to issue to some bad guy to obtain credit in your name. Well, if they're querying a random, if the company granting the bad guy credit in your name is querying some random credit bureau that may not have the best information for you, then I guess anything's possible, right? So, yeah, if this is a concern for you, lock them all down.

My feeling is that none of these bureaus received my permission at any point to collect this information about me. You know they're just doing it and I do think that probably the top four covers, you know, virtually all of the use, presumably not absolutely all, otherwise these other five wouldn't be around. So I guess I don't really have a good answer to the question. But you know, if credit bureaus keep popping up, do we just run around freezing them all? I, I, I don't know. And besides, all the information is now public.

1:04:39 - Mikah Sargent
Yeah, exactly it's already out there because it's already hot. I wish that you know. Part of the requirements by the federal government involve providing the three major credit bureau reports. Every year you get one free from each of the three. I think that if they can network to do that, they should network to let you do security freezes all together with just one button and I know this is just wishful thinking, but they've proven that they can work together in that capacity. Let's let them work together in letting us freeze easily and unfreeze all at once, I mean.

1:05:21 - Steve Gibson
Well, and when we talked about this a couple weeks ago, the way the system should actually work is that all of the bureaus should always be frozen by default.

Buying a home, or buying a car, or making any large purchase Anyone who wants credit should do something like to specifically authorize that person to have access to their credit report.

So you receive a pin from the credit supplier that that entity is going to use. You give them this long access pin, which they are then able to use to obtain access to your report directly from the granting agency. I mean, there are ways we could make this work that don't even require fancy computers or being online or anything, because that's still an issue. Not everybody you don't want to like require that you have internet access in order to do all this, because all this predates the internet. But anyway, this system is broken and we're just sort of limping along as we go, limping along as we go, but I do think it was so easy to add a freeze to Inovus that I can't imagine why anybody who hasn't taken the time to freeze the other three would not go ahead and do number four, because it does round out the top four and I think that's probably worthwhile, agreed. It was very easy.

1:07:05 - Mikah Sargent
Yeah, I did it while we were talking perfect, nice, nice, um.

1:07:13 - Steve Gibson
adam tyler said hi, steve, I was curious if you or a listener have found a commercial version of the portable dog killer device. He says I'm not really looking for a laser gun, but something that could sit on the fence line to deter a barking dog, ideally automatically activated and a battery design that made sense. Lithium ion with a little solar panel would be sweet, he said. Anyway, love the podcast, glad you're going past 999. I also only had an X slash Twitter account to DM you and am very happy to see you've moved over to email. Regards Adam Tyler. Okay, so Adam is, of course, referring to one of this podcast's favorite past episodes, which we've re-aired a number of times through the years, because it tells a fun story which ends with a moral of the surprising benefits that can arise from being active rather than passive. I first shared that youthful adventure of mine on the occasion of the 50th anniversary of the laser. The device I designed and built when I was in high school was not a laser, though the beam of high-intensity directed sound energy it produced was likely coherent. Now, 12 years ago, back in 2012, when this podcast was only seven years old, I recreated that device after so many of our listeners commented that their neighbor's barking dogs were ruining their lives. Since I didn't have the web forum technology running that I have today, I created a Google group called Portable Sound Blaster for public discussion of this, and I published the final electronic design of the device, which I had created, on a page at GRC naming the project the Quiet Canine. If you're curious, you can find it under GRC's website menu under Other, and down at the bottom is the Quiet Canine. I think you can also just Google the Quiet Canine and it comes right to my page Now. On that page I wrote the good news is that we arrived at an extremely simple, inexpensive and easy to build design for a small, lightweight and painfully loud handheld sound emitter. And then the page shows the design, but then under the caption, the bad news I wrote. Many of these final tqc, as in the quiet canine version 2.2.2 devices were assembled and tested by those following and participating in the portable sound blaster group at Google.

The devices were invariably incredibly it and at much greater distances, but in no event was this able to function as any sort of barking deterrent. Dogs heard it, and at great distance, but they didn't care. We soon came to appreciate that my own original point blank blasting of the original portable dog killer, as I named my first device when I was in high school, was required for the device's effectiveness, no dog next door, let alone down the block, will care about a high-pitched sound. It needs to be blasted directly into the dog's face at a very short distance. Now this means that while this device would not be useful for silencing dogs at a distance, it would likely be extremely useful and effective as a personal defense device for people walking, postal workers on foot delivering mail and joggers who are harassed and threatened by overly aggressive canines on the loose.

Although we cannot and do not offer any specific guarantees, it's difficult to see how any attacking dog would not be stopped in its tracks by a close blast of incredibly loud and high-pitched sound. That's what the website says. So the bottom line is my particular use case, which I described in that story, turned out to be unique. I specifically designed and used that first device back in the early 1970s to train an incredibly aggressive I mean really rabid dog not to jump on the fence which bordered the sidewalk, which was terrifying passersby, causing them to fall off the sidewalk into the street. I saw it happen a number of times and that's what motivated me to basically train the dog not to run at strangers by blasting it in the face several times, point blank when it did that to me, and after a couple days it just kind of peered around the side of the house to see who was there it became, it completely changed its behavior.

But anyway, unfortunately, what we learned was that a lot of people have a problem with dogs barking, and I wish there was a solution for that, but this isn't it. You know, I don't know that there is one, except to try to talk to the dog's owner and unfortunately, many dog owners who have loudly barking dogs are strangely unsympathetic to the complaints of neighbors. So I don't know, I don't have a solution for it. I wish there was one. Sorry, but many of our listeners, due to this story, have occasionally sent me links to commercial devices that do this. They do exist. Unfortunately, based on all the experience of those who built these devices and these things really did they were super loud and they really did work None of them stopped dogs from barking. So I doubt that any of the commercial devices do that.

1:14:09 - Mikah Sargent
Well, they're probably just, you know, weak imitations of what we originally had I want to say I think it depends on the dog, because I have actual experience with um. So when? So when I first moved to California back in 2019, I have two small, small dogs. One is a pure Chihuahua, the other is a Chihuahua-Fox Terrier mix Really small dogs.

And I had in the past when I lived in a home in Missouri where there wasn't anyone attached directly next to me. I could leave them in the home during the day. They would hang out on the sofa, they would eat, they would drink their water, I'd come home, everything would be fine, and I was not cognizant of the fact that being attached to others in this townhome meant that they would hear sounds through the walls that would frighten them and they would bark at them. So I would go off to work and I didn't know this was happening, but they were barking while I was gone. Uh, the way that I found out was I was. I can remember the day, cause it had my anxiety up, cause I got an email from the townhome. Uh, people, and they said, hey, we've had complaints about your dogs barking and I thought, oh, my God, I'm going to get kicked out. This is awful. What am I going to do?

I ordered this little it looks like and it's probably what you've seen. It looks like a little tree house and it was intended to be used outdoors and you like, hang it and here's the dog's bark and it lets out a series of high pitched but they're. The sound that I'm making is not whoops. The sound that I'm making is not whoops. The sound that they make is much different, much higher pitched, and what it's intended to do, on a sort of scientific level, is to disrupt the dog's central nervous system, to cause the dog to take its attention off of whatever is causing it to bark and focus on that instead.

And if that happens enough times, it will break them of the pattern of choosing to bark at whatever they're barking at. That's why some animals or some manufacturers make little devices you wear around the neck they're not shock collars, but they actually put out a spray of citronella and the same thing happens that spray whenever they're barking. They suddenly sniff that it breaks their pattern of paying attention to whatever it was they're barking at. Anyway, all of that's to say it actually did work for my small dogs and I actually in the place that we live. Now we're back in a home that's not attached to other people, but there are on the other side of us. We have neighbors that because there's plants and stuff in the way, the dogs can't see, they can only hear, and so it has been a little frightening for them at first, and so I actually pulled those out of storage, hung them in the yards, and that has significantly reduced the barking as well.

1:17:08 - Steve Gibson
Okay, so your mileage may vary, your mileage may vary.

1:17:11 - Mikah Sargent
yeah, nice, exactly.

1:17:12 - Steve Gibson
I think it depends.

1:17:13 - Mikah Sargent
Yeah, if you've got a big dog that's maybe prone to some aggressiveness and doesn't quite react as quickly to, because I think it depends also. Because I think it depends also, you know, if you've got, if you're more of a prey animal than you are a predator, then those small sounds are going to draw your attention more than if you're a bigger dog. I think.

1:17:32 - Steve Gibson
Yeah, it'll just eat the little tree house.

1:17:34 - Mikah Sargent
Yeah, exactly, I have tree houses like this for breakfast.

1:17:42 - Steve Gibson
I think we should take another break at this point. We'll continue with some feedback afterwards.

1:17:47 - Mikah Sargent
Sounds good. I am very excited to say that our I use this sponsor all the time Episode of Security Now brought to you by Melissa, the data quality expert since 1985. Whether you need the full white glove service or just the nuts and bolts, melissa is the best for your enterprise. White glove service or just the nuts and bolts? Melissa is the best for your enterprise. Melissa now offers transparent pricing for all its services so you can eliminate the guesswork when estimating your business's budget. You can join the 10,000 businesses worldwide that have benefited from Melissa's industry-leading solutions.

You can clean data, which, of course, is crucial to your business operations, and Melissa makes it easy for you to cleanse and standardize your data within popular platforms that you're already using to help improve ROI, optimize business efficiency and elevate the customer experience. Melissa offers integrations and apps and platforms and spreadsheet editors such as Microsoft 365, google Sheets, dynamic 365, esri, stripe and Shopify, so you can improve address data quality to save money and keep customers happy. Improve payment processing and deliverability with clean, standardized data. Keep customer records accurate with out-of-the-box data cleansing tools. And the way that I use it, I go to their website and on their website. Now, the way that I use it, I go to their website and on their website now they have a Melissa lookups portion of the website and anytime I get a call from a weird number. You know, just doing a Google search doesn't usually turn something up, but I can see through Melissa's online lookups platform who it is, what it is or, in many cases, that the number has been disconnected right after they placed the call. So I know it's a robocall.

G2 continues to recognize Melissa as a leader in data quality and address verification for summer 2024. Melissa is committed to the security and privacy of all client data in its care through responsible use. It has a 38-year history of establishing and refining controls to secure data and it's SOCTU, hipaa, hitrust and GDPR compliant. So get started today with 1,000 records cleaned for free at melissacom slash twit. That's melissacom slash twit and we thank Melissa for sponsoring this week's episode of Security. Now I believe we are back and ready to continue on with the wonderful feedback from listeners.

1:20:15 - Steve Gibson
Actually, I just got some feedback by email which was written to securitynow at GRCcom while you were sharing the news about Melissa. Apparently the lesser known Security Bureau links. Many of them are broken. Two are broken. One goes to a Wix page that doesn't go anywhere and another one is a subsidiary of Experian. So you've already got that covered among the top four. So it looks like Craig, who is the co-founder of CyberHoot, will want to click on those links himself and get them fixed up or remove them. I mean, and if you've got something calling itself a credit bureau that's going to a Wix website, I don't think we need to worry about freezing anything there.

And you may not want to give all your personal and private information to those people either.

So, and that was from Joey. I think it was Joey Albert who just sent me email and I just saw yeah, joey Albert. So thank you, joey, for that. And we got everybody informed during the same podcast. Okay, so John wrote hey, steve, I stumbled across this very cool-looking hexadecimal clock, face with ticking hands showing the time in the venerable eunuch's time, and thought you, leo, and the rest of the listeners would love to see it too. Check it out at. And then he's got a URL that I could read, but it's in the show notes and I've got something better coming up. He said all the best to 999 and well beyond, john. Okay, so we've previously encountered this wonderful version of the Unix clock. I'm thinking that I would probably have created a GRC shortcut for it previously. Sure enough, I searched for and found it created almost exactly two years ago, on September 18th of 2022. And the shortcut itself is, not surprisingly, 2038. So go to GRCsc, slash 2038.

Unix time is represented by a 32-bit signed integer, which has been incrementing once per second since midnight of January 1st 1970. In what's known as signed twos complement format. The most significant bit of a number's binary representation is reserved for the number's positive or negative sign with the bit set to one, meaning that the number is negative. Now, this works out naturally when doing two's complement binary math, which is the system used by all contemporary computers. For example, subtracting 10 from 5 should produce negative 5. And that's what happens if negative values have their high bits set. So the system works beautifully. However, unix time could, and arguably should, have been defined as an unsigned 32-bit integer, since it was meant to be used for timekeeping into the future, not the past. But as it is the result of Unix, time, being a signed value means that negative values represent times before 1970, extending back to 1901, which is not highly useful for things like time stamping, database entries and so forth, which is what we use this for. The good news is that all modern Unix-like systems and even some of the Unixes themselves well, all of the Unixes themselves have long ago switched to 64-bit time representations.

But, as we always see, there are surprising corners of technology that are slow to update, so it's entirely foreseeable that there will be some breakage somewhere when we finally get to 2023, 14 years from now, I'm sorry 2038, 2038, 14 years from now. Okay, now, this specific clock sight is very cool and very nerdy and thus, you know, very appealing, since those 32 bits are broken into four 8-bit bytes, with each of the four bytes determining the position of each of the clock's four hands. Since each 8-bit byte can have any one of 256 values, the clock has 256 ticks around its face, and since trouble begins once the high byte represented by the red hand reaches its halfway point, because we're only able to use the positive half of all the values in a 32-bit signed integer when that red hand is pointing straight down, something's going to break somewhere. So this graphic makes it very clear that we're well on our way toward the Unix apocalypse. Now I have to say I would dearly love to still be doing this podcast 14 years from now and to be able to cover and discuss the events of the end of 32-bit Unix time. I'm not sure I'll still be doing this in 14 years, but I would not be surprised if something didn't break. So we'll see what happens.

Norbert shared Baba Verse. Book number five came out on September 5th, so five days ago. The book is titled Not Till we Are Lost. I just wanted to let everybody know the Babaverse series has been a big hit among our listeners, and so Norbert, who said thanks for the podcast. I will say thanks for the notification that there is now a fifth Babaverse book.

1:26:37 - Mikah Sargent
The Babaverse is unique for me in that I very rarely enjoy and I know this is kind of weird among nerds, I very rarely enjoy science fiction, epics or anything like that science fiction books. In general I like science fiction shows, but when it comes to books I typically if I'm going to read fiction it's going to be high fantasy or some sort of fantasy. Bobaverse really hooked me from the get-go and again I was surprised myself and went into it expecting that I wouldn't keep listening to it, and so it caught me off guard and really enjoying it. So I was very pleased when September 5th rolled around and I was able to get the next one. Oh, cool, so you already knew. Yeah, I did, because I had it in my wish list, ready to get it as soon as it was available.

1:27:29 - Steve Gibson
Nice. So I wrote here in the show notes I said the Babaverse books are pretty easy to breeze through, but for anyone who's interested in really sinking their teeth into something that promises to be far more substantial, sinking their teeth into something that promises to be far more substantial our listener, simon Zarafa, sent me a note that one of this podcast's favorite sci-fi authors, none other than the great Peter F Hamilton, is releasing his next novel next week. Now, that's the good news. What may be bad news, depending upon your need to achieve immediate closure, is that this is book number one of a two-part novel series. The good news is there's only two of them In the past, as with, for example, pandora's Star, which left us hanging quite a while for the story's conclusion in Judas Unchained, and later, you know, it was the same with Peter's Dreaming Void series, which had a number of books. You know Peter's famous for laying down a lot and I mean really a lot of foundation in his novels, so that things are really finally, you know, they really get moving just as the first novel ends and it's like oh so you know that may not bother everyone, I get it, but it bugs the crap out of me. So I'm sure I am going to patiently wait for the publication of the series' second and concluding book, because then I'll be able to purchase both books at once, and I'm sure I'll do that in order to read them back-to-back.

The first book's title is Exodus, the Archimedes Engine, and the synopsis probably taken from the back cover of the hardback just to give its reader a sense for what's to come while not being a spoiler. It reads 40,000 years ago, humanity fled a dying Earth. Traveling in massive ark ships, these brave pioneers spread out across the galaxy to find a new home. After traveling thousands of light years, one fleet of ark ships arrived at Centauri, a dense cluster of stars with a vast array of potentially habitable planets. The survivors of Earth signaled to the remaining Ark ships that humanity had finally found its new home among the stars. Thousands of years later, the Centauri cluster has flourished.

The original settlers have evolved into advanced beings known as Celestials and divided themselves into powerful dominions. One of the most influential is the Crown Celestials, an alliance of five great houses that controls vast areas of centauri as ark ships continue to arrive. Right, they remember they were all called by the by now the announcement that we found a great place. So as the ark ships continue to arrive, the remaining humans and their descendants must fight for survival I don't know why, against overwhelming odds, I don't know why, against overwhelming odds, I don't know why or be forced into serving the crown dominion. Okay, so it sounds as though the crown dominion has become old and corrupt and, you know, bad. So this thing says among those yearning for a better life is Finn, who probably becomes the focus of this, for whom Earth is not a memory but merely a footnote from humanity's ancient history. Born on one of the crowned dominion worlds, finn has known nothing but the repressive rule of the celestials, though he dreams of the possibility of boundless space beyond his home when another ark ship from Earth previously.

Okay, so at this point this is not any sort of recommendation, because I haven't read, you know, that first book. I'm certain that I said as I said, I'll read both of them once they both become available. So if anyone listening, I mean it sounds like another fun Hamilton adventure and you know, boy, when Hamilton gets going with a series, they could really be a lot of fun, lots of new, you know, brain-stretching tech in there. So if anyone listening does decide to jump on the first book, knowing that they may be left with a classic Hamilton cliffhanger. Please do send your review to me at securitynowatgrccom and I'll share what you think without any spoilers.

Hadrian said Hi, steve, long time reader, then listener, then viewer. I recently bought Spinrite, not yet needed for recovery, but I now have a burning question. But I now have a burning question. Am I the only one who looks at the raw data display and then suddenly says, hey, I know which file that was? So I got a kick out of Hadrian's note because, though no one else has ever specifically mentioned it that I can recall, I too will often see something I recognize flash past on Spinrite's real-time activities display. Of note is that Spinrite did not always show that.

Back before mass storage drives were able to manage their own defective sectors, spinrite needed to, and did, handle all of that itself. This meant that sectors which were embedded in clusters that had been found to be defective would need to be relocated, then replaced by good clusters. So that region of Spinrite's real-time activities UI page once was used to track all of those changes and show totals, by counts and by bytes, of everything that Spinrite had done in moving things around within the file system in order to knit the file system back together after making those changes. But at some point, once all drives became able to handle defect relocation autonomously although Spinrite would still induce a drive to perform the needed relocation Now that would happen below the level of the file system. That meant that I was able to remove all of that logic from Spinrite. But that also meant that I needed to remove all of the tracking, totaling and displaying of that work, which Spinrite no longer needed to do, and that left a big empty display region in Spinrite's user interface. So I decided to fill that hole with an updating snapshot of the data that was passing by, so Spinrite's user could literally see the data that Spinrite was working on. It's ended up becoming one of Spinrite's more popular user interface features.

So, hadrian, you're not alone in staring at the screen and saying, hey, I know what that was. That just went by. And I should tell you that I bought during the work just last year on Spinrite 6.1, I realized from one of our other testers that it was possible to buy bad drives in bulk from eBay sellers. I thought what? But I thought that was great, I need those. So I bought several boxes of bad drives. They're not very expensive because they're bad. Mostly they're just heavy, so it costs a lot to ship them. But I did that and I'll just say drives you buy from eBay have not been wiped, and so I was, since I needed these bad drives to test Spinrite. I was doing that and you know I would switch to the real-time activity screen and I would see other people's data flashing by on the screen Other people's?

1:36:04 - Mikah Sargent
data flashing by on the screen, other people's data, uh-huh. Oh my, I've seen their data.

1:36:10 - Steve Gibson
Yes, so one of my announced and planned products, which I will be doing not immediately but next to immediately, would that be? What's that next?

1:36:25 - Mikah Sargent
What does that? No, anyway.

1:36:27 - Steve Gibson
Anyway, it's a product that I've already got the trademark on it. I'm ready to go. It's called Beyond Recall and it will be a high-speed secure drive wiping utility which you can use for USB thumb drives or spinning drives that you connect to the computer. Anyway, clearly a need to make secure data removal quick and painless, as I have a feeling it'll be very popular among this podcast listeners.

1:36:58 - Mikah Sargent
Beyond recall, not to be confused with your upcoming freeware to get rid of recall.

1:37:06 - Steve Gibson
Yes, and that's a very good point. I've noted that there is a collision of the name recall and beyond recall, so I like calling something that is a secure drive wiper beyond recall.

1:37:22 - Mikah Sargent
Yeah, that makes sense. Yeah, secure drive wiper beyond recall.

1:37:23 - Steve Gibson
Yeah, that makes sense. Yeah, but so I think once you hear the name that I've got for the recall product, everyone will agree, we got to stick with that one.

The final piece of feedback leads us nicely into this week's topic. The feedback was sent by a UK listener named Laura, who wrote Hi Steve, my name is Laura, from the UK. As I have a master's degree in cybersecurity, I came across this article and hope you would be interested in talking about this, both for me and everyone else. She said I love the show and I'm so glad you're going past 999, as I have a standing appointment with you and Leo and in this case me and Micah every Tuesday evening that no one is allowed to interrupt. And then she says in parens, my ex tried.

Oh no, so don't know if that was the deal breaker with the ex Laura, but okay. So she said I've included the link below. Don't know if that was the deal breaker with the X Laura, but okay. So she said I've included the link below, and this particular link is one to cybersecurity news, and in the URL I can see that it says Rambo attack air gapped systems. So thank you again, laura. Oh, and she also said PS Leo loved the new attic. So she's apparently a video watcher of the podcast, and I don't know what time zone is in the UK. I'm not sure where that would put her, but obviously if she's Tuesday evenings she already has the video available.

1:39:03 - Mikah Sargent
So I don't know what that means relative to us making it tuesday afternoon slash oh, that's gonna be because it's, I think it's like six hours plus well, I guess it's more. Yeah, yeah, they're definitely ahead. Um back when I was in central time, it was six hours ahead of me. Now I'm not in in Central.

1:39:22 - Steve Gibson
Hold on, so it's two or four, or would it be?

1:39:29 - Mikah Sargent
It's 11.41 pm right now in London, so they're plus eight hours 11.41 pm, so that's really late yeah.

1:39:40 - Steve Gibson
Maybe that's what happened to the X.

1:39:42 - Mikah Sargent
Yeah, Maybe Laura watches live and then that way at least it's only until like midnight that she's watching us.

1:39:51 - Steve Gibson
Oh, that would make much more sense, wouldn't it? Yes, yes, yes, yes, of course, in that case hi.

1:39:56 - Mikah Sargent
Laura, happy to read your feedback.

1:40:01 - Steve Gibson
Okay, we're at an hour and a half. Let's take our last break.

1:40:17 - Mikah Sargent
Then we're going to plow into Rambo, solution that can drastically increase your chances of staying safe online. Bitwarden just announced the fifth annual Open Source Security Summit, which will take place on September 26th so just around the corner. This year's headline speakers include security analyst Karen Elazari, journalist-slash-author Kim Zetter and NFL CISO Thomas Maldonado. You can register at bitwardencom slash open dash source dash security dash summit. So that's bitwardencom slash open source security summit, with dashes in between, hyphens in between and learn about the future of open source security solutions. The holidays are quickly approaching and peak security is a must-have for online shopping.

Bitwarden has announced the expansion of inline autofill capabilities within the Bitwarden browser extension, including those cards and identities. That's nice to speed through that. This enhancement benefits all users, enabling a more secure interaction with web forms for payment details, contact info, addresses and more. Bitwarden empowers enterprises, developers and individuals to safely store and share sensitive data. With a transparent, open-source approach to password management, Bitwarden makes it easy for users to extend robust security practices to all of their online experiences. Get started with Bitwarden's free trial of a Teams or Enterprise plan, or get started for free, across all devices, as an individual user at bitwardencom slash twit. That's bitwardencom slash twit. All right back from the break. I'm Micah Sargent subbing in for Leo Laporte this week, and it is time to talk about Rambo with Steve Gibson.

1:42:06 - Steve Gibson
So thank you, micah.

Many of our listeners forwarded news to me of this latest side channel attack, brought to us by none other than another clever researcher at you can probably guess Israel's Ben-Gurion University of the Negev. These guys are the ones who have brought us so many bizarre ways of exfiltrating data from computers through the years that no one would be surprised that we have another one. It was easy to see how much attention this latest bit of research drew from the security press, since the many links I received from our listeners and thank you all, by the way, for sending them. Basically, you all voted for this week's topic by informing me of like hey, steve, did you see this? Did you see this? Did you see this? Yes, they were from widespread security-related publications. Before I dug into what it was all about, I was hoping that the reason for all the attention was not only because the new attack was named Rambo, and I was not disappointed. So I decided that Rambo should be this week's main discussion topic, and also everyone knows that I have a difficult time ignoring access to raw research. The worst case is having to decipher something that some public relations person wrote that doesn't contain any of the really good nitty gritty, good nitty-gritty, but in this case we have 18 pages of pure delicious research written by the researcher himself, mordecai Goury, which explains his new attack in detail. So the abstract of Mordecai's research says air-gapped systems are physically separated from external networks, including the Internet. This isolation is achieved by keeping the air gap computers disconnected from wired or wireless networks, preventing direct or remote communication with other devices or networks.

Air gap measures may be used in sensitive environments where security and isolation are critical to prevent private and confidential information leakage. In this paper we present an attack allowing adversaries to leak information from air-gapped computers. We show that malware on a compromised computer can generate radio signals from memory buses, thus RAM and Rambo. Using software-generated radio signals, malware can encode sensitive information such as files, images, key logging, biometric information and encryption keys. With software-defined radio hardware and a simple off-the-shelf antenna, an attacker can intercept transmitted radio signals from a distance. The signals can then be decoded and translated back into binary information. We discuss the design and implementation and present related work and evaluation results. This paper presents fast modification methods to leak data from air-gapped computers at 1,000 bits per second. Finally, we propose countermeasures to mitigate this out-of-band air gap threat.

Okay now, the first thing I'll note is that, while a thousand bits per second will not allow you to send Windows, or even a Windows update, over the air, a modern, state-of-the-art cryptographic private key is only several kilobits in length. Cryptographic private key is only several kilobits in length, so the keys to the kingdom could be broadcast from just such a compromised machine over and over every few seconds. And since it would just appear as random RF noise, no one would ever be the wiser. And unlike most malicious code whose purpose is readily revealed through inspection, any code that's being used to generate radio signals from memory buses will just be puzzling for any forensics researchers. They'd stare at it and scratch their heads and never have any idea what the heck such code was doing. They couldn't even be certain it was doing anything that was malicious. It wouldn't appear to be doing anything at all, since the designers of this code are using a far-fetched side channel of normal data processing to get their message out of the machine.

The second thing to note is that one of the consequences of today's heavy use of encryption is that we've grown to rely upon it completely. What this means practically is that today we're far less worried about storing our sensitive encrypted data in far more accessible places, such as in the ubiquitous cloud. It's. Who cares if it's in the cloud, it's encrypted, right? Sure thing. That's true Right up until the time someone figures out how to exfiltrate the comparatively tiny secret key that's protecting the otherwise far less secure data. So my point is thanks to the application of cryptography virtually everywhere today, we now concentrate vastly more value into a handful of bits. So, whereas a thousand bits per second cannot be used to transfer a massive database, those few thousand bits are the secret that's protecting a massive database in the cloud. Then a few seconds worth of transmission is all that's needed to crack that database wide open, reminding us that air-gapped and air-gapping exploits have a significant and deep history, mordecai explains. He writes enforcing an air gap in a computing or networking environment involves physically and logically isolating a system, network or device from external networks or communication channels.

This can be done by disconnecting network cables, disabling wireless interfaces and disallowing USB connections. In addition, it must be ensured that the isolated system has no direct link to any external communications infrastructure. Despite air gap networks being considered highly secure, there have been incidents demonstrating that air gap networks are not immune to breaches. Stuxnet is one of the most famous air gapped malware Discovered back in 2010,. Stuxnet was a highly sophisticated worm that targeted industrial control systems, particularly those used in nuclear facilities. It exploited zero-day vulnerabilities and used several methods, including infected USB drives, to jump the air gap and spread across isolated networks. The Agentbtz worm was another type of air gap computer worm with advanced capabilities and targeted type. It was specifically designed to spread through removable media such as USB flash drives and infiltrate computer networks, including those highly secure or air-gapped. According to reports, that worm affected the US Department of Defense classified networks, which is not easy to get into. It did, he said, notably more than 25 reported malware in the past, targeted highly secured and air-gapped networks, including USB Stealer. Agent BTZ, stuxnet, fanny, mini, flame, flame, gauss Project, sauron, easy Cheese, emotional, simeon, usb Thief, usb Fairy, retro and Ramsey. So plenty of them.

And then Mordecai discusses his new air-gapped attack. He writes in order to exfiltrate information from an infected air-gapped computer, attackers use special communication channels known as air-gap covert channels. There are several types of covert channels studied in the past 20 years. These attacks leak data through electromagnetic emission, optical signals, you know, like leds, blinking, acoustic noise, like changing the the, the noise of the fan of the computer. Uh, thermal changes, actually like ramping the CPU up, which generates more heat. Now those are extremely low data rate changes, but they are changes and he says, even physical vibrations. In this paper we show how malware can manipulate RAM to generate radio signals at clock frequencies. These signals are modified and encoded in a particular encoding allowing them to be received from a distance away. I'm actually going to focus on the encoding, but that's the really cool part of this. He says the attacker can encode sensitive information key logging documents, images, biometric information, et cetera and specifically secret keys, and exfiltrate it via these radio signals. An attacker with appropriate hardware can receive the electromagnetic signals, demodulate and decode the data and retrieve the exfiltrated information.

Attacks on air gap networks involve multi-phase strategies to breach isolated systems by delivering specialized malware through physical media or insider agents, imitating malware execution, propagating within the network, exfiltrating data using covert channels or compromised removable media, establishing remote command and control, evading detection and covering tracks. And finally, in the context of the Rambo attack, he says the adversary must infect the air gap network. In the initial phase. This can be done via a variety of attack vectors. An attacker could plant malware on a USB drive and physically introduce it into an air gap network. An unsuspecting insider or employee might connect the USB drive to a computer within the isolated network, unknowingly, activating the malware and allowing it to propagate and exfiltrate data through the same USB drive or via covert channels. An insider with access to the air gap network might intentionally introduce malware or provide unauthorized access to external parties. This could involve transferring sensitive data to personal devices using covert communication methods like stetonography to hide data within innocent-looking files. An attacker could also compromise hardware components or software updates during the supply chain process.

I'll interrupt to note that the particular power of this attack is the degree to which its effects would be unsuspected and undetected. I mean, the computer is working fine, right, but you know, and it's not connected to anything, nothing is going out. So an adversary, for example, might introduce their Rambo-enabled malware into a device driver that's known to be used and needed by the targeted system. Since no one would ever imagine that a device driver update could suddenly turn a PC into a covert short-range transmitter, the updated drivers might be delivered as part of a very careful and very clean offline CD or DVD carried update. In other words, you can't infect a CD or DVD and that's all that would be required. Mordecai continues once these components are installed within the air gap network, hidden malware might activate and communicate with external parties. Note that APTs advanced persistent threats in the past have targeted highly secured and air gap networks. Recently, in August of 2023, researchers at Kaspersky discovered another new malware and attributed it to the cyber espionage group APT31, which targets air-gapped and isolated networks via infected USB drives. So that's still going on.

In the second phase of the attack, the attacker collects information key logging files, other files, passwords, biometric data and so on and exfiltrates it via the air gap covert channel. In our case, he writes, the malware utilizes electromagnetic emissions from the RAM to can receive the information, demodulate it, decode it into its original binary or textual representation. Okay for the actual generation of the Rambo RF signals. He explains. When data is transferred through a RAM bus, it involves rapid voltage and current changes, mainly in the data bus. These voltage transitions create electromagnetic fields which can radiate electromagnetic energy through electromagnetic interference EMI, or radiofrequency interference RFI. The radio frequency range of the electromagnetic emanation from the RAM bus mainly depends on its specific clock speed, measured in megahertz or gigahertz. This clock indicates how quickly data can be transferred between the CPU and memory. The emanation levels are influenced by other bus characteristics, including its data width, clock speed and overall architecture. Faster RAM buses, such as DDR4 and DDR5, having wider data paths, can lead to quicker data transfers with increased emissions. He said. When data is read from or written to memory, electrical currents flow through the RAM chips and the associated traces on the printed circuit board. These electrical currents generate electromagnetic fields as a byproduct, which radiates electromagnetic energy.

To create an electromagnetic covert channel, the transmitter needs to modulate memory access patterns in a way that corresponds to binary data. For instance, they could alter the timing or frequency of memory access operations to encode information. The sender and receiver must establish rules that define how memory access patterns translate to binary values. For example, reading or writing an array to the physical memory at a specific timing interval might represent a zero, while another interval represents a one. The receiver detects and decodes the EM emissions caused by the modulated memory activity. This could involve sensitive radio frequency receivers or electromagnetic field sensors. Okay, so he says one algorithm used, ook, which is his abbreviation for on-off keying modulation. On-off keying modulation, he says a basic form of digital modulation used in communication systems to transmit data over a carrier wave, in our case, the OOK modulation involves turning the carrier wave on and off to represent binary data. Where the presence of the carrier wave generated by memory activity corresponds to one binary state a 1,. The absence of the electromagnetic carrier wave corresponds to another binary state 0.

Note that to maintain the activity in the RAM buses we used the MOV-NTI instruction, which is an Intel instruction, which stands for Move Non-Temporal Integer. It performs a non-temporal store of integer data from a source operand to a destination memory location. This instruction is primarily associated with optimizing memory operations for certain types of data transfers, particularly in cases where the data is not to be reused immediately. For the beginning of the transmission, we use the preamble sequence 01010101, allowing the receiver to be synchronized with a transmitter. And I'll just interject to say that essentially, what they discovered was that that particular instruction, move NTI, generates the most noise. They found a specific Intel instruction that was a noisy instruction in terms of the amount of radiation it produced.

And he finishes saying for the fast transmission we used Manchester encoding. In this encoding, each bit of the binary data is represented by a transition or change in signal level within a fixed period. Manchester encoding ensures a constant number of signal transitions, making it useful for clock synchronization and error detection. Okay, now I smiled when I saw that Mordecai had chosen to use Manchester-encoded signaling, since it's extremely simple and straightforward and it's likely the best solution for his need. Manchester encoding is actually still in wide use today due to its simplicity and robustness, though it dates back to 1948, where it was invented and first used to store and retrieve data on the magnetic storage drum for the University of Manchester's Mark I digital computer. So this thing's been around for a while. Because Manchester encoding provides such an elegant solution to a common problem it's so common in fact, as I noted, it's still being used today. For example, it's the way our consumer IR remote controls send their data to our television sets and stereos, and even RFID tags use Manchester encoding. And since it provides another interesting dip into pure communications engineering and abstract computer science, I want to take some time to explain how it works.

The problem Manchester encoding beautifully solves is known as clocking. If you have a single bit channel, as with Rambo, where we have a radio signal that's either on or off, or a wire that's either carrying a current or not, you know the current's being switched on and off or a remote control's infrared LED that's either on or off. A significant problem arises when a long series of some numbers of ones or zeros occurs in a sequence, because the question quickly becomes exactly how many zeros or ones was that? If some time passes without anything happening for example the radio is off or on for a while how is the receiver to know precisely how many bits were just transmitted? If the sender and the receiver both had perfectly and exactly equal knowledge of time passage, it would theoretically be possible to just count the elapsed time between a change from on to off or off to on, then divide that time by the time per bit to determine exactly how many bit times had elapsed. The guys at Manchester may have initially tried that back in 1948, but in their case slight variations in the speed of their drum storage rotation rate would have quickly shown them that they needed some system that would be far more tolerant of slight timing variations. And even today two clocks are never precisely synchronized, nor are they ever running at precisely the same rate. Communications designers have solved this problem by creating systems known as self-clocking encoding. Self-clocking encoding systems ensure that something always happens, often enough for the receiving end to stay synchronized with the sending end, even if their timing is not precise. And Manchester encoding, first used 76 years ago, does exactly that. Here's how it works. Exactly that. Here's how it works.

The key to understanding any encoding is to recognize that the signal is no longer the data. Mordecai mentioned simple on-off keying, which is an unencoded system. With simple on-off keying, the signal is the data. But that's where we run into trouble if many zeros or ones are sent in an uninterrupted sequence. So any encoding that we employ breaks this simple relationship between the signal and the data that the signal is intending to send.

Okay, to talk about this, we'll refer to the signal as being low or high, whereas the data bits are a zero or a one. So low or high in the case of Rambo would mean the RAM transmission is either on or off. The transmitter is sending or it's not off. The transmitter is sending or it's not. A one data bit is encoded as a low, followed by a high, whereas a zero bit is encoded as a high followed by a low. In other words, rambo transmits a one bit by having its RAM transmitter first not transmitting anything, then having it transmit, and it sends a zero by having its RAM transmitter first transmitting a signal, then switching it off and not sending any signal.

The best way to think of this is that in Manchester, encoding a one bit is encoded as a transition from low to high, whereas a zero bit is encoded as a transition from high to low. This means that a so-called bit cell, which is the period of a single data bit, always contains two opposite states, both a low and a high, and the direction of the transition between those two states is the bit cell's data a 0 or a 1. If the bit cell contains a transition from low to high radio off to radio on that's Rambo sending a 1. And if the bit cell contains a transition from high to low, that's Rambo sending a 0.

Okay now, if you think about this for a second, you'll see we have a problem. In order to send a pair of 1s we need to have back-to-back low-to-high transitions, in other words, rambo radio off to Rambo, radio on transitions. But at the end of that first bit the radio will already be on and the next 1 we're sending requires the radio to start by being off. We solve this problem by completely ignoring any inter-bit cell transitions, in other words only the transitions occurring in the middle of a bit cell carries any data, the transitions occurring in between are ignored. Okay, so now, assuming that you've been following along, you're wondering how the receiver can tell the difference between the data transitions occurring in the middle of the bit cells and the transitions we're supposed to ignore, which may or may not occur in between the bit cells in order to get ready for the next bit.

Manchester encoding provides the answer, because every bit cell must always contain a transition, whereas there may or may not be a transition in between two bit cells. Now, if you doodle with a piece of paper, with a pencil and paper for a bit, you'll quickly see that any receiver can perfectly lock onto the location of the bit cells the very first time a transition is missing. Since that can only be the period in between bit cells, that means that the next transition must be in the exact center of a bit cell as far as the transmitter is concerned, of a bit cell as far as the transmitter is concerned. So if the receiver knows only approximately the rate at which the transmitter is sending bits, that's now sufficient to allow it to judge whether an inter-cell transition opportunity has passed and when the next guaranteed to always be present transition occurs and when that happens, the receiver updates its self-clocking lock, which prepares it to judge whether the next transition occurs quickly meaning that it's an inter-cell transition or not, until it's expecting the next data bit transition.

This simple system works so well that it was used in the earliest Ethernet physical layer standards and, as I mentioned earlier, is still used today by consumer home entertainment, infrared, remote controls, as well as RFID and near field communications. Mordecai had considered both simple on off keying and Manchester encoding, he wrote. Our analysis shows that the Manchester encoding is more relevant for the requirements of the Rambo covert channel due to two main reasons. One, the encoding aids in clock synchronization between the sender and receiver and, to the frequent transitions, make it easier to detect errors caused by signal loss, interference or distortion. However, it's important to note that Manchester encoding doubles the required bandwidth compared to direct on-off binary encoding, as each bit requires two signal states within the bit interval.

Okay, so how did all this turn out? Key logging, he wrote, can be exfiltrated in real time, since Unicode is only 16 bits per keystroke. A 4096-bit RSA encryption key the keys to the kingdom that you don't ever want to get loose can be exfiltrated in 4.096 seconds. And biometric information and small files, as his JPEGs and small documents require a few seconds at the system's fast speeds. They conclude, quote this indicates that the Rambo covert channel can be used to leak relatively brief information over a short period, and they were also able to receive this information.

Get this at a distance of up to 700 centimeters. For those of us who grew up using the imperial system of measurement, as I did, 700 centimeters is 23 feet, so this is useful and impressive. And for those who remember the days of using the Pringle can to get increased Wi-Fi range, I would imagine that if you got yourself a well-tuned and well-aimed Pringles can, you might be able to significantly improve on that performance distance. For at least this first round of research they seemed less focused upon distance than feasibility. They've certainly shown that their Rambo system is feasible.

It's been known for a long time that electronic devices generate and radiate electromagnetic interference while they're in use. The somewhat strained acronym TEMPEST stands for Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions. So tempest-hardened devices are those which incorporate specific countermeasures designed to block or mask any useful information-carrying emanations from electronic equipment disconnected from any traditional form of data communications will have also been shielded so that none of the noise generated by the system's motherboard is able to find its way into the surrounding environment. It would be necessary, of course, to first infect that machine with Rambo technology malware, but if that could be accomplished, any otherwise unprotected machine could be turned into a Rambo transmitter.

2:14:30 - Mikah Sargent
Wow, this is what I have to say about all of this. I was able to follow along with every bit of this and that is what I really appreciate is that I actually got what was going on here and was able to piece it together. So I always appreciate that about what you do, because, as much as sometimes this security research can seem to go over one's head, you really did a great job with explaining what is going on here and I just I think it's amazing. We talked earlier about the person who made the fence right and wanting to get into the heads of the person, or the people who made that fence with the hole in it shaped like an apple. I want to know what was going on that they were able to what was it?

Mordecai, uh yeah, mordecai was able to even come up with this idea. Was he sitting there? Was mordecai sitting there? It was like I wonder if I keep this antenna next to the, you know the device and I'm looking at the rf signals coming by and then you isolate those rf signals, or if it was like I'm thinking about ram one day and then I think maybe we could do something. It's just so cool just to conceive of this stuff. It's amazing.

2:15:50 - Steve Gibson
Yeah, it is really fun.

2:15:53 - Mikah Sargent
Wow, wow. This is what you get when you tune in every week to Security. Now at twittv, slash SN. That is one place that you can go to get the show, subscribe to it in audio and video formats. You can also head over to Steve's website, grccom, where you can get the show as well as human written transcripts a rare thing in this AI world. Very awesome to have those at GRCcom. I always think about that whenever I'm cutting in. I'm going okay, this is going to be different from the notes that Steve has, so we'll have to pay attention to that part of the transcript Done by Elaine Ferris, if I remember correctly, who is not a person who puts shoes on horses. I also learned that.

She's not a farrier, you are correct. For some reason I thought she was a farrier. Of course you should head over to GRCcom and get your own copy of Spin Right, so you can also buy drives on eBay and watch weird things fly by, or you know fix your own drives Other people's scary data yeah. Anything we're missing there, Steve, that you want people to know about?

2:17:09 - Steve Gibson
I think you got it. Just remember that I've got an email list and you can get all of this in advance of the show. I received a piece of feedback from someone this morning who did receive it. He said hey, you know, it would be more useful if you didn't send these out until after the show was available, and I guess he was excited and he wanted to listen to it immediately and it's like well, OK, but everybody else likes getting them as soon as they can.

So yeah, I think you know and it's not like I'm including links that are broken to the, to the audio or video. I'm just saying here are the notes for the that's I'm about to record.

2:17:44 - Mikah Sargent
So anyway, I'm going to keep doing that, so you can sign up to GRC's email list.

2:17:49 - Steve Gibson
There's a little envelope at the top of of GRCcom. Click it, provide your email address, confirm it and then you can. You don't have to join any lists, but if you at least join the security Now list, you'll get the show notes on Tuesday mornings before we record this.

2:18:05 - Mikah Sargent
Absolutely, so be sure to head there, check it out, and I would also like to invite you all to join Club Twit if you are not currently members of Club Twit. Twittv slash Club Twit. If you head there, it's $7 a month for our subscription. Our subscription and joining it gets you access to ad free versions of all of our shows, plus access to the twit plus bonus feed that has extra content you won't find anywhere else. Behind the scenes before the show, after the show, special club twit events get published there. You also get to check out the club twit discord, a fun place to go to chat with your fellow club twit members and also those of us here at twit, and, of course, access to the video versions of many of our shows uh, our club twit exclusive shows, including ios today, hands on mac and more so head there. Twittv slash club twit steve. Thank you so much for your time once again, and you've got something.

2:19:02 - Steve Gibson
I got my finger up because I want, just want to let everybody know we have you one more week. You'll be back with us next week covering the latter part of Leo's trip, and so I look forward to another couple hours with you, micah, absolutely.

2:19:16 - Mikah Sargent
I look forward to it myself. Thanks so much, steve. See ya, bye everybody. 

All Transcripts posts