Security Now Episode 873 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. Lots to talk about: Australia's ridiculous digital driver's license, which is completely insecure. Then you'll hear the details of a zero-day in Microsoft Office that Microsoft denies, and then we'll talk about DuckDuckGo and the controversy surrounding the Microsoft tracking built in. Steve breaks it down. It's all ahead, next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 873, recorded Tuesday, May 31st, 2022: Duck Duck Gone. Security Now is brought to you by Melissa. Make sure your customer contact data is up to date. Try Melissa's APIs in the developer portal. It's easy to log on, sign up and start playing in the API sandbox 24/7. Get started today with 1,000 records cleaned for free at melissa.com/twit. And by Zentry Security. Remote work is here to stay. Zentry Security's
Leo Laporte / Steve Gibson (00:01:14):
Zero Trust Private Access solution is a modern, cloud-hosted alternative to a VPN. Enhance your security posture today. Try Zentry Trusted Access with a 30-day free trial by visiting zentrysecurity.com/twit. And by Kolide: get endpoint management that puts the user first. Visit kolide.com/securitynow to learn more and activate a 14-day free trial today, no credit card required. It's time for Security Now, the show where we protect your security and your privacy online, thanks to the good offices of Mr. Steve Gibson, the man at GRC. Hello, Steve. Hello, Leo. Good to see you. Great to be with you again this last day of May. I meant to squeeze in last week that it was our penultimate episode, penultimate of the month. You just like to use that word, don't you? <laugh> Well, now that I know what it means, it comes in handy.
Leo Laporte / Steve Gibson (00:02:16):
Very handy. Yeah, yeah, yeah. So, okay. The winner of the most-tweeted "What do you think about this, Steve?" question was: what's this about DuckDuckGo? Oh yeah, like doing some sneaky business behind the scenes, under the covers, out the back door, whatever. Turns out it's probably not such a big deal, although, well, one could argue they just screwed up the communications. That's the big deal. They should have told us. If they want to be a privacy browser, you've got to tell us that you're letting Microsoft track us. Yes. In fact, it reminded me so much of what was behind my original, you know, how I used to say that I coined the term spyware, because I found some on my computer before there was that term. Aureate was the name. Oh yeah.
Leo Laporte / Steve Gibson (00:03:15):
And they were, wow, there's a blast from the past. Oh my God. And it was not a good thing, but it wasn't really that bad, except that it was a secret. And so when people learned that this had been going on behind their backs, it was much more the fact that it felt sneaky and wrong. Right. Well, it's like this catastrophe in Texas where the sheriffs got the facts so wrong in the beginning that now everyone's like, well, what really happened? Right. You keep changing your story, so nobody knows. Right. Anyway, we're going to talk about that. As a consequence, this episode is titled Duck Duck Gone. <laugh> But we're going to first examine the difficult-to-believe-in-2022 design of Australia's New South Wales digital driver's license, which was sold to the public as being quite difficult to counterfeit.
Leo Laporte / Steve Gibson (00:04:20):
It's just the perfect topic for this podcast, because it is so bad. It's just unbelievable, like some bureaucrat's nephew designed it or something. He said, here, you know, design a digital wallet or a digital driver's license. It is so bad. Anyway, we're going to look at that. Then we're going to examine the latest, and unfortunately once again fumbled, extremely pervasive Microsoft Office zero-day remote code execution vulnerability, which, if I didn't already say this, is really bad. We'll look at the first instance of remote touchscreen manipulation, spoofing touches on a touchscreen without actually touching the screen. They've done that now. And also Vodafone and Deutsche Telekom's difficult-to-believe, yet already being piloted, plan to further monetize their customers by somehow, and how is a real question we'll get into, injecting persistent supercookies into their customers' connections at the carrier level.
Leo Laporte / Steve Gibson (00:05:43):
Then, after sharing some feedback from our terrific listeners, we'll dig into the discovery, as I had mentioned, that the DuckDuckGo privacy browser, of course it's called that, apparently carved out a privacy exception for Microsoft. So fascinating. I think another great podcast for our listeners. And we do have a picture of the week that any coder will appreciate. <laugh> All right. Before we get to that, let's talk about our sponsor for this segment of Security Now, a name you by now, I hope, know if you've been listening to the show: Melissa. Melissa, you know, we always talk about them as the address experts. Really it's about data quality, right? Poor data quality costs organizations an average of $15 million a year, and the longer poor quality data stays in your system, the more losses you accumulate. So to ensure your business is successful, your customer information needs to be accurate.
Leo Laporte / Steve Gibson (00:06:43):
And that's what Melissa does. They're a leading provider of global data quality and address management solutions. There's another side to accurate data: customer service. If you address someone with the wrong name, or you verify the wrong address, oh, you live in Peoria, Illinois? No, Poughkeepsie, New York. You know, now you've lost, just like you were saying, Steve, you've lost their confidence. And especially if you're already dealing with a frustrated customer, things can get pretty awkward. Now I think you know Melissa's identity solutions. Melissa's real-time identity verification service includes identity, ID and document verification. It's more than just address completion: identity verification, age authentication, global watchlist screening to establish the identity of a customer or satisfy AML or KYC compliance. You can easily tailor the service to your specific signup process and risk management requirements.
Leo Laporte / Steve Gibson (00:07:45):
So you can ensure fast onboarding or e-commerce checkout while still protecting your organization against fraud and adhering to your compliance requirements. You know, compliance has gotten more and more arduous, especially if you're international. With Melissa, you reduce risk, you ensure compliance, you keep customers happy, and you protect your data. With 2.1 billion clean, validated records, you can ensure compliance in the areas of anti-money laundering (AML), politically exposed persons (PEP), and the Bank Secrecy Act (BSA). You can score and target customers with detailed demographic and firmographic data appends. You can complete customer records, add missing names, addresses, phone numbers and email addresses, and correct those that have changed or are mistyped. And of course, Melissa treats your data with absolute security. They undergo continuous independent security audits. They are SOC 2 compliant, fully HIPAA and GDPR compliant. So you don't ever have to worry that your data is in untrustworthy hands.
Leo Laporte / Steve Gibson (00:08:54):
You can trust Melissa, the address experts. Their global address verification service verifies addresses for 240-plus countries and territories, and they can do it in real time at the point of entry, thanks to their amazing API. Actually, there are a variety of ways you can use it. Data matching with Melissa: eliminate duplicates, increase the accuracy of your database, reduce mailing costs to addresses that don't exist or duplicate mailings to the same customer. You can do it in batches, batch address cleaning. In fact, they have a secure FTP site you can upload a list to and download the cleaned list. There's identity verification, which may be very important for your compliance requirements, geocoding, enrichments. They can convert addresses into latitude and longitude coordinates down to the meter. Email verification will remove 95% of bad email addresses from your database. They have apps now on iOS and Android.
Leo Laporte / Steve Gibson (00:09:48):
You might want to check out the Lookups app, Android and iOS, which will let you search names, addresses and more at your fingertips. And again, you can deploy it as SaaS, as an API, or on-prem. It's your choice. Melissa's available in all those forms and more. So, bottom line, make sure your customer contact data is up to date. Try Melissa's APIs in the developer portal. You'll be impressed. It's easy to log on, sign up and start playing in the API sandbox 24/7. And we'll get you started with 1,000 records cleaned free when you go to melissa.com/twit. Melissa, M-E-L-I-S-S-A, melissa.com/twit. We thank them so much for all they do to keep our data clean and for supporting Security Now. We thank you for supporting Security Now, and you do that when you go to that address so they know you saw it here: melissa.com/twit.
Leo Laporte / Steve Gibson (00:10:43):
Steve. So, our picture of the week is a three-frame cartoon, and I gave it the title "Been There", because, yeah. The first frame shows a happy coder. He's tap, tap, tapping away on his keyboard, big smile on his face, and all's going well. Second frame, he kind of pushes away from his computer, leans back in his chair, same big smile on his face, and we see him saying, "Perfect, I'll finish this on Monday," looking at the code that he's just written. Last frame of the cartoon, Monday morning. Well, the chair's been knocked over. He's grabbed his computer and he's shaking it in the air, saying, "What does this mean?" Meaning that, yes, over the weekend he lost the flow. He lost the mindset. He lost the context. That code that made perfect sense to him Friday evening when he finished?
Leo Laporte / Steve Gibson (00:11:53):
Yep. Not quite sure what it does Monday morning, or five minutes later, frankly. Well, and, you know, I've referred to this through the years. My own term for it, I call it switching cost. <affirmative> For me, there's a significant cost associated with switching from one project to another. And over the years, you know, with the wisdom of age, I've grown to appreciate that. And in fact, what I have been doing for the last maybe week has been going back into SpinRite's source and carefully documenting why I did the things that I did, because, as is always the case, and I'm sure anyone who's done much coding knows this, when you first write the code, you create comment blocks and you explain your theory and so forth, and then something doesn't work.
Leo Laporte / Steve Gibson (00:13:01):
Right? So you go, oh, okay, let me just try this. And so you make a change and, oh, it works, but then something else needs fixing somewhere else. So you go over there and you work on that. And so what inevitably happens is you're jumping around in the code, often trying things for the moment to see if this is going to do it or not. Now, of course, this may be more specific to SpinRite, because in this instance I've got, I don't know, a hundred people testing the code against hardware, sending back feedback about, yes, that fixed the problem, or no, that didn't. And I say, okay, let's try this again. I mean, so it's hugely dynamic and interactive. But what inevitably happens is, and what did happen, was I ended up with code which works perfectly for everybody in every instance.
Leo Laporte / Steve Gibson (00:13:58):
And I'm very proud of it. Well, at this moment in time, I still know what it is. I know what it does. I know why I made those changes. From experience, I absolutely know that six months from now, or whenever it is that I have to come back to it, I will have no idea what it is. I mean, and it's weird to say that, because at this moment I embody that code. I know what every single line does, why there's some weird exception here that does something funky, you know, and why it was necessary. And so it's difficult to imagine that at some point in the future I am going to be a different person who looks at that and goes, what the <laugh>, what the heck. So what I've learned is that right now is the time to capture the knowledge that I have before I switch.
Leo Laporte / Steve Gibson (00:15:04):
Because I'm about to, as I've talked about, switch to working on the back end of this, which uses all that code, but through a layer of abstraction, specifically to insulate the back end, or I guess, wait, the front end, rather, the front end that uses the code on the back end. You know, you can't even remember which end the code comes out. <laugh> Ha. Anyway, I love that somebody created a cartoon for this, because yes, it does capture the essence of it. I think the reason coders like us love to code is that it really can tax our brain more than anything else. As much as I can give it, it will take, and I love that about it, but, you know, it'll take it back if you're not careful to hold onto it. This is why, as I get older, I like functional code better and better.
Leo Laporte / Steve Gibson (00:16:06):
Because you write small routines that always produce the same result. You know, when the same stuff goes in, the same stuff comes out. You can document it. Lisp is nice because you can have a docstring; I guess you could do that in Python too, where the second line of the function says, this is what this function does. And even if I don't understand why the function works, I've tested it. I know it works. I know it does what it says it'll do. So I know that component. And that's, I guess, the same idea behind encapsulation in object-oriented coding: once you make an object, it's a black box, and you don't have to remember how it works as long as you know, and can trust, that it works, right? Yeah. But you're doing it in assembly. I don't even know how you <laugh>.
Leo Laporte / Steve Gibson (00:16:46):
You could, I guess you could write in that style in assembly. People do. And actually, as has often been observed, my assembly code looks much more like a high-level language than most assembly code I see. You use macro code. Well, yes, I use macros, and also Microsoft's macro assembler has if, then, else, loop, while. I mean, it's got high-level language control flow constructs. They have zero overhead. That is, the if is just a branch instruction, but it will intelligently build an expression for doing compound testing in a single line. So I've seen other people's assembly that is just opcodes running down the left-hand margin of the page. That's a recipe for disaster. Yeah. And you just look at it and it's like, what is this?
Leo Laporte / Steve Gibson (00:17:54):
I mean, it's ugly looking. Who could be proud of that? Yeah. But some jocks think that, you know, hey, it works, man. It works. <laugh> Well, that's why. Yeah. See, and that's exactly it. I think sometimes older coders probably are better, not just from experience, but because they can't trust themselves to remember the complex spaghetti that they wrote. So they have to rely on, they've learned not to. Yeah. Yeah. So anyway, love that cartoon. Okay. So get a load of this. This piece was stiff competition for this week's main story, but as I said, it lost out to an explanation of what was discovered about the operation of DuckDuckGo's privacy browser. So I decided to lead with this one as the runner-up, because, wow, it's just perfect for this podcast. A penetration testing and secure app development group known as Dvuln recently took a close look at the somewhat new,
Leo Laporte / Steve Gibson (00:19:04):
it was released in 2019, so three years ago, New South Wales government's digital driver's license, DDL, and, <laugh> putting it mildly, they found its security to be wanting. They documented the system's various troubles in a blog posting which was titled, it's Service NSW, you know, NSW, New South Wales, "Service NSW's digital driver's license security appears to be super bad." <laugh> So, okay, to set the stage, they explain in their posting: In November 2019, the New South Wales government, Service NSW, introduced the digital driver's license, or DDL for short, as a means to make it easy for people to access a digital version of their driver's license. Upon the launch of Service NSW's digital driver's license, there were multiple security researchers who publicly reported a number of security issues, including but not limited to the ability to manipulate digital license data and create fraudulent digital identities.
Leo Laporte / Steve Gibson (00:20:30):
What? <laugh> They said: As far as we can see, there appears to be no formal public response from Service NSW regarding the acknowledgement or remediation of these issues. As of February 2022, according to the Minister for Customer Service, there have been 3.9 million people who have opted in for the digital driver's license. To put this into perspective, we can assume around 70% of people in New South Wales use and trust the digital driver's license as a means of identification and verification in their day-to-day lives. Meaning that 3.9 million people is 70% of the population of New South Wales covered by this DDL. They said: During Dvuln's analysis of the Service NSW mobile application, it's for iOS, we discovered that due to the existence of several security design flaws, it is still possible, meaning today, for malicious users to generate fraudulent digital driver's licenses with minimal effort on both jailbroken and non-jailbroken devices, without the need to modify or repackage the mobile application itself.
Leo Laporte / Steve Gibson (00:22:11):
So of course that would be one thing, right? To create a fake digital driver's license app which could show anything you wanted to show. But no, you don't have to do that. Use the real app and just change the data, and it doesn't care. Okay. So, <laugh> back in 2019, not long after this DDL, the digital driver's license, first appeared, during a security conference a security researcher, as part of his conference presentation on the larger topic of digital identity security, demonstrated to the audience, in public, his ability to modify this New South Wales digital driver's license's details locally on his mobile device, causing it to display false information. And displaying accurate information is the whole point, because, you know, you'd like to show your phone to somebody and they go, okay, yeah, that's you, and, oh look, you're 21 years old, go ahead.
Leo Laporte / Steve Gibson (00:23:19):
You know, buy alcohol, go into the club, whatever. And although during his talk he mentioned that he had reported these troubles to Service NSW, you know, the New South Wales government, there were no apparent public updates on the matter since then. So it's unclear whether these bugs were considered an accepted risk, which, okay, this is 2022, everybody, that's insane if that's the case, or if any sort of remediation was ever attempted by the presiding government. So now we jump forward three years to 2022, where there are rumors circulating regarding underage people using false digital licenses. Ugh. No, you know, underage kids could be spoofing their digital identities. No. The Dvuln posting contained an authentic-appearing Twitter posting made on November 25th, 2021, where the poster is annoyed that a bouncer at a club denied access to an 18-year-old when others using fake digital licenses are apparently regularly admitted.
Leo Laporte / Steve Gibson (00:24:43):
I have the tweet in the show notes for anyone who's interested. This was posted by Sydney 2100, that's the Twitter name, and it was sent to the atten hotel, and the tweet reads: "18 year old went there last night with three forms of ID and you wouldn't let him in because you don't count a physical New South Wales driver license as valid ID. Really? I know 10 kids that you let in regularly with fake digital licenses because they are easy to make. No idea." Meaning, you know, you have no idea what you're doing. So apparently this 18-year-old had a physical, real-world, old-school plastic New South Wales driver's license, and the guy said no. And actually, Leo, completely off topic, I may have mentioned this before, it seems familiar, that Lorrie and I were renting a car, I don't know, a couple months ago, to move some stuff out of her parents' condo in LA.
Leo Laporte / Steve Gibson (00:26:07):
So we got the biggest, it was a Yukon or something, thing that we could rent. And it turns out in order to do that, I had to have a banking application on my phone which showed my name. And I mean, I had a driver's license. I think I may have even had my passport with me. I had a wallet full of credit cards. You needed this Hawaiian driver's license for McLovin. If you'd had this, everything would've been simple. Unbelievable. I actually said to this young gal at the terminal, she said, oh, we need one, like, everything was fine, she said, we need one more thing. You need to show me a banking app, like, you know, Chase or whatever, Visa or something, for your account with your name on it.
Leo Laporte / Steve Gibson (00:27:09):
They didn't tell you that ahead of time? That's bizarre. No, they didn't tell me ahead of time. It was apparently new. And as it happened, I have an account with Chase, but I didn't have their app. So I had to install it. Oh, Chase login. Then I had to go to LastPass and get LastPass to log me in to Chase. I was like, oh my. Anyway, the point is, apparently now we're believing digital over, that's bizarre, real-world, old-school, physical. Anyway. Wow. Okay. So that's good to know. I'll make sure to keep my banking app on my phone. Yeah. And it's funny too, because, oh, actually she finally just said, okay, never mind.
Leo Laporte / Steve Gibson (00:27:56):
I was making such a valiant effort to do this, and kept getting stuck, for reasons that my own security was getting in the way. She said, okay, never mind, for crying out loud. So as we're walking, you must be Steve Gibson <laugh>, as we're walking to the car, she says, you know, and I'm saying to her, I said, well, I guess I'm just old, and that's why I don't do banking on my phone. Like, ever. I'm not going to do banking on my phone. And she says, yeah, well, you are old, because she said everybody I know has banking apps on their phones. Yeah. And I said, well, okay. Yeah, yeah, yeah. Okay. So, not having seen the IDs themselves that this particular tweet and what the guys were referring to,
Leo Laporte / Steve Gibson (00:28:51):
the Dvuln guys wrote about this Twitter posting. They said: We cannot confirm whether or not they were exploiting the poor security design or similarly using a static photoshopped image. Because, again, if you're just showing a screenshot, it could be faked, right? You just Photoshop what this digital ID is showing, and that's what you present. So there are clearly problems with the whole concept; there are so many ways you could do a digital ID incorrectly. So anyway, they say: At the same time, due to ease of exploitation, it is entirely possible that these kids were using the same method detailed in this blog. Okay. So the Dvuln guys quoted one of the security claims made about the new digital driver's licenses, saying: According to a press release from the New South Wales government, the digital driver's license implemented is hosted securely on the new Service NSW app, locked with a PIN, and can be accessed offline, and will provide additional levels of security and protection against identity fraud compared to the plastic driver's license. <laugh> And the Dvuln guys explain that,
Leo Laporte / Steve Gibson (00:30:25):
in fact, real-world physical driver's license counterfeiting is actually far more difficult than spoofing the content of a digital driver's license. They wrote: Given the digital driver license's current state of security, and by which they mean, as we'll see in a minute, shocking lack of security, they said, we believe it would be far more difficult for an average fraudster to obtain the equipment necessary to produce high-quality plastic New South Wales driver's licenses. A fraudster would need to source and obtain hardware such as, but not limited to, a card printer, New South Wales holographic security foil, and other security features developed uniquely for the New South Wales identification cards, such as the middle green layer, none of which are commercially or legally available outside of the printing hardware. So yeah, like, if you've looked at your driver's license, you know it's got all kinds of wacky stuff going on now, weird reflective angles and things embedded in different layers and stuff
Leo Laporte / Steve Gibson (00:31:55):
that's shiny. And it's like, okay, you can imagine duplicating that physically is not going to be easy, compared to what, taking a screenshot of the secure ID on the phone? Okay. So what are the specific problems with New South Wales' digital driver's license? Okay. First off, the DDL's stored license data is encrypted, but not very well. On iOS, the digital driver's license data is stored in a JSON-formatted file which is encrypted using AES-256-CBC. So 256-bit AES cipher, that's state of the art, cipher block chaining mode, CBC, that's fine. And then that's combined with Base64 encoding. Nothing wrong with any of that. The encryption will turn anything, even if it was ASCII textual content to begin with, into binary data. So the Base64 encoding converts that back into ASCII text so that it can be stored in a JSON text-format file, if desired.
Leo Laporte / Steve Gibson (00:33:18):
But here's the problem. The encryption key is the four-digit PIN that's initially set during onboarding, when the user first installs and sets up the app. That's it. A four-digit PIN. Believe it or not, that's the password. A four-digit PIN. Since a four-digit numeric PIN can be anything from 0000 to 9999, there's, gee, let's see, <laugh> 10,000 possible PIN combinations. One of those will correctly decrypt the JSON file, and the use of the correct decryption will be readily apparent, because what's not decrypted correctly, that is, with the wrong PIN guess, will be gibberish. In other words, if an attacker is able to obtain the encrypted data, either through accessing an iPhone backup, direct access to the device, or a remote compromise, it will take only a few minutes to brute-force the correct four-digit key to that encryption.
Leo Laporte / Steve Gibson (00:34:38):
There's not even any password-based key derivation function, you know, a PBKDF, to slow down the guessing. Nope. Just use the four-digit PIN, see if that decrypts the blob back into something that looks correct, and if not, try the next one. During Dvuln's testing, their brute-force process took only a few minutes to decrypt the digital license data, which could then be edited, re-encrypted, and used to change the digital driver's license details on the mobile device. In other words, no sign of any authentication, no digital signature or anything else to protect against user tampering and manipulation of the stored and then displayed data. The only protection was this four-digit PIN, and when you use it, it decrypts the data, bringing it back into plaintext, which could be modified. Unbelievable.
Leo Laporte / Steve Gibson (00:35:52):
Again, this is 2022. Next problem is a lack of any client-side validation. As they said, the digital driver's license data is never validated against the backend authority which issued the license. So not only is there no local authentication, it's not signed, nothing, but there's no ongoing, periodic, or ever verification with the original issuer. They wrote that this means that the application has no native method to validate the digital driver license data that exists on the phone and thus cannot perform further actions, such as warning users or anyone relying on this data, anybody else, when this data has been modified. Since the digital driver's license data is stored on the client's device, validation should take place to ensure the local copy of the data matches the digital driver's license data that was originally downloaded from the Service NSW API, or, I would add, locally verify a signature. No such verification takes place. An attacker is able to display the edited data on the DDL app without any prevention. Okay. Now, presumably whatever moron designed this system figured that since it was encrypted with military-grade 256-bit AES encryption, and thus could never be modified, there would be no need to verify it.
Leo Laporte / Steve Gibson (00:37:44):
And one of the features they boasted was that it could run completely offline, right? No verification needed. And speaking of verification, one of the key verification features of the digital license is its so-called pull-to-refresh functionality, which is used to ensure that anyone relying on it is viewing the most current license information. However, the Dvuln guys noticed that refreshing the application's driver license data only updates the QR code which is displayed on the license, and that the QR code only contains the license holder's name and whether they are under the age of 18 or not. That's the only thing in the QR code. So if a fraudster had modified their license details and photo by decrypting, modifying, and then re-encrypting the data, this fraudulent data would remain visible on the screen even after the QR code date and time had been refreshed and updated. And not surprisingly, in still another example of incredible sloppiness,
Leo Laporte / Steve Gibson (00:39:06):
the license data is indeed exported in iPhone backups, making its modification outside of the phone trivial. As we know, when a secured mobile device is jailbroken, it's reasonable to assume that any security features an application may have could be bypassed, because an attacker has obtained root-level access to the device's storage and various services. But conversely, as long as a secured mobile device is not jailbroken, apps should be able to be reasonably secured so that their users are protected against misuse and various types of client-side vulnerabilities. However, in the case of Service NSW's application, the digital driver's license data is included in device backups, which means that attackers, or anyone wanting to commit fraud, can obtain and modify their license details without ever needing to jailbreak the device.
Leo Laporte / Steve Gibson (00:40:20):
There is no way that this system was ever reviewed by any competent security expert. These days we've got competent security experts coming out of our ears. Anybody who had any training in digital application security would immediately see what an embarrassment this thing is. And the publicly known problems with it are now three years old, with rumors that these digital driver's licenses are being readily spoofed. Of course they are. So we have to ask ourselves, how did this happen? Was it created by some government bureaucrat's unemployed nephew? And why doesn't anyone appear to care? It seems likely that someone will be caring very soon, thanks to the bright light that the Dvuln guys have finally aimed at this mess, because the tech press has picked this up and run with it. So this is gonna be an embarrassment to New South Wales and, you know, whatever clown wrote this thing. Okay. So because this is the Security Now podcast, we can ask: so what's the answer? How do we solve this problem? Since I've been called a competent security expert, I'll take a stab at it. How about this? All that's needed is a certificate, a standard X.509 format certificate.
Leo Laporte / Steve Gibson (00:42:03):
This has all been worked out already. Certificate fields can contain binary data. They already do; they have a public key in them. So the certificate owner's photo can easily be contained within the certificate, as can dates of starting and ending validity, and anything else that might be needed, like a timestamp for when the certificate is signed, the owner's legal name, their physical address, their date of birth, and so on. What makes a certificate special is that its entire contents is signed by a recognized and trusted authority. As we know, the process of signing is that the certificate's contents are hashed to create a digest of that content. Then that hash is encrypted with the signer's private key. Anyone wishing to later verify the certificate's authenticity, meaning the contents of everything in the certificate, simply creates their own hash of the certificate's contents, then uses the signer's public key to decrypt the hash that came with the certificate. If the new hash and the decrypted hash match, then we know that not one single bit of the certificate's contents has been modified since it was signed.
Leo Laporte / Steve Gibson (00:43:39):
So to build a simple and practical system, an existing, trusted root authority, a certificate authority, you know, any existing certificate authority that's already trusted by the mobile iOS and Android platforms, take my favorite one, DigiCert, as the chosen certificate authority, issues an intermediate certificate to the New South Wales administration, which is itself permitted to sign the special-purpose DDL, you know, the digital driver's license, certificates. Anytime someone out in the world, like a DDL license holder's DDL application, wishes to update and re-verify their license, that app sends a request to the government's server. The server pulls together all of the relevant data it has for the individual from its database, including their latest photo, their date of birth, their driver's license initial and expiration dates, and builds a new certificate, which also contains a current timestamp. They use the private key that was obtained from DigiCert...
Leo Laporte / Steve Gibson (00:45:02):
...in this example, to sign the resulting certificate. They then bundle that certificate with their intermediate certificate's public key and send the package back to the DDL application. Since the bundle contains a short certificate chain whose intermediate certificate is already trusted by the root certificate store in the mobile device, and since that intermediate certificate can verify the DDL end certificate, any iOS or Android device has everything it needs to verify the authenticity of the DDL end certificate. And there is no way for that DDL license certificate to be modified or tampered with in the field without breaking its signature. In this system, there's no need for a PIN to decrypt the certificate's data, because there's no need for any certificate encryption in the first place at all. And as for that QR code that apparently only contains the user's name and age, that's also, frankly, ridiculous.
Leo Laporte / Steve Gibson (00:46:20):
Its data can be spoofed. If you wanna have some sort of verification reader that reads the QR code, then the QR code can simply contain the individual's driver's license number. And we know that that cannot be spoofed, and if it were, it contains the driver's license number. So the QR code reader obtains the license number that is being claimed on the screen, makes a query to the government server to obtain their signed DDL certificate, and displays the user's name, age, photo, and everything else. So you can make queries on the fly. And if the QR code system needs to work offline, which was apparently a feature of the current system, then the QR code can simply contain a signed subset of the user's information, like only their name and date of birth, which is separately signed by the government's intermediate certificate.
Leo Laporte / Steve Gibson (00:47:23):
The QR code reader then scans the QR code itself, which is itself a tiny certificate. It uses the government's intermediate certificate to verify the QR code certificate and could then trust that the data contained in the QR code certificate subset has not been tampered with. Again, none of this is rocket science. As I've said many times, we now have an incredible toolkit of technology components that can be applied individually and collectively to solve any of these sorts of problems. Nothing needs to be vetted anymore. And the beauty of this system is that all of the well-tested and bulletproof crypto libraries already exist. In fact, the iOS and Android platforms already contain, down in their kernels, all of the required crypto machinery APIs. None of that needs to be created. So hopefully, when this ridiculous New South Wales digital driver's license disaster fiasco finally comes to light...
Leo Laporte / Steve Gibson (00:48:31):
...the existing ridiculous system will not be salvaged. It is unsalvageable. It needs to be entirely scrapped and replaced with a simple, bulletproof system, you know, like the one I just described. There's nothing to it. Seems simple. Yes, Leo. Unbelievable that... this was designed three years ago, and this all existed three years ago. This is not new. This is just the obvious way to solve this problem. Did I hear you correctly, that the data is unencrypted with a four-digit PIN? Yes. You enter your PIN, and now I can modify my driver's license. Yes. Well, that's... I mean, anybody <laugh> looking at that... That was the problem. It's insane. It just assumes that... well, why would anyone wanna modify their driver's license? Yeah, I can't imagine why. Why would an 18-year-old wanna modify, spoof, their age?
Leo Laporte / Steve Gibson (00:49:32):
Yeah, no one's ever done that before. No, that's just bizarre. <Laugh> I will... time for a break. Yes. Yes. While we ponder <laugh> the bizarreness of the world around us. Oh my God. Please save me from the government. Who thought that was a good idea? That's just hysterical. Our show today... And of course, let's talk about no trust, zero trust, because really that's what it takes in a lot of environments. You don't <laugh>... I mean, oh, well, they would never want to change their driver's license. These days the key to security, and many agree, is zero trust, and the best way to do it is Zentry, Z E N T R Y. The zero's right in there. Remote work is here to stay. When the pandemic started, offices emptied. Of course, all of a sudden everyone knew what a VPN was, but the problem with a VPN is it just hardens the perimeter.
Leo Laporte / Steve Gibson (00:50:34):
And the presumption is once somebody is in the company network, well, they should be able to access anything going on in there. And we realize, you know, what a problem that is. I guess that comes from an earlier, <laugh> more trustworthy era, when the only thing you had to worry about was, I guess, internet worms. The times have changed. Threat actors are now specifically targeting your remote or hybrid workforce with sophisticated phishing attacks. They exploit vulnerabilities, as we talk about all the time, in things like RDP. VPNs offer, of course, broad network-level access controls, which allows east-west propagation for authorized users, but also unauthorized ones. So you've probably heard this idea of zero trust. Zentry Security is a perfect zero trust solution. It's better than a VPN. It only allows authorized users to access authorized applications in the cloud and data center.
Leo Laporte / Steve Gibson (00:51:36):
You don't need VPN clients. It's much simpler than that. You don't need a lot of configuration. There are not a lot of headaches. Employees, contractors, third parties... by the way, that's another reason you need this. It's not just employees. How many breaches have we heard about where a third-party contractor had access to the network? 'Cause, well, they had to, but then that vulnerability was exploited by bad guys. This way you give everybody, contractors, employees, third parties, application-level access to specific apps and resources, and you can set up those policies easily: globally applied natural language policies that IT admins define. This way everybody's happy. You've streamlined access for your dispersed workforces. They don't have to jump through hoops and run complicated VPN clients and stuff. They just use a browser on their preferred device. The stuff they want access to is there in the browser.
Leo Laporte / Steve Gibson (00:52:37):
They're on the application through the browser. Every connection is, of course, end-to-end encrypted, which is valuable in reducing the attack surface and increasing your organization's security profile. Everybody wins. Users love it. Everyone's more productive, more collaborative. IT has less to support, and you've eliminated this threat of people worming their way in using your employees' access. It's really clever. I want you to take a look at Zentry Trusted Access. Enhance your security posture today. Zentry Trusted Access, Z E N T R Y. You can get a 30-day free trial. Go to zentrysecurity.com/twit, Z E N T R Y security.com/twit. The easiest way to implement zero trust and get the job done. It's really brilliant. zentrysecurity.com/twit. We thank them for supporting Steve and the work he's doing here, and you support us by using that address. Make sure you use the slash twit part: zentrysecurity.com/twit.
Leo Laporte / Steve Gibson (00:53:41):
Steve. So we had the latest Microsoft Office zero-day remote code execution vulnerability of the week. <laugh> Oh my God. This is a head-buried-in-the-sand, quite pervasive problem in Microsoft Office. By far the best researcher on this has been Kevin Beaumont. We've talked about Kevin from time to time; he's a great security researcher. He tweets using the handle GossiTheDog, for some reason. And Kevin even tracked down a bachelor's thesis offered by a guy named Benjamin Altpeter on August 1st, 2020, so nearly two years ago. On page 29 of his bachelor's thesis, Benjamin writes: Windows includes the ms-msdt:// URL scheme protocol, which opens the Microsoft Support Diagnostic Tool, which provides troubleshooting to diagnose wifi and audio problems.
Leo Laporte / Steve Gibson (00:55:01):
And the like. This protocol directly passes the string it is given to the msdt.exe program. The attacker now needs to find an included wizard that allows the execution of arbitrary programs, preferably even remote ones. The Program Compatibility Wizard fits this description. Luckily for the attacker, all user input can also be prefilled from the command line. Okay. Now, this msdt thing was new to me. At that point I opened my own command line window on my Windows machine, entered msdt, and hit enter. And sure enough, up popped a Microsoft Support Diagnostic Tool dialog which I had never encountered before. So this msdt thing is alive and well and living in all of our Windows machines right now. It turns out you can access this, which is to say bad guys can access this, through an Office document using the
Leo Laporte / Steve Gibson (00:56:12):
ms-msdt:// protocol, and use it to remotely execute code. Okay. So back to Kevin. <laugh> Kevin's name for this exploit has stuck. It's now semi-officially known as the Follina, F O L L I N A, the Follina exploit, because Kevin spotted a reference to 0438 in the sample exploit file, and 0438 is the area code of the city of Follina, Italy. <Laugh> Okay. Hey, as good a reason as any. That's the way we name these things these days, folks. Hysterical. So Benjamin's bachelor's thesis was nearly two years ago. The reference in it was obscure. It was on page 29, and we'll never know whether someone saw it and recognized its significance as he did, or may have independently invented an attack. Given the nearly two-year interval, I'm inclined to think that this was an independent discovery, because these sorts of things happen all the time. But either way, last month, on April 12th, the leader of Shadow Chaser Group, an advanced persistent threat, you know, an APT hunting group, reported the active exploitation of this vulnerability in the wild to Microsoft's MSRC, you know, their Microsoft Security Response Center.
Leo Laporte / Steve Gibson (00:57:54):
That's April 12th. The Shadow Chaser Group report provided a copy of the in-the-wild, real-world Microsoft Office document exploit, which was targeting Russia, themed as a Russian job interview. Nine days later, nine days go by, on April 21st, Microsoft's MSRC blew it off and closed the ticket, saying that it was not a security-related issue. <Laugh> I have a picture in the show notes, a screenshot of this. It's signed by MSRC, so it's written in the first person. It reads: I finally had time, this after nine days, I finally had time to look at this critically and have decided it is not a security related issue. msdt is indeed executed, but it requires a passcode when it starts, and the one provided in this sample does not work for me. I will be closing this case, but appreciate you submitting it. Regards, MSRC.
Leo Laporte / Steve Gibson (00:59:16):
Okay. Now, I'm not sure what the phrase "looking at this critically" means exactly, but apparently it doesn't mean closely examined and worked to understand what the underlying problem might be. And, you know, this might represent another sample of the pattern that seems to be emerging, where Microsoft increasingly seems to be needing the external security research community to solve all of its problems for it, and handed everything on a silver platter. Apparently saying, hey, have you considered that allowing Word's remote template feature to retrieve an HTML file from a remote server, which in turn uses the ms-msdt:// URI scheme to load some code and execute some PowerShell, even when Office macros have been disabled, and even able to bypass Protected View by giving the document an RTF extension, is no longer sufficient to get Microsoft's attention. Now, in fairness, that provided exploit sample apparently did not work instantly for the overworked MSRC...
Leo Laporte / Steve Gibson (01:00:47):
...guy, and we don't know how many false negative reports the MSRC guys might be fielding every day. Perhaps they face a constant deluge of bogus reports. But we do know about economics, and we do know about incentives. So we know that if this sort of behavior is never met with consequences, it will continue and even be de facto encouraged. And Microsoft has arranged to completely insulate themselves from any consequences, ever. So all we can ever do at this point is hope for the best. Since we're apparently on our own, what do we do? Kevin reports that the vulnerability has been proven to work against Office 2013, 2016, 2019, 2021, Office Pro Plus, and Office 365. In other words, all of them. It also applies to Windows itself, because this exploit can be invoked from, believe it or not, our old friend, the LNK link file.
Leo Laporte / Steve Gibson (01:02:11):
Yep. <Laugh> That hasn't gone away. So there are two different issues: Office itself using the ms-msdt: scheme protocol while allowing loading of unfiltered HTML, Word templates, and Outlook links; and the fact that the MSDT executable allows code execution. All flavors of Windows Defender also completely missed detecting this, except yesterday that changed, which is not surprising given that Microsoft decided last month this was not a security issue. So that was true until yesterday. Now Defender's awareness has been updated, and I'm sure other AV companies are on this also.
Leo Laporte / Steve Gibson (01:02:59):
And Microsoft released a workaround in the meantime, in the form of a registry script, also yesterday. That registry script simply deletes the ms-msdt protocol handler reference from the registry. I have it as... you run the command prompt as admin, and then you do: reg delete HKEY_CLASSES_ROOT\ms-msdt /f. But, you know, get this from the show notes if you want to try it, and as always, it's good to back up your registry beforehand. So Kevin wonders out loud how this might evolve. He says, we'll see. Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking. Microsoft will probably point towards Protected View. However, Protected View also applies by default to all macros in Office.
Leo Laporte / Steve Gibson (01:04:14):
Macro malware is most definitely a major problem regardless. Then, in an update to Kevin's original posting, he added: Microsoft have indeed pointed to Protected View, saying it prevents the attack. Kevin writes, I think this is stretching the truth. For example, if the document is a .RTF file and is opened by preview in Explorer, Protected View does not apply, and it becomes a zero-click exploit. Microsoft knows this; they just aren't mentioning it to customers. And then Kevin provides a tweet from our well-known CERT/CC guy Will Dormann, and Will agrees. Will tweets: This language is a bit misleading in not really describing what "calling application" means. If you preview a file in Explorer, which uses Office to render the document, Protected View doesn't do a damn thing, says Will. The very latest is that Microsoft, as I said, has finally awoken to this threat.
Leo Laporte / Steve Gibson (01:05:27):
A CVE has been assigned, and Windows Defender's detection signatures have been updated. But the underlying trouble is that the use of the ms-msdt protocol is extensive and pervasive, so it cannot be shut down without breaking all sorts of other things that depend upon it. It's a bit like last year's print spooler catch-22 fiasco. It's another of those problems that isn't really a bug that can be patched, because it's the abuse of a deliberately designed-in feature. And, you know, this is what results from systems that become too complex. It begins to be impossible to understand and anticipate every possible interaction among components when there are just so many different components. So it's the world we are in today. Anyway, Defender's updated. Other AVs are being, if they're not already, updated. We've got now the maximum time for Microsoft to create a patch, because today is the last...
Leo Laporte / Steve Gibson (01:06:48):
This Tuesday is the last day of the month, which puts the first on a Wednesday, meaning that Patch Tuesday will be the 14th, the latest date it could possibly be in the month. So Microsoft has a full two weeks. Maybe they'll be able to get a patch out for Office across the board by then. We'll see. Okay. Huh? GhostTouch. Get a load of this one. This is not yet a real-world threat due to the potential attack's very short range, which is currently around 40 millimeters, or just over an inch and a half. But as we know, impractical is how many eventually practical attacks began. Here's the abstract of the 17-page exploit research paper describing this new and very clever GhostTouch attack, which was invented by a team of Chinese and German security researchers. They explain, quote: Capacitive touchscreens have become the primary human interface...
Leo Laporte / Steve Gibson (01:08:05):
I'm sorry, primary human-machine interface for personal devices such as smartphones and tablets. In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. GhostTouch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the GhostTouch attacks on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 by 19.2 pixels from the target area, a delay of less than half a second, and a distance of up to 40 millimeters. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.
Leo Laporte / Steve Gibson (01:09:53):
Finally, we discuss potential hardware and software countermeasures to mitigate the attack. Okay, so a little bit of background. A capacitive touchscreen, it turns out, is a surprisingly sophisticated and highly sensitive device, which we now pretty much take for granted. And the technology is known to be quite susceptible to local and environmental noise. It's easy to make a touchscreen malfunction when it's placed near a source of electromagnetic interference. There are switching regulators used in some phone chargers which are known to generate so much short-range, high-frequency electromagnetic interference that nearby touchscreens will not function. So what these clever researchers have done is turn electromagnetic interference into electromagnetic touch signals to deliberately spoof what are essentially the receivers in capacitive touch systems, to generate spoofed touch events. And they made it work. At this point it's only of academic interest, but we should not be surprised to learn of it being applied in some way in the future.
Leo Laporte / Steve Gibson (01:11:18):
Okay. There's something new that might be coming, known as TrustPid, if it ever actually happens. And Vodafone and Deutsche Telekom are reportedly both now in pilot testing of this new TrustPid system in Germany. The technology creates... I mean, it's designed to create a persistent, static super cookie which, being somehow injected into a user's communications at the carrier level by the cellular carrier, cannot be seen, managed, or blocked by end users. The only reason I can see for any cellular carrier to be doing something this clearly privacy-invasive is that they've decided that it's more important for them to get in on the internet advertising revenue boom by arranging to monetize their customers' "anonymous," and that's in air quotes, online identities. Here's what the TrustPid website says under the tired banner of "keeping the internet free," right?
Leo Laporte / Steve Gibson (01:12:50):
So that's... this is how we're gonna keep the internet free, kids. If anyone's interested, TrustPid, I think it was .com. It reads: Consumers appreciate the idea of a free internet, but this comes with a trade-off. Publishers need a sustainable revenue model, meaning that it becomes essential to add subscription paywalls or rely on advertising to maintain free access to high-quality content. With a growing trend of digital information shared in the ecosystem, consumers' concerns about privacy and the amount of information passed into the free internet have been raised. No kidding, by things like this, apparently. TrustPid, they wrote, is a technology solution that enables consumers to enjoy free content and the benefits of the open internet whilst retaining control over their privacy. Uh-huh. TrustPid is a secure, yeah, like that digital driver's license, unique digital token generated by assigning random numbers to you, which reduces the risk of you being directly identified.
Leo Laporte / Steve Gibson (01:14:16):
Whilst, I like that word, still enabling advertisers and publishers to provide you with a personalized experience across their sites, with your consent. You can find more information on how we generate and manage your TrustPid in the privacy notice. I went there. There was none. "Your consent," that's funny. <Laugh> Good luck finding it. <Laugh> That's right. Your consent for TrustPid is collected by advertisers and publishers via their consent management platform, and then they have here, in parens, cookie banner, when you visit their sites. The consent will apply only to those websites. The TrustPid service gives consumers complete control over how their TrustPid is used by enabling them to manage their consent via a central privacy portal at any time. In the privacy portal, consumers are able to track which advertisers or publishers they have allowed to provide them with personalized online marketing on their websites, based on their TrustPid, in one central place; the possibility to withdraw consent at single website level; and the ability to turn off the TrustPid service entirely, preventing any further use of the token.
Leo Laporte / Steve Gibson (01:15:56):
If you wanna understand more about how the trust portal works, I'm sorry, the privacy portal works, or if you wanna manage your consent, please visit the dedicated privacy portal page. And I should mention that only customers of Vodafone and Deutsche Telekom who are involved in this have access to the portal. You've gotta validate by using your cellular device. Okay, so I have many questions. Aside from the fact that this will assuredly be an opt-out service, where all users will be by default opted in, otherwise it would never get off the ground, right? You know, Apple and their attempt to require advertisers to get explicit permission showed that people just say, no, thank you, I don't want that. Okay. And thus, enabling tracking without their consent. And we need to know whether this system will respect the user's GPC, the Global Privacy Control setting. Presumably the websites at the other end have to.
Leo Laporte / Steve Gibson (01:17:07):
So we'll see how that goes. As I said, though, aside from that, how exactly can identifying tags be injected at the carrier level into encrypted HTTPS web sessions? This is really a concern. The only way I can see that this can be done in 2022 is by having the carrier, in this case Vodafone and Deutsche Telekom, actively intercepting and proxying all of their customers' encrypted TLS connections. We saw this years before, when some carriers were offering caching and data compression services. Remember that? Cellular carriers would offer, like, we're gonna speed up your internet connection, you lowly cellular users, by compressing the data for you, sending it to you compressed, and then we'll decompress it on your phone. But that was back in the pre-HTTPS-everywhere days, where most connections were still unencrypted. But in 2022, as we know, nothing is unencrypted anymore. A carrier can see the IP addresses that their users are connecting to, but IP addresses no longer reflect the website properties behind them.
Leo Laporte / Steve Gibson (01:18:47):
Since SNI, Server Name Indication, is now being heavily used during TLS handshaking to identify the domain being connected to, and thus the TLS certificate which should be sent to the client, this is allowing many websites to reside at the same IP. So there's no way to disambiguate them from the outside. So this means that a persistent identifier is either somehow injected into the user's connections by their smartphone's browser before entering their TLS-encrypted connection, or the user's smartphone must accept a Vodafone certificate-authority-style root certificate into its root store to allow Vodafone and Deutsche Telekom to function as a sanctioned, active, persistent-cookie-injecting man in the middle. Neither of these seem likely or possible, or even remotely feasible, in 2022. So I'm stumped. I mean, I really am. Without being on the inside, Vodafone and Deutsche Telekom cannot see who their customers are connecting to and cannot alter the content of their data, injecting something into the flow, and cellular carriers are explicitly and deliberately on the outside; they're carriers of encrypted content.
Leo Laporte / Steve Gibson (01:20:33):
I followed every link I could find, looking for any technical documentation. There's none that I could see. Since I don't read German, my digging was somewhat limited. Maybe I'm missing something obvious, but even if there's some way to pull this off technically, you know, why the hell are our carriers getting in on the identifying-their-customers-to-advertisers game? My feeling is this is a monster that needs to be strangled in its crib immediately, before it has a chance to grow. This just... my mind is boggled by the idea that Vodafone and Deutsche could be experimenting with something like this, and clearly it's to sell the information. Right. I mean, why else? Wow. Okay. A couple of closing-the-loop bits. Michael, he said, hi Steve @SGgrc and Leo @leolaporte, he said "listed," and he meant "listened,"
Leo Laporte / Steve Gibson (01:21:42):
I'm sure, to SN 872, so that was last week, and you said there were no good ad blockers for macOS/iOS. He said, I've been using 1Blocker for years and it works great with Safari on all of Apple's platforms, 1blocker.com. And actually I was reminded of that. Bill Larky, he also tweeted, saying @SGgrc, heard the conversation on ad blockers for Safari. @1BlockerApp, which you recommended and I love, he says, on iOS also has a Mac version. Might wanna look at that. Best part is that since it's a universal app, if you purchase on one platform, you get both. I guess it depends on what you call good. <Laugh> Okay. <Laugh> Fair enough. If by good you mean blocks all ads, then no. So the problem is, I don't think it's 1Blocker's...
Leo Laporte / Steve Gibson (01:22:39):
I also use Firefox Focus. I use a variety of different, or I've attempted to use a variety of different, ad blockers on iOS. And the problem is, because of the architecture, and this is what we were talking about, it's very hard for an ad blocker to work as well as gorhill's uBlock Origin. So I'm looking at ior.com, great site, using 1Blocker with all of the blocking turned on, and then using gorhill's uBlock Origin on my desktop, and on 1Blocker on iOS I see an ad for Mint, Best Buy, Kay Jewelers. This is with the blocker turned on, and on and on and on. There's quite a few ads. And I don't think that that's 1Blocker's fault. I just think that it's hard to do with this stricture that Apple places on it.
Leo Laporte / Steve Gibson (01:23:25):
So, yep. Good. That's the problem. That's what we're talking about. There isn't any full ad blocker available in iOS, right. And, as I have said, because I am such a fan of uBlock Origin, when I go to a machine that doesn't have it, I'm like, oh my Lord. But this, you forget, this is what people put up with on the internet. Yeah. Oh my. I pay not to have that. So if you want a comparison, put 1Blocker on your Mac or your iOS, and then look at it with uBlock Origin on Firefox on your Mac. And you'll, I mean, I don't see any of those ads with uBlock Origin, any of 'em. So, again, I don't blame these blockers, although this is not a free blocker, so you're paying for something that ostensibly blocks ads but doesn't. I mean, Firefox Focus, which is a free ad blocker from the Firefox folks, does as well.
Leo Laporte / Steve Gibson (01:24:20):
I think it's more the Safari issue, really. George PFI said, "Just heard your discussion on quantum computing and cryptography. Perhaps we can adapt new crypto for quantum computers, but Bitcoin, Ethereum and many cryptocurrencies are based on very old crypto rules," he says, "and I don't believe the algorithms can be changed. So people who wanna keep their wealth protected for a long time will be at risk as quantum computing evolves. Better to stick to gold and silver, which have worked for thousands of years." He signs it "old George." And okay. The only issue I would take with that, first of all, there are several aspects of using cryptocurrencies. One is passwords, and I would never disagree that, because passwords may be using public key crypto, they're gonna be in trouble. But for example, we know Bitcoin well, because we talked about it like 11 years ago or something, when it was worth dust.
Leo Laporte / Steve Gibson (01:25:32):
And, you know, there was a Bitcoin faucet where you could just get free pieces of a Bitcoin by going there. And so we know that it uses the SHA-256 hash, and hashes are strong even against quantum crypto. It's specifically the public key aspect of today's crypto that has people worried, not the symmetric crypto or the hashes. So, and that's the essence of, you know, hashing is the essence of these various cryptocurrencies. They're gonna be safe. Their design probably does not need to be changed. But George makes the point, which is valid, which is they can't be changed. You know, they are an embedded crypto technology that is here forever. Okay. I guess you could just stop mining. If you stopped all mining, then, I don't know. I have to think about that.
Leo Laporte / Steve Gibson (01:26:39):
Anyway, oh, anyway. "Random" is his handle, with the A as a four and the O as a numeric zero. He said, "Hey @SGgrc, I was thinking about the layer one attack against the unlock function of the various apps using Bluetooth Low Energy. And it occurred to me that a prompt in the app at unlock time should be a feature they add to help mitigate the demonstrated weakness. Of course the user experience will suffer, but this should defeat the attack." And I just wanted to share that, 'cause he is absolutely right. So what he's saying is, if you had to touch the lock, and then the use of the app was not autonomous, but you had to then, you know, take your phone out of your pocket and tap to acknowledge, that solves this problem, right?
Leo Laporte / Steve Gibson (01:27:37):
Because it wouldn't be done autonomously. Unfortunately, on this site that I visited when I was putting the story together last week, the homepage shows this lady with her arms full of groceries, you know, like, the whole point being she can't do anything except manage to, like, you know, hit the lock with her elbow in order to register her presence. And then, oh look, the door unlocks and she's able to get in. So, you know, exactly as he says, the user experience, which is so magical by just, you know, touching the lock and you're able to enter, well, that's a lot less magical if you have to acknowledge it on your phone. But it would solve the problem. And Bryant McDermid says, "Hey Steve, quick question. If I encrypt a file with 256-bit encryption three times with three different passwords, what is the resulting bit strength?
Leo Laporte / Steve Gibson (01:28:42):
Is it 256 plus 256 plus 256, or 256 times 256 times 256?" And Bryant, the answer is plus. It's the equivalent on the symmetric key side of 768-bit encryption. But the real strength is the entropy in the keys, which are turned into the 256-bit encryption keys. That's what really limits you. But to answer your question, you are adding the equivalent bit lengths rather than multiplying them. And of course adding is virtually no value compared to multiplying, right? Yeah. Shall I do an ad for you, sir? Please. I'm gonna wet my whistle. And then we're gonna talk about whether DuckDuckGo is gone. I just did an informal test using the Firefox Focus plugin, and actually that does seem to block all the ads. So there is a way, with Apple's strictures on iOS, to still use Safari.
Leo Laporte / Steve Gibson (01:29:59):
So maybe one, maybe don't use 1Blocker, which is not free; use Firefox Focus, which is. And maybe they've sold out, maybe, or, you know, the thing is, it's a moving target. One of the reasons I stopped using 1Blocker is there's literally 10 different blockers you have to turn on <laugh> and it's complicated. Firefox Focus is a browser, but it also works as an extension. So you could turn it on as a Safari extension, which is what I do. Yeah. Our show today, my friends, let's get, let's, more importantly, well, wait. And that's what he wanted. He wanted a good Safari extension. Yes. For his Mac. That's the issue on the Mac, because, okay, everything is using WebKit anyway. So you, but you've solved the problem then. Focus. You use that. That's what I've been using.
Leo Laporte / Steve Gibson (01:30:46):
And I didn't realize how well it did. I had, see, a problem is I have NextDNS. So I have to turn that off. I go through a lot of hoops to see if I'm gonna really get ads or not. Leo, it's like me trying to get a banking app to run on my phone. <Laugh> It's just, it's too many. I need a week. I need a week in order to shut down all the security. You want me to have a banking app on here? Really? Actually, you know, if you think about it, what she was really asking for is biometric. Right. Well, I unlocked my phone, so she, oh yeah, that should be sufficient. But, well, she wants to unlock the phone and show it's your phone. <laugh> So, I mean, in a way, that isn't a bad idea for additional security.
Leo Laporte / Steve Gibson (01:31:32):
It's a way of kind of ad hoc biometric security. Can you unlock your phone and prove it's yours? I mean, I think I did that. I do have some of my credit cards registered with the phone, and so, you know, that should be sufficient. Yeah. I have Apple Pay on there. Yeah. That's better than banking. Yeah. Well, anyway, she lets you have the car. <Laugh> That's the important point. Our show today, my friends, brought to you by Kolide. And I've talked about them before. We, as you may know, use Slack as our messaging system. Many, many businesses do. If you use Slack, you really ought to check out Kolide, K O L I D E. What is it? It's security, but with a very interesting slant. You know, I think a lot, we, in the early days of ransomware, the IT department, the security folks came in hard, and I don't blame you at all.
Leo Laporte / Steve Gibson (01:32:23):
You know, to the point they were actually super gluing USB ports closed, probably 'cause they listened to this show. They were doing all the things. The problem is, it's kind of leaving the users out of the equation. It's authoritarian. It's saying you're gonna do this, you don't even know why, you're just gonna do it. And I understand the desire to do that. But what happens is users, you know, they'll start using their own devices. They'll start using their phones, their laptops. And now you're in a much worse situation, especially if they then take those devices into work and put 'em on the network. And it's like you have no security at all. What you really wanna do is make users part of your security. They're not the enemy. Make 'em your allies. And that's what Kolide does.
Leo Laporte / Steve Gibson (01:33:09):
It's really an interesting new take on endpoint security that asks the question, how can we get users more involved? It's built by like-minded security professionals. Look, they understand your challenges. They're on your team, but they realize how much MDM is disrupting end users and how that's throwing a monkey wrench into your plans. Instead of locking down a device, Kolide takes a user-focused approach that communicates security recommendations to your employees directly on Slack, in a friendly way that teaches them and then walks them through the process of locking it down. It all starts, actually, when you first get Kolide, with that first message to the user saying, "Hi, I'm Kolide, let's install my endpoint agent," and the user does it. And I can't tell you the difference that makes. Being on both sides of this, as a user I like to be involved.
Leo Laporte / Steve Gibson (01:34:04):
Right. So I install it. Now I feel good. Yeah, I'm locking it down. And then from then on, they'll continue to get messages addressing issues in their security. For instance, "Oh, I see you have a screen lock on. Good job, but you don't have it password protected. That's a problem. Let's turn on some password protection," that kind of thing. Or even something a little more tricky. I mean, it covers a lot of different issues. You'll see examples on the website. One of them is, "I see you've downloaded your two-factor backup codes. Good job. But they're still sitting in your Downloads folder in plain text. So let's put those somewhere safe." <Laugh> And this is great because you're teaching users a lot about how security works. They wanna know this. You're enrolling them into it, saying, here, be our allies, help us keep the company safe.
Leo Laporte / Steve Gibson (01:34:59):
And that really works much better. Kolide's educating your employees about policies, how to keep your devices secure, using real examples. It's not theoretical, 'cause it's talking about something going on right now. And they're gonna go home, by the way, and apply those security policies to their home computers too. So it's good for the whole ecosystem. Kolide. I just love this. K O L I D E. Cross-platform endpoint management. Yes, it's on Mac. Yes, it's on Windows. Yes, it's on Linux. It's everywhere Slack runs. Get endpoint management that puts the user first. Visit kolide.com/securitynow, learn more and activate a 14-day free trial right now. You don't even need a credit card. kolide.com/securitynow today. And by the way, take a look at the goody bag. You get some nice Kolide swag just for signing up for that new trial.
Leo Laporte / Steve Gibson (01:35:54):
Just as a way of saying thank you. So you can put the stickers on your laptop and all of that. Kolide, kolide.com/securitynow. Thank you, Kolide, for, I think, doing something really important, and besides, supporting this show <laugh>, which is also important. All right, Steve, let's talk about the matter at hand here. Ah. So the winner, as I said at the top of the show, of this week's most-tweeted news of concern was the widely reported surprise that the explicitly privacy-centric and privacy-protecting DuckDuckGo enterprise had struck a previously secret backroom deal with Microsoft to enable user tracking from Microsoft-owned domains, including bing.com and linkedin.com, when using the so-called DuckDuckGo privacy browser. It was further revealed by DuckDuckGo's founder Gabriel Weinberg that DuckDuckGo's non-disclosure agreement with Microsoft prevented them from any further disclosure of their agreement's terms.
Leo Laporte / Steve Gibson (01:37:06):
And I have in the show notes, and it's on screen, two of Gabriel's tweets. He said, "For non-search tracker blocking (e.g. in our browser), we block most third-party trackers. Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon." Then his follow-up tweet was, "We've been working tirelessly behind the scenes to change these requirements, though our syndication agreement also has a confidentiality provision that prevents disclosing details. Again, we expect to have an update soon that will include more third-party Microsoft protection." Okay, so let's back up a bit and see what happened. TechCrunch's headline: "DDG has a tracker blocking carve-out linked to Microsoft contract." BleepingComputer reported, "DuckDuckGo browser allows Microsoft trackers due to search agreement." 9to5Mac headlined, "DuckDuckGo caught giving Microsoft permission for trackers despite strong privacy reputation." And Android Police's headline:
Leo Laporte / Steve Gibson (01:38:32):
"DuckDuckGo's supposedly private browser caught permitting ad tracking." Okay. The first thing for us to clear up about all this is that this all refers to the use of DuckDuckGo's own browser, not to the use of the DuckDuckGo search engine. On the other hand, anyone could be forgiven for missing this distinction. When you go to DuckDuckGo's homepage, you're greeted with a bold headline, "Tired of being tracked online? We can help." Then below that are three big topics: Privacy for Chrome, Private Search Engine, and Privacy Browser App. And explaining their privacy browser app, they say, quote, "Our private browser for mobile comes equipped with our search engine, tracker blocker, encryption enforcer, and more. Available on iOS and Android." And as we previously mentioned, actually there is one coming for macOS, and apparently one for Windows is also planned.
Leo Laporte / Steve Gibson (01:39:40):
So all of this brouhaha began when security researcher Zach Edwards took the time to audit the data flows to and from one of DuckDuckGo's mobile browser platforms. And given a screenshot we'll have later, it looks like he was using the Android browser. Early last week he tweeted, quote, "Sometimes you find something so disturbing during an audit, you've gotta check, recheck, because you assume that something must be broken in the test. But I'm confident now, the new @DuckDuckGo browsers for iOS and Android don't block Microsoft data flows for LinkedIn and Bing."
Leo Laporte / Steve Gibson (01:40:37):
So this is mostly, I think, a story about expectations. As, Leo, you and I were saying up at the top, Zach was so surprised and disturbed by what he saw specifically because it wasn't what he ever expected to find from DuckDuckGo. His next tweet, he said, "DuckDuckGo has browser extensions and their own browsers for iOS/Android at duckduckgo.com/app." Then he's got links in his tweet for the iOS version and the Android version. He said, "Both versions of the DDG browser claim to use tools which, quote, 'automatically blocks hidden third-party trackers.'" Then he's got two question marks. And to back that up, Zach attached a screenshot of the clear statements from DuckDuckGo, and I'll reread them quickly. It says, "Tired of being tracked online? We can help. DuckDuckGo is the all-in-one privacy app."
Leo Laporte / Steve Gibson (01:41:44):
Now the app, meaning exactly what we're talking about, the browser app. "DuckDuckGo is the all-in-one privacy app that helps protect your online activities. With one download, you get a new everyday browser that offers seamless protections from third-party trackers while you search and browse, and even access to tracking protections when receiving email and using other apps on your device. With DuckDuckGo, privacy can be your default." Then it's got five callouts: Search Privately, Escape Website Tracking, Enforce Encryption, Block Email Trackers, and Protect Your Privacy in Other Apps. I'll just expand on that second one, Escape Website Tracking, where it explains, "Tracker Radar automatically blocks hidden third-party trackers we can find lurking on websites you visit in DuckDuckGo, which stops the companies behind those trackers from collecting and selling your data." It doesn't say, "except for Microsoft's advertising trackers, which our contract with them prevents us from blocking or disclosing."
Leo Laporte / Steve Gibson (01:43:05):
And that's the problem, because that's the truth. Zach's next tweet was, "I tested the DuckDuckGo so-called private browser for both iOS and Android, yet neither version blocked data transfers to Microsoft's LinkedIn and Bing ads while viewing Facebook's Workplace.com homepage." He says, "Look at DDG bragging about stopping Facebook on Workplace. No mention of Microsoft." And in the show notes, you've got it on screen, Zach posted a photo showing his Android phone at Facebook's workplace.com site with a DuckDuckGo popup, sure enough, bragging about the wonderful job it's doing, saying, "Google, Facebook were trying to track you here. I blocked them! You can check the URL bar to see who is trying to track you when you visit a new site." And then there's a big High Five button, which the happy user can presumably press, has to press. <laugh> Oh, that's how you get rid of it.
Leo Laporte / Steve Gibson (01:44:20):
I don't wanna do a high five. <laugh> Ah, no. So, you know, the fact that this browser specifically singles out other tracking properties while silently permitting Microsoft-owned domains to track feels at best disingenuous. In an attempt to clarify the mess that arose from this, Gabriel appeared to attempt to explain what's going on over on Reddit. You'll hear for yourself in a moment why I'm wording this as provisionally as I am, because although I've read what Gabriel wrote several times, slowly and carefully, and it sort of sounds like he's explaining something, now I, I wrote, I still have no idea what he said. Although I think it was on the fourth reading that it finally sunk in, and then I explain it. So we assume that he knows what he's trying to say, but he sure doesn't communicate it very clearly. Here's what Gabriel wrote in this posting on Reddit. He says, "Hi, I'm the CEO and founder of DuckDuckGo. To be clear,
Leo Laporte / Steve Gibson (01:45:38):
since I already see confusion in the comments," and boy, confusion in what he's gonna write here. He says, "when you load our search results, you are anonymous, including ads. Also on third-party websites, we actually do block Microsoft third-party cookies in our browsers, plus more protections including fingerprinting protection. That is, this article is not about our search engine, but about our browsers." We have browsers, and he says, parens, "really all-in-one privacy apps, for iOS, Android, and now Mac in beta." He says, "When most browsers on the market talk about tracking protection, they're usually referring to third-party cookie protection and fingerprinting protection, and our browsers impose these same restrictions on all third-party tracking scripts, including those from Microsoft. We also have a lot of other above-and-beyond web protections that also apply to Microsoft scripts and everyone else.
Leo Laporte / Steve Gibson (01:46:48):
"For example, Global Privacy Control, first-party cookie expiration, referrer header trimming, new cookie consent handling in our Mac beta, Fire Button one-click data clearing, and more. What this article is talking about specifically," he keeps telling us, but he never really gets to it, "is another above-and-beyond protection that most browsers don't even attempt to do for web protection: stopping third-party tracking scripts from even loading on third-party websites, because this can easily cause websites to break. But we've taken on that challenge because it makes for better privacy and faster downloads. We wrote a blog post about it. Because we're doing this above-and-beyond protection where we can and offer many other unique protections, for example Google AMP, FLEDGE and Topics protection, automatic HTTPS upgrading, tracking protection for other apps in Android, email protection to block trackers for emails sent to your regular inbox, et cetera, users get way more privacy protection with our app than they would using other browsers."
Leo Laporte / Steve Gibson (01:48:11):
Okay. So he's sort of deflected a little bit here. He's like, oh, look at all, look over here, all these other things you get. He says, "Our goal has always been to provide the most privacy we can in one download." So he still hasn't told us, in the third paragraph yet, what it is. Now, fourth paragraph: "The issue at hand is, while most of our protections, like third-party cookie blocking, apply to Microsoft scripts on third-party sites," he says, again, "this is off of duckduckgo.com, i.e., not related to search." Okay, whatever that meant. He says, "We are currently contractually restricted by Microsoft from completely stopping them from loading," and he says, parens, "the one above-and-beyond protection explained in the last paragraph," but he didn't really explain it, "on third-party sites. We still restrict them though, for example no third-party cookies allowed."
Leo Laporte / Steve Gibson (01:49:20):
"The original example was workplace.com loading a linkedin.com script. Nevertheless, we have been and are working with Microsoft as we speak to reduce or remove this limited restriction," which, maybe he just explained, except not really. He says, "I understand this is all rather confusing," uh-huh, still, "because it is a search syndication contract that is preventing us from doing a non-search thing. That's because our product is a bundle of multiple privacy protections," okay, "and this is a distribution requirement imposed on us as part of the search syndication agreement that helps us privately use some Bing results to provide you with better private search results overall." He says, "While a lot of what you see on our results page privately incorporates content from other sources, including our own indexes, for example Wikipedia, local listings, sports, et cetera, we source most of our traditional links and images privately from Bing."
Leo Laporte / Steve Gibson (01:50:43):
He says, "Though because of other search technology, our link and image results still may look different." He says, "Really only two companies, Google and Microsoft, have a high-quality global web link index," he says, parens, "because I believe it costs upwards of a billion dollars a year to do so. And so literally every other global search engine needs to bootstrap with one or both of them to provide a mainstream search product. The same is true for maps, by the way. Only the biggest companies can similarly afford to put satellites up and send ground cars to take street view pictures of every neighborhood."
Leo Laporte / Steve Gibson (01:51:31):
Anyway, he says, "I hope this provides some helpful context. Taking a step back, I know our product is not perfect and will never be. Nothing can provide 100% protection. And we face many constraints: platform constraints (we can't offer all protections on every platform due to limited APIs or other restrictions), contractual constraints like this one, breakage constraints (blocking some things totally breaks web experiences), and of course the evolving tracking arms race that we constantly work to keep ahead of. That's why we've always been extremely careful to never promise anonymity when browsing outside our search engine, because that frankly isn't possible. We're also working on updates to our app store descriptions to make this more clear. Holistically though, I believe what we offer is the best thing out there for mainstream users who want simple privacy protection without breaking things.
Leo Laporte / Steve Gibson (01:52:43):
"And that is our product vision." Ah, okay. So here's what I think Gabriel said. He said, and I'm paraphrasing, this is written in his voice, so imagine that this is what he said: "We want to provide a robustly privacy-enforcing search engine service. But to do that, we first need to have a search engine service, and no one other than Google and Microsoft can do that on their own. So if we wanna provide search, we need to purchase access to a big search index. And we chose Microsoft's. Because we're able to sanitize and purify the link results we provide, we are able to offer tracking-free search, and we do." Next paragraph, making this up: "But completely aside from and separate from web search, we also wanted to provide a privacy-enhancing web browser. We wanted to do this because offering clean search results is only part of the problem.
Leo Laporte / Steve Gibson (01:54:07):
"A privacy-centric web browser could do so much more. And one of the so-much-more things a browser can do is not only block cookies being set and read by third parties, but also block their third-party JavaScript code from ever being run in the user's browser. And we're able to do that to whatever degree we can for everyone, other than when a Microsoft property is that third party. <laugh> In that case, we must allow their JavaScript to run. This is not because we wanna make an exception for Microsoft. It's because the completely unrelated agreement we have, which allows us to have access to their Bing search engine index, explicitly requires that we not block the execution of their scripts in our browser. Because this has all come to light, now we're planning to amend our DuckDuckGo browser description pages to say something about this." End of my attempt to say what Gabriel should have said. That's fair.
Leo Laporte / Steve Gibson (01:55:33):
Do you think if they used Google they would have the similar issue? I have no idea. You don't know. And, you know, I can't imagine why, like, Microsoft's agreement said, you know, you can't ever block our third-party JavaScript. You know, maybe it's just because Microsoft can set the terms that they wish, because they're one of only two games. This is a duopoly. Yeah, yeah. And so it's like, take it or leave it. And so that's why he was talking kind of apologetically about the fact that, well, you know, we can't provide search unless we have search, and you can only get search from two places. You know, and so he's very proud of their search. And so, you know, maybe this is just, you know, the way it is. It might be. I mean, if he's right, there's really only two search engines and there is no way at this point for anybody to catch up.
Leo Laporte / Steve Gibson (01:56:32):
Oh my God, no. It would be interesting to know what it costs Microsoft and Google to maintain. He says a billion a year. I mean, that doesn't sound unreasonable. They certainly make much of it. It's a lot of bandwidth. I mean, I got spiders crawling all over me all the time. Yeah. I mean, others have said, I think Brave has a search engine. They say we're trying to create our own search index, but nobody, everybody, I mean, I think now we know, and I always suspected this, that everybody's either using Bing or Google. Yeah. Yeah. So I think their heart's in the right place. You know, I don't think they would be making an exception to allow Microsoft's domains to run third-party scripts if their search index syndication contract did not require it. Yeah. They're not happy about it either.
Leo Laporte / Steve Gibson (01:57:26):
You know, on the other hand, they didn't disclose it. And that was the mistake they made. Well, they couldn't, apparently. They were enjoined from saying anything. Oh, right. You're right. Yeah, you're right there. There wasn't a, which really, I mean, this all reflects poorly on Microsoft, to be honest. It's creepy. It's creepy. Microsoft says you have to allow our trackers and you can't tell anybody you're doing it. Yeah. And I have to imagine, although I don't know, and I will hope, I hope that security researchers are now looking at whether any other so-called privacy protection browser is offering what it claims. Yeah. I mean, they must all be doing this. I imagine Google's got even more draconian terms. So I think that's the whole point of DuckDuckGo is, well, we're doing the best anybody can do given the situation.
Leo Laporte / Steve Gibson (01:58:15):
Right, right. Nobody's gonna be able to do better. And just put uBlock Origin on DuckDuckGo's browser, if you can. I don't know if you're able to run extensions on it, but, well, that's a good question. Yeah. Yeah. I mean, Startpage, everybody says, when this came out, everybody said, oh, I'm gonna use Startpage. But I'm pretty sure it's either Google or Bing. I think it's Google. They say we anonymize it. So my question is, maybe Google doesn't have such draconian terms. Maybe Google says, oh, go ahead, you can anonymize your search queries to us. I don't know. I presume people are working on that. Certainly I would think they will now. Yeah. And now our listeners know that DuckDuckGo is not DuckDuckGone <laugh>, unless this really upsets you, in which case...
Leo Laporte / Steve Gibson (01:59:05):
Okay. Right. Good luck. But you're not gonna be able to use any search engine then. No, no browser, unless, well, that's, again, there's some questions. Maybe Google is, maybe Google's like beneficent and says, no, go ahead, use our stuff. You don't have to. Then maybe Microsoft was cheaper. Well, and they, no doubt, I mean, we know that the DuckDuckGo search engine, the search service, predates the browser by many years. Right. So they probably signed that thinking, hey, that's not a problem. We don't have any problem with being forced to run third-party JavaScript. You know, we're not a browser. It's not gonna be an issue. Yeah. Yes. So really, and then it became one. What their mistake was, was releasing, and this just happened, a privacy browser and implying that it's somehow, yep,
Leo Laporte / Steve Gibson (01:59:56):
somehow protected. Yeah. Okay. As always, Steve opens our eyes to the situation surrounding us. That's why you listen to this show. You can get copies of Security Now for your friends and for you. Share it around, please do, at grc.com. Steve has a couple of unique versions: the 16 kilobit audio, the smallest audio version we have. He also has transcripts, text written by humans, not a computer, so it's very good. And then he also has a 64 kilobit audio version, all at grc.com. That's Steve's website. It's where you'll find all the freebie stuff Steve does besides this show, like ShieldsUP!. But it's also where you'll find his bread and butter, which is the world's finest mass storage maintenance and recovery utility, SpinRite. 6.0 is current. He's working hard on 6.1, as long as he doesn't forget what he did last weekend. <Laugh> <laugh> I'm writing it down before I do.
Leo Laporte / Steve Gibson (02:00:57):
'Cause I, no, I document. <laugh> Wow. So if you buy 6 now, you get 6.1 when it comes out, and you can also participate in its development, grc.com. He's on Twitter at @SGgrc. And that's where he tweets the show notes, but also where you can tweet him. His DMs are open. So if you wanna leave a message, give him a hot tip, quibble, all of that, just @SGgrc on Twitter. You know what you should do? Huh? Go to grc.com. grc.com. Yeah, slash dev. Yeah, slash SpinRite. Right?
Leo Laporte / Steve Gibson (02:01:41):
Okay. Look at that. Okay. So what is there? There are, there are, if you scroll down a bit, there are the, the most, oh my God, look at all this. This is like your clippings. Well, those are down there a little bit lower. Those are some of the most recent of the test exes. Oh, look at that, by the way. But go up higher, previous releases, click on previous releases. This will give you some idea of the, of, these were all test releases that were developed. Holy cow, holy cow. That is a long list. AHCI, so you're, all these AHCI drives. Yep. Holy cow. And then we, we get into the read speed. The read speed work, the init disc work. Oh geez. On an init disc. Look at you. I mean, this is like, this is heavily tested. Good for you.
Leo Laporte / Steve Gibson (02:02:42):
This is how you should do it. And I love it that you put this online. Yep. Well, that's the way all of our testers get it, cause it's just right there. Makes nice. Yep. Well, there you, you have it. That's one of many, many wonderful things about grc.com. It's kind of a rabbit hole you can't resist going down, and that's right, bring food and water cuz you'll be there for a while. We have 64 kilobit audio versions, of course, on our site. We also have video at twit.tv/sn. That's all available a couple hours after we finish the show. You can subscribe in a podcast player, that way you get it, you know, automatically whenever it's ready, audio or video. Video versions are also at YouTube. There's a full YouTube channel devoted to this, and Club TWiT members get ad free versions of this show.
Leo Laporte / Steve Gibson (02:03:31):
Don't forget that for seven bucks a month, you can get ad free versions of all of our shows, plus access to our great Discord community, all the fun things going on in there, and the TWiT Plus feed. You can also, though, go to iTunes and buy individual shows ad free. So I think $2.99 a month for Security Now ad free, if you just want that show. I think we're doing that with Spotify. I don't know if that's set up yet or not, but check it out. And so, so, you know, we figure if you've given us three bucks a month, minus Apple's take and all of that, you just shouldn't have to hear ads. So we don't put 'em in. Steve, have a wonderful week. If you wanna watch us do it again next week, it's Wednesdays at, about, right about, Tuesdays, Tuesdays. This is Tuesday, right around 1:30 to 2:00 PM Pacific time. Thank you for the correction. I'll make sure to be here Tuesday, 4:30 to 5:00 PM Eastern, 20:30 UTC. And you can watch it at live.twit.tv. And here comes June. Oh my God. Have a great week. We'll see you next time on Security Now. Steve, thanks buddy. Bye. Bye.
Ant Pruitt (02:04:43):
Did you spend a lot of money on your brand new smartphone? And then you look at the pictures on Facebook and Instagram and you're like, what in the world happened to that photo? Yes, you have. I know it happens to all of us. Well, you need to check out my show, Hands-On Photography, where I'm going to walk you through simple tips and tricks that are gonna help you get the most out of your smartphone camera or your DSLR or mirrorless, whatever you have. And those shots are gonna look so much better, I promise you. So make sure you're tuning in to twit.tv/hop for Hands-On Photography to find out more.