Security Now Episode 876 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. He is raring to go. We're gonna talk about passkeys and what the password managers LastPass and Bitwarden have to say about it. We'll also talk about Firefox's new Total Cookie Protection, which seems to be something less than total, and Microsoft, its attitude toward security is, shall we say, a little casual? It's all coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 876, recorded Tuesday, June 21st, 2022: Microsoft's Patchy Patches. This episode of Security Now is brought to you by Privacy. Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your financial identity on the internet. Right now, new customers will automatically get $5 to spend on their first purchase.
Leo Laporte / Steve Gibson (00:01:08):
Go to privacy.com/securitynow to sign up now. And by New Relic. That next middle-of-the-night call is just waiting to happen. Get New Relic before it does, and you can get access to the whole New Relic platform and 100 gigabytes of data per month, free forever, no credit card required. Sign up at newrelic.com/securitynow. And by ExpressVPN. If you don't like big tech tracking and selling your personal data for profit, it's time to fight back. Get three extra months free with a one-year package by going to expressvpn.com/securitynow. It's time for Security Now, the show where we protect you, your loved ones, your privacy online with this man right here, Mr. Steven Tiberius Gibson, the host of our show. Hello Steve. Hey Leo. Great to be with you again. Once again on a Tuesday. I don't think we ever miss a, our podcast.
Leo Laporte / Steve Gibson (00:02:11):
I, someone was saying about holidays and talking about that and days off. Oh, I know what it was. It was our neighbors talking about how, if a, if a holiday occurs, then the trash pickup gets skewed by a day, right? Yes. And what would normally be like on a Saturday when we get our leaves picked up, that becomes Monday. And I said, I, we once were doing the podcast on Mondays and it used to really bug me when we'd have like, you hated that, the holiday. Yeah. And now we're protected. We're on protected Tuesday because, you know, you might have your day on holiday as, as we did yesterday with a federal holiday, of course it was Juneteenth. And, but the podcast goes on Tuesday. I do have to warn you, let's see, you know, I guess Independence Day is on Monday this year.
Leo Laporte / Steve Gibson (00:02:59):
So we're right. Remember last year, was it last year? It was one year and you hated it. We <laugh>, we said there's no show and you hated that. So no, no day off for you. In July, the 5th of July, we will be here. Good. Yeah. So we're on episode 876, which I titled Microsoft's Patchy Patches <laugh> for reasons that will be made clear. It turns out that for, I, I just sort of the alignment of the planets, there were several completely unrelated stories in this past week of other security firms saying, you know, Microsoft's really not doing the job like they used to. And of course that's not, not news to anybody who has listened to me rant about that over and over and over. But it, it like, okay, it's not just me. So I thought that was interesting, and there wasn't really that much else that happened this week.
Leo Laporte / Steve Gibson (00:03:58):
Lots of other sort of interesting tidbits, but nothing that, see, like wanted to grab the title away from that. So that's where we ended. We're begin, begin to begin it. We're gonna begin this week by answering last week's double decryption strength puzzler. Then I take a look at what's currently known about FIDO2's upcoming support in both the LastPass and the Bitwarden password managers, which I know pretty much covers our listener base. We look at last week's Mozilla announcement of Total Cookie Protection in Firefox and wonder about why it doesn't appear to be working, at least for me. And I'll invite everyone to test their own browsers because there we have a simple way to do that. DDoS attacks have broken yet another stunning record. We have another NTLM, you know, an NT LAN Manager relay attack uncovered in Windows. Apple messed up Safari five years ago, which sat that way until it was just found at the beginning of the year by Google's Project
Leo Laporte / Steve Gibson (00:05:12):
Zero. Interesting story there. More than a million WordPress sites were recently force updated to resolve a very bad problem they had. And we have another high severity flaw, which was fixed in a popular Java library. Of course, of course, Log4j was famous earlier this year. Then after sharing a bit of miscellany and a bunch of fun closing-the-loop feedback, we look at the awareness the rest of the security industry is sharing regarding the apparent deteriorating quality of Microsoft's security management. So I think another interesting podcast for our listeners and a very apropos picture of the week. And of course you probably heard us talk on MacBreak Weekly about the wonderful Microsoft Defender, which is being added <laugh> to iOS <laugh>. Even though all it can do is make recommendations because Apple won't let it do anything else.
Leo Laporte / Steve Gibson (00:06:12):
<Laugh> Right. I love it. Let me tell you right now about our sponsor of the hour, something I use all the time and highly recommend. I know you like the idea too, of credit cards that you only use, yep, once per merchant or once, and then they're burner cards. It's privacy.com. And I think this is such a great idea for anybody. I use it exclusively for online purchases. I never use my regular credit cards. I always create a card with privacy.com. That way I completely control the transaction. First of all, it's private. Obviously you, you know, when you sign up for privacy.com, you're giving them your name and address and, you know, your bank account information and stuff like that to set up the card, but you don't have to give that to the merchant and you can use anything you want, which is fantastic because your privacy is protected. But it's not just privacy.
Leo Laporte / Steve Gibson (00:07:09):
It's security. When I use a card, let's say I create a privacy card for Amazon. Only Amazon can use it. If that card gets leaked or stolen, the bad guys can't use it anywhere else. I'll get an immediate alert. If I want, I can destroy the card. I can, I can pause it or pausing. It's a great feature too, by the way, for subscriptions, you know, when you sign up for subscriptions, a lot of times, it's, it's really easy to sign up for the subscription and good luck trying to find out how to cancel it, right? No problem use a privacy card whenever you've decided I've had enough. You pause it and that's it. It's done. Every transaction's declined. And it's very fun sometimes to watch these companies really desperately charge you again and again, and again, trying to get some money outta you. Nothing.
Leo Laporte / Steve Gibson (00:07:54):
Eventually they give up, they go away. I wish I'd had this. You know, I signed up for a gym membership some years ago and canceled the gym membership. But what I didn't know is that the trainer that I was paying for through the gym was a separate transaction. And they said six months later, after six charges on my card, oh no, you have to cancel that separately. And well, good luck getting your money back after six months, by the way, from the credit card companies. Now with Privacy, I would've just paused it and been done. So much easier, so much simpler. It's time to clean up your digital hygiene <laugh> with Privacy. Protect your personal information online. They have a great interface that lets you track your spending habits. You can add tags to anything so, you know, immediately, oh, it's also great for sharing cards.
Leo Laporte / Steve Gibson (00:08:42):
So it's not unusual for instance for me to give a credit card for a specific, Abby was just in Portugal. I wanted to give her a credit card for the train travel. So I shared it with her. You create it online on the privacy.com account, give them her email. They handle the rest. You're not sending credit card numbers through the mail or via text. You're not sending any information. She doesn't have to have an account. She just says, okay, enters it in. She's set. I love that. And of course I completely control that card. And as soon as she's got the train ticket, I turn it off. And that's that. There's a Chrome extension and a Firefox extension, which makes it very easy to create new credit cards with privacy.com. I mentioned the tagging, the account summary, the, what I didn't mention: single use cards.
Leo Laporte / Steve Gibson (00:09:29):
I don't use these that often, but if you know, you know, you're only gonna buy one thing once from this person, create a single use card. It's destroyed the minute you use it, that's it. One time only. Great way to protect your financial identity online, protect yourself from excess charges, from credit card stuffing, from subscriptions that never terminate. Virtual cards from privacy.com. Go to privacy.com/securitynow. Sign up for an account. New customers automatically get $5 to spend on their first purchase. It's free for really, for most uses you would never pay for this. I actually pay. There's a, there are different tiers and I pay for the next tier up, which is, I think, 10 bucks a month, cuz then I get cash back, and I use it so much it more than pays for itself. I make money on it.
Leo Laporte / Steve Gibson (00:10:17):
So, but check that out. When you go privacy.com/securitynow. Make sure you use that address so they know you heard about it here. Thank you, Privacy, for a great product. The other, you know, credit card companies used to do this for the most part. They've stopped as far as I know. I don't know why. But thank God there's Privacy. It's easy way to, probably cuz they didn't have to do it. Right. And, and also, you know, I, I imagine that within our audience there's a great interest for this, but probably most people, nobody ever used it just, yeah. They're like, eh. Yeah, exactly. So it was a, it was a neat feature that went unused and they thought, okay, this is not worth the cost of just, you know, maintaining it. For privacy.com a hundred percent of their users are obviously, yeah.
Leo Laporte / Steve Gibson (00:11:03):
You know, excited about it. So yeah. I mean it's a, it's a great solution I think. Right. And speaking of not using it, Leo, yeah, our picture of the week <laugh> I love it. Now, you know, in this day and age of, of virtual reality modeling, you see a picture like this and you just, you can't tell if it was something someone whipped up algorithmically or if it was a, is like an actual photo of something that exists in the physical world. It looks absolutely authentic. And in fact, there's even a reflection of the person who appears to be taking the picture in the polished black headstone. You can sort of see him holding with his left hand, holding his, his phone, taking this picture. But regardless, this is a headstone for, or memorial, I guess maybe, for Internet Explorer. We've got the big modernized, you know, E globe sort of logo and then a little Japanese, you know, something character and then Internet Explorer.
Leo Laporte / Steve Gibson (00:12:20):
And we get, you know, the, the date of birth and the date of death <laugh> 1995, 8, 17. So August 17th, 1995 through June 15th, 2022. And the best part of this whole thing, the, the, the, this, you know, this beautiful stone, you know, head, headstone, sitting on a granite slab is the, the, the sort of the, the, you know, off, off and on headstones there, there's a little slogan or something about who this person was or what they meant to people. This one says he was a good tool to download other browsers <laugh> and indeed many people launched it exactly once. That's the only reason, yep, to, to go get a copy of Firefox or go get a copy of Chrome. I love it. And yes. Get a pit for Windows' Internet Explorer. Put it to rest. Yes, finally. Okay. So last week's key strength puzzler. The question that we left our listeners with, and boy, did it get a lot of response through Twitter and our Security Now feedback, it reduces to whether a divide-and-conquer attack can succeed. Way back in 2011, the WPS, we talked about this at the time, the WPS, the so-called Wi-Fi Protected Setup protocol, was found to be vulnerable to this style of attack.
Leo Laporte / Steve Gibson (00:14:06):
Remember that the way it was supposed to work was that a user would press a button on their Wi-Fi access point to enable this feature. Then they would enter a preset eight digit PIN into a device they wished to connect to their router. Since, and technically since the eighth digit was a check digit, which was so dumb, like what a dumb way to, to waste a digit, because if it didn't work, you could just enter it again. You didn't need a check digit. Anyway, the eighth digit was a check digit. So only really seven digits were important because the eighth could always be calculated from the first seven. Okay. Since seven digits can have 10 million combinations, brute forcing those 10 million combinations was deemed impractical in 2011, you know, within the timeframe that WPS would be enabled and so forth. So it was thought, okay, great.
Leo Laporte / Steve Gibson (00:15:07):
You know, a 10 digit guess is strong enough, but two researchers, Stefan Viehböck and Craig Heffner, who we talked about at the time, discovered a flaw in that Wi-Fi protocol, because all eight digits were not sent to the access point at once. The first four digits were sent before the second four and, worse, the router's behavior would change if the first four were not correct. Now how this ever got past the almighty Wi-Fi Alliance will forever be a mystery, but then again, it was only one of many mistakes that made, made it past the Wi-Fi Alliance through the years. In any event, the fact that the router's behavior would change if the first four were wrong meant that it wasn't necessary to guess all seven or eight digits at a time. It was possible to divide and conquer. It was possible to guess just the first four, of which there are only 10,000 combinations, then having found the first half, separately brute force
Leo Laporte / Steve Gibson (00:16:35):
the final three, since the last digit can be calculated from the preceding seven. Since that's a thousand maximum for the second three, we have a grand total maximum of only 11,000 possible guesses, reduced from a previously believed 10 million. Okay. So Eric Holmes' puzzler from last week amounts to the same question: a ciphertext is encrypted with an effective 512 bit key length by first encrypting the original plaintext with a 256 bit key, the first half of the, the whole 512 bit key. Then by encrypting it again with another 256 bit key, that is the second half of the 512 bit key.
Leo Laporte / Steve Gibson (00:17:36):
And of course he was asking, why is that only twice as strong, rather than exponentially stronger? So if we can brute force decrypt that second encryption in, you know, X time, then brute force decrypt the first encryption also in X time, what Eric asked is why isn't this strength just two X rather than X times X? And the correct answer, which all of our many listeners who wrote in answered correctly, amounts to whether it's possible to perform the same sort of divide-and-conquer attack as was possible, which broke the WPS setup protocol. Remember that the weakness that was exploited by the WPS attack was that there was some affirmative feedback after the first half of the guess was made about whether or not that first half guess was correct. And that's what's missing from Eric's double encryption thought experiment. Here's how I would phrase it formally: the result of any encryption by a high quality cipher, such as AES Rijndael, is indistinguishable from entropy.
Leo Laporte / Steve Gibson (00:19:11):
Therefore the result of the first encryption will be indistinguishable from entropy. So when following Eric's suggestion and, and question and performing the first decryption, how can the attacker who is using brute force key guessing know when their decrypted guess is correct when both a correct guess and all other incorrect guesses appear equally random? In other words, it is not possible to divide and conquer. The only way to decrypt the double encrypted plaintext would be to make a first guess at the outer key. Then the attacker would need to try all possible inner keys, that is to say all two to the power of 256 of them, to see whether any of them worked. Assuming that none did, all of that work would then be discarded. The next outer key would be chosen. And again, all two to the 256 possible inner keys would need to be tried.
Leo Laporte / Steve Gibson (00:20:37):
In other words, only when both the first 256 bit key and the second 256 bit key were simultaneously correctly applied would the correct, would the correct plaintext be restored? So this is indeed two to the 256 times two to the 256, which is two to the 512 maximum possible brute force guesses needed. And thus, Eric, the answer to your question and the answer to the teaser that I, I got a lot of great feedback about, and a lot of people enjoyed the idea of us having that fun. Okay. I just turned the AC up. <Laugh> Getting a little warm in here. So third party authenticators. In the aftermath of Apple's, Google's and Microsoft's announcements of their forthcoming support for FIDO2 and passkeys authentication, we've been talking about what all this means, and I believe that we've settled into exactly the right understanding.
Leo Laporte / Steve Gibson (00:21:47):
It's relatively quick and easy for those three major publishers to add this support to their clients, as they've all announced they're going to, and when they've done so, everyone will be just one software update away from having that client side technology in their hands. But it's a bit like creating the first shortwave radio, you know, there's no one else to talk to yet. So the existence of all those clients won't be very useful initially. The heavy lift will be getting the millions of individual web servers updated to support the WebAuthn standard at their end, since any use of Apple's, Google's and Microsoft's clients will require that too. And I believe that we've also identified that the biggest usability hurdle for the practical use of FIDO2's private passkeys is the need for their dynamic synchronization. And now that the world, it's been interesting to watch, now that the world has sobered up after the intoxicating passkeys announcement parties, others are realizing what we immediately saw as a problem.
Leo Laporte / Steve Gibson (00:23:09):
A story in Fast Company is titled "There's a big problem with Apple and Google's plans to nix passwords" and 9to5Mac's headline read "A world without passwords could further lock users into Apple and Google ecosystems." Yeah, like we've been saying. Those stories note that FIDO's current proposal has no mechanism for bulk transferring passkeys between ecosystems. If you wanna switch from an Android phone to an iPhone or vice versa, you won't be able to easily move all your passkeys over, and they didn't mention Windows, but we know the same problem will exist there. Quote, we don't really have a batch export method right now, says FIDO Alliance executive director Andrew Shikiar. He said, I think that's probably a future iteration, unquote. Wow. <Laugh> So those FIDO guys were really not thinking through the usability angle of all this, you know, saying we'd like you all to adopt this half baked solution today, and we'll worry about exporting your locked in keys later.
Leo Laporte / Steve Gibson (00:24:43):
The re, the reports that have been published also explain the fear is that if users can easily move all their passkeys between providers, hackers may try to exploit this capability. For now, it's unclear when or how FIDO might address that problem. And then they quote the president, the president of the FIDO Alliance, Sam Srinivas, Google's product management director for secure authentication, who's also the president of the FIDO Alliance, says, quote, it's very hard to do it safely from the get go, because if we give a mechanism without great care for someone to export all these keys, you know, who's going to show up first for that. That's a good point. That's actually a really good point. I hadn't thought about, he says, 'cause it would have to export that in clear, right? In the clear, right. It's, it's got to do it.
Leo Laporte / Steve Gibson (00:25:54):
Well, no, I mean, no, you, 'cause your input's gonna be a secondary FIDO2 server, so, right. I mean, it's, it's clear there are ways this could be done. They, but again, because this, it was like the FIDO concept was never meant to scale this way. They, they, it was scaled by force because it didn't go as FIDO1. It just didn't, ne, it never got off the ground. So they did one without really thinking it through anyway. So in other words, we're gonna be quite happy, they're saying, with lock-in, and we're gonna tell users that it's too dangerous to allow them to move their keys around themselves. That's a huge problem now. And of course it is, you know, and as a cross vendor user myself, I need Apple and Windows to sync. And I don't see that happening without either a third party synchronization vendor, which is a thing that could exist, or third party FIDO2 passkeys being supported by a password manager, which brings us to two password managers, which I've been looking into and wanna briefly discuss, LastPass and Bitwarden, as everyone knows.
Leo Laporte / Steve Gibson (00:27:21):
LastPass was previously a many years sponsor of this podcast and of the TWiT network. And Bitwarden is currently a sponsor and offers a compelling array of solutions. So the question I had was, where do those two fit within this new and evolving era? As I believe I mentioned last week, I was annoyed with LastPass because their most recent blog posting from Monday before last, which I was hoping would provide some clarification, left me feeling more confused than I was before. Everything they say feels sort of coy and blurry. You know, nothing they say just tells us what is going on. Here's an example, direct quote from an announcement of an upcoming webinar that they'll be hosting two days from now, this coming Thursday. They wrote: it's time to envision a world without passwords, a world that removes the password related friction that prevents users from securing and managing their passwords easily and automatically. True FIDO2-compliant passwordless access to every device, browser, website and app will take years to develop.
Leo Laporte / Steve Gibson (00:28:43):
Okay. Right. But LastPass can get you there sooner. What? Huh? <Laugh> Yeah, right. Okay. How? Join us to learn how LastPass is enabling an end to end passwordless experience for the LastPass vault and all sites stored within. Okay. What will this enable you to do? Reduce password related friction for employees, increased usage and adoption, set stronger policies and increased security, fewer lockouts for employees and resets for IT. Hear from LastPass CTO Christopher Hoff as he demonstrates a passwordless login experience and discusses future plans for FIDO2 authenticators like biometrics and security keys. Okay. Well, first of all, FIDO2 authenticators.
Leo Laporte / Steve Gibson (00:29:46):
That's not passkeys, right? It's, it's like, it's, it's just, it's all a big blur. So as I said, you know, this is like their recent blog posting, which doesn't actually say anything. And, and, and you could, you could, I guess you could sort of forgive them here because they're teasing their webinar in two days. But the blog posting was the same. It just left, it was like, it, it, you made up new terms and used them in weird ways. Like what does a, an authenticator have to do with biometrics? Those are two different things, but they use them together. So anyway, for what it's worth, I did wanna let our listeners know that there will be a webinar in two days. I, I've got the link to it in the show notes. I made it this week's shortcut. So grc.sc/876 will bounce you over to a signup page.
Leo Laporte / Steve Gibson (00:30:43):
I'll be watching to see what we learn from Christopher. You know, we know Christopher, you and I have met him, Leo. We were on stage together a couple years ago just before COVID. Oh yeah, no, that's not the guy we were on with. Oh, it isn't. No. Oh, okay. I think this is a new guy, you know, they've gone through some ownership changes. <Laugh> Well, yeah, they're owned now by a, an equity. No, they were. Oh, and now they're spun off <laugh> from, from the private equity firm. Yeah. That didn't, that didn't take long. No. So it's, it's unclear. It's really unclear what's going on with, with them, and the people that were, well, and we know were gone pretty much. Okay. Yeah. Okay. Well, we know that Joe is long since gone. Yeah. Yeah. Joe Siegrist, the creator, is gone.
Leo Laporte / Steve Gibson (00:31:30):
His, his nephew, his niece was there. I think she's gone. And then we knew, we were with the CISO, I figure the CTO, on that panel, but I think he left as well, in Boston. Yeah. Yeah. I think he left as well. So it's kind, I don't know who these people are, but we should watch. So I did, I did. I, I, I wanted to watch, because I know that just for inertia's sake, a lot of our listeners are still there. The good news is Bitwarden is a member of the FIDO Alliance. Well, that's a good sign. Yes, it is. Yeah. So of course, Bitwarden, Bitwarden is a, our current password manager sponsor. So answer. So I, I think the problem that any third party logon system reasonably has had is the chicken and egg problem, which makes it difficult for them to invest in any system which cannot actually be used until it's supported by the world's servers.
Leo Laporte / Steve Gibson (00:32:30):
So the flip side of that is that the clear and obvious need for cross vendor passkey synchronization, which is more and more clear every week, you know, you know, it, it's now very clear FIDO and Google both just throw up their hands and, you know, saying, yeah, that's a problem. And that creates the biggest need and push for third party passkey managers that there's ever been. So I wanted to understand where Bitwarden stood. I did some digging around and found some dialogue in their community forum under the title "Bitwarden Passkey (how does Bitwarden fit into the new Microsoft, Google, Apple passkey initiative?)". So the person posting this wrote the question: Microsoft, Google, and Apple have announced support for the FIDO2 passwordless initiative that media are calling passkeys. Because passkeys creates a new key pair for each website login,
Leo Laporte / Steve Gibson (00:33:40):
there is the issue of moving all these key pairs among devices. He, he says, I'm sure that Google will do that for Android and Chrome, and Apple will do it for their iPhones and Macs. But what about between Android and Apple or Linux? And, you know, not to mention Windows. Would, he asks, Bitwarden be able to support the new passkeys cross platform like it does with current passwords? He says, I want to sync Android to Linux desktop. And I will wait for Bitwarden to support this if the feature will be added. So, and that's how I think a lot of us feel. You know, you do, you do not wanna get stuck, could, with, with non exportable passkeys. Could a third party like Bitwarden do passkeys and become, you know, like, I mean, it's still not exportable. So if you decided you didn't like Bitwarden, you'd be stuck there, but at least it would let you use an Android phone or an iPhone or Windows or Mac.
Leo Laporte / Steve Gibson (00:34:44):
Yeah. I mean, that would be a big advantage. So could they, could they do this? They'd keep the database, they'd have to have some sort of biometric, ideally some sort of biometric login, right. Or you could use a YubiKey. I mean, I can use a YubiKey. I do in fact use a YubiKey with my Bitwarden. Well it, as we know, it's now possible for any apps on those platforms like Android and iOS to leverage the built in biometrics on the device. True. So in fact, they do that. When I open Bitwarden on those devices, it does a face recognition and we're in. On my, on my computers, when I set up a new account, I have to use the YubiKey the first time on a new system. Right. And so, so for security, they might want to enforce the use of some affirmative device, right.
Leo Laporte / Steve Gibson (00:35:35):
In order to, to protect. Right. But there is, but they could synchronize passkeys in the cloud exactly as they synchronize, right, usernames and passwords right now. And so I, I think that's gonna be the solution. I don't think Apple is gonna address this. I don't think Google are gonna address it. They're both saying, I mean, turns out the president of FIDO is the Google guy and he's saying, oh, <laugh> no, I thought, and I guess I was wrong. I, I was told that Apple had said there is a way to get these out, but maybe a key at a time. Oh, one key at a time. Well that's, yes, in order to share a passkey. And, and so, so the problem is when you authenticate to a new site, you want all of your ecosystem to be, be brought up to speed so that you can then go somewhere else, like to a, to a different computer, and log into that site.
Leo Laporte / Steve Gibson (00:36:29):
You don't wanna have to manually send that passkey to each, you know, like cross ecosystem into the other world, or you, you, you are, those two are never gonna be sync, or be, be synchronized. It need, and that's why I've been using the term dynamic passkey synchronization. It needs to be done for you on the fly. And that is exactly what, what Bitwarden supporting this, you know, passkeys, FIDO2 style passkeys, would mean anyway. The answer, I think maybe, and this is a complete conspiracy theory, this will open the idea to, you know, maybe there's a better way and, you know, maybe somebody's gonna come across SQRL and say, actually there is a better way, and let's just do this, cuz it is better in every respect. Yes, it would be good. It would be good if that happened. So the answer in the forum is Bitwarden does currently support FIDO2 WebAuthn for multifactor authentication in addition to your master password for vault unlocking.
Leo Laporte / Steve Gibson (00:37:42):
In other words, when you use, and, and this has been in there for a while, and, and again, they are already a member of the FIDO Alliance. So they're, they're actually being a WebAuthn server to accept a FIDO2 client's authentication as a very strong factor when you, you log in to unlock your Bitwarden vault. And this guy says Bitwarden and there's, I have a, a picture in the show notes, but there is a, a Bitwarden blob that says "Two step login via FIDO2 WebAuthn, Bitwarden help and support." So that's been in Bitwarden for some time. So this guy finishes: Bitwarden does not support using these passkeys to log in in lieu of the password manager yet, but there is a current similar feature request for this to be supported. And you gotta know that the wizards at Bitwarden are, you know, understand, they've got an opportunity here to, to get going on this.
Leo Laporte / Steve Gibson (00:38:51):
This is one advantage you have as an open source project. Somebody could issue a pull request and implement it. I mean, you know, if the community wants to support it, they can add it. I mean, it sounds like, in addition to your master password for vault unlocking, that's just for basically one password. It supports WebAuthn for one password, your master password. Exactly. Yeah, exactly. Which is nice. In fact, you could use a FIDO2, there are FIDO2 YubiKeys that you could use for that purpose. Right. And so what this does mean is that somewhere in Bitwarden there are already people who are fully FIDO aware, and what we need is for them to reverse roles. Right now they're being a WebAuthn provider for a FIDO2 authenticator. We need them to become a FIDO2 authenticator talking to WebAuthn providers at websites.
Leo Laporte / Steve Gibson (00:39:58):
And that would be awesome. Yeah. And that doesn't seem like that big a reach to me. So anyway, their roadmap page has a great deal of discussion of this. So I'm sure it's something that they're aware of now. And again, you really can't fault any password manager for not doing it preemptively. I mean, I did, but I just did it as a proof of concept to demonstrate this is the way we can solve this problem. And I knew that only, you know, two sites or three or four in the world were gonna be able to use SQRL. But my hope was that by showing how it could be done, you know, that would get the world going. So, and it may be that showing that there's a better solution, as you said, Leo, may still get the world to think, to say, hey, you know, why don't we just do this?
Leo Laporte / Steve Gibson (00:40:49):
And it's not that big a reach because the WebAuthn protocol supports the crypto that is key to SQRL's operation. That is, that allows it to use deterministic keys rather than keys that are completely random. So, anyway, we'll see. And wow, we're at 36 minutes in. Let's take a break. Holy cow. How does that happen? It's amazing. Well, thank goodness we have advertisers so we can pause and give you a pause that refreshes. Yes, they rehydrate. Yes. You're gonna get that thing that Alex Lindsay was talking about too. I did go do some shopping, except that little tempting, huh? Except that Lori and I both use SodaStreams that carbonate, and it looks like it doesn't like to have a carbonated beverage. So you're drinking fizzy water when you drink water. I am.
Leo Laporte / Steve Gibson (00:41:41):
Ah, yeah. In fact, you prefer that. The seal, I just cracked the seal and it went, yeah. You prefer that. Yeah. I like the taste. I like the taste a lot. I guess it's slightly acidic. Right. So it's slightly acidic. Yeah. I remember when you tried cold brew coffee and you said, I like a little bite in my coffee. You're right. It was too smooth. Yeah. You like a little tang. Hey, let's talk. I know one thing, no one likes the middle of the night phone call: the server's down, the app's not running, the cloud's broken. If you're the person who gets those calls, you know that's the worst feeling. And of course you're scrambling around, you've got your team scrambling around, they're loading up dozens of different tools, trying to correlate the results they get.
Leo Laporte / Steve Gibson (00:42:34):
Is it the back end? Is it the front end? Is it a global outage? I'm sure the Cloudflare folks were doing some of this last night when the entire internet went down thanks to Cloudflare. Is it the network? Maybe it's, you know, I mean, the people were down cuz of Cloudflare, did they even know it was Cloudflare? Is it the cloud provider? You know, it's hard to know that stuff. Why are we down specifically? Maybe there's a slow-running query or the database is locked up, or, well, the worst feeling: did I introduce a bug, a regression, in my last deploy? Oh, that's just the worst. And of course, if you're using multiple tools, you don't have a single pane of glass. You don't really know what's going on. It's the fog of war, my friends. And New Relic did a study.
Leo Laporte / Steve Gibson (00:43:21):
And they found that only about half of all organizations globally have some form of observability for their networks and systems. Only half. That means half of the world is like, I don't know what's happening. Do you know what's happening? You will if you have New Relic. New Relic is one tool that does it all. It combines 16 different monitoring products you'd normally buy separately. This way engineering teams can see across the entire software stack in one place. You get, for instance, distributed tracing. You're not tracing onesie-twosie, all the different places your data can go. You're gonna get all the traces without silos, without management headaches. You get network performance monitoring that tells you where the slowdowns are, a system-wide correlated view. With that alone, you could say, yep, it's Cloudflare down. Oh, well, it's not us anyway. Right? You use Kubernetes?
Leo Laporte / Steve Gibson (00:44:20):
You'll love Pixie. Pixie is instant Kubernetes observability. There's application monitoring, APM, unified monitoring for your apps and your microservices. That's just four of the 16, so much more. And more importantly, you can pinpoint issues down, if it's this, to the line of code, so you know exactly why it happened. You can fix that regression, push the fix, go back to bed. That's why the big teams use New Relic, the dev teams and the ops teams at DoorDash, at GitHub, Epic Games. Can you imagine if one of their game servers goes down, the hue and cry across the land? More than 14,000 companies use New Relic to debug and improve their software. And it doesn't matter if you're a startup or a Fortune 500 company, it'll take five minutes to add New Relic to your environment. And here's the best part.
Leo Laporte / Steve Gibson (00:45:16):
It's free. Leo, that can't be true. Well, you get the whole New Relic platform. They do limit the amount of data: a hundred gigabytes of data per month, free forever, no credit card required. That's more than a trial. That's pretty good, right? So you don't have to get permission. Install it now. Go right now to newrelic.com/securitynow. If you need more data, you can get more. But honestly, that next, you know, 3:00 AM call is just waiting out there. And why should you have to get up and suffer for hours, miss all the best part of sleep, <laugh> all the good dreams? Go to newrelic.com/securitynow, N-E-W-R-E-L-I-C.com/securitynow, and try it, at least try it free forever. The whole platform and a hundred gigabytes of data a month. That's a lot of data. newrelic.com/securitynow.
Leo Laporte / Steve Gibson (00:46:16):
We thank them so much for supporting Steve and his hydration bottle habit. <Laugh> We tried, by the way. And I bought, remember, I bought the tank. I was gonna do that whole SodaStream thing. Yeah. Bought the tank and we couldn't find anybody to fill it. So I basically palmed it off on Micah. <laugh> The tank is still under his desk. I said, here's the tank, here's the nozzle, you figure it out. So he's gonna, cuz he also said, well, let's share. That was his mistake. He said, let's share, well, leave the tank at work, and then we can just bring in our bottles. Yeah. So that's a good idea, if we can just find somebody to fill it. That's the problem. So for me it's a home brewer.
Leo Laporte / Steve Gibson (00:47:01):
We have a little, yeah, we have plenty of those, but they want to use their bottles. Oh, which would be fine, I guess. So it has to be one with a siphon in it. It's gotta have the siphon tube. Yeah. Because you don't want the gas off the top. Yeah. You want the actual liquid off the bottom. Yeah. We'll have to figure it out. Yeah. Huh? Yeah. I couldn't. So anyway, you want a non-cranky home brewer. Yes. Is what you want. One who doesn't mind refilling my bottle, but see, yeah. Who's had some of his own brew and is relaxed about it now. <Laugh> Yeah. That's it. Yeah. We're surrounded by breweries. Everybody here makes wine and beer. I mean, that's what you do in this town. Yeah. So got grapes, but we couldn't find anybody.
Leo Laporte / Steve Gibson (00:47:49):
But we'll keep looking. We'll find it anyway. Okay. So last Tuesday Mozilla's headline read: "Firefox rolls out Total Cookie Protection by default to all users worldwide." Woo. I know. And the big word that's so easily missed, as we know, is "default". That's what's changed. Until last Tuesday, sequestered third-party cookies were optionally available. I had them enabled in my Firefox instances, or I guess I should say disabled, which I had to do manually, as I imagine many of this podcast's Firefox users also did after we talked about the option quite a while ago. But until now it's been an option, which means, of course, that the majority of Firefox users would not have had this enabled, since it wasn't the browser's default setting. Now it is. What's most shocking to me is that it took us this long to get here, because it is such an easy place to get to.
Leo Laporte / Steve Gibson (00:49:02):
This change does not disable third-party cookies. That's the secret. It merely divides the single massive global cookie jar into individual per-domain, or, you know, as web engineers would say, same-origin cookie jars. And in that manner, any third party is welcome to set a cookie in anyone's browser. But when that user goes somewhere else, the cookie jar will be switched to a new jar for that new domain. And again, any third party will be welcome to set their cookie into that jar. But what they will not be able to do is to see the cookie that they had previously set into the same user's same browser when they were visiting that previous domain. And that simple measure kills cookies whose primary purpose had been cross-domain tracking. You just do per-origin cookie jars. Again, such a simple measure.
Leo Laporte / Steve Gibson (00:50:15):
You know, the idea that it took this long for it to happen is to me astonishing, but it finally happened. This is the problem with cookies, right? I mean, all of these cookie banners and all this miss the point. Cookies are fine. They're necessary. It's third-party cookies that are the problem. Actually, it's third-party cookies that can be read on a first-party site. Yes. It's the Facebook Like button, which gives Facebook a view into that site and who's visiting it. Right. And, you know, even in the original Mozilla or Netscape specification for cookies, they said only the site that created the cookie can read it, but they didn't anticipate this loophole, that people would embed little bits of other people's sites on their web page. Exactly. Yeah, exactly. And so this is, I mean, this is such an easy change, so okay.
Leo Laporte / Steve Gibson (00:51:17):
Now, all that said, it's not working for me under Firefox version 101.0.1. Oh no. Which appears to be the latest. Oh no. Chrome is wonderful as I have it set currently, and I'm sure I went in and tweaked something, but Firefox under its so-called Standard privacy and security, Enhanced Tracking Protection, is doing nothing. I set it to Strict and still nothing. I set it to Custom, and then I had to tell it to block. Then I told it to block cross-site tracking cookies. It still wasn't. It was necessary for me to turn off all third-party cookies in order to get cross-domain third-party cookie blocking to work. Now, the question is, how do I know? A piece of technology I spent a great deal of time developing many years ago. In fact, I think it was in '08.
Leo Laporte / Steve Gibson (00:52:20):
If I, the pages have dates on them. So, I mean, I've been focused on this third-party cookie problem for a long time. Anyway, it's GRC's Cookie Forensics. If you Google "GRC cookie forensics", it's the first link that comes up, cuz it's been there since the big dawn of the internet. And if you click it, it does an instant test of your browser's current cookie handling and will show you green for good and red for bad. And like blank if there's no cookie transaction going on. My Firefox, unless I turn off, as I said, all third-party cookies, it's not blocking third-party cookies. I actually maintain a separate domain, grctech.com, just for this purpose. I created a third party so that I could experiment and then automate that testing in order to show people what their browser was doing.
Leo Laporte / Steve Gibson (00:53:31):
So anyway, I just wanted to say that it's great news that Firefox says they're doing this, but it doesn't seem to be working. And so anyway, GRC Cookie Forensics for anyone who is interested, and hopefully they'll get it working at some point, maybe. And they did say they're rolling it out. So maybe that's what's going on, is that I've not been rolled on <laugh>, it hasn't been rolled out to me yet. Or, you know, maybe they're tiptoeing. I don't know. But boy, Chrome looks great the way I've got it set up. It just comes back completely happy. And in fact, I have a different page, it's /cookies, grc.com/cookies/stats.htm, and that shows a series of bar graphs. Again, you could see it's been a long time since I've been there, since I have IE version 5 and IE version 6 <laugh> and IE version 7 that I'm tracking, and a bunch of others, but I also have Chrome.
Leo Laporte / Steve Gibson (00:54:37):
And boy, it used to be the bars used to be all the way at the top. Now, and these are GRC's visitors, GRC's visitors all have Chrome, their Chrome blocking third-party cookies. Maybe that's the default now in Chrome. And I've once talked about that and I've forgotten it. I don't know. Yep. So now you're showing the Cookie Forensics on the site. And if you see all those red, if you scroll down into that second group of red, that's all bad. Those are third-party session and persistent cookies that were just, you can see, it says oldest cookie was one second old. So that way they were just set. Is this my page? Is this my browser? Yes. Oh, funny. I'm on Firefox. Yeah, I know. And it's not good. Hmm. Yeah. Huh. And if you were to go under, if you go in the hamburger menu to Settings and let's see, what is it?
Leo Laporte / Steve Gibson (00:55:39):
Settings. Oh yeah. Lemme see what I'm doing here. Privacy and Security, and then Enhanced. Then you get there and then, yeah, Privacy and Security. I'm on Standard. Usually I'll run under Custom. Okay. Now do that now. And normally it tells you you need to refresh your page. It didn't tell you that you have to do that. So all third-party cookies, they don't wanna block those. And I know why, sometimes third-party cookies are from image servers that are really first party, but they're on a different URL or different IP address. So which would I want on this? Well, try, instead of doing Custom, try doing, so first of all, Strict should do it, right? Yeah. Strict should do it. Yeah. Oh, and that does say reload tabs. Refresh your tabs. Yep. Okay. Now go back to GRC.
Leo Laporte / Steve Gibson (00:56:33):
So social media trackers, cross-site cookies in all windows. Okay. Good. All right. Yeah. Now let's go back. We should refresh. Now you scroll down. There is a button that I have, or you can do that. Yep. Oh, still bad. Worse, it did not. I know, it did not. There's one more red dot than there was last time. Yep. The icons. Yeah, exactly. And so now go back over and if you go to Strict, I'll go back to, I'll make it even stronger. Custom is more than Strict, right? If I do Custom, yes. Then I can say let's block a lot of crap here. <Laugh> So what should I block? I had to turn them all off. And see, all cookies. No, I had to, well, no, no, no. Third-party cookies, but that's extreme.
Leo Laporte / Steve Gibson (00:57:24):
And the point is that should no longer be necessary. Yeah. Let me refresh. Yep. And well, I still have icons, they're gonna always be a problem, I guess, but now these are empty. What does that mean? Yes. No third-party cookies. I mean, no third-party session cookies were received from your browser. Okay. Yeah. So it's not green, it's empty. That means there was no cookie at all. Correct. And green would be okay, right? First party. And orange meant that an older cookie was received. Right. But that's not that big a problem. Right. But it was necessary for you to go all the way. Yes. To blocking all third party, not the default that they say they're gonna be supporting, and not even only blocking tracking cookies. But as you said, Mozilla was maintaining a list of sites that they were blocking, which I thought was unfortunate, but they're still not doing the right thing. Generally at home, you know, I think I turned this to Standard only because of the show, cuz right, because generally at home I run Custom, but I just do cross-site. I do like this setting. But okay. So now cross-site tracking cookies: block cross-site tracking cookies and isolate other cross-site cookies. Yeah. You would think that would be enough. That should be enough. Yes, but it's not. No. So refresh the page. Okay. All right. Let's see what we got here.
Leo Laporte / Steve Gibson (00:59:00):
<Laugh> Yep. Okay. I guess I'm gonna, because this is the problem, is that I think everybody's scared off when they do this, cuz it says this is gonna break stuff. This is gonna cause websites to break. And my experience is it does something, well, yeah. And yes. And the other problem is that, you know, when Mozilla announces this, we just assume, oh good, it's all good now. Well, you know, as they say, trust, yeah, but verify. So grc.com/cookies, that's very valuable. Yeah. Will that get me there? Do I have to type in forensics as well? No. I think grc.com/cookies probably takes you. I think the first page has a Cookie Monster. Yes. Saying delete cookies, cookies. <Laugh> And then this could, because it's an explainer, which is a good thing. Yes. Yeah.
Leo Laporte / Steve Gibson (00:59:53):
You know, me back in those days, I was doing a lot of explaining. Yeah. Now we keep you busy with a show. You don't get to. <laugh> That's right. So that and SpinRite. And then this is it. The bottom link is the web cookie operation. Actually it's the third link there in that block of links. There's a whole forensics. There it is. Okay. Cookie Forensics. Yep. Nice. This is a great tool. Thank you. I knew about it, but I forgot. So thanks for reminding me. Yeah. Very nice. So we will see if they're gonna roll it out and eventually get it right. And the Cookie Forensics page lets us find out real quickly. Yeah. Okay. So DDoS in the news. We keep breaking DDoS attack records. We're pretty much at the point where our eyes just glaze over now at the size of these attacks, you know, gigawatt bits per second and all that.
Leo Laporte / Steve Gibson (01:00:42):
It's like, okay, you know, my wires melted, you know, I guess I should have cut the wire where it says engage firewall. So once again, Cloudflare has reported that last week it stopped and mitigated the largest HTTPS DDoS attack on record. That attack weighed in at 26 million requests per second and was aimed at a website of a protected Cloudflare customer. So attacks of this size no longer originate from individual compromised hardware devices because they just don't have the speed or connectivity. Instead, most of the attacking IPs, it turns out, were owned, and this was in Cloudflare's analysis, by other cloud service providers whose virtual machines and their powerful servers had been hijacked to generate the attack. Since HTTPS query attacks cannot be spoofed, Cloudflare was able to trace the attack back to a powerful botnet of 5,067.
Leo Laporte / Steve Gibson (01:02:04):
That's not approximately, that's exactly 5,067 IPs, each of which generated approximately 5,200 requests per second at peak. A Cloudflare spokesperson said that to put the size of this attack in perspective, they'd been tracking another much larger, in agent count, but less powerful, in query rate, botnet consisting of over 730,000 devices. Now, rather than letting that number just wash over us, let's stop and think about that for a second. A single identified botnet consisting of more than 730,000 compromised devices, nearly three quarters of a million somethings, all participating in coordinated attacks. Now, however, those devices are apparently, you know, things like light switches and $5 outlet plugs, since that botnet, while large in number, generated fewer than 1 million requests per second overall, thus roughly 1.3 requests per second on average per device. 1.3 requests per second per device pretty much classifies the device as a $5 light switch or plug, but individually they're still able to generate some internet traffic.
Leo Laporte / Steve Gibson (01:03:53):
You know, the ones I have at home all phone home to China. Since they live behind a SOHO NAT router, actually two series-connected NAT routers, it's exceedingly unlikely that anyone got into them from the outside. It's far more likely that if they have been up to some mischief lately, they've been sold into slavery by their original producer. I'll say again that no one should have IoT gadgets attached to their primary home network. It takes deliberate work to set up and maintain a secondary IoT network. But I cannot think of anything more important for residential security. The entity they are phoning home to may not be friendly. And how would you ever know? Now, the good news is that most recent routers, you know, WiFi routers, support one or more isolated guest networks. Thank goodness. That's what you want to use for those unknowable IoT widgets.
Leo Laporte / Steve Gibson (01:05:07):
This makes the establishment of a secure perimeter far more easy and stable. Anyway, as for Cloudflare's latest finding, that recent attack was on average 4,000 times stronger due to its use of virtual machines and powerful infrastructure servers. Cloudflare also notes that HTTPS DDoS attacks are more costly to produce than others because these days they require more computational resources, needing as they do to bring up a secure TLS-encrypted connection for every attacking query. The bottom line is DDoS attacks are no longer survivable unless the target is isolated behind an attack-mitigating bandwidth provider. If you're not, and your organization is being attacked, just declare a holiday and send everyone home until the attack has passed. You know, that's another reality of today's internet.
Leo Laporte / Steve Gibson (01:06:18):
Okay. <laugh> As for another reality of today's internet, we have MS-DFSNM. As we've all learned, complexity is the sworn enemy of security. In any complex environment consisting of complex interacting components, the addition of another component requires an understanding of that new component's potential interaction with all other existing components. In the same way that adding each bit to a key doubles that key's total complexity, adding components to a system creates exponential complexity growth. And this is one of the biggest dilemmas, which we keep seeing, that Microsoft has stumbled into. Now we have a newly uncovered type of Windows NTLM, you know, NT LAN Manager, relay attack, which has been named DFSCoerce. DFSCoerce leverages the Distributed File System, thus DFS, Namespace Management protocol. So we have MS-DFSNM, and that allows the attacker to seize control of a domain.
Leo Laporte / Steve Gibson (01:07:53):
You know, when we hear the phrase "a new form of NTLM relay attack" at this point, our eyes roll, because you need to wonder just how many different forms of NTLM relay attacks there can be if new forms are still being discovered and uncovered in the year 2022. NTLM relay attacks are a well-known method that exploits Microsoft's original half-baked and never sufficiently robust challenge-response mechanism. We've talked about this so many times before. Rather than simply discarding it decades ago as being too broken to fix, they've kept this sickly patient on life support by continually attempting to patch it and wrap it in additional layers of gauze. As a result, today's NTLM relay attacks work the same way today as they did back then: a malicious party sits between clients and servers, intercepts and relays validated authentication requests to gain unauthorized access to network resources, effectively allowing it to gain an initial foothold in Active Directory environments. Filip Dragovic, who has been a prolific discoverer of problems,
Leo Laporte / Steve Gibson (01:09:23):
We've mentioned him before, also discovered this latest wrinkle in the rich NTLM attack surface. He tweeted: "Spooler service disabled, RPC filters installed to prevent PetitPotam, and File Server VSS Agent Service not installed, but you still want to relay domain controller authentication to Active Directory Certificate Services? Don't worry, MS-DFSNM has your back." Meaning, yes, there's a way you could still do that. What is MS-DFSNM? Well, it appears to be another of those things that some random Microsoft engineer added in one of those "oh, here's what we need to add to get that done, won't it be neat" fits of protocol design 15 years ago, back in 2007. That's when it first appeared. It went into Windows and now it can never be removed. For anyone who's curious,
Leo Laporte / Steve Gibson (01:10:40):
it provides yet another remote procedure call interface for administering distributed file system configurations. To give everyone a taste for this, here's what the first paragraph of Microsoft's overview of this protocol explains. Microsoft says: "The DFS Namespace Management Protocol (DFSNM) is one of a collection of protocols that", now listen to this, it's one of a collection of protocols, not the only one, this is a part of a collection, "that groups shares that are located on different servers by combining various storage media into a single logical namespace. The DFS namespace is a virtual view of the share. When a user views the namespace, the directories and files in it appear to reside on a single share. Users can navigate the namespace without needing to know the server names or shares hosting the data. DFS also provides redundancy of namespace service."
Leo Laporte / Steve Gibson (01:12:08):
Oh yeah. And DFSNM is one of a collection of protocols for doing that. So, okay, sure. That sounds neat. And I guess 15 years ago, when there was nothing better to do than, okay, let's add that. So this is a perfect example of what appears to be complexity for its own sake, and nothing could be more antithetical to security. 15 years ago, the danger of this should have been appreciated, but apparently it wasn't. In any event, we're stuck with it. Now, the discovery of this particular DFSCoerce attack follows the related PetitPotam attack, which is an abuse of Microsoft's Encrypting File System Remote Protocol, that was MS-EFSRPC, to coerce Windows servers, including domain controllers, into authenticating with a relay under an attacker's control, letting threat actors potentially take over an entire domain. Sound familiar? Yeah, same exact attack using an entirely different protocol. But don't worry.
Leo Laporte / Steve Gibson (01:13:22):
There's lots more of those protocols where those came from. The CERT Coordination Center noted in detailing this attack, quote: "By relaying an NTLM authentication request from a domain controller to a Certificate Authority Web Enrollment or Certificate Enrollment Web Service on an Active Directory Certificate Server system, an attacker can obtain a certificate that can be used to obtain a ticket-granting ticket, a TGT, from the domain controller." And yes, if that makes your head spin, it probably should. So here's my advice. If any of our listeners are offered a job given responsibility for managing and securing any significant Windows enterprise installation, first, you should start off being single, because you will wind up being single, and you should be sure to get a lot of money, because you're gonna be trading your life and your sanity for that thankless job. To mitigate NT LAN Manager relay attacks,
Leo Laporte / Steve Gibson (01:14:44):
Microsoft recommends enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on Active Directory servers. Again, those are all mitigations, not cures or solutions. Just wrap it up in some more gauze. Wow. Although I didn't set out with this goal, this did wind up being a pile-on-Microsoft episode. It's not that it's not deserved, but it does feel somewhat redundant. So I'm happy to be able to report that Apple screwed something up too. Oh, whatever. <Laugh> <laugh> In a somewhat predictable way. And WordPress, I'm sure, at some point, but okay, keep going. Yes, we're about to get to them, as a matter of fact. Okay, good. Yes. Google's Project Zero discovered that a security flaw in Apple's Safari was found being exploited in the wild earlier this year. What was interesting about this particular flaw was that it was originally fixed back in 2013, then inadvertently reintroduced in December of 2016, and only just fixed last month.
Leo Laporte / Steve Gibson (01:16:10):
The issue, tracked now today as CVE-2022-22620 and bearing a hefty CVSS of 8.8, is another use-after-free vulnerability in WebKit that was being exploited by a piece of specially crafted web content to give its exploiter arbitrary code execution on the machine. That's never good. Early in February of 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS and macOS while acknowledging that, quote, it may have been actively exploited. Uh-huh, and the sun may rise in the morning. Google Project Zero's Maddie Stone wrote: "In this case, the variant was completely patched when the vulnerability was initially reported in 2013. However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for five years until it was finally fixed when it was discovered as an in-the-wild", meaning, yes, actually being exploited, "zero-day in January of this year, 2022." Maddie explained that both the October 2016 and the December 2016 commits, one of which reintroduced the original bug from 2013, were very large.
Leo Laporte / Steve Gibson (01:18:00):
"The commit in October changed 40 files with 900 additions and 1,225 deletions. The commit in December changed 95 files with 1,336 additions and 1,325 deletions. It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in sufficient detail, especially since they're related to long-lived semantics." So whatever it was that was happening at the end of 2016, it was apparently a major revamp of some core Safari system. And it appears that you get bit either way. On the one hand, if you leave crappy old code alone under the theory of "if it's not broken, don't fix it", you wind up eventually with even older crappy old code. <laugh> Right. Yep. But if you bite the bullet to make huge sweeping revamping code-modernizing changes, you get bit by the introduction of brand new bugs, which might be the same as some very much older bugs that were previously found and fixed.
Leo Laporte / Steve Gibson (01:19:43):
Now, given a choice, I think I would do what Apple apparently did. Code, as we know, really doesn't evolve very well. If enough time passes, the assumptions that were once baked into the original code base no longer hold true, and they really can begin to chafe, and things can begin to crumble. If the problem code was rewritten to solve, you know, the problems of a strong new future, it can be best to scrap a large previous investment, no matter how solid it now is, and just start over with all the benefit of the knowledge acquired through the intervening years. That seems to be what Apple did. Okay. So not perfectly, but this got fixed. So yep, they did mess up, but I would say probably for the right reasons. And Leo, speaking of WordPress, <laugh> 1 million, 1 million WordPress... I looked ahead.
Leo Laporte / Steve Gibson (01:20:57):
I had a feeling. Go ahead. 1 million WordPress sites were just force-updated. The WordPress security guys at Wordfence identified an exploited-in-the-wild zero-day bug in a widely used, more than 1 million installations, WordPress plugin called Ninja Forms, which is a customizable contact form builder. The severity of the bug earned it a CVSS of, yes, 9.8, and it affected many versions of Ninja Forms starting with version 3.0. Wordfence explained that the bug made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that deserialized user-supplied content, and that resulted in an object injection which could allow attackers to execute arbitrary code or delete arbitrary files. That's never good. Although the update was supposed to be automatic and forced, any Ninja Forms users listening to this are advised to definitely check their WordPress installations to verify that they are now running the latest release of Ninja Forms.
Leo Laporte / Steve Gibson (01:22:22):
So in other words, you know, if you know you're a Ninja Forms user, and 1 million plus installations hopefully all got fixed, but if you know you're such a user, make sure that you're running an updated version. And in a sort of a related deserialization problem, there was another vulnerability in a very popular JSON library known as Fastjson that has a CVSS of 8.1 and was recently found and fixed. It was patched at the end of May and affected all Java applications that rely on Fastjson versions 1.2.80 or earlier. And I'm not gonna go into detail. It was an issue where user-provided content could be deserialized into a Java class. Now that's obviously bad. If a user can provide a blob, then deserializing it turns it back into Java code, which then gets instantiated and run.
Leo Laporte / Steve Gibson (01:23:43):
So obviously that's a remote code execution vulnerability. The guys who had this realized that this was dangerous, so unfortunately they created a block list of objects that they did not want to be allowed to be deserialized. Well, that's obviously a bad idea. It's like having a firewall where you close the ports for known attacks. Okay, we tried that in the beginning; that didn't work. So they should have done a deny-all and then an allow whitelist. Anyway, it's been fixed, and the function that was enabled by default, called AutoType, is no longer enabled by default. Things have been cleaned up. If you have any connection to anything known as Fastjson, then you'll wanna make sure that you are running the latest version. Okay. Finally, some bits of miscellany. A few weeks ago I mentioned that I had appeared as a guest of one of our own listeners on his own Trek Profiles podcast.
Leo Laporte / Steve Gibson (01:24:57):
Last Wednesday, John tweeted. He said: Now comes episode 66 of Trek Profiles. In this one, we speak with Steve Gibson about his Star Trek fandom, his history with the show, and we endeavor to discover why we all love Trek so much. He says, plus, you'll get to meet the mysterious Bunons. Get it wherever you get your audio. And so it's called Trek Profiles, for anyone who's interested. And one thing that John did, and I didn't know he was going to, he took the recording he had made of me saying, "We are the Bunons, surrender your ship or be destroyed." Yeah. And our listeners will remember that that is backwards. That's "Yohi, Bero destroy your narrow Sana. Bani." <laugh> And I said that on the podcast. Well, he reversed the audio. Oh, good for him.
Leo Laporte / Steve Gibson (01:26:06):
And it worked. Now, the timing on the "we are the Bunons" part I got a little bit off, but after all, it was 50 years ago and I, you know, still remember those words. But the rest of it was intelligible as "surrender your ship or be destroyed." So, God, I really have to listen to this. <laugh> It's, for some reason, on Amazon Music. That can't be the only place it is. I think he said get it wherever you listen to, oh God, podcasts. So the link he showed us goes to Amazon Music, but yeah, that's the link that he had provided. Got it. And so I just put it in the show notes for anybody who has it. Nice, nice. Okay. Closing the loop. First was from JVs Tech. He said: Hey, Steve, I'm sure you've had several others already mention this, but USB Type-A connectors, remember, which we talked about last week as how they demonstrate that we're in a simulation because they're always wrong.
Leo Laporte / Steve Gibson (01:27:04):
The first time you try to plug 'em in. USB Type-A does not break probability. It is in fact, and this does explain it actually, in a state of quantum superposition. The connector exists in both the correct and incorrect orientations simultaneously until observed, at which point the wave function collapses and a single orientation manifests. This is why it often takes three tries to plug it in correctly. And he says, thanks for the amazing podcast, by the way. And there was an unrelated tweet that I <laugh> actually showed that, saying, it's a well-known fact that you must spin a USB three times before it will fit. From this we can gather that a USB has three states: up position, down position and superposition. So apparently a lot of people have had fun with this sort of thing in the past. Bill Tillman tweeted:
Leo Laporte / Steve Gibson (01:28:14):
Here's the question I have. Suppose I have an account with some service and they decide to support SQRL. How do I get my SQRL identity associated with an existing account? And so I wanted to share Brian's question, since I'm sure that FIDO's passkeys will be working the same way, so it actually has a future practical application. In all cases, an additional method of authenticating is simply added to an account. So you would log on first through your traditional means, presumably a username and password. Then under your account settings, you would choose to add a SQRL or, more likely, a FIDO passkey. That would trigger an authentication transaction from the website. You would authenticate with your client, which would synthesize a pair of FIDO keys, and the client would provide the website with your specific public key for it to keep on record.
Leo Laporte / Steve Gibson (01:29:28):
In the case of FIDO's passkeys, that's as far as it goes. But with SQRL, since we thought through the entire paradigm, we realized that since a system's security is limited by the security of the weakest link, adding a super-secure means of authenticating doesn't actually increase security unless and until you also eliminate the possibility of using all weaker links. In other words, if the site still allows you to log on with username and password, it could still get hacked and you could still lose control of your password, just like you always have been able to. That's why SQRL goes a step further and is able to request that a website disable all non-SQRL authentication. Once a user's become familiar with SQRL and is confident in its use, they're able to set a switch in their SQRL client which, when they then visit any websites, causes their SQRL client to request that sites no longer honor their traditional username and password or any other non-SQRL means of authentication, which at that point actually does elevate your security to the level of a true, you know, WebAuthn-style SQRL or FIDO-style authentication.
Leo Laporte / Steve Gibson (01:31:07):
Again, another example of what SQRL does that the FIDO people just, you know, didn't bother with. Jose C. Gomez tweeted: Hi, Steve, I'm the owner slash host of SQRL OAuth that Leo uses on the forum. I had wandered off onto other things. I got alerted by Jeff Arthur. Jeff, of course, is the author of the iOS SQRL client. He says, thank you, Jeff. And everything is back up and running. I have added some monitoring tools to keep a better eye on it. I honestly thought nobody was using it, which may have been the case. He says, I wish it would get more adoption. He says, SQRL in general, but alas, with all this new FIDO, et cetera, I suspect it isn't gonna happen. Nevertheless, I have fixed the issues, brought the site back up and even did some bug fixes. So the TWiT community should be back up and running for those that want to use it. Thanks for the heads up, and thanks again to Jeff for reaching out. Cheers.
Leo Laporte / Steve Gibson (01:32:18):
And David Lair said: Hi, Steve, listen every week and always enjoy the show, but I'd like to suggest you use as careful a definition for IoT as you do for zero-day. You often point out how Microsoft's use of the term, meaning zero-day, is it really appropriate? Indeed. He said, well, NIST has a definition for an IoT device in NIST IR 8259, which has also been adopted into US public law in the Cybersecurity Improvement Act of 2020. It says such devices, that is, IoT devices, have a network interface for interacting with the digital world and a sensor or actuator for interacting with the physical world. I bring this up because you often use routers as examples when you talk about IoT, but by the NIST definition, which is pretty well accepted, a router isn't IoT because it lacks an interface to the physical world.
Leo Laporte / Steve Gibson (01:33:39):
I know you like to be precise about things, so I thought you'd want to know about the NIST definition. So David, thank you. Yes, and I think that's interesting. And I think that we do have a problem here with a weak definition. IoT is weakly defined. My original feeling about the use and definition of IoT devices was actually more along the lines of what David cites as NIST's formal definition: things like light switches and plugs and internet-connected thermostats, all of which qualify under that definition. But my original definition has been broadened, I think usefully and appropriately, to now include what I would call unattended devices as the primary distinctive feature which determines their IoT-ness for the purposes of concerns about security and their abuse. You know, is a router an IoT device? Increasingly, the internet security community is adopting that definition.
Leo Laporte / Steve Gibson (01:34:47):
So I don't know what to do. If something like a router is not an IoT device, then it would be nice to have some broadly agreed-upon term for the class of internet-connected and often quite powerful devices that, you know, can have firmware flaws that allow them to be remotely subverted. I think we're stuck with IoT; we need to call those things something, so I think it's probably IoT. And finally, Chuck 3000, he said: re SN 875, here's a reason for an electronic pet door. He said, apparently this is common in Florida. And I've got a photo in the show notes that shows an alligator entering someone's home through the swinging flap, which was insufficient. Right, right. Remember, repelling the alligator. I imagine he's looking for the pet cat. Myers cat is the Floridian, the Florida man who had the intestinal fortitude to stand there and take that picture.
Leo Laporte / Steve Gibson (01:35:59):
'Cuz I would've been... Good point. Someone took that picture. I would not have stood there. The alligator's mouth is wide open and he's, you know, a foot or two away. And those things move fast. Apparently they don't turn rapidly. Oh, okay. Oh, good. Lori spent a lot of time in Florida and she told me that what you learn is to zigzag. Ah, because they can run in a straight line, but they're not good at turning. See, you've learned something on Security Now today: how to run away from an alligator. <laugh> That's wild. What a picture. Oh yeah. Okay. That's a good reason to have a chipped cat door. Yeah. And here it comes in my water. Yep. By the way, oh, here's a weird one. So I went to your cookie forensics site in Microsoft's Edge with default settings.
Leo Laporte / Steve Gibson (01:36:57):
Yeah. Nothing. Whoa. It's actually better than Firefox. No icon issues. Now I find that, now I find that hard to believe. It's Chromium-based, and Chrome did the same thing for me. It behaved itself. Although I had assumed it's 'cuz I'd turned on a bunch of stuff, but it's just default. I think I didn't mess with this. Yeah. So, wow. That's cool. Yeah, well, yeah, it's on basic tracking protection. Wow. And if you turn off tracking protection... I don't even have it turned on. I don't even have it turned on. So which of course is Microsoft, so it's off by default. <laugh> Send "do not track" request? No. Hmm. Yeah. Wow. It seems to me maybe they've got sneaky ways of getting cookies outta there. That's interesting. Well, I know it's weird. I don't doubt that our listeners are gonna dig into that given this tool.
Leo Laporte / Steve Gibson (01:38:01):
Yeah. And they'll let me know what's going on. Yeah. Weird. All right. We are gonna pile on Microsoft in just a second. <laugh> Before we do, let's talk about our fine sponsor, ExpressVPN. We know you know about ExpressVPN. In fact, they're in the news a lot lately because they just do it right, and nobody can seem to get any private information out of them. I read a really good piece on ExpressVPN, which I should explain is my preferred VPN and our sponsor. It was all about how they do their TrustedServer technology. It was on BleepingComputer and it was amazing. If you Google BleepingComputer and ExpressVPN, you'll find it. They run a custom form of Debian Linux distro that completely reinstalls itself daily. So, you know, erases the drive and starts over daily, kind of one of those, you know, secure vault-like systems. It's amazing. The server runs in RAM. Can't write to it; it's sandboxed. Can't write to a hard drive. All of this to give you the reassurance that they do not log anything you're doing on their VPN.
Leo Laporte / Steve Gibson (01:39:24):
It's a shame that we have to use stuff like this. And for years we recommended VPNs just simply as a security thing, right? If you're in an open WiFi access point, it encrypts your traffic and so forth. But increasingly it's really been about protecting your privacy, to prevent profiling and surveillance and data harvesting. You know, this is something that the tech giants just, you know, seem to have decided is, well, they call it surveillance capitalism, right? It's the way they do business. What do you actually do about it when you rely on so many of their products? You can't de-Google your life. And we don't all have $44 billion to go buy up Twitter. So the good news is you don't have to be an oligarch, a billionaire, to take a stand. Use ExpressVPN. It's less than seven bucks a month.
Leo Laporte / Steve Gibson (01:40:14):
This is one way to fight back against big tech: ExpressVPN. You know, if you don't wanna be tracked, if you wanna be private, if you wanna watch videos on Netflix or other services all over the world, there's no better way. ExpressVPN helps you anonymize much of your online presence. It's not your IP address that's out there, it's theirs. And that IP address is one of the ways big tech keeps track of you. And it's really easy to use ExpressVPN. It's on everything, every platform you use: iOS, Android, Mac, Windows, Linux. You can even put it on smart TVs. You could put it on some routers, which I think is a really clever way. And ExpressVPN is so fast, you could play back HD video, which means when you put it on your router, nobody's gonna say, hey, what happened to the internet?
Leo Laporte / Steve Gibson (01:41:05):
It's just invisible. When you have it on your phone or your computer, you just tap that big button and ExpressVPN is on. That's all it takes to keep big tech outta your salad. If you don't like big tech tracking you and selling your personal data for profit, it's time to fight back. Visit expressvpn.com/securitynow right now, get three months of ExpressVPN for free. You can use ExpressVPN to fight surveillance capitalism. At least we have one tool, right? expressvpn.com/securitynow. Use that address, though, so they know you saw it here, 'cuz I am a capitalist. We gotta pay the light bills and all that. It's 101 degrees outside, Steve. Outside, Steve, but it's, wow, up there. Yes. Whoa. Yes. We gotta pay for the air conditioning, my friends. expressvpn.com/securitynow. It's a nice 70 degrees in here, but when you go outside, it's like an oven.
Leo Laporte / Steve Gibson (01:42:05):
It's an oven out there. Blast furnace when you open the door. Yeah. Is that weird feeling, right? You've had... yeah, it hits you. Yeah. All right. On we go with the show. Today's podcast title, "Microsoft's Patchy Patches," was chosen after encountering a number of separate and independent pieces in the tech press, all decrying Microsoft's recent vulnerability and patch handling. Since this has been something that, as we know, I've been observing and repeatedly noting here, it was somewhat comforting to get a bit of a reality check that my perceptions are not coming out of left field. Dan Goodin, writing for Ars Technica, published a piece headlined "Botched and silent patches from Microsoft put customers at risk, critics say. Case in point: it took five months and three patches to fix a critical Azure threat." And Jonathan Greig, writing for The Record, separately published "Debate rages over Microsoft vulnerability practices after Follina and Azure issues."
Leo Laporte / Steve Gibson (01:43:18):
Since Jonathan's reporting contained some new information from interviews he conducted across the industry, some from veteran Microsofties, I'll start by sharing some of what Jonathan found. Microsoft finally released a patch for the much-discussed Follina vulnerability, we've talked about it a number of times, that was CVE-2022-30190, amid fixes for 55 other issues last Tuesday. But Microsoft's initial response to the issue, as we know, and several others has stirred debate among security experts who questioned Microsoft's recent handling of vulnerabilities. Microsoft initially claimed Follina wasn't a security issue after being sent evidence by the head of advanced persistent threat hunting organization Shadow Chaser Group. They eventually acknowledged the issue, but several security experts have aired concerns about Microsoft's responses to a number of vulnerability reports. Last Monday, Amit Yoran, the CEO of the cybersecurity firm Tenable, published a lengthy blog post criticizing Microsoft for its recent response to two disclosed vulnerabilities affecting the Azure Synapse service. In his blog posting, Amit wrote, quote:
Leo Laporte / Steve Gibson (01:44:49):
After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk. It was only after being told that we, Tenable, were going to go public that their story changed, 89 days after we initially notified them of the vulnerability, when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified. This is a repeated pattern of behavior. Several security companies have written about their vulnerability notification interactions with Microsoft and Microsoft's dismissive attitude about the risk that vulnerabilities present to their customers. Yoran went on to say that Microsoft's frequent reticence to notify customers of issues was a "grossly irresponsible policy." In response to questions about Yoran's comments, Microsoft told Jonathan Greig, reporting for The Record, that it only assigns CVEs to issues that require customers to take action. What? So now they're not vulnerabilities...
Leo Laporte / Steve Gibson (01:46:16):
...if Microsoft handles them secretly? Equally, the Microsoft spokesman said: We addressed the issue that Tenable reported to us, and no customer action is required. This apparently is Microsoft's new sweep-it-under-the-rug policy. And really, when you think about it, isn't this exactly what a behemoth that's unanswerable would do if it's unable to act responsibly? Nothing to see here. What CVE? Aaron Turner, CTO at the security company Vectra, said he understood both sides of the debate. As a longtime former Microsoft security team member, Microsoft wants to have the freedom to manage their cloud services the way they see fit, Turner said. He said: I was at Microsoft in the worst of times, from 1999 through 2006, when the company had to go from some of the worst security management policies to eventually leading the industry in predictability, transparency, and one of the best supporters of responsible disclosure. Turner explained that he knows and respects Yoran personally but did not think that Tenable's blog post was constructive.
Leo Laporte / Steve Gibson (01:47:43):
The rules around responsible disclosure do indeed need to be updated, according to Turner, but he noted that both sides have room for improvement. Well, I'd like to hear more, but he didn't offer it, at least for this article. And I'll note that if Turner left Microsoft in 2006, when things were going great according to him, then he will have missed the events of the past 16 years, when things have definitely taken a turn for the worse. In a few minutes I'll be sharing some thoughts from someone who once tested Windows before Microsoft decided that actual testing was no longer needed. Anyway, Turner said there needs to be clearer rules around research into core platform-as-a-service and infrastructure-as-a-service technologies, in other words, how to deal with cloud stuff, as well as easier ways for cloud platform operators to provide testing capabilities to researchers and clear responses to responsibly disclosed vulnerability information.
Leo Laporte / Steve Gibson (01:48:52):
And, you know, that's what Tenable wants. Several other researchers were less forgiving of Microsoft, pointing out that more than 33% of the vulnerabilities added to CISA's, you know, the Cybersecurity and Infrastructure Security Agency's, list of known exploited bugs came solely from Microsoft. More than one third of all. Microsoft had the most vulnerabilities added to the list in every month this year. And those are known exploited bugs. Andrew Grotto, former White House director for cybersecurity policy, who's now a cybersecurity professor at Stanford University, argued that Microsoft's market dominance was part of the problem. Uh-huh. Yeah, no kidding. As we know, one of my theories has been that they just don't need to do anything, since there are no consequences when they do not. Anyway, Grotto explained, quote: The data speaks to an outsized representation of Microsoft products having the most critical vulnerabilities. On some level, it may reflect the sheer prevalence of Microsoft products, but it's not like there aren't other vendors whose products are constantly being poked and prodded and tested.
Leo Laporte / Steve Gibson (01:50:19):
No other vendor appears with the same frequency and level of severity in terms of vulnerabilities that Microsoft's products seem to, said Grotto. Does the market force Microsoft to remedy this problem or not? What worries me, he says, is right now there is not a ton of competition, so I'm a bit pessimistic about this trend changing. Steven Weber, professor at the Graduate School of Information at UC Berkeley, said procurement is the best way to drive positive changes in security practices. Government procurement practices right now are making the government less secure, but also hurting the private markets as well, Weber explained, because it is not creating greater demand for better security. He said it's important to keep in context that the widespread market penetration of a company's products is no explanation for why its products are also the most vulnerable. Amen to that. What we ought to be asking is, given that we know and are shown again and again that Microsoft's products are highly vulnerable...
Leo Laporte / Steve Gibson (01:51:40):
...why do they remain so prevalent in the market? Well, we know. And Dan Goodin's reporting added some additional depth to this topic. Reporting in Ars Technica, Dan observed: Blame is mounting on Microsoft for what critics say is a lack of transparency and adequate speed when responding to reports of vulnerabilities threatening its customers. Microsoft's latest failing came to light on Tuesday, that's last Tuesday, in a post that showed Microsoft taking five months and three patches before successfully fixing a critical vulnerability in Azure. And I'll just say that part of the problem here is that everyone, those people finding these problems, want to behave responsibly. You know, they want Microsoft to fix this, yet Microsoft is under no pressure to fix it because these companies will wait until they do. Maybe that's the mistake that they're making. Anyway, Orca, O-R-C-A, Orca Security first informed Microsoft in early January of this year of this very critical flaw, which resided in the Synapse Analytics component of the cloud service Azure, and also affected the Azure Data Factory.
Leo Laporte / Steve Gibson (01:53:11):
It gave anyone with an Azure account the ability to access the resources of other customers. From there, Orca explained, an attacker could gain authorization inside other customer accounts while acting as their Synapse workspace. They wrote: We could have accessed even more resources inside a customer's account, depending on the configuration. It would leak customers' credentials stored in their Synapse workspace, communicate with other customers' integration runtimes, saying we could leverage this to run remote code execution on any customer's integration runtimes, and take control of the Azure batch pool managing all of the shared integration runtimes. We could run code on every instance. In other words, this was a horrible, critical vulnerability. Yet Orca said that despite the urgency of the vulnerability, Microsoft responders were slow to grasp its severity. Microsoft botched the first two patches, and it wasn't until just this past Tuesday, June's Patch Tuesday, that Microsoft issued an update that entirely fixed the flaw and Orca finally felt it was safe to talk about this.
Leo Laporte / Steve Gibson (01:54:43):
A timeline provided by Orca shows just how much time and work it took them to shepherd Microsoft through the remediation process. On January 4th, the Orca security research team disclosed the vulnerability to the Microsoft Security Response Center, MSRC, along with keys and certificates they were able to extract. So that was part of the vulnerability: the ability to extract keys and certificates, which then empowered them to do this. A month goes by. February 19th, another month, March 4th, MSRC requested additional details to aid its investigation. Each of those two times, on February 19th and March 4th, Orca responded the next day. Now we're in late March. MSRC deployed the initial patch. March 30th, Orca was able to bypass the patch. Synapse remained vulnerable. March 31st, Azure awards Orca $60,000 for their discovery. Oh joy. But Azure remains vulnerable. April 4th, 90 days after disclosure, Orca Security notifies Microsoft that keys and certificates are still valid.
Leo Laporte / Steve Gibson (01:56:12):
Orca still had Synapse management server access. Three more days, April 7th, Orca met with MSRC to clarify the implications of the vulnerability and the required steps to fix it in its entirety. Three more days, April 10th, MSRC patches the first bypass and finally revokes the Synapse management server certificate. Orca was able to bypass the patch yet again. Synapse remained vulnerable. Five more days, now we're at April 15th, MSRC deploys the third patch, fixing the RCE and reported attack vectors. May 9th, both Orca Security and MSRC published blogs outlining the vulnerability, mitigations and recommendations for customers. End of May, Microsoft deploys more comprehensive tenant isolation, including ephemeral instances and scoped tokens for the shared Azure integration runtimes. In the end, the fix was silent, with no notification ever provided to Microsoft customers that they had ever been in this danger, and had been for five months. And this account from Orca followed 24 hours after the previously mentioned security firm Tenable related a similar tale of woe of Microsoft failing to transparently fix vulnerabilities that also involved Azure Synapse.
Leo Laporte / Steve Gibson (01:57:51):
And this is wonderful. In a statement, Microsoft officials wrote: We are deeply committed to protecting our customers, and we believe security is a team sport. What are you guys smoking up there in Redmond? <laugh> The security of your proprietary uniforms... yeah, the security of your proprietary software is a team sport. They said: We appreciate our partnerships with the security community, although of course we don't act as if we do, which enables our work to protect customers. Right, 'cause we're not doing security in-house anymore; apparently we're relying on outsiders. Whoa. They said: The release of a security update is a balance between quality and timeliness. Yeah, right. We wouldn't wanna rush it out and get it wrong. Oops, we did, three times. Oh well, never mind. And we've considered the need to minimize customer disruptions while improving protection.
Leo Laporte / Steve Gibson (01:59:03):
Oh, so we don't wanna notify them. That might be disruptive. Right? Wow. So I recalled that a few years ago Microsoft laid off their large and expensive testing teams. So I went looking for and found a description of exactly what changed and how and why today's system has become so badly broken, at least in part why. Martin Brinkmann, writing for ghacks.net, had a piece a few years ago titled "Former Microsoft employee explains why bugs in Windows updates increased." Has the number of bugs in Windows updates increased in the past couple of years? If so, what's the reason for the increase in bugs? What might it be? That's the question that former senior SDET, that stands for Senior Software Development Engineer in Test, Jerry Berg recently answered. Berg worked for 15 years at Microsoft, where one of his roles was to design and develop tools and processes to automate testing for the Windows OS.
Leo Laporte / Steve Gibson (02:00:30):
He left the company after Windows 8.1 shipped to the public. Microsoft changed testing processes significantly in the past couple of years. Berg described how testing was done in the late 2014 and early 2015 period and how Microsoft's testing processes changed since. Back in 2014 and '15, Microsoft employed many teams that were dedicated to testing the operating system builds, updates, drivers and other code. The teams consisted of multiple groups that would run tests and discuss bugs and issues in large daily meetings. Tests were conducted manually by the teams and through automated testing, and if tests passed, would give the okay to integrate the code into Windows. The teams ran the tests on real hardware in labs through automated testing. The machines had different hardware components, you know, processors, hard drives, video and sound cards and so forth, and other components, to cover a wide range of system configurations.
Leo Laporte / Steve Gibson (02:01:53):
Then Microsoft laid off almost the entire Windows test teams, and it moved the focus from three different systems, Windows, Windows Mobile, and Xbox, to a single system. The company moved most of the testing to virtual machines, which meant, according to Berg, the tests were no longer conducted on real and diverse hardware configurations. For the most part, they were tested on generic VMs. Microsoft employees could self-host test releases of Windows, which would mean that their machines would also be used for testing purposes. The main idea behind that was to get feedback from in-house Microsoft employees when they encountered issues during their work days. Berg notes that self-hosting is not as widely used anymore as it was before, right? Because who wants to be a tester when that means that one's main machine will be crashing during their day. So now, today, the primary source of testing data, apart from the automated test systems that are in place running on VMs, comes from outside Microsoft, from Microsoft's users, through telemetry and Windows Insiders. Windows Insider builds are installed on millions of devices.
Leo Laporte / Steve Gibson (02:03:25):
And Microsoft collects telemetry from all of those devices. If something crashes, Microsoft gets information about it. Unfortunately, one of the problems associated with the collecting of telemetry is that most bugs are not caught by it. If something does not work right, Microsoft may not be able to discern the relevant bits from telemetry data. While it is in theory possible that users report issues, many don't. Additionally, while Insiders may report bugs, it is often the case that necessary information is not supplied to Microsoft, which poses huge issues for the engineers tasked with resolving these problems. Back in 2014 and '15, Microsoft's testing team would be tasked with analyzing bugs and issues and supplying engineers with the data they required, you know, patches to resolve these. Nowadays, Berg notes, all of that is gone, and it's telemetry that the engineers look at to figure out how to fix these issues. Fixes are then pushed to customer devices running Insider builds, again to see if the issue got fixed, or if it created new bugs.
Leo Laporte / Steve Gibson (02:04:52):
One of the main reasons why Microsoft stopped pushing out new feature updates to everyone at once was that issues that were not detected by that previous process could potentially negatively affect a large number of customers. Yeah, no kidding. To avoid total disasters like the Windows 10 version 1809 launch, gradual rollouts were introduced that would prevent feature updates from being delivered via Windows Update to the majority of machines in the early days of the release. So Microsoft exchanged that dedicated in-house testing team for remote telemetry data that it gathers from Insider builds that it pushes to consumer and business devices, and replaced much of the PCs that it once used for testing with virtual environments. All of that has led to an increased number of issues and bugs that customers face on production machines when installing Windows updates or feature updates, and it appears to have created disconnection throughout various major arteries of Microsoft.
Leo Laporte / Steve Gibson (02:06:10):
I have no doubt that individual Microsoft employees are doing the best they can with what they have, but management appears to have royally screwed the pooch when they decided to disband serious pre-release testing in favor of collecting outside telemetry from Windows Insiders. And we've already talked about what Microsoft plans to do next by further automating the Windows Update system to dynamically back out when things go wrong and to learn from its mistakes. This essentially broadens its telemetry collection from Windows Insiders to include all other commercial Windows users. Stepping back to look at the big picture, it becomes clear that what Microsoft has essentially done by disbanding serious internal testing on real hardware, switching to limited testing on virtual machines, and outsourcing its software testing first to Windows enthusiasts and then to all Windows users, is to turn us all into their unpaid beta testers. And as we've seen in example after example, the external security community becomes their thankless security research arm.
Leo Laporte / Steve Gibson (02:07:36):
So someone hearing this says to me, okay, Gibson, what OS are you using? And we all know the answer to that. I'm sitting in front of Windows. I've always been sitting in front of Windows, and before that I was sitting in front of DOS. I also often sit in front of FreeBSD Unix, which runs several of my most important servers. And I spent a lot of time in front of Debian Linux when I was working to recover that Lenovo laptop's weird-acting BitLocker-encrypted NVMe drive that had died in a mysterious way and would no longer boot. You know, that's the one that I managed to get finally working by hooking it to an external PCIe Thunderbolt port. I used Debian then thanks to the powerful command line tools that Linux offers, but the fact remains, I am most comfortable sitting in front of Windows. The tools I prefer using are hosted only there, and the tools I'll be using for SpinRite 7, when I move away from DOS, are only hosted on Windows. My failure to preemptively show Microsoft the folly of shipping a consumer OS with user-land access to raw sockets taught me that Microsoft had become a blind behemoth. So I have no illusions that we can change Microsoft, but understanding the path and the trajectory that Microsoft's policies have put it on remains valuable. And so I think we can predict the future.
Leo Laporte / Steve Gibson (02:09:16):
Terrible. It's not good. Yeah. Which is why, you know, I hear Paul and Mary Jo, you know, on Wednesdays just saying, we don't understand what's going on. I mean, they don't, they're as inside as you can be, and they're just like, yeah, we don't know what happened. Yeah. I have a Windows machine sitting in front of me. This is the only one I have, just because I guess I have to help people figure out what to do. Yes, you do. <Laugh> Yep. It's no fun. It's a love-hate relationship, you know. I mean, most operating systems are kind of the same and do the same thing. There certainly has been sort of an aggregation around the right way to do things.
Leo Laporte / Steve Gibson (02:10:05):
Yeah. Yep. And I think anybody who uses Windows, if they picked up, I wouldn't say Debian, maybe Ubuntu, which is based on Debian, or Pop!_OS or Manjaro Linux, which is what I use, would feel pretty much right at home almost right away using GNOME and KDE. You know, it still baffles me, but you know, nobody ever got fired for buying the Microsoft Windows machine. That's exactly right. Microsoft has become the IBM of yesteryear. Yeah. Yeah. Yep. Thank you, my friend, as always. You'll find Steve Gibson at grc.com. That's the Gibson Research Corporation; that's of course the home of SpinRite, the world's best hard drive or mass storage maintenance and recovery utility. You'll also find a lot of other good things there, including this show. He has a couple of unique versions: a 16 kilobit audio version, which sounds a little scratchy, but is small, smaller than that bottle.
Leo Laporte / Steve Gibson (02:11:08):
And <laugh> wow, that's a lot of water. And he also has transcripts, which are great for reading along. And I guess you said the transcripts are not as popular as the show notes, but I think for searching, they may not be downloading them, but for searching, they're very, very valuable. Oh, no comparison. Yes. Yeah, yeah. Yeah. Super valuable. Show notes are the kind of thing you almost would wanna subscribe to, like it's a newsletter every week with the contents and the images and the links from the show, which I think is fantastic. That's also at grc.com. We have video, oddly enough, of the show. If you wanna see Steve's giant bottle <laugh>, that's at twit.tv/sn. There's also, of course, a YouTube channel dedicated to it. We also have audio versions at twit.tv/sn, or you can subscribe in your favorite podcast player and get it automatically.
Leo Laporte / Steve Gibson (02:12:06):
If you don't like commercials, there are commercial-free versions of this show, either from Apple's iTunes for $2.99 a month, or you can, for seven bucks a month, get all the shows ad-free. That's the Club TWiT price: all shows ad-free, plus the Club TWiT Discord, which is a lot of fun. I just found out two of our Club TWiT members hung out. Golia, who is Alia G rather, from Israel went to visit John Arnold in Britain, and they hung out for a few days, which is kind of sweet. That's kind of what the club's all about. And you also get the TWiT+ feed, which has stuff that doesn't make it to the shows, including our Linux show, which is quite good, The Untitled Linux Show, the Giz Fiz with Dick DeBartolo, Stacey's Book Club.
Leo Laporte / Steve Gibson (02:12:55):
We just did Neal Stephenson's book. That was a lot of fun. And other things; there's a new show coming. And that's one of the things Club TWiT does for us. It gives us a revenue stream so we can produce shows without an advertising base. And I think that's really important for our growth. So you help out a lot. It's a mere seven bucks a month, twit.tv/clubtwit. You can watch us record this show Tuesdays at about 1:30 to 2:00 PM Pacific, that's 4:30 Eastern, 2030 UTC. The stream is at live.twit.tv. The chat room is going, it's hot and heavy, irc.twit.tv. That's open to all. And of course the Discord is also chatting away. Discord features animated GIFs, which I would show you, but I forgot, I can't, I have the Windows machine hooked up. Anyway, thank you, Steve, and we will see you next time on Security Now. Sounds great, till then.
Ant Pruitt (02:13:58):
Did you spend a lot of money on your brand new smartphone? And then you look at the pictures on Facebook and Instagram and you're like, what in the world happened to that photo? Yes, you have. I know it happens to all of us. Well, you need to check out my show, Hands-On Photography, where I'm going to walk you through simple tips and tricks that are gonna help make you get the most out of your smartphone camera, or your DSLR or mirrorless, whatever you have. And those shots are gonna look so much better, I promise you. So make sure you're tuning in to twit.tv/hop for Hands-On Photography to find out more.