Episode Transcript
0:00
It's time for security. Steve Gibson
0:03
is here with a potpourri
0:05
of security stories. The
0:07
end of a famous caller ID
0:10
spoofing service taken over by
0:12
the feds. Now, a funny
0:14
little scam involving
0:16
misplaced decimal points, a
0:18
web server from the dark
0:20
ages that's unfortunately still being
0:23
widely used. And
0:25
when a passkey is not really a
0:28
passkey. It's all coming up next
0:30
on Security Now.
0:34
Podcasts you love. From
0:36
people you trust. If
0:39
This is TWiT. This
0:44
is Security Now with Steve Gibson, episode
0:47
eight hundred ninety nine recorded Tuesday,
0:50
November twenty ninth twenty twenty
0:52
two: Freebie Bots
0:54
and Evil Cameras. This
0:57
episode of Security Now is brought to you
0:59
by Kolide. Kolide
1:02
is an endpoint security solution that
1:04
uses the most powerful untapped
1:06
resource in IT: end users.
1:09
Visit kolide dot com slash
1:11
securitynow to learn more and
1:13
activate a free fourteen day trial
1:15
today. No credit card required.
1:18
And by PlexTrac, the
1:21
premier cybersecurity reporting
1:23
and collaboration platform. With
1:25
PlexTrac, you'll streamline the full
1:27
workflow from testing to reporting
1:30
to remediation. Visit plextrac
1:32
dot com slash twit to claim your
1:34
free month of the PlexTrac platform
1:36
today. And by
1:39
NordLayer. NordLayer
1:42
is a secure network access solution
1:44
for your business. Join more than
1:46
seven thousand fully protected organizations
1:48
by going to nordlayer dot com
1:51
slash twit to get your first month free
1:53
when purchasing an annual subscription. It's
1:56
time for Security Now, the show where we cover
1:58
your security and privacy online, with
2:01
the hero of the hour, Mr. Steve Gibson.
2:03
Hello, Steve. This is the podcast
2:06
which just has a boring start
2:08
every week because everything works.
2:10
We're not spending half an hour trying
2:12
to, like, get stuff
2:15
on screen or the lighting
2:17
right. You just don't see that part. I
2:19
know. In the old days, we did that all
2:21
the time, didn't we? Yeah. I mean
2:24
well, and I mean, like, with different hosts,
2:26
soon, like, juggling things and
2:28
and all that. But it is easier to do a
2:30
one on one podcast -- Oh, I see. -- and
2:32
this is the thing you're doing. Oh, I see.
2:35
You saw the rocky
2:37
start of our previous program. Yeah.
2:39
And it's generally, like, half an hour before
2:41
things. Yeah. No. It's a little weird. It
2:43
can't go weird. I don't know. Speaking
2:46
of which -- Yes. -- this is episode
2:49
eight ninety nine -- Oh
2:51
dear. -- for... Oh, do I know.
2:53
And this is the birthday episode for
2:55
those who don't know. Leo is celebrating.
2:59
Number sixty six. Look at that. Route
3:01
sixty six. Route sixty six.
3:03
And on his for those who don't have video,
3:06
he just held up an old sign that won't
3:08
mean anything to anyone much
3:10
younger than us. Kookie, Kookie, lend me
3:12
your comb. That's all I have to say. So --
3:14
Yes. -- so this was one of those weeks
3:16
where nothing really stood out, but a
3:18
lot of interesting things happened. So
3:20
I grabbed two of the items we're
3:22
talking about as the title, basically
3:26
from the typical naming of your
3:28
other podcast, Leo, where
3:30
you think, okay, what do we talk about? Let's
3:32
you know, come up with something about that. So this is
3:34
Freebie bots and evil cameras
3:37
for eight ninety nine. And
3:40
during this podcast, we're gonna answer
3:42
a few questions. What happens
3:45
when you run a caller ID
3:47
spoofing service, or
3:49
when you mislist and under-
3:51
price online goods, or
3:54
click on a phishing link for a cryptocurrency
3:57
exchange, or consider
3:59
working for an underworld hacking group.
4:02
Or, oh, no, this is a great podcast: use
4:06
a web server from the dark ages
4:08
in your IoT device. This
4:10
is not all one story. These are
4:12
multiple stories. Oh, yes. Oh,
4:14
yes. Yes. Yes. Okay. Or,
4:17
otherwise, that would be one really confusing one. Yes.
4:19
Yeah. Or rattle your
4:21
sabers while attempting to sell closed
4:24
network systems to your enemies,
4:27
or decide whether or not to continue
4:29
or to suspend
4:31
your Twitter ad buys, or
4:33
4:36
log in to Carnival Cruises with a
4:38
passkey -- Yes. -- or use hardware
4:40
to sign your code. This
4:42
week's podcast answers all of
4:44
those questions and more.
4:48
Now that's a tease. You
4:50
are you are absolutely now finally
4:52
after eight hundred and ninety nine episodes conforming
4:54
to the TWiT Way. It
4:56
only took seventeen years, my
4:58
friend. And we
5:01
were we were gonna we were heading your way
5:03
and you headed our way. So we've met And then we're
5:05
gonna defrag a zebra. Just
5:07
so you know. Oh, wait till you see this. That is
5:09
our picture of the week and a good one.
5:11
That's what it is. Our show today
5:14
brought to you by Kolide. I
5:16
love this idea, I think you will,
5:19
too. Kolide is user-
5:21
centered, cross-platform endpoint
5:24
security for teams that Slack, but
5:26
let me explain what that all
5:28
means. See, Kolide came
5:31
along at a time
5:33
when we are all, you know, every security
5:35
professional, every IT
5:37
person dealing with this idea that
5:39
work is forever now gonna be
5:41
hybrid. Some people are gonna be in
5:43
the office. Some people are gonna be home, on the
5:45
road, all over the place, which
5:47
means endpoint security has gotten much more
5:49
complex. Of course, we live in an
5:51
era of BYOD, which
5:54
means not only do we have to manage our own
5:56
devices, but we've got this, you know, this shadow IT
5:58
to worry about. And I think the
6:00
tendency of a lot of security
6:02
professionals is lock it down. Whether
6:04
communicated explicitly or implicitly,
6:07
the message is the
6:09
users are your enemy, and
6:12
you have to wrangle them
6:14
to make sure they don't do anything bad.
6:18
You know, treat every device like Fort Knox,
6:20
put glue, crazy glue in the USB
6:22
ports, that kind of thing. Here's
6:25
the problem with that, and you might already be
6:27
sensing there's a problem with that. Old-school
6:29
device management tools like MDMs,
6:31
force these disruptive agents
6:33
onto employees' devices. They slow performance.
6:36
Employees know they no longer have any privacy.
6:38
Right? They they're being spied upon. They
6:41
feel like the enemy. So
6:44
by doing it this way, IT admins and
6:46
end users are are are
6:48
now at each other's, you know, kind of
6:50
like pushing one
6:52
against the other. And that creates its
6:54
own security problem because users, what do they do?
6:56
They got their own laptops. They got their own phones. They
6:58
turn to shadow IT to do their
7:00
jobs, just to protect their privacy, just to get
7:02
performance, it's just not
7:04
working. You probably already know this. Right? It's
7:06
kinda not the ideal situation. Kolide has a
7:08
better way, and I think it's just really clever.
7:11
Instead of forcing changes on users,
7:13
Kolide sends them security
7:15
recommendations via Slack DMs.
7:18
Kolide will automatically notify your team
7:20
when devices are insecure and
7:22
give them step by step instructions on
7:24
how to solve the problem. For instance,
7:27
an employee saves their private SSH
7:29
key in a publicly
7:32
viewable folder. This is obviously a
7:34
bad idea. You know this, the employee
7:36
doesn't, or maybe there's
7:38
doesn't think anything of it. Kolide automatically,
7:40
like, sends them a DM saying,
7:42
hey, you know, this is why this is a problem.
7:45
Here's what's happening, and here's how to
7:47
fix it. And the employee fixes it.
7:49
And suddenly, they're on the team, because
7:52
it turns out employees, you know, want your company to
7:54
succeed. They wanna they wanna be secure. They wanna
7:56
be, you know, private. They want it
7:58
to work. So Kolide
8:00
is is actually helping them, giving
8:02
them step by step instructions on how to
8:04
solve the problem, educating
8:07
them about company policies, and
8:09
helping you build a culture in which
8:11
everyone contributes to security because
8:13
everyone understands how and why to do
8:15
it. Now as an IT admin, you'll love
8:17
Kolide because it provides a single dashboard,
8:19
lets you monitor the security of the
8:21
entire fleet, whether Mac,
8:24
Windows, Linux, completely cross-
8:26
platform. You can see at a glance which
8:28
employees, for instance, have their disks encrypted
8:30
or are up to date with their patches
8:33
or are using a password manager, and, more
8:35
importantly, which ones aren't. Making
8:37
it easy to prove compliance to your auditors,
8:39
your customers, your leadership, getting
8:42
employees to do the right thing because
8:44
it's the right thing. Now they
8:46
know. So that's Kolide.
8:48
Again, user-centered, cross-platform endpoint
8:50
security for teams that Slack.
8:52
You can meet your
8:54
compliance goals by putting users first, and I want
8:56
you to try it. Go to Kolide, K-O-L-I-D-E
8:59
dot com slash securitynow,
9:02
to find out how.
9:04
If you follow that link, they're gonna hook you up with a goody
9:06
bag, including these great Kolide
9:08
t shirts. They've got
9:12
beer coasters dot com on the other
9:14
side. I love this one. There's there's several
9:16
of them, but this is the one I like. It's got
9:18
Pinocchios with their noses going
9:20
out. And then on his, security, with a
9:22
Pinocchio without his nose out. It's just a great
9:24
t shirt. Feels nice too. There's
9:26
the Kolide stickers for your
9:28
laptops. We put them on our refrigerator at
9:30
work, things like that. And
9:32
all that just for trying a free
9:34
trial, no credit card needed. Kolide
9:39
dot com slash securitynow.
9:42
User endpoint security
9:45
done
9:45
right. Kolide.
9:46
Thank you,
9:48
Kolide, for supporting Security
9:50
Now, and Steve appreciates
9:52
it. And I appreciate you as a
9:54
listener supporting us when you go to that address so that they know
9:56
you saw it here: kolide dot
9:58
com slash securitynow. Now,
10:00
I feel like this is almost a dad
10:03
joke. This is
10:05
really good. And I I think we've
10:07
we've used it before. I
10:09
mean, it looks familiar to me. But if
10:11
so, it's kind of fun
10:13
anyway. So for those who are not
10:15
seeing our video stream,
10:17
the caption on
10:19
this I know. It's really good.
10:22
It says, I defragged
10:24
my zebra. And
10:26
What we have is what looks like a horse
10:29
with the front half black, with the
10:31
banding, and the rear half white.
10:33
You know? It's different. It's obvious.
10:35
It's different. Yeah.
10:37
All of the in-use
10:39
clusters got pushed to one end and
10:41
the the free space is on the other.
10:43
And, anyway, Steve very clever.
10:45
So it got us talking about defragging.
10:47
You don't you don't really do that
10:49
anymore. Right? In most modern operating
10:51
systems that's handled. Correct.
10:54
Well, actually, you would the the
10:56
argument that Microsoft has always
10:58
made, although this is not
11:00
really as true, is that
11:02
there is no they were always saying there was no need
11:04
to defrag NTFS file
11:06
systems. It was clear that
11:08
over time, FAT32
11:10
file systems became fragmented. And
11:12
as we were saying before we got on
11:14
the air, I was posing,
11:17
notoriously, the question, how
11:19
many user centuries
11:23
of time were
11:25
lost with us just staring
11:27
at the defrag screen. Mhmm.
11:29
While the little squares jumped around,
11:31
it was just wonderful. And,
11:33
I mean, it served no constructive purpose
11:36
whatsoever. But, you know, it was
11:38
really fun. Maybe it was a way of
11:40
for a geek to have a time out. It was me time.
11:43
Meditative. Exactly. Yeah. Yeah.
11:45
But not necessarily anymore. That's
11:47
right. Right? So well,
11:49
okay. So Windows says
11:52
that it defrags, like,
11:54
automatically in the background --
11:56
Yeah. -- which may be the case,
11:58
that the one
11:58
place it
11:59
can be useful is for
12:02
data recovery. If your if
12:04
your files have been defragmented
12:06
and you lose somehow
12:09
in some catastrophe the
12:11
entire meta structure
12:13
of your file system,
12:16
and you really desperately have to have
12:18
some file back. But basically, if
12:20
you've lost all of the metadata,
12:22
there's no directory hierarchy,
12:24
no directories, anything, somewhere
12:27
out on your drive, is
12:29
a blob of
12:31
space that a file occupies.
12:33
And if it's contiguous,
12:35
if it's if it is defragmented,
12:38
you can find it. I mean, it's there
12:41
in whole. But if it's
12:43
if it itself is scattered all
12:45
over the place, and it was dependent
12:47
upon the file system's pointer
12:49
structure in order to reconstruct
12:51
that file on the fly you're
12:54
probably you're really not gonna be in
12:56
such great shape. So, you know, it
12:59
it but in the
13:01
old days, the reason we, of course, defragmented
13:03
was because seek
13:06
times were so long that if pieces
13:08
of a file were scattered
13:10
physically around the drive, the
13:12
the drive's head would have to go
13:14
jumping back and forth around in
13:16
and out on different tracks grabbing
13:18
little pieces of the file in order to get the
13:20
whole thing. If the file was defragmented,
13:23
the head would just go to the beginning
13:25
and just maybe tick over sequentially
13:28
a few tracks depending upon how
13:30
large the file was. But
13:32
so it was less wear and
13:34
tear on the drive. because it wasn't having to
13:36
jump all over the place just to get one
13:38
file read, and it was a
13:40
lot faster because you weren't
13:42
embedding all these seeks in
13:44
in the middle of a a file read.
13:46
Of course, there's zero seek time on
13:48
SSDs. So you Right. And
13:50
so that's what changed. It's when we went to
13:52
solid state suddenly all of that head
13:54
seeking disappeared and and
13:57
and, you know, it made no difference
13:59
in terms of
13:59
performance. Although Microsoft
14:03
quite cleverly, I think. Instead
14:05
of defragging SSDs, if you
14:08
issue the defrag command because you still have
14:10
a defrag. I believe you still have
14:12
defrag. Yeah. Microsoft says, yeah, we'll
14:14
just trim the SSD. It's a
14:16
way to invoke it. And so Allyn
14:18
Malventano said, you should still be
14:20
defragging because you're now trimming your SSDs.
14:22
Although, I think modern SSDs do trim as
14:24
well in the background. It's kind of, yeah, that's
14:26
that's kind of necessary to keep the speed
14:28
up. Yeah. Well, it it's actually
14:30
an OS-level thing because the SSD
14:32
has no knowledge. It doesn't know.
14:34
Oh. Right. But it could be the controller. I
14:36
thought it maybe was in the controller. No.
14:38
It's gonna be in the OS. Oh, so
14:40
so the idea is that that
14:43
that that the
14:45
drive itself has no knowledge
14:47
of the file system. It's file system
14:49
agnostic. But all of the operating
14:51
systems now, Linux does and
14:53
and Windows does it. In fact, it it
14:55
came up relative to SpinRite recently
14:58
because if you were to
15:00
do a
15:02
write level, like,
15:04
level three or four in
15:07
SpinRite 6.1, that
15:09
leads the drive to believe, the
15:11
SSD to believe, that its
15:14
entire space
15:16
is now in use because
15:18
when you write to something, basically,
15:20
it flags that area as in
15:22
use. So what you
15:24
can then do is under
15:26
Windows, there is a way to say,
15:28
please trim this drive and
15:30
under Linux, it sort of does it more
15:32
easily, but but you're also able to force it.
15:34
And so that is one sort of a
15:36
power user tip that we'll be getting to at
15:38
some point in with with
15:40
spin right is is once
15:42
you do something
15:45
on an SSD that writes to
15:47
the whole thing, you then need to go
15:49
back into the operating system
15:51
to let the OS say, okay,
15:53
calm down here. These
15:55
these are the areas that are actually in
15:59
active use, and all the rest of this, you
16:01
know that that's just completely
16:03
free. And the point is, it's hard
16:05
drive garbage collection. We've been talking about, like,
16:07
memory garbage collection. It's like memory
16:09
garbage collection. Yes. Yeah. Yeah.
16:12
Okay. So
16:14
I asked the question at the
16:17
beginning of the show. What
16:19
happens if you run a
16:21
commercial caller
16:24
ID spoofing site? Well,
16:26
you
16:27
get... your site turns
16:29
into the top of this podcast.
16:31
It's on the second page here.
16:33
Yes. And anybody
16:35
who's interested can go there now or I
16:37
went there yesterday, I presume it hasn't
16:39
changed. ispoof dot
16:42
cc is the
16:44
domain name, I-S-P-O-O-F
16:47
dot cc. And
16:49
what you get is a
16:51
big page that says, this website
16:53
has been seized. And
16:56
the various emblems of
16:58
global law enforcement,
17:00
and it says this domain has been seized by the
17:02
Federal Bureau of Investigation and the United
17:04
States Secret Service in accordance with blah
17:06
blah blah blah. Anyway, then we got it.
17:08
Europol and London City
17:11
police and cyber police and you
17:13
know, everybody's involved. Yeah. So
17:15
okay. Here's a little bit of this interesting
17:17
bit of happening. Europol and
17:20
law enforcement agencies from several countries, including
17:23
the FBI, have seized the servers
17:25
and websites of
17:28
iSpoof, which was a
17:30
service that allowed users to
17:32
make calls and send SMS
17:34
messages using spoofed
17:36
identities. Leo, if you were curious
17:38
oh, actually, I have a link on on the
17:40
page below to the to
17:43
the web archive way
17:45
back machine of iSpoof from
17:48
before it was seized. And
17:50
it's quite interesting. Anyway,
17:52
so the service launched in
17:54
December of twenty twenty and
17:57
advertised itself as a way for
17:59
users to, quote, protect
18:01
their phone numbers and
18:03
identities online. But
18:05
Europol said that iSpoof
18:07
was widely abused. Yeah, no
18:10
kidding. For fraud, because
18:12
it allowed cybercrime gangs
18:14
to pose as banks and
18:16
other financial organizations.
18:19
An investigation into iSpoof began in twenty
18:21
twenty one after Dutch police
18:23
identified the service during one
18:25
of its fraud investigations.
18:27
The Dutch police said they linked the
18:30
service to a web host in
18:32
Almere, where they deployed a
18:34
wiretap that allowed them to
18:36
map the site's reach and
18:38
learn the identities of its
18:40
registered users and administrators. Officials
18:42
said iSpoof had more than,
18:44
get this, fifty nine
18:47
thousand registered users
18:50
before it was taken down just
18:52
earlier this month. UK Metropolitan
18:55
Police said that one
18:57
hundred and forty two
18:59
suspects were detained
19:01
throughout the month of November, so
19:03
they did a big sting operation globally
19:05
with more than a hundred
19:08
individuals detained in the UK
19:10
alone, including iSpoof's
19:12
administrators. Europol said
19:14
iSpoof was being used to place
19:16
more than one
19:19
million spoofed calls each
19:22
month, that its administrators made more
19:24
than three point seven million
19:27
euros, and that the service has been
19:29
linked to fraud and losses
19:31
of more than a hundred and fifteen million euros
19:34
worldwide. The UK police
19:37
said they plan to notify all
19:40
UK users who
19:43
received spoof calls made
19:45
through iSpoof, which is
19:47
nice of them. So anyway, as I said, I was
19:49
curious to see what the site looked like before the
19:52
global takedown, which displayed
19:55
that, you know, that site that site
19:57
seizure page above. So
19:59
I turned
19:59
to Internet
20:01
archive projects way back
20:04
machine And I found, you know, what I
20:06
found was just sort of, you know,
20:08
head shaking. The top of the
20:10
site's very modern-looking
20:12
home page, which sort of has
20:14
a floating iPhone there
20:16
on the right, proclaims, protect
20:19
your privacy, with
20:21
custom caller ID, and it
20:23
says, you can show any
20:25
phone number you wish on call
20:28
display, essentially faking
20:30
your caller ID. And
20:32
then down in their features, they
20:34
said, get the ability
20:37
to change what someone sees
20:39
on their caller ID display
20:41
when they receive a phone call from
20:44
you. They'll never know it was you. You
20:46
can pick any number you want
20:48
before you call. Your
20:50
opposite will be thinking you're
20:52
someone else. It's easy, works
20:54
on every phone worldwide,
20:56
exclamation point. So,
21:00
yeah, you could imagine that,
21:02
you know, all kinds of
21:05
bad people with ill
21:07
intent would be abusing this
21:09
thing. I mean, like, you know,
21:12
ex boyfriends or
21:14
stalkers or spouses or whomever,
21:16
you know, whose calls you are not accepting
21:18
would just, you know, figure out whose call you
21:21
were accepting and then spoof it
21:23
in order to get you to answer the
21:25
phone. I mean, it's it's awful. Anyway,
21:28
we've talked a lot about how insecure
21:30
all of this is, you know, the... what
21:32
is it? SS7, the current signaling
21:35
system, is
21:37
still allowing this to go on.
21:39
I finally gave up and disconnected.
21:41
Actually, I had three. I had a fax
21:43
line and two landlines, because all I was
21:45
ever getting was just junk
21:47
calls. They were just, you know, it was
21:49
awful. So for
21:51
me, the most disturbing thing
21:53
about this story is that
21:55
the site was up and running
21:57
for nearly two years
22:00
before it was brought down. You know,
22:02
that was a ton of damage to
22:04
be done. And, you know, you can
22:06
imagine how the word-of-mouth of this
22:08
was spread, you know,
22:11
and, you know, among the world's
22:13
shadier types as this thing was allowed
22:15
to continue. So for what it's
22:17
worth, I hope there are not alternative
22:19
sites that are already up and going.
22:21
I would be surprised, frankly, if there
22:23
weren't. I should have done a Google and looked around.
22:25
It didn't occur to me until just now.
22:27
But just, you know,
22:29
sad that it took that long to get this
22:32
down. And, you know, we're
22:34
hearing about
22:37
the encryption and the tightening of
22:39
the
22:41
the intercarrier communications.
22:44
It's one thing for a carrier to be secure
22:47
within itself, but it is
22:49
the gap between
22:51
carriers where we need security.
22:53
And, you know, they're just not in a hurry. It's
22:56
like why, you know, we have
22:58
to make them do this, and
23:00
so far that hasn't happened.
23:03
Okay. What
23:05
is a freebie bot?
23:07
you ask. A new
23:10
class of bot has
23:12
been identified. And this
23:14
one does something that would be difficult
23:16
to predict, but once you hear
23:18
what it does, you think,
23:19
Is
23:20
that
23:22
illegal? Last Tuesday,
23:24
the anti bot research and
23:26
security provider, Kasada, who we've
23:29
spoken of before, shared the
23:31
results of their latest threat
23:33
intelligence, which detailed the
23:36
growing prevalence of so-
23:38
called freebie bots. Freebie
23:41
bots automatically scan
23:44
and scrape retail websites
23:47
searching for and
23:49
purchasing mispriced
23:51
goods and services, purchasing
23:54
these discoveries at
23:57
scale before the error is
23:59
found and fixed.
24:01
Kasada got hold of this. Kasada research
24:03
has found that more
24:05
than two hundred and
24:07
fifty retail companies
24:09
are recently being targeted by bots,
24:13
with over seven million messages
24:15
being sent monthly
24:18
within freebie communities.
24:20
Okay. Now, just... this is
24:22
illegal. Right?
24:25
No. No. Well, this is capitalism,
24:27
baby.
24:30
So just to be
24:32
clear, these are not furry communities.
24:34
These are freebie communities.
24:37
You know, nor are they furbee communities, but
24:39
that's something else. Members
24:42
within one popular freebie community
24:45
used freebie bots to
24:47
purchase nearly one hundred thousand products
24:50
in a single month with
24:52
a combined retail value
24:54
of three point four million dollars.
24:57
But Kasada's research revealed that
24:59
due to significant under-
25:02
pricing, the total purchase
25:04
cost of the goods for
25:06
the freebie users
25:08
was eight hundred and eighty
25:10
two dollars. This allowed
25:12
some individuals to realize a
25:15
monthly profit of over one hundred thousand dollars.
25:18
Top items purchased
25:20
using freebie bots during this
25:22
period of time included
25:24
off-brand sleeveless halter
25:27
neck mini dresses,
25:29
get this, Apple
25:32
MacBook Air laptops, and
25:34
deep cleansing facial
25:37
masks. Well, many pricing... It's
25:39
an interesting Venn diagram. That's
25:42
right. What's your overlapping
25:44
customer matrix? Many
25:46
pricing errors were the result of a
25:48
decimal point misplacement, granting
25:51
discounts as large as ninety nine
25:53
percent. Using the speed
25:55
and scale of a
25:57
bot attack to
25:59
rapidly purchase as much
26:01
stock of these erroneously
26:03
priced goods as possible, actors then
26:05
turn around and resell the goods
26:07
at the price they should have been, reaping
26:10
a large profit. So you can
26:12
see how this could happen. Right?
26:15
Someone keying in a
26:17
new item's retail listing,
26:19
gets into the habit of
26:21
entering a decimal point before the
26:23
last two digits of the price.
26:25
But then, they encounter
26:28
a price formatted as a
26:30
whole integer number of
26:32
dollars without any cents.
26:34
And without thinking, they place
26:36
a decimal point before the
26:38
last two digits, thus
26:41
inadvertently reducing the
26:43
listing's price by a factor of one
26:45
hundred. And it turns
26:47
out that at scale across
26:49
the entire Internet, these
26:51
mistakes happen enough to
26:54
have spawned the creation of
26:56
a new class of bot,
26:59
automated retail mistake-
27:01
finding bots, which will
27:03
instantly purchase as much of something
27:05
that's been mispriced as they're
27:07
able to. So,
27:10
Human ingenuity knows no bounds.
27:12
I suppose that while this might
27:14
not be technically illegal, you
27:16
know, it certainly is unethical and
27:19
dishonorable. Is it? Well
27:22
No. I mean, I'm buying it at the
27:24
listed price. You know
27:27
when the MacBook Air is
27:30
offered for fifty bucks.
27:32
Some of my problems
27:35
something something wrong. That's a good deal.
27:37
I'll take it. How many could
27:39
I have? I just I guess
27:41
it depends. If this is happening to, you
27:43
know, your local goodwill store,
27:45
that's terrible. And that's probably more
27:47
likely where it is. Apple probably never makes
27:49
a mistake like this because they have good
27:51
software. But still.
27:54
You're right. It's probably taking advantage of
27:56
people who can call for call retailers.
27:58
Yeah. Yeah. Yeah. I mean, Apple's never
27:59
gonna misprice. They've got
28:02
guaranteed... I have
28:04
seen oddly priced things on
28:06
Amazon. You probably have too. Yeah. Where
28:08
it's just like, what? That can't be right.
28:10
You know? I just you know, I mean,
28:12
it's for a left-handed
28:14
screwdriver, so I don't need one. But
28:16
I... you know, I mean, I
28:18
I'm the kind of guy, and I know you are too, that probably would go,
28:20
that's a mistake. I'm not gonna take advantage
28:22
of that. So maybe
28:25
it is unethical. I wouldn't do that. But it
28:28
depends, I guess, on the size of the company. The
28:30
point is, as I said, once you
28:32
hear the idea, no one is
28:34
surprised. Oh, it happens all the time. Yeah. Yeah.
28:37
Yeah. Well, no. I mean, that
28:39
that a bot has been created -- Oh, yeah. --
28:41
to go scan -- Oh, yeah. -- for
28:43
these mistakes in real time --
28:45
Absolutely. -- and buy up the
28:47
inventory. Wow. Okay.
28:49
We have the anatomy
28:52
of a real time cryptocurrency
28:55
heist. The group PIXM
28:58
Security, whose business is to
29:00
protect end users from credential
29:02
fraud, recently blogged
29:04
about the details of an attack
29:06
group they've been monitoring. The
29:09
lengths this group will
29:11
will, and does, go to
29:15
to circumvent, you know, like, one of the
29:17
newer protections, the
29:19
the deliberate authorized
29:21
device protections we're beginning to see
29:23
more and more, where, like, if
29:25
you go use a new device, you log in from
29:27
somewhere you haven't logged
29:29
in before, there's like, whoa.
29:32
We haven't seen this device before, so
29:35
we're gonna make you jump through
29:37
some extra hoops. So, okay, what's
29:40
interesting here. This is I think you're gonna find this
29:42
really interesting, Leo,
29:44
their
29:45
report in detail
29:48
of what's behind a
29:50
true real-life phishing
29:53
exploit. So
29:55
Okay. And just to give you a hint,
29:58
scammers will use in
29:59
-browser chat to initiate a
30:02
remote desktop
30:04
session on a victim's device,
30:06
approve their own device as valid
30:08
to access the user's account, then
30:10
drain the cryptocurrency from their
30:12
wallet or wallets. So okay. Here are
30:15
the details behind this. When
30:17
PIXM's threat research team first started
30:19
tracking the group, they were only
30:22
targeting Coinbase,
30:24
right, like the premier exchange.
30:26
Then over the past month,
30:28
the group has increased their coverage, the
30:31
bad guys have
30:33
increased their coverage to add
30:35
support, if you will, for
30:37
MetaMask, crypto dot
30:40
com, and KuCoin,
30:42
it's K-U-C-O-I-N,
30:44
in addition to coinbase. So
30:47
now four. The
30:49
spoofed domains are
30:51
the typical slightly misspelled
30:53
in this case, subdomains of
30:56
azurewebsites dot
30:58
net. So that's the the hub of where they
31:00
are, and so it'll be like,
31:02
you know, coinbase
31:05
dot azurewebsites dot com
31:07
or dot net or something like
31:09
that. The group employs
31:12
working, effective second-
31:15
factor relay interception when a
31:17
user is spoofed into going to
31:19
a lookalike site. Regardless
31:21
of the credentials the user
31:24
enters, whether they're legitimate or
31:26
not, since the
31:28
spoofing site cannot determine that initially, the
31:30
user will be moved to a
31:32
two step verification page
31:35
after clicking log in,
31:37
where depending upon the platform in question,
31:40
they'll get what they're expecting, which
31:42
is either prompted for
31:44
a second factor code
31:47
or their phone number is prompted for
31:50
and then used to receive a two-
31:52
factor code. The criminal
31:54
group will first attempt to
31:56
relay the credentials they've been
31:58
given and second-factor
31:59
codes to the legitimate
32:03
login portal which is associated with a
32:05
platform they're spoofing. Once
32:07
the user clicks verify, they
32:09
will be presented with a message
32:11
no matter what happens, telling
32:14
them unauthorized activity
32:16
has occurred on their account.
32:18
Well, it turns out it's true
32:21
actually, but you know, this
32:23
is the bad guys trying to reel
32:25
them in further. As
32:27
with the original coinbase attack,
32:29
which this group
32:31
started with, this will initiate a
32:33
chat window to keep the
32:35
user on the phishing page in
32:38
the event the two factor
32:40
code should fail, which, of
32:42
course, the bad guys don't know yet because they'll
32:44
get prompted for that after they
32:46
attempt to log in. And the
32:49
threat actor needs to start oh,
32:51
and should the threat actor need to start
32:53
a remote desktop session
32:55
with the victim to continue
32:57
with his attack. PIXM wrote that in
32:59
their experience, regardless of
33:02
whether the victim enters legitimate credentials
33:04
or not, the group will
33:07
chat the victim
33:09
to keep them in contact, should
33:11
they need to resend a code
33:13
or proceed to the second phase of the
33:16
attack. The criminal gang's willingness to do
33:18
this significantly increases
33:21
I'm sad to say
33:24
end user engagement, you
33:26
know, and their belief that, like, they're talking
33:28
to the real guys. Right? Because there's someone
33:31
there. For the majority of
33:33
the attacks, which this group
33:35
carries out, they engage in
33:37
direct interaction with the
33:39
user. Their spoofed login and
33:41
verification portals will
33:43
by default return a
33:45
login error as I mentioned
33:47
regardless of the actual standing
33:49
of the user's account or
33:51
you know, on the the
33:54
actual exchange and the
33:56
wallet. Of course, this process is
33:58
intended to initiate a chat session with a
33:59
member of the criminal group posing as a customer
34:02
support representative from the
34:04
exchange, the criminals will
34:06
use this interface to attempt to
34:08
access the
34:10
user's account if their initial credential relay failed
34:12
or if it might have time
34:14
expired. Right? Because we know that these one
34:18
time passwords only are limited to thirty seconds, and then
34:20
they change, so it may have
34:22
expired. If so, they'll
34:24
prompt the
34:26
user for their username, password, and second factor
34:28
authentication code again directly
34:31
in the chat window. The
34:33
criminal will then take this directly to a browser on their
34:36
machine and again try to access
34:38
the user's account. Should this
34:40
also fail, for any number of
34:42
reasons, most common of which is that
34:44
the device the attacker is using
34:46
to access the victim's account
34:48
or wallet is not, as I
34:50
mentioned before, an authorized device in the user's
34:52
profile, which probably means unknown
34:56
IP or it doesn't
34:58
have a persistent cookie,
35:00
which the the user's
35:02
browser would
35:04
have even if they've they've said, I don't wanna remain logged in,
35:06
they would still have a you know,
35:08
that would be a session cookie
35:11
Separately, they'd have a persistent cookie which says
35:14
browser has it logged in
35:17
in the past. In that
35:19
case, the attacker will proceed to phase three with the
35:22
victim. The group uses
35:26
the tawk.to, TAWK dot T
35:28
O, the tawk.to
35:30
chat plugin on all
35:32
the sites each
35:34
with the same customer support
35:36
representative named Veronica.
35:38
So, you
35:39
know, be
35:40
be wary if Veronica is talking to
35:42
you. If previous efforts
35:44
have not succeeded in giving the criminal
35:46
group access to the victim's wallet.
35:48
They'll instruct the victim to
35:51
download the TeamViewer
35:53
remote access control app.
35:56
They instruct the victim that this is
35:58
to help them diagnose the issue with
36:02
their account directly on the user's machine. Once the
36:04
victim has installed TeamViewer on their
36:06
device and entered the code
36:08
provided by the group, right, to initiate
36:10
the session, the
36:12
criminal now has full control of
36:14
this poor user's device and
36:16
will guide them through the
36:19
steps required to authorize their
36:22
device that is, you know, their own
36:25
machine wherever they are to
36:27
the victim's account and
36:29
hijack their session. The
36:32
criminal has the user navigate to
36:34
their email inbox associated
36:36
with the crypto exchange or
36:38
wallet account. They'll instruct the user to log in to their
36:40
account on the Exchange or Wallet
36:42
site. While the user's logging in,
36:44
the attacker who has control of the
36:46
victim's device
36:48
will enter a random character while the
36:50
victim is entering their password. Right?
36:53
Like, interject a
36:56
character mid
36:58
stream, which will force
37:00
it to fail. The attacker will
37:02
then click into the TeamViewer
37:06
chat box with the victim's knowledge and ask them to
37:08
enter their password again, which is
37:10
just, of course, sending the password
37:12
now to the criminal in
37:14
plain text. When
37:16
the user re authenticates, the
37:19
attacker will simultaneously log in
37:21
to the user's account on
37:23
their own device, which will prompt a
37:26
new device confirmation link
37:28
to be sent to the user.
37:30
The criminal then takes over the user's desktop
37:32
session and sends them
37:34
self via the TeamViewer chat
37:38
feature the device confirmation
37:40
link. They can now
37:42
use this link to validate their
37:44
own device to access the
37:47
user's account. The final draining of
37:49
the user's cryptocurrency funds may then
37:51
be initiated during,
37:54
you know, like, will be initiated
37:56
during any of the previous
37:58
attack
38:00
phases as
38:02
soon as the bad guys have access to
38:04
the wallet. It's, of course, only contingent
38:06
upon the attacker finally being
38:08
able to successfully authenticate to
38:11
the victim's account from their own machine
38:13
being recognized as an
38:15
authenticated machine if it
38:17
hasn't already been. And, of course, once
38:19
the criminal is in the victim's account, they'll immediately begin
38:22
transferring any cryptocurrency held in any
38:24
of the victim's wallets to
38:26
their own. And
38:28
they keep the victim engaged
38:30
and waiting as they
38:32
steal their funds in in the
38:35
background on their own machine in
38:37
the event that the service they're draining funds
38:40
from might require some
38:42
sort of email or
38:44
additional phone confirmation
38:46
transfer. If that's the case, the
38:48
attacker will assure the victim that
38:50
this is normal. An
38:52
expected activity related to their
38:54
account restoration. Once all
38:56
the funds have been sent from the victim
38:58
to the criminals' wallet, they end
39:00
the communication with the victim having emptied
39:03
the target's wallet. So that
39:06
should give everyone a sense
39:09
for how much
39:10
how much
39:13
effort bad guys in
39:15
some sort of, you know,
39:17
big cyber farm, you
39:20
know, cryptocurrency exchange
39:24
farm, are willing to go
39:26
to, to
39:28
phish people who have cryptocurrency and
39:30
relieve them of that
39:32
burden. Amazing.
39:34
I wonder if they'll move on now that
39:37
crypto's gotten less and less
39:40
valuable. I don't know. It's
39:42
nicely anonymous. It's a great thing to
39:44
steal because -- Yeah. --
39:46
target tank. Yes. And toward the end of the podcast,
39:48
I'm gonna talk briefly about
39:50
my own experience with
39:52
having an
39:54
a an open web server where anyone is
39:56
able to create an account. Right. Leo,
40:00
the Internet has become
40:02
a sewer and and
40:04
and I know from
40:06
my experience in trying to
40:08
prevent that that there are and in
40:10
fact, from from talking to some of
40:12
the anti forum spam people, who I
40:15
struck up a dialogue with, that
40:17
there are rooms full
40:20
of people
40:22
sitting at screens and keyboards who
40:24
do nothing but that
40:26
all day long. And there
40:28
are different
40:30
rooms full of similar people who do nothing but
40:32
respond to phishing cryptocurrency
40:35
link clicks and then
40:38
perpetrate all
40:40
of this. draining people individually of
40:42
their cryptocurrency. So, you
40:44
know, it cost I mean, if they're willing
40:46
to do that to create an
40:48
account against
40:50
all odds on a web forum, they are certainly
40:52
willing to do something not that much
40:54
more in order to get a hold
40:56
of someone's cryptocurrency wallet that
40:59
may have a bunch of money in
41:01
it. Unbelievable. Okay.
41:06
Let's take a break. Yes. And I'm gonna sip
41:08
on some water, and we have to tell everybody why we're here. Why
41:10
why I ask you, why why
41:14
why are we here? I'll
41:16
tell you We're here for you, Steve. There's no question about
41:18
that. But while you're listening to the
41:20
show, we like to throw
41:22
in mentions of some of our
41:24
fine advertisers because
41:26
there are almost always products that people who listen to
41:28
show might be able to use, like Plex
41:32
Trac, which is the premier
41:35
cybersecurity reporting and
41:37
collaboration platform transforming the
41:39
way cybersecurity gets
41:42
done. Communication is
41:44
essential in every bit of everything we
41:46
do. Right? You've got to be able to communicate it.
41:48
It's all the more true if you've got a
41:50
red team and a blue team and the red
41:52
team is doing the pen testing and comes up with the problems and the
41:54
issues and the things that need to be fixed
41:56
and the blue team does the remediation.
42:00
Communication between the two is
42:02
vital. PlexTrac makes that
42:04
easier. Are you ready to
42:06
gain control of all your tools and
42:09
data to to build more actionable reports
42:11
more easily to focus on
42:13
the right remediation. Are
42:16
you working now to mature your
42:18
security posture, but struggling to
42:20
optimize efficiency and facilitate
42:22
collaboration within your team? PlexTrac
42:25
is the perfect solution for
42:27
you. It's a powerful but
42:29
simple platform that centralizes all your
42:31
security assessments, all your
42:33
pen test reports, all
42:36
your audit findings and vulnerability tracking in one place.
42:39
It transforms the risk management
42:41
lifecycle, allowing security teams to
42:43
generate better reports, more
42:46
easily, more quickly, aggregate and visualize analytics.
42:49
It's nice to have those
42:51
pictures and to collaborate on
42:53
remediation in real time. How
42:56
does it do this? The PlexTrac platform addresses pain
42:58
points across the spectrum of security
43:00
team workflows in which PlexTrac is second
43:03
to none, for example, in
43:05
managing offensive testing and reporting security findings. You
43:07
can embed, drag and drop, put
43:09
in code samples,
43:12
screenshots, videos in
43:14
any finding. You can import findings
43:16
from all the tools you use, the, you
43:18
know, Nessus burp, all the major scanning
43:20
tools. You can export to
43:23
custom templates with a click of a button. Analytics and service
43:25
level agreement functions help you
43:27
visualize your security posture, so
43:30
you can quickly assess and prioritize and ensure your tracking remediation
43:33
efforts to show progress over
43:35
time. It's got
43:38
built in compatibility with all the leading industry tools
43:40
and frameworks, all the vulnerability scanners,
43:42
pen testing as a service bug
43:46
bounty tools, adversary emulation plans.
43:48
And that's always a problem because you have all these tools.
43:50
Right? But they don't talk to one another. PlexTrac is
43:53
the in-between. It's the glue
43:56
that puts it all
43:58
together, easily, quickly. You can have
43:59
templates, you can have
44:02
automated reporting, You've got robust integrations with Jira and
44:04
ServiceNow. So you're always closing
44:06
the loop on the highest
44:08
priority findings. It just
44:10
makes sense. It's the piece of the puzzle
44:12
that's been missing. You've got all these tools.
44:14
Now you've got a way to synthesize,
44:16
to act upon it, to remediate
44:18
it promptly. It's very important
44:21
to show the boss, the board,
44:23
the c suite, the compliance
44:25
auditors, what you've done,
44:27
what you're doing. Enterprise security teams use PlexTrac to
44:30
streamline their pen tests and security
44:32
assessments, their incident response reports and
44:34
much more. PlexTrac clients
44:36
report up to a sixty percent
44:38
reduction in time spent reporting.
44:40
That's the templating. You know, that's
44:43
sitting there, typing this stuff in by hand, doing
44:45
it all manually. Thirty percent increase
44:47
in efficiency. And this is
44:49
probably important to your boss. five
44:52
x ROI in year
44:54
one. All in all, PlexTrac
44:56
provides a single source of truth for all
44:58
stakeholders transforming the cybersecurity
45:00
management life cycle. I I really
45:02
think you want this. Book a demo today to see
45:05
how much time PlexTrac could save your team.
45:07
Try it free for a month. But
45:09
I gotta warn you, if you do that, you're never gonna wanna give it up. See how much
45:11
it will improve the effectiveness and efficiency
45:13
of your security team. By the
45:15
way, this is great. because
45:17
it's very fast to get up and running. It's easy
45:19
to learn. Simple. But,
45:22
boy, it is the lever
45:24
that you want to
45:26
move what you're doing
45:28
ahead. Go to plextrac dot com slash
45:30
twit, claim your free month, PLEXTRAC
45:35
dot com slash TWIT
45:38
This is a must have tool
45:40
for everybody in the security
45:42
business. plextrac dot com slash twit.
45:44
We thank them so much for supporting
45:46
Security Now. And you
45:48
support us too, but you gotta go to that
45:50
address so they know you saw it here. plex
45:53
trac
45:53
dot com slash twit. Now
45:55
back to you,
45:56
Steve. So if
45:59
any of our listeners, are
46:01
looking for something to do.
46:04
The Karakurt group
46:06
with
46:07
known ties to
46:10
former Conti gang members and known for its hack and
46:12
leak extortion operations announced
46:14
this week that they are
46:18
recruiting people to
46:21
breach networks, code
46:24
malware, socially engineer people,
46:26
and extort companies for payments.
46:28
Of course, I'm not serious about any of
46:30
our listeners wanting a job there, but their
46:33
their their online posting
46:35
was wonderful. So just
46:37
a little bit: the Karakurt,
46:40
KARAKURT,
46:42
Karakurt, gets its name from a
46:44
type of black widow spider. It's
46:47
not a ransomware gang. They don't bother
46:50
with encryption. They're known for
46:52
extortion and for
46:54
demanding ransoms between
46:56
twenty five thousand and as much as
46:58
thirteen million payable in
47:00
Bitcoin. They don't target
47:02
specific sectors or industries.
47:04
They're an equal opportunity,
47:09
you know, denizen. The gang backs up their claims
47:11
of stolen data using screenshots and
47:14
copies of extra exfiltrated
47:16
files as proof that they've been in
47:18
someone's network.
47:20
And they threaten to sell or leak the data publicly if they
47:23
don't receive a payment. And
47:25
they're not very patient. Karakurt
47:28
typically sets a one week deadline to pay.
47:30
Until they're paid, they bully
47:32
their victims by harassing their
47:34
employees, business partners, and customers with
47:37
emails and phone calls, all aimed to
47:40
pressure the company into paying the
47:42
ransom. So not nice
47:44
people.
47:45
Okay. Their site on
47:46
the dark web is a Tor hidden
47:48
service. So, you know, it's a
47:51
dot onion domain. It
47:54
contains several terabytes worth
47:56
of previous victim data along
47:58
with press releases naming organizations
48:01
that had not paid
48:04
up in terms of, you know, getting ransom and
48:06
instructions for buying victim's
48:08
data. The site surfaced
48:11
in May. The miscreants usually
48:13
break into networks by
48:15
either purchasing stolen login
48:17
credentials, using third party initial
48:19
access brokers that we've spoken
48:21
about extensively previously. You know, of
48:24
course, those are brokers
48:26
that sell access to compromised
48:28
systems or by abusing
48:30
security weaknesses in the network's
48:32
infrastructure. Okay. So this
48:34
brings us to their so called
48:38
great recruitment, posted
48:40
recently, last week, on the dark
48:42
web. Since it was interesting
48:44
and somewhat entertaining, I thought
48:46
it would be worth sharing. Now,
48:49
they're Russians, but I
48:51
found myself thinking, wow. Okay. They're not
48:53
having a translation problem into
48:56
English in this instance. The
48:58
posting is well translated in
49:00
English. They wrote in this
49:02
posting: The Karakurt,
49:04
the Karakurt team
49:06
is glad to announce some news, more than
49:09
a year in private mode, but
49:11
now we open the
49:14
great recruitment. You
49:16
can join our honorable mission to make
49:18
companies pay
49:21
for the existing
49:24
gaps in their cybersecurity and for the inaction
49:26
of their IT staff.
49:28
So, our dear hack
49:32
lovers, what we
49:34
have for you,
49:35
colon: Are you
49:37
an experienced pen tester?
49:40
And for some reason, do not
49:42
want to work with ransomware operators? We
49:44
could find a better place in our
49:46
team. Meaning they don't do
49:48
ransomware. Otherwise, they're every bit
49:50
as evil. Do
49:52
you work for a company that you hate with
49:55
all your heart? Or maybe
49:57
your boss
49:59
fired you but forgot to
50:01
turn off your network access. You can find
50:04
solace in
50:06
our arms. You are
50:08
a bearer of a sacred
50:10
knowledge of malware coding,
50:12
disassembling, exploit
50:14
developing? The Karakurt team is ready to set interesting and
50:16
non trivial tasks for research,
50:18
implementation of specialized software,
50:21
and modification of
50:24
tool kits. Are you from the financial
50:26
industry? Do you know how to make money on
50:28
quotes of companies whose
50:30
shares are in
50:32
poor condition? Know how
50:34
to sell data in a specific
50:36
market. We will hug you and
50:38
love you more than anyone has
50:40
ever loved
50:42
you before. Are you from a data recovery company and
50:44
know us? Let's be
50:46
friends. Maybe even
50:48
best friends. Do you
50:50
have social engineering experiences?
50:52
There is also a vacancy.
50:54
Wanna take revenge on
50:57
capitalism through cyberspace? We will find you both
50:59
a vacancy and a psychologist. Perhaps
51:02
you're a crazy researcher.
51:05
We're
51:07
really waiting for you, bro.
51:10
The best hacker group, Karakurt,
51:12
is waiting for you,
51:14
our dear
51:16
hack lover. So
51:18
the good news is,
51:20
the that's
51:22
not being seen by most people
51:24
who are not visiting the dark web
51:26
and I assume if you're visiting the dark web, you're either a security
51:28
researcher who is not interested or
51:31
you're a bad guy who
51:34
might be. Anyway, now you know. Karakurt has
51:36
their arms wide
51:38
open ready to love
51:40
you more than you've ever been loved.
51:44
Okay. Speaking of job
51:46
offers, over the summer,
51:48
the US government
51:50
held what they called a
51:53
cybersecurity apprenticeship sprint. As a result
51:55
of that, seven
51:58
thousand apprentices
52:00
were hired in official cybersecurity
52:02
roles with around a
52:04
thousand of the new hires being
52:06
sourced from the
52:08
private sector. The Sprint was launched in July by the White House
52:10
and the Department of Labor as a way to
52:12
boost the government's
52:14
cybersecurity workforce.
52:17
Okay. I mentioned
52:20
a web server
52:23
from the dark ages. The
52:26
security firm, Recorded Future,
52:30
found that a Chinese advanced
52:33
persistent threat actor had leveraged
52:35
a vulnerability in an
52:38
IoT device
52:41
to gain access to
52:43
an electrical grid operator
52:46
in India. And in
52:48
a report last week, Microsoft said
52:50
that they had identified the entry
52:52
point for the attack. It was a
52:55
tiny, somewhat obscure
52:58
web server known
53:00
as Boa. It's WWW
53:03
dot boa
53:06
dot org. And actually, I was
53:08
surprised that there was a three
53:10
letter dot org. Those are
53:12
rare. And it's only due to the fact
53:14
that it's been around for a
53:16
long time. Boa,
53:18
which is said to be widely used
53:20
across the IoT and ICS,
53:22
that's industrial control system
53:26
space. Okay. As we all
53:28
know, it could be very handy to have
53:30
a nice simple and
53:32
tight little web server, you
53:36
know, so tiny that it
53:38
could even be considered a component.
53:40
Although Boa is written
53:42
for UNIX like operating systems,
53:45
it doesn't use the traditional UNIX fork and
53:47
spawn approach of creating multiple
53:50
instances of
53:52
itself to handle individual incoming connections.
53:54
I didn't study Boa long enough
53:56
to determine whether it's multithreaded,
53:59
thus
54:00
spawning a new thread for each request. It
54:03
might be purely serializing.
54:05
Since the UNIX Berkeley
54:07
socket TCP/IP
54:10
stack supports a queue of waiting connections,
54:13
Boa might simply
54:15
accept one connection after
54:18
another using a single thread of execution that
54:20
would indeed make it quite lean.
54:23
And apparently, Boa
54:25
is also quite fast. Of
54:27
course, you get that, until you overload
54:30
it, with an
54:32
HTTP server that is so
54:34
simple. Okay. All of that
54:36
is okay. But here's the
54:38
problem. It's not
54:40
that Boa was first written
54:43
and released twenty
54:45
seven years ago in nineteen
54:48
ninety five, that's fine.
54:50
The problem is that the last
54:52
attention its source code
54:55
received was seventeen years ago back
54:57
in February of two thousand
55:00
five. And
55:02
looking through Boa's development history,
55:05
I noticed some... Website.
55:08
Yes, my friend. It
55:10
was very...
55:12
That makes mine look modern. It's very...
55:14
It was last updated February
55:17
two thousand five. Uh-huh.
55:19
And it's, you know, I couldn't pull it up because it's not
55:22
HTTPS. I had to just... Oh,
55:24
no. No. Nor is the web
55:26
server, Leo. Yeah.
55:28
Uh-huh. Okay. So if
55:30
you click on news,
55:32
that first link, Steve,
55:36
click on that, and then if
55:38
you scroll down to the two
55:41
thousand two developers conference. Oh, yeah.
55:43
The big Boa developer
55:46
conference. Who could forget? I have a picture of the developer
55:49
conference attendees
55:51
in the show notes. I
55:55
noted some interest, and it
55:57
was just two of them.
55:59
On
55:59
October fourth
56:02
and fifth. Of two
56:02
thousand two, the Boa developers conference
56:05
was held. The official
56:07
minutes of the event
56:09
noted, quote, Larry, and
56:11
one of his sons stayed at John's
56:14
house October fourth and
56:16
fifth two thousand two. While the
56:18
reasons were unrelated to Boa development,
56:21
And in fact, Larry and John spent only a
56:23
few hours discussing Boa,
56:26
computers, and the world, it
56:29
seemed appropriate to refer to the event as a developers'
56:32
conference. Here is a
56:34
picture... That's
56:36
the entire team in one location. Here
56:39
is a picture of Larry
56:42
and John at John's
56:44
house. Left to right,
56:48
John, Larry.
56:49
Now, my
56:52
goodness.
56:53
This
56:55
this web server is
56:57
in the
57:00
is is in an IoT device,
57:02
which is being used by
57:05
the grid operators of what was it that
57:07
I said? Israel -- India.
57:09
-- India. Yeah.
57:12
India. Right? So,
57:14
you know... Well, the price was right, I guess. It
57:17
certainly was. I have no
57:19
doubt that these two have their hearts in
57:21
the right place. if
57:23
they're still beating. If they're around. Yeah.
57:26
But a but a web server,
57:28
they wrote twenty seven years ago,
57:30
and last tweaked seventeen
57:32
years ago, which has no support
57:34
for secure connections, is
57:37
currently in use. And apparently widely so because
57:39
it's apparently very popular
57:42
among other places, the
57:44
operation of an electrical grid
57:46
operator in
57:48
India. Lord only knows where else this boa constrictor
57:50
might be lurking. There
57:52
are a lot I mean,
57:55
you know, there are a lot of mini specialty
57:58
web servers. That's a simple thing.
57:59
Yeah. It takes it
58:02
after two, the right one these days. Yeah.
58:05
But,
58:05
wow.
58:06
Why they chose this
58:08
one is baffling. Well, it's
58:10
tiny. Right? So it's like, well, we're
58:13
gonna put it in ROM. Who's got the
58:15
smallest server? Oh, look, Boa! Oh, and you didn't pick
58:17
up bring up their logo page
58:19
on that site. Leo, it's
58:22
pretty good. These are if you want to put a
58:24
logo on your home
58:26
page when you've used
58:28
the Boa
58:30
constrictor in order to
58:32
serve your pages, you
58:34
can pick from any of these.
58:37
I wanna put
58:39
this on my website just for fun.
58:42
Powered by Boa, the hyper
58:44
form. When you feel the need
58:46
for speed, I like the
58:48
one with the colored scales.
58:50
Oh, yeah. Yeah. That's good.
58:52
That's nice. Yeah. And look good on
58:54
my site.
58:56
Oh. Anyway, unfortunately, IoT devices
58:58
on the net are powered by Boa.
59:00
And
59:02
Microsoft didn't specify the way in,
59:06
but China found a way in. And it's not surprising. I
59:08
did a search on
59:10
their errata page for null.
59:14
And I found lots of null pointer problems in the past, so
59:17
presumably not all of them.
59:19
But good news, it's Y2K
59:22
compliant. Yes.
59:24
Yes. Your concerns from
59:26
twenty two years ago about
59:29
Y2K
59:31
have been addressed. Larry and John did it by phone. They
59:33
did they decided not to have a developer's conference
59:36
for that because and there
59:38
actually is they go on at
59:40
some length. on their
59:42
explanation page about Y2K.
59:44
And while the underlying OS may have a
59:46
problem with it, at least their code doesn't.
59:50
Yeah. So Rest assured, if your clock is set wrong, you'll be
59:52
okay. They I noticed they
59:54
copied their their Y2K
59:57
statement from the Apache project.
1:00:00
So I guess
1:00:02
they were aware of your other little
1:00:04
web server out there. No. Yeah. No need
1:00:06
to reinvent the wheel. No. That's right.
1:00:09
Unfortunately, they didn't copy
1:00:12
their TLS support from
1:00:14
Apache. -- Wow. -- They don't have any.
1:00:16
Wow. Wow. Okay. So
1:00:20
the dilemma of closed
1:00:22
source Chinese networking products.
1:00:25
I dislike the idea,
1:00:28
and I know you do too, Leo, of banning foreign
1:00:30
companies from selling their products
1:00:32
to whomever wants to
1:00:34
purchase them. And the idea
1:00:36
that networking and surveillance
1:00:38
cameras of Chinese origin might
1:00:40
incorporate designed
1:00:42
intrusion capability
1:00:44
It does seem a little bit far fetched to
1:00:46
me. Presumably, such cameras
1:00:48
are not phoning home to China, but
1:00:51
are networked locally. So the first
1:00:53
instant unexplained data was caught
1:00:56
transiting the wire, there would be hell
1:00:58
to pay. But
1:01:00
at the same time, we cannot prove the
1:01:02
negative. Right? We have no way
1:01:05
of proving that there isn't any
1:01:08
backdoor Trojan capability
1:01:10
present in Chinese network
1:01:13
and surveillance cameras. So I
1:01:15
suppose that the actions from the US and the
1:01:18
UK are
1:01:20
understandable. Last Friday,
1:01:22
November twenty fifth, both the
1:01:24
US and UK governments banned
1:01:28
the use of Chinese networking and surveillance
1:01:30
equipment citing national
1:01:32
security related fears as
1:01:34
the grounds for their decisions.
1:01:38
The US Federal Trade Commission has banned
1:01:40
the import and sale of
1:01:42
networking and video surveillance equipment
1:01:45
from Chinese companies Dahua,
1:01:48
Hikvision, Huawei,
1:01:51
and ZTE. And I
1:01:53
know that at least Dahua
1:01:55
and Hikvision
1:01:57
are state owned companies.
1:01:59
And and we
1:02:01
talked about Hikvision not
1:02:03
long ago with regard to
1:02:05
some badness that they were caught with. So
1:02:07
in the UK, the parliament has
1:02:10
instructed government departments to cease the
1:02:12
development of
1:02:14
security cameras, I'm sorry, the deployment
1:02:16
of security cameras from Chinese companies on,
1:02:18
quote, sensitive sites, unquote, such
1:02:22
as government buildings and military bases. British
1:02:24
officials said the Chinese made security
1:02:27
cameras should not be connected
1:02:29
to core networks and that
1:02:32
government departments should also consider
1:02:34
removing and replacing existing
1:02:36
equipment even before
1:02:38
scheduled upgrades. US and
1:02:40
UK bans come after
1:02:42
both countries' intelligence agencies
1:02:44
warned against the use of
1:02:46
equipment from Chinese companies cautioning
1:02:50
the Chinese equipment could be
1:02:52
used for digital surveillance, digital
1:02:56
sabotage, and
1:02:58
economic espionage. Again, of course, they're not
1:03:00
wrong,
1:03:00
but we already
1:03:01
do lots of even dumber things
1:03:04
like deploying
1:03:06
proprietary design closed
1:03:09
source voting machine technology in critical elections.
1:03:11
You know, how do we know what those
1:03:13
machines are doing? Both
1:03:17
Dahua and Hikvision
1:03:19
had already lost a large chunk
1:03:21
of their market in the US after
1:03:23
the US treasury department sanctioned
1:03:25
the companies for providing the Chinese
1:03:28
government with facial recognition
1:03:30
and video tagging solutions in
1:03:33
the government's efforts to oppress the
1:03:36
Uighurs. And I recall,
1:03:38
as I mentioned, that Hikvision was on our
1:03:40
radar, on
1:03:42
our radar separately for something that they were
1:03:44
doing maybe six months ago or
1:03:46
so. We've talked about this a lot in the
1:03:48
past. I noted that
1:03:51
it was hard to believe that Russia
1:03:54
was still using the American
1:03:56
made closed source
1:03:58
Windows OS when
1:04:00
hostilities between the US and Russia have
1:04:02
been so aggravated. And it's
1:04:04
also amazing that until
1:04:06
now, the US has
1:04:08
been deploying Chinese made
1:04:10
networking gear while having
1:04:12
absolutely no idea what's
1:04:14
inside the box. In the past,
1:04:17
we've even discussed the existence of
1:04:19
counterfeit Cisco networking gear. Since Cisco
1:04:22
equipment is all manufactured
1:04:24
in China, both the
1:04:26
real and the clearly
1:04:28
counterfeit equipment all
1:04:30
comes from the same place. How do
1:04:32
we know what the counterfeit systems
1:04:34
are gonna do? And
1:04:36
the
1:04:36
burden of
1:04:37
trust is really not
1:04:40
symmetrical due
1:04:42
to Chinese massive manufacturing and
1:04:44
fabrication capability, they
1:04:47
receive Western technology
1:04:50
from us. and
1:04:52
the west purchases the resulting Chinese
1:04:56
products from the east.
1:04:58
Thus, more trust is required from
1:05:00
the West than
1:05:02
is from the East.
1:05:04
So I suppose my point
1:05:06
is, we
1:05:07
cannot
1:05:08
discount such
1:05:10
concerns as being, you know, purely
1:05:12
hyperbolic and inflammatory. Our dependence upon
1:05:14
our networks and digital infrastructure
1:05:18
has slowly but surely
1:05:20
been growing through the last
1:05:22
several decades. So it's
1:05:25
only natural that at some
1:05:27
point someone at the national government
1:05:30
level is gonna wake up one
1:05:32
morning and pose
1:05:34
the big, but what if, question to their
1:05:36
staff. You know, it's that
1:05:38
but what if that was
1:05:41
the driving factor behind the
1:05:43
recent decision to just say
1:05:46
no to Chinese networking
1:05:48
and video equipment.
1:05:52
And unfortunately, the protectionism that results, I
1:05:54
think, is both sane and
1:05:56
rational. Even if you can't prove
1:05:58
that anybody's doing anything
1:05:59
wrong, you
1:06:02
know? What
1:06:02
if? And, you know,
1:06:03
the equipment we're buying is
1:06:06
just a black box. We plug it
1:06:08
in and we assume it's gonna be
1:06:10
okay, but
1:06:12
we have no ability to prove that that's the case. It really
1:06:14
is a dilemma that we've gotten ourselves in.
1:06:16
And all I can see is
1:06:19
that over time, between
1:06:24
countries where there is
1:06:28
clear hostility, we're
1:06:29
just not
1:06:30
gonna be able to trust equipment
1:06:32
from each other. And, you
1:06:34
know,
1:06:35
I think that's
1:06:37
what has to happen. Until
1:06:39
and unless open
1:06:42
source ultimately wins as I
1:06:44
argue, and I know you agree, Leo.
1:06:46
Wow. It
1:06:48
ultimately should. Oh, I didn't realize you were a complete
1:06:50
fan. Oh, yeah. Good. Yeah.
1:06:52
I am too. Yeah. I absolutely
1:06:54
think we're really learning
1:06:56
that over and
1:06:58
over and over, frankly. Yes.
1:07:00
Yeah. Yes. MIT recently published
1:07:02
its rankings of national cyber
1:07:06
defense by nation. Interestingly, at the top of the
1:07:08
list for the best defense,
1:07:10
cyber defense,
1:07:12
is Australia. In
1:07:14
second place is the Netherlands, third place
1:07:16
goes to South Korea, and we
1:07:19
here in the US, we
1:07:21
just eke out Canada
1:07:24
a little bit. We're in fourth place with Canada in fifth.
1:07:26
So those are the top five.
1:07:30
Australia, Netherlands, South
1:07:32
Korea, US, and Canada. Then
1:07:34
the way MIT, so
1:07:37
they did the top twenty.
1:07:40
So the way they organized it is the top five are
1:07:42
green, then the middle
1:07:46
ten, they
1:07:48
lumped together. That's Poland, the UK, France, Japan,
1:07:50
Switzerland, Italy, China, Germany,
1:07:52
Spain, and Saudi Arabia in
1:07:56
descending order. And then the bottom five they mark separately
1:07:58
as red, and that's in
1:08:00
order of descending security, Mexico,
1:08:04
India, Brazil,
1:08:06
Turkey, and Indonesia. So
1:08:08
anyway, just sort of an interesting
1:08:11
ranking. And it's interesting
1:08:13
that Australia, you know,
1:08:15
got a seven point
1:08:17
eight three. This was all
1:08:20
ranked out of ten. So
1:08:22
they got a seven point eight
1:08:24
three. The US is seven point
1:08:26
one three. So a bit of a drop.
1:08:28
Although Indonesia at the
1:08:30
very bottom of this twenty,
1:08:34
is three point four six, so it's
1:08:36
possible to be doing a
1:08:38
bad job. I just wanted to make
1:08:41
a quick note for
1:08:42
our
1:08:43
listeners to be
1:08:45
careful about Docker Hub
1:08:48
images. It turns
1:08:51
out that the
1:08:51
security
1:08:52
firm Sysdig scanned
1:08:55
the
1:08:57
official
1:08:58
Docker Hub
1:09:01
and identified sixteen hundred
1:09:03
and fifty two malicious Docker
1:09:08
images which have been uploaded, as
1:09:10
I said, on that official Docker Hub portal. More than a third contained
1:09:15
crypto mining code, you know, making somebody some
1:09:17
money. If you just run that Docker image and don't pay any attention to what it's
1:09:20
doing, while others
1:09:22
contained hidden secret tokens, that
1:09:26
the attacker could later use to get into a server running that
1:09:29
Docker image and
1:09:32
exposed publicly. other
1:09:35
docker images contain proxy malware
1:09:37
or dynamic DNS tools.
1:09:39
So anyway, just be
1:09:42
careful. They are seductively
1:09:44
easy to grab and deploy. They're
1:09:46
very cool. But not everyone
1:09:48
who's creating and making
1:09:50
them, available for everyone is doing so out of
1:09:53
the goodness of their heart. So,
1:09:55
a word of warning.
1:09:57
We've
1:09:58
been tracking zero days for a
1:10:00
while. I wanted to note that
1:10:02
Google just fixed Chrome's eighth zero
1:10:04
day of the year. So they're doing
1:10:07
better than they were last year.
1:10:09
They updated Chrome to eliminate
1:10:11
CVE twenty twenty two
1:10:13
forty one thirty five,
1:10:15
which, no surprise, was a heap buffer
1:10:17
overflow. It was found
1:10:19
and exploited in
1:10:22
Chrome's GPU component. The vulnerability was discovered by one
1:10:24
of Google's TAG researchers
1:10:26
and is now history.
1:10:30
So eight for Chrome, eight zero days
1:10:32
for twenty twenty two, Leo. And, you
1:10:34
know, I imagine they'll
1:10:36
get through
1:10:37
the rest of the
1:10:39
year. We'll see. CISA,
1:10:40
the, you know,
1:10:43
Cybersecurity and Infrastructure Security Agency,
1:10:47
is now on Mastodon, Leo,
1:10:48
after a fake account
1:10:50
was spotted for CISA's
1:10:54
director Jen Easterly on Mastodon,
1:10:56
CISA now has an
1:10:58
official account on this on
1:11:01
the platform. The account is at
1:11:03
the very popular infosec
1:11:05
dot exchange server, which is turning out to be where most of
1:11:07
the industry's security
1:11:12
researchers have been
1:11:14
hanging out and hanging their
1:11:16
hat. So info sec dot
1:11:18
exchange forward slash at sign CISA
1:11:22
Cyber is the handle, CISACYBER
1:11:26
They
1:11:29
need to add an
1:11:32
icon and some verification.
1:11:34
And I'm not
1:11:36
gonna follow them till they put
1:11:38
a little more effort into their
1:11:40
account. They didn't do very well. It's
1:11:42
one of the nice things about Mastodon, by the way, fourteen hundred people already do follow, is that
1:11:47
it's very easy to verify that you are
1:11:49
who you say you are. All CISA has to do is put a Mastodon link in
1:11:51
the CISA homepage. It can even be
1:11:54
hidden. It doesn't have to be
1:11:56
visible. And
1:11:58
they would be verified. Very cool. But they have so far not posted anything, not
1:12:00
so far following
1:12:04
anybody. They haven't put in
1:12:06
an icon or verified their links. But I'll take your word for it that they're the real ones. Have you seen
1:12:09
this posted,
1:12:12
it says, on a site or something? Or
1:12:14
No. I picked up a news blurb about it in the InfoSec community.
1:12:16
So Yeah. That is a good server,
1:12:18
by the way. If you're in InfoSec,
1:12:23
it's a good one to follow. So,
1:12:25
CISA Jen is not
1:12:28
real. Correct. That
1:12:30
account has been suspended. But CISA,
1:12:32
which is CISACyber -- Yep.
1:12:34
-- at infosec dot exchange, is
1:12:37
apparently the real guys.
1:12:39
I'll follow them. I'll let you know if anything happens. And you're right. Let's hope
1:12:41
they go the next step, because come
1:12:43
on guys. Come on. It's
1:12:46
blocked. All you have to
1:12:48
do. Follow one very
1:12:50
soon. That's very cool. Yeah. Very cool. It's good to do that. You know, infosec dot exchange
1:12:52
has a lot
1:12:55
of really good people
1:12:58
on it. And I should mention that Alex Stamos, speaking of InfoSec, will
1:13:01
be on
1:13:04
TWiG. Oh,
1:13:06
cool. Yeah. He is, of course,
1:13:09
was in charge of Infosec at Yahoo.
1:13:11
And then at Facebook, left over
1:13:13
the Cambridge Analytica scandal. Not his fault; he left because they weren't doing the
1:13:15
right thing. And he is part of the Krebs
1:13:18
Stamos Group. He's working with Chris Krebs
1:13:20
now, doing
1:13:23
cyber security. So he'll be a great guest tomorrow. Yeah. Alex was
1:13:25
first and then he and they added Chris
1:13:27
-- Yeah. -- to it --
1:13:29
Yeah. -- to the group. Yeah. It's really good.
1:13:31
And in fact, he was involved with Zoom in
1:13:33
the early -- That's right. --
1:13:35
days, Leo. He was
1:13:37
the first person they went to when people got
1:13:39
mad at, we're not doing
1:13:42
it right, doing encryption
1:13:44
right, we're kind
1:13:47
of misrepresenting their encryption. He's also
1:13:49
a professor at Stanford. So I think
1:13:50
he will be a good guest. Neat.
1:13:53
Yeah.
1:13:56
Tomorrow. Yeah. I have one piece
1:13:58
of miscellany, not directly security or privacy related, but everyone's talking
1:14:02
about Twitter and its uncertain future under
1:14:04
the reign of Elon. I
1:14:07
stumbled upon something that I thought
1:14:09
our listeners might find interesting and I
1:14:11
think you might, Leo, as I
1:14:13
did because it appears to contain some actual facts. This
1:14:15
is a note written by an unnamed executive director
1:14:18
at an unnamed business to
1:14:21
business organization, but it looks authentic. I presume it's anonymous because he would prefer
1:14:23
not to have Elon Musk retaliate
1:14:27
against his firm. The title
1:14:30
of his posting was I told
1:14:32
my team to pause our seven hundred
1:14:35
and fifty thousand dollar per month, so
1:14:38
three quarters of a million dollar per month
1:14:41
Twitter ad budget last
1:14:43
week. So here's what
1:14:46
he wrote. He said, I've seen a lot of technical
1:14:48
and ideological takes on
1:14:51
Elon Twitter. And
1:14:53
I got a kick out of that. I
1:14:56
wonder whether it was a play
1:14:58
on Tim Apple. Anyway, and he
1:15:00
said, but I wanted to
1:15:02
share the marketing perspective. For background, I'm a
1:15:04
director at a medium
1:15:06
sized B2B tech company,
1:15:09
not in financial
1:15:12
services anymore, running a team that
1:15:14
deploys about eighty million dollars in ad spend per
1:15:16
year. Twitter
1:15:19
was
1:15:19
eight to ten
1:15:20
percent of our media mix,
1:15:22
and we have run cost per
1:15:26
engagement, i.e., download a white paper,
1:15:28
register for an event,
1:15:31
etcetera, campaigns successfully
1:15:33
since twenty sixteen.
1:15:35
I had my team keep our Twitter
1:15:38
campaigns live for two
1:15:42
weeks post takeover on the
1:15:45
bet that efficiency would
1:15:47
improve with fewer
1:15:50
advertisers and that the risks were managed and
1:15:53
probably overblown. I was
1:15:56
wrong. And I think the
1:15:58
things we saw in these last two weeks
1:16:00
means many more advertisers
1:16:02
will bail on the platform
1:16:05
in the coming weeks. And he says,
1:16:07
parens, for non ideological or virtue
1:16:10
signaling
1:16:12
reasons. So
1:16:14
then he has four
1:16:15
bullet points, he says, performance
1:16:18
fell significantly.
1:16:21
CPMs
1:16:24
didn't drop, meaning same number of eyeballs.
1:16:26
He said, but our engagement went way down.
1:16:28
Maybe
1:16:28
it's a shift
1:16:30
in users on the platform,
1:16:33
maybe it's ad serving
1:16:35
related. Second point, serious brand
1:16:36
safety
1:16:37
issues.
1:16:40
He said our organic
1:16:42
social and CS teams got dozens of screenshots
1:16:44
of our ads
1:16:47
next to awful content. Replies
1:16:50
to our posts
1:16:52
with hardcore antisemitism and
1:16:55
adult spam remained up
1:16:58
for days even after being flagged.
1:17:00
Third, our entire
1:17:01
account
1:17:02
team at Twitter turned
1:17:05
over multiple times
1:17:07
in two weeks. We had
1:17:10
multiple people. He said, AE, AM, analyst, creative
1:17:13
specialist, supporting
1:17:16
our account, and they
1:17:18
all vanished without so much as an email. We finally got an email with a name
1:17:20
for an AM, I guess
1:17:23
that means account manager, last
1:17:26
week, but they quit, and we
1:17:29
don't have a new one yet.
1:17:31
And finally, he said,
1:17:33
ads UI is
1:17:36
very buggy, and login with
1:17:38
single sign on and two factor authentication broken. One of my campaign
1:17:41
managers logged in
1:17:44
last week and found
1:17:46
all our paused creatives from the past six years
1:17:51
had been reactivated. Campaign changes
1:17:54
don't save. These things cost us real money.
1:17:56
1:18:00
Anyway, I thought I wonder if
1:18:02
they put any prices with the decimal point in the wrong place up.
1:18:04
Excellent. Now that
1:18:07
could cost you. You
1:18:09
know, I since I hadn't encountered
1:18:12
anything as substantive as that, I thought that
1:18:14
it was interesting to see and and I
1:18:16
understand a bit about
1:18:18
what's going on from the perspective of,
1:18:20
well, one of Twitter's advertisers who, you
1:18:22
know, who views the service dispassionately, who
1:18:26
doesn't care one way or another, who's
1:18:28
doing what, except he dislikes
1:18:30
the idea of their ads
1:18:32
appearing, you know, appearing to endorse
1:18:34
horrific content, which it's now appearing
1:18:37
next to or in
1:18:39
the comments that
1:18:41
follow an ad, you know, for
1:18:43
him, Twitter is just either an ends
1:18:45
to a means. Wait, a means
1:18:47
to an end or
1:18:50
maybe not. So, yeah. I thought that was a business
1:18:52
person. Right? Yeah. Yeah. Oh,
1:18:54
and in a related piece, in
1:18:58
a security newsletter I recently
1:19:00
scanned, the statement was made, quote, some
1:19:02
threat intelligence companies are telling their customers
1:19:06
that they can no longer guarantee takedowns
1:19:09
of malicious or reputation
1:19:12
damaging content from
1:19:14
Twitter as there is nobody in Twitter's
1:19:16
abuse team to respond
1:19:19
to requests anymore. So another
1:19:22
data point from a a different
1:19:24
direction. And for what it's worth,
1:19:26
TweetDeck is behaving weirdly now.
1:19:28
You know, I
1:19:30
always go in in order to
1:19:32
pull feedback from, largely,
1:19:35
my DMs, although I scan the public
1:19:38
feed, you know, the at SGgrc
1:19:41
postings. And it
1:19:43
was definitely not working
1:19:46
the way it used to, and not in a way that I liked. So something is changing
1:19:48
or has changed. And I,
1:19:50
you know, I don't know. I
1:19:54
don't care to know what that
1:19:57
is. Did
1:19:58
we do our
1:20:00
last spot? I don't think
1:20:02
so. We have one more if you'd like to. I think
1:20:04
we need to. Definitely. We're an hour and eleven minutes
1:20:06
in, and I need some
1:20:08
water.
1:20:12
This episode of SecurityNow is brought
1:20:14
to you by NordLayer. NordLayer
1:20:17
safeguards your company's
1:20:19
network and data. And it does it in a very clever and I
1:20:21
think a very useful way. A lot of
1:20:23
companies really will appreciate
1:20:27
what NordLayer does. With the surge of ransomware
1:20:29
attacks and employees choosing to remote
1:20:32
work, businesses have become more
1:20:34
vulnerable than ever.
1:20:36
That's kind of what every ad says these
1:20:38
days. I mean, it's clearly the case. And if you're working in network security, it's tough. Now
1:20:40
NordLayer is a really nice tool
1:20:43
for all of this. It secures
1:20:46
and protects remote workforces, as well
1:20:49
as business data, and it can
1:20:51
help you ensure security compliance with
1:20:53
NordLayer it's easy to
1:20:55
start. It'll take less than ten minutes to onboard your entire
1:20:58
business onto a secure
1:21:00
network. So that's where it
1:21:02
starts. Right? The NordLayer secure network. You can easily add new members.
1:21:04
You can create teams, private
1:21:06
gateways. You can even do
1:21:08
things like IP
1:21:11
whitelists, allow lists, site
1:21:13
to site connection. Network segmentation is possible, setting
1:21:15
up secure network access. Right
1:21:17
now, what I
1:21:20
would say is, if you're
1:21:22
at all interested, go to NordLayer, N-O-R-D-L-A-Y-E-R dot com slash
1:21:24
TWiT. You can get
1:21:26
one month free right now.
1:21:30
with the purchase of an annual subscription.
1:21:32
1:21:34
It's easy to combine
1:21:37
with other tools. It's hardware free. It's
1:21:39
compatible with all major operating systems. It
1:21:42
allows you to implement
1:21:45
security features across all teams. We're gonna
1:21:47
talk about security as being layered. This is an important layer. You can add two factor authentication,
1:21:49
single sign on. You can
1:21:51
even require biometrics. ThreatBlock,
1:21:55
smart remote access. NordLayer scales
1:21:57
easily as you choose a
1:21:59
plan unique to your business
1:22:01
requirements and your rate of growth,
1:22:03
You'll have everything centrally in one place where you can check server usage,
1:22:06
monitor connections to your gateways, view
1:22:08
the activity
1:22:11
log. One NordLayer user said, quote, we were looking
1:22:13
for an easy way to securely connect
1:22:15
our remote workforce to our
1:22:17
infrastructure. This is it,
1:22:20
awesomely quick, friendly, efficient support, got us
1:22:22
up and running in no time. Another said, simple to
1:22:24
install and support,
1:22:27
no funny business, and so
1:22:29
fast that our teams don't notice they're using it. That's pretty important too.
1:22:31
With most modern businesses already
1:22:34
adopting network solutions like SASE,
1:22:39
Zero Trust, hybrid work security,
1:22:41
NordLayer does that, all of
1:22:43
that and more, built in. Don't
1:22:45
leave your business vulnerable.
1:22:47
Try NordLayer today. Join the more
1:22:49
than seven thousand fully
1:22:51
protected organizations.
1:22:54
NordLayer. If you wanna secure your business network, go to
1:22:56
nordlayer dot com slash TWiT. Get your first
1:22:58
month free when you buy an annual subscription.
1:23:01
N-O-R-D-L-A-Y-E-R,
1:23:04
nordlayer dot
1:23:05
com slash TWiT. Thank you so much
1:23:07
for supporting
1:23:07
Security Now. And
1:23:10
we thank you for supporting Security Now by going
1:23:13
to nordlayer dot com slash TWiT. That's
1:23:15
important, that slash TWiT part. So
1:23:17
they know you saw it here. back to Steve.
1:23:19
Because otherwise, they think that their ads are on the shopping channel
1:23:21
-- They don't know. -- because they don't know. How would
1:23:24
they know. They
1:23:26
don't know. You came in the door, you got the stuff.
1:23:28
We just want them
1:23:29
to know that you heard it
1:23:31
here. That's all.
1:23:32
Okay. So,
1:23:35
Carrie, on Anon, is his name.
1:23:37
It's Dr. or Mr.
1:23:40
Indigo is
1:23:40
his
1:23:41
Twitter handle. He said,
1:23:44
hi, Steve. Finally, listening to the
1:23:46
last, I'm sorry, latest episode eight ninety eight. And I started
1:23:49
wondering, is
1:23:52
quantum computing going
1:23:54
to be just a faster way to guess passwords? Or is there another attack
1:23:57
vector? In
1:23:59
other words, is it
1:24:02
just gonna be a faster
1:24:04
way to brute force
1:24:05
attack passwords? Okay. Interestingly enough, once
1:24:08
we get
1:24:08
quantum computing, assuming
1:24:10
that we ever
1:24:11
get quantum computing, it won't be
1:24:12
1:24:15
any faster at
1:24:17
brute forcing passwords. In fact, it
1:24:19
would likely be far slower and vastly more expensive than
1:24:24
conventional hardware accelerated
1:24:26
hash based password brute forcing. Interesting. That's not the problem.
1:24:28
No. There's just a
1:24:30
class of things it's good at
1:24:33
and the rest,
1:24:35
it's really crappy at. You know, it's like, you
1:24:37
know, it's like weather prediction. That's it.
1:24:39
It can do that,
1:24:42
but it can't tell you where a specific drop of rain is gonna
1:24:44
land, and that's what you
1:24:46
need for symmetric crypto and
1:24:48
hashing is, you know, is
1:24:51
that kind of exact operation.
1:24:54
The important thing to understand here is that some
1:24:56
of today's crypto, but
1:24:59
only some of it, depends
1:25:03
upon the traditional time proven
1:25:05
difficulty of factoring a
1:25:08
very large number
1:25:10
into its two half
1:25:12
as large prime number components.
1:25:14
That's it. That's all that
1:25:17
the, you know, fervor surrounding quantum computing
1:25:19
is about. The ability to do that to
1:25:23
do, you know, a
1:25:26
couple of things quickly
1:25:28
that are
1:25:29
entirely insurmountable, that
1:25:32
is this factorization
1:25:34
problem. But it's only the asymmetric key
1:25:36
crypto that quantum computing might
1:25:39
be able to someday
1:25:42
weaken. None of the
1:25:43
other crypto that we also depend upon today
1:25:45
will be affected. Symmetric key
1:25:48
crypto, like
1:25:50
our beloved AES ciphers, or today's strong hashing algorithms,
1:25:52
will not be affected at
1:25:54
all, and they don't need
1:25:56
to
1:25:59
be changed. I was thinking about quantum
1:26:00
computing after I read
1:26:02
this guy's note. And
1:26:04
and I was looking for a
1:26:07
good analogy of the effort, you
1:26:09
know, its promise and the difficulty that it presents. And what
1:26:11
popped into my head
1:26:14
as being almost,
1:26:16
Leo, in
1:26:19
almost every way similar, was power generation at
1:26:21
scale
1:26:24
via nuclear fusion. It's
1:26:27
a useful analogy. It
1:26:28
requires
1:26:28
crazy
1:26:31
way out there new physics and
1:26:34
new materials and new
1:26:36
technologies. And
1:26:39
like quantum computing, Fusion has
1:26:42
been chased for decades, driven by the promise of
1:26:44
what
1:26:47
if, what if, just like quantum computing
1:26:49
has, and incredible amounts of ingenuity and money have been
1:26:51
sucked into it. Many different approaches
1:26:53
have been tried and discarded.
1:26:56
And yes, we
1:26:58
are creeping forward little by little inch by inch tantalizingly
1:27:00
just enough to keep
1:27:03
the investment cash flowing. But
1:27:07
boy, is fusion a difficult
1:27:09
nut to crack. In order
1:27:11
to fuse matter, we
1:27:14
must create, contain, and compress
1:27:17
the hottest plasmas humans
1:27:20
have ever handled, hotter, turns
1:27:22
out, than the sun. And at this point, it's as much art as science. You
1:27:25
know, will we get
1:27:27
there someday? Maybe.
1:27:28
1:27:30
Maybe not.
1:27:31
It's still not clear. But
1:27:32
as with quantum computing, we do
1:27:35
appear to be making some
1:27:37
progress year after year
1:27:39
learning as we go.
1:27:41
So as for quantum computing, my feeling is that there's
1:27:43
no reason not to replace that small
1:27:47
but crucial portion of
1:27:50
our large crypto library of algorithms, which are believed to be currently
1:27:56
unsafe if quantum
1:27:58
computing ever happens. We can replace it with algorithms which are believed to be quantum
1:28:00
safe. We just don't
1:28:02
want to make any mistakes
1:28:06
with our replacements, and there's no reason to
1:28:09
believe that there's any big hurry. We
1:28:11
might well have free
1:28:15
electricity once we figure out
1:28:15
how to burn water before quantum
1:28:18
computers threaten
1:28:18
our current dependence on
1:28:23
today's asymmetric
1:28:24
crypto. So, not
1:28:26
to worry. Another listener who requested
1:28:28
anonymity,
1:28:32
and I'll explain why in a
1:28:34
second. He said, hi, Steve. In the last episode of Security Now, you talked about passkeys dot
1:28:39
directory, which lists web applications
1:28:41
that support pass keys. I wanted to share my observations with
1:28:44
you. First,
1:28:46
the website owner
1:28:50
chose to manage it with no transparency.
1:28:52
When I saw it, I
1:28:54
thought there must be a git
1:28:56
repo where I could open an
1:28:59
issue for a change request. Surprisingly, they chose
1:29:01
to use Google Forms, which masks all the
1:29:03
review and approval process. And
1:29:07
he's talking about, you know, passkeys dot directory. Second, he
1:29:09
said, I've noticed that many
1:29:12
companies in this
1:29:14
list are also customers of
1:29:16
OwnID, which is listed
1:29:18
as the authentication provider, including
1:29:22
Carnival Cruises. Interesting. Yes.
1:29:24
Yes. It's they did not do
1:29:26
it natively. And he says, and
1:29:29
then, investigating the OwnID flow, he said
1:29:31
when I pressed the fingerprint button, the QR
1:29:34
code encoded a URL that
1:29:39
sent his iPhone to passwordless dot
1:29:41
carnival dot com with a
1:29:44
session identifier, where
1:29:47
he performed a web authentication
1:29:49
on his iPhone. Once
1:29:51
completed, the session got
1:29:53
updated on the server and
1:29:55
the browser on his laptop logged in. The
1:29:57
flow is using web
1:29:59
authentication's passkeys,
1:30:01
but not like the way it was designed to
1:30:03
be used. Mhmm. WebAuthn's
1:30:06
phishing resistance mechanism works
1:30:10
in a way that a JavaScript
1:30:12
API called on the
1:30:15
browser triggers the
1:30:17
underlying library and matches the
1:32:19
domain a
1:30:27
key was registered in and the
1:30:30
domain asking to authenticate.
1:30:33
By implementing WebAuthn
1:30:35
as it is in Carnival, the phishing
1:30:37
resistance mechanism suffers from
1:30:39
a flaw. As an
1:30:42
attacker, you can spoof Carnival's
1:30:44
login page, so the user sees the same
1:30:47
page, only a different domain. When
1:30:49
you click the
1:30:52
biometrics button, the attacker's
1:30:54
back end will send a request to Carnival to get a QR code,
1:31:00
which encodes the passwordless
1:31:02
dot carnival dot com. Then the phone would ask you for your face or fingerprint
1:31:04
to authenticate with
1:31:07
a pass key which
1:31:10
will update the session on the back end and the attacker gets Mhmm.
1:31:12
Actually, this is the thing that I
1:31:14
spent a lot of time, in SQRL,
1:31:19
solving completely and, you know,
1:31:22
it's crucial. He says,
1:31:24
the right way
1:31:26
to implement is by
1:31:28
calling the web authentication API on the
1:31:31
laptop's browser. He says, instead of
1:31:34
presenting the QR that will open a browser on the mobile phone,
1:31:37
and letting the browser
1:31:39
do its job, presenting native
1:31:43
WebAuthn screens, including a
1:31:45
QR which is scannable from
1:31:47
a mobile phone. This
1:31:50
way, the domain you're authenticating
1:31:52
to is passed in a
1:31:54
side channel, that is, you
1:31:57
know, push versus BLE, Bluetooth low energy, you know, from
1:31:59
the browser to the phone. He says
1:32:01
to the mobile phone directly
1:32:03
from the browser and
1:32:07
a phishing site will be blocked as the
1:32:09
credential on the phone was
1:32:11
registered under the original
1:32:13
domain. Okay. So first
1:32:16
of all, our listener who
1:32:18
wrote this to me is a hundred percent correct. And by the way, he's a
1:32:21
developer, by
1:32:21
the way, for
1:32:22
an authentication provider,
1:32:26
who asked for anonymity. Another
1:32:28
way to say this is
1:32:30
that rather than doing the
1:32:33
work of upgrading
1:32:35
their own servers to become a
1:32:38
first party passkeys provider, Carnival Cruises,
1:32:40
and unfortunately, a
1:32:43
lot on that list has
1:32:46
outsourced their authentication responsibility to a third party provider, in this
1:32:48
case, own ID.
1:32:51
But in
1:32:54
doing so by punting in this way,
1:32:56
they've bypassed passkeys'
1:32:59
phishing protections. This gives
1:33:02
their users the false
1:33:04
belief that they're getting
1:33:06
the hack proof benefits of passkeys without actually getting them. This
1:33:11
could be transient. We
1:33:13
can hope not.
1:33:14
But on the other hand, OwnID is in the business of
1:33:15
doing this, so
1:33:19
they're gonna presumably be selling
1:33:22
their instant onboarding services, and most websites will simply want easy
1:33:28
login without really caring about
1:33:30
their visitors' security. So we've seen the first way that
1:33:32
passkeys will fail,
1:33:34
and that is,
1:33:36
when implemented
1:33:39
like this, you can be phished.
1:33:41
And that was a big deal. It
1:33:43
was supposed to be anti phishing. It
1:33:45
was only anti phishing if you don't
1:33:47
turn the responsibility over to a third party.
1:33:49
And if you do, and this page
1:33:51
of people have, you're
1:33:54
not getting the benefit of passkeys. All
1:33:56
you're getting is listening, but, of course,
1:33:58
needs to be predicted. Yeah. Exactly.
1:34:01
Yep. Christopher Erich, he said, SN topic
1:34:03
request, hardware security modules. He
1:34:06
said, you said you had
1:34:08
one. Besides
1:34:11
the technical crypto, can you describe how you interact
1:34:13
with it in practice to sign your
1:34:16
code? Sure.
1:34:18
Just as there are EV,
1:34:21
you know, extended validation
1:34:23
TLS certificates for
1:34:27
web servers, there are EV code signing certificates.
1:34:29
I have no idea whether
1:34:31
they
1:34:33
are any better or
1:34:36
more trusted than the non EV code
1:34:38
signing certificates. But I'll take every advantage I can get.
1:34:40
And one
1:34:43
requirement of EV code signing is
1:34:46
that they must, without
1:34:48
exception, be protected
1:34:50
by a hardware security
1:34:52
module, so that
1:34:54
the EV private key can only ever be used for signing
1:34:56
and cannot possibly
1:34:59
escape into the wild. The
1:35:03
EV code signing key, which I
1:35:05
purchased from DigiCert, was
1:35:07
packaged in a
1:35:10
Gemalto USB dongle,
1:35:12
which is paired with
1:35:15
the SafeNet Authentication Client. Somehow,
1:35:17
when I use the same Authenticode code signing
1:35:19
command in Windows, as
1:35:23
I've always used, that
1:35:26
SafeNet client is invoked. The hash of the file
1:35:28
I'm signing is
1:35:31
sent to the key and
1:35:35
signed inside there and
1:35:37
it returns a signed blob.
1:35:39
So it's just a
1:35:42
matter of having a free USB port
1:35:44
and installing a hardware
1:35:46
interface client. Part of
1:35:48
the effort which we'll
1:35:51
all be engaged in toward the end of the work to publish the final SpinRite six
1:35:56
one code, which will
1:35:58
be, like six zero is, a hybrid DOS and Windows app,
1:36:00
1:36:02
and will be
1:36:04
automating this code signing
1:36:06
process server side. Since each owner's copy of
1:36:09
SpinRite embeds
1:36:11
their license information, which
1:36:14
makes their executable unique, each
1:36:17
one needs to be
1:36:19
individually code signed on
1:36:21
the fly by the
1:36:23
server as it's downloaded. What's gonna
1:36:25
be really annoying is that Windows Defender
1:36:27
will always be complaining
1:36:30
for every single user
1:36:33
that the user specific custom SpinRite
1:36:35
file is, quote, not commonly downloaded, unquote,
1:36:40
thus needlessly warning and alarming its users.
1:36:42
You know, we've seen that no degree of reputable
1:36:45
signing is able to
1:36:47
bypass this alarm. I
1:36:50
discovered that when I, you know, signed, you
1:36:52
know, the final version of SQRL,
1:36:54
when I when I updated the
1:36:58
the DNS benchmark, you
1:37:00
know, people said, hey, Windows Defender is
1:37:02
not happy. I said, I know. It
1:37:04
doesn't matter if you sign,
1:37:06
and those were EV certificate signed.
1:37:09
Windows Defender says, I haven't seen
1:37:11
this a lot before. And,
1:37:14
yeah, and you can understand it's
1:37:16
gonna take a hash of the things that you
1:37:18
want to download, and it's obviously sharing those
1:37:22
in the cloud, and when it sees
1:37:24
enough of those and no
1:37:26
complaints, then it goes, okay,
1:37:28
it must be okay, and stops,
1:37:30
you know, bringing up warning messages. Unfortunately, SpinRite's users are just gonna
1:37:33
have to
1:37:34
get used to that.
1:37:37
because every one of those that they download is gonna
1:37:39
be unique.
1:37:43
Two people,
1:37:45
Dan
1:37:45
Guard asked, Steve, how can I get access to test
1:37:47
the pre release version of
1:37:51
SpinRite six one? Feel free to email
1:37:53
me or just respond here. Thanks so much for your work on SpinRite. I have drives
1:37:55
waiting for six point
1:37:59
one. And SD
1:37:59
Holden asked, hey,
1:37:59
Steve, not sure the best way
1:38:02
to reach you about the Git
1:38:04
Server for SpinRite?
1:38:06
So I thought I'd start
1:38:08
here. When I try to create
1:38:10
an account, I get a dialogue box asking me to sign in instead
1:38:12
of allowing me
1:38:15
to create a registration. he
1:38:17
says dot dot dot question
1:38:20
mark. Okay.
1:38:20
So to both
1:38:21
listeners and everyone else, in case some
1:38:23
of you hadn't noticed, the
1:38:27
Internet has sadly become a
1:38:29
sewer, full of both
1:38:32
bots, trolling
1:38:35
constantly, and even human labor farms, you
1:38:37
know, being paid for creating
1:38:39
accounts online. I've been
1:38:41
running two web forum
1:38:43
servers for years. Despite having all
1:38:45
manner of entrance barriers erected, like even
1:38:48
requiring the correct
1:38:50
answer to the question, "What
1:38:53
software is Steve best known for?" in order to create
1:38:55
an account, five
1:38:59
out of six, of
1:39:02
the account registrations were bogus in those forums.
1:39:05
Like, how
1:39:08
how did... How does
1:39:10
a bot... How hard is that? You know, a bot wouldn't know. But... No. I know.
1:39:12
At one point,
1:39:15
we had sixty
1:39:17
five hundred users registered in GRC's forums, and I was thinking,
1:39:20
wow, I haven't even
1:39:22
talked about it that much.
1:39:24
Okay? That
1:39:27
number is a bit over eleven
1:39:29
hundred after I spent
1:39:31
several days working to get that
1:39:33
under control. Yeah. Fifty five hundred of
1:39:36
those were registered in
1:39:38
Afghanistan and Turkey and
1:39:41
Indonesia. I mean, it's just
1:39:43
like... And, you know, it just...
1:39:46
Spammers love forums.
1:39:48
They really... Oh
1:39:51
my god. Yes. So I've erected
1:39:53
much tougher barriers since, and I've mostly gotten it under control.
1:39:56
And since I
1:39:58
erected those stronger barriers, twenty
1:40:02
thousand two hundred and four additional account creation attempts
1:40:07
have been thwarted. So
1:40:09
I'd have an additional twenty thousand bogus users on top of the fifty five
1:40:11
hundred I had before. The reality
1:40:15
is that today, as
1:40:18
you said, Leo, running any sort
1:40:20
of open web service results in a torrent of
1:40:22
bogus registrations. And even with all that in place,
1:40:25
the wonderful
1:40:27
volunteer moderators I have who make
1:40:29
time to read everything are still
1:40:32
removing users
1:40:34
who attempt to suddenly pollute our content.
1:40:36
So, here's
1:40:38
the problem.
1:40:39
GRC's forums
1:40:42
need to be open.
1:40:45
So I have no
1:40:47
choice other than to erect the strongest account creation barriers I
1:40:49
can, but apologize
1:40:52
to those who
1:40:54
we mistakenly reject as false
1:40:57
positives and also weed out those
1:40:59
who do slip past the barriers
1:41:01
due to false negatives. But GRC's
1:41:04
GitLab server has no
1:41:05
need
1:41:06
to be open,
1:41:09
so it's closed.
1:41:11
Its account
1:41:11
creation page is protected
1:41:14
by a magic incantation, which
1:41:19
must be provided before the
1:41:21
troll that guards the bridge
1:41:23
will allow newcomers
1:41:26
to pass. It requires insider
1:41:28
information, which can only
1:41:30
be obtained by participating
1:41:33
in GRC's old
1:41:35
school, blessedly wonderful, text-only
1:41:37
NNTP
1:41:39
news groups. Once someone shows
1:41:41
up there and is able
1:41:44
to post, they can ask
1:41:46
how to satisfy our cantankerous GitLab troll. But also note
1:41:48
that we're not using
1:41:50
GitLab for any social interaction.
1:41:54
We're only using it for issue management. At
1:41:57
this point, what I
1:41:59
what I need is
1:42:02
feedback from people who are testing SpinRite six
1:42:04
one. Since we have a
1:42:06
handful of known issues to
1:42:09
fix, and I'll get to that in a
1:42:11
moment. It's best for newcomers to join and
1:42:13
catch up on all the various threads in the
1:42:16
news group in order to
1:42:18
eliminate duplicate postings of already known problems. So if anyone
1:42:21
is really and
1:42:24
truly interested in participating in
1:42:26
SpinRite six one's testing, you're invited to head over to
1:42:31
GRC's discussions page. That's the page
1:42:34
at GRC. If you google "GRC dot com space discussions," it'll take you there,
1:42:36
and create a connection
1:42:39
to our news server. Find
1:42:42
the GRC dot spinrite
1:42:45
dot dev group and
1:42:47
say hi. And
1:42:50
speaking of SpinRite, it's working.
1:42:52
As I planned, I updated
1:42:54
GRC's primary server to handle
1:42:56
downloading of pre
1:42:59
release versions of SpinRite. And
1:43:01
last Friday morning, after Thanksgiving, I posted the
1:43:03
information in GRC's spinrite dot dev
1:43:06
news group about where any
1:43:10
existing SpinRite owner could
1:43:12
go to grab their own
1:43:15
copy. I'll share three
1:43:17
news group anecdotes which I've edited just a
1:43:19
bit for podcast clarity. A few
1:43:22
hours after my first release
1:43:24
announcement, someone
1:43:26
whose handle is Dark TWiT X
1:43:29
posted on Friday at
1:43:31
two forty four
1:43:33
PM. Well, I can
1:43:34
already report success with
1:43:36
a USB. In my race
1:43:38
to find something to eagerly
1:43:41
test on, with the short time
1:43:43
I had, I grabbed an old
1:43:45
USB I received with the purchase
1:43:47
of Starcraft two. I figured
1:43:50
I'd reformat it with InitDisk and run SpinRite from there. So I put
1:43:52
it in the computer
1:43:54
and started InitDisk.
1:43:57
I
1:43:59
waited and waited
1:44:00
for about
1:44:01
thirty seconds. Eventually, the
1:44:03
USB was recognized by
1:44:05
Windows and showed up, so
1:44:07
I could nuke it. I tried it again, and it
1:44:10
still took around thirty seconds to
1:44:12
load.
1:44:15
So I figured maybe not the
1:44:17
best USB to run SpinRite from. So I
1:44:19
found another. I thought, why
1:44:22
not run SpinRite on the problem USB as
1:44:24
a target. So that's what I
1:44:26
did. After a level two
1:44:29
scan without finding
1:44:32
anything wrong, I rebooted,
1:44:34
plugged it in, and instant success. That USB now loads
1:44:37
inside Windows instantly
1:44:40
every time. Looking
1:44:42
forward to testing some more.
1:44:45
Second comment, Saturday morning,
1:44:47
eight thirty nine, Mark
1:44:50
Ping posted: Finished the level two
1:44:52
in two hours for a
1:44:54
one terabyte. Then ran level
1:44:56
four and it took nine
1:44:59
hours thirty seven minutes for one
1:45:01
terabyte compared with one hundred and fifty
1:45:03
hours before. And then he
1:45:06
finished, SpinRite is back,
1:45:08
baby. And
1:45:10
finally, Leo f, Saturday
1:45:12
evening at ten twelve PM,
1:45:14
posted I have a five
1:45:16
hundred megabyte laptop drive that
1:45:18
I put in a Sabrent portable
1:45:21
enclosure. After I
1:45:22
dropped it about two
1:45:25
years ago, it
1:45:26
could not be recognized by any PC or by six point zero.
1:45:29
So I said
1:45:32
to myself, just
1:45:34
have to wait for six
1:45:36
point one. On Friday, I ran a level two
1:45:38
with SpinRite's first alpha release, and one hour later
1:45:41
it was
1:45:43
good
1:45:43
as new. Thanks, Steve.
1:45:45
So frankly,
1:45:48
SpinRite's first functional
1:45:50
pre-release debut
1:45:52
went far better than it might
1:45:54
have. Over the weekend, using the
1:45:56
feedback provided by the large
1:45:59
group of avid testers, we
1:46:01
moved SpinRite through three more releases to its fourth alpha release by
1:46:03
mid afternoon on
1:46:08
Sunday. And with only
1:46:10
a few exceptions, it is now working well for everyone. Overall,
1:46:12
it's a hundred percent functional
1:46:14
in every way that matters. There
1:46:18
are a number of things that I need to fix like
1:46:20
SpinRite's various clocks are not
1:46:23
continuing to operate while it's
1:46:25
deep
1:46:27
into data recovery. I recently
1:46:29
rewrote that entire data recovery system, and I just
1:46:31
forgot to periodically update the
1:46:33
clocks while I was
1:46:36
in there. So actually, I'm
1:46:38
gonna change the entire way that works so that it's much better. Another example is that SpinRite's
1:46:44
predictions of its remaining time
1:46:46
to run are not working right when it's started midway
1:46:48
into a drive rather
1:46:51
than at the beginning. You
1:46:53
can start it wherever you want to. Anyway, it was working once
1:46:55
and something I did broke that. So I'll fix that. So
1:47:00
right now, the news group
1:47:02
gang is continuing to pound away on the fourth alpha release, logging everything
1:47:04
they encounter in
1:47:07
our GitLab instance. While
1:47:10
that's underway, my own now highest
1:47:13
priority is to make a decision
1:47:15
about that next operating system
1:47:17
that I'm considering purchasing and
1:47:19
moving to. Its licensing, as I mentioned before, is the
1:47:21
end of the year. It's either
1:47:23
by then or never.
1:47:26
That's what I'm gonna be doing
1:47:28
this evening. I'll start that. I only think it'll
1:47:31
take a couple days. I just
1:47:33
wanna make sure that I can boot something, you
1:47:35
know, the classic Hello World app, both
1:47:37
from a BIOS and from a
1:47:40
UEFI based
1:47:42
machine. Then that says, yes,
1:47:44
I'm gonna go with this OS. Then
1:47:46
I'll return to and get
1:47:48
SpinRite's
1:47:51
executable completely finished. I
1:47:52
should mention, I told you
1:47:54
Leo before we began recording today. One thing happened this morning
1:47:56
that completely caught
1:47:59
me off guard. I hired Greg,
1:48:02
whom everyone has heard me refer to through the years. Thirty two
1:48:08
years ago, tomorrow. Tomorrow is his
1:48:10
thirty two year anniversary of employment with GRC.
1:48:15
That means that tomorrow, he will have been providing
1:48:17
technical support for SpinRite for
1:48:19
thirty two years. Yesterday,
1:48:22
he fired up the latest SpinRite six one alpha,
1:48:25
and he had never seen it before.
1:48:27
He's seen nothing until... you
1:48:30
know, I had been keeping him and
1:48:32
Sue apprised of what was going on. I
1:48:34
sent them both an email saying, well, it
1:48:37
works. Somewhat to my amazement.
1:48:40
So he fired up the latest SpinRite
1:48:42
six one alpha, ran it on a
1:48:44
bunch of drives he had around.
1:48:46
He said that he ran it on a
1:48:48
one terabyte spinner, which took
1:48:50
about two hours. And that's
1:48:53
about right. Remember, I've thought about
1:48:55
half a terabyte per hour is good
1:48:57
performance for a spinning drive, you know, and that certainly
1:48:59
beats two weeks. You know,
1:49:03
and still it wasn't instantaneous because
1:49:05
it was a spinning drive. Then
1:49:07
he said he scanned a
1:49:09
one twenty eight gig SSD
1:49:12
in five minutes, and he
1:49:14
was stunned. So he
1:49:16
told me
1:49:17
on the phone.
1:49:19
this morning that he knows the number
1:49:21
one question he is
1:49:24
certain people are
1:49:26
gonna be asking, once SpinRite's previous
1:49:28
users start using six one,
1:49:30
is how SpinRite six one
1:49:33
could possibly be
1:49:35
so much faster. It was like it's
1:49:37
like the difference is too much to believe. You know, either
1:49:40
six was,
1:49:43
like, way slow, or is six one
1:49:45
actually doing anything? On the other hand, I should also mention that a whole bunch
1:49:47
of people in the news
1:49:50
group have actually had it
1:49:53
recovering data, recovering drives, things that could never be copied
1:49:55
before. We're
1:49:57
seeing green R's on
1:49:59
the map showing
1:50:03
data that was problematical and was
1:50:05
recovered. So anyway, I'm very
1:50:07
excited that I will be
1:50:10
able to soon stop talking about it and get
1:50:13
it in
1:50:15
everybody's hands. Yeah.
1:50:17
Ooh,
1:50:18
very, very good news. Thank
1:50:21
you for the hard
1:50:24
work. Well, thank everybody
1:50:26
for their support. I appreciate...
1:50:29
You said NNTP. Your news groups are run on
1:50:31
NNTP. I thought it was XenForo. Or does XenForo use NNTP? Is that why? No. XenForo
1:50:33
is the web is
1:50:35
a web forum. Oh,
1:50:38
you have news groups in addition to the web forums.
1:50:40
I get it. Yes. I get it. News groups I've had forever --
1:50:42
Yeah. -- and I love them. They're a little back
1:50:46
water. Yeah. They're just... we
1:50:48
get real serious work done. Where
1:50:50
how do you read a news
1:50:53
group these days? Thunderbird is a really
1:50:55
good news group reader. Okay. It does a
1:50:58
good job of it. On the discussions
1:51:00
page, I list... I
1:51:02
asked the question of everybody
1:51:04
like six months ago, and there's like
1:51:06
a list of maybe thirty different NNTP
1:51:11
clients. There's only one for iOS,
1:51:13
which is called NewsTap.
1:51:16
It's a great
1:51:18
little news reader for iOS.
1:51:21
There's a bunch of news readers for
1:51:23
Android and a bunch for Linux and Mac. And then... so you
1:51:25
go to... you
1:51:27
host it
1:51:31
on your GRC site. Right. It's news
1:51:33
dot GRC dot com. Nice. And
1:51:35
that's it. It's been one of
1:51:37
the things I've had,
1:51:38
you know, Well, okay.
1:51:39
So here's the reality.
1:51:41
SpinRite six one will
1:51:44
ship.
1:51:45
It will
1:51:48
be perfect. The news groups are
1:51:50
why. Right. It will be perfect. Right. In this day and age, once
1:51:54
upon a time, back two or three
1:51:56
or four, I could write a program
1:51:59
and it would
1:51:59
work everywhere.
1:52:03
Those days are gone. Yes. I
1:52:05
could never
1:52:07
do this if it weren't
1:52:09
for the guys in the news group. And
1:52:11
as I said before, I've got, like, all these motherboards
1:52:13
around now and all these old hard
1:52:15
drives because it
1:52:18
was, like, Steve, the Asus Cranox
1:52:20
3270
1:52:22
isn't working? So I go
1:52:25
into eBay. Asus Cranox 3270
1:52:27
yeah. There it is. And I buy it. You
1:52:29
know? So Laurie is saying, do we
1:52:32
still need
1:52:34
all these... Just a little
1:52:36
bit longer. A little bit longer. A
1:52:38
little bit longer. Yeah. Used to
1:52:40
be the all the browsers could
1:52:42
handle news groups, but they've slowly stripped that out
1:52:45
of every browser. So I'm glad that... Of course,
1:52:47
FTP has gone out too. It's gone too. That's
1:52:49
right. They take all... reasonably so, if nobody uses it.
1:52:51
But a
1:52:54
good generic news reader is Thunderbird.
1:52:56
It's multi-platform, and
1:52:58
it's pretty good for getting the job done. I have to check out the news groups. For some reason,
1:53:00
I spaced that you have
1:53:02
a news group. I thought it was
1:53:06
all forums, which forums
1:53:08
are fairly old fashioned. News groups
1:53:10
are positively antediluvian. That's
1:53:13
good. And the
1:53:15
forums are where support will be for SpinRite.
1:53:18
I'm gonna engage community support, but I'm never gonna
1:53:20
allow... you
1:53:22
know, I mean, like, the news groups are
1:53:24
my sanctum sanctorum. Is that the right...? Do
1:53:26
you still... does it... do
1:53:29
you use UUCP and... it off
1:53:31
and everybody in in the world gets
1:53:33
to see it or is it just hosted
1:53:35
on your site? Actually, we block it
1:53:37
going anywhere else. Yeah. Okay. Because
1:53:40
Google groups would like to be pulling
1:53:42
from an NNTP server,
1:53:44
the problem is people
1:53:46
were responding to postings that Google had
1:53:48
sucked out and nobody was ever
1:53:50
seeing their response. Right. Right. So
1:53:53
it is closed. I actually have a
1:53:56
technology where
1:53:58
the IP address of
1:54:01
the entity which
1:54:03
pulls the article is added to
1:54:05
the headers. So if we ever see postings out in public,
1:54:07
we can look at
1:54:10
the headers and see the
1:54:13
IP address that is pulling them
1:54:15
and then I block them. Oh, so smart. So
1:54:20
there. Wow. So it's
1:54:22
really I mean,
1:54:24
to call it a news
1:54:26
group is really not exactly right, because
1:54:28
the whole idea was news groups were
1:54:30
federated, and they would be copied every night
1:54:34
from university to university. I've written a whole bunch of extra code.
1:54:36
You just use the NNTP
1:54:39
protocol for your server.
1:54:41
We have something called
1:54:43
a CECL ID, which is also added to a
1:54:45
posting -- Uh-huh. -- which is a hash
1:54:48
of the person's
1:54:50
username and password, which allows the
1:54:52
postings to be owned by them. Right.
1:54:54
Nobody else can delete them, but they
1:54:57
can delete their own. Perfect. And so
1:54:59
there's a whole bunch of other, you
1:55:01
know, benefits that we've added over time. So
1:55:03
very much... It's... I just,
1:55:05
you know, that's
1:55:08
what I'll be using. Like, when somebody
1:55:10
comes along to turn off the servers after I'm gone,
1:55:15
they'll be shutting down the news groups.
1:55:18
Oh, that'll be sad. Alright,
1:55:23
Steve. Always a pleasure. He
1:55:25
does it the old-fashioned way.
1:55:27
He does it the
1:55:29
old way. But the old ways are often still the best. Steve
1:55:32
at GRC dot
1:55:34
com. Along with his news
1:56:36
groups,
1:56:38
that is the Gibson Research Corporation, you'll
1:56:40
find SpinRite there, the
1:56:42
world's best mass storage recovery
1:56:47
and maintenance utility, now faster than
1:56:49
ever. It's really working. It is. It's really doing
1:56:52
something, honest.
1:56:56
If you don't have a copy, get six point
1:56:58
oh now. You'll have a free upgrade to six one when it comes out. You can also participate
1:56:01
in the development and
1:56:03
all of that, as he
1:56:05
said, GRC dot com. While you're there, you can get a copy of this show. Security Now
1:56:07
is hosted at TWiT,
1:56:10
but also at GRC dot
1:56:12
com. Steve
1:56:14
has two unique versions, a sixteen kilobit
1:56:16
audio version for the bandwidth-impaired;
1:56:18
he's always done that from day
1:56:21
one. And for
1:56:24
his transcriptionist, actually,
1:56:24
Elaine Farris, because she writes us all out, and
1:56:26
she's living in the country with a lot of horses, doesn't have a lot
1:56:28
of bandwidth. You
1:56:31
can get the transcripts there as
1:56:33
well, GRC dot com, as well as a sixty four
1:56:35
kilobit audio file. We have audio and video at our website,
1:56:37
twit dot tv slash
1:56:40
s n. There's
1:56:42
a YouTube channel for Security Now. That's a great way to introduce somebody to it or, you know, if you hear something on here,
1:56:45
you wanna
1:56:48
share with other IT professionals,
1:56:50
your boss, or friends, your spouse, then just clip it at
1:56:52
YouTube. That's probably the easiest way to do it.
1:56:54
They make that a fairly simple thing to do.
1:56:59
Of course, subscribing in your
1:57:01
podcast client might even
1:57:03
be the best way
1:57:04
to get it. That way, you'll get
1:57:06
it automatically the minute it's available. You can build
1:57:08
your collection of all eight
1:57:11
hundred and ninety nine episodes. That's a lot of episodes.
1:57:12
Steve, we
1:57:15
will be back here next Tuesday, one thirty Pacific,
1:57:18
four thirty Eastern, twenty... I'm
1:57:20
sorry.
1:57:24
Yeah. Twenty one thirty
1:57:26
UTC. Had to do the
1:57:28
math. You can watch
1:57:30
this live at live dot twit dot tv. Chat live: if you're fortunate
1:57:36
enough to be in the
1:57:38
club, you can do it in the
1:57:39
Club TWiT Discord. Actually, you should join the club
1:57:41
if
1:57:41
you don't already.
1:57:43
Remember, it supports Steve's efforts,
1:57:45
plus everything we do here, seven dollars a month for ad free versions of the show, access
1:57:48
to the Discord.
1:57:51
You also get
1:57:52
stuff
1:57:55
that we don't put out in public, like Hands-On Mac and
1:57:57
Hands-On Windows, the entire Linux show,
1:57:59
and all of that.
1:58:01
Thank you, my friend.
1:58:03
Yes. Happy birthday again. Thank you. For your sixty six, I want
1:58:05
you to hold on to that sign so
1:58:07
that in thirty three
1:58:09
years you can turn it
1:58:12
upside down and celebrate
1:58:15
ninety nine. Good
1:58:21
thinking, Steve. I'll save the... I bet you save old
1:58:23
calendars too, don't you? No.
1:58:26
Steve, have a great
1:58:28
week. We'll see you
1:58:30
next time on two. Bye. Hey, we should talk Linux. It's the operating system that runs the
1:58:33
Internet, but also
1:58:36
game consoles, cell phones, and
1:58:38
maybe even the machine on your desk. You already knew all that. What you may not know is that now there
1:58:40
is a show dedicated to
1:58:42
it, the Untitled Linux Show. Whether
1:58:46
you're a Linux pro, a Virgin incisive man, or just
1:58:49
curious what the big deal is, you should
1:58:51
join us on the TWiT Discord
1:58:54
every Saturday afternoon for news, analysis, and tips to sharpen your Linux
1:58:56
skills. And then make sure you
1:58:58
subscribe to the Club TWiT exclusive
1:59:03
Untitled Linux Show. Wait. You're not a Club
1:59:06
TWiT member yet? Well, go to twit dot tv slash clubtwit and sign up.
1:59:09
Hope to see
1:59:12
you
1:59:12
there. Security
1:59:17
Now.