SN 1002: Disconnected Experiences - 'Nearest Neighbor' Attack, Repo Swatting, the Return of Recall

2024/11/27

Security Now (Audio)

People
Steve Gibson
Cybersecurity expert and entrepreneur who created several widely influential security tools and podcasts.
Topics
Steve Gibson and Leo Laporte discuss several cybersecurity topics, including security flaws in Chinese-made port cranes that could allow remote access and control and thereby threaten US critical infrastructure. They also analyze the nearest neighbor attack, in which attackers compromise an organization in a nearby building and use its network access to reach the target's wireless network, as well as a new "repo swatting" attack that abuses hidden features of GitHub and GitLab to get a target's repositories deleted. They also discuss Microsoft's "Connected Experiences" feature, which is enabled by default and uses the content of users' Office documents to train its AI models, raising privacy concerns. On these topics, Steve Gibson stresses the importance of logging everything, since it is impossible to know after the fact which logs will be needed, and notes that most systems can ultimately be breached by a sufficiently motivated and determined attacker, so absolute security is only a concept. He also reviews Let's Encrypt's development over its ten years and the enormous success it has had in improving internet security. He then analyzes a serious zero-day vulnerability in Palo Alto Networks enterprise firewalls and a serious vulnerability in D-Link VPN routers, recommending that the latter be unplugged immediately. Finally, they discuss the "Recall" feature being reintroduced in Windows 11 and how to disable it to protect user privacy.

Chapters
The 'nearest neighbor' attack by APT28 demonstrates how attackers can pivot through nearby compromised networks to breach a target's enterprise Wi-Fi network. The importance of logging everything to aid forensic investigations is emphasized.
  • APT28 compromised a nearby organization's network to gain access to the target's enterprise Wi-Fi.
  • Logging everything is crucial for forensic investigations and understanding network activities.
  • Storage costs are low, making comprehensive logging feasible.

Transcript


It's time for Security Now. Steve Gibson is here. He's in love with these Chinese cranes that they use at container ports.

But he says there is a problem. Apparently there is a Chinese backdoor. Oh, no.

We're also going to talk about the nearest neighbor attack and a warning about a new feature of Microsoft Windows they call Connected Experiences. Steve says it's a recipe for disaster. All of that and more coming up next on Security Now.

Podcasts you love from people you trust.

This is TWiT. This is Security Now with Steve Gibson, episode one thousand two, recorded Tuesday, November twenty-six, twenty twenty-four.

Disconnected Experiences. It's time for Security Now, the show where we talk about your security, your privacy, how the internet works, how computers work, a little bit of science. I throw in maybe some video, and it's all because of this guy, the man in charge, our very own Steve Gibson. Hi, Steve.

You know what, when you're saying...

So you're leaning back and I get...

kind of a nice, like the, that's right, a little double shift...

defect there. I learned that from a Dell... It's so funny, because I realized now we'd had a photo meetup in New York City a couple months ago, September, and I would look back at the pictures and there were a bunch of people doing the live long and prosper sign. And I realized that has become not just the Security Now thing, but everybody.

Now it's early.

That's the squid hand sign.

That's very cool.

Thanks to you. Good. What's going on? Not everybody can do it. No, I know, I know. Didn't they have to tape, uh, Leonard Nimoy's fingers, because he in fact could not do it? And they had it. I believe there's an anecdote of how, when they first... he was the guy who came up with it, but he couldn't do it. Maybe, maybe it was somebody else who couldn't do it. But yeah, anyway, I go so that we...

As I said, I was saying to you before we began recording, every time I look at these four-digit episode numbers I think, wow. I mean, that really does... what an accomplishment.

It is. You should be very proud. Yeah.

Well, we're at one-oh-two, one, two, one thousand and two. See.

There is a problem right there. Yeah, the brain can only do three digits. We're at one...

thousand and two. And the software didn't collapse. I did spend some time updating GRC's systems so that it also would not freak out when four digits were presented to it, and that experience was smooth. Uh, emailing continues to go well.

Thirteen thousand, two hundred and nineteen subscribers received the show notes, the picture of the week, uh, various links and things yesterday evening, so that's turned out great, and we're going to have lots of feedback, because there was also lots of news. Um, but my discussion of what I titled Disconnected Experiences wasn't half of the podcast, as some of our main topics have been in the past. I have something like thirty-eight hundred pieces of feedback from our listeners. So I have plenty to choose from.

I feel a little bit badly that I'm getting so much feedback that I can't even begin to put a dent in it. But thank you, everybody, for sending me your thoughts. And as I said, the quality of the feedback has a very different flavor since we were able to switch to email and people didn't have to try to squeeze into two hundred eighty characters. So, big benefit. Um, we're going to talk about, at the end of this, something that Microsoft calls their Connected Experiences, which is an interesting turn of phrase. We'll understand what that is, why they sort of slipped it in under the covers, and why it may not be what everyone wants. And if so, how you can turn that off, thus disconnecting your experience from Microsoft.

And it's not what that sounds like either, because, I mean, it's not at all that. We're first going to talk about something known... actually, this was probably the most-sent-to-me topic for the show, and it happens that it's what I had chosen myself already by the time I saw that: uh, the nearest neighbor attack. Uh, and wow, it just sort of goes to show you how clever bad guys can be, whether we like it or not. We also have Let's Encrypt just turning ten.

We're going to take a little bit of a retrospective look at the changes that it has brought. Also, now the Coast Guard is worried about Chinese-built ship-to-shore cranes.

Turns out eighty percent of the big cranes that we use for offloading, uh, containers are made by China. And what could possibly go wrong there? Uh, also, Pakistan becomes the first country to block Bluesky.

Going to talk about that. There is also a new way to get repos swatted and removed from their hosts. I know, again, just incredible how clever bad guys can be. Um, who's to blame for Palo Alto Networks' serious new zero-day vulnerabilities?

And if you have any of six specific older D-Link VPN routers, the advice would be to unplug them immediately. We'll see why. It turns out that, speaking of VPNs, they are against the law. So say some legislators in Pakistan. So we will touch on that also. We have the return of Windows Recall.

Uh, what are we learning from that? And how many of today's systems remain vulnerable to last year's most popular exploits? So after sharing, then, a bunch of feedback from our listeners, we're going to talk about disconnecting your experiences from Microsoft. So I think another interesting podcast for our pre-Thanksgiving listeners.

Yeah, Shatner, according to a patch gilla handy, is unable to do this salute. So they would have to push his fingers into position, and then he would have, or he would...

hold it up behind. And did he actually do it often? Obviously, Spock was the original...

It was a Vulcan hand sign. It was a Jewish hand sign, ah, that meant roughly... it was a Jewish benediction, and it wasn't in the script. Um, but Nimoy thought, well, you know, and he asked the director, is it okay if I do this? And the director said, yeah, that'll work very well. And it became, of course, a trademark. Shatner joked that it took years of diligent practice and self-denial for him to be... he was on Conan... to be able to do it, because he could not, could not.

Do they live on? And there are people who can't. The best man at my wedding was unable to do it. You, you...

had this at your wedding?

Of course. At what point did you... "live long and prosper"?

Was this sort of kissing the bride?

Gary got up for the best man's toast and said, you know, he was holding the microphone and said, yeah, now, Gibson made me promise that I would not do anything too embarrassing. Oh. So I'm just going to say... Then he held his hand up and said...

Live long. That's beautiful.

But he had two, he had two orthodontic braces bands around these fingers, because he also was unable to do that.

I can do it with my left. I can only do it with the right with some assistance.

Yeah, well.

You didn't like this, that effect, but I will play "live long and prosper" and continue on now.

So thank Gary for keeping his toast quite quick and to the point.

It's a perfect toast. It says it all. Yes, yes. All right, we're going to get to the picture of the week in just a moment, but first a word from our first sponsor, Mr. Gibson. Uh, today it's Experts Exchange. You listen to this show because you've got a real live expert who talks about the things you care about the most on the show. Well, imagine having that kind of expertise available to you any time, day or night.

That's what Experts Exchange has been doing for, I think it's almost twenty years now. I know I started using them early on when I needed an answer and I couldn't find it anywhere else. Now, Experts Exchange is a network of trustworthy and talented tech professionals. You can go to them to get industry insights, to get advice.

And it's not just advice from some stranger on the street. It's from somebody who is actually using the products in your stack. That sure beats paying for expensive enterprise-level tech support. As the tech community for people tired of the AI sellout, Experts Exchange is ready to help carry the fight for the future of human intelligence. Then you might say, well, there's got to be a future. But remember, AI has started to creep into all of these, you know, intelligence things, these questions-and-answers sites.

Worse, it's using the answers humans give on these sites, scraping them and then adding it to their own LLM body of knowledge. Not at Experts Exchange. Experts Exchange is about human intelligence. Experts Exchange gives you access to professionals in over four hundred different fields.

We're talking coding, Microsoft Azure, AWS, devices, and more. And unlike some of these other places, there's no snark. Duplicate questions are encouraged.

There are no dumb questions. You don't get the snarky "oh, well, I wouldn't do it that way" kind of an answer. You get real help, because the contributors are serious tech enthusiasts who love graciously answering all questions.

In fact, I would go a step further to say these are experts who believe that the best thing that can happen, the best way to celebrate your expertise, is to graciously share it with others, help other people, to pay it forward. That's what Experts Exchange is all about. So let's talk a little bit about it.

One member said, I've never had ChatGPT stop and ask me a question before, but that happens on E-E all the time. It's a dialogue. It's a conversation.

Experts Exchange is proudly committed to fostering a community where human collaboration is fundamental. Their experts directory is full of experts to help you find what you need. One of them is listening right now. Rodney, hello. Rodney Barnard's a VMware expert and a Security Now

fan. There are people like Edward van Biljon. Maybe you've seen Edward's YouTube video. He's a Microsoft MVP and an ethical hacker who really knows his stuff.

He's on Experts Exchange, plus, uh, good design professionals, executive IT directors. Yes, you can get management questions answered, and a lot more. But here's the most important thing.

Other platforms betray their contributors by selling the content on the platform to train AI models. LinkedIn does that, they just announced. Reddit does it. Uh, so many sites do. But you know that at Experts Exchange, your privacy is not for sale.

They stand against the betrayals of contributors worldwide, and they have never and will never sell your data, your content, your likeness. They block and strictly prohibit AI companies from scraping content from their sites to train their LLMs. And the moderators at Experts Exchange strictly forbid the direct use of LLM content.

Their threads, really, it's humans talking to humans. And that's the best kind of expertise, the best kind of conversation. Experts deserve a place where they can confidently share their knowledge without worrying about some company stealing it to increase shareholder value.

Humanity deserves a safe haven from AI, and you, you deserve answers, real answers, useful answers to your questions. Now, they are so confident you're going to appreciate Experts Exchange and love it and get value out of it.

They're offering you ninety days free, no credit card required, just three months free to try it out. So at the very least, I want you to go to e-e.com/twit and sign up. You don't have to give them a credit card.

Try it for three months. If you don't get anything out of it, no harm, no foul. But I have a feeling you're going to appreciate the community that Experts Exchange has built.

Really amazing. e-e.com/twit, the tech Q&A for people tired of the AI sellout. Real humans with real answers to real questions. Thank you, Experts Exchange, for supporting this real human, Steve Gibson, and his ever, never-ending quest to make the world a safer place. All right, I have the picture of the week. Shall I look at it?

Yeah, I'm going to throw it up here. I gave this the caption, "What's wrong with this picture?" Oh, I love it. I do. Okay.

So for those who aren't seeing it, uh, we have, um, the entry to a facility where there's a big staircase sort of front and center in the middle, and you could imagine the parking lot is on a lower level. So these stairs are leading up to the entrance to this facility. And to make things easier for the people who wish to come and go, there are, at the extremes,

the far left and the far right of the staircase, escalators. One, you know, an up escalator, the other a down escalator, which would all be fine. But the sort of non sequitur of this whole thing is that the facility is 24 Hour Fitness, and nobody's on the stairs and the people are taking the escalator, or...

I have to go to the StairMaster, I...

can't. So, and of course, the show notes went out, uh, yesterday evening, and so I've already had feedback saying, how do you know they're not going up the down escalator, which is actually giving them exercise, rather than... if the stairs, we feel... And there is that. Or what about for people who are there for physical therapy, you know, PT?

And so they're not able to climb the stairs. They know they need to be gentle on the knees. Yes, of course. It needs to be accessible. Thank you very much for those alternative possibilities.

Anyway, I think we showed this once before. I know I've seen that before, and I just always get a kick. I have just sort of the, like, okay, we're going to 24 Hour Fitness, but we're not ready to start working out just yet. We're going to take the escalator up rather than taking the stairs.

Well, it's the equivalent of searching for the closest parking space too, right?

In fact, yes, somebody also wrote to me using exactly that analogy, how many times, in fact, at his gym he's seen people circling, waiting to get a close parking place rather than...

walking for exercise, and they're...

just, you know, okay. So, uh, wow. Last Friday, on the twenty-second, the security firm, um, Volexity published the details of a somewhat astonishing and successful attack, one being several years old, predating Russia's invasion of Ukraine. This story is not about a threat any of us will ever face, at least almost certainly not.

But I wanted to share it since it presents a perfect example of my porosity theory of security, where the security of today's systems is best viewed as being porous to varying degrees. I like this model of a porous system, which I think fits best, because while the amount of effort an attacker may need to exert to obtain access to any specific system may vary, most systems can... or, yeah, and look at systems in the broadest sense, most systems can ultimately be breached by a sufficiently motivated and determined attacker.

Okay, that might mean, you know, arranging to install a subverted employee into the organization who can... right, right, playing the long game. Or it might mean, you know, subjecting employees to phishing attacks of increasing complexity until you finally make it happen. The point is our systems are not infinitely secure. They're,

you know, kind of secure, where "kind of" varies. So the term "absolute security" is more of a concept than a reality today.

Okay. So here's how Volexity opened their disclosure of this astonishing attack, which they're now able to talk about. They wrote: In early February of twenty twenty-two, notably just ahead of the Russian invasion of Ukraine (and that ends up being significant, as we'll see), Volexity made a discovery that led to one of the most fascinating and complex incident investigations we'd ever worked.

The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (and they said they will refer to them as Organization A, because they're still going to be anonymous even today) indicated a threat actor had compromised a server on that customer's network. They said, while Volexity quickly investigated the threat activity, more questions were raised than answers, due to a very motivated and skilled advanced persistent threat (you know, APT) actor who was using a novel attack vector Volexity had not previously encountered. At the end of the investigation,

Volexity would tie the breach to a Russian threat actor it tracks as GruesomeLarch, publicly known by many names. The one it's best known as, I like, is APT28.

There's also Forest Blizzard, Sofacy, Fancy Bear, among other names. In other words, the Russians. They said Volexity further determined that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on, and projects actively involving, Ukraine. Okay, so what did the Volexity investigation uncover?

Strange as that might first seem, despite being thousands of miles away in Russia, this well-known APT28 group of Russian state-sponsored actors breached an unnamed U.S. company, this Organization A, by gaining access through its enterprise Wi-Fi network.

But wait, they're thousands of miles away in Russia. How's that possible? If I told you that the attack had been dubbed the nearest neighbor attack, you'd start to get the idea. That's right. APT28 pivoted to their ultimate target after first compromising an organization in a nearby building that was in Wi-Fi range of their target. APT28 has this level of expertise.

They are part of Russia's military unit 26165 in the General Staff Main Intelligence Directorate, the GRU, and they're known to have been conducting offensive cyber operations dating as far back as two thousand four, so for the past twenty years. APT28 initially obtained the credentials to the target's enterprise Wi-Fi network through password spraying attacks targeting a victim's public-facing service. But the presence of multi-factor authentication prevented the use of those credentials over the public web, so they couldn't use the web.

Although connecting through the enterprise Wi-Fi did not require multi-factor authentication, as Volexity phrased it, quote, being thousands of miles away and an ocean apart from the victim presented a problem. So the hackers got creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network. The idea was to compromise another organization and search its network for a wired-accessible device containing a wireless adapter.

You know, so a dual-homed, both wired and wireless... such a device, whether it be a laptop, a router, or access point, would theoretically allow the hackers to use its wireless adapter to connect to the target's, you know, Organization A, that targeted organization's, enterprise Wi-Fi. Volexity wrote, they said, Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an internet-facing service. However, it was not clear where the attacker was physically that allowed them to connect to the enterprise Wi-Fi.

To begin with, further analysis of data available from Organization A's wireless controller showed which specific wireless access points the attacker was connecting to. After overlaying them on a map, a physical map that had a layout of the building and specific floors, Volexity could see the attacker was connecting to the same three wireless access points that were in a conference room at the far end of the building, near windows along the street. This gave Volexity the first evidence that, as they put it, quote, the call was not coming from inside the building, unquote. Could this be an attacker conducting a close access operation from the street outside? Nothing was ruled out, but Volexity was not too far off from discovering the real answer.

Okay, so what they discovered was that APT28 had compromised multiple organizations as part of this attack. They daisy-chained their connection using valid access credentials. Ultimately, they gained access to a device containing a Wi-Fi radio that was able to connect to those three access points near the windows of the victim's conference room.

Then, using a remote desktop connection, you know, RDP, from an unprivileged account, the threat actor was able to move laterally within the target network to search for systems of interest and to exfiltrate the data which had been their target all along. The attackers generally used living-off-the-land techniques, as they're now referred to, which rely mostly on already-present native Windows tools in order to minimize their footprint and thus reduce the chance of being detected. And one of the things that has happened in Windows through the years is the number of already-present built-in utilities, you know, you just don't even realize are there, has really expanded.

So for attackers who have a full knowledge of just how much available utility is in Windows for them to repurpose, um, there's a lot they're able to use. Even with all their research, Volexity was working from forensic data and was unable to trace the attacks back to the original attackers. Attribution at that point was still impossible, but a Microsoft report just this last April provided them with the missing clues.

Volexity saw clear overlap in indicators of compromise, as we call them, IOCs, that clearly matched and pointed to the Russian advanced persistent threat group. Based on details in Microsoft's report, it's very likely that APT28 was able to escalate privileges before running critical payloads by exploiting a zero-day vulnerability back in twenty twenty-two, CVE-2022-38028, that existed in the Windows Print Spooler service (remember, we talked about that a lot a couple years ago) within the victim's network. So our unsettling

takeaway from this is that close access operations, as they're known, that typically require proximity to the target, such as from an adjacent parking lot, as is sometimes used, can also be conducted from great distances by compromising something nearby. You know, that makes an otherwise impossible attack possible, um, and has the benefit of eliminating all the risk to the attacker of being physically identified and caught on site. Nobody can get them. The other, and this is the most significant takeaway, I think, for our listeners, is that everything should be logged.

The mantra should be: log everything. It's crucial to appreciate that it is inherently impossible to know which logs will be needed after the fact, and nothing brings an investigation to a grinding halt more quickly than running up against the "oh, we don't have logs of that." Today's storage is so inexpensive that it's no longer a factor.

Logs don't take up much space. They contain so much redundant information and formatting, which is repetitive, that they compress down to nothing. And they serve as a form of time machine that later allows forensics investigators to venture far back into the past, to view what happened when and to retrace the previously unseen footsteps of unknown network users.

And logs are not only useful for tracking Russians. Large corporations cannot be certain about the changing motivations and loyalties of their own employees. So an IT culture of logging, and letting it be widely known within the enterprise that everything within an organization is being logged, is a bit like planting a sign on the front lawn to let would-be burglars know that the premises is being monitored by such-and-such a company. It could be an ounce of prevention.

It reminds me of the warning that I always get when I do a sudo and then type the administrator password, and then it says, you, or if you give the wrong name, it says, you are not allowed to do this; your presence will be logged. Back in the day they knew this stuff, you know.

The other lesson, though, is also important, which is that we are not operating on our own, that we are in a community, and our security impacts other people's security, right? This is not just our machine that we're securing or not securing. We could be a vulnerability happening to your neighbor. Yeah, well.

And in fact, you know, oftentimes now you go and look at the available Wi-Fi access points within range.

It's a lot, it really is, yes.

We're living in...

the community, and yeah, we all have a responsibility.

It is the case that one Wi-Fi network is able to see another one. And if the hackers are good, they can get near you and then use that Wi-Fi link to jump across the air gap. So, wow, the world we live in today. Okay. Let's Encrypt has turned ten, Leo, and you and I have been here the entire time.

Yep.

Watching it. Last Tuesday was the tenth anniversary of Let's Encrypt, and its statistics page shows that its certificates are now being used to encrypt the connections to, get this, five hundred million domains, half a billion domains. Wow. And the rate of certificate issuance, I have that chart and the rate of certificate issuance chart both in the show notes for anyone who is interested; the rate of certificate issuance tells the story.

This shows that the number of certificates issued per day has now touched six million. Now that's, of course, because these certificates are short-lived, right? They're ninety days. So that's one of the things that Let's Encrypt has been able to do, is to reduce certificate life by automating the process.

Twenty years ago, when we began this podcast, most websites used unencrypted and unauthenticated HTTP. Those sites which needed to obtain private and confidential information from their users, even if it was only their username and password to log in, would typically switch to an HTTPS connection only during the transmission of that information, and then would switch back.

We later learned the problem with that, because during that secure negotiation of username and password, the browser would be given a cookie. But then when the browser switched back to HTTP, non-secured, non-encrypted connections, that cookie would be transmitted in the clear, which we had a lot of fun with under the name Firesheep, which was a means of very easily capturing that credential from an unsecured Wi-Fi network and immediately impersonating a logged-in user. The good news is those days are gone.

Um, but as the world began to grow ever more dependent upon the internet for everything, it became clear that this original trust-by-default model was not going to take us where we needed to go in the future. The industry needed a future where the privacy provided by encryption could be available to everyone, not just those who were willing to pay to purchase a certificate. Because the trouble was that encryption required certificates, and certificate authorities had made a lucrative business out of verifying the identity of website owners and signing their certificates, which attested to that verification having been performed. And since performing

this verification did require significant work, certificates carrying those attestations were not free. The ISRG, the Internet Security Research Group, was formed to solve this problem. Two engineers from Mozilla, a guy from the EFF, and one from the University of Michigan incorporated the ISRG and set about solving the problem.

The group decided that the inherently expensive and scaling-resistant verification of domain ownership could simply be bypassed in favor of reducing the test to anonymous domain control. And if that was done, web and DNS servers would be able to verify the domains they were serving, and the entire process of certificate issuance and maintenance could be automated. Thus the ACME, Automated Certificate Management Environment, protocol was born. And today, half a billion domains later, by any measure this has been a huge success. Thanks to Let's Encrypt, any website that wishes can now have every connection encrypted for privacy for free. Um, have Let's Encrypt's free certificates been abused?

Of course they have. That's what happens on the internet when anything is free.

Look at email spam and today's social media, you know, its abuse frenzy. Both are an utter catastrophe because both are free.

But this was not the problem Let's Encrypt was trying to solve or prevent. Their clearly stated goal was to offer equal-opportunity privacy through encryption for all. Bad guys and phishing sites were every bit as welcome to have Let's Encrypt certificates as anyone else.

At least the communications of the people they were scamming would now also be private and encrypted. And that really was all that the ISRG intended to provide. So ten years, and thanks to these guys, you know, as we've seen, we had a pie chart, remember, a couple months ago that showed they've just taken over. Yeah, yes.

Why, everybody uses them. Patrick Delahanty has just sent me the link. This is our episode almost exactly ten years ago, November twenty-fifth, twenty fourteen, where you introduced Let's Encrypt to the world, Security Now 483. And Grayson Peddie, who is very sharp-eyed, pointed out that you had, at the time, three PDPs. You'll... what happened to the other one?

Maybe I moved them up. There is one above...

the edge of the shot. Change... that's all, Grayson. The thing... no, no PDPs have died in the making of this.

Ah okay, leo, let's take a break. Then we're going to talk about oh, the latest concern of stuff coming from china and a little a bit of a sticky wicket in this case and all, deal, I want one of these cranes. Oh, way to you. See.

I have a picture. What would you do with the crane? Steve?

H, wait to you. see. You just have.

Take your upload your hard drives .

or so I don't.

Well, if you lived in a container, you could use the crane to move your house around every once. And that's true there you, that would work well, right? We will come right back.

I want to find out about these hackable cranes. But first, a word from our sponsor, Bitwarden. And if you listen to the show, you know, you know without any question in your mind that you need to have a password manager.

Unfortunately, there are lots of places... I don't know, maybe your business does not yet have a password manager, maybe your friends and family. In fact, this would be a great thing to talk about around the turkey.

So on Thursday, Bitwarden, the only password manager I recommend and trust, because it's open source. It is also trusted by thousands of businesses. Yes, they have a business plan.

Of course, what Bitwarden does, you know perfectly well, is generating and auto-filling strong, unique logins. You don't have to remember them, so you don't have to make them easy to remember. And that means they're harder to crack.

Bitwarden takes care of all of that. But the important word in there is auto-fill. And I think we don't maybe emphasize it enough. If you're using the Bitwarden extension and you go to a site and you fill in the password, Bitwarden is protecting you in more ways than you might know.

For instance, it will not auto-fill the password on a spoofed site. If you go to t-v-v-i-t-t-e-r dot com, it's not going to fill in your twitter.com password, right? Actually, that made a problem for me when Twitter changed its name to x.com. I had to change my password to x.com.

But that is a great thing. It means auto-fill only works on the legitimate sites. And auto-fill is not just for passwords.

It's also for credit cards, for identities. It's even for passkeys. And that is really nice to have that in the inline auto-fill menu.

So you don't leave the page, and it will also protect you if it's not the page you think it is. Bitwarden is really great for business. It works with all the tools you already use. They continue to expand their integration ecosystem across key platforms to support seamless operations and elevated security.

They just, this is so cool, they just integrated with Microsoft Intune. You know, Intune is their service to keep your Windows machines safe. Now, with Bitwarden in Intune, it enhances device security and user identity management. It enables secure Bitwarden deployment on any Intune-managed endpoint. That's great for the IT department, including desktops and mobile devices. The HR tool Rippling simplifies employee onboarding and offboarding by integrating with Bitwarden, which means the IT team can assign or revoke access as employees join or leave.

It's built in. Here's another one: Vanta, a long-time sponsor here. Vanta combines Vanta compliance audit and reporting with secure password management, which helps your organization meet SOC 2 and ISO 27001 and other standards.

Rapid7 ensures improved threat detection and response by, oh, this is so clever, correlating credential usage with security events. You were talking about logging earlier, Steve. Automatic logging, right?

That lets you know, hey, you had a security event, and look who was logged in where. This really helps you strengthen your proactive monitoring and your intelligence for enterprise security teams. And it's automatic. But those are just a few of the many, many integrations Bitwarden can do in your business.

These integrations increase flexibility, centralize security management across existing technology stacks and employee devices, and help you maintain control over sensitive information. I think it's really... we talk about Bitwarden a lot as being a great tool for individuals.

And this is free forever for individuals, which is great. It's open source, but it's really important to remember that Bitwarden has a great enterprise story as well. Bitwarden users can seamlessly connect the tools for IT management, for compliance, for security, which helps you improve and standardize the deployment of enterprise credential management throughout your organization.

It's not just saying to your employees, here, this is our password manager, use it. It's so much more than that. Your business deserves a cost-effective solution that can dramatically improve its chances of staying safe online. And that's Bitwarden.

It's easy to set it up. They support importing from most password management solutions, so it should just take a few minutes.

And of course, I emphasize this, I think it's so important: any crypto tool should be open source so that you, or an expert, can verify there are no back doors.

It does what it says it does, is using good strong encryption, is not using out-of-date technologies. And all of that, Bitwarden is open source. As we talked about last week, or maybe it was two weeks ago, it's GPL.

It's true open source. It can be inspected by anyone. So, right, they're on GitHub, and they regularly get audited by third-party experts.

But even more importantly, they publish the results of those audits without fear or favor. They guarantee they're going to put them online. So you know you're always using a password manager you can trust. I'm going to... I'm a big fan, as you can tell, and maybe a little bit of a Bitwarden nerd. Get started today with Bitwarden's free trial of a Teams or Enterprise plan.

And if you're an individual, or you're sitting across the table at Thanksgiving with a member of your family who says, oh no, I know all about passwords, and you see, my kitty cat's name and my birthday and my mother's maiden name, and I'm so clever about how I smushed those together, no one will ever guess that, you need to tell them about Bitwarden. And if they say, well, I don't want to pay for a password manager, you tell him Bitwarden is free for individuals forever.

bitwarden.com/twit. Now, I happen to pay ten dollars a year, ten dollars a year, for the premium plan, because I want to support them, but you don't have to. And if Uncle Joe says, I don't want to pay for it, you tell him, hey, don't worry, Joe, it's free, and Leo says it's the best. bitwarden.com/twit. We thank you so much for supporting the fine work Steve does to protect you and Uncle Joe on Security Now. Steve?

Okay. So last Wednesday's report in GovInfoSecurity was titled "Coast Guard Warns of Continued Risks in Chinese Port Cranes." It becomes an issue, actually, when it's accompanied by the news...

Get this, Leo: eighty percent of all heavy-lift gantry cranes used to load and unload container ships at American ports were manufactured by a single company, ZPMC, a state-owned company in China. Eighty percent of these cranes. And I know why. Oh my god, they are just the most lovely thing you've ever seen.

They're gorgeous. This is the problem. They're the best in the business.

Right? Like the DJI drones, which are the best drones there are, right? Right? Yes.

So, okay. The report explains that the U.S.

Coast Guard is warning that Chinese-made, as they're called, ship-to-shore (STS) cranes come with, and this is unspecified, but they said, with, quote,

"built-in

vulnerabilities," unquote, enabling remote access and control. Consequently, the Coast Guard has begun urging operators across the country to adopt enhanced security protocols. Okay.

These are the cranes you're talking about?

Oh, I've got one in the show notes, so down another page or two. Oh. Um, so in their notice the Coast Guard wrote, "additional measures are necessary to prevent a transportation security incident," unquote, and the Coast Guard cited, quote, "threat intelligence related to the PRC's interest in disrupting U.S.

critical infrastructure." Now, the notice instructs owners and operators of Chinese-made STS, you know, ship-to-shore cranes, to obtain a copy of the official directive from their local Coast Guard officials, stating that the materials contain sensitive security information. In other words, we're not telling you what we know in this public notice. Get this, get the official directive from your local Coast Guard; they'll tell you more.

Um, a congressional report published in September warned, um, a Chinese company with a major share of the global market of STS port cranes poses, quote, "significant cybersecurity and national security vulnerabilities for the United States." According to the report, the Chinese state-owned company ZPMC supplies eighty percent of all ship-to-shore cranes in the U.S.

market and has significant involvement in militarizing the South China Sea. Lawmakers warned that the company and its cranes could serve as a Trojan horse, allowing Beijing to exploit and manipulate U.S.

maritime equipment and technology at their request. What remains unclear is what measures the Coast Guard could implement to restrict the remote functionality of ship-to-shore cranes, which are integral to port operations nationwide. Okay, so here we add another example, a new example, to the Chinese-made DJI drones and Chinese-made security cameras, which those in the U.S.

have been likely purchasing and plugging in everywhere for years because, as you said, Leo, they're the best. The answer to the question of what are we to do about these cranes is the same as for the DJI

drones and cameras. I think in theory we could purchase the hardware and independently source the firmware or software for these devices. But nothing prevents firmware buried deeply within the hardware from being similarly compromised.

So not just flash memory and obvious firmware. So, you know, the real truth is, in any instance where we've seriously and firmly determined that we cannot trust the supplier of equipment, that equipment cannot be used anywhere its physical or cyber compromise might lead to other damage.

And imagine if Beijing could do nothing more than cause, and I say nothing more than cause, eighty percent of all U.S. ship-to-shore port cranes to self-destruct.

It would instantly and irreversibly cripple all major U.S. ports.

And at the bottom here of page six, I have a picture of this thing. Ah. Oh my god, look at that thing. It looks like something out of Star Wars. You know, you definitely don't want to have that thing walking in your direction.

Well, it doesn't walk. It does roll, though. And one of the things I love about going on cruises, which you do a lot of, is you get to see these ports and you get to see these cranes in operation.

Well, it's beautiful. But then, to give you a sense of scale, look at the itsy-bitsy size of the standardized containers next to it. My god, it's just amazing. Yes. So anyway, it is a beautiful thing. And it's a pity that we apparently can't trust it.

I mean, we don't know what is known. It says, what was that, preinstalled vulnerabilities? What does that mean? Yeah, I mean, like, do they have... have they discovered, have they reverse-engineered the firmware and actually found back doors that China knows are there? That would...

be a... and so there is probably a back door.

Right? I mean, well, or it ought to be a documented front door. And like, ZPMC is able to update the software in order to, I don't know, handle the new type of shipping container which is thirty percent bigger.

This is a universal issue. We've talked about how the Chinese, whatever they call this attack, they're in the phone systems. They're listening.

The phone calls... they're taking advantage of the legitimate wiretapping capabilities that law enforcement put in twenty years ago to listen to. I mean, they are in our power grid. We know that they are.

They're just sitting there. They're not doing anything. But honestly, this sounds as if the Chinese government has infiltrated pretty much all of our infrastructure.

Because we're buying all of our stuff from China, they didn't have to even try, right? I mean, we said, oh, we like those cameras, we'll take a million of them. They're taking

advantage of flaws. And SS7 has been there since thirty, forty years ago, right?

So, so, so on the one hand,

there are vulnerabilities

in the technologies that we are using. But on the flip side, we don't know that... there is no evidence, for example, that DJI actually was ever used in a covert surveillance effort.

We just know that could happen. And we know that they are a Chinese-based company, so everyone is nervous. And now we're looking at these cranes saying, oh my god, what if, you know... no crane has ever gone crazy, or done anything wrong.

Is there any reason that crane is online? Should that crane not be there?

My switches are online. My phones are online. You know, your blender is online.

The microwave is online. The coffee maker is online. Everything is online. Yeah, I mean, look, that's really what has happened, is we've gone online-happy, right? And so, you betcha, you know, I mean, who knows how those cranes even get installed?

I'm sure a whole bunch of people who are experts in installing them, you know, erect them, and then you've got to install the software. It's, again, it's going to all be software-controlled. Once upon a time there was a guy sitting in a cab with big levers. There still is. Now you've got the same controller for the whole thing. Yes.

That's one of my favorite... the seasons of The

Wire. Did you ever watch The Wire? Oh, Leo, one of the best shows ever produced.

Absolutely. And one of the seasons, they're down at the shipyards talking to the guys who operate those big cranes, and they have lots of scenes of them in there, and how fast they can move and so forth. It's pretty cool. But that was a long

time ago. Sure, it's even cooler now. Now it's Chinese-infiltrated.

So I... I know I feel really mixed about this. I know we have a lot of Chinese listeners. I love them.

There's nothing against them. And we don't know that China has ever misbehaved. We do know that we're being attacked. We even know that... we know about commercial companies. But there is no evidence that I'm aware of of misbehavior yet, because it's possible, you know, I don't know.

I'm going to throw this out here. I think this narrative is a little disturbing to me, because where it leads is, well, you just don't have anything that's made or bought from China, which could probably still... secure you? Right? Because, correct, we still are using SS7.

So yeah, I've gritted my teeth and replaced all the Huawei equipment in my network, but I still have software that's got massive holes in it, and I'm not willing to replace that. But let's say that's the road we go down.

Let's get rid of all the Chinese stuff. I think that makes us more vulnerable, because China no longer is economically dependent on us, is no longer entwined with us. I think we are less vulnerable if we trade with our enemies, I know, and they are economically tied. Their fate and our fate are economically linked. That to me is a better strategy for keeping the peace than putting up a big wall and saying we're not going to buy any Chinese stuff. Then it doesn't...

They have no... right, economic... right, for keeping their number one customer, right.

So I don't have... as... I mean, look, by the way, we are infiltrating their stuff. We know this from Edward Snowden, the leaks. The NSA has plenty of tools to do the same thing back. And they buy American stuff, probably not as much American stuff as we buy Chinese stuff. But I think it makes me nervous to think of the direction we seem to be heading with these reports that, well, let's just not have anything from China at all, because that could be a prelude to...

It'd be better for us if we all got along. And you know what we've got there is...

By the way, there is this mutually assured destruction, because we do have stuff in their gear as well. And they're infected. Bill Clinton even made... Obama made these agreements with China.

Okay, you're going to have your stuff in there, but we're going to have our stuff in your stuff. And we will only go so far in this espionage game. And these are the rules.

And you know, that's... I don't know how good a way to do that. That's a very good way to do things, but that is kind of worrisome right now. So I'm just nervous about the idea of, well, let's cut off all Chinese stuff, no Chinese stuff. Maybe the other direction is safer, and...

Look at the crane. It's...

They make good stuff. Oh, I mean, probably it's also cheaper than the American-made or the German-made cranes. I don't know. German... I'm sure Germany makes equally good cranes.

I bet, I bet. And who's to say, though, that if we switched to those, there wouldn't be some vulnerabilities, even if they didn't intend to? That's the problem. There'd still be vulnerabilities that the Chinese cyber hordes could get into.

There are still supply chain issues. There are still software vulnerabilities. I know, is perfect security possible?

No. I wonder what the German crane looks like. I might...

Wherever are you going to put this crane? Have you talked to Lorrie about your crane?

A little model? I want a model, model.

But you could have little model containers. There are little model ships.

You know one of the best things about my wife? She loves trains. Like, trains. I could have model trains running around the house.

Well, there's a very small driver in a model train and in a model crane.

That's what I'm saying. That's what I've said.

I think this would

probably work. I love it. Okay. So after a phenomenal surge in new users, Bluesky has received its first country-level block, and the winner is Pakistan.

Congratulations. For those who don't know, Bluesky was originally conceived as a project within Twitter, uh, back in the Twitter days at Twitter, by Jack Dorsey. It was designed to create an open, decentralized standard for social media.

It was launched in 2021 as an independent entity. After that, Bluesky quickly evolved into a strong competitor to X, offering a more customizable and transparent UI and, you know, user experience, UX.

Bluesky's overall popularity has been soaring recently. And in Pakistan specifically, this is being driven by increasing accessibility issues with X due to government restrictions and the growing need for a VPN to access X. Many Pakistani users have turned to using Bluesky as an alternative.

Unfortunately, now it appears that within Pakistan, Bluesky is quickly hitting the same barriers as X. As I mentioned, I've received Twitter DMs from our listeners asking when I'll be moving to Bluesky. I'm not moving anywhere. Uh, for me, X is being, you know, it's just kind of slowly allowed to fade. I'm still posting the weekly show notes to X because I've been doing it for years and some of our listeners who hang out there continue to appreciate that. But, you know, a nice presentation of today's show notes, as I said earlier, was emailed to more than thirteen and a quarter thousand of our listeners yesterday, and every one of those listeners is able to email directly back to me at securitynow@grc.com, um, and all of that works even for our listeners in Pakistan.

There. So, all hail email. I was in China. I used email to post on my blog, Facebook and Twitter, because I could email it. Yeah, yeah. By the way, I've got something for you, Steve. Actually, should I send a link to Lorrie? It's the LEGO City Seaside Harbor with Cargo Ship, toy model, container train, and with eight minifigures. Steve, this is what you want.

You know, we don't need a train running around the Christmas tree. You need a crane. We can set this puppy up. Wonderful.

This is yours, man.

Great. Arrives before Christmas.

Thank you to ChocolateMilkMiniSip, as you know, in our chat, for providing us with that.

So under this section of "what will they think of next," we now have what's being called repo swatting attacks. Repo, you know, repo is short for a repository, which is the unit of organization employed by GitHub

and GitLab. Get a load of this: threat actors have been abusing a hidden feature to cause GitHub and GitLab accounts to be taken down. The technique allowed... this will really strike home

for you, Leo, with the problems TWiT has with anything, you know, copyrighted. The technique allows users to open issues against a targeted repo, upload a malicious file, and then abandon the issue without publishing it, on both GitHub and GitLab. The file remains attached to a victim's account then, and the pesky threat actor reports the hidden, non-public file for breaking the service's terms of service, which forces the repo to be removed for hosting malware. Apparently, this is just one more reason why we can't have nice things.

I hope we... do that. The administration... this is the problem with the DMCA takedowns. You're right. On YouTube the process is so efficient, works so fast, you have virtually no time to defend yourself. One would hope GitHub and GitLab would start to understand this attack

and figure out this is what's going on. Yes, that's a visible... not so quick. Yeah, yeah. A couple of weeks ago, I touched on two recently announced zero-day flaws that had been discovered to affect Palo Alto Networks enterprise firewalls, which led to my quite predictable rant about the proof of impossibility of protecting any form of remote management access to internet-facing services.

Even firms like Palo Alto Networks, whose business is security and security appliances, still don't know how to do that, as these two recent zero-day flaws demonstrate. In this case, to say that Palo Alto's internal architecture seems somewhat wanting would be an understatement. An analysis by watchTowr Labs, that's spelled T-O-W-R, they've dropped the E, reveals that this vulnerable appliance, uh, and it's actually a family of them, is implemented in what they declare with tongue in cheek to be the "absolutely stellar PHP language," unquote, which is served by Apache fronted by an nginx reverse proxy.

They also note that the system implements its authentication layer by using a PHP feature known as auto_prepend_file, which prepends the file uiEnvSetup.php, a UI environment setup PHP file, to anything PHP loads, which is just such poor design I can't even begin. Okay, this is implemented by the line auto_prepend_file = uiEnvSetup.php in php.ini, which they preface by saying, quote, "take a look at this gem of a hack in the php.ini file," um, and I could not agree more. They introduce it by noting, "we guess auto_prepend_file actually has legitimate uses besides writing PHP exploits." I mean, it's just... the bottom line is that this is all quite dispiriting.

I don't know why I always imagined that Palo Alto Networks would be doing things right. I suppose I wanted to give them the benefit of the doubt. The

uiEnvSetup.php file, which provides front-end authentication by redirecting unauthenticated access to the login page, actually contains the comment... this is their own source code. Their own PHP code contains the comment, quote, "These are horrible hacks. This whole code should be removed and only made available to a few pages: main, common, debug..." In other words, their own coders know this was awful.

That's exactly what you'd expect some engineer to do, look at this code and put in the comment, this is

a hack. I don't know why I'm doing this. I'm hungry. They just delivered to the conference room. Oh my god.

Anyway, I couldn't agree more with the coder's own comment, and I would never say that Palo Alto Networks deserves to have been hit by these vulnerabilities, especially since it's their customers who will be taking the hit for this. But a design that is this slipshod can only be called asking for it. It's unquestionable that this is the utter crap they're shipping.

And in order to see any of this, because it's not out for public display, the watchTowr guys needed to first jailbreak this Palo Alto Networks appliance, which they did. But this means that this extremely poor design is locked away out of sight, so that it is only visible to intrepid researchers

who go to the effort to create a jailbreak. But even if it cannot be seen, every Palo Alto Networks customer remains reliant upon it. We all know the rigid line I draw between bad policies, which are deliberate, and true mistakes, which anyone could make.

None of this is an example of a mistake anyone could make. You know, these are policies. There are developers inside Palo Alto Networks who know this is what they are shipping. Those people should be looking for a new job far away from anything having to do with security.

And so today we have the news from the Shadowserver Foundation of evidence that at least two thousand of these Palo Alto Networks firewalls have been compromised using those two recently disclosed zero-days. Two thousand of Palo Alto Networks' enterprise customers have been penetrated as a result. Once they've been compromised, the firewalls contain a PHP web shell, which allows attackers to return later at their leisure. The presence of this web shell is one indicator of compromise. The Shadowserver Foundation said that their number was a conservative estimate, since it relies upon a limited set of IoCs released by Palo Alto Networks last week.

Now, to their credit, Palo Alto Networks had warned of a possible zero-day earlier this month, which is what I talked about back then. And their communication throughout this has been stellar. So there's much to commend Palo Alto Networks about their response to this trouble. Unfortunately, this stands in stark contrast to whoever is developing their devices.

Did they fix it?

They probably patched it, and it's probably largely the same. Now, maybe if a bright enough light is shone on this, they'll say, wow... What did you just say? Is that true? What? Does anybody know? Is that true? And don't blame

PHP, because you can code securely in PHP. But the problem is that it makes it very easy to code insecurely.

Thank you for finishing the sentence I was about to. It doesn't...

It doesn't exactly get in your way.

I guess. Yeah, if they had developed it in interpreted BASIC, you would wonder about the level of programmer expertise that chose the BASIC language to do the work. And PHP is similar.

It's a very nice language. You know, we know what PHP initially stood for, right? Yeah.

Personal home page. Do not write your security appliance front ends in personal home page. No.

Exactly right. wow. okay. So a responsible security research are going by the handle. Dell plott, who reportedly answers email at dell ploy ed at gmail dot com, has privately and responsibly disclosed their discovery of a terminally serious stack buffer overflow vulnerability across d links past V P N routers. I characterize this as being terminally serious because this now known to exist vulnerability allows unauthentic ated users, also frequently referred to as anyone, anywhere to remotely and at their wim, execute their remote code on the victims targeted d link, V, P and rider.

The concerns are that the links announcement of this sobering reality last monday contains a field for link to public disclosure, which is currently filled in with the aviation T, B, D, as in to be determined, which strongly suggests that this deal ploy character is being responsible with his or her knowledge and is giving deep link some time to respond. But there's a problem with that. All six of these vne able and vulnerable dealing V, P and routers have gone well past their end of life.

There are no longer being supported by dealing unus will not now and not ever be receiving updates to correct this most critical vulnerability. No cvs tracking designation will be assigned to track this vulnerability because it's never gonna be fixed. And as if A C V, S were to be assigned, IT would be Carrying a flashing red C, V S S score of nine point eight, perhaps our baby, even the rarest of ten point zeroes.

Okay, now this vulnerability is as bad as they come, because this otherwise lovely family of routers offers a standard S S L V P N, which runs a simple web server at the standard H T D P S port. For four three. I have a screen shot in the show notes of what you get when you, when you use your H, T, T, P.

Brothers to connect to these things. Part four, four, three. This looks like a web page asking you for your user name and password. From the standpoint of almost actively solicitating attackers, this could not be any worse.

The page that displayed to any device connecting to port four, four, three of an of an affected rather prominently displays the devices model number. And both the hardware and firm are version numbers. This thing effectively shouts, please exploit me so you know where they are on the internet will never be any mystery.

And I have no doubt that the lists of their I P addresses have long ago been assembled. okay? So now everyone knows the situation.

The two oldest affected writers are the D S. R. Five hundred and and a thousand, and which both went end of life nine years ago, back in september twenty fifteen.

The more recent four V P N routers are the D S R one fifty, one fifty and two fifty and two fifty, and all four of those when end of life, just a few months back in may of this year. But as the same goes, close only counts in hornes and handle ades, meaning in this case, that end of life is end of life. And the dealing formally states in their disclosure that these now known to be seriously vulnerable d, link V, P, N routers will never receive updates.

Long time listeners of this podcast know what will come next, assure as the sun rises every morning. Many tens of thousands of these devices are currently sitting on the public. Internet number may be around sixty thousand, six hundred thousand.

I haven't seen an exact count, but i'm sure that either show down or senses would have that number and be able to provide their I P addresses. Since every one of them, as I said proudly, presents its log on page to any passer by. There's been no public disclosure of the details of the vulnerability that dell ploy ed found, but the link has confirmed IT.

And at some point, delsploit is going to want to have their day in the sun and bragging rights about having discovered this vulnerability. So it's gonna be published, and no one can really fault delsploit for eventually disclosing the vulnerability they discovered, because that's the way the game is played these days. You wait long enough to give the impacted parties a reasonable amount of time to respond.

And after that, no matter whether or not they have, and regardless of the consequences, the entire hacking elite is then informed of exactly how to bypass the internet-facing authentication which protects tens of thousands of networks that are currently behind every one of these VPN routers. There's nothing any of us can do other than protect ourselves and those we have responsibility for and care for. So make absolutely double...

...damn certain that nowhere within your spheres of influence do any of these six D-Link VPN routers currently exist, because we all know exactly what's gonna happen next. In their disclosure, D-Link eventually recommended that this hardware should be replaced. We know that most of the owners of these devices will never receive any sort of notice of this, and probably wouldn't pay it the attention it deserves even if they did.

We are all being so inundated by all of our software being constantly updated that it is easy to become numb to it. But if anyone is in the market for a replacement, I would now say to stay well clear of D-Link.

They have a long and still growing history of very serious, remotely exploitable vulnerabilities being discovered after the fact in their past end-of-life products. This happened earlier this month with sixty-six thousand of D-Link's internet-connected NAS devices. Their response was effectively, well, we're sorry, we don't make NASes any longer.

And even if we did, those sixty-six thousand internet-connected, remotely exploitable network-attached storage devices we once made are now past their end of life. So it wouldn't matter even if we still made them. It's true that hardware is not forever, and that it would not be unreasonable to expect an aging NAS or router that's past its end of life to be rotated out of service in favor of something new.

But we all know, we all know that that doesn't happen often. Given their track record, I would be disinclined to give D-Link any more commercial support. If you really like the brand, okay, you know, I get it. It is truly nice-looking hardware, but you should be aware that end of life or end of support probably means end of secure service life, after which point a device, a D-Link device, should be rotated out of service. And if you have any existing inventory of D-Link devices, you should be very certain to have a current subscription to their security bulletins and other notifications, and really pay attention when you get one.

It's too bad. They used to be a good company, right? I mean, I had a lot of D-Link, right?

Did too. Right, did too. But, you know, they're having problems. And I mean, again, it's not unreasonable to say, okay, well...

...it's end of life and we're not supporting it anymore.

Yeah, I mean, you know, all the other companies do that too. But even Microsoft has gone back and fixed a really bad Windows problem after Windows was end of life, because they recognized they didn't want to hurt their own users. The problem...

...really is that D-Link was a consumer-dominant consumer brand for a long time. And so there are a lot of people who aren't that sophisticated who have D-Link gear, and they're not paying attention and not listening to this show, right? So they'll never know that there's a problem with their router. Or actually, not...

Right, that was a NAS. Well, it is. Yeah, it is. Earlier this month it was sixty-six thousand NASes. And now we've got six different models of SSL VPN routers, and an SSL VPN router is sitting there listening for incoming SSL connections on 443, right? So mark my words, a month or two from now we will have a count of how many systems have just been taken over. Yeah, as I said...

...at least an SSL router is not a consumer product. That's not in grandma's hands.

Actually, I don't know. I would say that's a bigger problem, because that means that it's hooked to a valuable network jack. It's not in grandma's hands, right? You know, it's on some small business's network that can be, and will, have all their systems encrypted and then held for ransom.

Yes, some IT guy twelve years ago installed it in a lawyer's office and nobody's thinking about it. It just works. And security is not a concern.

Except, I had sort of a related story. It turns out that, as many people know, Sharia is a religious law that governs some aspects of the lives of Muslims, based on the teachings of Islam and the Koran. We were just talking about Pakistan being unhappy with pretty much all things internet.

I should note that Pakistan's religious advisory board recently ruled that the use of VPN apps is against Sharia law, apparently because Sharia law is whatever they want it to be. Yeah. The Council of Islamic Ideology said that VPN technology was being used in Pakistan to access content prohibited according to Islamic principles or forbidden by law, including, quote, immoral and porn websites or websites that spread anarchy through disinformation. And this gave me pause to wonder, Leo, whether they might be inclined to change their minds if they were able to get a really good deal on some used D-Link VPN routers. Yeah.

That's the ticket. Oh, Lord, what a world. What a world. Well, this is, yeah. I mean, yeah.

So we have the return of Recall. Let's take a break. Yeah, and we're going to talk about Recall now being put back into Windows Insiders to begin testing. Yeah.

Congratulations. We talked about it on Sunday on TWiT, and all four of us said, yeah, but we would love to have something like Recall. In fact, my problem with it is, because it doesn't... it should be on every device, it's me and everything.

But of course...

...that would be a security nightmare. But we'll let you talk about that. Our show today is brought to you by ThreatLocker. This is the opposite of Recall.

This is basically zero trust, which is the opposite of what you were talking about earlier, which is, you know, kind of allow everybody and then filter out the bad guys? No, no, it's quite the opposite.

If zero-day exploits and supply chain attacks are keeping you up at night, and I think they probably are if you run a business, here's a solution. You don't have to worry. You can harden your security affordably and easily with ThreatLocker. I mean, worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.

But even small businesses can benefit with ThreatLocker's easy-to-implement zero trust solutions. Very affordable. Imagine, and this is kind of the crux of how it works, taking a proactive deny-by-default approach to cybersecurity. Deny by default, that's what zero trust is.

You don't assume, just because somebody's in your network, that they're good guys, that they should have access to everything, unless you give them explicit approval. Every action is blocked, every process is blocked, every user is blocked. And it will continue to be blocked until authorized by your team.

And even further than this, you were talking about logging earlier. ThreatLocker will make it easy to do. This also will give you a full audit for every action, fully logged. So that's great for risk management, for compliance too. You can demonstrate your security posture. This is how it should be done.

This is done right. And their 24/7 U.S.-based support team...

...will fully support you getting started, getting on board, and beyond. Stop the exploitation. This is so cool.

Talk about ring. One of the things they do is called ring fencing. Stop the exploit of trusted applications within your organization.

Keep your business secure, keep you protected from ransomware. Organizations across any industry can benefit from ThreatLocker's ring fencing. That's what they call it, and it's a great name for it, because you're, in a sense, fencing stuff in. You're isolating those critical and trusted applications from unintended uses, from weaponization. You're limiting attackers' lateral movement within your network. ThreatLocker's...

...ring fencing works so well it was able to foil a number of attacks that were not stopped by traditional EDR, including the SolarWinds attack. We talked about it for many years. It was foiled by ring fencing because you couldn't move laterally in the network.

Oh, ThreatLocker works for Macs too. Get unprecedented visibility and control of your cybersecurity quickly, easily, and cost-effectively. ThreatLocker's zero trust endpoint protection platform offers a unified approach to protecting users, devices, and networks against the exploitation even of zero-day vulnerabilities. When we first talked about these guys, I went out, I looked at reviews, I was blown away.

The people who use ThreatLocker love it, and it really works, and it's very affordable. You could get a thirty-day free trial right now. Learn more about how ThreatLocker can help mitigate threats no one's ever heard about before and ensure compliance. Visit threatlocker.com.

Visit threatlocker.com. That's threatlocker.com. We thank you so much for supporting the good works of Mr. Steve Tiberius Gibson, and you support us when you go to threatlocker.com. And if they ask, tell them you saw it on Steve's show. All right. Okay, Steve.

So last Friday, yes, the Windows Insider blog announced the return of Recall to Windows 11. They wrote: Hello, Windows Insiders. Today we're releasing Windows 11 Insider Preview Build 26120.2415, or, as one of my employees would have once said, "started," which I always thought was funny.

He said that. They said, to the Dev Channel. With this update, we welcome Windows Insiders with Snapdragon-powered Copilot+ PCs to join the Dev Channel to try out Recall preview with Click to Do preview, which is a new feature that they are now going to be testing. So anyway, I have a link to the rollout text in the show notes.

Anyone who wants more... So it's nice to see that Microsoft is doing what they had promised to do. The setup experience, of course, promotes Recall as a wonderful and really secure feature. It's unclear from the few screenshots Microsoft provided what the user's decision tree looks like and how readily the user is able to decline to receive the Recall experience.

But presumably, after all the backlash Microsoft received and their commitment to disable Recall until a user explicitly enabled it, that's what they've done. I do know from reporting that Recall can mostly be removed from Windows through the Turn Windows Features On or Off dialog. One security researcher noted that a few Recall-related DLLs do remain under the Windows SystemApps directory, specifically MicrosoftWindows.Client.AIX.

But this researcher noted that the core functionality is removed. So that's good. A few items of note from their blog posting, where they're quoted:

Recall preview will begin to roll out on Snapdragon-powered Copilot+ PCs, with support for AMD- and Intel-powered Copilot+ PCs coming soon as we gradually roll out Recall in preview. Recall is supported in select languages, including Simplified Chinese, English, French, German, Japanese, and Spanish. Content-based and storage limitations apply. Recall is not yet available in all regions, with expanded availability coming over time. So there were anecdotal reports of researchers being able to get the first shot at Recall running on PCs without any fancy AI GPU...

...support. So it might be that Recall will be made more widely available over time, you know. And so this might also mean that, for now, no one without a Copilot+ PC will need to worry about removing it, since it may never be present. And again, not yet in the main channel.

This is all just Insider preview. Also of interest in the posting, for their enterprise customers, they said: As announced at Ignite, for our enterprise customers, Recall is removed by default on PCs managed by an IT administrator for work or school, as well as Enterprise versions of Windows 11. IT...

...administrators fully control the availability of Recall within their organization. Employees must choose to opt in to saving snapshots and enroll their face or fingerprint with Windows Hello for snapshots to be saved. Only the same user can access decrypted Recall data. Theoretically. So, although enterprises cannot access employee Recall data, they can prevent Recall from being used altogether and prevent any saving of specific apps or sites.

So essentially they're saying that, you know, group policy settings that the IT admin controls can prevent Recall use. But if Recall is allowed, then it still has a one-to-one relationship between the machine and the employee, and under no circumstances does the enterprise have access to the data that Recall is collecting for that employee. So that's good.

And of course, that was not the case when this was first rolled out, in what many people feel was a premature mode, because none of the data was encrypted. It was just all there in a user directory. So just for the record, Microsoft is also previewing a Recall feature which they call Click to Do, and they write: With Click to Do in Recall, you can get more done with snapshots and improve your productivity and creativity. Click to Do recognizes text and images in snapshots and offers AI-powered actions you can take on these, saving you time by helping complete tasks inline.

And we're quickly getting you to the app that can best complete the job for you. They then show that the user is able to mark and highlight to select text in an image on a Recall snapshot, which is cool. And then, once selected, you get a context menu with copy, open with, search the web, open website, and send via email.

And if the user were to happen to right-click on a recalled image, as opposed to a block of text, then the context menu commands are copy, save as, share, open with, visual search with Bing, blur the background with Photos, erase objects with Photos, and remove the background with Paint. So some things you can actually do with images that are recalled, and apparently soon with things that are not recalled. They said, in this update, Click to Do only works within the Recall experience. And by the way, we're going to have a lot of experiences with Windows, apparently. In Microsoft, that's their new favorite word. They said, in a future update, you'll be able to effortlessly engage with Click to Do by simply pressing Windows logo key plus Q, through the Snipping Tool menu and Print Screen, or by searching Click to Do in the Windows search box. In other words, it'll be pervasive in Windows, they said.

These methods will make it easier than ever to take immediate action on whatever catches your eye on screen. We're also working on introducing more intelligent text actions to enhance your experience even further. Just like with Recall, noted above, Click to Do preview is available only on Snapdragon-powered Copilot+ PCs. Support for Intel and AMD Copilot+ PCs is coming soon.

So okay, for people who have those, again, not yet mainstream, not yet released, but clearly coming. I was talking earlier about the fact that we absolutely know that very, very few of the now known-to-be-vulnerable D-Link VPN routers will be removed from the internet as a result of D-Link's announcement of their serious vulnerability. How do we know? Well, all of the history that we've talked about on the podcast shows that. In this case, CISA maintains a list of the most exploited security vulnerabilities by year.

We know that at least sixty, six-zero, known threat actors exploit vulnerabilities from CISA's list of the most exploited bugs last year, and we have details. According to the security firm VulnCheck, V-U-L-N-C-H-E-C-K, the North Korean group Silent Chollima was the most active in this regard. They targeted nine out of fifteen CVEs from CISA's list. Chinese and Russian groups were the most active among the sixty known threat actors, with China sponsoring fifteen groups of those sixty and Russia supporting nine groups.

And here's the most distressing news that gets back to why we know that few of those D-Link routers will be removed from service. Hopefully, all of our listeners, if there's any intersection between those D-Link routers and our listeners, they know that action will be taken.

But VulnCheck reports that over four hundred thousand systems that are currently online at this moment are vulnerable to attacks using one of last year's most popular vulnerabilities. Four hundred thousand systems online now are vulnerable to at least one of 2023's most popular, and, you know, by popular I mean most exploited, vulnerabilities. So, wow, do we have to do better as an industry? We really do somehow need to do better.

Okay. Just shows you how hard it is to do so.

I mean, yeah, well, and, you know, I'm sure that notices are going out. As I said, you know, we all just get inured to them. Essentially, we just stop paying attention to every one of them because it's like, oh my God, oh my God, oh my God, and finally we say, ah well, we keep hearing that, but nothing bad ever happens. Until something bad happens.

Okay, some great feedback from our listeners. Thomas wrote: On a recent episode, you mentioned a device that acts like a Bluetooth keyboard and connects via a dongle between a phone or other Bluetooth device and a computer, or basically anything you could plug a USB keyboard into. It sounds to me like an InputStick, and that's http://inputstick.com. He said, a device that I used frequently as a hardware tech when replacing HP motherboards.

After you replaced the motherboard, you had to enter a setup command string that was about thirty characters long and case-sensitive. Since it was entered before/during BIOS, you could not copy it into the field from the web. It was a nightmare.

Okay, right? Thirty characters of upper- and lowercase gibberish. Yeah. He said, but with the InputStick, so cool. So I immediately ordered one. It...

...is very...

...very cool. And the app's kind...

...of like a YubiKey, but you could program it to do whatever you want.

It's exactly what it is. And not only keyboard, but also mouse.

Wow. So you're...

...able to remotely control, I know, like do mouse functions. So he said, but with the InputStick, you can go to HP's website on the phone, copy the string, paste it into InputStick's software, and send it / input it directly. The first time, he said... it's been a while since I've done that. Mostly it now works as the control to turn my computer down when I'm going to sleep, he said. And because they also have complete multimedia control...

...he said, as any keyboard does, of course. Yes.

Exactly. He said, still one of my favorite toys, though. Even though I'm no longer in the biz, I still keep up with the news via Security Now. Thomas, as I said, Thomas is one hundred percent correct.

That is the gizmo that another listener mentioned, which I immediately purchased since it looks clever and interesting. I think it was thirty-nine dollars U.S. plus shipping from Poland, and they immediately shipped it. I got a notice of it being shipped like hours later.

I'll report again once I've had a chance to play with it. Its creator appears to have done quite a lot with the capability. It's able to simulate both a keyboard and a mouse.

And as I said, it's able to simulate multimedia control keystrokes. It's got macro capabilities and the works. So, you know, I'm constantly annoyed that, despite my decades-long loyalty to all things Apple for everything other than...

...Macs, they offer integration features that Apple refuses to bring to Windows. You know, I would, oh my God, would I love to have iMessage for Windows? But no, no, I don't get that.

And I was wondering if this would somehow allow me to bridge that gap. But it's actually going in the wrong direction, probably, unless I would... I guess, I don't know. It's going in the wrong direction. So I guess, at the same time, if they brought us something that was like iTunes for Windows, I'm probably better off without it. You have a solution? No.

I'm just trying to think of how you would use it. So your goal is to be...

...to do what? I guess my goal would be, okay, so it's burdensome writing a long message on the horrible touchscreen keyboard and then just sending that. Yes, yeah. And I've emailed myself messages and then gone to the email on the iPhone, opened it, copied it, gone to Messages, pasted it, and sent it. It's like, what?

This is how Apple keeps people in the Apple ecosystem. If it's easy to do if you're all Apple, yes, you're all Apple.

I know. Otherwise, yeah.

You know, you might buy other people's computers, and we can't let that happen.

Right. Gino Greedy, who signed his note The Network Ninja, earns his title. He wrote: Steve, I was listening to the episode where you had a listener ask about how to capture the command and control, you know, C2, traffic when it's using a hard-coded IP. The solution you offered would absolutely work.

I think the more elegant solution would be to just NAT the destination. I'm not entirely familiar with pfSense or OPNsense, and I use Untangle and Palo Alto at home. However, if you have firewall software that supported it, you could create a NAT rule that changes the destination from the hard-coded IP to a host of your choice. You won't even need additional interfaces.

If you configure the rule correctly, it will re-NAT it back for return traffic. The malware will have no idea that it isn't actually talking to that IP. The additional advantage is that you wouldn't have to change the IP or add additional IPs onto the machine you're sending the command and control traffic to.

You could easily create as many of those NAT rules as you want, which I think would make it more robust long term. I appreciate the podcast and hope to be listening for another one thousand episodes. Okay, this suggestion makes sense.

Okay. So given that a router firewall supports it, I think it's a brilliant solution that's clearly superior to the more complex approach that I proposed. So I like it a lot. Okay, let's think this through. As I understand it, it would require routing software that's able to perform NAT translation for packets traversing the router's internal LAN interface. That's different from typical consumer router NAT, which is generally applied to outbound packets crossing the router's WAN interface. So this would definitely require some third-party routing software, you know, higher-end routing software like pfSense or OPNsense.

Applying NAT to the internal interface would cause any packet sent from any machine on the LAN, such as the malware-infected machine, which is addressed to a specific external public IP, to have its destination IP changed to another host machine on the LAN, the one that's serving as the command and control server. So that packet's source IP would remain unchanged, the IP which would be the IP of the infected machine. So on its way out from the malware-infected machine, the outbound packet crosses the LAN's selective NAT translation, which would give it a local destination LAN IP address.

This would cause the router to send it back out the same LAN interface, now addressed to the command and control server. And since that packet arriving at the command and control server would still be carrying the local source IP of the malware-infected machine, the spoofed command and control server would return its replies directly to the malware-infected server. So it is an elegant solution, and I can't see why it wouldn't work. I haven't tried it, but it's certainly an interesting concept. I replied with this to our network ninja Gino, who sent me a following link referring to this using the term hairpin NAT. So this is a known technique, and you can see a hairpin, right? It's like a bend, it's like it does an immediate one-eighty.

So it's called a hairpin NAT, where you NAT across your local interface, your LAN interface, as opposed to the WAN, in order to perform these sorts of tricks. So very cool. Thank you.

Abhirwa, A-B-H-I-R-W-A, driving his kids to school in Charlotte, North Carolina, wrote: Hi, I've been listening for the past twelve years. Your podcast has been a constant on my drive to work and dropping my kids to and from school.

My kids have grown up listening to your voice, sorry about that, and are more security conscious because of you. So thank you. Yeah, I guess the kids are always on edge now. He said, in your last show, episode 1001, you mentioned Cloudflare Tunnel as an option for accessing home networks.

One main clarification I would like to make, which you did not mention, is that although a Cloudflare Tunnel is simple to set up and use, it does not provide true end-to-end encryption. While it encrypts traffic between your origin server and Cloudflare's network, Cloudflare can decrypt and inspect the data in transit, as it terminates the TLS connection at its edge network, meaning it is not fully encrypted from start to finish. And he says, as we all know, for true end-to-end encryption, an overlay network like Tailscale can be used. For a more detailed comparison...

...he gives a link that I haven't seen before, tailscale.com/compare/cloudflare-access. He says, I looked into Cloudflare Tunnel myself to access my self-hosted Bitwarden running on my home Synology, but I decided to use Tailscale instead for this reason. Love the show. To 2000 and beyond, Leo, which appears to be everyone's new goal for us since we did pass 999 unscathed. So happy. Up with...

...a hand gesture.

He provided a link, which I have in the show notes, to Tailscale's Tailscale-versus-Cloudflare-Tunnel side-by-side feature comparison. And I tend to agree with Abhi's feelings. I think that the best way to think of it is that these two solutions, Cloudflare Tunnel on one hand and an overlay network like Tailscale on the other...

...have some overlap in their capabilities, which allows either one to solve the remote access problem, but they are also very different. Cloudflare Tunnel has a large range of features that go far beyond what's needed for remote access to a user's LAN. It's really aimed at secure remote access to servers. And an overlay network's...

...true, full end-to-end encryption is really what we want for remote network access. And that sort of tips me in its favor. Stephen Lowater reminds us of an even simpler solution, writing: Hey Steve, congrats on hitting one thousand plus episodes. Thanks for all the thoughtful content you have shared.

I wanted to share an observation about remote access to home labs, he said, having tried Cloudflare Tunnels and various VPN clients. For those who don't need the features of an overlay network like Tailscale, WireGuard is worth considering. It offers simple, lightweight layer 3 connectivity, modern elliptic curve ciphers, and straightforward setup.

While Tailscale builds on WireGuard for robust overlay features, a standalone deployment keeps things minimal and widely supported across platforms like Linux, pfSense, and OPNsense. What has kept me using WireGuard, he writes, is how it handles iOS sleep cycles, meaning the WireGuard client on iOS, he said, ensuring apps can reliably access data when waking from sleep. VPNs like OpenVPN, Cloudflare WARP, and IKEv2 often struggle with app-level connection failures because their clients cannot wake up properly in the selective sleep process...

...iOS has, or renegotiate stale connections before a TCP timeout. WireGuard's small kernel footprint and fast connection renegotiation allow you to reconnect on demand without timeouts, he said. I started using WireGuard in 2020 to 2021 while setting up a self-hosted email server.

I needed a reliable way to fetch that mail on my phone while keeping port exposure to a minimum. Since then, it's become a core part of my setup, enabling reliable email fetch cycles, isolated Ubiquiti cameras, and syncing files via Syncthing on my phone. Just thought I'd share in case it helps anyone exploring options. Best.

And he signed off, another Steve, because he's Stephen Lowater. So I'm really glad Steve reminded us of the many benefits of just plain old WireGuard. We originally discussed WireGuard, which was, you know, at the time viewed as a replacement for OpenVPN, which had grown very old and stale, back when they first appeared on the scene about five years ago, in episode 744.

I first talked about WireGuard after meeting and being very impressed by the founders of the Mullvad VPN service and learning that they were already adopting WireGuard. And recall that not long after that, Linus Torvalds incorporated WireGuard natively into the Linux kernel, which is saying something for it, because he would never do that casually. The only downside to running, for example, WireGuard on a pfSense or OPNsense router is that the first thing you need to do is open a static port through the router's WAN interface to the WireGuard service running on the router.

And from then on, that port is open, facing the outside world. And you're relying on WireGuard not to have any critical vulnerability that would allow an authentication bypass. If you're okay with that, then WireGuard is likely the lightest weight and most secure solution available.

And I loved what Stephen shared about its compatibility with iOS. But running with the statically open port, which is never required when using any of the overlay networks, would tend to bend me away from WireGuard, much as I would otherwise love to be able to use it. What I would consider as an option would be adding some sort of port-knocking solution that would allow a remote IP to be authenticated, so that that IP, and that IP only, could then connect to the WireGuard VPN running in the home-based router.

You know, since, for example, an ICMP ping packet can contain plenty of payload, a simple and secure challenge-response mechanism that incorporates the endpoint IP addresses and some crypto would do the trick. You know, and I would write one. I would create it, if only there were more hours in the day, but maybe somebody has or will. Enrico gave his note the subject "EP 989 Backdoor or Incompetence," and he said: Happy one thousand. I'm still a bit behind. I'm listening to episode 989, where you talked about the Chinese RFID badge chip that was found to have a backdoor. We've heard plenty of reports about vulnerabilities found where the manufacturer left some debugging interfaces in.

We've also heard lots of reports about backdoors in products. I'm curious, in general, how does one determine if something is a backdoor or incompetence? How can the researcher infer intent? Perhaps an internal company memo gets leaked that shows it was on purpose. It is still hard to tell if this was mandated by the government, unless top secret government documents get leaked.

Is it just based on the country that manufactured the device and whether they're friendly to the U.S.? I also heard about the guy that has gone back and started listening to your podcast from episode one.

I wanted to do this too. However, I'm already over ten episodes behind, so I'd just fall even further back. I only listen to podcasts while driving.

Maybe I need to plan some long road trips. Okay? So I think Enrico makes a very valid point. Controversy is inherent when attempting to ascribe intent.

The question of the Windows metafile escape, which I talked about last week, is another perfect example. Why was it there? Why had it been faithfully copied and reimplemented through many editions of Windows, even jumping from Windows 3, 95, 98, and ME over to the brand new Windows NT, where it had to be reimplemented? Was all that an accident?

The original intent of its designers has been lost to history, and we will probably never know. And remember, about ten years ago, when Cisco kept discovering hidden backdoor credentials in one appliance after another, month after month? You know, I put "discovering" in quotes because, you know, these are their own systems. How difficult could it be to discover an undocumented login account in software that they wrote and for which they have the source code? They just had to look.

So I guess they just looked, and it's like, oopsy. Anyway, since Cisco is not evil and never was, and since they were confessing over and over to what they kept finding in their own machines, I think, you know, that's a case of poor judgment and changing times. Twenty years ago, just as it may have been acceptable to design an escape hatch into Windows, it may have been acceptable for developers to just kind of lazily leave their development accounts in Cisco appliance firmware. Back then, it may have been no big deal.

But as we've seen, times change, as do our expectations. My feeling is that in nearly all cases, it's just a mistake. For one thing, no clever developer would implement something that was meant to remain a secret by leaving a username and password in the firmware. That's way too obvious.

If someone told any competent developer, okay, not somebody using PHP, I did say competent developer, to design in a backdoor, it would be far more well hidden. For example, it would be necessary to first bounce an ICMP ping packet off the device with a particular payload length.

This would leave an insignificant trace. Then that would be done again with a different specific length, and that pair of events would prime the device to then accept anything originating from the same source IP only, without requiring any authentication, or something like that. My point is, nothing as dumb and obvious as leaving a username and password account burned into the firmware. There are an infinite number of ways to bury a true backdoor in today's insanely complex systems. And there is something that keeps people awake at night, because these things could be really difficult to find.

Yeah, I guess it doesn't... the intent doesn't really matter. It's the fact that it exists. Period.

Right? And I guess the real point is, who else knows about it? Eventually...

...everybody knows everything. Don't think you can hide anything. But really, the...

...truth. Exactly. Okay. David in the U.S. wrote: Hello, Steve. I'm a long time listener but haven't reached out before. I credit you in large part for my career in infosec.

I was unable to get formal education in the field, so I self-taught using resources including your podcast. It's been many years since I started my first job in the field, but I still listen regularly and learn a lot. Thank you for all your efforts.

I'm sure this is an edge case, but regarding your remarks about SOHO routers in Security Now 995, I was recently treated to an experience with a new Nokia (they still exist) SOHO router slash access point.

I changed ISPs, and they provided one for free, with WiFi and access point ready to use. They came out and installed it for me and plugged what they thought was my computer into it.

He says, parens, as if I had only one, haha. He said, after they left, I plugged my entire home infrastructure into their router. As a result of your recommendation some years ago, my main firewall is pfSense running on a Protectli unit, you know, P-R-O-T-E-C-T-L-I, that I mentioned recently.

He said, I didn't bother to reconfigure the new Nokia box for a couple of days because I didn't consider it an important layer of security. However, I finally got around to logging into it and was stunned by what I found. For some unfathomable reason, the firewall was set to light filtering mode. Apparently, it had a short, self-described, non-disruptive block list it was using to blacklist certain things.

However, it was not performing NAT services for the Ethernet. It was in pass-through mode by default, giving my public IP address to my pfSense firewall behind it. There was an option on the Nokia device to enable NAT, but it was disabled.

While I would like to think that perhaps it detected the firewall behind it and switched itself off, I doubt it was that smart. If I was a typical user, whatever I plugged into that Ethernet port would have been immediately exposed to the internet. The WiFi did seem to be using NAT.

So perhaps they thought that was good enough for most users. Okay. So this was really interesting to me. The thing that occurred to me first, after thinking about what David wrote, was that almost no typical internet user today ever plugs anything into their router's wired Ethernet ports. I know that many of us who listen to this podcast do, but we are far from typical internet users. WiFi really has overtaken wired Ethernet, um, and that's the only way I can think to explain what David experienced. You know, everyone uses WiFi, so that was what was set up in order to, you know, share a single...

...IP. Maybe, maybe that Nokia just wants to say, you know, I think you're plugging into a DMZ. And maybe, you know, I wonder if it even says that: if you're going to hook up a web server to this, put it on the Ethernet port, because it'll be DMZ. It is directly connected to the internet, right?

Yeah, as you...

...can tell, not a recommended...

...a recommended solution. Um, I have a couple inches at the bottom of this final page before we switch to today's main topic, so I wanted to answer the many questions I've received from listeners who've taken note of the reMarkable Paper Pro on the bookshelf behind me. You can see it right there over my, my left shoulder. It's right, uh, it's there, I'm pointing at it.

Um, they've wanted to know what I think of it. I very much wanted to love it. But I don't.

I wanted to like this. I don't. I wanted to like its support for color, its slightly higher pixel density, its larger size, and its reputed high stylus tracking rate.

But I don't. Its support for color feels like it's not ready for prime time. The display goes through all sorts of contortions when using color. I mean, it's almost comical.

What the thing has to do, with things flashing and switching back and forth and blinking, is, you know, it's clearly not easy to pull off color, and I don't think it was worth the effort. Also, the darn thing is heavy. I mean, it is really heavy, and its stylus now requires charging, which the reMarkable 2 doesn't. By comparison, its predecessor, the reMarkable 2...

I really love, you know, I do wish I could get the cool cover for the Pro, which much more securely captures the stylus than the one on the reMarkable 2. But at least for the time being, it appears that that cool cover is only available for the Pro. So anyway, to answer everyone's questions, ah, I was hoping I would like the Pro as much as I love my reMarkable 2s. I have a couple of them. But it doesn't really make the grade.

You tried the Amazon Scribe, right?

Yeah. Well, yeah. I, I don't, only because the reMarkable is just, I mean, yeah, I, I don't, I don't do reading on it. I don't read PDFs. I just use it as a replacement for my engineering pad, right? And a soft number two...

...pencil. It's nice to have unlimited graph paper.

Yeah. And I now have, uh, you're able to sync three devices through to a single account, and because I purchased one in the old days, I'm grandfathered into the no-charge cloud connectivity. So if I doodle in one location, when I turn it on in the other, it's synced. Multiple...

...location doodling. What more could anybody...

...I've got everything...

...I want. Yeah. The Advent of Code is coming up in just...

...five days, right?

And that's one where it's very often handy to...

...sketch out big algorithms.

Sketch. Yeah, just to understand. And the Advent of Code is all about text problems. And so to even understand the geometry, some of it you have to draw, because otherwise it's like, yeah, in fact, there were people a couple of years ago cutting up paper and making paper...

...cubes so they can understand the relationships. And it's all those off-by-one problems. You want to make exactly sure, yeah, do you mean greater than or greater than or equal, right? And so I just, I quickly jump to sketching out a little simple example.

I do exactly the same thing.

Yeah, we do all of our...

...we have one more. Would you like...

...to do one more and think about disconnected experiences?

Whatever that is, we'll find out in just a moment why...

...you may want to be disconnected from some...

...of these experiences.

Yes, please.

Here's, you know, you listen to the show, I'm sure, because that gives you... I'm right here. No, no, you do. I can do our final ad. Yes. Yeah.

I was watching the F1 race on Sunday. It was in Las Vegas, and they talked to one of the drivers, a long time F1 driver, and they said, do you ever watch your races? And he said, no, I was in it. I don't need to. I don't need to watch it.

I know what happened. Yes, we don't...

...listen to our own podcast. Yes, we were in them. But I'm talking to you, our dear listeners, our wonderful listeners who listen to this show for information, right? They get intelligence out of it. Governments have intelligence agencies.

Why not companies? Well, now you can, with Flashpoint. This episode of Security Now is brought to you by Flashpoint. For security leaders, this year has been insane.

It's like no other year. Cyber threats matched with physical security concerns, and they're both increasing. And now you've got geopolitical instability adding a new layer of risk and uncertainty. And how important is it for you and for your business to know ahead of time where the threats lie? Let's talk numbers.

Last year, there was a staggering eighty-four percent rise in ransomware attacks, almost doubled, a thirty-four percent jump in data breaches. That should give you chills. Nobody wants a data breach. The result: trillions, trillions with a T, of dollars in financial losses, threats to safety worldwide.

Well, okay, that's where our sponsor Flashpoint comes in. Flashpoint empowers organizations to make those mission-critical decisions that will keep their people and their assets safe. And it does it with information. That's what you need, information.

By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, you get alerts, you get the analytics, and you get it all in one place, a dashboard to the world out there and what's happening. It helps you maximize your existing security investments. Some Flashpoint customers say they avoid half a billion dollars in fraud losses every year and have a four hundred eighty-two percent ROI in six months.

That's probably one of the reasons Flashpoint earned Frost & Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence. Here's an example. A senior vice president of cyber operations at a big, I can't say the name, but you would know, U.S. financial institution, he said, and this is the quote: Flashpoint saves us over eighty million dollars in fraud losses every year. Eighty million dollars.

Their proactive approach and sharp insights are crucial in keeping our financial institution secure. They're not just a solution. They're a strategic partner helping us stay ahead of cyber threats.

Wouldn't you like a partner like that? No wonder Flashpoint is trusted by both mission-critical businesses and even governments worldwide. Not everybody has their own intelligence service.

Well, now you do, with Flashpoint. To access the industry's best threat data and intelligence, visit flashpoint.io today. That's Flashpoint, F-L-A-S-H-P-O-I-N-T, and it's dot I-O.

Okay, flashpoint.io, the best data for the best intelligence. We thank you so much for supporting Security Now. It really is a good match, right? Because we're both in the same business. And we thank you for supporting Security Now by telling them, when they ask...

Yeah, I heard it on Security Now. Yeah, I was on with Steve. Ha. That helps us that way, because, you see, we're seeing the traffic. All right, Steve, you've got to explain the title.

Okay. So, um, the way things are going, it looks like I'll be needing to set up, I guess what I would call a sacrificial lamb. Oh, I'm so sorry. Yeah, running the current, which is to say the latest, Windows. Ah, the last thing I would use for myself would be such a machine, because Microsoft really does appear to be pushing well past the limits of what is acceptable practice for me. You know, Windows Recall was a perfect case in point.

If the industry hadn't pushed back so loudly and quickly, they may have delivered that first disaster. Who knows? But it occurs to me that if this podcast is going to continue to be as relevant as it has been in the past, it's becoming clear that I'm going to need to have a machine that's running what the rest of the unwashed masses are running, which is to say, you know, the latest versions of Windows. There was a time when creating a sacrificial lamb PC meant exposing the machine to the internet without protection.

As we know, the half-life of such a machine is best measured in seconds, uh, and not many of those. But the way the Windows desktop environment has been evolving, today the creation of a sacrificial lamb PC means just exposing a machine to Microsoft.

The need for such a machine became clear when I encountered the news that Microsoft has silently enabled the use of its users' Microsoft Office Word and Excel document content for training its AI models. Rather than being straightforward and calling this something like, I don't know, uh, "about AI training," they obscure it behind the title "Microsoft Connected Experiences." Now, how the hell would anyone ever know that that means they're training AI models? Connected experiences.

And that's my point. This is what Windows has become. At the moment, I'm reporting this blind because I have no way to verify the reporting that I've seen. Uh, at the moment I don't have a Windows 11 machine, and that's going to have to change. Uh, but okay, so here's what we know. In Microsoft documentation for their so-called connected experiences, under the topic "Connected experiences that analyze your content," they write: "Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features."

The key phrases are "analyze your content" and "connected." But connected to what, and where? That appears to mean what they are reporting on this states, which is that the connection is to some AI which is doing the analyzing and being trained against Windows users' Office document data. Now add to this the fact that it's reportedly been enabled by default, because, of course, it has. And I should say, since the show notes went out last night, I have heard back from listeners who found this stuff enabled by default. So this reporting is confirmed, and they turned it off.

Okay, it seems clear that just as a great many people are made uncomfortable by the idea of having Windows Recall suddenly collecting and analyzing everything they do on their computers, some Windows users may not be interested in having Microsoft AI being trained on the content of their otherwise private Word and Excel documents. Um, first, one note on where this connected experiences setting is located, since they clearly want their Windows users to have ready access to this potentially significant privacy setting. So under File in any Office application, you choose Options.

Under Options, go to Trust Center. In the Trust Center, select Trust Center Settings. There, you'll find Privacy Options, which you need to select in order to get to the Privacy Settings. And on the Privacy Settings page, there's a section for Optional Connected Experiences where you should find a checkbox labeled "Turn on optional connected experiences," which all regular users will reportedly find, and a bunch of our listeners have, has been thoughtfully enabled for you.

By default, users whose machines or Microsoft accounts are managed by their organization may not have these options showing, and Microsoft appears to confirm this on their own website, where under the topic "Choose whether these connected experiences are available to use," they write: "You can choose whether certain types of connected experiences, such as connected experiences that download online content, are available to use. How you make that choice depends on whether you signed into Office with a Microsoft account, such as a personal outlook.com email address, or with a work or school account. If you're signed in with a Microsoft account, open an Office app," so just Word, "and go to File, Account, Account Privacy, Manage Settings."

Okay, now note that that is a very different path from what I had first shared from the reporting on this. It turns out, and I've heard from our listeners, both are correct. You can get to the proper setting either way.

And Microsoft's is the shorter path: File, Account, Account Privacy, Manage Settings, although maybe once you get to Manage Settings, then you go to Privacy Settings. Ah, I don't know. Anyway, if you've got it, you'll be able to find it.

And they said, "Under the Connected experiences section, you can choose whether certain types of connected experiences, such as experiences that analyze your content, are available to use. If you don't go to Manage Settings, all connected experiences are available to you." In other words, all your content gets analyzed.

So here it is. Um, what's apparent nowhere is that "connected experiences" is the euphemism for "we're going to share all of your Office documents to train an AI in the cloud in order to make Office smarter for you and, of course, for themselves." So, talking about content retention, they write: "Most connected experiences don't retain your content after performing their function," although I should tell you there's about fifty of them, "to help you accomplish a task, but there are a few exceptions. In those cases, Microsoft retains the content for as long as your account exists and is used to support, personalize, or improve that connected experience."

Now, as I write this, part of me wonders whether I'm just becoming an old curmudgeon. Why not just, you know, enjoy all of the many benefits of having Microsoft watching everything I do on my PC, thus allowing me to scroll back in time and ask questions about things I did in prior years, and sending my document content to the cloud to train their AIs, so that it can provide me with more relevant stories on Edge's home page, more relevant search results in Bing, and more relevant advertising on my Windows Start menu?

And of course, I'm not being facetious when I say that many Windows users might actually want all of that. I get it. You know, just as many may enjoy having Candy Crush Soda Saga or whatever all that tile nonsense is under Windows 10, along with Xbox crap that refuses to be removed. I've never owned an Xbox, but it has taken up residence on my Start menu.

Nevertheless, it seems clear that an alternative view of Windows is apparently an all-encompassing, deeply connected entertainment portal that also has some productivity applications. And really, that's fine. It's just not for me. I mentioned a while back the eventual move I would make to Windows 10 when I finally decided to retire this Windows 7 machine that still works great. I was briefly thinking that a server edition might allow me to avoid all of this commercial crap.

Before I remembered that I had tried that years ago, when I wanted my machine to be running the identical code as GRC's servers, but I had encountered many instances of desktop software refusing to install on server editions. Some of our listeners have since suggested that I take a look at the Enterprise editions of Windows 10, explaining that unlike even the Professional editions, the Enterprise editions are also free of Xbox and other unwanted nonsense. As I was digging around the Microsoft documentation, I was encountering all of the places where Microsoft has been and is installing AI.

Microsoft is essentially AI-izing every nook and cranny of Windows 11 and their Office suite. I have no doubt that a memo went out a year or two ago stating that AI was coming and that it was the future, and that once it had arrived, it was here to stay. Therefore, every single Microsoft product manager and product planning team within Microsoft was hereby being tasked with figuring out anything and everything that adding AI to their offerings could do, and then to get going on implementing all of that immediately.

Well, what that will turn Windows into, I have no idea. I know that it won't be any machine that I'm sitting in front of while I produce these weekly Security Now podcasts, nor while I'm working on code for the DNS Benchmark, the Beyond Recall product, or SpinRite 7, 8, and 9 and beyond. But it's also clear that I need to stay in touch with the frontier, or as many have called it, the bleeding edge. For now, I want to be certain that those listeners of ours, and I know there are many of them, who may also dislike the idea of Microsoft sharing their Office content with their AIs in the cloud, while acknowledging that this is being done by default and that in many cases the data is being retained indefinitely, will at least be informed of this new behavior. I would like them to know that they have the option of deliberately disconnecting their Windows experiences from Microsoft.

Before we move on, because I know you want to finish this up, but it's not, I think you're implying that this is being used for training LLMs for other people to use. I don't think that's what this is. No, this is asking permission, just as a spell checker does, to use your own data.

Right, so that they can... So a spell...

...checker tells you where you've misspelled a word. In order to do that, it needs to actually look at the words you're typing. A grammar checker needs to look at the words you're typing. I believe that's what this is doing.

This comes back to your original assessment of AI, right? It's just a spell checker.

Well, yeah. I mean, so what Microsoft's offering you with these things is, you're designing a PowerPoint... It's kind of Clippy on steroids. You're designing a PowerPoint deck. Hey, you know, I, I see what you're trying to do here.

Would you like this image? It's that kind of thing. We'll have to check on this. I don't think it's sending it to their, you know... A lot of content is LinkedIn content being sent to train.

And the New York Times has been suing because they say OpenAI used it to train LLMs. I don't think that's what this is. I'll have to check in more...

...detail about how much retention of the data. They say...

...they'll retain it because that information you've provided, just like a cookie, might be useful down the road.

Well, all of your previous documents have been used to train an AI model that they maintain, I guess. Yeah, but it's...

...but the real question is, is that AI model going to be used by others, which I don't think this is, because that would immediately be a problem in all businesses, or is it an AI model that you will then be able to use for yourself?

Yeah, probably we need to look at the terms of service and, like, actually read the fine print.

I'll ask Paul and Rich tomorrow, but my sense is it's not, you know, going to send it out to their own LLM servers and train their own servers. That would actually trade your own data. It is, it is basically for your use, just as a spell checker or grammar checker is for your use.

Well, they're retaining something, and they're saying that they're retaining. So it is being sent to them. Yeah...

...after performing... they don't... there are... "after performing their function to help you accomplish the task, but there are a few exceptions. They retain your content for as long as your account exists," implying that it's attached to your account, right? "And it's used to support, personalize, or improve that connected experience."

Your experience? No. Right, right? Not for other people. But, but I will check into that, because I think there's an important distinction.

It's like Clippy. Clippy back in the day would have asked the same permissions. Hey, I'd like to keep track of everything you're doing so I can offer you suggestions. It's like that, except it's on steroids. Right, right.

And anyway, I'm done. I just wanted to wish all of our listeners who celebrate Thanksgiving, and I know Leo and all of the TWiT crew join me in wishing everyone the best holiday and, you know, with this particular opportunity to spend time, which is precious, with your family and friends...

...and not argue about things. And it...

...we'll be back in December...

...for more. And until then... Thanks. You have a great Thanksgiving. All our love and best wishes to you and Lorrie, and have a great time. And we will see you in December.

Yes, only a week away. Next...

...concerned about that, we'll see you next week. Thank you, Steve. You can watch Security Now. We do it live every Tuesday, right after MacBreak Weekly.

That's roughly 1:30 p.m. Pacific, 4:30 p.m. Eastern, 21:30 UTC. We stream live on, yes, eight different channels. Now, our Club TWiT members can watch and chat along with us in the Discord.

But there's also a YouTube channel dedicated to TWiT Live. That's youtube.com/twit/live. You can chat there too. We have chat there too, as we do on x.com, as we do on facebook.com. We stream live and you can chat with us live there. I see TikTok occasionally, TikTok commenting coming through, kick.com.

All of these have chats associated with the video, and I have a unified chat so that I can see all of it. Um, have I left anybody out? TikTok, X, Kick, Facebook, LinkedIn, YouTube, or twitch.tv. I left them out. You can also chat.

That's if you're watching live. Now, most people don't watch live. They like to watch after the fact. That's why we put copies of the show on our website, twit.tv/sn.

We have audio and video. Steve also has the show on his website, GRC.com. He has an unusual version, a quarter-bandwidth, 16 kilobit version for the bandwidth-impaired.

He also has human-written transcripts of very good quality. Elaine does those, so you can read along as you listen, or, as Steve talked about last week, you can use it to search. And he has the 64 kilobit audio. That's all at GRC.com. While you're there, check out SpinRite version 6.1, the world's best mass storage performance enhancer, recovery utility, and maintenance utility. He has all of that.

And if you have an earlier copy, you can get 6.1 for free. If you don't, get it now, because if you've got mass storage, you need SpinRite. Lots of other free stuff at the site, including ShieldsUP, which is a great way to test your router. Um, I really love his new ValiDrive, which tests USB thumb drives that you buy on Amazon to make sure they actually have the storage capacity that is claimed. Surprisingly often they do not. ValiDrive will do that. That's absolutely free, plus lots of other freebies.

Fun information. Steve's site's really great, grc.com. One more thing on our site.

Actually, two more things. One is we're doing the Best Of, Anthony, for the show. I think we are, for the holidays. Yes, we are.

So if you have a moment on this show from 2024 that you thought, we've got to redo that, we're looking for little clips to put in our year-end Best Of Security Now.

All you have to do is go to the website, twit.tv/bestof. Give us as much information as you know, but don't get, don't get thrown by the form, because we're asking for everything. But you don't have to give us everything. Even just say, hey, that time when Steve and Leo did the Vulcan salute, I remember that, it was great. Even that's a good start.

If you remember the day, the time of year, the climate, whatever, help us do the Best Of. It's a lot of work, but our team likes to put those together. Or, well, we don't know if they like it. We make them put those together at the end of every year so we can give the staff the holidays off. Help us do that. The other thing I'd like you to do: go to our Club TWiT page, twit.tv/clubtwit.

There are some new things in Club TWiT. If you're not a member, we now offer a two-week free trial, which is a great way to see what you get for your seven dollars a month. You can also, when you sign up, you'll be getting a code that is a referral code, and every single person who signs up using your code gives you... every month.

Do they get anything? They get, like, a discount, anything for using your code? Hey, it doesn't matter.

They get the excitement, the thrill, the satisfaction, the deep-rooted satisfaction of knowing they're a member of Club TWiT, the best podcast network in the world. Seven bucks a month gets you ad-free versions of all the shows, extra content we don't put anywhere else.

Cries from my cat down the hall. Actually, everybody gets that. Please join the club. It helps us financially.

So it looks like 2025 is going to be even rockier than 2024 was. The good news is the club now pays about half of our payroll, which is fantastic. Thank you.

Help us out: twit.tv/clubtwit. Seven bucks a month is worth it for the great content, right? Thanks, Anthony. Anthony Nielsen is filling in today for Benito Gonzalez, who is taking some time off for the holidays. Appreciate your work, Anthony. Thanks to everybody for joining us, and I hope you will tune in next time, next week, for Security Now. Oh...

...I... Security Now.