It's time for Security Now. Steve Gibson is here. He's in love with these Chinese cranes that they use at container ports.
But he says there is a problem. Currently there is a Chinese back door. Oh, no.
We'll also talk about the Nearest Neighbor attack, and a warning about a new feature of Microsoft Windows they call Connected Experiences. Steve says it's a recipe for disaster. All of that and more coming up next on Security Now.
Podcasts you love from people you trust.
This is Security Now with Steve Gibson, episode 1002, recorded Tuesday, November 26, 2024.
Disconnected Experiences. It's time for Security Now, the show where we talk about your security, your privacy, how the Internet works,
how computers work, a little bit of science thrown in, maybe some vitamin D, and all because of this guy, the man in charge, our very own Steve Gibson. Hi, Steve.
Hello. You know what, when you're... I think so.
You're leaning back.
And I get kind of a nice, like, that's right, a little double
shift effect there. I learned that from a dell. It's so funny, because I realized now, we'd had a photo meetup in New York City a couple of months ago, September, and I would look back at the pictures and there were a bunch of people doing the Live Long and Prosper sign. And I realized that has become not just the Security Now thing, but everybody.
Now it's, it's... it's a TWiT hand sign. That's very cool.
Thanks to you. Good. What's going on? Not everybody can do it. No, I know, I know. Didn't they have to tape, uh, Leonard Nimoy's fingers, because he in fact could not do it? Anything, and they had it. I believe there's an anecdote of how, when they first... he was the guy who came up with it, but he couldn't do it. Maybe that, maybe it was somebody else who couldn't do it. But, yeah, anyway, I go so that, as...
I was saying to you before we began recording, every time I look at these four-digit episode numbers, I think, wow. I mean, that really doesn't... Mike and... what an accomplishment
that is. You should be very proud.
Yeah, well, we're at one, two, one, one, two... one thousand and two.
See, there is a problem right there. Yeah, his brain can only do three digits.
At one thousand and two. And the software didn't collapse. I did spend some time updating GRC's system so that it also would not freak out when four digits were presented to it. And that experience was smooth. Uh, emailing continues to go well.
13,219 subscribers received the show notes, the Picture of the Week, uh, various links and things yesterday evening, so, uh, that's turned out great. And we're going to have lots of feedback, because there was also lots of news. Um, but my discussion of what I titled Disconnected Experiences wasn't half of the podcast, as some of our main topics have been in the past. I have something like 3,800 pieces of feedback from our listeners. So I have plenty to choose from.
I feel a little bit badly that I'm getting so much feedback that I can't even begin to put a dent in it. But, thank you, everybody, for sending me your thoughts. And as I said, the quality of the feedback has a very different flavor since we were able to switch to email and people didn't have to try to squeeze something into 280 characters. So, big benefit. Um, we're going to talk about, at the end of this, something that Microsoft calls their Connected Experiences, which is an interesting turn of phrase. We'll understand what it is, why they sort of slipped it in under the covers, and why it may not be what everyone wants, and if so, how you can turn that off, thus disconnecting your experience from Microsoft.
And it's not what that sounds like either, because, I mean, it's not all that. But we're first going to talk about something known... actually, this was probably the most-sent-to-me topic for the show, and it happens that it's what I had chosen myself already by the time I saw that: uh, the Nearest Neighbor attack. Uh, and wow, it just sort of goes to show you how clever bad guys can be, whether we like it or not. We also have Let's Encrypt just turning ten.
We're going to take a little bit of a retrospective look at the changes that it has brought. Also, now the Coast Guard is worried about Chinese-built ship-to-shore cranes.
Turns out 80 percent of the big cranes that we use for offloading, uh, containers, uh, are made by China. And what could possibly go wrong there? Uh, also, Pakistan becomes the first country to block Bluesky.
Going to talk about that. There is also a new way to get GitHub repos swatted and removed. I know, again, it's just incredible how clever bad guys can be.
Um, who's to blame for Palo Alto Networks' serious new zero-day vulnerabilities? And if you have any of six specific older D-Link VPN routers, the advice would be to unplug them immediately. We'll see why. It turns out that, speaking of VPNs, they are against the law.
So say some legislators in Pakistan. So we'll touch on that. Also, we have the return of Windows Recall.
Uh, what are we learning from that? And how many of today's systems remain vulnerable to last year's most popularly exploited? So after sharing, then, a bunch of feedback from our listeners, we're going to talk about disconnecting your experiences from Microsoft. So I think another interesting podcast for our pre-Thanksgiving listeners.
Yeah, Shatner, according to a patch geller handy, is unable to do the salute. So they would have to push his fingers into position. And then, right, he would hold it up behind.
And did he actually do it often? Or obviously, Spock was the original. It was a Vulcan hand sign.
It was a Jewish hand sign, a shin. Ah, that meant roughly... it was a Jewish benediction, and it wasn't in the script, but Nimoy thought, well, you know, and then he asked the director, is that okay if I do this? And the director said that would work very well, and it became, of course, a trademark. Shatner joked that it took years of diligent practice and self-denial for him to be... he was on Conan... to do it, to be able to do it, because he could not, could not do the Live Long.
And there are people who can't. The best man, uh, at my wedding was unable to do it.
You had this at your wedding?
Of course. At what point did you do the Live Long and Prosper?
Was this instead of kissing the bride?
Gary got up for the best man's toast and said, you know, he was holding the microphone, he said, yeah, now Gibson made me promise that I would not do anything too embarrassing. Oh. So I'm just going to say... And then he held his hand up and said, live long...
And that's beautiful.
But he had two, he had two orthodontic rubber bands around his fingers, because he also was unable to do that.
I can, with my lifetime... I can only do it with the right.
Without some assistance.
Yeah, you didn't like this, that effect, but I will play one... prosper, and continue on now.
So thank Gary for keeping his toast quite quick and to the point.
It's a perfect toast. It says it all. Yes, yes. All right. We're going to get to the Picture of the Week in just a moment. But first, a word from our first sponsor, Mr. Gibson. Today it's Experts Exchange.
You listen to this show because you've got a real live expert who talks about the things you care about the most on the show. Well, imagine having that kind of expertise available to you anytime, day or night. That's what Experts Exchange has been doing for, I think it's almost twenty years now. I know I started using them early on when I needed an answer and I couldn't find it anywhere else. That's what Experts Exchange is: the network of trustworthy and talented tech professionals.
You can go to them to get industry insights, to get advice. And it's not just advice from some stranger on the street, it's from somebody who's actually using the products in your stack. It sure beats paying for expensive enterprise-level tech support, as does the tech community.
For people tired of the AI sellout, Experts Exchange is ready to help carry the fight for the future of human intelligence. Then you might say, well, there's got to be a future. But remember, AI has started to creep into all of these, you know, intelligence things, these questions-and-answers sites.
It's using the answers humans give on these sites, scraping them and then adding it to their own LLM body of knowledge. Not at Experts Exchange. Experts Exchange is about human intelligence.
Experts Exchange gives you access to professionals in over 400 different fields. We're talking coding, Microsoft Azure, AWS, DevOps, and more. And unlike some of these other places, there's no snark.
Duplicate questions are encouraged. There are no dumb questions. You don't get the snarky, oh, well, I wouldn't do it that way kind of an answer. You get real help, because the contributors are serious tech enthusiasts who love graciously answering all questions.
In fact, I would go a step further and say these are experts who believe that the best thing that can happen, the best way to celebrate your expertise, is to graciously share it with others, tell other people, to pay it forward. That's what Experts Exchange is all about. So let's talk a little bit about it.
One member said, I've never had ChatGPT stop and ask me a question before, but that happens on EE all the time. It's a dialogue. It's a conversation.
Experts Exchange is proudly committed to fostering a community where human collaboration is fundamental. Their experts directory is full of experts to help you find what you need. One of them, listening right now, Rodney.
Hello, Rodney Barnhardt, a VMware expert and a Security Now fan. There are people like Edward van Biljon. Maybe you've seen Edward's YouTube videos. He's a Microsoft MVP and an ethical hacker who really knows his stuff. He's on Experts Exchange. Plus, there's good design professionals, executive IT directors. Yes, you can get management questions answered, and a lot more. But here's the most important thing.
Other platforms betray their contributors by selling the content on the platform to train AI models. LinkedIn does it, they just announced. Reddit does it. So many sites do it. But you know that at Experts Exchange, your privacy is not for sale.
They stand against the betrayal of contributors worldwide, and they have never and will never sell your data, your content, your likeness. They block and strictly prohibit AI companies from scraping content from their sites to train their LLMs. And the moderators at Experts Exchange strictly forbid direct use of LLM
content in their threads. Really, it's humans talking to humans. And that's the best kind of expertise, the best kind of conversation.
Experts deserve a place where they can confidently share their knowledge without worrying about some company stealing it to increase shareholder value. Humanity deserves a safe haven from AI. And you, you deserve answers, real answers, useful answers to your questions.
Now, they are so confident you're going to appreciate Experts Exchange and love it and get value out of it, they're offering you ninety days free, no credit card required, just three months free to try it out. So at the very least, I want you to go to e-e.com/twit, sign up.
You don't have to give a credit card. Try it for three months. If you don't get anything out of it, no harm, no foul. But I have a feeling you're going to really appreciate the community that Experts Exchange has built. Really amazing. e-e.com/twit,
the tech Q&A for people tired of the AI sellout. Real humans with real answers to real questions.
Thank you, Experts Exchange, for supporting this real human, Steve Gibson, in his never-ending quest to make the world a safer place. And I have the picture of the... actually, I'll look at it.
Yeah, I'm going to scroll up here. I gave this the caption, What's Wrong With This Picture? Oh, I love it. I do. Okay. So for those who aren't seeing it, uh, we have, um, the entry to a facility where there's a big staircase sort of front and center in the middle, and you can imagine the parking lot is on a lower level. So these stairs are leading up to the entrance to the facility.
And to make things easier for the people who wish to come and go, at the extremes, the far left and the far right of the staircase, are escalators. One, you know, an up escalator, the other the down escalator, which would all be fine. But the sort of non sequitur of this whole thing is that the facility is 24 Hour Fitness, and nobody's on the stairs, and the people are taking the escalator.
I have to go to the StairMaster.
I can just... so, and of course, the show notes went out, uh, yesterday evening, and so I've already had feedback saying, how do you know they're not going up the down escalator, which is actually giving them exercise rather than the stairs would? And there is that. Or what about for people who are there for physical therapy? You know, PT. And so they're not able to climb the stairs.
They know they need to be gentle on the... ah, yes, of course, thank you very much to all those alternative possibilities. Anyway, it's always... I think we showed this once before. I know I've seen that before, and I just always get a kick out of just sort of the, like, okay, we're going to 24 Hour Fitness, but we're not ready to start working out just yet. We're going to take the escalator up rather than taking the stairs.
Well, it's the equivalent of searching for the closest
parking space, too. In fact, yes, somebody also wrote to me using exactly that analogy, how many times, in fact, at his gym he's seen people circling, waiting to get the close parking place rather than walking
from experts and they're are just work.
You know, okay. So, uh, wow. Last Friday, on the 22nd, the security firm, um, Volexity published the details of a somewhat astonishing and successful attack, being several years old, predating Russia's invasion of Ukraine. This story is not about a threat any of us will ever face, at least almost certainly not.
But I wanted to share it, since it presents a perfect example of my porosity theory of security, where the security of today's systems is best viewed as being porous to varying degrees. I like this model of a porous system, which I think fits best, because while the amount of effort an attacker may need to exert to obtain access to any specific system may vary, most systems can... or, yeah, I'm... and look at systems in the broadest sense. Most systems can ultimately be reached by a sufficiently motivated and determined attacker.
Okay, now that might mean, you know, arranging to install a subverted employee into the organization. You're right, right. Playing the long game. Or it might mean, you know, subjecting employees to phishing attacks of increasing complexity until you finally make that happen.
The point is, our systems are not infinitely secure. They're, you know, kind of secure. The "kind of" varies. So the term absolute security is more of a concept than a reality today.
Okay. So here's how Volexity opened their disclosure of this astonishing attack, which they're now able to talk about. They wrote: In early February of 2022, notably just ahead of the Russian invasion of Ukraine (and that ends up being significant, as we'll see), Volexity made a discovery that led to one of the most fascinating and complex incident investigations we'd ever worked.
The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (and they said, I will refer to them as Organization A, because they're still going to be anonymous even today) indicated a threat actor had compromised a server on that customer's network. They said, while Volexity quickly investigated the threat activity, more questions were raised than answers, due to a
very motivated and skilled advanced persistent threat, you know, APT, actor who was using a novel attack vector Volexity had not previously encountered. At the end of the investigation, Volexity would tie the breach to a Russian threat actor it tracks as GruesomeLarch, publicly known by many names. It is best known, I'd say, as APT28.
There's also Forest Blizzard, Sofacy, Fancy Bear, among other names. In other words, the Russians. They said Volexity further determined that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on, and projects actively involving, Ukraine.
Okay, so what did Volexity's investigation uncover? Strange as it might at first seem, despite being thousands of miles away in Russia, this well-known APT28 group of Russian state-sponsored actors breached an unnamed U.
S. company, this Organization A, by gaining access through its enterprise WiFi network. But wait, they were thousands of miles away in Russia. How's that possible? If I told you that the attack had been dubbed the Nearest Neighbor attack, you'd start to get the idea. That's right.
APT28 pivoted to their ultimate target after first compromising an organization in a nearby building that was in WiFi range of their target. APT28 has this level of expertise. They're part of Russia's military Unit 26165 in the General Staff Main Intelligence Directorate, the GRU. And they're known to have been conducting offensive cyber operations dating as far back as 2004.
So for the past twenty years. APT28 initially obtained the credentials to the target's enterprise WiFi network through password spraying attacks targeting a victim's public-facing service, but the presence of multi-factor authentication prevented the use of those credentials over the public web. So they couldn't use the web, although connecting through the enterprise WiFi did not require multi-factor authentication. As Volexity phrased it, quote, being thousands of miles away and an ocean apart from the victim presented a problem, so the hackers got creative and started looking at organizations in buildings nearby that could serve as a pivot to the target's wireless network. The idea was to compromise another organization and search its network for a wired-accessible device containing a wireless adapter.
So a dual-homed, both wired and wireless, such a device, whether it be a laptop, a router, or an access point, would theoretically allow the hackers to use its wireless adapter to connect to the target's, the Organization A, that targeted organization's enterprise WiFi. Volexity writes, they said: Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an Internet-facing service.
However, it was not clear where the attacker was physically that allowed them to connect to the enterprise WiFi to begin with. Further analysis of data available from Organization A's wireless controller showed which specific wireless access points the attacker was connecting to. After overlaying them on a map, a physical map that had a layout of the building and specific floors, Volexity could see the attacker was connecting to the same three wireless access points that were in a conference room at the far end of the building, near windows along the street. This gave Volexity the first evidence that, as they put it, quote, the call was not coming from inside the building, unquote. Could this be an attacker conducting a close access operation from the street outside? Nothing was ruled out, but Volexity was not too far off from discovering the real answer.
Okay. So what they discovered was that APT28 had compromised multiple organizations as part of this attack. They daisy-chained their connection using valid access credentials. Ultimately, they gained access to a device containing a WiFi radio that was able to connect to those three access points near the windows of the victim's conference room.
Then, using a Remote Desktop connection, you know, RDP, from an unprivileged account, the threat actor was able to move laterally within the target network to search for systems of interest and to exfiltrate the data which had been their target all along. The attackers generally used living-off-the-land techniques, as they are now referred to, which rely mostly on already-present native Windows tools in order to minimize their footprint and thus reduce the chance of being detected. And one of the things that has happened in Windows through the years is the number of already-present built-in utilities.
You just don't even realize they're there. They've really expanded. So for attackers who have a full knowledge of just how much available utility is in Windows for them to repurpose, um, there's a lot they're able to use. Even with all their research, Volexity was working from forensic data and was unable to trace the attacks back to the original attackers. Attribution at that point was still impossible, but a Microsoft report just this last April provided them with the missing clues.
Volexity saw clear overlap in indicators of compromise, as we call them, IOCs, that clearly matched and pointed to the Russian advanced persistent threat group. Based on details in Microsoft's report, it's very likely that APT28 was able to escalate privileges before running critical payloads by exploiting a zero-day vulnerability back in 2022, CVE-2022-38028, that existed in the Windows Print Spooler service. Remember, we talked about that a lot a couple of years ago. Within the victim's network. So the unsettling
takeaway from this is that close access operations, as they're known, that typically require proximity to the target, such as from an adjacent parking lot, as is sometimes used, can also be conducted from great distances by compromising something nearby, you know, that makes an otherwise impossible attack possible. Um, and it has the benefit of eliminating all the risk to the attacker of being physically identified and caught on site. Nobody can get them. The other, and this is the most significant takeaway, I think, for our listeners, is that everything should be logged. The mantra should be: log everything.
It's crucial to appreciate that it is inherently impossible to know which logs will be needed after the fact, and nothing brings an investigation to a grinding halt more quickly than running up against the, oh, we don't have logs of that. Today's storage is so inexpensive that it is no longer a factor. Logs don't take up much space.
They contain so much redundant information and formatting, which is repetitive, that they compress down to nothing, and they serve as a form of time machine that later allows forensics investigators to venture far back into the past, to view what happened when and to retrace the previously unseen footsteps of unknown network users. And logs are not only useful for tracking Russians. Large corporations cannot be certain about the changing motivations and loyalties of their own employees. So an IT culture of logging, and letting it be widely known within the enterprise that everything within an organization is being logged, is a bit like planting a sign on the front lawn to let would-be burglars know that the premises is being monitored by such-and-such a company. It could be an ounce of prevention.
It reminds me of the warning that I always get when I do a sudo, and I type the administrator password, and then it says, you... or give the wrong name, it says, you are not allowed to do this. Your presence will be logged. Back in the day they knew this stuff, you know.
The other lesson, though, is also important, which is that we are not operating on our own, that we are in a community, and our security impacts other people's security, right? Yeah, this is not just our machine that we're securing or not securing. We could be a vulnerability happening to our neighbor.
Yeah, well, and in fact, you know, oftentimes now you go and look at the available WiFi access points within range. It's astonishing.
It really is, yes.
We're living
in the community, and yeah, we all have a responsibility.
It is the case that one WiFi network is able to see another one, and if the hackers are good, they can get near you and then use that WiFi link to jump across the air gap. So, wow, the world we live in today. Okay. Let's Encrypt has turned ten. Leo, you and I have been here the entire time. Yep, watching it
happen.
Yeah. Last Tuesday was the tenth anniversary of Let's Encrypt, and its statistics page shows that its certificates are now being used to encrypt the connections of, get this, 500 million domains. Half a billion domains.
Wow. And the rate of certificate issuance, I have that chart and the rate of certificate issuance, both in the show notes, for anyone who is interested. The rate of certificate issuance tells the story. This shows that the number of certificates issued per day has now touched six million. Now that's, of course, because these certificates are short-lived, right? They're ninety days. So that's one of the things that Let's Encrypt has been able to do, is to reduce certificate life by automating the process.
Twenty years ago, when we began this podcast, most websites used unencrypted and unauthenticated HTTP. Those sites which needed to obtain private and confidential information from their users, even if it was only their username and password to log in, would typically switch to an HTTPS connection only during the transmission of that information, and then switch back.
We later learned the problem with that, because during that secure negotiation, username and password, the browser would be given a cookie. But then when the browser switched back to HTTP, non-secured, non-encrypted connections, that cookie would be transmitted in the clear, which we had a lot of fun with under the name Firesheep, which was a means of very easily capturing that credential from an unsecured WiFi network and immediately impersonating a logged-in user. The good news is those days are gone.
Um, but as the world began to grow ever more dependent upon the Internet for everything, it became clear that this original trust-by-default model was not going to take us where we needed to go in the future. The industry needed a future where the privacy provided by encryption could be available to everyone, not just those who were willing to pay to purchase a certificate. Because the trouble was that encryption required certificates, and certificate authorities had made a lucrative business out of verifying the identity of website owners and signing their certificates, which attested to that verification having been performed. And since performing this verification did require significant work, certificates carrying those attestations were not free.
The ISRG, the Internet Security Research Group, was formed to solve this problem. Two engineers from Mozilla, a guy from the EFF, and one from the University of Michigan incorporated the ISRG and set about solving the problem.
The group decided that the inherently expensive and scaling-resistant verification of domain ownership could simply be bypassed in favor of reducing the test to anonymous domain control. And if that was done, web and DNS servers would be able to verify the domains they were serving, and the entire process of certificate issuance and maintenance could be automated. Thus the ACME, Automated Certificate Management Environment, protocol was born. And today, half a billion domains later,
by any measure, this has been a huge success. Thanks to Let's Encrypt, any website that wishes can now have every connection encrypted for privacy for free. Um, have Let's Encrypt certificates
been abused? Of course they have. That's what happens on the Internet when anything is free. Look at email spam and today's social media.
You know, it's abuse, fancy. Both are, in other... catastrophes. Both are free. But this was not the problem Let's Encrypt was trying to solve or prevent.
Their clearly stated goal was to offer equal-opportunity privacy through encryption for all. Bad guys and phishing sites were every bit as welcome to have Let's Encrypt certificates as anyone else. At least the communications of the people they were scamming would now also be private and encrypted.
And that really was all that the ISRG intended to provide. So, ten years, and thanks to these guys, you know, as we've seen, we had a pie chart, remember, a couple of months ago, that showed they've just taken over. Yeah, yeah.
Why, everybody uses them. Yes, we did. Just... Patrick Delahanty has sent me the link. This is our episode, almost exactly ten years ago, of November 25th, 2014, where you introduced Let's Encrypt to the world. Security
Now 483. And Grace and Petty, who is very sharp-eyed, pointed out that you had, at the time, three PDPs. I'll do... what happened to the other one?
Maybe I moved them up. There is one, okay,
above. The angle of the shot changed. That's all, Grace. And it's, everything is... no, no PDPs have died in the making of this program.
Okay, Leo, let's take a break. Then we're going to talk about, oh, the latest concern of stuff coming from China, and a bit of a sticky wicket in this case. And oh, I want one of these cranes. Hey, wait 'til you see.
I have a picture. What would you do with the crane, Steve?
Hey, wait 'til you see, you just...
Take your... upload your hard drives
or so? I don't...
Well, if you lived in a container, you could use the crane to move your house around every once in a while. That's true. There you go, that would work well. All right, we'll come right back.
I want to find out about these hackable cranes. But first, a word from our sponsor, Bitwarden. And if you listen to this show, you know without any question in your mind that you need to have a password manager.
Unfortunately, there are lots of places... I don't know, maybe your business does not yet have a password manager, maybe your friends and family. In fact, this would be a great thing to talk about around the turkey.
So on Thursday: Bitwarden, the only password manager I recommend and trust because it's open source. It is also trusted by thousands of businesses. Yes, they have a business plan.
Of course, what Bitwarden does, you know perfectly well, is generate and autofill strong, unique logins. You don't have to remember them, so you don't have to make them easy to remember. And that means they're harder to crack.
Bitwarden takes care of all of that. But the important word in there is autofill. And I think we don't maybe emphasize it enough. If you're using the Bitwarden extension and you go to a site and you fill in the password, Bitwarden's protecting you in more ways than you might know.
For instance, it will not autofill the password on a spoofed site. If you go to T-V-V-I-T-T-E-R dot com, it's not going to fill in your twitter.com password, right? Actually, that made a problem for me.
When they changed the name to x.com, I had to change my entry to x.com. But that is a great thing. It means autofill only works on the legitimate sites. And autofill's not just for passwords.
It's also for credit cards, for identities. It's even for passkeys, and that is really nice to have that in the inline autofill menu, so you don't leave the page. And it will also protect you if it's not the page you think it is. Bitwarden is really great for business.
It works with all the tools you already use. They continue to expand their integration ecosystem across key platforms to support seamless operations and elevated security. They just, this is so cool, they just integrated with Microsoft Intune.
You know, Intune is their, is their user service to keep your Windows machine safe? Now with Bitwarden in Intune, it enhances device security and user identity management. It enables secure Bitwarden deployment on any Intune-managed endpoint.
That's great for the IT department, including desktops and mobile devices. The HR tool Rippling simplifies employee onboarding and offboarding by integrating with Bitwarden, which means the IT team can assign and revoke access as employees join or leave. It's built in. Here's another one: Vanta, a long-time sponsor here.
Vanta combines Vanta compliance audit reporting with secure password management, which helps your organization meet SOC 2 and ISO 27001 and other standards. Rapid7 ensures improved threat detection and response by, oh, this is so clever, correlating credential usage with security events. You were talking about logging earlier, Steve.
Automatic logging, right? That lets you know, hey, you had a security event, and look who was logged in where. This really helps you strengthen your proactive monitoring and your intelligence for enterprise security teams. And it's automatic.
But those are just a few of the many, many integrations Bitwarden can do in your business. These integrations increase flexibility, centralize security management across existing technology stacks and employee devices, and it helps you maintain control over sensitive information. I think it's really... we talk about Bitwarden a lot as being a great tool for individuals.
And this is free forever for individuals, which is great. It's open source. But it's really important to remember that Bitwarden has a great enterprise story as well. Bitwarden users can seamlessly connect tools for IT management, for compliance, for security, which helps you improve and standardize the deployment of enterprise credential management throughout your organization.
It's not just saying to your employees, here, this is our password manager, use it. It's so much more than that. Your business deserves a cost-effective solution that can dramatically improve its chances of staying safe online. And that's Bitwarden.
It's easy to set IT up. They support importing for most password management solutions. So I should just take a few minutes.
And of course, I emphasize this, I think is so important. Any crypto tool should be open source so that you are expert, can verify there are no back doors. IT does what he says IT, as is using good, strong encysted.
It's not using out of date technologies in all of that bit. Warden is open source. As we talked about last week.
It's or maybe was two years ago, it's gpl. It's true open source IT can be inspected by anyone. So right? They aren't get hub and they regularly get audited by third party experts.
But even more importantly, they publish the results of those audits without fear of favor. They guarantee they're going to put them online. So you know, you're always using a password manager you can trust. I go on and on. I'm a big fan, as you can tell, and maybe a little bit of a bit word and there d get started to day with bit word's free trial of a teams or enterprise plan.
And if you're an individual or you're sitting across the the table at thanksgiving with a member of your family says, oh no, I know we're about passwords and you see my Kitty cats name and my birthday and my mother's made name, and i'm so clever about how I smushed those together. No one i'll ever get that you need to tell them about bit warden. And if they say, well, I want to pay for a password manager, you tell him, bit warden is free for individuals forever.
Bit world that come slashed. Twitter, now I happened to pay ten dollars a year. Ten dollars a year for the premium planets.
Did I want to support them? But you don't have to and if in a functional joe says I don't want to pay for you, don't hey, don't worry, joe, it's free. And and leo says, is the best bit warden that come slash to IT. We thank so much for supporting the fine work Steve does to protect you and uncle joe on security. Now, Steve?
Okay. So last Wednesday's report in GovInfoSecurity was titled "Coast Guard Warns of Continued Risks in Chinese Port Cranes." It becomes an issue, actually, when it's accompanied by the news,
get this, Leo: eighty percent of all heavy-lift gantry cranes used to load and unload container ships at American ports were manufactured by a single company, ZPMC, a state-owned company in China. Eighty percent of these cranes. And I know why. Oh my god, they are just the most lovely things you've ever seen.
They're good. This is the problem. They're the best in the business.
Right? Like the DJI drones, which are the best drones there are, right? Right? Yes.
So, okay. The report explains that the U.S. Coast Guard is warning that Chinese-made, as they're called, ship-to-shore (STS) cranes come with, and this is unspecified,
but they said, with quote, built-in vulnerabilities, unquote, enabling remote access and control. Consequently, the Coast Guard has begun urging operators across the country to adopt enhanced security protocols. Okay.
Are these the cranes you're talking about?
Oh, I've got one in the show notes, another page or two further on. So in their notice the Coast Guard wrote, quote, additional measures are necessary to prevent a transportation security incident, unquote, and the Coast Guard cited, quote, threat intelligence related to the PRC's interest in disrupting U.S.
critical infrastructure. Now the notice instructs owners and operators of Chinese-made STS, you know, ship-to-shore, cranes to obtain a copy of the official directive from their local Coast Guard officials, stating that the materials contain sensitive security information. In other words, we're not telling you what we know in this public notice. Get this: get the official directive from your local Coast Guard; they'll tell you more.
A congressional report published in September warned that a Chinese company with a major share of the global market of STS port cranes poses, quote, significant cybersecurity and national security vulnerabilities for the United States. According to the report, the Chinese state-owned company ZPMC supplies eighty percent of all ship-to-shore cranes in the U.S.
market and has significant involvement in militarizing the South China Sea. Lawmakers warned that the company and its cranes could serve as a Trojan horse, allowing Beijing to exploit and manipulate U.S.
maritime equipment and technology at their request. What remains unclear is what measures the Coast Guard could implement to restrict the remote functionality of ship-to-shore cranes, which are integral to port operations nationwide. Okay, so here we add another example, a new example, to the Chinese-made DJI drones and Chinese-made security cameras, which those in the U.
S. have likely been purchasing and plugging in everywhere for years, because, as you said, Leo, they're the best. The answer to the question of what we are to do about these cranes is the same as for the DJI
drones and cameras. I think, in theory, we could purchase the hardware and independently source the firmware or software for these devices, but nothing prevents firmware buried deeply within the hardware from being similarly compromised.
So not just flash memory and obvious firmware. So, you know, the real truth is, in any instance where we've seriously and firmly determined that we cannot trust the supplier of equipment, that equipment cannot be used anywhere its physical or cyber compromise might lead to other damage.
And imagine if Beijing could do nothing more than cause, and I say nothing more than cause, eighty percent of all U.S. ship-to-shore port cranes to self-destruct.
It would instantly and irreversibly cripple all major U.S. ports.
And at the bottom here of page six, I have a picture of this thing. Ah. Oh my god, look at that thing. It looks like something out of Star Wars. You know, you definitely don't want to have that thing walking in your direction.
Well, it doesn't walk, it does roll back and forth. And one of the things I love about going on cruises, which you do a lot of, is you get to see these ports and you get to see these cranes
in operation. It's beautiful. But then, to give you a sense of scale, look at the itty bitty size of the standardized containers next to it. My god, it's just amazing. Yes. So anyway, this is a beautiful thing, and it's a pity that apparently we can't trust it.
I mean, we don't know what is known. What was that, preinstalled vulnerabilities? What does that mean? Yeah, I mean, like, is this literally that they discovered, that they reverse engineered the firmware and actually found back doors that China knows are there? That would be a...
Maintenance and service, there's probably a
back door, right? I mean, well, or it ought to be a documented front door, and, like, ZPMC is able to update the software in order to, you know, handle the new type of shipping container which is thirty centimeters bigger.
This is a universal issue. We've talked about how the Chinese, what do they call this attack, they're in the phone systems. They're listening.
The phone calls are taking advantage of the legitimate wiretapping capabilities that law enforcement put in twenty years ago to listen to. I mean, they are in our power grid. We know that they are.
They're just sitting there. They're not doing anything. But honestly, this sounds as if the Chinese government has infiltrated pretty much all of our infrastructure, Leo.
We are buying all of our stuff from China. It's not like they have to even try, right? I mean, we said, oh, we like those cameras, yeah, we'll take a million of them.
They're taking advantage of flaws. And SS7 has been there since thirty, forty years ago, right?
So, so on the
still there are
vulnerabilities in the technologies that we are using. But on the flip side, we don't know; there's no evidence, for example, that DJI actually was ever used in a covert surveillance effort. We just know that it could happen.
And we know that they are a Chinese-based company. So everyone is... And now we're looking at these cranes, thinking, oh my god, what if, you know. No crane has ever gone crazy or done anything wrong.
Is there any reason that crane is online? Should that crane not be there? Yeah.
My switches are online. My lights are online. You know, your blender is online.
The microwave is online. The coffee maker is online. Everything is online.
Yeah, look, I mean, that's really what has happened: we've gone online-happy, right? And so, you betcha. You know, I mean, who knows how those cranes even get installed? I'm sure a whole bunch of people who are, you know, erecting and installing them, and then you've got to install the software. Again, it's going to all be software controlled.
At one point in time there was a guy sitting in a cab with big levers. There still is. Now you've got a game controller, right? Right.
That's one of my favorite series.
Seasons of The Wire. Ever watched The Wire, Leo? One of the best TV shows ever produced.
Absolutely. And in one of the seasons they're down at the shipyards, talking to the guys who operate those big cranes, and have lots of scenes of them in there and how fast they can move them and so forth. It's pretty cool. But that was a long time ago. I'm sure it's even cooler now, now that the Chinese have infiltrated.
So I know I feel really mixed about this. I know we have a lot of Chinese listeners. I love them.
There's, you know, nothing against them. And we don't know that China has ever misbehaved. We do know that we're being attacked. We even know by whom. But commercial companies, where there's no evidence that I'm aware of of misbehavior yet, because it's possible, you know, I don't know.
I'm going to throw this out here. I think this narrative is a little disturbing to me, because where it leads is, well, you just don't have anything that's made or bought from China, which could probably still not secure you, right? Because, correct, we still are using SS7.
So yeah, I've replaced all the Huawei equipment in my network, but I still have software that's got massive holes in it, and I'm not willing to replace that.
But let's say that's the road we go down. Let's get rid of all the Chinese stuff. I think that makes us more vulnerable, because China no longer is economically dependent on us, is no longer interested in trading with us.
I think we are less vulnerable if we trade with our enemies, you know, and they're economically tied. Their fate and our fate are economically linked. That to me is a better strategy for keeping the peace than putting up a big wall and saying we're not going to buy any Chinese stuff. That doesn't...
Then they know they're keeping their number one customer.
Right? So I don't have as... I mean, look, by the way, we are infiltrating their stuff. We know this from the Edward Snowden leaks that the NSA has plenty of tools to do the same thing back. And they buy American stuff, probably not as much American stuff as we buy Chinese stuff. But I think it makes me nervous to think of the direction we seem to be heading with these reports that, well, let's just not have anything from China, because that could be a prelude.
It would be better for us if we all got along, you know. And you know what,
we've got, there is, by the way, this mutually assured destruction, because we do have stuff in their gear as well. And they have infected these... Bill Clinton even made, and Obama made, these agreements with China:
okay, you're going to have your stuff in there, but we're going to have our stuff in your stuff, and we'll only go so far in this espionage game. And these are the rules. And, you know, that's... I don't know how good a way to do that.
That's a very good way to do things, but that is kind of worrisome right now. So I'm just nervous about the idea, well, let's cut off all Chinese stuff. No, no Chinese stuff. Maybe the other direction would be safer, and...
look at the crane. It's...
They make good stuff.
Oh.
I mean, probably it's also cheaper than the American-made or the German-made cranes. I don't know. German, I'm sure Germany makes equally good cranes.
I bet, I bet. And who's to say, though, that if we switched to those, there wouldn't be some vulnerabilities, even if they didn't intend to. That's the problem there. There'd still be vulnerabilities that the Chinese cyber ops could get into.
There are still supply chain issues. There are still software vulnerabilities. I don't... Is perfect security possible?
No. I wonder what the German cranes look like. I might...
Whatever. Are you going to put this crane, if you talk to
Lorrie about your crane? A little model. I want a model, a model.
But if you... you could have little model containers. There are little model ships.
You could... one of the best things about my wife is she loves trains. Like, trains. I could have model trains running around the house.
Well, there's a very small difference between a model train and
a model crane. That's what I'm saying. That's what I said.
I think this
would probably work. I love it. Okay. So after a phenomenal surge in new users, Bluesky has received its first country-level block, and the winner is Pakistan.
Congratulations. For those who don't know, Bluesky was originally conceived as a project with Twitter, back in the Twitter days at Twitter, by Jack Dorsey. It was designed to create an open, decentralized standard for social media and was launched in 2021 as an independent entity.
After that, Bluesky quickly evolved into a strong competitor to X, offering a more customizable and transparent UI and, you know, user experience, UX. Bluesky's overall popularity has been soaring recently. And in Pakistan specifically, this is being driven by increasing accessibility issues with X due to government restrictions and the growing need for a VPN to access X. Many Pakistani users have turned to using Bluesky as an alternative.
Unfortunately, now it appears that within Pakistan, Bluesky is quickly hitting the same barriers as X. As mentioned, I've received Twitter DMs from our listeners asking when I'll be moving to Bluesky. I'm not moving anywhere. For me, X is, you know, just kind of slowly being allowed to fade. I'm still posting the weekly show notes to X because I've been doing that for years, and some of our listeners who hang out there continue to appreciate that. But, you know, a nicer presentation of today's show notes, as I said earlier, was emailed to the more than thirteen and a quarter thousand of our listeners yesterday, and every one of those listeners is able to email directly back to me at securitynow@grc.com. And all of that works even for our listeners in Pakistan.
So mail, anyway, mail works. When I was in China, I used mail to post to my blog and Facebook and Twitter, because I could email it. Yeah, yeah. By the way, I've got something for you,
Steve. Actually, should I send a link to Lorrie? It's the LEGO City seaside harbor with cargo ship, toy, model, container train. And with that many figures, Steve, this is what you want.
You know, we don't need a train running around the Christmas tree. You need a crane. We can set this puppy up. Wonderful.
This is yours, man.
Great, it'll arrive before Christmas.
Thank you to a chocolate milk mini sip. As you know, i'm all holder in our jet for providing us with that.
So under the section of "what will they think of next," we now have what's being called repo swatting attacks. Repo, you know, is short for a repository, which is the unit of organization employed by GitHub and GitLab. Get a load of this: threat actors have been abusing a hidden feature to cause GitHub and GitLab accounts to be taken down. The technique, and this will really strike home
for you, Leo, with the problems TWiT has with anything, you know, copyrighted. The technique allows users to open issues against a targeted repo, upload a malicious file, and then abandon the issue without publishing it. On both GitHub and GitLab, the file remains attached to the victim's account.
Then the pesky threat actor reports the hidden, non-public file for breaking the service's terms of service, which forces the repo to be removed for hosting malware. Apparently, this is just one more reason why we can't have nice things. I hope we do that. The administration...
This is the problem with the DMCA takedowns, right, on YouTube: because the process is so efficient, works so fast, you have virtually no time to defend yourself. One would hope that GitHub and GitLab would start to understand this
attack and figure out, this is what's going on. Yes, it's visible. Fine. Not so quick. Yeah, yeah. A couple of weeks ago, I touched on two recently announced zero-day flaws that had been discovered to affect Palo Alto Networks' enterprise firewalls. That led to my quite predictable rant about the proven impossibility of protecting any form of remote management access to internet-facing services.
Even firms like Palo Alto Networks, whose business is security and security appliances, still don't know how to do that, as these two recent zero-day flaws demonstrate. In this case, to say that Palo Alto's internal architecture seems somewhat wanting would be an understatement. An analysis by watchTowr Labs, that's spelled T-O-W-R, they've dropped the E, reveals that this vulnerable appliance, and it's actually a family of them, is implemented in what they declare, with tongue in cheek, to be the "absolutely stellar PHP language," unquote, which is served by Apache, fronted by an Nginx reverse proxy.
They then note that the system implements its authentication layer by using a PHP feature known as auto_prepend_file, which prepends the file uiEnvSetup.php, as in a UI environment setup, to anything PHP loads, which is just such poor design I can't even begin. Okay, this is implemented by the line
auto_prepend_file = uiEnvSetup.php in PHP's php.ini file, which they preface by saying, quote, take a look at this gem of a hack in the php.ini file, unquote. And I could not agree more. They introduce it by noting, "we guess auto_prepend_file actually has legitimate uses besides writing PHP exploits." I mean, I just, you know, the bottom line is that this is all quite dispiriting.
I don't know why I always imagined that Palo Alto Networks would be doing things right. I suppose I wanted to give them the benefit of the doubt. The
uiEnvSetup.php file, which provides front-end authentication by redirecting unauthenticated access to the login page, actually contains the comment, this is their own source code,
their own PHP code contains the comment, quote, these are horrible hacks. This whole code should be removed and only made available to a few pages, unquote. Maybe a common debugging comment? No. That was their own code, you know, this was awful.
That's exactly what you'd expect some engineer to write. Look at this code, and to put in the comment, this is a hack.
This is terrible, please. I don't know why I'm doing this. I'm hungry. They just delivered to the conference room. Oh my god. Anyway, I couldn't agree more with the coder's own comment.
And I would never say that Palo Alto Networks deserves to have been hit by these vulnerabilities, especially since it's their customers who will be taking the hit for this. But a design that is this slipshod can only be called asking for it. It's unquestionable that this is the kind of crap they're shipping.
And in order to see any of this, because it's not out for public display, the watchTowr guys needed to first jailbreak this Palo Alto Networks appliance, which they did. But this means that this extremely poor design is locked away out of sight, so that it is only visible to intrepid researchers
who go to the effort to create a jailbreak. But even if it cannot be seen, every Palo Alto Networks customer remains reliant upon it. We all know the rigid line I draw between bad policies, which are deliberate, and true mistakes, which anyone could make.
None of this is an example of a mistake anyone could make. You know, these are policies. There are developers inside Palo Alto Networks who know this is what they are shipping. Those people should be looking for a new job far away from anything having to do with security.
And so today we have the news from the Shadowserver Foundation of evidence that at least two thousand of these Palo Alto Networks firewalls have been compromised using those two recently disclosed zero-days. Two thousand of Palo Alto Networks' enterprise customers have been penetrated. As a result, once you've been compromised, the firewalls contain a PHP web shell, which allows attackers to return later at their leisure. The presence of this web shell is one indicator of compromise. The Shadowserver Foundation said that their number was a conservative estimate, since it relies upon a limited set of IOCs released by Palo Alto Networks last week.
Now, to their credit, Palo Alto Networks had warned of a possible zero-day earlier this month, which is what I talked about back then. And their communication throughout this has been stellar. So there's much to commend Palo Alto Networks for about their response to this trouble. Unfortunately, this stands in stark contrast to whoever is developing their devices.
Did they fix it?
They probably patched it, and it's probably largely the same. Maybe if a brighter light is shone on this, they'll say, wow. What gives? You just said... is that true? What, does anybody know? Is that true? You can't blame
PHP, because you can code securely in PHP. But the problem is that it makes it very easy to code insecurely.
Thank you for finishing the sentence I was about to. It doesn't...
It does not exactly get in your way.
I guess. Yeah, if they had developed it in interpreted BASIC, you would wonder about the level of the programmer expertise that chose the BASIC language to do the work. And PHP is similar.
It's a very nice language. You know, we know what PHP initially stood for, right? Yeah. Personal
Home Page. Do not write your security appliances' front ends in Personal Home Page. No.
Exactly right. Wow. Okay, so a responsible security researcher going by the handle delsploit, who reportedly answers email at delsploit at gmail dot com, has privately and responsibly disclosed their discovery of a terminally serious stack buffer overflow vulnerability across D-Link's past VPN routers. I characterize this as being terminally serious because this now-known-to-exist vulnerability allows unauthenticated users, also frequently referred to as anyone, anywhere, to remotely and at their whim execute their remote code on the victim's targeted D-Link VPN router.
The concern is that D-Link's announcement of this sobering reality last Monday contains a field for "link to public disclosure," which is currently filled in with the abbreviation TBD, as in to be determined, which strongly suggests that this delsploit character is being responsible with his or her knowledge and is giving D-Link some time to respond. But there's a problem with that. All six of these vulnerable D-Link VPN routers have gone well past their end of life.
They are no longer being supported by D-Link and thus will not now, and not ever, be receiving updates to correct this most critical vulnerability. No CVE tracking designation will be assigned to track this vulnerability because it's never going to be fixed. And if a CVE were to be assigned, it would be carrying a flashing red CVSS
score of 9.8, perhaps, or maybe even the rarest of 10.0s. Okay, now, this vulnerability is as bad as they come, because this otherwise lovely family of routers offers a standard SSL VPN, which runs a simple web server at the standard HTTPS port
443. I have a screenshot in the show notes of what you get when you use your HTTPS browser to connect to these things on port 443. This looks like a web page asking you for your username and password. From the standpoint of almost actively soliciting attackers, this could not be any worse.
The page that is displayed to any device connecting to port 443 of an affected router prominently displays the device's model number and both the hardware and firmware version numbers. This thing effectively shouts, please exploit me. So, you know, where they are on the internet will never be any mystery.
And I have no doubt that the lists of their IP addresses have long ago been assembled. Okay, so now everyone knows the situation. The two oldest affected routers are the DSR-500 and DSR-1000, which both went end of life nine years ago, back in September of 2015.
The more recent four VPN routers are the DSR-150, DSR-150N, DSR-250 and DSR-250N. All four of those went end of life just a few months back, in May of this year. But as the saying goes, close only counts in horseshoes and hand grenades,
meaning, in this case, that end of life is end of life. And D-Link formally states in their disclosure that these now-known-to-be-seriously-vulnerable D-Link VPN routers will never receive updates. Long-time listeners of this podcast know what will come next.
As sure as the sun rises every morning. Many tens of thousands of these devices are currently sitting on the public internet. The number may be around sixty thousand, six hundred thousand.
I haven't seen an exact count, but I'm sure that either Shodan or Censys would have that number and be able to provide their IP addresses, since every one of them, as I said, proudly presents its logon page to any passerby. There's been no public disclosure of the details of the vulnerability that delsploit found, but D-Link has confirmed it. And at some point delsploit is going to want to have their day in the sun and bragging rights about having discovered this vulnerability.
So it's going to be published, and no one can really fault delsploit for eventually disclosing the vulnerability they discovered, because that's the way the game is played these days. You wait long enough to give the impacted parties a reasonable amount of time to respond. And after that, no matter whether or not they have, and regardless of the consequences, the entire hacking elite is then informed of exactly how to bypass the internet-facing authentication which protects tens of thousands of networks that are currently behind every one of these VPN
routers. There's nothing any of us can do other than protect ourselves and those we have responsibility for and care for. So make absolutely, doubly,
damn certain that nowhere within your sphere of influence do any of these six D-Link VPN routers currently exist, because we all know exactly what's going to happen next. In their disclosure, D-Link ineffectually recommended that this hardware should be replaced.
We know that most of the owners of these devices will never receive any sort of notice of this, and probably wouldn't pay it the attention that it deserves even if they did. We are all being so inundated by all of our software being constantly updated that it is easy to become numb to it.
But if anyone is in the market for a replacement, I would now say to stay well clear of D-Link. They have a long and still-growing history of very serious, remotely exploitable vulnerabilities being discovered after the fact in their past-end-of-life products. This happened earlier this month with sixty-six thousand of D-Link's internet-connected NAS devices.
Their response was effectively, well, we're sorry, we don't make NASes any longer. And even if we did, those sixty-six thousand internet-connected, remotely exploitable network attached storage devices we once made are now past their end of life. So it wouldn't matter even if we still made them.
It's true that hardware is not forever, and that it would not be unreasonable to expect an aging NAS or router that's past its end of life to be rotated out of service in favor of something new. But we all know, we all know, that that doesn't happen often. Given their track record, I would be disinclined to give D-Link any more commercial support. If you really like the brand, okay, you know, I get it. It is truly nice-looking hardware. But you should be aware that end of life or end of support probably means end of secure service life, after which point a device, a D-Link device, should be rotated out of service. And if you have any existing inventory of D-Link devices, you should be very certain to have a current subscription to their security bulletins and other notifications, and really pay attention when you get one.
It's too bad they used to be a good company, right? I mean, I have a lot of delink.
right? Did two right? Did too. But you know they're having problems. And I mean, again, it's not it's not unreasonable to say, okay, well.
it's in the world and we're not supported anymore.
Yeah I mean, you know all the other companies do that too. But but even microsoft has gone back and like fixed a really bad windows seven problem after windows was end of life because they recognized they didn't want to hurt their own users.
The problem really is that the link was a consumer dominant consumer brand for a long time. And so there are a lot of people who aren't that sophisticated who have dealing here and their night paying attention and all. Isn't this show right? So they'll never know that there's a problem with their router or actually not a router.
It was a NAS. Um, well, it is a, yeah, it is a, uh, the, earlier this month it was sixty-six thousand NASes. And now we've got, uh, we have six different models of SSL VPN routers. And an SSL VPN is sitting there listening for incoming SSL connections on port 443, right? So mark my words, a month or two from now we will have a count of how many systems have just been taken over. Yeah, I mean,
at least an SSL router is not a consumer product. That's not in grandma's hands.
I actually, I don't know, I would say that's a bigger problem, because that means that... it's not in granny's hands, right? You know, it's on some small business's network that can be, and they'll have all their systems encrypted and then held for ransom. Yes.
Some IT guy twelve years ago installed it in the lawyer's office, and nobody's thinking about it. It just works, and security is not a concern, as expected.
I had sort of a related story. It turns out that, um, uh, as many people know, Sharia is a religious law that governs, uh, some aspects of the lives of Muslims based on the teachings of Islam and the Quran. Um, we were just talking about Pakistan being unhappy with pretty much all things internet.
I should note that Pakistan's religious advisory board recently ruled that the use of VPN apps is against Sharia law, apparently, because Sharia law is whatever they want it to be. Yeah. Uh, the Council of Islamic Ideology said that VPN technology was being used in Pakistan to access content prohibited according to Islamic principles or forbidden by law, including, quote, "immoral and porn websites or websites that spread anarchy through disinformation." Um, and this gave me pause to wonder, Leo, whether they might be inclined to change their minds if they were able to get a really good deal on some used D-Link VPN routers. Yeah, that's the ticket.
Oh lord. What a world. What a world. Well, this is, yeah, I mean, yeah.
So, um, we have the return of Recall. Let's take a break. Yeah, and then we're going to talk about Recall now being put back into Windows Insiders, uh, to begin testing. Yeah.
Congratulations. We talked about it on Sunday on TWiT, and all four of us said, yeah, but we would love to have something like Recall. In fact, my problem with Recall, it doesn't... it should be on every device. It should be on everything.
But of
course, that would be a security nightmare, but I'll let you talk about it. This part of our show is brought to you by ThreatLocker. This is the opposite of Recall.
This is basically zero trust. It's the opposite of what you were talking about earlier, which is, you know, kind of allow everybody and then filter out the bad guys. No, no, it's quite the opposite. If zero-day exploits and supply chain attacks are keeping you up at night, and I think they probably are if you run a business, here's a solution.
You don't have to worry. You can harden your security affordably and easily with ThreatLocker. I mean, worldwide, companies like JetBlue trust ThreatLocker to secure their data, to keep their business operations flying high. But even small businesses can benefit with ThreatLocker's easy-to-implement zero trust solutions. Very affordable. Imagine, and this is kind of the nut of how it works, taking a proactive deny-by-default approach to cybersecurity.
Deny by default. That's what zero trust is. You don't assume just because somebody's in your network that they're good guys, that they should have access to everything, unless you give them explicit approval. Every action is blocked, every process is blocked, every user is blocked.
And it will continue to be blocked until authorized by your team. And even further than this, you were talking about logging earlier. ThreatLocker, which, by the way, makes it easy to do this, also will give you a full audit of every action, fully logged.
So that's great for risk management, for compliance, too. You can demonstrate your security posture. This is how it should be done. This is done right. And their 24/7 U.S.-based support team will fully support you getting started, getting onboarded, and beyond. Stop the exploitation.
This is so cool. Talk about ring... one of the things they do is called ring fencing. Stop the exploitation of trusted applications within your organization.
Keep your business secure. Keep you protected from ransomware. Organizations across any industry can benefit from ThreatLocker's ring fencing. That's what they call it, and it's a great name for it, because you're, in a sense, fencing stuff in.
You're isolating those critical and trusted applications from unintended uses, from weaponization. You're limiting attackers' lateral movement within your network. ThreatLocker's ring fencing works so well it was able to foil a number of attacks that were not stopped by traditional EDR, including the SolarWinds
Orion attack. We talked about it for many years. It was foiled by ring fencing because you couldn't move laterally in the network. Oh, and ThreatLocker works for Macs too. Get unprecedented visibility and control of your cybersecurity quickly, easily, and cost effectively.
ThreatLocker's zero trust endpoint protection platform offers a unified approach to protecting users, devices, and networks against the exploitation of zero-day vulnerabilities. When we first talked about these guys, I went out, I looked at reviews, I was blown away. The people who use ThreatLocker love it, and it really works, and it's very affordable.
You can get a thirty-day free trial right now. Learn more about how ThreatLocker can help mitigate threats no one's ever heard about before and ensure compliance. Visit threatlocker.com.
Visit threatlocker.com. That's threatlocker.com. We thank you so much for supporting the good works of Mr. Steven Tiberius Gibson, and you support us when you go to threatlocker.com, and if they ask, tell them you saw it on Steve's show. All right. Okay, Steve.
So last Friday, yes, the Windows Insider blog announced the return of Recall to Windows 11. They wrote: Hello, Windows Insiders. Today we're releasing Windows 11 Insider Preview Build 26120.2415, or, as one of my employees once said, "started," which I always thought was funny.
He said that. They said, to the Dev Channel. With this update, we welcome Windows Insiders with Snapdragon-powered Copilot+ PCs to join the Dev Channel to try out Recall preview with Click to Do preview, which is a new feature that they are now going to be testing. So anyway, I have a link for you
to the rollout text in the show notes for anyone who wants more. Suffice it to say that Microsoft has done exactly what they had promised to do. The setup experience, of course, promotes Recall as a wonderful and really secure feature. It's unclear from the few screenshots Microsoft provided what the user's decision tree looks like and how readily the user is able to decline to receive the Recall experience.
But presumably, after all of the backlash Microsoft received and their commitment to disable Recall until a user explicitly enabled it, that's what they've done. I do know from reporting that Recall can mostly be removed from Windows through the "Turn Windows features on or off" dialog. One security researcher noted that some Recall-related DLLs do remain under the Windows SystemApps directory, specifically Microsoft.Windows.Client.AIX, but this researcher noted that the core functionality is removed.
So that's good. Uh, a few items of note from their blog posting. Quote: The Recall preview will begin to roll out on Snapdragon-powered Copilot+ PCs, with support for AMD- and Intel-powered Copilot+ PCs coming soon as we gradually roll out Recall in preview. Recall is supported in select languages, including simplified Chinese, English, French, German, Japanese, and Spanish. Content-based and storage limitations apply. Recall is not yet available in all regions, with expanded availability coming over time.
So there were anecdotal reports of researchers being able to get the first shot at Recall running on PCs without any fancy AI GPU support. So it might be that Recall will be made more widely available over time, you know. And so this might also mean that, for now, no one without Copilot+ PCs will need to worry about removing it, since it may never be present. And again, not yet in the main channel. This is all just Insider Preview.
Um, also of interest in the posting for their enterprise customers, they said: As announced at Ignite, for our enterprise customers, Recall is removed by default on PCs managed by an IT administrator for work or school, as well as Enterprise versions of Windows 11. IT administrators fully control the availability of Recall within their organization.
Employees must choose to opt in to saving snapshots and enroll their face or fingerprint with Windows Hello for snapshots to be saved. Only the same user can access and decrypt Recall data, theoretically. So although enterprises cannot access employee Recall data, they can prevent Recall from being used altogether and prevent any saving of specific apps or sites. So essentially they're saying that, um, you know, Group Policy settings that the IT admin controls can prevent Recall use.
But if Recall is then enabled, it still has a one-to-one relationship between the machine and the employee, and under no circumstances does the enterprise have access to the data that Recall is collecting for that employee. So that's good. And of course, that was not the case when this was first rolled out in, you know, what many people feel was a premature mode, because none of the data was encrypted.
It was just all there in a user directory. So, just for the record, Microsoft is also previewing a Recall feature which they call Click to Do. Uh, and they write: With Click to Do in Recall, you can get more done with snapshots and improve your productivity and creativity.
Click to Do recognizes text and images in snapshots and offers AI-powered actions you can take on these, saving you time by helping complete tasks inline or quickly getting you to the app that can best complete the job for you. They then show that, um, the user, uh, is able to mark and highlight to select text in an image on a Recall snapshot, which is cool.
And then once selected, you get a context menu with Copy, Open with, Search the web, Open website, and Send via email. And if the user happens to right-click on a recalled image, as opposed to a block of text, then the context menu commands are Copy, Save as, Share, Open with, Visual search with Bing, Blur the background with Photos, Erase objects with Photos, and Remove the background with Paint. So some things you can actually do with images that are recalled, and apparently soon with things that are not recalled.
They said: In this update, Click to Do only works within the Recall experience. And by the way, we're going to have a lot of "experiences" with Windows, apparently. In Microsoft, that's their new favorite word. They said: In a future update, you'll be able to effortlessly engage with Click to Do by simply pressing Windows logo key plus mouse click, Windows logo key plus Q, through the Snipping Tool menu and Print Screen, or searching Click to Do through the Windows search portion.
In other words, it'll be pervasive in Windows. They said: These methods will make it easier than ever to take immediate action on whatever catches your eye on screen. We're also working on introducing more intelligent text actions to enhance your experience even further.
Just like with Recall noted above, Click to Do preview is available only on Snapdragon-powered Copilot+ PCs. Support for Intel and AMD Copilot+ PCs is coming soon. So, okay, uh, for people who have those. Again, not yet mainstream, not yet released, but clearly coming. Um, I was talking earlier about the fact that we absolutely know that very, very few of the now known-to-be-vulnerable D-Link VPN routers will be removed from the internet as a result of D-Link's announcement of their serious vulnerability. How do we know? Well, all of the history that we've talked about on this podcast shows that. In this case, CISA maintains a list of the most exploited security vulnerabilities by year.
We know that at least sixty known threat actors exploited vulnerabilities from CISA's list of the most exploited bugs last year, and we have details. According to the security firm VulnCheck, V-U-L-N-check, the North Korean group Silent Chollima was the most active in this regard. They targeted nine out of fifteen CVEs from CISA's list.
China's and Russia's groups were the most active among the sixty known threat actors, with China sponsoring fifteen groups of those sixty and Russia supporting nine groups. And here's the most distressing news that gets back to why we know that few of those D-Link routers will be removed from service. Hopefully, if there's any intersection between those D-Link routers and our listeners,
they know, and action will be taken. But VulnCheck reports that over four hundred thousand systems that are currently online at this moment are vulnerable to attacks using one of last year's most popular vulnerabilities. Four hundred thousand systems online now are vulnerable to at least one of 2023's most popular, and, you know, "popular," most exploited vulnerabilities. So, wow, do we have to do better as an industry? We really do somehow need to do better.
Okay. It just shows you how hard it is to do so.
I mean, yeah, well, and, you know, I'm sure that notices are going out. As I said, you know, we all just get, um, inured to them. Essentially we just stop paying attention to every one of them, because it's like, oh my god, oh my god, oh my god, and finally say, oh well, we keep hearing that but nothing ever bad happens. Until something bad happens.
Um, okay, some great feedback from our listeners. Thomas wrote: On a recent episode you mentioned the device that acts like a Bluetooth keyboard and connects via a dongle between a phone or other Bluetooth device and a computer, or basically anything you could plug a USB keyboard into. It sounds to me like an InputStick.
And that's http://inputstick.com. He said: A device that I used frequently as a hardware tech when replacing HP motherboards. After you replaced the motherboard, you had to enter a setup command string.
It was about thirty characters long and case sensitive. Since it was entered before/during BIOS, you could not copy it into the field from the web. It was a nightmare. Okay, right? Thirty characters of upper- and lowercase gibberish, yeah. He said, but with the InputStick... So cool. Ooh, I immediately ordered one. Yes, so that is very, very cool. And the app's kind of like a YubiKey,
but you could program it to do whatever you want.
It's exactly what it is. And not only keyboard, but also mouse. Wow. So you're able to remotely control, I know, like, do mouse functions. So he said, but with the InputStick, you can go to HP's website on the phone, copy the string, paste it into InputStick's software, and send it slash input it directly. First time. He said: Better. While it's been a while since I've done that, mostly it now works as the control to turn my computer down when I'm going to sleep, he says. And because they have also complete multimedia control,
he said, as any keyboard does, of course. Yes,
exactly. He said: Still one of my favorite toys, though. Even though I'm no longer in the biz, I still keep up with the news via Security Now. Thus, as I said, Thomas is one hundred percent correct. That is the gizmo that another listener mentioned, which I immediately purchased,
since it looks clever and interesting. I think it was thirty-nine dollars U.S. plus shipping from Poland, and they immediately shipped it.
I got a notice of it being shipped, like, hours later. I'll report again once I've had a chance to play with it. Its creator appears to have done quite a lot with the capability.
Um, it's able to simulate both a keyboard and a mouse. And as I said, it's able to simulate multimedia control keystrokes. It's got macro capabilities and the works.
So, you know, I'm constantly annoyed that despite my decades-long loyalty to all things Apple for everything other than PCs, Macs offer integration features that Apple refuses to bring to Windows. No, I know. Oh my god, what I'd love to have: iMessage for Windows.
I, but no, no, I don't get that. And I was wondering if this would somehow allow me to bridge that gap. But actually it's going in the wrong direction, probably, unless I would... I guess I could... no, it's going in the wrong direction.
So, uh, I guess at the same time, if they brought us something that was like iTunes for Windows, I'm probably better off without it. So you have a solution? No,
I'm just, I'm trying to think of how you would use it. So your goal is to do
what? Ah, I guess my goal would be, okay, so it's burdensome writing a long message on the horrible touchscreen keyboard, so I like to do it on my keyboard and then just send that. Yeah, and I've, like, I've emailed myself messages and then gone to the email on the iPhone, opened it, copied it, gone to Messages, pasted it, and then sent it. It's like, what...
This is how Apple keeps people in the Apple ecosystem. If it's easy to do if you're in Apple, yes, you're all Apple.
I know, otherwise
yeah, you know, you might buy other people's computers and we can't let that happen.
Right? Uh, Geno A. Greedy, who signed his note "the Network Ninja," earns his title. He wrote: Steve, I was listening to the episode where you had a listener ask about how to capture the command and control, you know, C2, traffic when it's using a hard-coded IP.
The solution you offered would absolutely work. I think the more elegant solution would be to just NAT the destination. I'm not entirely familiar with pfSense or OPNsense, and I use Untangle and Palo Alto at home.
However, if you have firewall software that supports it, you could create a NAT rule that changes the destination from the hard-coded IP to a host of your choice. You won't even need additional interfaces. If you configure the rule correctly, it will re-NAT it back for return traffic. The malware will have no idea that it isn't actually talking to that IP.
The additional advantage is that you wouldn't have to change the IP or add additional IPs onto the machine you're sending the command and control traffic to. You could easily create as many of those NAT rules as you want, which I think would make it more robust long term. I appreciate the podcast and hope to be listening for another one thousand episodes. Okay.
This suggestion makes sense. Okay. So given that a router firewall supports it, I think it's a brilliant solution that's clearly superior to the more complex approach that I proposed. So I like it a lot. Okay, let's think this through. As I understand it, it would require routing software that's able to perform NAT translation for packets traversing the router's internal LAN interface. That's different from typical consumer router NAT, which is generally applied to outbound packets crossing the router's WAN interface. So this would definitely require some third-party routing software,
you know, higher-end routing software like pfSense or OPNsense. Applying NAT to the internal interface would cause any packet sent from any machine on the LAN, such as the malware-infected machine, which is addressed to a specific external public IP, to have its destination IP changed to another host machine on the LAN, the one that's serving as the command and control server. So that packet's source IP would remain unchanged, which will be the IP of the infected machine.
So on its way out from the malware-infected machine, the outbound packet crosses the LAN's selective NAT translation, which would give it a local destination LAN IP address. This would cause the router to send it back out the same LAN interface, now addressed to the command and control server. And since that packet arriving at the command and control server would still be carrying the local source IP of the malware-infected machine, the spoofed command and control server would return its replies directly to the malware-infected machine.
So it's an elegant solution, and I can't see why it wouldn't work. Um, I haven't tried it, but it's a super interesting concept. Um, I replied with this to our Network Ninja Geno, who sent me a follow-on link, um, that referred to this using the term "hairpin NAT." So this is a known technique. And you can see a hairpin, right? It's like it does an immediate 180. So it's called a hairpin NAT, where you NAT across your local interface, your LAN interface, as opposed to the WAN, in order to perform these sorts of tricks.
So very cool. Thank you. Um, Abhi Rao, A-B-H-I R-A-O, uh, driving his kids to school in Charlotte, North Carolina, wrote: Hi.
I've been listening for the past twelve years. Your podcast has been a constant on my drive to work and dropping my kids to and from school. My kids have grown up listening to your voice, sorry about that, and are more security conscious because of you.
So thank you. Yeah, I guess the kids are probably on edge now. Um, he said: In your last show, episode one thousand and one, you mentioned Cloudflare Tunnel as an option for accessing home networks. One main clarification I would like to make, which you did not mention, is that although a Cloudflare Tunnel is simple to set up and use, it does not provide true end-to-end encryption. While it encrypts traffic between your origin server and Cloudflare's network, Cloudflare can decrypt and inspect the data in transit, as it terminates the TLS connection at its edge network, meaning it is not fully encrypted from start to finish. And he says, as we all know, for true end-to-end encryption an overlay network like Tailscale can be used. For a more detailed comparison, and he gives a link that I haven't seen before, at tailscale.com/compare/cloudflare-access. He says: I looked into Cloudflare Tunnel myself, uh, to access my self-hosted Bitwarden running on my home Synology, but I decided to use Tailscale instead for this reason. Love the show. To two thousand and beyond. The "two thousand" appears to be everyone's new goal for us since we did pass 999 unscathed. Um, so happy. We need to come
up with a hand gesture.
He provided a link, which I have in the show notes, to Tailscale's Tailscale-versus-Cloudflare-Tunnel side-by-side feature comparison. Um, and I tend to agree with Abhi's feelings. I think that the best way to think of it is that these two solutions, Cloudflare Tunnel on one hand and an overlay network like Tailscale on the other,
have some overlap in their capabilities, which allows either one to solve the remote access problem, but they are also very different. Cloudflare Tunnel has a large range of features that go far beyond what's needed for remote access to a user's LAN. It's really aimed at secure remote access to servers, and an overlay network's
true full end-to-end encryption is really what we want for remote network access. And that sort of tips me in its favor. Um, Stephen Lowater reminds us of an even simpler solution, writing: Hey Steve, congrats on hitting one thousand plus episodes. Thanks for all the thoughtful content you have shared.
I wanted to share an observation about remote access to home labs, he said, having tried Cloudflare Tunnels and various VPN clients. For those who don't need the features of an overlay network like Tailscale, WireGuard is worth considering. It offers simple, lightweight layer 3 connectivity, modern elliptic curve crypto, and straightforward setup. While Tailscale builds on WireGuard for robust overlay features, a standalone deployment keeps things minimal and widely supported across platforms like Linux, pfSense, and OPNsense.
What has kept me using WireGuard, he writes, is how it handles iOS sleep cycles, meaning the WireGuard client on iOS, he said, ensuring apps can reliably access data when waking from sleep. VPNs like OpenVPN, CF Warp, and IKEv2 often struggle with app-level connection failures because their clients cannot wake up properly in the selective sleep process iOS has, or renegotiate stale connections before a TCP timeout. WireGuard's small kernel footprint and fast connection renegotiation allow it to reconnect on demand without timeouts. He said: I started using WireGuard in 2020 to 2021 while setting up a self-hosted email server. I needed a reliable way to fetch mail on my phone while keeping port exposure to a minimum.
Since then, it's become a core part of my setup, enabling reliable email fetch cycles, isolated Ubiquiti cameras, and syncing files via Syncthing on my phone. Just thought I'd share in case it helps anyone exploring options. Best. And he signed off "another Steve," because he's Stephen Lowater.
So I'm really glad Stephen reminded us of the many benefits of just plain old WireGuard. We originally discussed WireGuard, which was, you know, at the time viewed as a replacement for OpenVPN, which has grown very old and stale, back when it first appeared on the scene about five years ago in episode 744. I first talked about WireGuard after meeting and being very impressed by the founders of the Mullvad VPN service and learning that they were already adopting WireGuard.
And recall that not long after that, Linus Torvalds incorporated WireGuard natively into the Linux kernel, which is saying something for it, because he would never do that casually. The only downside to running, for example, WireGuard on a pfSense or OPNsense router is that the first thing you need to do is open a static port through the router's WAN interface to the WireGuard service running on the router.
And from then on, that port is open, facing the outside world, and you're relying on WireGuard not to have any critical vulnerability that would allow an authentication bypass. If you're okay with that, then WireGuard is likely the lightest-weight and most secure solution available.
And I loved what Stephen shared about its compatibility with iOS. But running with a statically open port, which is never required when using any of the overlay networks, would tend to bend me away from WireGuard, much as I would otherwise love to be able to use it. What I would consider as an option would be adding some sort of port knocking solution that would allow a remote IP to be authenticated, so that that IP, and that IP only, could then connect to the WireGuard VPN
running in the home-based router. You know, since, for example, an ICMP ping packet can contain plenty of payload, a simple and secure challenge-response mechanism that incorporates the endpoint IP addresses and some crypto would do the trick, you know. And I would write one, I would create it, if only there were more hours in the day. But maybe somebody has or will. Uh, Enrico gave his note the subject "Ep. 989: back door or incompetence," and he said: Happy one thousand. I'm still a bit behind.
I'm listening to episode 989, where you talked about the Chinese RFID badge chip that was found to have a back door. We've heard plenty of reports about vulnerabilities found where the manufacturer left some debugging interfaces in. We've also heard lots of reports about back doors in products.
I'm curious, in general, how does one determine if something is a back door or incompetence? How can the researcher infer intent? Perhaps the internal company memo gets leaked that shows it was on purpose. It is still hard to tell if this was mandated by the government, unless top secret government memos get leaked.
Is it just based on the country that manufactured the device and whether they're friendly to the U.S.? I also heard about the guy that has gone back and started listening to your podcast from episode one.
I wanted to do this too. However, I'm already over ten episodes behind, so I just fall even further back. I only listen to podcasts while driving.
Maybe I need to plan some long road trips. Okay. So I think that Enrico makes a very valid point. Controversy is inherent when attempting to describe intent.
The question of the Windows Metafile escape, which I talked about last week, is another perfect example. Why is it there? Why had it been faithfully copied and reimplemented through many editions of Windows, even jumping from Windows 3, 95, 98, and ME over to the brand-new Windows NT, where it had to be reimplemented? Was all that an accident? The original intent of its designers has been lost to history, and we'll probably never know.
And remember about ten years ago when Cisco kept "discovering" hidden back door credentials in one appliance after another, month after month? You know, I have "discovering" in quotes, because, you know, these are their own systems. How difficult could it be to discover an undocumented login account in software that they wrote and for which they have the source code? They just had to look. So I guess they just looked and it's like, oopsy.
Anyway, since Cisco is not evil and never was, and since they were confessing over and over to what they kept finding in their own machines, I think, you know, that's a case of poor judgment and changing times. Twenty years ago, just as it may have been acceptable to design an escape hatch into Windows, it may have been acceptable for developers to just kind of lazily leave their development accounts in Cisco appliance firmware. Back then, it may be no big deal. But as we've seen, times change, as do our expectations.
My feeling is that in nearly all cases, it's just a mistake. For one thing, no clever developer would implement something that was meant to remain a secret by leaving a username and password in the firmware. That's way too obvious. If someone told any competent developer, okay, not somebody using PHP,
I did say competent developer, to design in a back door, it would be far more well hidden. For example, it would be necessary to first bounce an ICMP ping packet off the device with a particular payload length.
This would leave an insignificant trace. Then that would be done again with a different specific length, and that pair of events would prime the device to then accept anything originating from the same source IP only, without requiring any authentication, or something like that. My point is, nothing as dumb and obvious as leaving a username and password account burned into the firmware. There are an infinite number of ways to bury a true back door in today's insanely complex systems. And that is something that keeps people awake at night, because these things could be really difficult to find.
Yeah, I just, it doesn't... the intent doesn't really matter. It's the fact that it exists, period, that is sufficient.
Yeah, right. And I guess the real point is, who else knows about it? Eventually,
everybody knows everything. Don't think you can hide anything. But really, the truth, exactly, there.
Now, David in the U.S. wrote: Hello, Steve. I'm a long-time listener but haven't reached out before. I credit you in large part for my career in infosec. I was unable to get formal education in the field, so I self-taught using resources including your podcast.
It's been many years since I started my first job in the field, but I still listen regularly and learn a lot. Thank you for all your efforts. I'm sure this is an edge case, but regarding your remarks about SOHO routers in Security Now 995, I was recently treated to an experience with a new Nokia...
They still exist. ...SOHO router slash access point. I changed ISPs, and they provided one for free with a WiFi access point ready to use. They came out and installed it for me and plugged what they thought was my computer into it. He says, parenthetically, as if I had only one, haha.
He said, after they left, I plugged my entire home infrastructure into their router. As a result of your recommendation some years ago, my main firewall is pfSense running on a Protectli unit. You know, P-R-O-T-E-C-T-L-I, that I mentioned recently. He said, I didn't bother to reconfigure the new Nokia box for a couple of days because I didn't consider it an important layer of security. However, I finally got around to logging into it and was stunned by what I found. For some unfathomable reason, the firewall was set to light filtering mode.
Apparently it had a short, self-described non-disruptive block list it was using to blacklist certain things. However, it was not performing NAT services for the Ethernet. It was in pass-through mode by default, giving my public IP address to my pfSense firewall behind it.
There was an option on the Nokia device to enable NAT, but it was disabled. While I would like to think that perhaps it detected the firewall behind it and switched itself off, I said, no doubt it was not that smart. If I was a typical user, whatever I plugged into that Ethernet port would have been immediately exposed to the internet. The WiFi did seem to be using NAT, so perhaps they thought that was good enough for most users. Okay. So this was really interesting to me.
The thing that occurred to me first, after thinking about what David wrote, was that I'll bet almost no typical internet user today ever plugs anything into their router's wired Ethernet ports. I know that many of us who listen to this podcast do, but we're far from typical internet users. WiFi really has overtaken wired Ethernet. And that's the only way I can think to explain what David experienced, is that, you know, just everyone uses WiFi. So that was what was set up in order to, you know, share a single IP.
Maybe that Nokia just wants to say, you know, I think you're plugged in as a DMZ. And maybe, you know, I wonder if it even says that: if you're going to hook up a web server to this, put it on the Ethernet port, because it'll be DMZ. It is directly connected to the internet, right?
Yeah.
As you can tell, not a recommendation.
I have a couple of inches at the bottom of this final page before we switch to today's main topic. So I wanted to answer the many questions I've received from listeners who've taken note of the reMarkable Paper Pro on the bookshelf behind me. You can see it right there over my left shoulder.
It's right there. They're pointing at it. They've wanted to know what I think of it. I very much wanted to love it, but I don't. I wanted to like it. I don't. I wanted to like its support for color, its slightly higher pixel density, its larger size, and its reputedly higher stylus tracking rate. But I don't. Its support for color feels like it's not ready for prime time. The display goes through all sorts of contortions when using color.
I mean, it's almost comical what the thing has to do, with things flashing and switching back and forth and blinking. It's clearly not easy to pull off color, and I don't think it was worth the effort. Also, the darn thing is heavy. I mean, it is really heavy. And its stylus now requires charging, which the reMarkable 2's doesn't. By comparison, its predecessor, the reMarkable 2, I really love. I do wish I could get the cool cover for the Pro, which much more securely captures the stylus than the one for the reMarkable 2, but at least for the time being, it appears that that cool cover is only available for the Pro. So anyway, to answer everyone's questions, I was hoping I would like the Pro as much as I love my reMarkable 2s. I have a couple of them, but it doesn't really make the grade.
You tried the Amazon Scribe, right?
Yeah, well, I don't, only because the reMarkable is just... I don't do reading on it. I don't read PDFs. I just use it as a replacement for my engineering pad, right? And a soft number two pencil.
It's nice to have unlimited graph paper.
Yeah. And I now have, you're able to sync three devices through a single account. And because I purchased one in the old days, I'm grandfathered into the no-charge cloud connectivity. So if I do something in one location, when I turn it on in the other, it's synchronized.
Multiple-location doodling. What more could anybody ask?
I've got everything I want.
Yeah, the Advent of Code is coming up in just five days.
And that's one where it's very often handy to sketch out a big algorithm. Sketch it.
Yes. Yeah, just to understand. And the Advent of Code is all about text problems. And so to even understand the geometry, sometimes you have to draw it, because otherwise it's like... yeah. In fact, there were people a couple of years ago cutting up paper and making paper cubes so they could understand the relationships. I think it's all those off-by-one problems. You want to make exactly sure, yeah, do you mean greater than, or greater than or equal, right? And so I just quickly jump to sketching out a little simple example, or more.
Do I do exactly the same thing? But we do all of our...
We have one more.
Would you like one more? And then talking about disconnected experiences.
Whatever that is, we'll find out in just a moment why you may want to be disconnected from some of these experiences.
Yes, please. Here's... you know, you listen to the show, I'm sure, because he gives you... I'm right here.
No, no, you do. Are we going to our final ad? Yes. Yeah. I was watching the F1 race on Sunday. It was in Las Vegas.
And they talked to one of the drivers, a long-time F1 driver, and they said, do you ever watch your races? He says, no, I was in it. I don't need to watch it. I know what happened.
Yes, we don't listen to our own podcast. We were in them. But I'm talking to you, our dear listeners, our wonderful listeners who listen to this show for information, right? They get intelligence out of it. Governments have intelligence agencies. Why not companies? Well, now you can, with Flashpoint. This episode of Security Now is brought to you by Flashpoint. For security leaders, this year has been insane.
It's like no other year. Cyber threats matched with physical security concerns, and they're both increasing. And now you've got geopolitical instability adding a new layer of risk and uncertainty. And how important is it for you and for your business to know ahead of time where the threats lie? Let's talk numbers.
Last year, there was a staggering 84 percent rise in ransomware attacks, almost doubled, and a 34 percent jump in data breaches. That should give you chills. Nobody wants a data breach. The result: trillions, trillions with a T, of dollars in financial losses and threats to safety worldwide.
Well, okay, that's where our sponsor Flashpoint comes in. Flashpoint empowers organizations to make those mission-critical decisions that will keep their people and their assets safe, and it does it with information. That's what you need: information.
By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, alerts, analytics, and you get it all in one place, a dashboard to the world out there and what's happening. It helps you maximize your existing security investments. Some Flashpoint customers say they avoid half a billion dollars in fraud losses every year and have a 482 percent ROI in six months.
That's probably one of the reasons Flashpoint earned Frost & Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence. Here's an example from a senior vice president of cyber operations at a big, I can't say the name, but you would know it, U.S. financial institution. He said, and this is the quote: Flashpoint saves us over $80 million in fraud losses every year. $80 million. Their proactive approach and sharp insights are crucial in keeping our financial institution secure.
They're not just a solution. They're a strategic partner helping us stay ahead of cyber threats. Wouldn't you like a partner like that? No wonder Flashpoint is trusted by both mission-critical businesses and even governments worldwide.
Not everybody has their own intelligence service. Well, now you do with Flashpoint. To access the industry's best threat data and intelligence, visit flashpoint.io today. That's Flashpoint, F-L-A-S-H-P-O-I-N-T, dot I-O. Flashpoint.io, the best data for the best intelligence. We thank them so much for supporting Security Now.
It really is a good match, right? Because we're both in the same business. And we thank you for supporting Security Now by telling them, when they ask, I heard it on Security Now, I was on Steve's show. That helps us, because that way we can see the traffic. All right, Steve, you've got to explain the title. Okay.
So the way things are going, it looks like I'll be needing to set up, I guess, what I would call a sacrificial lamb.
Oh, I'm so sorry.
Yeah, running the current, which is to say the latest, Windows. The last thing I would use for myself would be such a machine, because Microsoft really does appear to be pushing well past the limits of what is acceptable practice for me. You know, Windows Recall was a perfect case in point.
If the industry hadn't pushed back so loudly and quickly, they may have delivered that first disaster. Who knows? But it occurs to me that if this podcast is going to continue to be as relevant as it has been in the past, it's becoming clear that I'm going to need to have a machine that's running what the rest of the unwashed masses are running, which is to say, you know, the latest versions of Windows. There was a time when creating a sacrificial lamb PC meant exposing the machine to the internet without protection. As we know, the half-life of such a machine is best measured in seconds.
And not many of those. But the way the Windows desktop environment has been evolving today, the creation of a sacrificial lamb PC means just exposing a machine to Microsoft. The need for such a machine became clear when I encountered the news that Microsoft has silently enabled the use of its users' Microsoft Office Word and Excel document content for training its AI models. Rather than being straightforward and calling this something like, I don't know, AI training, they obscure it behind the title Microsoft Connected Experiences. Now, how the hell would anyone ever know that that means they are training AI models? Connected experiences. And that's my point. This is what Windows has become. At the moment I'm reporting this blind, because I have no way to verify the reporting that I've seen.
At the moment I don't have a Windows 11 machine, and that's going to have to change. But okay, so here's what we know. In Microsoft's documentation for their so-called connected experiences, under the topic "Connected experiences that analyze your content," they write: Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights and similar features. The key phrases are "analyze your content" and "connected." But connected to what? That appears to mean what they are reporting on these sites, which is that the connection is to some AI which is doing the analyzing and being trained against Windows users' Office document data. Now add to this the fact that it's reportedly enabled by default, because of course it is. And I should say, since the show notes went out last night, I have heard back from listeners who found this stuff enabled by default. So this reporting is confirmed, and they turned it off. Okay. It seems clear that just as a great many people were made uncomfortable by the idea of having Windows Recall suddenly collecting and analyzing everything they do on their computers, some Windows users may not be interested in having Microsoft's AI being trained on the content of their otherwise private Word and Excel documents.
First, note where this connected experiences setting is located, since they clearly want their Windows users to have ready access to this potentially significant privacy setting. So under File in your Office application, you choose Options. Under Options, go to Trust Center.
In the Trust Center, select Trust Center Settings. There you'll find Privacy Options, which you need to select in order to get to the Privacy Settings. And on the Privacy Settings page, there is a section for Optional Connected Experiences where you should find a checkbox labeled "Turn on optional connected experiences," which all regular users will reportedly find, and a bunch of our listeners have, has been thoughtfully enabled for you by default. Users whose machines or Microsoft accounts are managed by their organization may not have these options showing, and Microsoft appears to confirm this on their own website, where under the topic "Choose whether these connected experiences are available to use," they write:
You can choose whether certain types of connected experiences, such as connected experiences that download online content, are available to use. How you make that choice depends on whether you're signed into Office with a Microsoft account, such as a personal outlook.com email address, or with a work or school account. If you're signed in with a Microsoft account, open an Office app such as Word and go to File, Account, Account Privacy, Manage Settings.
Okay. Now note that that's a very different path from what I had first shared from the reporting on this. It turns out, and I've heard from our listeners, both are correct.
You can get to the proper setting either way, and Microsoft's is a shorter path: File, Account, Account Privacy, Manage Settings. Although maybe when you get to Manage Settings, then you go to Privacy Settings. I don't know. Anyway, if you want it, you'll be able to find it. And they said: Under the Connected Experiences section, you can choose whether certain types of connected experiences, such as experiences that analyze your content, are available to use. If you don't go to Manage Settings, all connected experiences are available to you.
In other words, all your content gets analyzed. So here it is. What's apparent nowhere is that "connected experiences" is a euphemism for "we're going to share all of your Office documents to train an AI in the cloud in order to make Office smarter for you," and of course for themselves. So talking about content retention, they write: Most connected experiences don't retain your content after performing their function (although I should tell you there are about fifty of them) to help you accomplish a task, but there are a few exceptions.
In those cases, Microsoft retains the content for as long as your account exists, and it is used to support, personalize or improve that connected experience. Now, as I write this, part of me wonders whether I'm just becoming an old curmudgeon. Why not just, you know, enjoy all of the many benefits of having Microsoft watching everything I do on my PC, thus allowing me to scroll back in time and ask questions about things I did in prior years, and sending my document content to the cloud to train their AIs so that it can provide me with more relevant stories on Edge's home page, more relevant search results in Bing, and more relevant advertising on my Windows Start menu? And of course I'm not being facetious when I say that many Windows users might actually want all of that.
I get it. You know, just as there are many who may enjoy having Candy Crush Soda Saga, or whatever all that flippy tile nonsense is under Windows 10, along with Xbox crap that refuses to be removed. I've never owned an Xbox, but it has taken up residence on my Start menu. Nevertheless, it seems clear that an alternative view of Windows is apparently as an all-encompassing, deeply connected entertainment portal that also has some productivity applications.
And really, that's fine. It's just not for me. I mentioned a while back about the eventual move I would make to Windows 10 when I finally decided to retire this Windows 7 machine that still works great.
I was briefly thinking that a server edition might allow me to avoid all of this commercial crap, before I remembered that I had tried that years ago when I wanted my desktop to be running the identical code as GRC's servers, but I had encountered many instances of desktop software refusing to install on server editions.
Some of our listeners have since suggested that I take a look at the Enterprise editions of Windows 10, explaining that unlike even the Professional editions, the Enterprise editions are also free of Xbox and other unwanted nonsense. As I was digging around the Microsoft documentation, I was encountering all of the places where Microsoft has been and is installing AI. Microsoft is essentially AI-izing every nook and cranny of Windows 11 and their Office suite.
I have no doubt that a memo went out a year or two ago stating that AI was coming and that it was the future, and that once it had arrived, it was here to stay. Therefore, every single Microsoft product manager and product planning team within Microsoft was hereby being tasked with figuring out anything and everything that adding AI to their offerings could do, and then to get going on implementing all of that immediately. Well, what that will turn Windows into, I have no idea. I know that it won't be any machine that I'm sitting in front of while I produce these weekly Security Now podcasts, nor while I'm working on code for the DNS Benchmark, the Beyond Recall product, or SpinRite 7, 8 and 9 and beyond. But it's also clear that I need to stay in touch with the frontier, or as many have called it, the bleeding edge. For now, I want to be certain that those listeners of ours, and I know there are many of them, who may also dislike the idea of Microsoft sharing their Office content with their AIs in the cloud, while acknowledging that this is being done by default and that in many cases the data is being retained indefinitely, will at least be informed of this new behavior. I want them to know that they have the option of deliberately disconnecting their Windows experiences from Microsoft.
Just before we move on, because I know you want to finish this up, but I think you're implying that this is being used for training LLMs for other people to use. I don't think that's what this is. No, this is asking permission to just use it against your own data, right?
So that they can... so a spell checker tells you where you've misspelled a word. In order to do that, it needs to actually look at the words you're typing. A grammar checker needs to look at the words you're typing. Well, that's what this is doing.
If this comes back to your original assessment of AI, right, it's just a spell checker.
Well, yeah. I mean, so what Microsoft is offering you with these things is, you're designing a PowerPoint... it's kind of Clippy on steroids. You're designing a PowerPoint and it says, hey, you know what? I see what you're trying to do here.
Would you like this image? It's that kind of thing. I will have to check into this. I don't think it's sending it to their... you know, a lot of content is, LinkedIn content is being sent to train LLMs.
The New York Times has been suing because they say OpenAI used it to train LLMs. I don't think that's what this is. I'll have to check in more detail about how much retention of the data they...
They say they'll retain it because that information you've provided, just like a cookie, might be useful down the road.
Well, all of your previous documents that have been used to train an AI model that they maintain.
I guess, yeah, but the real question is, is the AI model going to be used by others, which I don't think this is, because that would immediately be a problem in all businesses? Or is it an AI model that you will then be able to use for yourself?
Yeah, probably we need to look at the terms of service and, like, actually read the fine print.
I'll ask Paul and Rich tomorrow, but my sense is it's not, you know, going to send it out to their own LLM servers and train their own servers. Well, that would actually train on your own data. It is basically for your use, just as a spell checker or grammar checker is for your use.
Well, they're retaining something, and they're saying that they are retaining. So it is being sent to them. Yeah.
After performing their function, they don't, there are... after performing their function to help you accomplish the task, but there are a few exceptions. They retain your content for as long as your account exists, implying that it's attached to your account, right? And it's used to support, personalize or improve that connected experience.
Your experience, in other words, right? Not for other people. But I will check into that because I think it's an important distinction. It's like Clippy. Clippy, back in the day, would have asked the same permissions. Hey, I'd like to keep track of everything you're doing so I can offer you suggestions. It's like that, except designed still, right, right?
And anyway, I was done. I just wanted to wish all of our listeners who celebrate Thanksgiving, and I know Leo and all of the TWiT crew join me in wishing everyone the best holiday, and, you know, with this particular opportunity to spend time, which is precious, with your family and friends.
And not argue about things.
We'll be back in December for more. And until then... thanks.
You have a great Thanksgiving. All our love and best wishes to you and Lorrie, and have a great time. And I'll see you in December.
Yes, only a week away. Next.
I'm concerned about that. We'll see next week. Thanks, Steve. You can watch Security Now, we do it live every Tuesday right after MacBreak Weekly.
That's roughly 1:30 p.m. Pacific, 4:30 Eastern, 21:30 UTC. We stream live on, yes, eight different channels now. Our Club TWiT members can watch and chat along with us in the Discord.
But there's also a YouTube channel dedicated to TWiT Live; that's youtube.com/twit/live. You can chat there too. We have chat there too, as we do on X.com, as we do on Facebook.com. We stream live, and you can chat with us live there.
I see TikTok occasionally, TikTok comments coming through. Kick.com. All of these have chats associated with the video, and I have a unified chat so I can see all of it. Have I left anybody out? TikTok, X, Kick, Facebook, LinkedIn, YouTube or Twitch.tv. Left them out.
You can also chat. That's if you're watching live. Now, most people don't watch live. They like to watch after the fact.
That's why we put copies of the show on our website, twit.tv/sn. We have audio and video. Steve also has the show on his website, GRC.com.
He has an unusual version, a quarter-bandwidth 16 kilobit version for the bandwidth-impaired. He also has human-written transcripts, very good; Elaine Farris does those, so you can read along as you listen to Steve talk, or search the transcripts for what Steve talked about last week.
You can use it to search. There's also the 64 kilobit audio. That's all at GRC.com. While you're there, check out SpinRite, version 6.1, the world's best mass storage performance enhancer, recovery utility and maintenance utility. It does all of that.
And if you have an earlier copy, you can get 6.1 for free. If you don't, get it now, because if you've got mass storage, you need SpinRite. Lots of other free stuff at the site, including ShieldsUP!, which is a great way to test your router. I really love his new ValidDrive, which tests USB thumb drives that you buy on Amazon to make sure they actually have the storage capacity that is claimed. Surprisingly often they do not. ValidDrive will do that.
That's absolutely free, plus lots of other freebies and fun information. Steve's site's really great.
GRC.com. One more thing on our site. Actually, two more things.
One is we're doing the best-of, Anthony, for the show. I think we are, for the holidays. Yes, we are. So if you have a moment on this show from 2024 that you thought was, oh, we've got to redo that, we're looking for little clips to put in our year-end best of Security Now. All you have to do is go to the website, twit.tv/bestof.
Give us as much information as you know, but don't get thrown by the form, because we're asking for everything, but you don't have to give us everything. Even just say, hey, that time when Steve and Leo did the Vulcan salute, I remember that, it was great. Even that's a good start. If you remember the day, the time of year, the climate, whatever, it will help us do the best-of. It's a lot of work, but our team likes to put those together. Or when we don't... they like it. We make them put those together at the end of every year so we can give the staff the holidays off. Help us do that. The other thing I'd like you to do: go to our Club TWiT page, twit.tv/clubtwit.
There are some new things in Club TWiT if you're not a member. We now offer a two-week free trial, which is a great way to see what you get for your seven dollars a month. You can also, when you sign up, you'll be getting a code that is a referral code.
And every single person who signs up using your code gives you... every month. Do they get anything? Do they get, like, a discount, anything, for using your code? Hey, it doesn't matter.
They get the excitement, the thrill, the satisfaction, the deep-rooted satisfaction of knowing they're a member of Club TWiT, the best podcast network in the world. Seven bucks a month gets you ad-free versions of all the shows, extra content we don't put anywhere else, cries from my cat down the hall. Actually, everybody gets that. Please join the club.
It helps us financially, and it looks like 2025 is going to be even rockier than 2024 was. The good news is the club now pays about half of our payroll, which is fantastic. Thank you.
Help us out: twit.tv/clubtwit. Seven bucks a month is worth it for the great content, right? Thanks to Anthony Nielsen, who is filling in today for Benito, who has taken some time off for the holidays. Appreciate your work, Anthony. Thanks to everybody for joining us, and I hope you will tune in next time, next week, for Security Now.
Bye. Security Now.
Growing your business can mean big-time logistical questions, like how are we going to keep up with all these local deliveries? Let Uber Direct offer you a helping hand. With Uber Direct, you take orders on your website, app or by phone, then drivers who are part of Uber's courier network pick them up from your store and deliver them to your customer's doorstep. Simple, right? Delivery just got better with Uber Direct. Learn more at uberdirect.com.