SN 996: BIMI (up Scotty) - NPD Goes Broke, Firefox Under Attack, .io
02:32:24 Share

It's type for security. Nasty gibson is here. He realizes as we all have, that you black origin is the greatest extension ever for your brother er he's come up with some really interesting additional uses for IT debunks the widespread story heard here and everywhere else about the dot IO top level domain disappearing and gets into this whole new thing called mimi. A new email authenticating standard even walks us through setting up.

and i'll come back up next podcasts you love from people .

you trust. This is twit. This is a security now is Steve gibson episode nine hundred and ninety six, recorded tuesday, october fifteen, twenty, twenty four bime up scot, it's time for security now. The show we cover your security, your privacy. Eighty, the internet science fiction and anything steep wants to talk about vami d this guy right here, Steve gives son of gr c.

that calm high, Steve. So it's great to be with you a middle of october.

It's exactly in the air and beautiful airlines.

Three weeks from now.

there may be a chill shes don't bring that you know how much anxiety I have over november fifth. It's I can feel that the pit of my stats .

gonna be really fun.

We will either be cheerful on the wednesday or not.

I'm a spectator. I have no control. We're both in california.

so I don't get a choice really.

Is that annoying? It's like they're just focusing on three or four states, and those are the ones on other hand, I don't miss all the ads that those poor people in those states are getting buried by.

I don't know about you, but I am buried by text messages five or six a day. Now, do you not get a lot?

Lory made the mistake of giving money. Once .

that never forget.

they come back and say, well, if we got five books.

there's gonna be another five, right? And it's always an emergency. Oh yeah.

it's always panicking. It's end of, end of the world. Yes, you do. You have your snorkle to fill your bathtub with water and .

kind of amazing.

And being drawn yourself.

oh my god, literally made my text messaging unusable for the past months yeah and you .

think about how the male man feels too suddenly. He they had to increase the size of the truck in order to to get all of those ridiculous is bad. He's good. He's bad. He's good. She's bad. She's good.

Like really, it's actually a wind fall for both postal service and your local news and TV and radio stations because all the political spending, you know goes right into them in the postal service if a word for junk mail would not exist.

no. And I said, you know, every month I I collect my receipts and send them to sue IT used to be fifteen cents. Now it's two dollars and forty three cents. So no ikes.

Well, I got my ballot and i'm ready to you. I presume you ve got everybody in california gets a male ballet, which is tremendously convenient. And so i've got mine. If you are watching and you are not yet registered or you're not sure, check, make sure you're registered and then get out and a vote either by male now or in person on.

The good news is in california, the baLance come with the I voted sticker in them. So I mine right my forehead yeah in three weeks if you go to .

vote dot or I believe I think that's the URL, you can check your registration. They have A A little registration checker. You have twenty days in most states to twenty days election day in many states.

You only have a few more days to register. All right? This has been a political announcement. Lets to move on to the reason people are here. security?

What's up? So a great deal more this week about u block origin, which IT. Turns out we've pretty much all actually, there are some exceptions within our listener base, but we've pretty much been underutilized.

What I can do, I like your emergency email midweek. I did that .

immediately. I, yes, yeah. Everybody who has subscribed to the security now email listing received a unplanned. I didn't even plan IT, but saturday morning, when I made this thing work, I thought, oh, I have to share this news. And since it's easy for me to do now, at eleven ten thousand, four hundred and forty two people received a surprising because of their security now subscription, explaining how to easily turn off those increasingly prevalent and thus annoying when they're unwanted, which they typically are.

Log in with google pop up and and I I think IT was because I went to stack exchange, I was doing, I was doing some coding and I thought, and I I did a google search and I click the link to stack exchange up, IT came and I looked at IT and I realized, you know, i've been getting so many of these and they are so annoying and then I thought, we a minute we have you black origin. I wonder if you could help anyway, we will we're going to start by talking about that. Also the question of will the dot I O top level internet domain be disappearing?

There's some talk that IT should, but I don't think I should. Also, last week was patched tuesday. What did we learn from that? Firefox had a bad remote code exploit that was being used to attack tour users on their firefox based tour browser. I realized why the server edition of windows does not substitute for a desktop.

We talked about this a couple of weeks ago, and i've been meaning to bring a back up today the day um also we're going to look back and thanks to a question or an observation or an actually discovery from one our listeners at a fabulous multiplatform puzzle game that we'd got all hot and bothered over back in twenty fifteen. Uh also I do have some uh a couple pieces of feedback from that surprise mAiling on saturday. Uh, we've got a little bit more on what's the best router and then I titled today's podcast b me up Scotty bimi. Actually it's apparently supposed to pronounced .

to bemi, but I like B I I, M I I talking about.

We're going to answer the question, what in the world is b me for email? What IT does, what IT promises? And if it's GTA actually happen, it's trying to. And then I just I will end by noting that we're going next week because IT just happened yesterday and I didn't have a chance to get up to speed.

We have the fighter the group has just announced the credential exchange protocol C X P for parkies, which when implemented, will give us the one thing we've really been needing, which is a means of backing up and transporting pass keys between providers. So oh, and I didn't get into the shown notes also, i'll talk about next week. But I, like all of our listeners, started sending me the news that a RSA crypto had been broken by chinese searchers who figured out how to use the d wave quantum computer.

And it's like, oh my god, as like, well, I O what was that we left off at was at thirteen bits. That they good factor. The breakthrough is twenty two. Now we are running at two thousand and forty eight. So so and .

they broke a weak RSA password.

They know they didn't even break are they didn't break the the leading bit of of thought of the R I mean twenty two bits. And you can't decompose factorization, otherwise we would have a long time ago. So the fact that they got they cracked ool, they they factor at a twenty two bit number.

Good going. Keep back. Keep at IT. And meanwhile, R A is alive and well. I mean, actual R S A IT never had as A A weaker key than ten twenty four. I don't think there was a five twelve bit be in the early .

for a while. Remember, the U. S. Government wanted us to use very small past codes. That camera who was one .

twenty eight, or those were the symmetric keys where IT was a small IT IT. IT was disturbingly small. Yeah yeah, back in the early T A.

Well, IT wasn't T L S S L. Right back then. And the idea was if you didn't export IT, you could have a useful strength.

But if you, oh, you couldn't leave the country, well, websites left the country ah so IT was necessary for them to all be neuter. But you know it's not like we were doing anything important back then. They were all using HTTP. So like, yeah not not a big deal. So anyway, we have a picture of the week after our first an announcement break, and we'll share that and get into a bunch of fun podcast stuff.

exciting. Thank you, mr. g. But before we do that, may I interrupt with a commercial for one of our great sponsors.

You get the best sponsors in this show. They are also almost all security sponsors. Here's a name I know you know one password, but i'm not talking about the consumer version of their password manager.

I'm talking about something new from one password. They call extended access management. And let me ask your question, do your end use.

I've talked to businesses now do your end users always work on company oil devices and IT approved apps? right? If only right.

So so how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? One passd has the answer to that question. That's why they created.

This is something brand new, extended access management, one passport. Extended access management helps you secure every signing for every APP on every device that solves the problems traditional I A, M and m dm. Just can't touch.

Here's how you can visualize this. Imagine your company is security, like the quad of a college campus. Of course you have, there's lovely brick PaaS leading of place to place between the buildings of on that beautifully manicured lawn.

Those are the company owned devices, the IT approved apps that managed, employ identities. But you never can leave IT there. These are college kids. There are the pads.

People actually use the shortcuts warn through the grass, the actual straight line from point to be, you've got him in in your network though. The unmanaged devices, this is what real people are used, right? Shadow I tps, non employ identities like contractors.

The problem is most security tools only work on those happy brick ads. A lot of the security problems take place on the shark cuts, right? One password extended access management is the first security solution that brings all those unmanaged devices, apps and identities under your control, ensures that every user credential is strong and protected, every device is known and healthy, and every APP is visible.

In other words, is security for the way we work today. It's great. Is now generally available to companies that use octave or microsoft intra, and it's in beta for google workspace customers.

If that's you, you've ta go check IT out now one password cm sledge security. Now that's the number one P A S S W O R D. One password dot, come slash security.

Now extended access management from one password is is an idea as time has come, check IT out one password dot com slash security. Now we thank them very much for their support. And of course, we thank you for supporting us by going to address so they know you thought on security.

Now, one password that count sesh security. nasty. I have the picture of the week queued up and ready. Should we look .

at IT together? So I gave this one the caption when your message interferes with your message.

I get IT right away because I like to ride my biker around town.

So for those who don't have to show notes or are not watching the video, we have a one of those a large sort of a mobile road signs which is lit up. They often have like a bunch of batteries on them. Sometimes they have a little generator keeping them alive. Anyway, this sign brightly says on three lines, give cyclists space. Unfortunately, IT is right in smacked deb in the middle of, and completely blocking the cyclist lane, which is telling everyone you need to .

give give space please. That's right. That's really difficult. Our civic there.

others there's there no broken bicycles and and mam bodies lying around there. But anyway, yes, when your message and reference with your message and OK, so everyone is annoyed, but we know this because we've talked about IT often by the pervasive cookie permission banners, which compliance with the european and unions GDP r has forced upon the world. I recently realized that I had become similarly annoyed by another increasingly pervasive website feature, which is the proactive offer to sign into whatever website I may be briefly visiting the example .

that you gave on stack overflow. And there IT is up in the upper right hand corner, or stack exchange, signing the stack exchange with google. I know what.

right? And and so okay. So I just addressed to the listeners of this podcast, who, for whatever reason, have not yet subscribed to this, the weekly security now mAiling.

You think you may think, oh, well, fine, you know, i'm gonna hear anyway. Well, when I realized I had a solution to this saturday morning, I thought, let's tell everybody. So help me do this .

on this machine because I haven't done IT on this machine. Yeah okay, there I am in the upper right hand corner. I've gone into the you block origin settings and i'm to click the gears.

Actually what we should probably do ah is wait until I update you and everyone with the Better solution.

Oh, you ve got a Better one.

You got a Better one.

Okay, because I did the manually entering in a filter thing. Yes.

and that that works for most people. There were some people for whom I didn't work. Okay, so i'm getting head of myself. So okay, so just to be clear, I I want to I don't want to have people misunderstand my annoyance here.

I often choose to sign into websites using my google account identity because google provides very secure implementation of o off my primary email. Um you know everyone knows my my main email is going to be a grc mail box. So my google email is my generic catch all throw away account that most of us to have one or two or more of these days.

So signing in with google gives me, you know, convenient one click log in at any site that offers IT. And guess we know being o off means that google knows where I am, where i'm signing in and what i'm doing, but google almost certainly knows that anyway. And the truth is you I don't really have time to care.

You know, all other things being equal. Yeah, I would choose privacy. Who wouldn't? And I get IT that there are people, many of them are our listeners ers, who make a hobby out of the rigorous enforcement of their online privacy.

I respect that, but that's not me. I'm in a hurry. And since I have no way of gauging my actual success at privacy enforcement due to the myriad sneaky y ways in which you can and is being violated, it's not something i'm willing to invest in heavily.

So okay for for the sake convenience, I use logging in with google when I met some site where I do want to log in for some purpose. And that's not a problem. I like having the option to sign in with google. And at that point, it's not the source of my annoyance.

The source of my annoyance is that what we are seeing and I I can now speak for our listeners because I heard a by mid afternoon on saturday, I had one hundred and thirty five pieces of email from my listeners, say, oh my god. Thank you. Thank you.

Thank you. Sum said I was life changing. I mean, in the clearly, I was not alone in this really bugging me. So the source of the annoyance is that this trend has been developing to proactively push signing in with google on us wherever we go and whenever we visit a participating website, even if we have absolutely zero interest in or need to sign in there.

No, I don't want to sign in to every website on the internet, and I believe that's the case for most of us know. If I want to sign into a website, i'll click the sites, sign in or log in link and be taken to a page to do that. Thank you very much.

I don't need to have signing in, suggested to me or pushed on me. And what happened saturday morning was a finally IT was like to draw that that I finally realized, okay, i'm really being annoyed by this. okay.

So i'm skipped over a little bit in my note a that i've already covered. so. This occurred to me, thanks to last week's discussion of u block origin.

My original solution, the one that I came up with saturday morning and shared, was very specific, and IT has the advantage of only doing exactly that one thing. However, IT did not work for everyone. Some people needed a somewhat broader solution, which turns out is easy. And IT also turned out that this sort of annoyance blocking is also built into some of you block origins already existing filter lists. That's what I .

was wondering if there's a checkbox.

Yes, there is and we are gonna there in a minute. Ah so so if they're not turned on by default, well, for our listener's, probably they are for me and i'm happier even though I was saturday afternoon yeah okay, so that the way we got into this is yes, as you were gonna leo, if you open the the, open the u block origin drop down and then click on the little gears, you get taken to a series of web pages that have tabs across the top.

The my filters tab is initially empty. Mine was empty. I didn't have any you know, custom filters there and then the instructions that I gave were to first put in a comment line so that you when you come back to this in a year, no, he did. Is that .

you know anyone .

who's done any coding by the time you're R A leo, we have we've become humbled. We've realized, no matter how sure we are, that we will never forget this, a wonderful code that we've just created you a week could go by and we look at and go, what the heck is that know who wrote that? You look at a road of anybody else is like, do I do that anyway? So this so any line that begins with an exclaim tion point is a comment.

So I said, extreme tion point block side in with google eyes, frame in top right corner of websites. And then the the filter phrase to do that is two vertical bars, which is sort of IT, sort of stains in for the, for the Normal forward slash, forward slash anyway, that the vertical bars tell the the easy filter list syntax, which is what gore hill has adopted, that what follows is a domain name. So a vertical bar, vertical bar accounts dot google dot com, forward slash G S I, forward slash I frame okay, so that says when the browser attempts to to load something from a URL that begins with this just step over IT.

Just say, ah these are not the joyed. You're interesting. So nothing happens. Now IT turns out that a couple of people wrote back and said, well, that did not work, but if I put client instead of I frame, then IT worked.

Or even broader, if you do an asterisk, k, astrid, K, A sort of the generally accepted wildcard character. So if you did forward slash, gsi, ford, flash, asterix c, then that generally works for more cases. Now you might think, oh, wait a minute, maybe a wild cards more than I want.

Well, okay, you could put one line with I frame and then another line below IT that with client and and block those two um but gsi so where where account dot google dot com forward slash gsi, that's certainly stands for google sign. So IT seems like safe to follow that with an ask risk and just know that you're gonna nuke anything that tries to pop up on your screen to do that. okay.

But after the email went out, I started getting some feedback from people. One of them said, well, i'm not getting those and I think I know why. So rather than the my filters tab, we click the proceeding tab, which is filter lists.

Down near the bottom, you'll find a group of three filter lists under the heading annoying ces. Couldn't afraid to Better myself, open up the list of three and you'll see easy list ad guard and you block. Now it's so easy to get to get one of those annoying google sign in pop up.

Just go over the reddit that com, for example. Uh, that IT was easy for media experiment with enabled ling and disabling these three lists. I discovered that enabling either of the first two easy list or ad guard would suppress the criteria. yes. And look at the how comprehensive .

that is back one.

yes, oh, okay. And an easy listen and add guard are are similar. Either of those two suppresses that gratitude.

Is google side in pop up? In other words, people have been here before us, and they've already fixed this for us. We just didn't tell them fix this.

I think one of these also blocks the cookie banner.

If I remember, that's the one h actually yes, okay. So the the under the we have some documentation for the ad guard list and and so under ad garage list, under the annoyances filter, they said annoyances filter blocks irritating elements on web pages, including the following ad guard filters. All of them can be enabled separately from the annoyances filter.

In this case, cookie notices blocks, cookie notices on web pages, pop ups blocks, all kinds of pop ups that are not necessary for websites, Operation mobile APP banners, blocked banners that promote mobile apps of websites, you know, thank you. Anyway, wigeon blocks, third party widgets, online assistance, live support chats, all that nonsense, other annoying ces blocks, elements that do not fall under the popular categories of annoyance. At that point, I thought, okay, I am all .

in to all.

Yes, and mine are if I got .

to turn on all the u black filters. But I have to point out occasionally, i'll be on a website where they do things in a pop up that this could break. So you have to be aware you've done that. And whenever I had trouble on sites .

I just disabled, you block on that site and and don't .

forget to click ly changes when you do this .

correct so so well actually you want to update now, which does both so so um okay. So I also just want to mentioned the other thing that i'm sure people are seeing and being annoyed by are those those you know would you like some .

help sliding up from the up?

No, no, I don't want any help. I want you to stop distracting me and leave me alone. So that's god. Now to and while we're here, i'll just mentioned that the section above annoyances is social wigeon. So we have the easy list, the ad guard and the fan boy. Social widgets, and that is described as social media filter, removes numerous like and tweet buttons and other social media integrations on popular websites. That may not be something everybody wants, but I betcher .

that there anybody wants. IT .

exactly.

The thing is, this is why we're really sad about google exactly disabling. What is the easily the most important tool on the way I said?

Yes, yes. So so those are turned on on mind. And as I said, after you've done that, you'll want to click the update button, which will down what will refresh, download the latest instance of those lists, and then bring them current.

And life has been sweet. Ever said this happened. It's like you. Thank you. Thank you.

Thank you. A relief. No longer do I see on reddit the pop up saying .

you want to use, go goal, come on, know you I know that I know so anyway so I want to thank everybody who did take the time to say, hey Steve, take a look over here because that allow me to get this into, uh, today's podcast and state everyone with what I think is a superior solution. And you know, the cool thing about this is that these lists are being constantly created by people who do really enjoy this. They are chasing these things down.

Some of the expressions on these things. I mean, they're also professional filter list builders because these things are hair curling. But so they're going in with a scope le and saying, okay, exactly that I don't want and we don't want to break anything else, just stop doing that to me and and so this does that now uh, the other thing that is different about this from the u block origin light is that and gore hill mentioned this and we talked about her last week there.

The the v two manifest is able to independently update its lists. That's not something that wants to promote going forward. It's not available in manifest v three.

So you'll need to be up you need like a new version of the a of the entire add on extension rather than the extension being able to reach out and update the lists on its own behalf. So that's another as you said, leo, it's why we are annoyed with google. Now i'm sure that chrome has thirty seven million users of u block origin compared to firefox es seven.

That gore hill IT will be incentivized to do everything you can to make the light version as powerful as possible. And as we know from last week, we do have nine months more until we until chrome users lose access to the to the v to manifest h thanks to the the policy tweet at that, that we found and shared last week. So a lot can happen in nine months. You know we've seen chrome uh back off on terminating third party cookies when IT turns out they couldn't. So maybe there will be sufficient pressure on them to reconsidering no to v two or maybe they'll just turn off for most people, but they'll give us a little back door where if we really must have IT, we will be not be able to like maybe have A A policy that that, that says i'll make a registry trick if I can keep my v to manifest.

they're going to do something about IT. Because, as you point out, brave in many of the people in your charm has all these lists and built in, by the way, that I ve used arc from the browser company, which I love. It's also a chroma and based browser.

And what art is, what the brazen coup is already said, is, yeah if ece, once v three is in our browser because it's gonna be is IT will be in any chromium browser, we're going to have to write our own blocker and put IT in the browser that way as brave has done. So that's, I think, IT chromes at great risk of losing a huge number of people by forcing this. So we'll see what happens. You write IT may not happen. I wouldn't be surprised.

So i'll just say that after enabling these six additional filter lists for you block origin, i'm more happy than i've ever been that i'm using firefox, which shows no sign of getting rid of v two compatibility and u block origin. And we have A A bit of feedback that i'll share down in our our feedback section. But this is sort of brought me to the awareness that we've been underutilized.

This marvellous tool yeah because you know, I could have had these turned on a long time ago and save myself a lot of clicks of, you know, the other thing, the this thing, this unsolicited signing prompt for a side I don't want to sign into covers up. Regions of the screen that that like I have to see sometimes. So it's like it's annoying you can't move IT you can have to close IT I .

find IT most annoying like I read IT. We're already have a log in. I don't want to use the google log because already have a log in, and he covers up the part of the screen .

where you clicked the log in.

It's incredibly frustrating. It's terrible, terrible design.

okay. So anyway.

I want good on your mAiling less, though i'm glad that you set that out as a burst and nobody complained about that.

right? Not I did not get a single complaint. In fact, I said at the end, I said, I hope you don't mind me interfering, you interrupting your weekend for um I was a little I felt I did feels a bit self conscious because I was you know I was unscheduled and the security.

Now this subscribers did explicitly sign up to that list to receive weekly podcast summaries, the show notes in the pictures of the week. Everyone said they loved IT. Okay, and it's the system that I built makes IT so effortless to send these sorts of announcement males to what we now I think we're now at ten thousand, five hundred plus subscribers.

I would like to formally expand the mission of that list. I am announcing IT here to include things like this in the future. I don't know what they might be, but i'll make sure that whatever IT is will be a you know that has a high probability of being of interest to everyone, just like this one certainly appeared to be. So thank you for our subscribers, and i'm glad that I was able to bright everyone's a weekend because you .

certainly did that. You're right. We underutilized what of the greatest things in the world. And now that we are about to lose IT.

yeah if you know we're appreciating we're appreciating IT, i'm sorry, honey, I didn't mean. Come back.

All right, let's take a little break more to come in just a little bit with Steve gibson and security. Now our showed they brought you by a great company that does something we've talked about the foreign security now zero trust that they make zero trust easy for you to implement your company threat locker if zero day exploits in supply chain attacks are keeping you up at night and if they're not, they probably should you no more worry, you can harden your security with threat locker.

The companies that use threats locker, i'll feel safer companies like jet blue trust threat locker to secure their data to keep their business Operations flying high. If you will imagine taking a proactive this is the key deny by default approach to cyber security, blocking every action, every process, every user, unless authorized by your team, thread like her, helps you do that and provides a full audit of every action for risk management and compliance. This is fantastic and the great support from there.

Twenty four, seven us based support team, they're there to help you with the on boarding and beyond. So here's how you stop the explosion of trusted applications within your organization. Here's how you keep your business secure and protected from around somewhere.

Organizations across any industry can benefit from threat lockers, ring fencing by isolated critical interested applications from unattended uses, web ization, limiting lateral movement from attackers across your network. We know this happens as what we talk about all the time as these threats. I'll give you a perfect example of this threat locker is ring fencing was able to foil a number of attacks.

The traditional edr could not stop because they were zero days as as an example, the solar wins a yan attack. A yan was completely foiled by ring fencing. And here's another great thing, doesn't matter for your PC or mac.

IT works for max to get unprecedented possibility in control of your cyber security quickly, easily and cost effectively. Thread lockers zero trust and point protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero day vulnerabilities. You want this, get a free thirty day trial.

Learn more about how threats locker can help mitigate completely unknown threats completely out of nowhere and ensure compliance because you've got a complete audit trail threat locker out condo or more thread locker dot com. We thank you so much for supporting Steve and security now. We thank you for supporting security now by going to that say, and if they ask you say you heard of on secure you now thread locker that com. Thank you. Thread locker. Now back to mr.

g. So under the heading IT couldn't happen to a nicer guy. Last wednesday, the register reported that everyone's favorite massive data liquor, national public data IT, is his npd, the organization which first collected the personal data on pretty much everyone, then had their collected data stolen, sold first on the dark web and finally released publicly, has not surprisingly filed for bankrupcy.

The register wrote the florida business behind the data, broken ridge national public data has filed for bankrupcy, admitting hundreds of millions of people were potentially affected in one of the largest information leaks of the year. Now just to recap a bit. Last june, as we know, the hacking group U.

S. Dod put a two hundred and seventy seven gigabit file of data online that contained the information on about two point nine billion individuals and asked three and a half million dollars for IT. The data came from national public data.

They wrote a broken age owned by generic pictures, which offered background checks to corporate clients via its A P I N P D. Confirmed IT had been hacked in an attack on december twenty, twenty three and initially said just one point three million people had lost personal details, you know, such as name, email address, phone number of security number and mAiling addresses. But in the court documents filed for bankrupcy, the business concedes the total is much higher.

The bankrupcy petition from jar from general picture states, quote, the deal is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals as the deter schedules indicate the enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention defend the lawsuits and support the investigations. The details insurance has declined coverage, you bet they have. According to the filing, the organization is facing more than a dozen class action lawsuits over the data loss and potential regulatory chAllenges.

In quotes from the ftc, more than twenty U. S. States, any plaintiff s will have a hard time getting paid any money out of jErica since the documents state the business has, should we say, very limited physical assets in the accounting document, the sole owner and Operator, salvor vini junior, Operated the business out of his home using two H P.

Pavilion desktop computers valued at two hundred dollars each, a sink pad laptop estimated to be worth one hundred dollars, and five dell servers worth an estimated two thousand IT lists if the company lists thirty three thousand one hundred and five dollars in its corporate checking account in new york as its assets, although the business pulled in one million one hundred and fifty two thousand seven hundred and twenty six dollars in its last fiscal year and estimates its total assets are between twenty five thousand and seventy five thousand. All told, IT also lists twenty seven internet domains with the value of twenty five dollars each. These include the corporate website, which is now defunct, as well as a host of other areas, including criminal screen dot com records, check dot net and, as seen in porn, that com.

So yes, we have another example of legislation running far behind the consequences of technology. At some point, it's gonna become clear that the aggregation of large quantities of personal data, along with its emerging well, along with its merging rather into comprehensive profiles itself, that is, just the aggregation and consolidation present an inherent danger. But today there's no regulation over this. Anyone who wishes to can a mass such data to create essentially a latent data bomb. On the one hand, it's free enterprise and capitalism, which no one wants to stay fall, but allowing fly by night Operations of this sort to do this is clearly a problem.

The solution may be to require any such information aggregator to have a substantial bond posted, plus a verifiably effective insurance policy in place to cover the losses and lawsuits that would follow any egregious breach of responsibility this would niche serve to privatize the risk so that the investors who would be required to create and post the bond, and the insurance company who will be collecting insurance premiums and would be on the hook for their losses, would both be motivated to assure that the enterprises, I, T, staff, its procedures and security are adequate to protect their investment. The only way I can see that this makes sense moving forward, we're going to have to have some legislation which says anybody who does and know aggregate data and you know the atterley can figure out what exact language to use but the idea being anyone who is warehousing quantities of data affecting over some number some minimum number of individuals must have the ability to pay for the consequences of the loss of that data um otherwise sorry, you you know you can collect IT. Um maybe we'll get there someday just going take legislation okay.

Uh, many of the top level domains that we have today, we have because they are associated with countries, you know the the Billy service that I used to use bit, not L Y. You know that L Y is the country code for libya. That's why that L Y existed and why IT was possible.

Forbid ly to get the domain. B I T in libya. Country code dl y. And when I left there, of course, I created G R C dot sc. Well, dot sc is the country of, say, shells. So I got G R C D S C, because, say, shells has its own top level domain, dot S C. And as we know, there are lots of top level domains that are created independently, you know dot com dot or dot net dot edu, the original big four um but when a top level domain belongs to a country, it's tied to that country.

This has recently created some concern because a couple of weeks ago on october third, the british government announced that he would be releasing its claim of sovereign over a small tropical, a toll in the indian ocean, and that these islands will be handed over to the neighboring island country of, uh, looks like, uh, more dius, which lies about eleven hundred miles off the southeast coast of africa. Now remember that I said the island nation being dissolved was the indian ocean. Well, that country's top level domain is that I O as an indian ocean.

And the presumption is that, as has happened a few times in the past, when the country controlling its top level domain is dissolved for any reason, so too is its top level domain. And given the strong interest in and use of the dot I O domain, that presents a problem. What's supposed to happen is that once britain signs the new treaty with uh maritus the british island ocean territory, i'm sorry, the the british indian ocean territory will formally seize to exist, so various international bodies will update their records, in particular the international standard for organization.

The I S O will remove country code I O from its specification list the I A N A, the internet assigned numbers authority, which creates and delegates the top level domains, uses the I S O S specification to determine which top level country domain should exist once I O removed. The I A N A is supposed to refuse to allow any new registrations with a dot IO domain, and it's supposed to automatically begin the process of retiring existing domains within the dot I O top level. What's not known at this point is whether this will actually be allowed to happen.

You know, humans make the rules, and humans can change the rules that we've made. And so, you know, if the rules are causing too much trouble, that may be what happens. You know, we certainly have no lack of non country T L S. You know, in addition til those original big four, there's, for example, dot X Y Z and not L O L and not online, which are not country domains.

So I for one see no reason why that I O cannot you know similarly be repurposed, you know, just adopted as a valid non country T L D um people who are writing online are saying that IOS gonna go away, but I find that hard to believe. But again, again, i'm not the I A N A who ultimately decides these things. So we'll see what happens.

I should note in passing, the last tuesday, october eight, was the second tuesday of the month, which meant that microsoft and many others used the occasion to release their monthly patches. Nothing was particular notable. This month, microsoft released updates to fix a total of one hundred and eighteen vulnerabilities across its software offerings, two of which were being actively exploited in the wild.

So of the hundred and eighteen flaws. Three were rated critical, one hundred and thirteen are rated important and two were rated moderate. And as is the case these days, that count does not include the twenty five additional flaws that microsoft previously updated in its chromium based edge browser over the past month.

So you know, good update as usual after the second tuesday and restart your machines if you tend to leave the running all the time. Also, firefox, as I mentioned at the top and the firefox, based to our browser, had been warning everyone of the discovery of a serious attack, which was levy against tour users. The flag Carries an attention getting cvs s of nine point eight and IT affects both firefox and the firefox extended support released products is a use after free bug that has been found in the animation timeline component.

Mozilla, a reported in a post last friday or to a bra levant that IT had received from asset, an exploit sample containing a, quote, full exploit chain that allowed remote code execution on a on a user computer just by causing their browser to go to a web page. So yeah, that will qualify is a nine point eight uh you know under anyone's scoring system. Mozilla also noted that the fix was shipped within twenty five hours of its responsible disclosure, so one day and one hour two days is previous to that.

On wednesday, mozilla said an attacker was able to achieve code execution in the content process by exporting a use after free in animation timing lines and then added, we have had reports of this vulnerability being exploited in the wild. So the issue has been addressed in firefox one thirty one zero two is that the extended support release is one twenty eight got three, that one N E S R one one five, that sixteen, that one. The tour project has also released an emergency update to what they're calling version thirteen point five point seven of their tour browser.

So if certainly if you are a tour user, you'll want to make sure that your tour browser is updated to thirteen point five point seven. Since those were the targets of this attack, but the vulnerability did affect everyone. And as I mentioned at the top next week, um this just happened um we will be talking about the credential exchange protocol. Um uh so I don't I haven't not had a chance because I ve been working on this podcast to dig into IT, but I will have and unless something really very significant happens, I have a feeling that, that will be the title of next week's podcast because that's something we're going to want to take a close look at and understand exactly what IT is. What what IT doesn't have works.

But this is big news because this was something you could not do yes, and that's what kept Frankly, kept people kind of frozen in place. I think with parkies.

many of I took a quick look at at leo. Many of the password manager people were participating in the development as was google. I did not see apple.

an apple there. See, this is a perfect example. They don't have any incentive to let you move your package off your iphone because they want you to be stuck there forever. Wo yeah.

that was annoying. I doesn't mean they are not gonna dopp.

right? They might have to a fight out. Does I mean, don't they kind of want to keep full capacity ability with the standard? I would think we'll see that depends what the alliance says. Is that require or just optional?

Well, IT will be optional, unfortunately to be. But then maybe at some point, to get the next level of certification, you'll need IT and then apple will like, I mean, it's really IT would be IT would be very short sighted, I think for them to to like, I mean almost punitive for them to say no, if you use our you can take them anywhere else.

right? right?

okay. Several weeks ago, I mentioned that a listener of ours had suggested that when I moved my windows seven workstation over to windows ten, I choose a windows server version in order to have a simplified experience um at the time, that sort of called me by surprise and I thought I was a great idea, since microsoft will presumably have exercised far greater restraint against including all of the unwanted xbox, Candy crush jewels, android phone integration and all that other crap that they force on regular desktop windows users.

But then I remembered that I had that idea a long time ago. IT may have been back in the windows X P. Era that I did try running. And I did run for a while a server edition of windows as my desktop machine, probably because I wanted to be using exactly the same build of windows that my servers were using back then. But I hit a big problem.

The installers for many of the best top applications I wanted to run would complain and refuse to proceed when they saw that I was running on a server release of windows. I fought against that and put up with that for a while. I remember looking around, seeing if there was like some way I could create my own hack to to make the server edition look like the window that like the desk top version.

I I didn't end up doing that. I just ended up learning my lesson and deciding to go to the top. And in fact, for example, now the window seven workstation version is essentially server no windows server two thousand eight r two.

So it's essentially the same code anyway. But I just wanted to close the loop on that. In the case, anyone else we're thinking, hey, that sounds a great idea. I've going to run server. I'll just caution you that um in some cases, apps just would not install.

In other cases, they said, well, if you're a server version, you're gonna have it's gonna cost you this much money you know like way more than IT was for the equivalent desktop version. So I just said, no, thank you. Um okay, touching on signifie briefly.

I am fifteen percent into the book. I said I would not read until its companion novel was also ready though as I recall, my position on that was noticeably softening recently. Anyway, yes, I now know a lot about Peter f hamiltons exotics the our committees engine.

However, I don't know nearly as much as john seller are jama b, who is already well into his second read through. He noted that the second pass is more fun for him, because by then, you know who all the players are, and boy, the players are somewhat disease. The book begins with a chronology which is stunning in its sweep and scope of humanity near and far future.

And knowing Peter, I know I knew not to over that, I figured this was important. So I read all of that. Then IT runs through and introduces a vast ray of characters. And as I said, the historical summary was engaging.

And I did forced myself to sit still and at least take the time to read through all of the names of the entities whose roles were described mostly in relation to each other in that vast list. And then the book began. So I can well understand why john, you know, upon finishing at once, would immediately reset his e book to the beginning and go again so anyway, I don't know if I read the second time immediately.

Maybe i'll wait for who knows how long for that the its its second half of the whole story to be finished and I just didn't want to mention that yeah I mean, I was rereading the frontiers saga like for the fourth time and was getting a little boring actually. So I thought, okay, i'll try something new so i'm there. Um okay.

A bit of closing the loop with our listeners, brian Henry ricks wrote. He said he, Steve, I was looking for a new puzzle game to play on my tablet, and I saw that the sequence plus was released a couple of weeks ago. I haven't tried IT yet, but surely enjoyed the sequence at your recommendation a few years ago.

I tried the sequence too when that came out, but I did not enjoy IT as much. He says, hopefully this new game lives up to the original happy security, knowing to four digits and beyond. Okay, so I agree with brian completely.

Whether I loved the sequence, I was disappointed by the sequence too, and I never bought thee to spend much time with that. Once I saw that, in my opinion, and I guess his and others IT missed the mark IT turns out that is not a simple matter to create a truly terrific puzzle game, which the original was. So I agree that more of the original would be welcome.

So I went looking for IT. IT is nowhere that I was able to find IT in apples notoriously, horribly indexed APP store. So I dropped back to searching the net, and I found something called the sequence to in the google play store.

I have a link to IT in the show notes for anyone who's interested. I replied to brian asking whether he might be an android person playing the sequence to on an android tablet and he confirmed that he was. So i'm hoping that IT isn't you know that it's just you know that just hasn't yet surfaced in apple's APP store since the author, who is an outfit by the name one man band uh um uses the unity framework.

Uh, IT could also be available for IOS, i'm hoping is just delayed. So anyway, I should note that also when brian said a few years ago, he actually meant nine years ago, back in twenty fifteen. So I wanted to tell all of our listeners, there is a big treat awaiting any of our listeners who have joined us since then, who enjoy extremely well crafted puzzle recreation and who are not yet familiar with what we've been talking about.

The sequence created, as I said, by one man band, is a sort of graphical, sequential programing environment, is that perfect blend of progressively, increasingly difficult chAllenges where you required to discover new tricks and problem solving techniques as you progressed forward through the games levels. You build machines composed of individual functional blocks with each block having a single, very simple and very clear function, and then you turn IT loose to loop through its Operation four or five times. Since another requirement is that each iteration leaves the machine you've built in a stable state, ready to do IT again.

And what a final comment for those who may have heard of things like this before, only to be then disappointed, I have to. We haven't talked about my affection for puzzles for years, but i've i've often tried other things that sound exactly like what I just described, and I have been disappointed, so I would never recommend them. This one I recommend without reservation.

I have a link in the show notes to its author's website. Its O M B, as in one man band, O M B games dot com. And note that is H T T P only, not H T T P S um so if you if your browser resumes as it'll complain one where the other you want HTTP call in slash lash O M B games that come.

I also have a link to the author's official youtube video in the shower notes and IT earned this week's grc shortcut of the week so you can get a quick sense for what i'm talking about by opening any browser and going to grc dot sc slash nine nine six, which is this week's episode number grc dsc slash nine nine sex IT is available for a few dollars without any ads or any in APP purchases, thank god. From the windows store, steam, apple's APP store and google play, if anyone discovers the sequence plus in apple's APP store, please let me know. I'll be over.

I'll be all over that one. And as I was preparing these show notes, I spent some time poking around the authors one man band side on his context page. He had both a gmail and a twitter handle. So I first went over to twitter, and I was surprised when twitter said that he was following me. The only way that was possible was that back in the day, I had made such a fast over .

the course. I be following you too. My biggest fan.

yeah, you know. So I figured that this podcast must have come to his attention, and he decided to follow me. He had not posted anything recently over on his twitter feed.

So I shot him a note asking about the status of the sequence plus. And not long after, I received a reply from him, his first name is maxed and he wrote, hi, Steve. I'm glad to hear that everything is going well for you.

I'm grateful to you and you're podcast for giving my little known game a loving audience back in twenty fifteen. As for the sequence plus, I can say that IT is a slightly improved version of the sequence with some twigs in the controls and fixes in certain levels. IT is free and contains ads, so IT might not be suitable for everyone. Let's just say this is my attempt to bring the game to a larger audience as IT is currently very difficult to promote paid games.

Yeah, apple doesn't let .

you do demos or anything, he said. That's a big problem. Yes, for now, it's only available on google play as an experiment, he said.

I can't say for sure if I will released IT on IOS, but for all lovers of logic puzzles on IOS, my three games are still available, the sequence, the sequence to and unit four or four. He said, best regards, maximum. okay.

So now we know, and apparently he understands me, since I would gladly pay to not have any sort of advertisements in a good puzzle game, I mean, we're only talking a couple of dollars for many hours of engaging mystery. I've been driven nuts by the prevalence of advertising in IOS puzzles, where again, I would gladly pay for their removal and to have a quiet and puzzling experience. I hate ads.

So IT does not sound like the sequence plus would be anything I want, even if I were available for IOS, you know, as maxim said, is largely just the sequence as IT used to be. But we named and made free, but with ads. So anyway, if you're someone who enjoys puzzles, my advice would be to follow G R C short cutters of the week as leo you did and and you you played as little fifty second sample to give you a sense for what this is.

And if IT looks appealing, lay down a couple of bucks on maximum, either on IOS or android to purchase or or actually windows or steam to purchase the sequence and get ready to have some fun. I really think you will. Um Parker Stacy wrote, dear Steve, thank you for this extremely helpful tip he's referring to saturday is email.

He said, you have saved me time. You have saved me frustration. You have saved me from the repetitive irritation felt on so many sites these days. These annoyances on websites around the globe are more than just little nps to be swallowed. They divert our attention and more importantly, they divert our focus.

When i'm researching something online, i'm usually trying to follow a train of thought, a thread, a path, a stack of ideas, something so seemingly mild as a cookie policy or sign in with me box can interrupt my flow and completely unwind the stack, and I can take an unreasonable amount of time to rebuild IT. I know you know this, and I am grateful that you take the time to share these types of countermeasures with us. This type of special notification email is greatly welcomed, and I look forward to more in the future with gratitude and kind regards Parker.

And i'll just note that his his is a placeholder for the hundred and thirty five replies i've received and read so far following saturday's special mAiling. So I wanted to say thank you to everyone who took the time to mostly express their other joy over the knowledge that IT would be possible to suppress these unsolicited and unwanted login push pop ups from appearing IT. Turns out they're quite unpopular, and I was glad to learn that IT wasn't just me being cranky that that that all about and and as we know now, by turning on those preparations lists, we are getting rid of a whole host of other stuff.

But leo, your point is very important. If you go to a site where something seems broken, something doesn't work, IT could be that u block. Origin has been overprotective, in which case it's a matter of just of of of opening IT up and and disabling IT for the site or briefly turning that off. And then you know you'll get the full site in all of its glory.

and you can wait, be sorry.

wait through all the pop ups and ads and nonsense. yes. And finally, Frank, for the netherlanders wrote, dear Steve, I want to report a feature of u block origin that I don't see other people using, but that significantly improves my productivity in addition of blocking ads, I use u block origin to clean up clustered user interfaces.

Many web applications today include more features than I need or aggressively promote new ones. For example, click up is now filled with AI buttons and banners. I hide all these distractions to restore a clean interface that helps me focus on my work.

Hope IT helps other listeners best regard Frank from the netherlands. So that's interesting. There are still features of u block origin that we're not using. Frank is I just haven't spent any time with IT, and i'm beginning to feel like I miss in a bet here you block origin has like a dropper and I think you're able to use IT to go like click on something, which allows you to identify the something on the page to IT and maybe you're able to say I don't want this anymore.

Anyway, I have IT looked, but I I want to share Frank's note to to note that again, most of us, certainly myself, have been grossly underutilized. The power of u block origin IT is an extremely capable general purpose web experience filter. And you know, I think the reason that it's been underutilised is probably a case of, you know that old uh, a story about cooking the frog in the pot of water where you slowly increase the temperature so the frog never thinks to jump out IT just gets cooked for us.

You know, this incursion into our browsers has been very gradual and incremental. You know, at first, only a few sites were pushing that log in pop up for google. So you know, we put up with a few of those unwanted appearances.

But over time, that number grew and grew until IT was something some of us we're seeing and tolerating throughout our day. And those google pop ups were just one symptom. What's happening is that little by little, our online experiences have been increasingly leveraged and we're being increasingly coerced.

Nobody likes being coerced. So anyway, thank you, Frank. From the netherlands who is using u block origin more fully. And I will invite others to consider doing the same. And leo, we're an an hour in, let's take a break now and I will finish up with two final pieces of feedback .

thinking I almost stopped you and I thought, well, now is he's put in these breaks. He knows what he wants but okay.

god, I did.

Let's talk about a very appropriate, speaking of bother, some annoying, intrusive companies, a very useful tool if your data was in the national public database. Yeah I think one was too. But you know who was wasn't my wife because he uses our sponsor.

Delete me if you've ever searched for your name or address birthday online, I bet you didn't like how much of your personal information was available. I wouldn't recommend doing this, by the way, unless you don't believe me, then please biome es search for your name, see, see what you get. But maintaining privacy is not just your concern, is your whole families affair.

And I think delete my family plans mean you could make sure everyone in the family feels safe online, believe me, helps reduce risk from identity theft, but also but harassment, but more cyber security threats because, and this is why this is a proud delete me customer. Bad guys were able to figure out who SHE was, what her phone number was, what her direct reports were, and put together a of a fishing, a spearfishing campaign that had our employees not been very smart, and probably most of them listeners to this show, we would have been badly bit by where do they get all the information? Data brokers.

Data brokers are collecting this stuff like crazy. And delete me is your weapon against data brokers. Delete me. experts.

It's human, by the way, which I love, will find and remove your information from hundreds of data brokers. There are not literally hundreds of data brokers. One includes your family.

You going to sign a unique data sheet to each family member, tailed to them. And with these use controls as the account oer, you can munch privacy, settle for the whole family, delete me. And this is really important.

Even after IT does that first, initial deletion will continue to scan and remove your information regularly. Because new data brokers pop up all the time. Frankly, data brokers, are they not the most honorable of people? And they're going to start rebuilding your doc, even if you told them not to.

And i'm talking everything, addresses, photos, emails, who your relatives are, your phone numbers, your social media, your property value and more. Protect yourself. We claim your privacy.

What we did go to join delete me dot com slash twit, if you use the overcoat twit, you'll get twenty percent off that's join delete me to come slashed to IT offer code twit gets you twenty percent off. I think I don't really to explain to the Steve gibs and audience why you want to do this. In fact, you're probably have already been thinking about IT.

This is the way to do IT join delete me dot com slashed to even get that offer code for twenty percent off. Now back to mr. G. O. Two router discussion here.

Yes, two pieces of feedback from our listeners about routers. Just a long route. Steve had to throw in my two cents about routers for parents.

Ero, full stop. Do not pass go. Do not collect two hundred dollars. Leo mentioned its great mesh networking capabilities, but there's one thing that makes IT a perfect router for parents, the ability to configure IT without having to be at their house.

I do that with my mom. I can actually look at her set up exactly.

He said that all ero devices are configured via a smartphone APP. This means when you get, quote, the internet stop working call, you can pick up your phone, which you're probably already holding, and see what's going .

on without having to drive to their house, which is good.

Yeah, he is across the country. Ah you can add multiple ero networks to one account so you can switch between your own network and theirs for administration. Another benefit is ero plus, which is their monitoring software that blocks access to sites that host malicious content.

Botnet fishing sites. Etta, if you have multiple networks on the same account, one ero plus subscription covers them all for the same Price, he said, currently I have hours, my parents and my in laws. Another added bonus, there's no way for dad to attempt to fix something by blindly clicking around the rutter's U.

I. They don't have access to IT at all as far as they're concerned. It's just the magic box that allows them to complain about things on facebook.

I will add one more thing I don't, if you're very used, wave forms buffer blow a test, which is a really useful speed test i've done on all of my abroad outers from time to time because is IT really much Better than a regular speed test? IT IT shows why late IT shows whether latency goes up when you're doing other things like uploading and downloading.

And but one of the things you'll find there is their recommendation for reuters that don't have buffer blow and among others, the next your nightlife and the I cute writer in the ubiquity edge router you've recommended so many times the ero process. I think all the ero writer are well designed and they're also I think they pay a lot of attention to the latest thinking in terms of configurations. And so fourth, and I think that's one of the reasons they do such a good job with with buffer bloat. So another good reason, I think there, we've recommended them for all ever since they started to coming out. And as far as I can tell, if amazon's ownership has not made the Morris may.

amazon bought them. I was working. I said amazon ero .

yeah they bought up some years .

ago ah and another listener took Michael horowitz advice about the peeling router fill rote. Hi Stephen. I'm glad you pointed out Michael router security website again, remember that was router security dota org.

He said, I recently replaced my verizon fios router with his recommended p link router pep lk pep p link router, and was able to go over his short list as well, and I could not be more happy. He's even been very responsive and answering my questions that I may um have had in configuring the router and anything relating to what to expect when you ditch your isps router. Not only that, but pep link themselves have been responsive in replying to email inquiries about any issues for which there have been none.

He said, when I do my monthly tech talk at the library where I work, one of the topics is router set up in security, and I recommend the pep link patrons will come back saying how IT was pretty simple to set up and micros instructions were very straightforward. So he says, thanks, fill. And I just mentioned that the pet link writer is what router security sites author Michael horowitz recommends.

I have no experience with IT, so I can't weigh in either way, but I wanted to share phillip's positive experience and invite our listeners ers to consider these alternatives. As I said on this topic earlier, unless someone deliberately chooses an insecure configuration and with just a few tweak, any modern consumer router should be safe. Though, you know, I won't argue that security is relative and you can certainly spend a lot of time securing router.

But generally what you get unless you you know turn on lots of remote serving features, you're probably okay, okay. So b me up, scot, B, I M, I, that stands for brand indicators, for message identification. For this week's main topic, I want to share an adventure of mine.

From last week, IT will introduce some new email authentication technology while touching on the chAllenge of thwarting north korean and A I identity spooky, and ending with the fact that several recent d dos and network penetration attacks have left the world's internet archive offline. And that, as a consequence, something I was trying and hoping to do last week has been paused until the internet archive is back up. And last night, IT seemed to be Better.

This morning, IT was slow and sluggishness. Later this morning, IT was Better. So just .

by by as something yeah and and I was supposed to up read only this morning, but i'm maybe it's still having trouble.

I don't know. Yeah I did see that. And and in fact, the only the way back machine portion was up in read only apparently it's able you're able to to like manually submit pages to IT for archiving. And that feature is not currently .

kind of low. Life would attack the internet archives beyond me. Apparently, when I was an iranian hackers and .

I heard I saw the same thing that there some attribution given to some, you know, something about, know, some of the mess going on in the middle was supposedly behind IT. But okay, so this adventure began when I checked my email last after last tuesday's podcast and found a new feature notification from my favorite certificate authority, digit IT said. We're writing to let you know that common market certificates are now available.

Common mark certificates allow an organization to place a brand logo in the center field of outbound emails confirming the organizations d mark status. And they are authenticating identity and helping uh and helping protect against fishing and spooky attacks, they said. Common mark certificates are similar to verify mark certificates, but do not require a registered trademark for usage.

This allows a, brought a range of centres to add an additional layer of security to emails and help the recipient feel comfortable that the emails come from a legitimate source. They said to qualify for a common mark certificate, and we've got a few bill points. First, the corresponding emails domain must be configured to enforce d mark. The corresponding brand logo must either have at least a year of previous public usage on a domain controlled by the applicant, or be an acceptable modification of a registered trademark, and may say c section three point two point sixteen of the bi groups minium security requirements for issuance of mark certificates for more details and finally, the logo file used for the certified mark certificate must be an svg file that add here to the svg hyphen p slash s profile then they said they, they finished saying, note, currently, most image editing tools do not support the svg hyphen peace lash s profile.

H, that's hy.

yeah. I I said I had an adventure. And IT will require using a specific conversion tool or manually editing and svg file, they said cr guide for properly formatting the logo.

Okay, so first I should reiterate that be me is officially pronounced bii like bii bikey. Okay, yeah, by my, by my, not be my. But I was unable to resist the beat up, Scotty.

I so scot is just as good beating .

up with bad. It's quite in a hurry bing up because, you know because that we've lost a bunch of red shirts. And so how that goes? Ah okay.

So B M I, as I said, is the abbreviation for brand indicators for message identification. IT is a new relatively i'll see it's been around for theyve, been working on for ten years. And slowly, as in very slowly emerging email standard that creates what's interesting here is a secure means for incoming mail to Carry and display its senders.

Unspoken, able logo icon, email clients and online services that choose to support B I will be able to display these logos and will only display these logos if and when the emails senders have jumped through quite a large number of hoops to make that possible. This is all being managed by an industry bimi working group at bimi group dot org B I M I G R O U P at org. The members of this group are fast mall google male chip proof point send grid validity volume in yahoo.

The project began, as I said, of full ten years ago, back in twenty fourteen. And today, the display, a bimi logo icons, is supported by apple cloud, mark, fast mail, google, yahoo and SOHO. I want to do this.

We have a trademark. Yes, you do.

IT local. Yes, you do. yeah. So what this group is managed to design and achieve finally wide consensus on is the rough equivalent of the web server tls certificates we rely heavily on to prevent interception and spoofing of the domains our web browsers visit.

This bimi system provides a means for senders who care to to strongly authenticate that they are the center of their email. I don't have to tell anyone that email is a mess, whether one is on the sending or the receiving end. Everyone knows this yet.

Everyone needs email. IT is, as we know, the internet, lowest common denominator for communication. As we've observed here, we could not have user names and passwords without email because no other authenticating system is viable without some reliable backup.

Lowest common denominator fallback means for ultimately authenticated users when they forget their password or don't have their second factor authentication or handy or whatever. IT always comes down to email. So for the past decade, and effort has been underway to allow email centers who choose to and email services who choose to, to display strongly authenticated visual graphic logos in email recipients in boxes.

And I have a picture in the show notes showing what you Normally see for you male timer. And so there's just a generic m in a circle and e mail marketing news and e in a circle, and as opposed to their actual logos, which the email client is able to show. And I confirm that at my IOS devices are showing those where they're in use.

Now if I okay, so I have my picture as a gravitational and most female clients will pick that up as as the, as the icon and put in next to the email. How can I distinguish A B, my official trademark from a gravitate tr? That's a good that .

is a good point. A gravitate AR if if IT is available or if you have a photo associated with the person's on apple.

if it's in the context.

that's right, right? yes. So we are seeing you collision kind .

of flimsy authenticate method. Is that all there is the the .

icon on the email? Yes, that's what this is for.

Okay, right? I mean, I use P G P oeta ation that none only verifies that I am the center, but that the message is unmodified.

but nobody knows how to receive that.

Nobody knows what to do with that. But it's there.

right?

You can use as my certificates to do that. Nobody knows how to use that either.

Yeah so what what I want is when grc email comes, people will see the that that ruby g logo that i've been using for forty years since before the internet existed. And and make no mistake, this has been slow to catch on. For one thing, as i'll explain in a minute, it's a serious paid in the bud.

It's almost comical for the center to get IT working and it's not for end users. It's intended specifically for use by bulk email. It's also not free since IT requires the use of an annually expiring certificate behind which is some truly world class of the fiction.

But I would argue that for this purpose, not being free is a benefit, since the entire reason the world is being buried in unwanted email is that IT costs nothing to send. And even in a world with high bimi adoption, email will still cost nothing to send. But only those centres who are willing to spend some money and take the time and trouble will be able to embrace sh, their incoming email with their company's unspoken able brand logo. And leo, for what it's worth, if this becomes adopted and becomes valuable, then apple could, for example, could certainly choose IT to to further enhance, sure.

somehow put a key on IT or something that says this, this is not a gravitate AR.

exactly. This is an authenticated piece of email. Okay, so um for for bulk male senders and even for me, I want that g to show up, it'll likely be worth something.

So how does all this new stuff work? The first gating requirement for any possible display of a bimi logo is that the senders email passes d mark validation. Okay, so let's briefly review these three email standards, which are all part of this, S P F, D kim and d mark.

S, P, F, which is the old stand for center policy framework IT, uses additional records in the apparent sending domains DNS to indicate which I P addresses are valid, original atoms of that domains. email. Since email is sent using the s tp protocol over TCP, the I P addresses of the n points can not be spooked.

Ed, so when a remote sending email server connect to a receiving server, the receiving server obtains the unspoken able I P address of the sending server. Then when the recipient receives an email claiming to be from a specific domain, the receiving server can issue a DNS query on the spot to request that originating domain S P F records, if any, those S P F records will specify which I P addresses are authentic centres for that domain. So if the IP of the center of the incoming email for that domain is not authorized by the domains S P F records, the connection will be dropped and the email will not be accepted.

This costs nothing to do and IT very nicely prevents spammers from spooky the domains of valid centres. For example, I have an S P F record for grc IT uses grc s DNS to publish the I P address of grc email server so when a random spammer generates email claiming to be from the G R C dot com domain, any receiver of that email is able to check the sander's IP see that it's not coming from the one IP allowed by gr c, and then then ignore the email. Note that S P F has no way of preventing the attempt to spook an emails origin.

But that does provide a zero cost means for a recipient to confirm the validity of the originator. And you can believe that apple and outlook and google and yahoo and everybody, they're using this because they want to block all of this that they can. While S P, F identifies the authorized center by I P address, IT does not protect the integrity of the email itself. IT offers no protection against anything that might alter the emails contents in transit. For that, we have D K, D, K, I, M, which stands for domain keys identified mail.

D kim allows sending email servers to digitally sign the email envelope headers their outgoing email has so that the receiving server is able to verify that signature, and once again, we have another use for DNS where additional d cam records in the servers DNS domain are used to publish the public key with which its d kim signed email enable headers can be verified. The receiving server sees the claimed from domain queried that domains DNS for its d km. Public key then uses that key to verify the signature contained within the incoming email.

The final piece of this triumph is the mark domain based message of application reporting and conformance D M A R C D mark is a policy which is also published in the sending domains. DNS IT allows the senders domain to indicate whether their email messages are protected by S P F and ord kim. And this demarch policy instructs a recipient what to do if either of those authentic ation methods, which the the site says must be enforced, fails, do they reject the message or quarantine IT, or send back a report, or what? So a crucial thing to appreciate is that even today, all of these layers of email integrity and anti domain spooky are completely optional.

There is no need for any of them to be present or applied. They benefit the center by preventing the sending domains reputation from being abused, and they benefit the receiver by providing a means by which the true center of any remark protected email can be verified. But all of this only works if both ends play if the center doesn't take advantage of these tools, or if the recipient doesn't bother to check against them, that neither end gets any benefit.

The other factor here is that all of this happens down in the plumbing of the internet smt p protocol. None of this is ever seen by any of the eventual recipients of the email. There's never been any obvious visual indication of whether or not any of these various tests pass or fail.

Until now, one of the key requirements for any display of a bbi logo is that the senders d mark policy must pass, which in turn requires S, P, F, N, D, came to be present and to both succeed. So the first thing bim's display will mean in the real world is that the email actually originated from the claimed center. And this brings us to the logo itself and the question of how bimi avoids the unauthorized or fraudulent use of organization logos.

What, for example, prevent somebody else from copying grc ruby g logo and using IT for themselves? To answer that question, let's see what the bimi group themselves have to say in their FAQ for this. They right, verifying a logo is authorized for use by a specific domain has been at the center of the debate since the idea for bimi was first disgust. In fact, that very issue is why IT has taken the past seven years to develop the specification.

And I should point out, by the way, that D, K, S P F and d mark are often now supported for this gmail or reject mail that isn't properly signed. So that's the good news, right? The things are getting Better in at least in network guard.

Maybe google policy is that if you send more than five thousand pieces of email a day, then you have to have d mark. Uh, OK.

But I talking about in bound, I think that you you have a chance of getting black hole if you are not this. Google said they, we're gona require d mark. But I might be I might .

be mistaken on that. The problem is there are still too many servers out there that do not support IT and they want to be able to send email to gmail people because that's about a half of the world. So right yeah but but bulk male senders sending more than five, five thousand pieces mail a day.

Google will say, you're right. He says bulk, says google in the yahoo as requirements of bulk centers must have demarch in place. Yeah, yeah, yeah.

I misread that. I thought I was everybody, but you're right. So few people have that.

right? So so one of the cool things about this, and again, anyone who IT is any email supplier like apple or google or whoever who chose to, could could use bimi to create a stronger indication that authentic ation was in place because that would be nice to know. So anyway, they said this issue was taken seven years to develop, and this thing i'm reading was written in twenty twenty one.

So it's been ten years. Oh my god. They said, since this was such a difficult problem to solve, we develop two different types of bimi records to get where we are today, self asserted records.

They said, in the first case, there is no veridication of the logo at all. IT was left up to the mailbox providers to decide whether or not to display the logo. And I should just mention, nobody does because IT doesn't provide what bimi wants to provide.

The second is records with evidence documents. As many pointed out, there needed to be some form of evaluation such such that a logo could be verified as being authorized for use by a domain. So they said, up until recently, the most broadly deployed by mmi records were self asserted.

Only a couple of mailbox providers accepted them, and those that did, for example, yahoo, carefully considered which domains they allowed to display logos. Then on july twelve, gmail announced support for bimi, which required an evidence document in the form of a verified mark certificate. In order to obtain a verified mark certificate, a company must provide evidence that their logo is a registered trademark, I, E, that a government agency recognizes its legitimate use.

The vmc also attests to the use of that logo in relation to identify domains. Mailbox providers can now retrieve and verify the vmc to ensure that the logo is authorized for use by that domain. And i'll note that they've actually soften this a bit for for that that common mark.

The common mark certificate just requires that you can demonstrate at least a years worth of use of that logo on your domain so they finish regardless of which bimi record D S. use. The situation collapses into a single requirement, reputational trust, while a self asserted record requires that the mailbox provider trusts the domain, for example, relying on their own reputation about the domain, a vmc moves the trust model from the domain to the V, M, C.

Issue there. And so now we're talking certificates, and now we're talking certificates authorities, which is why digit got into the game. In other words, we introduce the classic concept of a certificate authority.

We trust the certificate authority, so we trust the certificate author y's identity assertions, by extension. But now they have an FAQ, they said, at this time, there are two certificate authorities that are accepted as mark verifying authorities, m. VS, who can issue vmc for use with bimi and get this leo digit an interest.

And yes, it's that interest interest the interest from whom chrome will no longer trust certificates signed after the end of this month. And by the way, mozilla a has made the same decision, ending their new certificate trust of interest. One month later at the end of november.

Now I don't know whether interests hack to become a certificate intermediate work here. And I don't care because grc is bime certificate. If i'm never able to get one, will certainly be signed by digit more on that in a minute. The bimi fact continues.

So they said it's essentially the job of the m, va, the mark verifying authority to verify that the logos are authorized for use with bi, then accept to the mailbox providers to decide what M, V, S, they trust to issue vmc the verified mark certificates. And believe me, if everyone does what digit does, it'll be a cold day in arizona before any spammer is using grc s logo. okay.

Well, i'll explain a second. They said, and if you're curious about the steps the m VS perform when evaluating a request for a vmc, here's the current process the sea are following and then they provide at the vmc guidelines latest PDF. Now they said, if you've gone through the entire ninety four pages, congratulations, it's pretty dense and actually today it's one hundred twenty nine pages wow.

So they said, you'll see that the evaluation process is reasonably thoro. The C, S, are trying very hard to ensure that their vmc can be trusted as a checkup. If the email security community finds the C, A has improperly issued a vmc mailbox, providers will no longer accept vmc provided from that C, A, which would assist, essentially neutralize the ca vmc business.

So maybe interest shouldn't even bother. okay. So I know that listeners to this podcast would find that interesting to see grc s ruby g logo appear in the center field of their email client when, for example, they open email for me in gmail or yahoo or apple, and if the presence of a bimi logo and everything that went into obtaining one lend more credibility to G C S.

Email and helped them to be routed, not to spam or junk folders, that I would regard that as time well invested. And in fact, that's the other thing that is expected is that B I A bimi signed email will have a stronger reputation out of the gate. So last week, after seeing that email from, I headed over to their site to see what I needed to do on the request verified mark certificate page.

The first thing that needed is to create the logo you got ta created and upload IT for them to approve. But as I mentioned before, the uploaded format is quite specific and not readily created in this day and age of widely varying device resolution. IT makes sense for anything being newly defined to finally drop pixel and resolution in favor of vectors.

Vectors are the only way to go for the future and the world figured that out um um in the case of funds a long time ago. So the bimi specification, Normally nominal ally, uses the svg, the scalable vector graphics standard. But they really wanted to get this right, which creates a few road blocks since pretty much nothing currently supports the new deliberately constrained standard that they defined on their solving svg issues page, they wrote, there are many reasons why your svg might fail.

One of the online by my validators. And many of these issues stem from the requirement that all svg images conform to the tiny, portable secure, which is tiny hyphen P. S. standard. Uh, they said, the tiny, the svg tiny.

PS, where PS stands portable, secure, is a streamline profile of the svg scalable vector or graphic specification designed to provide a light weight secure important solution for displaying vector graphics, particularly in environment with resource constraints. IT retains the core functionality necessary for rendering scalable images while eliminating more complex features that may pose security risks or require extensive processing power. It's simply ity and focus on security.

Ensure the graphics are rendered consistently and safely across diverse platforms. When updating an svg filed to comply with the svg tiny P. S standard, additional considerations include ensuring device compatibility, maintaining performance efficiency and in hearing to the standards limitations.

Svg tiny PS supports a limited subset of svg elements and attributes. And I get to test to that. Basically, svg. The svg standard grew over time, as all standards of this sort do, to include all kinds of superfluous crap. In fact, you can even put a bit map in an svg, even though that contrary to the svg concept.

But of course, so what they've done is they've theyve stripped IT back to the things you really need, you know, curbs and rectangles and circles and filled patterns and gradients and things so you could do what you need. You just can't dump anything in. So IT ends up being constrained.

I think it's entirely reasonable, but IT does introduce a hurdle. After searching around the internet, the only tool I could find that would export an an svg file in the what's known as the tiny version. One point to format was adobe illustrator and have having bit an early fan of paint shop pro and coral draw.

I've never been over in a dobie camp, but I discovered that illustrator is available with a seven day free trial, doesn't only need a credit guard or anything IT also stop working after seven days. So I installed IT. I converted my simple ruby g uh bit map from the vector, from aster, the vector, and then used at the an illustrator and illustrator script, which I found over on digital be me help page to export a fully compliant svg, tiny P S.

format. I then uploaded that the digit who inspected the files and approved IT for baby use. So now what IT turned out, that was the easy part.

I'll explain what happened next. That was the easy part. Then we start having to prove things. So let's take our last brick, leo. And then the fun begins.

Ow, what fun this is down the beat trail.

Okay, yeah. Beat me up, Scotty.

Beat me up Scotty.

Um alright.

And you know that no Normal human is gonna know anything about this, or whether IT exists or anything. So our audience will. So that's good. We will continue the saga of Steve attempt to get him be me compliant logo in just a minute.

But first award from our sponsor, van ta, now this is a company I can get behind with your starting or scaling your company's security program. You know that demonstrating top not security practices and establishing trust with your customers is more important than ever. And Frankly, IT, you probably have a legal requirement too. Venta automates compliance for soc two I saw two, seven, oo one and more are saving you time and money while helping you build customer trust.

You're going to love IT too.

because you can streamline security reviews by automating questionnaire and demonstrate your security posture with a customer facing trust center looks great. All powered by vta AI. Over seven thousand global companies like at last in flow health cora, use vanted to manage risk and prove security in real time.

When you like to do that well, how about getting a thousand dollars of when you go to venter va nta dot com slash security now, va nta dotcom flash security now one thousand dollars off venta your age yourself to learn more about what venta can offer vantage come sash security now we thank you so much for supporting Steve. ExcEllent works here. Somebody's got to pay the bill while he's raster vector ing is .

ruby g before IT would be bimi user even begins the process. It's necessary for the organization to be certified at the EV level. Remember evs those extended validation certificates that fell out of favor when web browsers decided to stop showing extra fields of Green for EV certificate sites because end users didn't never really understand what was going on to your points all about the bme logos maybe know maybe we won't ever understand or maybe they'll be given special treatment once they know achieve critical mass who knows um and also since nothing prevented type squatting sites from obtaining their own EV certificates.

That was really the death nell because typo squatters were able to get evy search on their their missip domain names so users saw that and that all look at all Green IT must be safe now. So even though E V certificates are not coming back, the level of organization validation they once required is still going strong. What this essentially means is that any organization displaying a bimi mark in their email will have been validated at the same level as is required for E V.

certification. In this case, IT means that I had to have sue standing by at our corporate landline when someone from digit called the phone number that an organization such as done in bread street has listed in their corporate records for gibson research corporation to answer digits arch call and verified a bunch of information about our company and our website. SHE also confirmed that I, Steve gibson, would be serving as digital verified contact for this verified mark certificate order and that I was authorized to request and have a verified mark certificate generated.

Do you get a special hat?

No, but I got a special phone call. Once that was done, I received an email explaining what my role would be. I first needed to take photos of the front and back of an officially issued U.

S. Government photo ID and securely upload them to do dishart through their share point three sixty five account. Now, what might once have seemed intrusive is no longer any big deal since, after all, national public data has already posted all of that stuff publicly all out there already.

So who cares? On the other hand, couldn't all of that public data now be used to convincingly ly spoofs and uploaded identity? Maybe, but digit thought of that too.

The next step was to use an online scheduling APP to array to arrange an interview first by phone and then by online zoom, a video conference. Using the scheduling APP, I booked the first available thirty minutes slot, and at the appointed time, I received a phone call from a digital person. He identified himself as the person i've been corresponding with, and he instructed me to please upload photos of my ID to their share point three sixty five account.

I told him that I had already followed the link in the earlier email and done so. He thanked me and asked if I was ready to switch to zoom. I told him I was.

So we sent me a zoom link. Clicking the link brought me into a two way audio conference with a one way video. His camera was never enabled, so I only saw his name, but he had a clear view of me, just like our listeners do right now, because I used our same system.

Yes, he had told me that I would need to show the same ID during the video conference. So I went back, got out of my wallet. I had a handy. He first asked me to pose on camera so he could capture that. Then he asked me to hold the I D up next to my head, oh my god, so that both my face and my I D were on camera side by side at the same time. I did that.

This is not. This is more than you had to do for an E, V, sir.

Oh yeah. E, V, we left off on. So sit telling the guy to have a nice day. yes. So he asked me, he, then he asked me, while still holding the ID up next to my head to pass my other free hand, cross my face, and then both in front of and behind my I D, while still holding IT relatively, oh my god. I took a bit of henager ling to satisfy him.

But since I was neither an AI generated spoof nor a north korean posing a some old White guy, I was able to follow his instructions and satisfy him that I was indeed me. wow. And since this created an unbroken trust chain from grc s public corporate records through our offices to me and my identity, this was able to satisfy their need to confirm the authenticity of our logo submission.

I forgot. Imagine that earlier in the process, after I successfully created and uploaded and verified the tiny version one point two hyphen flash s svg logo file digital website had required me to post a specific text string in G C S DNS and then click OK once I had, so that I could prove ownership over the grc dot com domain. And this brings us to the final step where they verify that i've been using that logo on grc s website for at least a year since i've been using IT for the past forty years, since before the web came into existence, from the moment IT came into existence.

And every day thereafter, I figured this final step would be a slam dunk. So how do you imagine they verify my long standing use of this logo? Oh no.

Oh yes. They use the famous way back machine. Oh no.

At the internet archive. Over at archive. Dot argue. I was wonder .

the connection .

was there was a slight glitch last week, since for most of last week and all of the weekend and apparently until sometime yesterday, all of the internet archive was under attack and offline.

they were trying to keep you from getting your bimi.

Now we know why a kind of that, after everything I had gone through, the final step in the long process of obtaining a bimi certificate .

has been placed on hole the .

weakest link h my god, now that's fine with me. Sense of A G R G R C. Obtaining this certification is certainly not an emergency.

So whenever IT manages to happen will be fine with me. probably. You know, later this week, all of the required steps have been taken on my end. So once digital is able to look back in time at gc s historic use of that logo, which they will see on every single page that the that the way back machine has ever indexed.

Wait minute, if you worn on the internet way back machine, not every thing is right. That's true.

The heck.

that seems very in .

that case, you could if your logo was registered, then you would be in the us. Patent and trademark red logos.

Your logo is not registered.

I never bothered to register the logo.

yes. So that's why, because ours is this logo is in the trade.

And if you've got that trade market that no .

problem service market or what I rise you.

okay. So, uh, what happened was that a series of d dos attacks began less tuesday, october eight. And somehow mixed in with that was a java script library based site, defacement, which affected the internet archive, and a breach which leaked user names and email addresses and salted hashed passwords for thirty one million past internet archive users.

The archive's greatest concern was the reservation of the integrity of their archive. So they took everything offline while they worked to figure out exactly what had happened. Wikipedia a informs us that booster kale is an american digital library computer engineer, internet entrepreneur, an advocate of universal access to all knowledge.

In one thousand nine hundred and eighty two, he graduated with a bachelor's degree in computer science and engineering from M. I. T. And in nineteen and ninety six, kale founded the internet archive. In twenty twelve, he was inducted into the internet hall of fame.

and a year later, he was on triangulation. You ever want to see interview with him? quite. I love bursche amazing fellow.

He seems like one hundred percent. He's like what we wish we had more of, yes. So archi dt. Orgues has a master on instance, and bruiser has posted two updates there.

His first one said, what we know did also attack fend IT off for now, the facebook, our website via J. S. Library, breach of user names, email, salted encrypted passwords what we've done disabled the J.

S. Library scribing systems upgrading security will share more as we know IT. And then he said a little bit later, sorry, but d dos. Folks are back and knocked. Archive dot org, an open library dot org offline at internet archive, is being cautious and prioritizing keeping data safe at the expense of service availability. Will share more, as we know, IT.

So as I said, I checked this morning um and I saw I checked this morning online and saw a raft of articles about this, you know, headlines read from bleeping computer internet archive hacked data breach impacts thirty one million users, forbes wrote internet history hacked way back machine down thirty one million passwords stolen, verge wrote the internet archive is still down, but will return in days, not weeks, that some in the booster posted elsewhere, cyber news said international archive down after two day. D. S.

Attack, user info compromised and fast company more recently said the internet archive is back online after a cyber attack so i've observed some of the internet dialogue surrounding this event and this interruption in the availability of the internet archive has served a useful purpose. I think IT has served to remind people just how important this service has become. It's one of those things that easily take IT for granted until it's not available, at which point you realize just how important IT can be to have a way back machine that allows us to view earlier states of the internet.

Our listers may recall that I put the archives way back machine to extensive use back when we were examining the effects of that poly field that I O trouble, where we looked at the danger of a publisher of a widely used and publicly hosted java script library turning control over to another entity. I needed to look back in time to see how the poly field that IO site had grown and evolved since its earliest days. And this research was only possible because the way back machine have been quietly, dutifully and continuously taking and storing snapshots of the polyface ld dot IO site, along with all the other sites that IT crawls on the internet throughout its entire life.

The virtuous most recent reporting said this. They said, the internet archive is backend line in a real state. After a cyber attack brought down the digital library and way back machine last week, a data breach, indeed off attack, kicked the site offline on october night with a user authentication database containing thirty one million unique records stolen in recent weeks.

The internet archive is now back online in a provisional read only manner, according to founder booster kale. Safe to resume, but might need further maintenance, in which case IT will be suspended again, he said. And they wrote, why you can access the way back machine to search nine hundred and six teen billion one pages that have been archived over time.

You cannot currently capture an existing web page into the archive. Kill and team have gradually been restoring archive dot org services in recent days, including bringing back the teams email accounts and its crawlers for national libraries services have been offline so that internet archive staff can examine and strengthen them against future attacks. A pop up from a proportion hacker claimed the archive had suffered a quote, catastrophic security breach on quote, last week before have I been boned confirmed the data was stolen.

The theft included email addresses, screen names, hashed passwords and other internal data for thirty one million unique email accounts. The internet archive outage came just weeks after google started adding links to archived websites in the way back machine. Google removed its own cashed pages with links earlier this year, so having the way back machine linked in google search results is a useful way to access older versions of websites or archive pages.

This would be a good opportunity, by the way, for people to donate to the internet archive. Am a long time supporter. I give the money every month.

I M I yeah yes.

this is such an important more than a service. This is an important way to back up our history. And it's yes, god be supported.

And I don't know if an organization like cloud flare might be interested in being a benefactor here um you know nor what boosters requirements would be. They might know they might be in collision or even if it's you even feasible. But the internet archive, leo, as you said, it's a vital tool for researchers, academics and others and I is expected its value and importance will only increase over time.

In any event, IT now appears that the way back machine is limping back online and that before long digital will say that they have been able to use the way back machine to verify my decades long use of that g logo. At that point, they will approve an issue, A A bemi certificate, that will be valid for any newly minted certificates, maximum life of three hundred and ninety eight days. They seem eager to host the logo and a certificate from their servers.

You can do IT yourself, but their volunteering. So i'm fine with that. Um IT seems to me that you know they'll provide the URL s and that might add a little more credibility to IT that is coming from no digit dot com. Um so whenever a bimi supported email provider receives email from G R C, as you know, apple wild, gmail will, yahoo will and so forth.

In addition to verifying that emails authenticity by pulling R S P F D kim and d mark D N S records, they'll proactively check for and pull grc bimi record that will provide to you else you will tell them where to obtain the ruby g svg logo itself and where to find is validating certificate. I haven't looked into how the logo and the certificate are related, but since it's possible for me to host those files myself, they must be protected from tampering ing, assuming that the svg file itself is not altered, the certificate probably contains a hash of the approved svg logo file and the indication of the domain for which the logo is. So anyone wishing to support bimi logo embalmer shed on their mailboxes could look up the information hash, the svg logo they retrieve and check for the matching hash inside its matching mini certificate.

Since the certificate would be signed by digital's trusted route, this would established a chain of trust sufficient to authenticate the logos use for the indicated email domain, and the email provider could then confidently show that logo to its email users, but only if the email also passes d mark validation. So it's the first visible indication we've had on the internet of of email authenticity in the guys of a logo provided by the email center. Now for G, R, C, as i've said, that did not happen in time for this week's part cast mAiling to the security now subscribers, which went out this morning.

But having jumped, as I said, through all these hoops to get this far and with this now only waiting for the way back machine to be available to allow gz historical logo usage to be confirmed, i'm hopeful that everyone may see IT in their mail next week. So that'll be an interesting change for learning the gmail had adopted by my support some time ago. I went poking around in my own gmail inbox, though I did not dig too deeply.

And again, I don't get lots of valid email there. IT is my throw away detail account. I did see that paypal and disney plus both had been my logos for their email.

So by my logo, usage is around. But we're certainly you know, not seeing IT in you know in common use will IT become more common over time. It's too soon to tell since email providers have total freedom to decide which certificate authorities verified mark certificates they wish to support.

And having seen the costly rigor digit just applied to me to prevent any form of spooky, it's clear. But if the bemi group could be accused of anything that would be setting the bar for this too high. But in an industry that has repeatedly been in such a hurry that the bar is usually set to low, I consider this to be a change in the right direction.

Though obtaining this level of identity proof is difficult and costly, any organization that does this gets a year of extra strong identity for their email if anyone notices or understands. At this point, i'm pretty certain that most users have no idea that any other this is going on. I certainly didn't until I dug into this.

But if IT catches on, IT might begin to chip away at some of the catastrophe that completely free email creation and delivery has created. And IT only costs something to the center. Who's decided that they care enough to super authenticate the, the, the, the sending of their email to their its recipients.

Couple of questions.

That's a .

bimi one. Doesn't an E V cert cost quite a bit of money.

Yeah, they are not cheap k like thousands .

of dollars a year.

I don't think it's that much much. I think that's a multi .

year with an actually so yeah, okay, maybe it's not that expense, but it's expensive. It's it's not trivial to get IT. It's interesting that is required. Is that just a digit requirement or this eta baby require?

Um that's a good question. Um and as I said, I did not look through that one hundred and twenty seven paid document on on its partment. But what what is required is that IT is evy level certification and makes sense.

So I didn't .

actually get an E V third. I didn't mean to imply that I got an evy third. But but EV level certification don't have .

to have an E V. sir. You just know h you are just saying it's the same level of you. It's evy .

style certification where I mean, so it's back when we were doing E V search, sue had to do the same thing. SHE had to be standing by when the phone ring and answer .

IT and same thing yeah, yeah, yeah. And any company would be able to you jump through .

the yeah I pay pales got they pay people to stand around.

All right. okay. And the interest to see if this catches on, I feel like IT doesn't really go the full distance. And of course, you've got ta get all the email clients .

to display IT. true. If I was just .

looking at fast mail, I don't see any any provision and fast male display by me logos, the obvious ly gmail does fast male.

I named them either on the group.

They're in the group. That's why was surprised.

So are they in the group that they were supporting IT, displaying IT?

They were in the initial team putting IT together.

Okay, so but whether .

they I may maybe they do. I just was a curse .

is so you if you have paypal or disney, this is the only two that I know of.

I have a payment dedicated paypal folder.

me. And maybe if if this works, by next week you'll be able to look at my male.

that would be so cool. Yeah, yeah, I I would like that. Well, yeah, I don't see. I'm going to do .

IT and our listeners were who receive email for me. Will I mean like any time you get email from grc, it'll then have it'll be embarked shed with that ruby g logo.

Yeah i'm looking at a paypal emails and I don't see any logo. The other question .

was it's got their little double p leaning. This is logo .

and that's presumably stored not by paypal, right? IT is well.

paypal could source IT or digit could source IT. I don't like IT a paypal .

source IT because then that's a tracking pixel.

Oh, if it's not embedded, you're right. Um no. Well, so no no because google, for example, would download one copy of IT and then and then .

would use everywhere cash IT. Okay, right? That's fine. I would just I could see paypal going.

So so so it's not the email client that that reaches out and fetches IT. IT is the ear of provider IT is only if the the email passes d mark and there's a you have matching certificate for the logo, then the email provider adds that to your inbox.

Well, I don't mind the idea. We'll see what happens. I look forward to seeing a ruby g in my, in my email from that, making a lot easier .

to find you in that .

pile of trash. I call my email. Steve gibson is a grc. Come, you know, that stands for gibson research corporation.

That's where he does is his work, including creating spin, right? The world's best masters age performance in haner recovery tool, maintenance tool if you have mass storage, you need spin right now is spread butter six point once a current version. Everybody who has previous versions can get upgrade.

But if you don't, now would be a good time to purchase your own personal copy of spin right while you're at gr C2Come. He also has copies of the show, sixty four killed bit audio, kind of the traditional communal version, but he also has sixteen one six sweet sixteen killing bit versions for the band with impaired. He has transcript written by a human. And in first that's why they don't come out the same day as the podcast, maybe a couple of days later. He also has the show notes, which are very handy if you don't have the transcript t for reading along. Transcript is actually everything that was said, all of that grc 点 com。 And if you want the emails, I think I love this, you midweek email, this could make your emails even more valuable if you set out alerts and buttons s and things like that to get on that list or just to get validated so that you can send himself go to g rc that come slash email.

And we do need to remind people because they're always complaining and they go, I signed up for this and I can't find out anywhere is the address where I send IT to you and I go, I write back and as that, I know that's on purpose, because this is not for everyone. This is for people who actually listen to the podcast. So nowhere on gr.

C does IT say security. Now at G. R. C. Dot com. No, you know what?

You might guess that.

But I do the same thing.

People say, why not you? You really need to publish an email address. no.

And I watch the email, any email? We do have an email address, but good, like finding IT. Let's put IT down.

And I do want your email, but you've got ta sign up now and you have to sub you don't have to subscribe to the email, which this register that's my anti spam or leo, you would not believe the spam fest that is now at that address. Oh my god, none comes in because they're not really know the spams centres are not registered. But the reason I did this was to I knew spam what happen and boy IT is a hurry ane out there.

It's not it's really has not gotten any Better thing is gutting Better is our ability .

to filter IT out well. And when you have a big provider like gmail, they have such visibility that they're able to see crap coming in across their user base and go whittam in. This is just junk .

yeah my experience that was gmail filtering is .

it's not very no, you have to train .

IT more yeah maybe that's IT. yeah. I stopped using. I used fast.

You know, as I use fast, man, let me see what else. Oh, we have a copy. The show at our website took that TV flash. Sn, that's important. When you go there, you might will sign up for club to IT because that's the best way to support Steves work.

Twitter that TV slashed club to IT supports everything we do, gives you access to the club to a discord also that gives you access to a lot of extra content. We've got a coffee show coming up on friday. We're going to talk about beings being connected ship.

This will be very, oh, Steve, if you're not, pay attention of beans. So that'll be fun. And then the next week is, say, his book club with a really fun book.

Chases knows the best book of the year. It's called service model by Adrian cho kopf sky. I have finished IT, which means I now can move to the new Peter f.

hamilton. I'm very excited about that. Anyway, stay these book clubs on the twenty four four micros crafting corner.

There's a whole lot of stuff in the club. The club is very important to us. IT kind of helps us kind of smooth out the bumps. As you may have heard podcast monitise ation is not what I was.

And as a result, we really, we really need your help twitter TV slash club to IT or scan the Q R code in the upper left of the screen and join the club. It's a great place to hang all the fun people in and discard. You can watch us do the show live.

Thanks to the club and club members, we are able to put this up on, which puts in in not one, not two, but seven different streams as the discord stream for club members. But there's also youtube, youtube 点 com slash twitch slash live， twitch dot TV, facebook x 点 com linked in and kick seven different places。 You can watch a show live in the chats in all those places alive.

And I see all the chat posts from all the different places. So thank you. I appreciate that.

What else all you need to know when we do IT don't? It's two days right after my break weekly, which is usually around one thirty to two pm pacific time, five pm eastern, twenty one hundred ut. See at those various places after the fact, or you can get the show.

As I said at Steve sider, retta TV flashes and is also a youtube channel dedicated to the video. That is really handy because I know a lot of times you'll hear something on the show and say, oh, i've got to show this to my friend, my boss, my roommate, my mother, whatever. You can easily clip those things on youtube.

Everybody knows how to watch a youtube clip and use you as an ice clipping feature so you can take that little portion and show send IT to them. That helps us because it's a subtle way of of introducing new listeners. To fact, another way we're doing that now is a referable program.

If you're a club twit member and you invite somebody else to join and they join, you get a months free. So that can add up, that can make your whole membership for free just by spreading the word that's very important to us after the fact you can also subscribe, of course, in your favorite podcast player. And honestly, I know there's nine hundred ninety six episodes, but I think anybody is interest in this should have all nine hundred and ninety six on their hard drive.

Subscribe now, start your collection, then you go back the website, download all the rest, three away from nine, nine, nine. And then I don't we don't know what happens. Steve got a rewrite his entire system.

Do you have to update some code? Do you really you never .

thought that before digits? Who's would .

have thought that.

in fact, for years, you actively planned for there? Not to be, but thank this.

I said, oh, well.

to d too bad, so sad.

That'll be a good point. I'll be a good time to hang up.

There is no good time to hang up the security sport.

Not happy. Every not happy .

wear during the show. good. Yeah, we're all happy. Thank you. See, if you have a great week, go play your game and I will see you next .

time on security. Now we'll do and we will be almost certainly talking about the the the pi fighter, yes, exchange framework in detail next week. So everybody bring your propeller hat bis and get rid has been up the propeller.

And if you wanted a more about the internet archive issue, corry doctor o is gonna on twitter on sunday and we will absolutely go to in our and go have a great tasty I.

It's sk really now.