
SN 997: Credential Exchange Protocol - DJI Sues DoD, Quantum Vs. RSA, Lost MS Logs

2024/10/23

Security Now (Audio)

Topics

Steve Gibson: On the Chinese researchers' work on RSA encryption: their research did not actually break RSA encryption; rather, they found a way to use quantum computers to improve on the prime factorization problem. While this is a significant discovery, it currently has little effect on the security of real-world RSA encryption. On the extortion campaign triggered by the NPD data breach: scammers are using leaked personal information for intimidation and extortion, which highlights the importance of data security. The EU's new software product liability law will change the landscape of the software industry; software companies will be liable for damage caused by software security flaws, which will push the industry to raise its security level. Microsoft's loss of security logs reflects the importance of security log management and the need to discover and fix problems promptly. DJI's lawsuit against the US Department of Defense shows the tension between China and the US in technology and security. The US Department of Defense seeking deepfake technology for intelligence work raises ethical and security concerns. Microsoft's anti-phishing strategy uses bots to lure attackers and collect information about attackers and their techniques, a proactive defensive measure. The FIDO Alliance's Credential Exchange Protocol aims to improve the security and portability of passwords, but the specification is still at an early stage.

Leo Laporte: On the Chinese researchers' work on RSA encryption: this is an important research advance, but it is not yet enough to threaten real-world RSA encryption. On the extortion campaign triggered by the NPD data breach: this is a new type of cybercrime that causes serious harm to individuals and to society. The EU's new software product liability law will have a far-reaching effect on the software industry; software companies will need to strengthen their security measures to avoid legal liability. Microsoft's loss of security logs exposes shortcomings in its security management and the need to strengthen its security management system. The DJI lawsuit reflects competition and conflict between China and the US in technology. The US Department of Defense seeking deepfake technology raises concerns about misuse of the technology. Microsoft's anti-phishing strategy is an innovative defensive method that can effectively collect information about attackers. The FIDO Alliance's Credential Exchange Protocol will improve the security and portability of passwords, which will have a positive effect on user experience and data security.

Chapters
The episode discusses the misleading headlines about Chinese researchers breaking RSA encryption and clarifies that they only demonstrated a better way to employ quantum computers against the prime factorization problem.
  • Chinese researchers did not break RSA encryption.
  • They demonstrated a better way to use quantum computers against the prime factorization problem.
  • The discovery represents a significant breakthrough in quantum computing applications for cryptographic problems.

Transcript


It's time for Security Now. Steve Gibson is here; we have things to talk about. Did Chinese researchers really crack RSA?

This might be a problem of headline confusion. The DoD is being sued by DJI over their drone ban. And a look at the new plan to allow you to move your passkeys from one place to another. All that's coming up and

a lot more, next on Security Now, podcasts you love from people you trust.

This is TWiT. This is Security Now with Steve Gibson, episode 997, recorded Tuesday, October 22nd, 2024: Credential Exchange Protocol. It's time for Security Now, the show where we cover the latest security news, privacy issues, breach news, exploited CVEs and science fiction.

And, uh,

uh, yes, yeah, this guy right here, Mr. Steve Gibson of the Gibson Research Corporation.

Hey Steve, here we are at 997. Yes. It hadn't occurred to me until we got closer, but it's obvious that 999 is on election day.

Oh, that's appropriate. Holy cow.

It might be the end of the podcast. We'll drive

off the cliff together.

Not clear that... no, we're going to sail on through it. And if they still

might be if I moved to New Zealand suddenly, but I don't think that's... well.

Kevin Rose, I heard him talking to you a long time ago, like a surprisingly long time ago, saying that he was like pushing his visa along. If you've got millions,

as Kevin does, it's good to have a hidey hole. And the billionaires, apparently they did think New Zealand was a place to go.

Although the government

has changed and they're maybe not quite as open, organized, as welcoming

with open arms. Yeah, yes. Okay. So here we are at the 22nd of October and as planned, we are going to talk about the Credential Exchange Protocol, which was announced eight days ago during the FIDO Alliance's conference, held a little bit south of me actually, in Carlsbad, Southern California.

Um, at first when I saw the spec, I thought, oh well, there's not enough here to talk about because it's more of an outline. Actually, we'll have some fun with what the spec doesn't say in a minute. But when I got into it more, I realized that the meat of it was present and there's enough to make it the podcast. So I first named the podcast "Credential Exchange Protocol Preview," thinking that that's all we were going to be able to do. But no, we're going to be able to cover it. And I should also say that I was hoping that this week I would be able to share more feedback, because I've been getting just so much great listener feedback to securitynow@grc.com from those who have registered their incoming email with GRC's email system, that I was wanting to share it.

But, uh, is there...

There is some amazing news that really happened that just took up too much.

We remember for a while we would alternate news episodes with Q&A episodes. But there is just too much going on, Steve.

There is. So we're going to answer the question, we touched on it last week, but I wanted to give it a little more attention, whether Chinese researchers did successfully break RSA encryption as all of the tech press headlines covered it. What did they do? Also, what next level terror extortion is being powered by the NPD breach data. I actually had a buddy of mine send me something that he received, and it's worth talking about. Also, the EU is apparently going to be holding software companies liable for their lack of security.

In other words, liable for damages arising from software in a no fault fashion, meaning even if they weren't aware of the problem. So that's, I mean, that's a sea change for the software industry. Also, Microsoft lost weeks of security logs.

How hard did they try to fix the problem? The Chinese drone company DJI has sued the DOJ over its ban on DJI drones, um, which is interesting. Also it turns out that the DOJ wishes to acquire deepfake technology to create fake people complete with identities. And this is where it's like, what could possibly go wrong? Also, Microsoft has bots pretending to fall for phishing campaigns.

And then leading bad guys into their honeypot. Which is diabolical and brilliant. Yes. So I just love this. And we've got a little bit of follow-up from the two pieces of listener feedback that I did manage to squeeze in before we take a look at this operation of the FIDO Alliance's forthcoming Credential Exchange Protocol, which, as we know, the whole goal of it is to create passkey collection portability among passkey providers. So another jam packed, I think, really interesting episode for our listeners.

Now I don't know about you, but the new pig butchering scam is not just to say hello, although I still get those, and I got one with a picture of a Chinese girl saying, you remember meeting me, would you? So I get those, of course, but the latest ones, and I think these are probably very effective,

they've started to give us job offers, they're headhunters. Now I'm obviously not looking for work. But I think if you are a young person looking for work, you might very well fall for these.

Yes. So I am thinking that no headhunter is going to text message you cold and say we have a job we think you'd like. If you do get that text message, I would really think twice before responding to it, because it's probably just pig butchering. It is for me, I know, because nobody

is trying to hire me, and anybody who hired me would regret it pretty quickly. Yes. Either of us, Steve, are not well.

We're not well. So being employees, either one of us... We will have the picture of the week and the meat of the matter coming up in just a little bit. But first, a word from our sponsor, the great folks at ThreatLocker.

You've heard Steve talk about zero trust, and it was Google that was the first to really kind of start promoting this idea that just because somebody's in your network doesn't mean they're trustworthy, that you really should have a deny by default approach to access. If zero day exploits and supply chain attacks are keeping you up at night, and if you listen to the show, I know they are, worry no more. The best way to harden your security is with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. So imagine taking a proactive, this is the key, deny by default approach to cybersecurity.

In other words, you block every action, every process, every user, unless specifically authorized by your team. And the user doesn't get blanket permissions; you can completely control what that user can do. So ThreatLocker helps you do this and provides a full audit of every action for risk management and, important, for compliance as well.

They've got a great support team, 24/7, US based. They will help you get onboarded, started up and, of course, beyond. So here's how you stop the exploitation of trusted applications within your organization.

Yeah, the application is trusted, but is the person using it trusted? Here's how you keep your business secure and protected from ransomware. And one of the features of this is so cool, they call it ring fencing. Organizations across any industry can benefit from ThreatLocker's ring fencing by isolating critical,

these are the most important trusted applications, from unintended uses or weaponization, limiting attackers' lateral movement within the network. This works really well. ThreatLocker's ring fencing was able to foil a number of attacks that just weren't stopped by traditional EDR, most notably that 2020 cyberattack on SolarWinds Orion. Companies that were using Orion got burned unless they were using ring fencing. It worked, it stopped it cold.

That's exactly what you need. ThreatLocker works for Macs too. Get unprecedented visibility and control of your cybersecurity quickly, easily. And by the way, price-wise, it's very cost effective as well.

ThreatLocker's zero trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero day vulnerabilities. This is zero trust done right. Get a free 30 day trial and learn more about how ThreatLocker can help mitigate unknown threats and at the same time ensure your compliance. Visit

threatlocker.com. It's a great company with a really interesting product and it really works. threatlocker.com, and surprisingly affordable too. I could even afford ThreatLocker. Thank you so much for supporting Security Now. Steve, I am prepared to demonstrate, to show to the world, the picture of the week. I'm scrolling up

Now a useful analogy about the whole zero trust change is just the evolution in thinking about how a firewall should work, that the first firewalls were open and they blocked known problems, right? And it became pretty quickly clear that that was the wrong strategy. We needed to be closed by default for everything, and then selectively open ports.

Whitelist rather than blacklist; that's what we wanted. It's really cool and it's such a simple concept and yet it's so effective. All right, we have a title for the picture of the week.

So yes, I gave this picture the caption: "Generic accessibility requirements may not always produce an appropriate outcome." Okay?

Oh, my god.

So what we have is a warning sign, yeah, that says "Hot surface, do not touch," and due to the need for sight-impaired people to be able to read the signage, also below it is braille, which of course

requires them to touch it, yeah,

for a hot surface warning sign. Now this sign actually has an interesting history, because once again, the email for today's podcast, I got everything wrapped up at the end of the evening and sent the email out last night.

So at this point, I think that was 11,314 recipients of the show notes, the summary of the podcast and a thumbnail of this picture that you could click on to get full size. They all received that last evening. So I'll just remind our listeners that that's available to anybody who wants to subscribe to the Security Now list. Um, a couple people said, I know what that's supposed to be, but that's not actually braille. And so I know why. This actually came from a listener who submitted a photo of this sign, well, a sign which said "Hot surface, do not touch," and then it actually had a line of true braille along the bottom. The problem was it was a photo taken off axis in bright sunlight, so it was washed out and it had like a big shining reflection of the sun on it. It's

pretty, actually. It didn't

make a... well, it didn't make a great stand alone photo. So I have this really cool perspective correction software. So I fixed the perspective and it looked fine, but it still didn't look great. So I thought, I wonder if AI can

come to my... This is AI

generated, yes. Wow. So ChatGPT now has an image facility.

It didn't used to be able to do text at all. This is remarkable.

I know. So I said, could you take a sign and like, improve the contrast and make it more legible, or something like that? And it said, yeah, happily. And so it thought about it for a minute, and it came up with a completely different sign.

I mean, it was like, like, as if I said, here's an idea, run with it, which is not what I said at all. And so, but I've learned from my friend that, you know, it really helps you to be polite, so I said, wow, that's really great, but could you make it a lot more like the original one that I uploaded? Oh, sure, be happy to do that. Well, and, well, no.

And I got this, which is still not what I started with and is also not braille, but it's the concept. So although, Leo, I have to say I am becoming astonished by what I'm seeing, this AI stuff. And I'm not a super experienced SQL coder, nor do I really program in PHP. But over the weekend, there was a chunk of code that I got from that, that is in the email system that I'm using. And you know, I mean, as we know, once you understand procedural languages, they all pretty much look the same.

You need to know how you do "not equals," which varies from language to language; do I put a semicolon at the end of each line or not, that kind of stuff. But so I could see what it is doing. But it was, as always, you know, because I prefer to code in assembler,

I'm wanting not just a solution, but like the absolute optimal solution. And it was doing something with SQL statements where it was doing late binding to protect against injection attacks. And I wanted to know how much of what I was doing I could reuse for a subsequent query without having to do all of the early stage setup.

So, yeah, and again, in PHP, I would have Googled for, I don't know, half an hour, poking around getting an understanding of each of these statements and exactly what context they require and how much they leave behind, blah blah blah. I thought, okay, I'll just ask ChatGPT, because it also now has an explicit coding assistant, they call it Canvas. And so I went there and I copied the statements that I wanted to understand, you know, in detail.

I removed some of the superfluous stuff and I pasted it in. I said, could you explain to me, if I want to make another query of the same sort, what this all does, and how much of it does not need to be repeated? I was just astonished. It's really remarkable.

I mean,

everything. I mean, it was, of course, just dumbed down, where every single statement, it explained what it was doing and then answered my question, which was, of all of that, how much was setup that I did not need to repeat when I wanted to reissue the query with a couple different parameters. I mean, I just thought, okay, this actually... No, I'm not asking it to help me with my assembly code because I'm

What you might be able to do, Steve, is give it a little test just to see

That's not even interesting. But here, I mean, it really, you know, this was where I wanted a quick answer without in-depth studying. So like without going and spending the time to dig through all of the individual definitions.

I use it for regular expressions, and it's very good at interpreting regular expressions. It would be good, very much like SQL queries. But I think the key with AIs, you have to know what its limits are. It really doesn't work by itself, but in conjunction with a human it can be very useful. You have to know what you're doing and know what its limits are.

Yeah, I used it for a VBScript a couple months ago. Again, not a language that I spend all my time in. And it gave me something that looked good and did not work.

But I saw where the error was. Yes, I was starting, and then I was able to fix it. So anyway, it is, I have to say, for some things it's just a time saver. So yeah, and I'm normally not looking to save time, but in this case it's like, I just want to get this out of my way. So okay.

So, um, I know from having created and written InfoWorld magazine's TechTalk column for eight years that the way things work in publishing, the authors of columns and news articles have absolutely no control over the title given to their work. Why that is true is something I've never understood. I complained about it back then when I was writing the column, and I was told, no, you don't do that.

We do that. And it's like, okay. So that's just the way it is. And as I said, I can't begin to tell you how many times I was distressed to see the headline one of my carefully thought out and crafted columns was given after it left my control and headed to the printer. It often, I kid you not, the headline bore no relationship to what I had written. It was just so annoying. And with that understanding, I can forgive the well meaning author of a piece that appeared last Monday, the 14th, in CSO Online. The headline of that piece could not possibly have been any more misleading than it was.

So I can only imagine what its author thought when they saw it in print. The incredibly provocative headlining question read, quote, "Chinese researchers break RSA encryption with a quantum computer." Did that happen? No, it didn't even remotely happen. It wasn't and still isn't even remotely close to happening. And there's no way to characterize what did happen as having broken RSA encryption. You know, breakage in cryptography has a very specific bone chilling meaning. And this isn't it.

Okay? So fortunately, to regain some sense of order to the universe, one only needs to read past that deliberately fictitious headline to the first sentence of the actual article, which says, quote, "The research team led by Shanghai University's Wang Chao found that D-Wave's quantum computers can optimize problem solving in a way that makes it possible to attack encryption methods such as RSA." Now, not nearly as catchy as "Quantum computers have broken RSA encryption." No. Okay, so basically, phrased another way, which is what happened, a very clever team of Chinese researchers discovered a better way to employ some characteristics of D-Wave's quantum computers against the prime factorization problem that lies at the heart of RSA's encryption protection.

Unfortunately, you know, as I said, the truth of the discovery makes for a much less exciting headline. Through the years of this podcast, we've talked a lot about the strength of RSA encryption, which lies entirely in the still surprisingly and thankfully intractable challenge of factoring extremely large, and when I say extremely large, I mean humongous, numbers into their two prime factors. The basis of RSA's extremely clever system is that we first choose a very large, as in 4096 bit large, you know, huge prime number at random, which turns out to be easier than you might expect.

There's lots of them out there. That's our private key. Then we hide the private key by choosing another similarly large 4096 bit prime number and then multiply those two primes to obtain an 8192 bit, and 8192 is two times 4096, bit product.

The product of those two primes is the public key, inside of which is hidden the private key. So if it were possible for some computer system to factor that even more massive 8192 bit public key, then that original private key that was hidden inside the public key could be revealed. And RSA's protection would then actually be in trouble.

And we use this encryption everywhere. So yes, it would kind of be the end of the world. The Chinese researchers explained in their paper, they said, quote, "Using the D-Wave Advantage, we successfully factored a 22 bit RSA integer, demonstrating the potential for quantum machines to tackle cryptographic problems."

That's all they said. We successfully factored a 22 bit integer. So, you know, news flash, quantum computers can be used to factor integers, very small integers at this point.

And if memory serves, the last time we looked at this a few years ago, other researchers were announcing their breakthrough by factoring a much smaller number, like I think it's like the factor thirteen or eleven or something, I mean like the number thirteen or eleven. So 22 bits, that's a much bigger number.

I have no doubt that this represents a significant discovery and yes, another breakthrough in the application of quantum computer technology for breaking cryptography. But at today's strength, where the public key that needs to be factored in order to retrieve the private key hidden inside it is 8192 bits, that is what you would need to factor. So, no, practical RSA factorization protection still appears to be entirely safe. At the same time, these sorts of breakthroughs, um, are what make cryptographic researchers nervous, which is why it's a good thing that our industry has already designed and is already deploying so-called post-quantum algorithms that no longer rely upon the protection offered by the factorization problem, and in fact what they do is believed to be completely intractable by quantum computing technology. And we talked about this before in the case of, for example, the Signal messaging application.

Um, they're already quantum safe. Um, but because these new quantum safe algorithms are still new and unproven, Signal took the belt and suspenders approach of using both the old and time proven as well as the new and hopefully safe but still not yet time proven algorithms at the same time. In that way, Signal's users are already protected, because the possibility of some true breakthrough in the use of quantum computers, you know, is there, but even if that happened, we would still have the fallback of traditional crypto. Um, even if quantum computers were able to crack one family of crypto, they're using both new and old. So anyway, I got swamped with email, not surprisingly, from our listeners who saw this headline. And of course, it got picked up and echoed around the industry. Oh my god, you know, the Chinese quantum computer researchers have broken RSA crypto.

No, didn't happen. Um, you know, this still... I mean, this is the way it's going to go, right? It's going to get chipped away.

Next generations of quantum computers will be able to increase the strength of this. Hopefully we will have moved, we will have migrated to post-quantum technology by that time.

And so when that eventually does happen, nobody will be using this technology any longer. So it's certainly foreseeable that that's the case. Okay.

Now, this happened over the weekend. A buddy of mine forwarded a scam PDF that had arrived in his email.

But the opening line of this particular scam is what caught my attention and thus made it into today's podcast. Although his email name, that is, his email account, does not have any aspect of his name in it, the PDF was correctly addressed to him with his full correct first and last name. And I'm going to read like the first third of it to give you a sense for it. So it was addressed to him, you know, first name, last name, comma, and it read: "I know that calling," and then it had his accurate phone number, area code, phone number, "or visiting you at," and then it had his full current residential street address, "would be an effective way to contact you in case you don't act. Don't try to hide from this. You have no idea what all I can do in" and then his city of residence.

I get exactly that

email daily. Okay, I had not seen that before, and

it's a PDF that's attached to the email. I'm not sure why that is either.

But exactly, it's a PDF that is attached to this, um. He was terrified. And then it goes on with, you know, the standard, how horrible you are, all of your videos that you're watching and so forth and blah blah. But what stood out for me, it finally ends up telling him that the only way to prevent this from being sent to all of his friends and family and contacts and social media accounts, all of which this creep alleges to have, is to pay $2,000 to a bitcoin address.

We actually... I was actually making fun of it because our local newspaper, the Santa Rosa Press Democrat, had a note: area residents have been fooled by this scam. But doesn't everybody get these emails all the time? I mean, you don't get these? I get them all the time.

I've never seen this.

Here's one, I'll show you. I can show you, because the addresses are an old address. I suspect this whole thing now is prompted by maybe the NPD leak.

That's exactly where I'm headed with this.

Let me show you mine. I mean, this is... and you can see, because look at the email address, "sha nei x DFT"; it's a completely fabricated email address, right? I can show this because it's not my current address, right? And this is exactly what you are talking about.

That is the email. You and

I get

this daily.

Steve, okay, I had never seen it. He had never seen it. And so for me, what was very clear was that this was driven exactly, as you said, by the fact that all of this data is now public. And I guess for me, what really yanked my heart strings is the idea of how many people are truly going to be terrorized by this. And again, obviously you're not, Leo, but I am absolutely sure that when people get this for the first time and they see their name, their phone number, their physical address, which they see... I mean, they don't know about the National Public Data breach, they still imagine they have this illusion of privacy, that like...

they have any privacy

now in the online world. And so they don't get it that this is some creep in Russia or North Korea who knows absolutely nothing about them, that has no ability to physically intimidate them at their residential street address, which they do have as a consequence of these data breaches. And, you know, I just think that, um, I'm glad that the newspaper is talking about this.

We should all be.

Yeah, yes. I really think that, you know, it would be a public service announcement to make sure that everyone understands that this is where we're headed, that our data is... You know, I suspect that the NPD breach was an example of this, but this is probably from Street View.

Google Street View, I would guess, this picture

actually even had the property. Yeah, those online tips about

covering your camera aren't as useless as they seem. So here's a giveaway to me. This is the same verbiage that's used when Chinese scammers say, I have your iPhone and you'd better take it off Find My iPhone.

They also use this line: you have no idea of what I'm capable of in your... Petaluma. And that, to me, is a little bit of a giveaway.

I'm going to say these are Chinese scams, and this is the same bunch of people who do a bunch of this kind of pig butchering stuff. It's really... too. But, yeah, I really fear for people like my mom, always

exactly, somebody who has never seen it before, who, again, has this illusion of privacy. The

modern world is, you know?

Yeah.

Very sad. Well, I guess we should... Too bad I don't do the radio show anymore. I made a habit of talking about these on the radio show,

hoping to reach them. Well, so obviously you were in touch with that kind of audience, and I'm sure you understood. I mean, they called up and said, oh, my god. So this is what people are going to do when they see this, and like, there's their phone number and their street address.

If you read it, it's terrifying. Yes, it is.

It is. And there is no need to read it, because a lot of people have seen these before. But it is absolutely...

You go through this. It is, and again, it is terrifying. So I had never seen that, all of that information.

"Keeping tabs on your pathetic existence for a while now. It's just your bad luck I discovered your bad deeds." Yes.

"And I've got footage of you doing filthy things in your house. Nice setup, by the way." Yeah, no. If somebody read this, they would... And again, if they didn't know better.

Yeah, that's the problem. Unfortunately, this is the world we live in now. That's what's really sad about this. This is just one of many. Somebody's saying they sent it as a PDF to evade email filters.

That's when I was sort of thinking, except that I thought, opening a PDF and looking inside... So we're at half an hour in, Leo. Let's take a break and then we're going to talk about what the European Union just did, and it's big news for software product liability. And I feel like we've

heard this, that we heard it was coming. I feel like we've talked about this.

Well, this landed, and wait till you hear.

Wait till you hear. Oh, boy, what they're

going to try to do? Oh, baby, it's such a big deal. I can't believe it's going to happen. I mean, it's like it's too big a change. Good.

Well, while we're getting ready for that, let me tell you about our sponsor for this segment on security. Now little company .

called flash come in in.

okay, because I don't from .

away and they know from.

I have these delicious japanese snack records.

neck records. You can continue decoded the rice bake to rice .

that I think they're just as, yeah, they have with subby sometimes. Yeah, no, I love them too much. Yeah, they're good for you, right? no.

Okay, here we go. This episode of Security Now is brought to you by Flashpoint. Now, for security leaders, 2024 has been a year like no other.

If you listen to the show, you know that, right? Cyber threats and physical security concerns have continued to increase. Now there's geopolitical instability adding a new layer of risk and uncertainty.

Let's talk numbers. Last year, and this blew me away when I saw this, there was a staggering 84 percent rise in ransomware attacks. That's almost double a 34 percent jump in data breaches.

And that's probably underreported. The result: trillions, trillions of dollars in financial losses and threats to safety worldwide. Now, I know you listen to this show because you want to keep up on this stuff.

I've got another solution that's really great. It's called Flashpoint. Now, you figure a government has intelligence agencies, right? That's why we have intelligence agencies: to keep their ears to the ground, to keep an eye on what's happening so that we can get advance warning.

What about businesses? That's what Flashpoint does. Flashpoint empowers organizations to make those mission-critical decisions to keep their people and assets safe.

And it does it by combining cutting-edge technology with the expertise of world-class analyst teams. And now with Ignite, which is Flashpoint's award-winning threat intelligence platform, you get access to everything you need: critical data, finished intelligence.

You get alerts and analytics, all in one place. It helps you maximize your security, your existing security investments, and it saves you money. Some Flashpoint customers avoid half a billion dollars in fraud loss every year and have a 482 percent ROI in just six months.

No wonder Flashpoint earned the Frost & Sullivan 2024 Global Product Leadership Award for unrivaled threat data and intelligence. I didn't know this category existed, Steve, until I talked to these guys. It's really cool.

Let me give you a quote. I can't say the name of the financial institution; you would know the name. This is the SVP of Cyber Operations at a large U.S.

financial institution. He said, quote, Flashpoint saves us over 80 million dollars in fraud losses every year. Their proactive approach and sharp insights are crucial in keeping our financial institution secure.

They're not just a solution; they're a strategic partner helping us stay ahead of cyber threats. Information is everything in this, right? It's no wonder Flashpoint is trusted by both mission-critical businesses and governments worldwide.

Yes, governments even use Flashpoint to access the industry's best threat data and intelligence. Visit flashpoint.io today. Flashpoint.io: the best data for the best intelligence to keep you safe.

Flashpoint.io. What an interesting business. I had no idea that these businesses, that this even existed, but it makes sense, right? Governments have intelligence agencies.

Businesses need to do the same. I know why you listen to this show. Same thing, right? All right. On we go, Mister Gibson.

Okay. So as our long-time listeners know, one of this podcast's longest-standing observations has been over the distortion in the software industry created by software license agreements that universally disclaim any and all responsibility for any consequences of the use and operation of the software.

The wheels don't fall off of the cars which we drive, only because it would be the end of any automaker whose car wheels did fall off, because, you know, the rigid enforcement of product liability would end that company's existence overnight. But that has never, bizarrely, been the situation in the software business, where software users have no choice other than to contractually sign away all of their rights in a software license agreement in return for the privilege of using the software, regardless of its quality. It's like, oh, you don't want to use it? Fine, don't sign this.

But if you agree, then, you know, we are not making any representations about the product's quality or its fitness for any particular purpose. That language is in all of those license agreements. So our listeners also know that I one hundred percent understand that mistakes happen and that, you know, the perfect operation of a complex software system can be impossible to achieve. But at the same time, through the years of this podcast, we've examined instance after instance of the consequences of deliberate policies, not mistakes, that can only be characterized as enabling continuing egregious conduct on the part of some software producers.

This conduct and the policies that enabled it are explicitly protected by the license agreements under which software is used. And I've also often wondered here when and how this will change, because it feels like it's wrong, the way things are today. Well, change may be coming. I don't know what to make of this next piece of major earth-shaking news, because the changes that the European Union proposes to make in its product liability laws, to explicitly include software liability while at the same time eliminating software licensing exemptions, seem too radical to actually occur.

But it is. It has actually happened, you know? So anyway, time will tell. And the fact that this is moving into law certainly means something, even if that doesn't happen immediately or at full strength.

And I should note that it doesn't come into effect for twenty-four months. So that gives some time for something to happen. I'm not sure why they installed this...

two-year time delay, but we're going to find out. Okay. So let's back up a bit and explain what's in the works.

The first clue that I had about this was from the first news item in the most recent Risky Business newsletter. Here's what he describes, and listen to this carefully, because this is it. They wrote: The European Union has updated its product liability law to cover software and associated risks like security flaws and planned obsolescence.

The new EU Directive on Liability for Defective Products replaces one of the EU's oldest directives, and will provide consumers with legal tools to hold companies liable in court if they sell defective products. The biggest change to the old directive is the addition of software products to the list of covered goods.

Companies that sell or want to sell in the EU will have to make significant changes to how they are currently doing business if they have failed to invest in proper software development and cybersecurity practices. The new directive extends liability to vendors for software that contains security flaws, wow, where those flaws lead to any damage to consumers. This includes both physical damage caused by defective or insecure software, but also material damage such as loss of functionality and features, loss of financial assets, and others.

The directive also classifies the lack of a software update mechanism to be a product defect that makes the vendor liable. Software vendors are also forbidden to withhold information about a software update's negative impact. The only exemption in liability coverage is when the software update requires the consumer to manually install an update. But generally, the directive sees vendors as liable as long as they have control over their product after a sale.

The directive also extends liability to vendors who use any type of planned obsolescence system to artificially reduce the lifespan of their products. And I have to say, some of this reads like, you know, touching on the fringe of some of the things that we've seen Apple doing over time. They said this includes software designed to slow down a device, hardware components engineered to fail after a certain period, or an update that degrades a software's performance.

It's aimed at Apple.

Yes. There, in order to entice users to move to a new service tier or product, companies can also be held liable for misleading consumers about a product's durability, reliability, or expected lifespan. The directive requires victims to prove a product's defectiveness, but it also adds a new legal mechanism to force vendors to make required evidence available.

The new rules exclude free and open source software from their requirements. The new directive was approved earlier this year by the EU Parliament and earlier this month by the EU Council. It is set to go into effect in twenty-four months, in the fall of 2026.

Okay, now I trust Catalin's reporting, but I needed to see this for myself, and our listeners need to hear this. So I found the sixty-three-page document from the EU, and I've got the link to it there in the show notes at the bottom of page five, Leo. And as far as I can see, he did not get anything wrong. Okay. So I'm just going to pick and choose a couple of paragraphs from the whole document to give everyone a taste of this. After a bit of explanation about how and why the very old previous directive is no longer useful, this new directive explains that rather than attempting to edit and amend the old one, it is being replaced in its entirety by this new directive, and that brings us to paragraph six, which says: In order to ensure that the Union's, your European Union's, product liability regime is comprehensive, no-fault liability for defective products should apply to all movables, including software, including when they are integrated into other movables or installed in...

immovables. What is a movable?

A movable...

Like a...

phone? Yeah. Do they actually describe it? I think it was earlier, but they were saying "including software," which is what I keyed on. And just so everyone is clear about the legal definition of no-fault liability, an example I found online says no-fault liability is the legal responsibility to compensate someone for an injury even if you were not negligent or at fault.

For example, if you own a dangerous animal and it hurts someone, you're responsible for their injuries, even if you didn't mean for that to happen. Okay. So it's clear that, from the standpoint of a software publisher, unintentional damage will not waive their liability under this new directive for any damage it may cause. Paragraph thirty explains: Products in the digital age can be tangible or intangible. Software, such as operating systems, firmware, computer programs, applications or AI systems...

and by the way, AI also figures heavily here... is increasingly common on the market and plays an increasingly important role for product safety. Software is capable of being placed on the market as a standalone product or can subsequently be integrated into other products as a component, and it is capable of causing damage through its execution. In the interest of legal certainty, it should be clarified in this directive that software is a product for the purposes of applying no-fault liability, irrespective of the mode of its supply or usage, and therefore irrespective of whether the software is stored on a device, accessed through a communication network or cloud technologies, or supplied through a software-as-a-service model. Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books, or the mere source code of software. A developer or producer of software, including AI system providers,

should be treated as a manufacturer. And this is followed by paragraph fourteen, which fully exempts open source software. It reads: Free and open source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licenses that allow anyone the freedom to run, copy, distribute, study, change and improve the software.

In order not to hamper innovation or research, this directive should not apply to free and open source software developed or supplied outside the course of a commercial activity. Since products so developed or supplied are, by definition, not placed on the market, developing or contributing to such software should not be understood as making it available on the market. Providing such software on open repositories should not be considered as making it available on the market unless that occurs in the course of a commercial activity.

In principle, the supply of free and open source software by non-profit organizations should not be considered as taking place in a business-related context unless such supply occurs in the course of a commercial activity. However, where software is supplied in exchange for a price or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, this directive should apply. Then we have the question of products that are enhanced by or dependent upon external services.

Where does liability lie then? Paragraph seventeen says: It is becoming increasingly common for digital services to be integrated into or interconnected with a product in such a way that the absence of the service would prevent the product from performing one of its functions. While this directive should not apply to services as such, it is necessary to extend no-fault liability to such integrated or interconnected digital services, as they determine the safety of the product just as much as physical or digital components.

Those related services should be considered components of the product into which they are integrated or with which they are interconnected, where they are within the control of the manufacturer of the product. Examples of related services include the continuous supply of traffic data in a navigation system, a health monitoring service that relies on a physical product's sensors to track the user's physical activity or health metrics, a temperature control service that monitors and regulates the temperature of a smart fridge, or a voice assistant service that allows one or more products to be controlled by using voice commands.

Internet access services should not be treated as related services, since they cannot be considered as part of a product within a manufacturer's control, and it would be unreasonable to make manufacturers liable for damage caused by shortcomings in internet access services. Nevertheless, a product that relies on internet access services and fails to maintain safety in the event of a loss of connectivity could be found to be defective under this directive. And finally, I was thinking about the exclusion that is always present in license agreements, which, as we know, has been a hobby horse of mine.

This addresses that directly. Paragraph fifty-six of the legislation says: The objective of protecting natural persons would be undermined if it were possible to limit or exclude an economic operator's liability through contractual provisions. Therefore, no contractual derogations should be permitted. For the same reason, it should not be possible for provisions of national law to limit or exclude liability, such as by setting financial ceilings on an economic operator's liability. Okay, now, not being trained in the law, I cannot render any opinion about the eventual impact of what the European Union has just done.

But I can read, and what should be abundantly clear is that a sea change of some sort is coming to the product liability side of the software industry, at least as it applies in the European Union. Even if this is met with a great deal of industry pushback, and it's difficult to imagine that it won't be, it appears that the past half century of software publishing, operating with impunity in a world without accountability or consequences, may be approaching its expiration date. Over the past fifty years, software and the internet have gradually grown to become truly mission-critical, but many older aspects of the way things have always been done have remained in place due to, you know, inertia. And no immediate forcing of change, nor tools, have been created that, you know, could enable software to be...

and we've talked about this... significantly more robust than it is today. But programmers still choose to recklessly code in crazy, unsafe and unmanaged languages like C and assembly. Imagine that. You know, we've seen reports of major projects being deliberately recoded in fast and safe languages, which will at least be able to deal with ridiculously persistent errors, you know, such as use-after-free, that keep causing problems and continue to plague today's code.

But these deliberate and expensive recoding efforts remain the few and far between exceptions that they are. It needs to become the norm. So it may be that legislation such as the EU...

has just put in place, having a twenty-four-month grace period before it goes into effect, will up the ante and finally induce serious consideration of how future coding should be accomplished to reduce the incidents that might subject its publisher to warranted product liability claims. And, you know, I just dissed two of my favorite languages. Let me be clear.

It is entirely possible to write safe and secure code in C or assembly, of course. It's just far more expensive to really do so. Here, you know, the flight computers controlling both the American shuttle program and the two Voyager space probes, they were hand-coded in assembly language.

And they both proved to be extremely reliable accomplishments. It all boils down to economics. We know, we know that I write everything in assembly language and that none of what I produce has ever had a problem with bugs.

I rarely revise my product, my final product, other than to add new features, but I also have the unusual freedom of not having a boss and, more importantly, not writing under any sort of delivery deadline. That's not a luxury most of the world's coders enjoy. So for nearly everyone else, the thing that makes the most economic sense is using next-generation memory-safe languages.

That's the only strategy that makes sense for keeping uncaught errors from turning into exploitable security vulnerabilities. So I'm going to be keenly interested to see what comes of the EU's new software liability legislation. I mean, it is a big deal. It's coming here, too.

Well, this is part of the Biden administration's national cyber strategy they announced last year, with software liability. And that's for security reasons as much as for liability reasons.

Look at the problems we've had, like Microsoft doesn't update that one old tenant and China gets into the U.S. government agencies' email. I mean, I'll never forget...

the first shrink-wrap license I saw, which was probably for an Atari 800 in the eighties. And reading the lines: we make no warranty that this software is usable for anything, will do anything, is going to do what we say it's going to do.

It's not our fault. Complete disclaimer of all responsibility. I...

was going to blow... I was like, wow.

Really touching. Yeah.

But I understand people don't have the confidence in software, and they never have. Didn't the DoD adopt Ada as an attempt to have a secure programming language that would be reliable? And what happened to that initiative?

I don't know. People were still programming in COBOL.

And at the time, it was supposed to be memory safe, memory hard. It was very strongly typed. I think programmers didn't like it because it was so strongly typed.

It required a lot of boilerplate code, and they really liked doing that. That was my sense of it. But for whatever reason, I don't think it's widely used anymore.

No, I think there's no question that we have so much computing power now that we can afford to sacrifice some strict level of efficiency in trade for security, and in trade for using a language that protects the programmer.

And, you know, if I were counseling people, and I know we have listeners in college and at the high school level who are wondering what they should do, I would not... Everyone argues that learning assembly language, for example, which is basically machine language using mnemonics to make it more intelligible, is useful to really understand what's going on down at the hardware level in the computer. And I can't argue with that.

But if you want to get a job and you want to be in demand, I bet you that the future is in being really up to speed on secure, safe computer programming. I think that's where we're going ahead. I mean, initiatives like this are going to change... Again, it's about economics. You know, that's the driver, and a lot of inertia, too. And we know that, you know, the only way I'm going to quit programming assembly is when I'm buried.

Yeah, and you know, people are mentioning in the chat room Rust, which is Mozilla's. What? Yeah, yeah.

But there are other choices out there. I mean, this is definitely a movement among coders. People who write languages are definitely...

working on this. And one of the things that we see, Leo, is these changes occur. And so the industry has been dabbling around these things, and, you know, it all began in academia, where all kinds of wacky languages exist.

To explore the idea, it takes a long time for them to actually move from there, and you have to have people who know them. So I would seriously look at Rust or another language whose entire purpose is security, because programming secure applications is coming. Good.

Sport time .

The BleepingComputer headline was: Microsoft warns it lost some customers' security logs for a month. And TechCrunch reported under the headline: Microsoft said it lost weeks of security logs for its customers' cloud products. And since going to the source is usually best,

I tracked down Microsoft's own report of this. Under the section titled "What happened," Microsoft wrote: Starting around 23:00 UTC on September 2, a bug in one of Microsoft's internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform. Okay, no one knows what any of that means, but it sounds good. This resulted in partially incomplete log data for the affected Microsoft services.

This issue did not impact the uptime of any customer-facing services or resources. It only affected the collection of log events, which, you know, we call putting a good face on it. They said, additionally, this issue is not related to any security compromise. Except, as it would have been nice to have logs so you could detect security compromises, which you can't detect if you don't have logs.

But the next sentence is the one that got me: The issue was detected on September 5. Following detection, our engineering teams began investigating and implemented a temporary workaround to reduce the impact of these failures beginning on September 19. Now, okay, those dates caught my eye. They say that the issue was detected on the fifth of September and that their engineering teams began investigating and implemented a temporary workaround to reduce the impact of these failures beginning September 19.

In other words, two weeks lapsed between their initial detection of this issue and their beginning to investigate and implement a temporary workaround. It sounds as though logging is not an urgent priority for them, though after all the problems they've had surrounding a lack of logging for their customers, one would really imagine that it might receive more attention. I guess not. Okay. DJI sues the DoD.

The DoJ?

The DoD.

Not the DoJ. They're suing the...

Defense. That's all. You're right, right? The Department of Defense. Starting... yes, yes. So DJI, the Chinese manufacturer of what are arguably the best small consumer drones, everybody does, yes, has sued the United States Department of Defense over the DoD...

the DoD's listing of them as agents of the Chinese military. The Reuters news service carried the news, which contains some interesting details. They wrote: Washington, October 18 (Reuters). China-based DJI sued the U.S.

Defense Department on Friday for adding the drone maker to a list of companies allegedly working with Beijing's military, saying the designation is wrong.

That is, DJI is saying the designation is wrong and has caused the company significant financial harm. Yeah, no kidding. DJI, right? Reuters: the world's largest drone manufacturer that sells more than half of all U.S.

commercial drones, asked the U.S. district judge in Washington to order its removal from the Pentagon list designating it as a Chinese military company,

unquote, saying it, quote, is neither owned nor controlled by the Chinese military, unquote. Being placed on the list, they write, represents a warning to U.S. entities and companies about the national security risks of conducting business with them. DJI's

lawsuit says because of the Defense Department's, quote, unlawful and misguided decision, unquote, it has, quote, lost business deals, been stigmatized as a national security threat and been banned from contracting with multiple federal government agencies, unquote. Yeah, that would happen.

The company added U.S. and international customers have terminated existing contracts with

DJI and refused to enter into new ones. DJI said on Friday it filed the lawsuit after the Defense Department did not engage with the company over the designation for more than sixteen months, saying, quote, it had no alternative other than to seek relief in federal court, amid strained ties between the world's two biggest economies.

The updated list is one of numerous actions Washington has taken in recent years to highlight and restrict Chinese companies that it says may strengthen Beijing's military. Many Chinese firms are on the list, including aviation company AVIC, memory chip maker YMTC, China Mobile and energy company CNOOC. DJI is facing growing pressure in the United States.

Earlier last week, DJI told Reuters that Customs and Border Protection is stopping imports of some DJI drones from entering the United States, citing the Uyghur Forced Labor Prevention Act. DJI said no forced labor is involved at any stage of its manufacturing. U.S. lawmakers have repeatedly raised concerns that DJI drones pose data transmission, surveillance and national security risks, something the company rejects.

And finally, last month, the U.S. House voted to bar new drones from DJI from operating in the U.S.

The bill awaits U.S. Senate action. The Commerce Department said last month that it is seeking comments on whether to impose restrictions on Chinese drones.

That would effectively ban them in the U.S., similar to proposed Chinese vehicle restrictions. Okay. So we've talked about this previously, so this is not surprising.

And this is one of those situations, I think, where it's entirely possible to see the logic being applied by each side of this argument. It cannot be argued that nothing could ever make a more perfect spying device than a camera-equipped flying drone. You know, they are, by definition, flying cameras, and DJI's are among the best.

We previously talked about how DJI drones are being actively used within military bases in the U.S., and even on secret military bases. And DJI drones receive software updates. So it's theoretically possible, again, theoretically, for the Chinese government to order DJI, a Chinese manufacturer, to alter their firmware so as to turn their drones into active spying cameras. And whether or not it's fair, theoretical or what, that keeps our military planners and our generals up at night.

The only way I can see for this to work would be for DJI to essentially create a wholly separate U.S. version of DJI as an independent U.S.-based division.

DJI China could produce the drone chassis and all the hardware, which is where the majority of the cost and value lies, with the sole exception being the drone's circuit board, which would be manufactured in the U.S. using U.S.-known components which have been sourced for that purpose.

And that U.S. DJI drone control board would then be flashed with firmware that had been audited and inspected by technical representatives of the United States. DJI would need to establish camera footage uploading cloud servers in the U.S.

without any ties to China. And the only connection would be the receipt of, you know, brainless drone chassis from China. This would all obviously represent a huge burden and a cost for DJI.

But I can't see reaching any other compromise. It's not strictly fair.

But the danger, even if only theoretical, is so great that I think DJI will need to consider some sort of a solution along these lines, you know, if they want to keep the U.S.

market. Unfortunately, you know, we are a big market for them. And tensions are on the rise between the U.S. and China, and not without cause. I mean, you know how many times, Leo, we've talked about, you know, Chinese-sponsored cyber attacks on the U.S., inside the U.S. And so of course tensions are going to be high, and presumably we're giving as well as we get, right?

I'm sure that the Chinese would have no hesitation in banning U.S. drones in the Chinese market if such things existed. That's one of the reasons we don't make them in the U.S.

Historically, China has been very unfair to U.S. importers.

One of the reasons the drones took off shortly after the iPhone came out... I remember going to CES, yes, and I saw my first drones in the parking lot at CES in the late two thousands, two thousand eight or nine.

And the reason was, we taught Chinese manufacturers to make all these components. They started to make them in quantity, like accelerometers, and then started putting them in their own products. And I mean, that's ideally how things should work.

Frankly, it's really... it is a real shame. Those DJI drones are amazing. They just released a brand new one that's a two hundred X and impossible to crash. I mean, it's just... it's very... But I also completely understand the concern, because you're right. This would be perfect.

Yeah, yeah. And what...

normally uploads to the cloud? I mean, you could disable that feature. That's not critical to their functionality. I don't know if that would...

make it better. Well, and of course the problem would...

be they could do it anyway. Yeah, well, because they are...

not internet connected, exactly, in some way, arranging to make that verifiably the case. Yeah, it's a change. Let's take a break. And then we're going to talk about the Department of Defense Operations Command wanting to acquire sophisticated deepfake... actually, this is the DoJ this time... deepfake capability.

No, no, I'm not... DoD. I was stuck on the DoJ for some reason. Well...

all the D's overlap a little bit, so I understand. We'll get right back to this fascinating topic in just a moment. But first, a word from our sponsor for this segment on Security Now.

Lookout. I just want to go, "Lookout, lookout, lookout." And when you listen to the show, you might be saying, "Oh my God, look out."

Today, every company is in the business of managing data, right? That means every company is at increased risk of data exposure, data loss. That's what we talk about on the show. The cyber threats, breaches,

leaks, and everybody...

Cybercriminals are getting more sophisticated every day. Modern breaches happen almost instantly. It doesn't take a long time: minutes, not months. At a time when the majority of sensitive corporate data has moved to the cloud, the traditional boundary no longer exists, and the strategies for securing that data have fundamentally changed.

Enter Lookout. From the first phishing text to the final data grab, Lookout stops modern breaches as swiftly as they unfold, whether on a device, in the cloud, across networks, or working remotely at the local coffee shop. Lookout gives you clear visibility into all your data, at rest and in motion. You can monitor, assess, and protect without sacrificing productivity for security. And with a single unified cloud platform, Lookout simplifies and strengthens, reimagining security for the world we live in today.

Visit lookout.com right now. Learn how to safeguard data, secure hybrid work, and reduce IT complexity. That's lookout.com. Thank you, Lookout, for supporting the good work Steve does here at Security Now. Thank you for supporting us by, if they ask, saying, "Hey, I heard of it on Security Now." lookout.com. Back to you, Steve.

The Intercept reports that our U.S. Department of Defense is in the market for sophisticated deepfake technology. The Intercept headline was "The Pentagon Wants to Use AI to Create Deepfake Internet Users," with the subhead, "The Department of Defense wants technology so it can fabricate online personas that are indistinguishable from real people." And once again, I find the details of this quite interesting. Here's the start of The Intercept's coverage of this.

They wrote: "The United States' secretive Special Operations Command is looking for companies to help create deepfake internet users so convincing that neither humans nor computers will be able to detect they are fake, according to a procurement document reviewed by The Intercept. The plan, mentioned in a new 76-page wish list by the Department of Defense's Joint Special Operations Command, or JSOC, outlines advanced technologies desired for the country's most elite, clandestine military efforts. The entry reads: 'Special Operations Forces

(SOF) are interested in technologies that can generate convincing online personas for use on social media platforms, social networking sites, and other online content.' The document specifies that JSOC wants the ability to create online user profiles that, quote, 'appear to be a unique individual that is recognizable as human but does not exist in the real world,' unquote,

with each featuring multiple expressions and government identification-quality photos. In addition to still images of fake people, the document notes, quote, 'the solution should include facial and background imagery, facial and background video, and audio layers,' and JSOC hopes to be able to generate selfie video from these fabricated humans. These videos will feature more than fake people.

Each deepfake selfie will come with a matching fake background, quote, 'to create a virtual environment undetectable by social media algorithms.' The Pentagon has already been caught using phony social media users to further its interests in recent years. In 2022, Meta and Twitter removed a propaganda network using fake accounts operated by U.S. Central Command, including some with profile pictures generated with methods similar to those outlined by JSOC. A 2024 Reuters investigation revealed a Special Operations Command campaign using fake social media users aimed at undermining foreign confidence in China's COVID vaccine.

Last year, Special Operations Command, or SOCOM, expressed interest in using video deepfakes, a general term for synthesized audiovisual data meant to be indistinguishable from a genuine recording, for, quote, 'influence campaigns, digital deception, communication disruption, and disinformation campaigns.' Such imagery is generated using a variety of machine learning techniques, generally using software that has been trained to recognize and recreate human features by analyzing a massive database of faces and bodies. This year's SOCOM wish list specifies an interest in software similar to StyleGAN, a tool released by NVIDIA in 2019 that powered the globally popular website This Person Does Not Exist. Within a year of StyleGAN's launch, Facebook said it had taken down a network of accounts that used the technology to create false profile pictures.

Since then, academic and private-sector researchers have been engaged in a race between new ways to create undetectable deepfakes and new ways to detect them. Many government services now require so-called liveness detection to thwart deepfake identity photos, asking human applicants to upload a selfie video to demonstrate they are a real person, an obstacle that SOCOM may be interested in thwarting." And of course, this struck home with me because, as I shared last week, I was asked to hold my ID up next to my head and then move my hand around behind it and in front of it, while talking to a digital person to verify my liveness. So, Leo, we are nowhere near Kansas, and we are also a long way from Mayberry. Wow.

Honestly, I mean, this is in response to the Russians doing the same thing,

right? Well, exactly. And as we know, North Korea has been signing up their own operators and pretending to be, you know, domestic job seekers in order to infiltrate U.S. enterprises.

Yeah, I think a lot of this is for social networks. I mean, Twitter, or X, is full of Russian cutouts pretending to be Americans with fairly plausible identities. And I am sure that we're just trying to do the same thing right back. I mean, it's inevitable,

I guess. And we live in a society where, you know, the things that our government is doing like this are not top secret. It's like, this is where we are. We put out a requisition saying, this is the technology that the Department of Defense needs help...

are going to do this.

Wow. Okay. And I just love this next piece. While we're on the subject of things being faked,

Microsoft is running a massive deception campaign that is providing phishing sites with fake credentials. The credentials lead to Azure tenants for fake companies. So, in other words, Microsoft has bots which are reading email to detect phishing.

When such phishing is detected, these bots visit the phishing site on purpose, pretending to be actual people who have been fooled by the phishing campaign. But the phishing-victim bots provide fraudulent login credentials, which in turn lead to fake company sites which have been established in Azure cloud tenants. So basically, they're beating the bad guys that have created phishing sites by leading them to believe that a real person got caught up in this and then provided their credentials.

Microsoft said that threat actors then use the credentials to log into these Azure honeypots in around five percent of the cases, but that's still one in twenty, and that's sufficient. Microsoft then uses the data that they collect from the honeypot to learn of, discover, and document new techniques that the bad guys are using. And it said it takes around twenty days for the threat actors to catch on to the deception and to stop logging into the accounts. But by then, Microsoft has collected all the data they need.

Good. So, stay time, guys. Yes.

So now I suppose, if this is what they were doing instead of fixing their problem with broken logging for a couple of weeks, I ought to cut them a bit of slack, because this sure seems wonderfully proactive.

It's a big company; they do two things.

Maybe, maybe three. Justin Long wrote, saying: Hey, Steve, after listening to your coverage of BIMI, the technology behind BIMI seems solid. However, I would never even tell a user about this, let alone have them rely on it. It is the kind of thing that gets simplified down to "it's easy.

Just look for the logo and you'll know it's safe." My fear is that the scammers will start including logo files in the body of the email with "verified by BIMI" next to it. Then, he said, as an example, Gary in accounting sees a logo and thinks it's safe to click on it.

In my opinion, he writes, BIMI doesn't do anything to help the problem. If anything, it provides a false sense of security to most, to the most risky users. He says, thanks for everything you do. This podcast helps me every episode. Justin.

So this was my exact concern as well: you know, how do you know it's real?

And for the record, I completely agree with Justin. I like the idea of having GRC's logo appearing in those boxes where anyone's BIMI logo might appear. And while, as we saw last week, it could be quite a royal pain in the butt to get it to happen for GRC's weekly podcast mailings and for our other much less frequent software update mailings, for the moment at least, if only as an experiment, it's worth it to me.

But I think it's clear that email is already so messed up that all this can ever be is just, you know, an opportunistic way for those who care enough to make that happen to have their corporate identity represented in the inboxes of any recipients whose clients will do so, and nothing more. Now, the reason that I believe these BIMI guys created all of this almost nutty-seeming, over-the-top security

is that anything we do moving forward, and this comes back to what language should you now learn, anything we do moving forward should be as secure as we can make it.

As I noted at the end of last week's exploration of BIMI, our industry has continually set the bar too low out of a fear of low adoption from setting the bar too high. We could argue that FIDO 1, the first FIDO, which absolutely, positively required hardware tokens, you know, separate physical dongles, never got off the ground because that bar was set too high.

And it turned out FIDO was wrong. The world did not rush to go buy tokens for this. But as soon as they loosened that up and allowed, you know, our smartphones and biometric-login computers to also be FIDO clients, then suddenly we got passkeys, and it actually happened. So, I mean, there really is something about that.

But in the case of email, I think this is the right thing to do. So anyway, if it turns out that this also serves as another signal for spam filtering, then I'll be happy for GRC to get the credit for having an officially approved BIMI logo for those providers who care. But otherwise, I agree, and I agree with your point too, that it's just a little... it's asking too much to put too much behind it.

At the same time, our second listener, Kevin Dish mdt, wrote. He said, oh, he's currently the head of technology at CURE International but was earlier at the mail, who is one of the participants in this whole BIMI effort, so he is well acquainted with BIMI. He sent a sample and wrote, this is how Mastercard emails appear in my Google Workspace email. He said, notice the blue checkmark and the text when hovering over it.

And sure enough, in his case, there is a little blue seal with a checkmark. And if you hover over it, you get a little pop-up that says, the sender of this email has verified that they own mastercard.com and the logo in the profile image.

And then it has a highlighted link labeled "Learn more," where if you click on it, you have BIMI explained to you. So Google is surfacing more than just the logo, which, as we've often seen, can just be a website's favicon; you know, it just pulls the icon from there.

But here, Google is showing a little blue checkmark, so we'll see where this goes. And that's it for feedback. As I said at the top of the show, I had initially planned to have more, but there was so much cool stuff to talk about that gets us to this point, where we need to talk about Credential Exchange Protocol, that I didn't really have any time for more. So, Leo,

let's take our last break, okay? And then we are going to look at how it's being made possible for providers of passkeys, no, collections of passkeys, to move them between environments. Excellent.

We will get back to this most important topic of the Credential Exchange Protocol in just a moment. You know, Steve, the whole point of the questions and answers is just to get your thoughts on things. So as long as... I mean,

the whole show. There are so many.

We love our beautiful community. They really are an amazing group. If you are in the Security Now community, thank you. If you're not yet a member of Club TWiT, please join. We would love to have you in the club: seven dollars a month, an ad-free version of this show, all the shows' content, additional content that is exclusive to the club, access to the Discord.

But mostly, what you're doing is making sure that we get to keep doing the show and all the shows that we do. It does not go to my pocket. It goes to our incredible... and the equipment and all of that stuff. It's not cheap to do this. It's gotten cheaper.

We've tightened the belt, but we need your help. twit.tv/clubtwit, if you are interested. Our show today is brought to you by another one of our favorites, Steve: Bitwarden, the open-source password manager offering a cost-effective solution, free in many cases, that can dramatically improve your chances of staying safe online. I think everybody listening to Security Now is probably pretty clear that a password manager is crucial to staying safe online.

But I also think a lot of you probably have friends and family who persist in making up their password based on their pet's name and their birthday and their mother's maiden name or whatever. Plus they reuse that again and again, everywhere. We know how dangerous that is. Get Bitwarden. Get them to get it. It's free forever for individuals because it's open source, so at least they don't have the excuse,

"Well, I don't want to spend any money on this." No, you don't have to. It's free.

And now is a good time to get them using it, because the big holiday shopping season is here, right? We just had Prime Days; we've got Black Friday, Cyber Monday. People are going to be going online and buying stuff.

And the bad guys know that. So the phishing schemes come out in droves. Peak security is a must-have for your online shopping, and Bitwarden has helped you with the expansion of their inline autofill capabilities within the Bitwarden browser extension.

They've had this pretty much forever, where your browser extension, the Bitwarden browser extension, fills in the password on the login page. Now, that's very helpful, because it won't do it on a phishing page. It knows that's not the right page, so it won't do it. Well,

now you can add to that capability credit cards, charge cards, identities, and passkeys, with the same kind of protection. It benefits everybody. It gives you a more secure interaction with web forms. You're much less likely to get phished for your payment details, your contact info, your addresses, and more.

This is so important. I just wish I could get everybody to just use Bitwarden. And for business, it's not free, but it's worth it. It's very affordable, and you get all the features you would want in business, for instance, its unparalleled SSO integration, and very flexible.

You can quickly and easily safeguard all your business logins using your single sign-on security policies, fully compatible with SAML 2.0 and OIDC. Bitwarden will integrate beautifully, smoothly with all your existing SSO solutions. This is a very easy upgrade to your security. Thousands of businesses, including some of the world's largest organizations, trust Bitwarden to protect their online information.

The Bitwarden open-source code can be inspected by anybody. It's on GitHub. It's regularly audited by third-party experts.

So you know it's doing exactly what it says. Switching to Bitwarden is easy. It just takes a couple of minutes.

They support importing from most password management solutions. So if you already have a password manager, it's easy to switch to try Bitwarden. You can do both.

By the way, before I moved to Bitwarden, I had several. In fact, I still do have several password managers running. It's very easy to go back and forth, but the one I use day in and day out is Bitwarden.

I just love it. Get started with Bitwarden's free trial of the Teams or Enterprise plan, or get started for free forever. Unlimited passwords across all devices: iOS, Mac, Windows, Linux, Android. As an individual user, it's free forever. It even supports passkeys, hardware keys, those FIDO keys you're talking about. bitwarden.com/twit.

We use it. We love it. We recommend it to everybody, especially those friends of yours who are still putting their passwords on Post-it notes on the side of the screen. bitwarden.com/twit.

Thank you, Bitwarden. I know

you're doing important work, and thank you for supporting the important work that Steve Gibson is doing here on Security Now. All right, let's talk about this. We're talking about, yet, passkey portability.

So I should caution everybody that all we have so far is an outline of the protocol. The most recent version of the specification still has a long way to go before it's ready for the world.

For example, what I found in the most recent documents looks like, and I put a sample of a snapshot in the show notes, a section 4, under Usage Guidelines, it says: offer guidelines for using the CXF format to import and export credentials securely. What a programmer would call a stub, that's right. And then 4.1, Importing Credentials: explain the steps and considerations for importing credentials using the CXF format. And not surprisingly, 4.2, Exporting Credentials, says: provide instructions for exporting credentials

to the CXF format. So they know

what they're going to say, but they haven't gotten around to saying it yet. And I don't even know if they've gotten around to working out the details. Yeah, that's the key. In other words, we have an almost complete lack of meat on this particular bone.

I have no doubt, though, that the various participants are all rolling in the same direction and that they fully intend to turn this into an actionable specification document at some point. But at this moment, what we have is evidence mostly of good intentions. However scant it may be, there is enough here to piece together a coherent picture of the system's operation. We're far short of having sufficient information to create a working implementation.

I don't even know that one exists yet, but we're going to be able to get a feel for how the system works. Okay. So let's begin with the news coverage Wired offered eight days ago. This is what clued us into it last Tuesday, and it had happened the day before, on October 14th, which was the day of the big FIDO Alliance Authenticate conference held in Carlsbad, California. Wired wrote:

"The password-killing tech known as passkeys has proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point. At the FIDO Alliance's Authenticate conference in Carlsbad, California, researchers announced two projects that will make passkeys easier for organizations to offer and easier for everyone to use.

One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms. Andrew Shikiar, CEO of the FIDO Alliance, told Wired: To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords.

And when it comes to CXP, we have all these companies, who are fierce competitors, willing to collaborate on credential exchange, he said. CXP comprises a set of draft specifications, very draft, developed by the FIDO Alliance's Credential Provider Special Interest Group. Development of technical standards can often be a fraught, bureaucratic process. The creation of CXP seems to have been positive and collaborative.

Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity provider Okta, as well as Apple, Google, Microsoft, Samsung, and SK Telecom, which is all what we want. They said the specifications are significant for a few reasons. CXP was created for, and is meant to address, a long-standing criticism

that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all your passwords into a plaintext file. It's gotten much easier to sync passkeys across your devices through a single password manager.

But CXP aims to standardize the technical process for securely transferring them between platforms so users are free and safe to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data. Christiaan Brand, identity and security group product manager at Google, told Wired, quote: In the future, this could apply to mobile driver's licenses, say, or passports, any secrets that you want to export somewhere and import into another system.

We've got most of the rough edges sanded down with passkeys, but one of the main pieces of negative feedback over the past year has been around portability and potential vendor lock-in. I think with this, we are signaling to the world that passkeys are growing up, unquote. The goal of Passkey Central, a resource repository, is similarly to help the ecosystem expand and mature. Product leads or security professionals who want to implement passkeys for their user base may need to make a business case to executives to get budget for the project.

The FIDO Alliance is basically aiming to help them with the pitch, providing data and communications materials, and then support their rollout with reference materials like implementation and rollout guides, user experience and design guidelines, and documentation around accessibility and troubleshooting. FIDO's Shikiar said, quote: We've made amazing progress on passkeys. Usability and user experience are pretty much there, but we do have a punch list, and we're actively working on it.

Portability is an important feature on that list. And while the biggest brands on the planet are now using passkeys at scale, there's a very long tail of companies that haven't gotten started yet. So we want to offer resources and the assets they need to be successful. Craig, Craig Newmark... Leo, do you

the jingle? I'll play the jingle if you... Great.

Newmark, who we all know, Philanthropies. Philanthropies. Thank you, Leo. Cyber Civil Defense coalition provides some funding to advance passkeys.

In an interview with Wired, Newmark said he believes that passkeys can make a real difference, both for the digital security of individual people and for internet security overall. And of course, we agree with him. Craig said, quote, there are a lot of vulnerable systems out there.

You need to make it a lot harder for bad actors to defeat password schemes. You need to make everything more secure. And passkeys are part of that." Okay.

Now, having noted that there was very little meat on this bone, there was some. The specification we have today has a useful introduction to the problem and application space that this protocol is expected to fill. And it turns out to be more than just passkey credential transport, as we said. So here's how the Credential Exchange Protocol specification, CXP, introduces the problem.

It's just a few paragraphs, a few bullet points, too. So they said: Individuals and organizations use credential providers to create and manage credentials on their behalf as a means to use stronger authentication factors.

These credential providers can be used in browsers, on servers, and on mobile and desktop platforms, and often sharing or synchronizing credentials between different instances of the same provider is an easy and common task. However, the transfer of credentials between two different providers has traditionally been an infrequent occurrence, such as when a user or organization is attempting to migrate credentials from one provider to another. As it becomes more common for users to have multiple credential providers that they use to create and manage credentials, it becomes important to address some of the security concerns with regard to migration.

So they said, currently, and we have four bullet points: First, credential provider applications often export credentials to be imported in an insecure format, such as CSV, you know, comma-separated values, that undermines the security of the provider and potentially opens the credential owner to vulnerability. Second, credential providers have no standard structure for the exported credential CSV, which can sometimes result in failure to properly migrate one or more credentials into a new provider. Third, some credentials might not be allowed to be imported due to device policy or lack of algorithm capability on the importing credential provider. And finally, because organizations lack a secure means of migrating user credentials, often they will apply device policy that prevents the export of credentials to a new provider under any circumstances, opting to create multiple credentials for a service.

In other words, you know, they are just not exportable, which is what we've seen so far. The idea being, you know, no problem, create one over in the Apple world and create another one over, you know, in the Windows world. So they finished, saying: In order to support credential provider interoperability and provide a more secure means of credential transfer between providers, this document outlines a protocol for the import and export of one or more credentials between two credential providers on behalf of the user or organization, in both an offline or online context, using Diffie-Hellman key exchange.

This protocol allows the creation of a secure channel or data payload between two providers. Okay. So that introduction paints a picture of a more generalized secret exchange protocol.

It's clearly useful and, surprisingly, is also completely lacking in our industry today. Somehow, we've managed to come this far without a universal definition of how the owner of some secrets could move them elsewhere. The fact that this is finally being proposed demonstrates, I think, the arrival of some much-needed maturity.

Up to this point, much of our industry has relied upon closed and proprietary ecosystems. That closure was first pried somewhat open by the promise and delivery of competitive open-source software and open development. But the profit model runs deep, and we've seen how shaky some open-source software foundations can be.

The CXP document noted that the name was subject to change. I note, for something that is explicitly more generic than credentials, maybe Secret Exchange Protocol, for example, would be good. Anyway, under Scope they briefly wrote, they said: This protocol describes the secure transmission of one or more credentials between two credential providers on the same or different devices managed by the same credential owner, capable of functioning in both online and offline contexts.

This protocol does not make any assumptions about the channels in which credential data is passed from the source provider to the destination provider. The destruction of credentials after migration by the credential provider is out of scope as well. Okay.

So that's good. They're explicitly keeping this extremely general, and it's significant that it can be an offline system. The spec does sketch an overview of how this protocol would work.

And frankly, it's nothing special, and that's not criticism. Quite the opposite, in fact, because we're past the point where crypto should be surprising. We now have established and well-proven ways of accomplishing pretty much anything we need. Okay. So the sketch looks like this.

The planned recipient of the credential collection um is asked to create an export request so so the recipient of the the recipient of the collection is asked to create an export request, which will then be provided to the credential provider right the side of the end, which is gonna a be exporting the credentials that export request includes the necessary details, including a chAllenge, the details of the type of information that the recipient wishes to receive. The set of encryption schemes is able to use, and unless that has access to the credential providers, public key IT will also include and not get back to them, but later the public side of a duffy helman key agreement. Okay, I remember that what wit differ and Martin hellman invented was this brilliant scheme, which allows two parties to exchange public keys in full view of any attackers.

And upon receipt of each other's public duffy helman keys, each is able to construct and arrive at the same shared secret key. It's bizarre, counterintuitive, but IT works. And actually, I used that system in several places inside squirl.

okay? So the credential importer uses ecliptic graphic grade random number generator to create a unique differ helman key pair. IT stores the private half internally and includes the public half in this credential export request, which has been asked to generate if an end user or other authorizing party then approves and provides this export request.

The exporter uses the information to create an encrypted payload. What the exporter does, what is to similarly sense size its own defy helman pair, but IT doesn't need to retain any record of IT. IT will combine its own private half with the importers, public half, which was in the export request to create a secret. And that that that creates this automatically shared what they turn a migration key and IT uses that to encysted the payload using the other parameters that were provided in the importers export request IT signs the chAllenge provided by the importer and includes the public half of the differ helman key pair that IT just created in the exported response packet. So the exported response packet is then one where the other Carried or or through a network provided to the credential importer where you want the credentials to to go.

That includes the the obviously this blob of encrypted credential data designed chAllenge response and the public half of the credential providers duffy helman key pair, which was used to create the shared migration key the credential importer has been has been holding onto the secret half of the duffy helman key pair is generated as part of the export request. So IT validates the chAllenge, and i'll explain more about that in the second then, IT combines the secret it's been holding onto with the exporters public key that was provided in the exported packet. This will recreate the identical migration key, which is able to use to securely descript the contents of the exported package.

So what we have is a straight forward application of duffy helman key agreement where the two parties um created the same shared secret and used IT to exchange an encrypted packets a containing the users credentials and at every stage the the entire process was state of the art secure. That is, nobody getting hold of the packet would be able to descript IT. Nobody seeing the export request.

We'd be able to use that in any way to to developed the packet. When I was coming back to the to the importer side that that system is, is absolutely secure. What's currently missing from the specification is, well, everything else to make IT actually go as we saw a lot of a lot of empty paragraph, a heading ings, but empty paragraphs. But the overall mechanism is clear and it's been proven and IT will work. We have so far no idea what the user experience would be.

You know whether the internet will be used in some way uh for like both sides to randevous and and automatically exchange the packet uh or whether that might only be an option um IT would be possible to do all of this using a USB thun drive and so called sneaker net where you literally go to the side where you want to import IT you you you you say, please create an export request. Uh, the U S B key has that you take the U S, B key over to the to decide that currently has the credentials and you say here's an export request from the importer, please honor IT and export microgeneration and that would then add a blob to your U S, B, K. Then you take you back to the original side where you want this to be imported and say, here is the packed and that side with be able to develop that packet and import the credentials.

So the gist is that the user asks the credential recipient to create an export request for the credential sender. That export request is then provided to the credential sender, which uses it to prepare an encrypted package, and when that encrypted package is returned to the credential recipient, the residual information which the recipient retained on its side from the original export request allows it to securely decrypt the sender's package. Now, a well-known characteristic of Diffie-Hellman is its lack of protection against man-in-the-middle attacks. While Diffie-Hellman brilliantly creates a mechanism for secret key agreement between two parties, it has no mechanism for authentication.

Nothing I've described prevents an attacker who is somehow able to interpose themselves between the parties from impersonating each end to the other, because you'll notice there's nothing special about the ends at this point. They're just sharing keys that they assume the actual other endpoint generated. But it could be something that managed to interpose itself in between.

So if that happened, doing that would allow the impersonator to decrypt the package as it moved past. Now, all we know from the specification is that the credential importer will include a challenge for the exporter to sign. That's all it says; that's all we know today. We do know that the signer of the challenge would need to use a private key, and that the credential recipient would need to verify the signature with a matching public key, but from where and how does the credential recipient obtain the credential sender's public key? Maybe from DNS, maybe from some sort of central FIDO registry of known CXP users.

To be a PGP key at the PGP key server?

Exactly. Could be something. My God, it needs to be some sort of authoritative source of public keys. That's the one missing piece. That way one end would be able to authenticate against the other,

and the other would be able to authenticate the first. And that would completely cut out any vulnerability to man in the middle. Okay, so that's the big first part. The other part is the announcement of this Passkey Central website. That is passkeycentral.org. And having read through the site, it's clear that more than anything else, it's intended to be passkey adoption lubricant.

It's taken a few years, but passkeys have matured to the point that if any sort of friction is holding an organization back, now might be the time, I would say, to apply some lubrication. In the early days, anyone could be forgiven for feeling that passkeys were not there yet, or were not ready yet, or hadn't been proven, or might turn out to be another FIDO failure like the first attempt was, which never achieved critical mass, or even that what we already had was well proven and working well enough with multifactor authentication, or with password managers that make the use of super strong passwords effortless.

You know, the argument could have been made that this problem was solved well enough. The Passkey Central site and its companion passkeys.dev developer site make a very strong case for passkeys having arrived, and for those who do not get busy with its adoption being left behind. At some point it's going to be regarded as doing it wrong not to have some system for asymmetric public key authorization.

That's the big difference. As we talked about recently, Meta was recently excoriated for storing their users' passwords in the clear without any hashing. The difference between the inherent insecurity of any traditional secret-keeping authentication system, such as static passwords or even one-time passwords, which are still asking the server to keep something secret, that difference compared to the extreme security offered by an asymmetric key authentication system like passkeys, which requires no secrets to be kept at all.

That means that at some point anyone who is not employing the free-to-use, widely available and increasingly ubiquitous passkeys, an asymmetric system, will probably similarly cause some eyebrows to be raised, as in, wait, you're still using passwords? They're not secure no matter how you store their hashes. So the point is, I am here to say, it's been a couple of years.

I think it's clear that once this CXP specification happens, and we actually see that Apple is willing to allow us to move our collection over between password managers and where we're able to aggregate them, passkeys will have made the grade. The benefits of the system have proven to be sufficiently strong that the question has moved from whether to when, and when should be as soon as possible. What are you waiting for? Because there is no longer any rationally supportable argument to be made for waiting any longer.

The Passkey Central site should now provide sufficient lubrication to help overcome any residual adoption friction. The passkeys.dev site provides sample code in Rust, TypeScript, Java, .NET, Go, Python and Ruby, and passkey test sites are available at webauthn.io and webauthn.me, with a couple of other vendors also offering test facilities. Once passkeys' Credential Exchange Protocol has been fleshed out,

and, you know, make no mistake, it does still have quite a ways to go, although its overall shape is quite clear, the last piece of the passkey solution set will have been put in place. And given that all of the major players have signed on to supporting CXP, the last roadblock to further passkey adoption, I think, has been removed.

Yeah.

Yeah, we're there. Of course, your SQRL solution, which was similar but better, maybe, obviously, unless you get Microsoft to suddenly say, hey, you know, SQRL is better than passkeys, it's been replaced. But what are the things that passkeys are missing that you wish you had, that SQRL had? Recovery is one, right?

That worked so differently. Now, there, with SQRL, you had one secret, right?

Here there are a collection

of secrets. So it's so different. Yeah, it's entirely different. And also, there are still some vulnerabilities, that if your passkeys got away from you, you're pretty much screwed, and SQRL provided a mechanism for getting that back, yeah, for recovering from the loss of your secret. So what that

means is that passkeys are always going to have passwords as a fallback. I think, I mean, I guess, probably, right?

I think all authentication is always going to have it. I mean, this is a fundamental weakness, is that you will always say, me, my, the dog ate my homework, right?

A lot of people don't do passwords. They put in a random string of junk, and every time they go to the site, they say, I forgot. And they rely on their email as the password. Is there anything wrong with that as a recovery method?

And as I said, passwords need to be regarded as a login accelerator, right? Because we always have a fallback of "I forgot my password." So that's how strong it is. And in fact, that was one of the other things that I built into SQRL: after you got comfortable with it, you knew how it worked, you could set a checkbox that put a beacon on your identity any time you went to a website. With that set, it said, please disallow all fallback, so that if a bad guy got hold of your email, it wouldn't help them, right?

So this is a really good example of, sometimes the perfect is the enemy of the good, or something like that, which is, you create a perfect system, but maybe good enough is all we need.

I agree. I mean, right now XenForo, the software that I use for my forums, I am a dot release behind, because we're using SQRL there and I haven't asked Thomas to change to support that.

The reason I bring that up is that the next dot release supports passkeys. And I want passkeys for the GRC forums, right? Because that's what the world is going to use. And I mean, they do work when they work.

They work amazingly. It really is

a great solution. They're transparent, the way it should be. Yeah.

Steve Gibson is the way it should be, as we rapidly approach election day, slash nine

nine nine.

But the good news, for those of you who don't know, Steve has agreed to go four digits. We don't know how he's going to do it. It's a mystery right now. He may not know how he's going

to do it. I have to make the change. I need to do that pretty soon. We're

going to keep going because, you know what, this is no time to stop. No, we need you more than Steve Jobs. And if you enjoy the show, join the club, Club TWiT.

That's twit.tv/clubtwit to support it. Supporting our sponsors is another way to support it. You can buy the show individually on iTunes. You can buy one episode, or I think it's $2.99 a month.

I can't remember; it's been a while. But you have to use iTunes to do that, or Apple's Podcasts app to do that. In any event, your support by just listening every week is appreciated.

Every Tuesday right after MacBreak Weekly, that's roughly 2 p.m. Pacific, 5 p.m. Eastern, 2100 UTC, we will go. We're still on summer time.

We don't go to standard time until after Halloween, so that all the kids can get their sugar without going out at night. And so we will be on summer time for, I guess, two more episodes. And on the third episode, we will move.

But UTC does not. So we will then, at that point, be at 2200 UTC. Just a little heads up.

You don't have to memorize all this stuff, but if you want to watch this live, that's what you need. We are streaming on eight platforms now, thanks to the club, and Restream makes it possible for us to be on YouTube.

We see the YouTube channel, Twitch too. Great to see you all there.

X.com, see you as well. We are also on Kick and TikTok. I see the TikTok and Kick chats.

I can't respond, I think, to some of them, but that's another issue we're working on. LinkedIn, Facebook, and of course, if you're a club member, in our Club TWiT Discord. That's eight different live streams right now. There are 698 people watching on those eight or nine live streams, and we appreciate it.

But the vast majority of listeners, this is maybe ten percent of the total, or no, not ten, one percent of the total. Thank you. So 99 percent of you listen after the fact. There are a few ways to do that, of course.

You could go to Steve's website, grc.com. He has 64 kilobit audio, but he has two unique formats for those who want them. There's a 16 kilobit audio version that sounds all scratchy, but it's small.

Okay? So it's for people who pay by the bit. There's also a human-written transcription from Elaine Farris. She does a great job. So that's at grc.com. While you're there, pick up SpinRite. This is Steve's bread and butter, how he makes his living, the world's best mass storage maintenance,

performance enhancing and recovery utility. If you have mass storage of any kind, including SSD, you really should have SpinRite 6.1. The current version just came out. Go there, get it, grc.com. Lots of free stuff there as well. ShieldsUP is, of course, the eternal best seller. That's the one everybody

uses. When I first saw that another 500,000 uses had happened: 107,500,000.

Just mind-boggling. And it's a free service. Thank you for providing that, Steve. Just for testing your router, making sure it's secure. There's lots of stuff there.

Go browse around, including if you want to send Steve feedback, emails, pictures for his picture of the week. The best way to do that is to go to grc.com/email and get verified. Once your email is in the verification pile, you can send him email.

At that point, you can also sign up, if you want, for his newsletters. But the boxes are unchecked. You have to explicitly opt in. Of course, it's Steve. I want this newsletter, but that's worth it.

You get the show notes and so forth. Steve also has that on his website. We have them at our website, along with 64 kilobit audio and video, twit.tv/sn for Security Now. You'll find a link there to our YouTube channel dedicated to Security

Now. If you say, I really want to share this about, you know, memory-safe languages with my boss, something like that, you can do a clip on the YouTube channel. That's really easy to do, and it's universal. Everybody can play back a YouTube video. So that's one way to do that.

I think the best way to get the show is to subscribe. It's a podcast. And if you subscribe, you have a podcast catcher.

You'll get it automatically as soon as it's available. So you always have it, and it adds to your collection. You really want to own all 997 episodes.

Honestly, it's a great collection. The podcast links are all at the website. Okay, you just open a podcast client, search for Security

Now. I think you'll find it. We've been doing this for nineteen years now. If it hasn't caught on yet, I don't know what to do. Steve, have a wonderful week. I have started Exodus, the new Peter Hamilton book.

I'm enjoying it too. I'm a ways in, and I think it's beginning to come together.

So it's in the year

thirty-five thousand. It's so far out there. Yeah, I'm also reading the

book five of the Bobiverse, and reading that too. It's a little confusing. I've got to pick one and finish it and go on to the next.

Actually, if you're a sci-fi fan, you'll enjoy our Stacey's Book Club coming up this Friday, 2 p.m. Pacific, 5 p.m. Eastern. Stacey Higginbotham and I will discuss a really interesting brand new sci-fi book by Adrian Tchaikovsky called Service Model. It's about AI-driven robots and what happens to the humans when the robots take over.

It's quite, it's told from the point of view of the robot. So that's really fun. Thanks, Steve.

Have a great week, my friend. Next week, I'm sure, more. 998. Security Now.

Today, the show is brought to you by Progressive Insurance. Do you ever think about switching insurance companies to see if you could save some cash? Progressive makes it easy to see if you could save when you bundle your home and auto policies. Try it at progressive.com. Progressive Casualty Insurance Company and affiliates. Potential savings will vary. Not available in all states.