SN 998: The Endless Journey to IPv6 - AI-Driven Encryption, Session Messenger, IPv6

2024/10/30
Security Now (Audio)

Steve Gibson
Cybersecurity expert and entrepreneur who founded several influential security tools and podcasts.
Topics
Steve Gibson explains in detail Apple's proposal to shorten SSL certificate validity to 45 days and analyzes the proposal's advantages, disadvantages and the problems it may cause, including its impact on non-ACME-compatible devices and his doubts about the certificate revocation mechanism. He also discusses the SEC fining four companies for downplaying the severity of the SolarWinds attack, and the new features added to Google's Messenger app, in particular the AI-driven sensitive content warning. In addition, he introduces the Session Messenger app's relocation from Australia to Switzerland and analyzes the government regulatory pressure on encrypted messaging apps that this event reflects. Finally, he examines the current state of the internet's migration to IPv6, noting that although IPv4 addresses are exhausted, the internet continues to function thanks to technologies such as NAT and SNI, and that IPv6 adoption is far below expectations because domain names have become the key resource and IP addresses have become less important. Leo Laporte mainly interacts with Steve Gibson on the above topics, asks questions and adds comments. He takes part in the discussions of Apple's proposal to shorten certificate lifetimes, the SolarWinds attack, Google Messenger's new features, the Session Messenger relocation and the internet's migration to IPv6, responding to and supplementing Steve Gibson's points and analysis.


Chapters
Apple proposes reducing maximum web server certificate life to 45 days, which raises concerns about automation and practicality for non-web server applications.
  • Apple's proposal aims to reduce certificate lifetimes gradually to 45 days.
  • Automation is crucial for managing short-lived certificates, but many devices and applications are not equipped to handle frequent updates.
  • The proposal could push everyone to the lowest common denominator of domain validation certificates, reducing security assurance.

Transcript

This week on Security Now: Apple wants to shorten the life of your SSL certificate. Steve's up in arms about that.

We'll talk about a very nice new messenger program that Steve says may be better than Signal, and we'll take a look at IPv6. Whatever happened to it? It looks like it's going to be another twenty years. Steve explains why that's OK. It's all coming up next on Security Now.

Podcasts you love from people you trust.

This is TWiT. This is Security Now with Steve Gibson, episode 998, recorded Tuesday, October 29, 2024: The Endless Journey to IPv6. It's time for Security Now, the show where we cover the latest security and privacy news, keep you up to date on the latest attacks, and we get a little sci-fi and health in there as well, because Mr. Steve Gibson is what we call a polymath. He is fascinated by it all.

Hi, Steve. Hello, my friend. Speaking of science fiction, it's not in the show notes, but I am forty percent into Hamilton's Exodus.

And I have to say I'm glad it's long because it is, it's coming together there. There are so many things. I mean, I could

talk to John Selina.

I guess, because, wow, he shot through it and he's reading it again. He said the second time through he knows who the people are. Because, I mean, Hamilton doesn't write thin sci-fi, but there are so many really interesting concepts, like, and there's no spoilers here, um, faster-than-light travel is never invented. So we never have FTL.

But what we have is, well, okay, also, this is set like fifty thousand years in the future. So we're in an environment where there are the so-called Remnant Wars that have left behind dead planets and derelict, hugely up-armored technologies. And we've gone so far into the future that we've lost some of the knowledge that was there during the peak wartime.

So they're finding this stuff that they don't understand, but they kind of, you know, give it power and see what it does. But the other thing that is cool is that there's this one elevated old, old race that created what's known as the Gates of Heaven. And they're gates which draw on a huge source of energy to bring their ships up to 0.9999 light speed.

I mean, right up to c, but not quite, because you can't actually, you know, it takes infinite energy to get all the way there. But what that does is, of course, it creates huge relativistic time compression, so that for the people who are traveling at 0.9999 of c, you know, it was a one-week trip for them. Meanwhile, four generations are gone.

So anyway, so I mean, but again, it's just, this is a whole other, he did it again, there's a whole other rich tapestry of really good hard sci-fi. You know Hamilton's style. And as I said, I'm at forty percent.

I have no idea. You can't even begin to guess what's going to happen. I have no idea what's going to happen, but I do not want it to end because it's just really solid entertainment.

Oops, I pushed my mute. It is like a locomotive, I think, where it starts slow, maybe the first couple of pages, that will

spin a little, a couple of... But yeah, if you have to, persist, or hold your breath, and you do want to read the early history, because he, like somebody, is the history

in a press. I listened to that, and then I got to the dramatis personae, and I'm listening.

Yes, well, it goes on for a while. Oh, my God. And the problem is you don't have any, there's no reference point. Everybody is defined in their relationships to each other. So

spinning, but the time looking forward much, but I just got past that. So looking forward to it.

Let me tell you, I mean, since I don't listen, I read, I can't relate to that experience, but where we are is really good. I get

the book version

of this is just, I'd at again, I wasn't going to start until the number two was ready, but when John said he'd finished it, I'm reading it. And again, I think, okay, we're talking about

for those just joining us, Peter F. Hamilton, one of our favorite sci-fi authors.

He wrote this, the Engine, and

called Exodus.

First of two. It's a duology. Yeah. And, oh, wow, okay. So we've got a great episode. Apple, who's a member of the CA/Browser Forum, has proposed that over time we bring maximum certificate life down to forty-five days, at which I say, please, no, no, don't do it. That's pretty cool. Also, the SEC has fined four companies for downplaying the severity of the consequences of the SolarWinds attack on them, which is interesting.

Google has added five new features, or will, a couple are in beta, to Messenger, the Google Messenger app, including inappropriate content warnings, which is interesting because, of course, Apple did that a few years ago. Ah, and this brought me to an interesting question, and that is whether AI-driven local device-side filtering could be the resolution to the encryption dilemma forever, that is, solve the end-to-end encryption problem. Anyway, we will talk about that. Also, I tripped over, as a consequence of some news of them relocating, something I'd never been aware of before.

A very nice looking messenger app called Session, which is what you get if you were to marry Signal and onion routing from Tor. That's very interesting. I imagine our listeners are going to jump on this.

Also, just a quick look at the EU software liability moves there. A couple of other people have produced some commentary that we, we talked about that last week.

We've got fake North Korean employees actually found to have been installing malware in some blockchain stuff. Also answering a listener's question about whether he needed SpinRite to speed up an SSD. No, you don't. We'll touch on that. Uh, also using ChatGPT to review and suggest improvements of code.

Another thought from a listener, um, and then I want to spend some time looking at the internet governance that has been trying to move the internet to IPv6 for, yes, lo, the past twenty-five years, but the internet just doesn't want to go. Why not? Will it ever? What's happened? The guy at APNIC,

the Asia Pacific network registry, has a really interesting take on the way the internet has evolved, such that, well, first of all, from some technology standpoints, we don't actually have the problem anymore that they were worried about needing IPv6 to solve. And why getting to places is no longer about addresses. It's about names. So, oh, and to cap all this off, I said we got, this is a great podcast, but this Picture of the Week, OMG, it is, I just gave it the caption, there really are no words, but this is one where, Leo, you've got to look at it for a minute and just think, oh.

What have I, I haven't looked at it yet. It's on my screen. It's ready to be scrolled up into view. We will do that together in moments, and I can't wait.

It's always fun, but we should mention, if you want to get the show notes, the easiest thing to do is go to Steve's site, grc.com, go to the podcast page. Every podcast has a very nice PDF of show notes that includes that image. Or go to grc.com/email and sign up for his newsletter. That way you can get it automatically

ahead of time. I don't know if you looked at the timestamp on the email that you got. It was yesterday afternoon.

So Steve's wife is making him do this. I think, I'm convinced, this is Lorrie saying, you've got to get this done so we go out to dinner or so.

So by Sunday, late morning, I had finished the project I had been working on, which is the amalgamation of the e-commerce system and the new email system. I didn't have them communicating yet, and they had to, so that we didn't have the databases desynchronized, right? And so I thought, okay, I'm going to start working on the podcast.

And as it turns out, that went well, there is lots of material. And by yesterday afternoon, Monday afternoon, I was done. And so I thought I'm just going to... Actually, 11,717 subscribers got it a day ahead. I've been doing that more

more lately. So it's worth subscribing, yeah.

You do, you really, well. And in fact, I am not going to step on it, but one of our listeners mentioned a benefit of that that hadn't occurred to me before. So anyway, we've got a great podcast. Get ready for the Picture of the Week after you tell us who is supporting this fine work, a sponsor

for this first segment of Security Now, and the name, you know, well, we've been with this for many years now, the Thinkst Canary. It's a honeypot. It's kind of appropriate because one of our very first shows was about honeypots, and we've interviewed Bill Cheswick, who created the first honeypot. In fact, we did a panel with him in Boston some couple of years ago.

He wrote the first honeypot. And it was a big, massive effort. A honeypot is a system that looks like it's valuable, but really is just an attractant to hackers.

And when they go to the honeypot, they get trapped, you get notification or something happens. Well, you don't have to be an expert anymore to deploy very, very good honeypots from Thinkst Canary. These are honeypots that can be deployed in minutes.

They can impersonate anything from an SSH server to a Windows server, IIS. They can be a SCADA device. Mine's a Synology NAS. And they really go the extra mile

to make these impersonations very realistic. They look identical to the real thing. My NAS has a Synology MAC address.

You know, the first few digits are correct for Synology, so a wily hacker looking at this isn't going to say, oh, I can tell that's a phony. They don't look vulnerable.

They look valuable. You can also create lure files with the Thinkst Canary, little PDFs or Excels or docx's or whatever. We have some Excel spreadsheets that say things like payroll information, employee addresses. I mean, we're not as brash as Social Security numbers, but you could. The thing is, these aren't real.

If a bad guy, somebody accessing inside your network, accesses those lure files or tries to attack your fake internal SSH server, you're going to get notifications, and they will tell you immediately you have a problem. Only real positive alerts, no false alerts, and you get it any way you want: email, text, they support webhooks, an API, Slack, whatever works for you. But it's great because it's a way of knowing that somebody's inside your network.

Now, I'm sure you have excellent perimeter defenses. We all do. I do here. But if somebody penetrates, or maybe you've got a malicious insider in your company looking around, how would you know that they're there? That's the Thinkst Canary.

Just choose a profile for your Thinkst Canary device, register it with a hosted console for monitoring and notifications, and then you just sit back and relax. Attackers who breach your network, malicious insiders, or other adversaries, they can't help but make themselves known.

They say, oh, I've got to get in that. And immediately you'll get a notification, just notifications that matter. This is a vital tool for your security.

On average, companies don't know that they've been breached for ninety-one days. You want to know the minute somebody's in there. That's why you need this incredible honeypot, the Thinkst Canary. Go to canary.tools/twit.

canary.tools/twit. You know, big companies might have hundreds of them spread out all over the globe. In fact, Canaries are in operation on all seven continents.

So that tells you something. A smaller company like ours might just have a handful. Let's say you need five: $7,500 a year, you get five Thinkst Canaries, you get your own hosted console, all the upgrades, all the support, all the maintenance is included.

And by the way, if you use the code TWIT in the "how did you hear about us" box, that's not a commentary on you, by the way, that's the name of our network, okay? TWiT. I realize people who watch Security Now may not know, but put TWIT in there and you'll get ten percent off the price for life.

Now here's another thing that'll reassure you. If you're going, I don't know, do these things really work as they say they do? And I could vouch for them, but you can always return your Thinkst Canary. They have a two-month, sixty-day money-back guarantee for a full refund on every penny.

I have to point out, though, that during all the years TWiT has partnered with Thinkst Canary, all the years we've been doing these ads, that refund guarantee has not been claimed, not once, not ever, because once people get this and once they have it, they go, oh, yeah, yeah, you have to have this. This is canary.tools/twit and the code TWIT in the "how did you hear about us" box. We thank Thinkst Canary for supporting this show and all their users with an excellent security tool that everybody should have.

Now I am going to, how should I do this? Scroll up first. Before I show everybody else, I can scroll up

and consider what you see

and the caption is, there really are no words. I see a fire truck. I see a fire. Oh, dear. Okay, okay, that's good. I'm showing you the picture now, everybody. Steve, you want to describe it for

our audio listeners. So if you had, if you were a fire company and you needed to have a hose go across an area where cars would be driving over it, you might,

and we've seen this like with electrical cords that have to go across the floor, you put up a protector around it, kind of like a little ramp up and down on either side, so that, you know, you can roll over it. You won't get stuck on it. You won't squash it. You'll protect it.

So we have that scenario here in today's Picture of the Week for Security Now number 998, where a firehose is being protected with a similar sort of little ramps. The problem is they're not being protected from car tires rolling over the hose. They're being protected from a train.

This is crossing a train track. And anybody who's thought much about the way trains work, you know, they have wheels that have flanges on the inside, which are the things that keep the wheels on the track. And so the last thing you want to do is do anything to force those wheels up out of the grooves.

I think, in all likelihood, the train would just go right over the top of that and cut it in half. I don't mean slice

like, right?

Yeah.

because those wheels are sharp, just chopped. I hope they're short, because you would much rather have your hose cut than to have the train derailed, which is the alternative.

Have another emergency to attend to very quickly.

It is unbelievable, unbelievable to me. This looks like maybe England. I don't know why. It has an English feeling to it. It looks like there is a crossing gate, and the light is over there. I know why it's aimed away from us, and it's on the right side. It would be on the left side if you are driving on the left side of the road. Yeah. So, and it looks like you see white water coming out of the back left.

I see that, yeah. What is that?

We don't know what is going on, but it's not good if any train is going to come down the tracks. Good holy moly.

Anyway, one of our better pictures. I just would say, what could possibly go on.

Go wrong? Actually, that would be a bit, a much better... That would have been a perfect caption for this picture. Okay. So as our long-time listeners know, many years ago we spent many podcasts looking at the fiasco that was, and sadly still is, certificate revocation, noting that the system we had in place using CRLs, certificate revocation lists, was totally broken. And I put the revoked.grc.com server online specifically for the purpose of vividly demonstrating the lie we were being told, that it just doesn't work.

Now at the time, the OCSP solution, Online Certificate Status Protocol, seemed to be the best idea, where users' browsers query for OCSP status, like, real time. You know, the idea was that you could do it online. The browser could ask the CA, is this certificate I've just received from the web server still good? The problem was it created both performance problems, because of this extra need to do a query, and privacy issues, because the CA would know everywhere that users were going based on their queries back to the CA servers.

So the solution to that was OCSP stapling, where the website's own server would make the OCSP query. Thus no privacy concern there. And then, as the term was, staple, meaning, you know, by some means electronically attach these fresh OCSP results to the certificate that it was serving to the web browser, so the web browser wouldn't have to go out and make a second request.

Great solution. But it seems that asking every web server in the world to do that was too high a bar to reach, because while some did, mine was, uh, most weren't. So despite its promise and partial success, the CA/Browser Forum, which sets the industry's standards, recently decided, and we covered this, I guess, about a month ago, to backtrack and return to the earlier use and formal endorsement of the earlier certificate revocation list system, which would move all of the website's certificate checking to the browser.

This had the benefit of allowing us to offer a terrific podcast exploring the technology of Bloom filters, which everyone enjoyed. And that technology very cleverly allows the user's browser to locally and very quickly determine the revocation status of any incoming certificates. Okay.

So that's where we are. Now, when you think about it, for a certificate to be valid, two things must be true. First of all, we must be between the certificate's Not Valid Before and Not Valid After dates. And, you know, there must be no other indication that this otherwise valid certificate has nevertheless been revoked for some reason. Doesn't matter why, it's no longer good.

So the conjunction of these two requirements means that the certificate revocation lists, which are the things that will tell us if there's an exception to the validity period test, only need to cover any certificates that would otherwise be valid, right? This means that expired certificates will be automatically distrusted due to their expiration and can thereby be safely removed from the next update to the industry's Bloom filter-based CRL lists. Okay.

So if we want to keep the sizes of our Bloom filter CRLs down, shortening the lives of certificates is the way to do that. Or, you know, if this still doesn't come to pass, because we've been at this for quite a while and we've never got any form of revocation that actually works, so maybe just shortening is a good thing in general.

And this brings us to last week's news of a proposal by Apple, who is, as I mentioned at the top of the show, an active, very active member of the CA/Browser Forum. They're proposing to gradually reduce maximum web server certificate life from its current duration of 398 days, basically a year plus a month, all the way down to just forty-five days. If this proposal were to be adopted, certificates would have their lives reduced in four steps, starting one year from now and ending in April of 2027.

It would go this way. We're currently at 398 days. That comfortable 398 days would be cut nearly in half to 200 days one year from now, in September of 2025. Then a year, actually a month ago, right, because we're working October here in a second. Then a year later, in September 2026, it would be reduced by half again, from 200 to 100 days. And the final adjustment would occur seven months later, in April of 2027, which would see web server certificate maximum lifespans reduced to just forty-five days.

Okay, now the only reason Let's Encrypt's ninety-day certificate lifetimes are workable is through automation, right? So Apple must be assuming that by setting a clear schedule on the plan to decrease certificate lifespans, anyone who has not yet fully automated their server's certificate issuance with the ACME protocol, which is the standard that the industry has adopted for allowing a web server to automatically request a new certificate, anyone who hasn't already done that will be motivated to do so, because, you know, it's coming.

You know, who wants to manually update their certificates with a lifetime of forty-five days? Nobody. So the problem is this creates some potential edge-case problems, since it's not only web servers that depend upon TLS certificates.

For example, I have one of personal interest that comes to mind. GRC, as we know, signs its outbound email using a mail server that's manually configured to use the same certificate files that are valid for the grc.com domain. That's what you have to do to get DKIM working.

And then DKIM and SPF, as we talked about recently together, allow you to obtain DMARC certification. And then the world believes that email coming from grc.com actually is, because it's signed, well, it's signed with the same certificate that DigiCert created for me for the grc.com web server, because it's from the grc.com domain. At the moment, I only need to update the email's copy of those certificates annually.

So it's manageable to do that through the email server's UI, which is the mechanism it provides for that. I don't know what would happen if I were to change the content of the files out from under the email server without it knowing, you know, using ACME-style updates. For all I know, it has private copies of the certificates, which it might be holding open, you know, holding the files open to improve their speed of access, which would prevent them from being changed.

There's currently no programmatic way to inform the email server that it needs to change its certs, since this has never been a problem or a necessity until now. Never. Once upon a time it was three years, and way back it was ten years that we had certificate life.

So, you know, it happens that I'm able to write code, so I could see that I might wind up having to add a new custom service to watch for my web server autonomously changing its certificates, then shut down the email server, update its copies of the certs, and restart it. My point is, you know, that's what's known as a royal kludge, and it is no way to run the world. And make no mistake, my email server is just a trivial example of the much larger problem on the horizon.

Think of all the non-ACME-aware or non-ACME-capable non-web-server appliances we have today that have proliferated in the past decade and which now also need certificates of their own. What do they do? So, perhaps this is the price we pay for progress.

But I question, you know, this was brought to mind, I question why this should be imposed upon us. And upon me. It's my certificate.

It represents my domain of grc.com. Why is it not also my choice how long that representation should be allowed to endure? Okay.

If I am some big organization like amazon.com, Bank of America, PayPal, where a great deal of damage could be done if a certificate got loose, I can see the problem. So such organizations ought to be given the option to shorten their certificate lives in the interest of their own security. And in fact, they can do that today.

When I'm creating certificates at DigiCert, I'm prompted for the certificate's duration. 398 days is the current maximum lifetime allowed, but there's no minimum, and DigiCert supports the ACME protocol. So automation for short-lived certificates is available from them.

But why are short-lived certificates going to be imposed upon websites by the CA/Browser Forum and the industry's web browsers? And let's get real here.

As we know, revocation has never worked. Never. It's always been a feel-good fantasy. And the world didn't end when we only needed to reissue certificates once every three years with no effective ability to revoke them.

Now the industry wants to radically reduce that to every six weeks. How are we not trying to solve a problem that doesn't actually exist, while at the same time creating a whole new range of new problems we've never had before? I'll bet there are myriad other instances, such as with my email server, where super-short-lived certificates will not be practical.

This seems like a mess being created without full consideration of its implications. Do these folks at the CA/Browser Forum fail to appreciate that web servers are no longer the only things that require TLS connections and the certificates that authenticate them and provide their privacy, and many of these devices that need certificates for a domain may not be able to run the ACME protocol because, you know, they are DV, domain validation, certs.

I dropped my use of EV certificates because that became wasted money once browsers no longer awarded those websites using EV certificates with any special UI treatment. You didn't get the little green glow up there in the UI

bar. But I've continued using OV. Those are organization validation certificates, since they're one notch up from the lowest form of certificate, the domain validation, DV, certs, which Let's Encrypt uses, because all it's doing is just validating, yes, you're in control of that domain.

But if we're all forced to automate certificate issuance, I can't see any reason then why everyone won't be pushed down to the lowest common denominator of domain validation certificates, the issuance of which Let's Encrypt has successfully automated. At that point, certificates all become free, and today's certificate authorities lose a huge chunk of their recurring business.

How is that good for them? And the fact is, simple domain validation provides a lesser level of assurance than organization validation. So how is forcing everyone down to that lowest common denominator good for the overall security of the world? I suppose that Apple, with their entirely closed ecosystem, may see some advantage to this. So fine, they're welcome to have whatever super-short-lived certificates they want for their own domains. But more than anything, I'm left wondering why the lifetime of the certificates I use to validate the validity of my own domain in all of its various applications, web, email, and so forth, why that's not my business and why that's not being left up to me.

So if it were Google saying this, I might worry, because Google has this power to enforce it. They cut cables all the time. But it's Apple. Who cares? Is there any chance that this is going to become the rule?

Yes. Remember that Apple, when we went to 398 days, they said they would dishonor any certificate that had a longer life, because, well, exactly, all of their iDevices... The certificate has both a Not Valid Before and a Not Valid After. So if those two dates are further than 398 days apart, Apple just says, sorry. So this is not Apple unilaterally

imposing a forty-five-day limit. They would want the CA/Browser Forum to agree.

Yes. And so that's what's happened, is that there's a thread discussing this, which is suggesting this timeline for bringing it down to forty-five days. And I just do not see the logic in that. I see huge downside costs.

And why is it any of their business how long I want my certificate to assert grc.com for? I will take responsibility for that. It's in an HSM. It is safe.

It cannot be stolen. And revocation, you know, maybe it's going to be coming back with Bloom filters. We hope so. If the worst happened, we could still revoke. But the idea that I won't be able to purchase a trusted certificate from a CA longer than forty-five days, that's not a good place.

What is the rationale? Why does Apple want to make it?

So you can only be, so that you are constantly having to reassert your control over the domain and the certificate.

And so for the health of the internet.

Then, yes, and you see a big problem there. There is no big problem there. When it used to be three years and everything was just fine, we're still here, and we never had revocation that worked. It wasn't a problem.

So this is solving a problem that doesn't exist with a solution that causes many more problems. I think

I think they're going to end up, people are just going to say no.

I hope so, because we just

come down from three years to one year and know. And at the time I said, the only good thing I could see about this, leo, is that every three years i'd forgotten how to do IT. You know, there is so much time between, I was like, you know, I have to I have to run this through ssl. I mean, oh yeah, that's what with a certain weird command line to get A P fx format. And and every .

three years I got now.

every years I all OK, i'd got to do this again. But so IT has the advantage of O N. You know of course, how many times have we seen websites where that like whips are certificate expired because IT was that three years ago? You know, paul worked here. Well, paul no longer here and he was the guy who did the certain things right.

But we still see that lets encrypt has had real success with with the scripted oh my god.

they've taken over the tls market is like sick. It's like three quarters of or two thirds of of all certificates because but he wants to pay is like, wait, I can get IT for free.

I just and the scripturally automatically, you don't even have to think about IT and you don't have to wear about paul anymore because you just read up every body every what .

is at ninety days is ninety days for lets, for lets.

I don't see any reason though to make a half that that's crazy .

IT is I don't see IT either. And remember, you can still get a certificate even if you're using let's encysted for your your web browsers. You can still buy a one year shirt for other things. And so like so all the appliances that we have that want to do tls connections, you can still purchase a longer a lib certificate.

So let me and when I was thinking this through IT, one possibility would be to allow non web search to have a longer life, where because because in every such certificate, yeah IT does state what the what the uses of the shirt are. So so automation reissues could have a shorter life. But then IT doesn't solve the problem because if what you're worried about is this certificate being stolen, apparently there they are worried about anything with longer than forty five days being anywhere.

It's like I just I do not understand, I just and again, why is IT their business? This is we had three years. We had no problems except, you know paul leading the company.

Did paul .

leaves the company and worked half hour in leotard? Take a bake and talk about the sec levering fines for against four companies who lied oh.

Shame on them. They don't want to do that to the, how dare they, those lying liars. Our show today is brought to you by Experts Exchange, where the truth reigns. I remember when I met them, I said, I used to use you guys all the time. Well, we're still here, they said. And we want more people to know about it, especially now when so much of the information on the internet is crap and so much of it is AI generated.

When you have a question about technology, wouldn't it be nice to be in a network of trustworthy, talented IT professionals who can answer your questions, give you advice and industry insights, people actually using the products in your stack, instead of paying for expensive and, honestly, sometimes not so good enterprise-level tech support? That's what Experts Exchange is all about. It's the tech community for people tired of the AI sellout. Experts Exchange is ready to help carry the fight for the future of human intelligence, because there's a bunch of intelligent humans, experts, if you will, on Experts Exchange. They give you access to professionals in over four hundred different fields.

I'm talking coding, Microsoft, AWS, DevOps, Cisco, on and on. And unlike maybe those other sites, you say, well, you know, I can ask questions on other sites. I won't name names. But unlike those other sites, there's no snark.

You know, you go to those other sites, you ask a question, and half the time, that was a duplicate question, next. And the rest of the time, I say, well, I wouldn't do it that way.

Here's how I would do it. Or, you're a dummy, or they insult you, right? Not at Experts Exchange. Duplicate questions are encouraged. There are no dumb questions.

The contributors on Experts Exchange love tech, and they understand that the real reward of their expertise, of knowing deeply, knowing how a Cisco router works, for instance, the reward of that is being able to show your expertise, to pass it on, not to mock somebody, but to say, let me help you, to pay it forward. They love graciously answering your questions. One member said, I never had GPT stop and ask me a question before. But that happens on EE. That's what their friends call it, EE, all the time.

Experts Exchange is proudly committed to fostering a community where human collaboration is fundamental. Humans, they're, I'd love you. I love you. I mean, really, that's what you want to answer your questions. Our expert directory is full of experts to help you find what you need. Steve, you'll be glad to know that Rodney Barnhardt, a regular Security Now listener, is there.

He's a VMware vExpert. Edward van Biljon, who's a Microsoft MVP and an ethical hacker, I was trying to get the pronunciation of Edward's last name right. He's got a lot of really great YouTube videos. Of course, he's on Experts Exchange, and, you know, he says, this is Ed, or this is Edward. Never says his last name.

So Ed is there. Cisco design professionals are there, executive IT directors. That's actually another thing. It's not just technical information. You can get advice on how to run your company, advice on how to handle employees, how to motivate.

There are really experts there who love talking about what they do and helping you do it too. And here's something really important. Other platforms,

most of the other platforms, betray their contributors by selling their content to train AI models. Reddit does it. LinkedIn just started doing it. At Experts Exchange, your privacy is not for sale.

They stand against the betrayal of contributors worldwide. They have never and will never sell your data, your content or your... They block and strictly prohibit AI companies from scraping content from their site for training their LLMs. The moderators strictly forbid the direct use of LLM content in their threads.

Experts deserve a place where they can confidently share their knowledge without worrying about a corporation stealing it, in effect, to increase shareholder value. And humanity deserves a safe haven from AI, and you deserve real answers to your legitimate questions from true experts. That's what you get at Experts Exchange.

Now, they know there are people like me who have tried it a while ago, and they know that maybe you've never even heard of it. So they're going to give you ninety days free. You know,

you need to give it at least three months to try it, to see if it's what you're looking for. I think it is. Ninety days free when you go to e-e.com/twit. That's e-e.com/twit. You know, they've been around for a while.

They've got a three-letter domain. Those are rarer than hen's teeth. Visit e-e.com to learn more. Experts Exchange, thank you.

Experts Exchange, for supporting our local expert here, Mr. Steve Gibson. And thanks to you for using that address so they know you saw it on Security Now. Experts Exchange, e-e.com/twit. On we go, Mr. G.

Mr. G. So one of the rules of the road is that companies that are owned by the public through publicly traded stock have a fiduciary duty to tell the truth to their stockholders.

That would be nice, yes.

When something occurs that could meaningfully affect the company's value, yes. For example, on December 14th, 2020, the day after the Washington Post reported that multiple government agencies had been breached through SolarWinds Orion software, the company itself, SolarWinds, stated in an SEC filing that fewer than eighteen thousand of its thirty-three thousand Orion customers were affected.

Still, eighteen thousand customers affected made it a monumental breach, and there was plenty of fault to be found in SolarWinds' previous and subsequent behavior. But they fessed up. They said, okay, this is what happened. But I didn't bring this up to talk about them. I wanted to share some interesting reporting by CyberScoop, whose headline a week ago was, SEC hits four companies with fines for misleading disclosures about SolarWinds hack. In other words, for misleading the public about the impact their use of SolarWinds Orion software had on their businesses and how it might affect, you know, their shareholders' value. CyberScoop's subhead was, Unisys, Avaya, Check Point and Mimecast will pay fines to settle charges that they downplayed in SEC filings the extent of the compromise. This is the point that I wanted to make.

The management of companies owned by the public needs to tell the truth. So we'll take a closer look at this. CyberScoop wrote, the Securities and Exchange Commission, you know, SEC, said it has reached a settlement with four companies for making materially misleading statements about the impact of the 2020 SolarWinds Orion software breach on their businesses. The regulator charged the four companies, Unisys, Avaya Holdings Corp, Check Point Software Technologies and Mimecast Limited, with, quote, minimizing the compromise or describing the damage to internal systems and data as theoretical despite knowing that substantial amounts of information had been stolen.

In other words, they outright lied to their shareholders. CyberScoop said the acting director of the SEC's division of enforcement said in a statement, as today's enforcement actions reflect, while public companies may become targets of cyberattacks, it's incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of those incidents. As part of the settlement agreement reached, the companies have agreed to pay fines with no admission of wrongdoing.

Okay. So in the first place, they're not having to say we lied. So okay, there's that. But then I was unimpressed, frankly, by the amounts. Unisys will pay four million dollars, Avaya one million, Check Point nine hundred and ninety-five thousand, and Mimecast nine hundred and ninety thousand, according to the SEC.

By December 22, Avaya, for example, already knew that at least one cloud server holding customer data and another server for their lab network had both been breached by hackers working for the Russian government. Later that month, a third-party service provider alerted the company that its cloud email and file sharing systems had also been breached, likely by the same group, and through means other than the SolarWinds Orion software. A follow-up investigation identified more than one hundred and forty-five shared files accessed by the threat actor, along with evidence that the Russian group known as APT29, aka Cozy Bear, monitored the emails of the company's cybersecurity incident responders. So they were deeply penetrated, and they knew it. Despite this, in a February 2021 quarterly report a couple of months later, Avaya described the impact in far more muted terms, saying the evidence showed the threat actors accessed only, quote, a limited number of company email messages.

Okay, that's a little gray. And there was, quote, no current evidence of unauthorized access in our other internal systems. Okay. So you could call into question the word current, right? They knew that those representations were flatly false. Unisys' investigation uncovered that, following the disclosure of a device running Orion, multiple systems, seven network and thirty-four cloud-based accounts, including some with admin privileges, were accessed over the course of sixteen months. The threat actors also repeatedly connected to their network and transferred more than thirty-three gigs of data.

But the SEC's cease-and-desist order states that Unisys had, quote, inaccurately described the existence of successful intrusions and the risk of unauthorized access to data and information in hypothetical terms, despite knowing that intrusions had actually happened and in fact involved unauthorized access and exfiltration of confidential and/or proprietary information, unquote. The company also appeared to have no formal procedures in place for identifying and communicating high-risk breaches to executive leadership for disclosure, anyway. And there are similar instances at Check Point and Mimecast. The problem here is, I'd like to be able to draw a clear moral to this story, as it sort of started out seeming, but given the extremely modest size of these settlements relative to each company's revenue, it's not at all clear to me that the moral of our story here is that they should have divulged more during the heat of the moment.

The short-term impact upon their stock price may have been more severe than these fines. And coming four years after the event, it's reduced to a shrug. So I doubt that this outcome will wind up teaching any other companies any important lessons. And any companies that did the right thing at the time, and were then punished by their stockholders for telling the truth, might actually take away the opposite lesson. Let's just lie, sweep it all under the rug for now. And then, if three or four years later, you know, we're hit with a modest tax for having done that, you know, the world will have moved on anyway, we'll happily pay it and we'll have lost less money than if we had told the truth right up front. I mean, that's the takeaway...

It's the cost of doing business, these companies always say. Yeah, the cost of lying to our stockholders.

Wow, okay. So last Tuesday, Google's security blog posted the news of five new protections being added to their Google Messages app. Although Google postings are often a bit, you know, too full of marketing hype for my own taste, I thought this one would be worth sharing, and it's not too long. So Google wrote, and here's the marketing intro: every day over a billion people use Google Messages to communicate.

That's why we've made security a top priority, building in powerful on-device, AI-powered filters and advanced security that protects users from two billion suspicious messages a month. With end-to-end encrypted RCS conversations, you can communicate privately with other Google Messages RCS users, and we're not stopping there. We're committed to constantly developing new controls and features to make your conversations on Google Messages even more secure and private. As part of Cybersecurity Awareness Month, they're getting in just before Halloween, when it ends, we're sharing five new protections to help keep you safe when using Google Messages on Android.

Okay. So, first, we've got: enhanced detection protects you from package delivery and job scams. And I'm going to skip the paragraph describing it, because we all know what it means.

You know, they're looking at the messages coming in, and they're going to do some filtering to recognize when this is basically spam, and then flag it, warn you, whatever. Number two: intelligent warnings alert you about potentially dangerous links. Same thing there. They're getting into your encrypted messaging using device-side AI-powered filters to deal with that.

But this was short. They said, in the past year, we've been piloting more protections for Google Messages users when they receive text messages with potentially dangerous links. Again, incoming text messages being examined. They said, in India, Thailand, Malaysia and Singapore, Google Messages warns users when they get a link from unknown senders and blocks messages with links from suspicious senders. We're in the process of expanding this feature globally later this year. So there's not much of this year left, so that'll be coming soon to Google Messages for everybody else.

Controls to turn off messages from unknown international senders. Another benefit. But it was number four that most caught my attention. Sensitive content warnings give you control over seeing and sending images that may contain nudity. They said, at Google, we aim to provide users with a variety of ways to protect themselves against unwanted content while keeping them in control of their data. This is why we're introducing sensitive content warnings for Google Messages.

Sensitive content warnings is an optional feature that blurs images that may contain nudity before viewing, and then prompts with a speed bump, is the way they phrased it, that contains help-finding resources and options, including to view the content. When the feature is enabled and an image that may contain nudity is about to be sent or forwarded, it also provides a speed bump to remind users of the risks of sending nude imagery and preventing accidental shares. All of this happens on-device to protect your privacy and keep end-to-end encrypted message content private to only sender and recipient. Sensitive content warnings does not allow Google access to the content of your images, nor does Google know that nudity may have been detected. This feature is opt-in for adults, managed via Android settings, and is opt-out for users under eighteen years of age. In other words, on by default for kids. Sensitive content warnings will be rolled out to Android 9+ devices, including Android Go devices with Google Messages, in the coming months.

So I'll get back to that in a second. The last piece of the five was more confirmation about who you're messaging. Basically, they're allowing an out-of-band explicit public key verification for messaging, which, you know, other messengers, notably Threema, which was a leader in this pack, were doing, you know, traditional standard-style cryptography, where we knew what a public key was, and verifying somebody's shared public key was useful.

So that's the fifth thing. Okay. But I want to get back, as I said, to that fourth new feature, sensitive content warnings. Apple announced their sensitive content warnings in iOS 15, where the smartphone would detect probably sensitive content and warn its user before displaying it. Despite that potentially privacy-invading feature, which has now been in place for several years, we are all still here, just like we are without certificate revocation. The world did not end.

Not only did it not end, you know, when smartphones began looking at what their users were doing, it didn't even slow down. So the idea of device-side image recognition and detection has not proven to be a problem, and Google has clearly decided to follow. But I believe there may be a larger story here. I suspect that this will be the way the world ultimately resolves that thorny end-to-end encryption dilemma that we've been looking at for several years now. As we know, Apple initially really stepped in it by telling people that their phones would be preloaded with an exhaustive library of the world's most horrible known CSAM, you know, child sexual abuse material. No one wanted anything to do with having that crap on their phone. And even explaining that that would be fuzzy-matching hashes rather than actual images did nothing to mollify those who said, Apple, thanks anyway. I'll go get an Android phone before I let you put anything like that on my iPhone. Apple received that message loud and clear and quickly dropped the effort.

But then, right in the middle of the various European governments', and especially the UK's, very public struggles over this issue, facing serious pushback from every encrypted messaging vendor saying they would rather leave than compromise their users' security, AI suddenly emerges on the scene and pretty much blows everyone's mind with its capabilities and with what that means for the world's future. If there's been any explicit mention of what AI might mean to highly effective local on-device filtering of personal messaging content, I've missed it. But the application seems utterly obvious.

And I think this solves the problem in a way that everyone can feel quite comfortable with. The politicians get to tell their constituents that, quote, next generation AI will be watching everything their kids' smartphones send and receive, and we'll be able to take whatever actions are necessary without ever needing to interfere with or break any of the protections provided by full, true end-to-end encryption, unquote.

So everyone retains their privacy with full encryption, and the bad guys will soon learn that they're no longer able to use any off-the-shelf smartphones to send or receive that crap. It seems to me this really does put that particular intractable problem to rest, and just in the nick of time. I'll note one more thing about this. It's foreseeable that the behavior recognition provided by AI-based on-device filtering will eventually and probably, excuse me, and inevitably be extended to encompass additional unlawful behavior.

We know that governments and their intelligence agencies have been incredibly arguing that terrorists are using impenetrable encryption to organize their criminal activities. So I would not be surprised if future AI-driven device-side detection were not further expanded to encompass more than just the protection of children. This, of course, raises the specter of Big Brother, you know, monitoring our behavior and profiling, which is creepy all by itself, and I'm not suggesting that's an entirely good thing, because it does create a slippery slope. But at least there we can apply some calibration and implement whatever policies we choose as a society.

What is an entirely good thing is that those governments and their intelligence agencies who have been insisting that breaking encryption and monitoring their population is the only way to be safe, well, we've had those arguments short-circuited by AI.

Those arguments will finally be put to rest, with encryption having survived intact and arguably giving the intelligence agencies what they need. So anyway, it just hadn't occurred to me, Leo, before now. But it seems to me that that's a powerful thing that AI on the device can do, and it really can and should satisfy everybody. No?

Well, I like Google doing what they're doing. And I think that seems like a sensible plan. Yes. And, as you know, it's opt-in for adults and opt-out for kids, which is exactly how it should be. Yeah, yeah, great.

Yeah, okay. I stumbled on a surprising app that I was never aware of. So, while we're on the subject of encrypted, uh, encrypted apps.

An app known as Session. Anybody who is listening live and wants to jump ahead, getsession.org is the URL. An app known as Session is a small but increasingly popular encrypted messaging app. Session announced that it would be moving its operations outside of Australia, get this, Leo, after the country's federal law enforcement agency visited an employee's residence and asked them questions about the app and about a particular user of the app. As a result of that nighttime intrusion, Session will henceforth be maintained by a neutral organization based in Switzerland. Not good. Yes, that's appalling.

It is. It was like, wow, you know, a knock on your door, and there's, you know, Australia's federal law enforcement saying, you work for this Session company, right? So we need some information about one of your users. Well, wait till you hear

how impossible it is for them to answer that question. 404 Media noted that this move signals the increasing pressure on maintainers of encrypted messaging apps, both when it comes to governments seeking more data on app users as well as targeting messaging app companies themselves. They cited the recent arrest of Telegram's CEO in France last August.

Alex Linton, the president of the newly formed Session Technology Foundation, which will publish the Session app from Switzerland, told 404 Media in a statement, quote, ultimately, we were given the choice between remaining in Australia or relocating to a more privacy-friendly jurisdiction such as Switzerland. The app will still function in Australia, but we won't, unquote. Okay. So I wasn't aware of the Session messaging app at all until I picked up on the news of this departure, but it looks quite interesting, and I wanted to put it on everyone's radar.

It appears to be what you would get if you were to combine the ultra-robust and well-proven Signal protocol, which Session forked on GitHub, with the distributed, IP-hiding, Tor-style onion routing which we briefly discussed again recently. And on top of all that, Session is one hundred percent open source, and, as I mentioned, all of it lives on GitHub.

So all of this piqued my curiosity. I tracked down a recent white paper describing Session, which was written in July of this year.

It's titled, Session: End-to-End Encrypted Conversations with Minimal Metadata Leakage. And that's the key. The white paper's abstract describes Session in a couple of sentences. It says, Session is an open-source, public key-based secure messaging application which uses a set of decentralized storage servers and an onion routing protocol to send end-to-end encrypted messages with minimal exposure of user metadata. It does this while providing the common features expected of mainstream messaging applications, such as multi-device syncing, offline inboxes and voice/video calling. Ah, okay.

Well, I would imagine that the Australian feds were probably left quite unsatisfied by the answers anyone knowledgeable of Session's design would have provided to them during their visit in the evening. They would have explained that Session's messaging transport was deliberately designed, like Tor's, to hide each endpoint's IP address through a multi-hop, globally distributed server network, and that the entire content of the messages used the venerable Signal protocol, used by Signal and WhatsApp, to exchange authenticated messages between the parties. And if this didn't already sound wonderful, listen to the system's mission statement from the white paper's introduction. They said, over the past ten years, there's been a significant increase in the usage of instant messengers, with the most widely used messengers each having amassed over one billion users.

The potential privacy and security shortfalls of many popular messaging applications have been widely discussed. Most current methods of protecting user data are focused on encrypting the contents of messages, an approach which has been relatively successful. The widespread deployment of end-to-end encryption does increase user privacy. However, it largely fails to address the growing use of metadata by corporate and state-level actors as a method of tracking user activity.

In the context of private messaging, metadata can include the IP addresses and phone numbers of the participants, the time and quantity of sent messages, and the relationship each account has with other accounts. Increasingly, it is the existence and analysis of this metadata that poses a significant privacy risk to journalists, protesters and human rights activists. Session is in large part a response to this growing risk. It provides robust metadata protection on top of existing cryptographic protocols, which have already been proven to be effective in providing secure communication channels.

Session reduces metadata collection in three key ways. First, Session does not require users to provide a phone number, email address or any other similar identifier when registering a new account. In fact, no identifier. I've done it. Instead, pseudonymous public-private key pairs are the basis of an account identity, and that's the whole basis.

Secondly, Session makes it difficult to link IP addresses to accounts or messages sent or received by users through the use of an onion routing protocol. Same thing Tor does. And third, Session does not rely on central servers.

A decentralized network of thousands of economically incentivized nodes performs all core messaging functionality. For those services where decentralization is impractical, like storage of large attachments and hosting of large group chat channels, Session allows users to self-host infrastructure and rely on built-in encryption and metadata protection to mitigate trust concerns. In other words, wow. As we know, Pavel Durov, the Telegram guy, freed himself by agreeing to, where warranted, share IP addresses and whatever other metadata Telegram collected with law enforcement. And we know that Apple, Signal and WhatsApp all similarly keep themselves out of hot water with governments and law enforcement by cooperating to the degree they're able to. And they are able to. They're able to provide IP addresses and related party identifiers. They may not be able to peer into the content of conversations, but the fact of those conversations and the identity of the parties conversing is knowable, shared and shareable.

And it occurred to me, so, since I put this down, another perfect example of the power of metadata is cryptocurrency and the blockchain. Much was made of the fact, oh, it's completely anonymous, don't worry about this. It's just a little...

You have your key in the blockchain, all transactions anonymous. Well, we know how well that works, right? We're able to see money moving and perform associations when it comes out of the cryptocurrency realm. So again, we're not able to see who, but there's metadata that's been left behind. Session was created to, to every degree possible, also prevent metadata leakage.

So I suppose we should not be surprised that the guys who married the Signal messaging protocol with Tor's onion routing to deliberately create a hyper-private messaging system saw the clear handwriting on the wall and decided, after that visit from their local feds, that they would need to move from Australia sooner or later, so it might as well be sooner. The messaging app, again, is called Session, and is available in several flavors for Android and iOS smartphones as well as for Windows, Mac and Linux desktops.

From here, it appears to be a total win. Establishing an anonymous identity with a public-private key pair is exactly the right way to go, and that's exactly what they do, plus much more. And with all their source code being openly managed on GitHub, in addition to the thirty-four-page technical white paper, there's also a highly accessible five-page light paper, as they called it, which carries their slogan, send messages, not metadata. So the URL once again is getsession.org, where you'll find a software download page at getsession.org/download, as well as links to both that five-page light paper and the full thirty-four-page white paper. So it looks like a complete win to me.

So I have a couple of questions for you about this, prompted by some folks in our YouTube chat. We have chat now in eight different platforms. So I'm trying...

to monitor it all. They...

I have a merged view so I can see it. Someone in our YouTube chat says, note, Session has removed perfect forward secrecy and deniability from the Signal protocol. And they did that a few years ago.

They say you don't need PFS, because that would require full access to your device. And if you had full access, you know, really the jig is up no matter what. And deniability is not necessary because they don't keep any metadata about you, so you don't have to worry about that. Does that seem true to you?

I think that's correct. The concern with perfect forward secrecy is that the NSA is filling that large server farm...

That all...

Yes, that massive data warehouse. And at some point in the future, if and when we actually do get quantum computing able to break today's current public key technology, then they could retroactively go back and crack that. Unfortunately, or fortunately, rather, Signal has already gone to a post-quantum technology. So again, the concern is that perfect forward secrecy, if you're constantly re-keying, cuts off somebody who manages to penetrate public key technology for the duration of your use of that key, which allows them to get the symmetric key and decrypt that chunk of conversation. It's not clear at all today whether there's ever going to be a way to do that, if anybody's using the Signal protocol, where you're using both pre- and post-quantum public key technology.

So does it really matter?

They needed to do that in order to add the features that they wanted...

to. That makes sense. Okay. I think that, I mean, the only real disadvantage is that you'll be the only one in your family using it.

You know? Yes, yes. And so it would be where you have a situation where you have some specific people that you want to have a really guaranteed private conversation with.

You know, it's not going to be like, oh, you know, what's your Signal handle, and then you add them to Signal. But still, for somebody who really wants, you know, true private communications, and this goes further now than anything we've seen so far. They've got the state-of-the-art best messaging encryption technology in Signal married to onion routing, which is quite clever, and...

No server has the full message. That's the interesting thing.

Right? Yeah, it's completely decentralized.

I think that's so cool. And it always bothered me that Signal wanted my phone number. I just, I didn't...

feel like that. Yeah. And I think they announced...

they're backing away from that, with user names.

They're saying, yeah, yeah, and it's like, okay, you know, and will it be many-to-many? I know that I was able to have them on one phone and one desktop, but I wasn't able to have it on two phones and multiple desktops. So, some arbitrary limitations. I downloaded this thing, and it's on all of my phones and desktops, and then they...

All with the same private key. Yes, so you're able to propagate it to other devices.

Yes, that's cool. Yes, when that's created, it gives you a QR code. It shows it to you in that word salad form, you know, bunny go for them on artichoke experience.

And so I copied that and then pasted that into a different device. And it found me. It's like, oh, here you are. And I got my picture, and everything worked. I'm going to install it right now.

It's slick. And again, all three desktop platforms, Windows, Mac and Linux, and both phone platforms. Nice. Let's take another break, and then we're going to revisit software reliability briefly, and then close the loop and pour into this question of the future of the internet. And does anyone even care about IPv6 anymore?

wow. Now used to event, sir hon. He was like trump, bang in the drum. We're going to run out IP addresses. We're gonna n out I P address to go IP.

Really interesting as the chart of the U. S. adoption. We will get there.

I can't wait. All right. But right now, a word from our sponsor, the folks, the great folks, I've talked to them, at ThreatLocker. ThreatLocker is a very, very good way to do endpoint security, and I'll explain how

in just a second. But first, let me ask you a rhetorical question, because I really know the answer. Do zero-day exploits and supply chain attacks keep you up at night? They do,

if you are in charge of the network, right? Well, worry no more, because you can harden your security. I mean, really harden it, with ThreatLocker. Worldwide,

companies like JetBlue, for instance, trust ThreatLocker to secure their data and keep their business operations flying high, if you will. The key with ThreatLocker is this: it's zero trust, which is such a clever way to handle a very big issue. Imagine taking a proactive, and these are the key

words, deny by default approach to endpoint security. You block every action, you block every process, you block every user, unless authorized by your team.

ThreatLocker helps you do that and provides a full audit of every action, which is really great to have for risk management and compliance. Of course, a 24/7 US-based support team fully supports onboarding and beyond. They'll be with you every step of the way. You can stop the exploitation of trusted applications within your organization and keep your business secure and protected from ransomware, all using a very simple concept: zero trust.

Oh, and you were talking about SolarWinds. Listen to this. Organizations across any industry can benefit from ThreatLocker's Ring Fencing. Ring Fencing isolates critical and trusted applications from unintended uses, which limits attackers' lateral movement throughout the network. ThreatLocker's Ring Fencing was able to foil a number of attacks

that were not stopped by traditional EDR, and specifically that SolarWinds attack we were talking about, foiled by Ring Fencing. And if you think about it, it makes sense, because you're blocking that lateral movement without explicit authorization.

Oh, and ThreatLocker works for Macs too, so it doesn't matter what you've got on your network. ThreatLocker can help you keep it safe. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively. ThreatLocker's zero trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities.

This is such a great solution. Get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and, at the same time, ensure compliance. Visit threatlocker.com.

Easy to remember, you put everything inside the ThreatLocker. threatlocker.com. We thank them so much for their support.

We've talked about zero trust on the show before, and you know, it's clear how this helps. But now there's an easy way to do it. And by the way, these can be very expensive tools.

You should check it out. It's not just for big companies. You can do it as a small company too, very easily. threatlocker.com. Steve, your turn.

So thank you. The EU's proposed wholesale revision of the software liability issue has, not surprisingly, drawn a huge amount of attention from the tech press. We gave it enough attention here last week, but I was glad to see that I didn't misstate or misinterpret the effect and intent of this new EU directive.

It really is what it appears to be. One reporter wrote about this: "The EU and US are taking very different approaches to the introduction of liability for software products. While the US kicked the can down the road, the EU is rolling a hand grenade down it to see what happens. Under the status quo,

the software industry is extensively protected from liability for defects or issues, and this results in," I love this, "systemic under-investment in product security. Authorities believe that by making software companies liable for damages when they peddle crap," well, "those companies will be motivated to improve product security." And of course, we can only hope. I also wanted to share part of what another writer wrote, for the record. He wrote: "Six years after Congress tasked a group of cybersecurity experts," U.S.

Congress, "with reimagining America's approach to digital security," get this, "virtually all of that group's proposals have been implemented. But there's one glaring exception that has especially bedeviled policymakers and advocates: a proposal to make software companies legally liable for major failures caused by flawed code.

"Software liability," he writes, "was a landmark recommendation of the Cyberspace Solarium Commission, a bipartisan team of lawmakers and outside experts that dramatically elevated the government's attention to cyber policy through an influential report that has seen roughly 80 percent of its 82 recommendations adopted. Recent hacks and outages, including at leading vendors like Microsoft and CrowdStrike, have demonstrated the urgent need to hold software companies accountable, according to advocates for software liability standards. But despite the Solarium Commission's high-profile backing and the avowed interest of the Biden administration, this long discussed idea has not borne fruit.

"Interviews with legal experts, technologists and the tech industry reveal why: software liability is extremely difficult to design, with multiple competing approaches, and the industry warns that it will wreck innovation and even undermine security. Jim Dempsey, senior policy advisor at Stanford University's Program on Geopolitics, Technology and Governance, said," quote, "The Solarium Commission and Congress knew that this was going to be a multi-year effort to get this done. This is a very, very, very hard problem,"

unquote. "A recent spate of massive cyberattacks and global disruptions, including the SolarWinds supply chain attack, the MOVEit ransomware campaign, the Havana hacks, the CrowdStrike outage and Microsoft's parade of breaches, has shined a spotlight on the world's vulnerability to widely distributed but sometimes poorly written code." Dempsey added, quote, "There's a widespread recognition that some things have got to change. We're way too heavily dependent on software that has way too many vulnerabilities," unquote. "The software industry's

repeated failures have exasperated experts who see little urgency to address the roots of the problem, but bringing companies to heel will be extremely difficult." An associate professor at Fordham University School of Law who specializes in cybersecurity and platform liability said, quote, "We have literally protected software from almost all forms of liability comprehensively since the inception of the industry decades ago. It's just a golden child industry."

"Virtually all software licenses contain clauses immunizing vendors from liability. Policymakers originally accepted this practice as the cost of helping a niche industry flourish, but now that the industry is mature and its products power all kinds of critical services, it will be an uphill battle to untangle what Dempsey called," quote, "the intersecting legal doctrines that have insulated software developers from the consequences of the flaws in their products." So, Leo, we on this podcast certainly have not been alone, like, just observing over the last twenty years that we've been doing this.

Like, this is wrong. This has to change. But also, change is hard. In other words, IPv6. No. Okay. One last little point that I thought was interesting.

As we know, a recurring event in security news recently has been the industry's inadvertent hiring of fake IT workers, generally those purporting to be domestic but actually, it turns out, working for North Korea, or at least North Korean interests. Hopefully this has not been happening for long, you know, undetected, since there really seems to be a lot of it going around. Maybe we're just suddenly shining a light on it, so we're seeing a lot of it.

I shared the hoops that I had to jump through recently during that one-way video conference with a DigiCert agent, following his instructions as I moved my hands around my face, you know, just holding up the government-issued ID card and demonstrating that I was me. As far as I know, the coverage of this has not actually revealed, that is, the coverage of the North Korean identity spoofing hasn't actually revealed any malfeasance on the part of these North Korean employees before. Now, it is certainly illegal to hire them, but, you know, they were faking their identities.

It turns out that changed. The creator of a blockchain known as Cosmos, the Cosmos blockchain, has admitted that the company inadvertently hired a North Korean IT worker. The company said the FBI notified the project about the North Korean worker, but get this.

The individual at the company who received the notification did not report the incident to his managers. What? And moreover, Cosmos says that the code contributed by the North Korean worker did contain at least one major vulnerability. The company is now performing a security audit to review all the code for other issues.

So we can only hope that these now continuing revelations will lead to many more real-time video conferences, such as the one that I had with DigiCert to prove that I was actually me. You know, just sending, forwarding a file with some headshots is not going to do it any longer. Oh, imagine this. At the top, a listener suggested something I hadn't thought of before. His name is Brian.

He said, "Please add me to your Security Now podcast GRC list." He said, "I'm an occasional listener and appreciate all of your information and tips shared. Regards, Brian." That's all he said, but I wanted to share this because Brian is a mode of listener who can obtain value from GRC's weekly podcast synopsis mailing that I'd never considered. I often do hear from listeners who have fallen behind in listening or who aren't always able to find the time to listen. So Brian's note made me realize that the weekly mailings, which, as I said at the top of the show, went out to 11,717 people yesterday afternoon in this case, can come in quite handy when making a determination about how to invest one's time.

You look at the list, you go, oh, there are a couple things here that I want to hear about, and then you grab the podcast. So thank you, Brian, for the idea.

It's good for us to remember there are people who don't listen to every single show. Yes, I think that's

an excellent point. And there is a lot of competition for people's time and attention.

It always worried me, you know, that people would give up on the show if they couldn't listen to every one. You know, I stopped subscribing to The New Yorker because of there being such a big pile of magazines. And there's this guilt, like you have to read every issue instead of just dipping into it. You don't feel guilty, it's okay, to not listen to every episode.

Right? And by the way, if you subscribe to the GRC list, just go to grc.com/mail and sign up, add yourself to the Security Now list. And we have two: one's only for Security Now listeners and the other is just general GRC news.

I'm sure that I'll be talking about anything I'm doing at GRC. Oh, speaking of which, I forgot to mention that, because I finished the podcast yesterday afternoon, yesterday evening I updated GRC's technology for four digits of podcast numbering. So when we go from 999 to 1000, everything should work smoothly. So that is now in place. So, okay, two more pieces.

Martin in Denmark said, "Hi Steve, love the podcast. Been with you guys from episode zero." Unfortunately, I do wish we had started at zero, Leo. It just didn't occur to me. You know, we were green

back then, and we were newbies.

I thought we were never going to get to 999. We weren't even going to get to 300. So here we are.

"But I just want to point out, as a coder, there's a language that I love in every respect called Julia. My biggest complaint is it counts arrays from one, not zero." And I feel like, I'm sorry, I can't do that. I just can't do that. In every other respect a wonderful language. But that's a bridge too far.

Yeah, it's supposed to be an offset. Is that a number or an offset?

Right, right.

Oh, so Martin in Denmark says, "I have a question about the stuff SpinRite does when," quote, "speeding up an SSD," unquote. He said, "My computer is due for a reformat and a reinstall of Windows. Windows is slowing down,

as it does, but it seems worse than usual." He has that in quotes. "So I think my SSD could use a little help. Since I'm going to nuke the drive anyway, is there a way to do the same stuff that SpinRite does without SpinRite?" He said, "I assume that using the Windows installer or diskpart to clean the disk just wipes the file system slash partition table and does nothing else.

Am I right that a poor man's solution would be to delete the partitions on the drive and make a new one, and then fill it with random data? I don't own SpinRite," he said, "for monetary reasons, and was just wondering if there is another way, as I don't care about the data on the drive. Regards, Martin in Denmark."

So here's what I wrote in reply to Martin's email, which was written to me at securitynow@grc.com, which is the way anybody who is registered with GRC's

email system is able to send me mail like I just read. I wrote, "Hi Martin. You don't need SpinRite for that at all.

The only magic SpinRite does, aside from perhaps helping hugely to recover from any trouble encountered in the process, is rewriting the data on an SSD. But it's the writing, not the rewriting, that's the key here. So if you're going to be reinstalling Windows, that act of reinstallation will inherently be overwriting, and thus writing, which is the goal." And I said, "We've discovered that SSDs can grow surprisingly slow, without otherwise complaining, as the years go by without regions of their media ever being rewritten.

SpinRite makes refreshing SSDs with data in place easy, but if retaining an SSD's current data is not needed, then neither is SpinRite. A standard reinstallation of Windows will entirely do the trick for you." So just a heads up to anybody else who may be in Martin's situation. You know, I feel happy to share that.

We're seeing, like, example after example of people saying, oh, OMG, I can't believe how much faster my laptop is after I ran SpinRite over it. So it's certainly easier to do that in a couple hours than to reinstall Windows, but Martin wants to do that anyway. Oh, I forgot to mention that he got the show notes yesterday afternoon.

He saw my reply in the show notes, and he wrote back and said, "Just want to let you know, I reinstalled Windows. And oh my god, is it faster." He said, "It is much faster than I expected it to be." So indeed.

He's in the YouTube. He's watching on YouTube right now, and in the chat he said, that's my question. Yes.

What time is it in Denmark

right now? Yes, pretty late, almost midnight.

Okay. And our last bit of feedback, Alan Guyer. Oh, and Leo, he is a fellow ham.

K6ACG is his call sign. He said, "Hi Steve, I'm really liking the emails versus X. Thank you for switching."

He said, "I do lots of Python programming and really like the code creation process, so I don't use ChatGPT to write my initial code, but I use it after I've written a function. I just paste it in and ask ChatGPT to describe what it does. If I like the result, I ask it if there is any way to improve the code I've written."

He said, "I do have my ChatGPT customized so that it prefers readability, descriptive function slash variable names, et cetera, over shorter or potentially more cryptic code. This process fits well into my development flow and results in higher quality code." He said, "I hope this can help other people.

It's been working well for me. Alan." Okay. One of the things coders are always being told is that there is no better way to improve one's craft than to spend serious time reading other people's code.

Successful novelists will have always spent their early lives reading other people's novels, and music composers grew up listening intently to endless compositions that preceded them. So it should be no surprise that reading others' code would be every bit as valuable to coders. It's for this reason that I think Alan's idea is very interesting and useful.

ChatGPT has already been trained by reading vast quantities of other people's code. So I think it absolutely makes sense to ask an AI like ChatGPT whether it can see any way to improve upon code that was just written. And that appeals to me far more than asking it to do the work first. If you're coding for the sheer pleasure of doing so, as certainly Alan has said he is, and as I do, then don't give that up, but then also take the opportunity to learn by testing your creation against the distilled wisdom of everyone who previously posted their code to the internet and influenced ChatGPT's training model. I think that makes a lot of sense.

Yeah. In fact, what I do when I do, it's coming up, by the way, the Advent of Code, December 1st, our annual 25-day coding challenge, which I've yet to finish. I got to day 22 last year.

I'm hoping to get to 25 this year. But one of the things I often do is, I like to write it first without looking at anybody's code. But then I look at all the other people who solved it, and look at the ways they solved it, and very often get great ideas, great insights.

And if I can find some people doing it in Common Lisp, there are a handful, I love looking at how they do it, because that's been the best way to improve my Common Lisp, to look at these masters. And the gray beards and the stuff they do, it's very amazing, not just clever, but really smart.

I love it. Yeah. Would you like to take a break before we get to IPv6? IPv6.

Let's do it. So we don't interrupt this with our last one. And I think everyone's going to find this really interesting. There are some new thoughts in here that are intriguing.

Well, I mean, every device I have now pretty much handles IPv6, and I can use IPv6 addresses and so forth. But there doesn't seem to be the same pressure to give up

IPv4. There was. Less than half of the top 1000 websites today can be reached by IPv6.

Interesting.

Less than half of the top 1000.

Yeah. And I've got lots for us. As before, Vint and others did not anticipate the success of carrier NAT and ISPs using it

at their end. Yeah.

So anyway, we'll get to that in a second. But first, a word from our sponsor. This part of Security Now brought to you by those great folks at 1Password.

Everybody knows 1Password. But 1Password has a new thing that is so cool. It's so smart. Let me ask you a question. This is such a dumb question, but I love every question I ask. Do your end users always work on company-owned devices, right, and use IT-approved apps, right? They never bring their phone and

laptop into the office, right?

So obviously they don't. Right. So how do you keep your company's data safe when it may be sitting on all those unmanaged devices? 1Password has an answer that's really cool. They call it Extended Access Management, XAM. 1Password Extended Access Management helps you secure every sign-in for every app on every device. It solves the problems traditional IAM and MDM just cannot touch.

If you think of your company's security as the quad of a college campus, there are the nice brick paths between the buildings: the company-owned devices, the IT-approved apps, the managed employee identities. It's all nice and perfect, right? But there are always the paths

people actually use, the shortcuts worn through the grass, that actually, people aren't dumb, they're actually the straightest line from building A to building B. People are going to do what people are going to do.

This is like one of your pictures, Steve. Those are the unmanaged devices, the shadow IT apps, the non-employee identities like contractors on your network. And most security tools think we live in this world of happy brick paths, but a lot of security problems take place,

let's face it, on the shortcuts. That's why you need 1Password Extended Access Management. It's the first security solution that brings all these unmanaged devices and apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.

It's security for the way we really work today. And it's now generally available to companies that use Okta or Microsoft Entra authentication. It kind of adds to it. And in beta right now for Google Workspace customers. I think you need to check it out. Go to 1password.com/securitynow.

That's the number one, password, 1password.com/securitynow. 1Password Extended Access Management. It's really an idea whose time has come. Now, speaking of an idea whose

time hasn't come.

It keeps coming, but it hasn't arrived. IPv6, Steve. Okay.

So I know the majority of our listeners need no introduction to the difference between IPv4 and IPv6. But I want to share some of a wonderful recent blog posting made by APNIC Labs. And since it assumes complete comfort with IPv4 versus IPv6, I want to first share a very quick orientation.

IP stands for Internet Protocol, and version 4 of the Internet Protocol is the original version that took off and became the worldwide standard by the mid-1990s. The folks who created this first successful internet were already starting to worry about its growth, because the growth was exponential at that point. So they started working on its successor replacement, which became known as IPv6, or version 6 of the Internet Protocol. Although IPv6 changes a bunch of sort of insignificant things from IP,

the most prominent and significant is addressing. Internet addresses are expressed by a set of binary bits, and any set of binary bits can only have so many possible combinations. The original IPv4 protocol uses 32 bits. The original

dotted quad is four 256, eight-bit, and...

four sets of eight bits. Exactly. So back before the internet happened, when it was still just a what-if experiment, it was believed that these 32 bits, which allowed for 4,294,967,296 individual internet addresses,

you'd never need more.

Yeah, no. Almost 4.3 billion? Get serious, right? I mean, what, we had five mainframe computers or something

back then. Who anticipated that Leo Laporte would have a hundred IP-based devices in his house alone?

That's true, right? So, you know, they thought that would be more than ample. Okay. But as we're going to find out today, around 20 billion devices are attached to the internet, and many people feel that the internet is in trouble.

If anyone wonders how this is possible, consider the number of internet connected devices in the average home. To your point, Leo. And thanks to the miracle of NAT routing, Network Address Translation, NAT, they're all able to comfortably share the household's single ISP-assigned IP address, in the case of IPv4. So the way to think about this is that the IPv4 protocol also set aside 16 bits for port numbers.

Thus, at any given 32-bit IPv4 address, an additional 16 bits are then used to specify the port number at that address. So when you think about this, if you think about the internet as publicly addressing by port number rather than by host IP, port-based addressing yields an effective 48 bits of total addressing: 32 bits for the IP, plus 16 bits for the port at that IP. Thus, what NAT routing does is borrow bits from IPv4's port numbering and reuse them as additional addressing bits. This works, but it really upsets the internet purists. These guys hate the idea with a passion, because now they just say that's not the way we designed

it to work. I didn't know that they're

not happy. In fact, I've got some quotes from them here. They are not happy about that. So, okay, refocusing on today's topic. Everyone agrees that IPv4 is being stretched and stretched way past its expected end of life.

But why, without IPv6, since the 1990s? So what's the holdup at this point, two podcasts away from episode 1000?

Would any of our listeners be surprised to learn that it's nothing more than resistance and inertia and the fact that port addressing works well enough? Okay. So first of all, who are the people who wrote this blog posting?

What is APNIC? APNIC is the regional internet address registry for the Asia Pacific region. Thus, AP.

It's one of the world's five regional internet registries, abbreviated RIRs. So we could think of this as where the IP address assignments come from, because, well, it's where they come from.

So here's what the guys in charge of the IP address space have to say as of one week ago last Tuesday, when this was written. And since Geoff writes in the first person, it only seems right to introduce him by name as Geoff Huston.

He is the chief scientist at APNIC, where he undertakes research on internet infrastructure, IP technologies and address distribution policies, among other topics. He is widely regarded as the preeminent researcher on IPv4 exhaustion. He is routinely referenced by international agencies and frequently quoted by the media.

So Geoff is the guy we want to hear from about this. Here's what he had to say last Tuesday. He said, "I wrote an article in May 2022 asking, are we there yet, about the transition to IPv6. At the time,

I concluded the article on an optimistic note, observing that we may not be ending the transition just yet, but we are closing in. I thought at the time that we wouldn't reach the end of this transition to IPv6 with a bang, but with a whimper. A couple of years later, I'd like to revise these conclusions with some different thoughts about where we are heading and why the state of the transition to IPv6 within the public internet continues to confound us.

RFC 2460, the first complete specification of the IPv6 protocol, was published in December 1998, over 25 years ago. The entire point of IPv6 was to specify a successor protocol to IPv4 due to the prospect of depleting the IPv4 address pool.

We depleted the pool of available IPv4 addresses more than a decade ago. Yet the internet is largely sustained through the use of IPv4. The transition to IPv6 has been under way for 25 years, and while the exhaustion of IPv4 addresses should have created a sense of urgency, we've been living with it for so long that we've become desensitized to the issue.

It's probably time to ask the question again. How much longer is this transition to IPv6 going to take? At APNIC Labs, we've been measuring the uptake of IPv6 for more than a decade now. We use a measurement approach that looks at the network from the perspective of the internet user base.

What we measure is the proportion of users who can reach a published service when the only means to do so is by using IPv6. The data is gathered using a measurement script embedded in an online ad, and the ad placements are configured to sample a diverse collection of end users on an ongoing basis. The IPv6 adoption report showing our measurements of IPv6 adoption across the internet's user base from 2014 to the present is shown in the figure." And this is the chart that I have at the top of this.

So it is a very nice looking, from 2014 to 2020, well, through 2024, basically a decade. And here we are nearing the end of 2024. So almost eleven years. And it got a little bit of a sluggish start, and then it picked up a little bit in 2017, and then pretty much a straight upward

moving line. That's a good adoption curve. What are the weird spikes? So I think

those are just measurement outliers.

Just like something

wasn't working. Ah okay. So he says on the one hand, the figure is one of those classic up and to the right internet curves that show continual growth in the adoption of I P.

V. six. The problem is in the values in the yais scale.

The issue here is that in twenty twenty four, we are only at a level we're slightly more than one third of the internet user base can access an I P V six only service. Everyone else is still on an I P V four only internet. Only a third are able to access. That's good. No.

that's shocking. Actually, those are looking at machines, routers. What are they looking at, at what is that.

So it's it's a server which is sitting somewhere that only accepts incoming I P V six traffic. So they're .

looking at receivers versus quarriers my not my machine in my brothers, they're looking .

at the service is correct. So and there are again, you make IT a good point. There are many different ways we could consider what does what does I P, V six adoption mean.

So what they're specifically saying is and he he said this here, we're going to we're going to chart the the the the percentage of the internet s user base who are able to reach a service which is only available over I P V six. And right now, as he says, as one third of of users on the internet can can contact a server that you can only get to over the six. And I don't note that their approaches, I think, very clever.

They've scattered ads around the internet as that means of running a bit of their own script in the users browser. The script probably queried two servers, one using IP v four addressing and at another using IP v six addressing. And presumably, the visitors whose browsers pull these ads and run the script are widely diverse.

Anyway, jeff continues. He says this seems to be a completely anomalous situation. It's been over a decade since the supply of new I, P, V four addresses has been exhausted. Mean, there just are no more to give out. And the internet, he says, has not only been running on an empty, but also being tasked to span an ever increasing collection of connected devices without collapsing in late twenty twenty four, is variously estimated that some twenty billion devices use the internet, yet the internet ipv for routing table only encompasses some three point zero three billion unique I pv for addresses.

Just note that the reason for the disparity between the total number of addresses in thirty two bits, which is nearly four point three billion, and the internet current routing table spending three points, zero, three billion, is management overhead in the fact that network allocations always leave some headroom. Just, you know, you can have two few hosts network, you just not good. If you have too many, you can do that.

So here comes the purist part of the argument. Jeff writes: the original, and he calls it the end-to-end, the end-to-end architecture of the internet assumed that every device was uniquely addressed with its own IP address.

Yet the internet is now sharing each individual IPv4 address across an average of seven devices. And apparently it all seems to be working. If end-to-end was the sustaining principle of the internet architecture, then as far as the users of IPv4-based access and services are concerned, it's all over. IPv6, he writes, was meant to address these issues.

And the 128-bit wide address fields in the protocol have sufficient address space to allow every connected device to use its own unique address. The design of IPv6 was intentionally very conservative, meaning they went way big. They weren't going to make the same mistake twice. He says,

"At a basic level, IPv6 is simply IPv4 with bigger addresses," unquote. There are also some changes to fragmentation controls, changes to the address acquisition protocols, ARP versus neighbor discovery, and changes to the IP options fields. But the upper-level transport protocols, meaning those that run on top of IP, on the IP packets, are unchanged.

IPv6 was intended to be a largely invisible change to a single level in the protocol stack, and definitely not intended to be a massive shift to an entirely novel networking paradigm. In the sense of representing a very modest incremental change to IPv4, IPv6's design achieved its objective, but in doing so it necessarily provided little in the way of any marginal improvement in protocol use and performance. IPv6 was no faster, no more versatile, no more secure than IPv4.

The major benefit of IPv6 was to mitigate the future risk of IPv4 pool depletion. In most markets, including the internet, future risks are often heavily discounted. In other words, no one really cares about the future. The result is that the level of motivation to undertake this transition is highly variable, given that the expenditure to deploy this second protocol does not realize tangible benefits in terms of lower cost, greater revenue or greater market share.

In a networking context where market-based coordination of individual actions is essential, this level of diversity of views on the value of running a dual-stack network leads to reluctance on the part of individual actors and sluggish progress of the common outcome of the transition. As a result, there is no common sense of urgency. I'll just note that when he refers to a dual stack, he means using a machine that simultaneously runs both IPv4 and IPv6 protocols, which is entirely possible. Everyone running modern desktop machines today is running a dual stack. Yeah, if I open, what, yeah.

I mean, that's how my router is. This, on my desktop, is I can choose IPv6, right? I just don't need

to. Even for me, if I open a command prompt on the Windows 7 machine that's in front of me right now and enter the command IPCONFIG, I see that my machine has both IPv4 and IPv6 addresses, as well as IPv4 and IPv6 default gateways.

So that means my ISP, Cox Cable, is providing both IPv4 and IPv6 support, which is flowing through my cable modem to my pfSense firewall router, which is distributing both flavors of the internet to all of the machines in my local network, thus dual stack. So Jeff's point here is that the only significant thing IPv6 was intended to provide, aside from minor fixes around the edges, was significantly greater addressing space. And inertia being what it is, that was not sufficient to drive its adoption.

My guess is what we're seeing is what I would call adoption by attrition, the same way we're getting Windows 11 when Windows 10 machines die and it's impossible to get another Windows 10 machine; in other words, for reasons other than desire or demand. Jeff says, to illustrate this, we can look at the time series shown in the figure below and ask the question, if the growth trend of IPv6 adoption continues at its current rate, how long will it take for every device to be IPv6 capable?

He says this is the same as looking at a linear trend line placed over the data series used in the first figure, basically extrapolating, right. He says, looking for the date when this trend line reaches one hundred percent, using a least squares best fit for this data set from January 2020 to the present day, and using a linear trend line, we come up with figure two. And Leo, you've got that on the screen, and it's in the show notes.

This exercise predicts that we will see completion of this transition in late 2045, or some twenty years into the future. And I'll take issue with that, but we'll get to that in a minute. I don't think we will ever be there.

He says it must be noted that there is no deep modeling of the actions of various service providers, consumers and network entities behind this prediction. The only assumption that drives this prediction is that the forces that shaped the immediate recent past are unaltered when looking into the future. In other words, this exercise simply assumes that tomorrow is going to be a lot like today.

The projected date in the second figure is less of a concern than the observation that this model predicts a continuation of this transition for a further two decades. If the goal of IPv6 was to restore a unified address system for all internet-connected devices, but this model of unique addressing is delayed for thirty years, from around 2015 to 2045, it raises questions about the relevance and value of such a framework in the first place. Steve,

I want to point out that you and I have some idea of what twenty years means, and it's sooner than you

think. That is true, right? I mean, we're approaching

episode one thousand, and two...

That will mean we'll be at two thousand.

Yeah. When we, in twenty years.

In twenty years, when this

IPv6 finally... we can convert the whole thing to a colon... what is that? Colon hex? I hate those addresses.

Leo, they just make your eyes cross. They're hex.

First of all, they're hex, and they're four hex digits separated by colons, and there

are six of those groups. Well, and they're so long that there are weird, like, abbreviation systems that have

been created in order... yeah, abbreviations, because there's a lot of zeros in many IPv6 addresses, so you just collapse those. Yes.

It's not good, not good. So he says, if we can operate a fully functional internet without such a coherent end-device address architecture for three decades, then why would we feel the need to restore address coherence at some future point? What's the point of IPv6 if it's not address coherence? Something, he writes, has gone very wrong with this IPv6 transition.

And that's what I'd like to examine in this article. Okay. So he goes on at great length, more than this podcast can handle. So I'm going to skip some things, but I'm going to share some highlights.

Let's look back a bit to see what these internet pioneers saw during the 1990s. He says by 1990 it was clear that IP had a problem. It was still a tiny internet at the time, but the growth patterns were exponential, doubling in size every twelve months. Now there are two things that have happened that they did not foresee, and those two things solve this problem.

NAT's only one of them, not only on the client side. He says we were stressing out the pool of class B IPv4 addresses, and in the absence of any corrective measures, this address pool would be fully depleted in 1994. Okay.

So they were at 1990 and they were charting the rate of class B network allocation consumption. And I have a picture here that was taken, it was from the proceedings of the IETF in August 1990. And it's so quaint, because they were still, like, drawing things by hand.

You know, it's like written out by hand. It's adorable. Wow.

Back in 1990 we really didn't have laser printers, so we had to do it by hand, like on the back of a napkin. Yeah, and

that was, those are from the official proceedings. It's captioned, this is titled, "The Internet Growth" by Frank Solensky, Proceedings of the IETF, August 1990.

At least Frank used a ruler for the graph.

Yeah, he did. Yes, but not the title and the headlines, you know. Anyway, so Jeff explains that the

IETF was panicking in the early 1990s because the internet's original design was destined to collapse. Back then, there were only three classes of network allocation, and that was a big problem. He says there was a collection of short, medium and longer-term responses that were adopted in the IETF to address the problem. In the short term, the IETF dispensed with the class-based IPv4 address plan and instead adopted a variably sized address prefix model.

He said routing protocols, including BGP, were quickly modified to support these classless address prefixes. Variably sized address prefixes add an additional burden to the address allocation process, and in the medium term the internet community adopted the organizational measure of the regional internet registry structure to allow each region to resource the increasingly detailed operation of address allocation and registry functions for their region. These measures increased the specificity of address allocations and provided the allocation process with a more exact alignment to determine adequate resource allocations that permitted a more diligent application of relatively conservative address allocation practices. These measures realized a significant increase in address utilization efficiency.

The concept of address sharing using network address translation, NATs, also gained some traction in the ISP world. Not only did this dramatically simplify the address administration processes in ISPs, but it also played a major role in reducing the pressures on overall address consumption. The adoption of these measures across the early 1990s pushed a two-year imminent crisis into a more manageable decade-long scenario.

However, they were not considered to be a stable long-term response. It was thought at the time that an effective long-term response really needed to extend the thirty-two-bit address field used in IPv4. At the time, the transition from mainframe to laptop, from mainframe, Leo. Mainframes were

There were only, right, a couple of hundred of them, wasn't it?

So the transition from mainframe to laptop was well underway in the computing world, yeah, and the prospect of further reductions in size and expansion of deployment in smaller embedded devices was clear at the time, and an address space of four billion was just not large enough for what was likely to occur in the coming years in the computing world. And of course, if you absolutely did require every device to have its own address, that's absolutely true. We're at twenty billion and growing fast, easy.

Yes. I mean, I can imagine somebody, oh my god, they're giving toasters their own internet address.

We've got a problem here. It's going to be a disaster. I mean, laptops, forget laptops.

What about IoT? I mean, this is about to explode. You have light switches

that have IP addresses. Yes, exactly. Yeah. So, to the point he just made about class A, B and C networks, we should remember that the original internet divided the entire network space,

thirty-two bits, on byte boundaries. IPv4 addresses have, as we said, four eight-bit bytes. So a class A network was numbered by its most significant byte. The most significant byte was the network number, so you couldn't have many of them. And then the remaining twenty-four bits to the right of that most significant byte were the host machine within that massive network.

You could have two hundred fifty, two hundred fifty-

five class A

class A networks.

Class B networks used two bytes for the network ID, and then sixteen bits for the individual host machines within each one of those class B networks. And finally, class C networks had three bytes for their network ID, and then just one byte for host machines. So they could only have two hundred and fifty-four, because you need zero, you know, all zeros and all ones are reserved for broadcast and things. So anyway, the problem that Jeff is referring to is that this created massively granular network allocations.

The adoption of the so-called classless, because you don't have classes A, B and C, classless inter-domain routing, or CIDR, where the division between the network ID on the left and the host machine's number in that network on the right could now fall on any bit boundary, rather than only on byte boundaries, massively increased the load on the internet routers and on the routing tables. But in return, it meant that the size of individual network allocations could much more closely track and better fit the number of host machines within that network. So that was a huge win that bought them a decade, basically, because otherwise, in a day, you know, you just couldn't have that many networks, let alone that many machines. But Jeff mentioned the emergence of NAT routing, and a fascination of mine has always been, what's wrong with that?

It works. Yeah, Jeff, here's what Jeff...

Oh my god, we have to hear what Jeff has to say about NAT. He says at this point there was no choice for the internet in sustaining growth in the IPv4 network. While we were waiting for IPv6 to gather momentum, we turned to NATs. NATs were a challenging subject for the IETF. The entire concept of coherent end-to-end communications was to eschew active middleware in the network.

They wanted everything to have a unique address, every single thing on the network.

The original concept was point to point, well, address to address. And they did not want to let that go.

Phone numbers without area codes. It would just be...

You just, they said that this is wrong. This is not the way it's supposed to be. And so he says NATs created a point of disruption in this model, creating a critical dependency upon network elements. They removed elements of network flexibility from the network and, at the same time, reduced the set of transport options to TCP and UDP. And when you think about that, you can't ping arbitrary devices behind a NAT router; they're hidden, and you're supposed to be able to ping any device on the internet.

It really makes you think. If they'd adopted IPv6 from the very first, it would be a very different...

Oh, it would be completely different.

And so many other things would be possible.

Yes, many, many other things. That's exactly right.

You could finger every device. Doesn't work, but you

could query

devices that'd all be publicly... as a security...

would be

maybe a little more challenging. I mean, that protects us,

doesn't it, behind... Oh my god, it is a wonderful firewall technology. So he said, but it's the fact that it's a firewall, like as a side effect, is their complaint.

Yeah, they didn't like that. If you could have one, but it shouldn't be like, like there's no... what that means is you cannot not have one. Exactly. Yeah. And as we know, you cannot put a machine on the raw internet today. It's taken over in seconds. Okay.

So he says the IETF resisted any efforts to standardize the behavior of NATs, fearing perhaps that standard specifications of NAT behavior would bestow legitimacy on the use of NATs, an outcome that several IETF participants, and you know, they have their biases, were very keen to avoid. He said this aversion did not reduce the level of impetus behind NAT development.

In other words, sorry, we don't care what you guys don't need. We need them. Yes. He said we had run out of IPv4 addresses and IPv6 was still a distant prospect,

so NATs were the most convenient solution. What this action did achieve was to create a large variance of NAT behaviors in various implementations. In other words, since they were unwilling to standardize them, what we just got was a mess, because everyone just had to invent this stuff for themselves.

And everybody did it a little bit differently. He said what this action did achieve was to create a large variance of NAT behaviors in various implementations, particularly concerning UDP behaviors. This has exacted a cost in software complexity, where an application needs to dynamically discover the type of NAT or NATs in the network path if it wants to perform anything more complex than a simple two-party TCP connection. Despite these issues, NATs were a low-friction response to IPv4 address depletion, where individual deployment could be undertaken without incurring external dependencies.

On the other hand, the deployment of IPv6 was dependent on other networks and servers also deploying IPv6. NATs made a highly efficient use of address space for clients, as not only could the NAT use the sixteen-bit source port field, but by time-sharing the port binding, NATs achieved an even greater level of address efficiency. Basically, reuse this space. A major reason why we've been able to sustain an internet with tens of billions of connected devices is the widespread use of NATs.

Okay. So that's over on the client side of connections. The solution that the industry has evolved over on the server side is something we've covered previously but never really thought about in this context. Jeff writes: server architectures were evolving as well. With the introduction of TLS, Transport Layer Security, in web servers, a step was added during TLS session establishment where the client informs the server of the service name it intends to connect to.

Not only did this allow TLS to validate the authenticity of the service point, but this also allowed a server platform to host an extremely large collection of services from a single platform and a single platform IP address, and perform individual service selection via this TLS Server Name Indication, SNI. The result is that server platforms perform service selection by a name-based distinguisher, DNS names, in the session handshake, allowing a single server platform to serve large numbers of individual services. The implications of the widespread use of NATs for clients and the use of server sharing in service platforms have taken the pressure off the entire IPv4 address environment.

And I have a perfect example of this at GRC. I don't have endless IPs given to me from Level 3. You know, I'm clutching the set that I have dearly, but through the years the range of services I have wanted to offer has grown. Thanks to Server Name Indication I have, I just checked, thirteen different web services sharing a single IP address. DNS points thirteen different domains to a single IP.

And any web browser that wishes to connect indicates the machine it is looking for during that connection handshake. So that's really something I hadn't focused on. But it is absolutely true.

Both ends of the IPv4 connection: the client side has NAT, which allows, for practical purposes, limitless expansion there on the client side, and on the server side it allows hosting providers to have a modest number of IP addresses. DNS is now redundantly pointing a huge array of DNS names at a small number of IPv4 addresses.

And all of this disambiguation from domain name to IP address occurs thanks to the TLS SNI handshake, where the browser says this is the host I'm looking for, I'm told it's at this IP address. Well, yes, it and hundreds of others are all there. So it's a really cool scheme, and it actually works.

Okay. So Jeff goes on in substantially greater detail, for anyone who is interested. In the interest of time, as I said, I have deliberately skipped over a lot of Jeff's truly interesting discussion. But he eventually gets to examine the question, how much longer? He says, now that we are somewhere in the middle of this transition, the question becomes, how much longer is this transition going to take? He says this seems like a simple question, but it does need a little more explanation.

What is the end point when we can declare this transition to be complete? Is it a time when there is no more IPv4-based traffic on the internet? Is it a time when there is no requirement for IPv4 in public services on the internet? Or do we mean the point when IPv6-only services are viable? Or perhaps we should look at the market for IPv4 addresses and define the end point of this transition as the time when the price of acquiring a new IPv4 address completely collapses.

Perhaps we should take a more pragmatic approach. And instead of defining completion as the total elimination of IPv4, we could consider it complete when IPv4 is no longer necessary. This would imply that when a service provider can operate a viable internet service using only IPv6, and having no supported IPv4 access mechanisms at all, we would have completed this transition.

What does this imply? Certainly the ISP needs to provide IPv6, obviously, but as well, all the connected edge networks and the hosts in these networks also need to support IPv6. After all, the ISP has no IPv4 services at this point of completion of the transition.

It also implies that all the services used by the clients of this ISP must be accessible over IPv6. Yes, this includes all the popular cloud services and cloud platforms, all the content streamers and all the content distribution platforms. It also includes specialized platforms such as Slack, Zoom, Atlassian and similar. The data published on the Internet Society's Pulse reports that only forty-seven percent of the top one thousand websites are reachable over IPv6 today.

And clearly a lot of service platforms have work to do, and this will take more time. When we look at the IPv6 adoption data for the US, there's another curious anomaly.

And Leo, that's the last chart that I talked about. Look at that. I think it's very interesting.

It's flat.

It is flat. For... things a little bit in the twenties. It's stopped growing, oh boy. It went, in 2014 it came off the ground at about, a little over, it looks like, over five percent, maybe six percent, climbed up to around fifty-five, sixty, and then flatlined.

This, this

is websites that... no, this is their probe, which showed linear growth. The same probe shows for the US, it is flat. Oh,

this is the US compared to the global graph that we saw previously. I know

that we previously observed that much of the IPv6 growth has been, you know, elsewhere in the world. Developing nations, for example, which are just obtaining internet access, are naturally acquiring IPv6 access since they have no inertia, and IPv6 is certainly available. But where we previously observed a surprisingly straight upward-moving line of total global adoption, the chart showing only

US-based adoption is an entirely different animal. For the past six years, since around the start of 2019 and through 2024, United States IPv6 adoption has been flat, showing no growth, none. Jeff draws the really interesting conclusion that the services and the service model of the internet are changing.

And that, in a very real sense, DNS has evolved into our routing protocol, alluding to what I mentioned before. He explains, he says it's domain names that operate as service identifiers. It was supposed to be IPs.

No, it's domain names that operate as service identifiers, and it's... here, this is him: and it's domain names that underpin the user's tests of authenticity of the online service. It's the DNS that increasingly is used to steer users to the best service delivery point for content or service.

From this perspective, addresses, IPv4 or IPv6, are not the critical resource for a service and its users. The currency of this form of CDN network is names. Yeah.

So where are we in 2024? Today's public internet is largely a service delivery network using CDNs to push content and service as close to the user edge as possible. The multiplexing of multiple services onto underlying service platforms is an application-level function tied largely to TLS and service selection

using the SNI field of the TLS handshake. We use DNS for closest-match service platform selection, aiming for CDNs to connect directly to the access networks where users are located. This results in a CDN routing table with an average path length designed to converge on one. From this aspect, the DNS has supplanted the role of routing. While we don't route names on today's internet, it functions in a way that is largely equivalent to a named data network.

In other words, no longer addresses but names. There are a few different implications of this architectural change for the internet. TLS, like it or not, and there is much to criticize about the robustness of TLS, is the sole underpinning of authenticity in the internet.

DNSSEC has not gathered much momentum to date. DNSSEC is too complex, too fragile and just too slow to use for most services and their users.

Some value its benefits highly enough that they're prepared to live with its shortcomings, but that's not the case for most name holders and most users. And no amount of passionate exhortations about DNSSEC will change this. It supports the view that it's not the mapping of a name to an IP address that's critical.

What is critical is that the named service can demonstrate that it is operated by the owner of the name, in other words, certificates. Secondly, the routing PKI, the framework for securing information being passed in the BGP routing protocol, is really not all that useful in a network where there is no routing. The implication of these observations is that the transition to IPv6 is progressing very slowly, not because this industry is chronically short-sighted.

There is something else going on here. IPv6 alone is not critical to a large set of end-user service delivery environments. We've been able to take a 1980s address-based architecture and scale it more than a billion-fold by altering the core reliance on distinguishing tokens from addresses to names.

There was no real lasting benefit in trying to leap across to just another 1980s address-based architecture, meaning IPv6, with only a few annoying, stupid differences apart from longer addresses. So to give this something of a summary, what's happened is the internet has become the web net. It is mostly all about the worldwide web.

And even where it isn't, most endpoints are still being secured by the web's TLS. What's happened is that both ends of the web have independently solved their IPv4 resource depletion problem.

Over on the client end we have NAT routing, which, as we've noted earlier, effectively borrows address bits from the sixteen bits of port addressing to allow many client-side devices to share a single public thirty-two-bit IPv4 address. And over on the server side we have Server Name Indication, SNI, which allows GRC, for example, to host thirteen different named services from a single IP address. Name is the key, that's the key.

And this is the point that I think Jeff brilliantly observes. We are now using names rather than addresses to access the services we need. And to see that, on top of that, fewer than half of the top one thousand websites today are reachable at all over IPv6.

Certainly all of them over IPv4, but IPv6, fewer than half. That suggests that the majority still feel very little pressure to invest in something that will literally make no difference in the services they deliver. And finally, even before seeing that the US

adoption of IPv6 has been completely flat and static for the past five years, we know that no straight line continues straight out to the end. That's just not the way the world works.

That line was a percentage of IPv6 adoption. So that rate of adoption is absolutely going to slow down, and probably not long from now. Nothing ever gets to one hundred percent. So my guess is that it will begin flattening out and will asymptotically approach ninety percent over a great many more decades. And that's fine too, since I think it's clear that IPv4 will never die.

This should be in the title of the show. IPv4 will never die. Well, that's, you know what, you're right.

I was thinking, I don't know, is Steve really going to be able to turn this into something interesting? And it is quite interesting, actually. And the way the internet has routed around the problem and solved it kind of organically and effectively is very, very interesting. So without the, the real issue is, without the pressure to go to IPv6, no... it's like metric, you know. Well, there's no... except that the US is a laggard here.

No. And notice that it's in our desktops. We didn't ask for it, right? But it's just there. So is it easy to build it in?

I mean, is that the kind of thing, we can implement it on the client end easily?

Yeah, I mean, there is open source code. All of the various, you know, IP stacks support it now. So it's just there, and so it'll end up getting used.

There is a preferential use of it when both are available. IPv6 is chosen. So v4 has now become the fallback.

I had heard, it's probably apocryphal, v6 is faster. That's not, faster.

I'd say there's nothing about it. You could argue it's a little slower because it's got a little more addressing overhead.

Yes. Yeah, yeah.

And that's his point. If it was faster, it wouldn't be dying.

Right. There was no real, no, all...

It is offering something that turns out we don't need.

So do you think we'll never .

get there? Well, i'm still a nervous about the client end because four billion, we still need four billion clients. Now Carrier net, as you said, Carrier net solves that right now.

I have a public IP address. Cox is like 38-dot-something-dot-something, or 70-dot-something-dot-something. So I have a public IPv4 address.

Some people are getting 10-dot addresses from their ISPs. So, I mean, the ISP is doing the NAT. Wow.

And so it's double NAT. The ISP is NATed, and they get one IP. And then their residential NAT router is NATing. But so again, it solves the problem: if the ISP has more customers than it's able to get IPs for from its upstream supplier, it just applies carrier-grade NAT.

Fascinating. Now I know there are people watching. I could tell because I see TikTok stuff.

"Leo, I started watching you when I was sixteen and I'm thirty-five now." I know there are people... Leo, you're on TikTok, so I know there are people watching who maybe have not seen our podcast. We've been doing this, kids, for twenty years, Steve and I, this and a couple of other shows too. TWiT just passed its one thousandth episode, and we're so glad that you could watch. We only recently figured out how we could stream to eight different platforms.

Very cool.

Which I love. Let me see, there are six hundred and seventy-one people watching on YouTube, Twitch, TikTok. Welcome, TikTok.

That's pretty awesome. X.com, LinkedIn, Facebook. Of course, our own Kick and our own Club TWiT Discord, which makes eight. But if you are watching this in the live version, and that's great, that's like getting Steve's email a day early, the real finished, polished product is available for download, because it is ultimately a podcast. Steve has his version of it as the 64 kilobit audio file; that's kind of the canonical audio version. He also has 16 kilobit audio, so it's much smaller for quick downloads.

For people on limited bandwidth. And he has, of course, transcripts, which he commissions. Those take a few days, but those are written by humans, not AI. So by a human, not AI.

So they are really good, and they do a great job of capturing the show. All of that is at grc.com.

Now, while you're there, don't forget his bread and butter, the thing that he does for a living. It's not this; it's SpinRite, now in 6.1. The current version just came out. 6.1 upgrades for previous owners.

But if you're a new owner, go to grc.com, get yourself a copy of SpinRite. If you have mass storage, you need it. It is a mass storage maintenance, recovery, and, as we talked about earlier, performance-enhancing tool that really everybody should have.

So get a copy of SpinRite while you're at grc.com. Sign up for his email. Actually, he's very clever. He has, well, it's the show notes that come as email. And by default, if you go there, it will just register your email so that you can email him, because otherwise he doesn't want to hear from you.

So securitynow@grc.com, right, is not posted anywhere, and no one, or all of us, write to it.

It will bounce anything that is not validated through that system. I had the... grc.com/mail. But you will notice, unchecked, a couple of newsletters that you can subscribe to. But you've got to check the box, because Steve is very much an opt-in kind of guy.

He doesn't want to sneakily send you the emails. So if you want the newsletter, for all the shows you can download the show notes at his website, but you can also get them a day early via email, so you could be a real know-it-all with your friends: "And so I know all about carrier-grade NAT. I've read the show notes."

We have, of course, at our website, copies of the show: twit.tv/sn, for Security Now. Clever. Uh, there is YouTube... well, before I say that, I think there is a video version on our site that Steve does not have.

So if you want to see what it looks like, like the pictures and stuff, that we have. We also have the audio version. We have a link there to the YouTube channel, which is video, obviously, but that is a great little thing for you to share with the boss, clients, friends, family. If you hear Steve say something and you think, oh man, I'm going to send this, YouTube makes it easy to clip

it and send it. Everybody's got YouTube. So a very friction-free way of sharing the show. And when you do that, by the way, that helps us, because it introduces new people to Steve's good works here.

We also have, it's a podcast, so we have a downloadable version you could subscribe to in your favorite podcast player, either audio or video, or get both. Why not? They are free.

They are ad-supported; support our advertisers. And if you want it without ads, you can get it by going to twit.tv/clubtwit and joining our club. You don't just get ad-free versions of the shows; you get access to the Club TWiT Discord, which is a great hang.

Lovely people. They're all just as smart as you are, just as... It's a great hang, unlike TikTok. So only that...

Hip? We're artificial? No.

You know, it's funny. Almost all the other shows, the Discord is laden with animated GIFs.

The people in the Security Now Discord are very text-focused. Look at that. No pictures, just text. That's a very different group of people. That's kind of interesting. A lot of good conversation. It's a great way to learn more, kind of. If you're a member of the club, you get into that Discord.

And it helps most... oops. I...

spoke too fast. Look at that, the interactive...

podcast, Leo. They're...

actually listening. It's wonderful to have all of our club members, all of you watching live. Subscribe to the show. You don't want to miss an episode. And guess what, kids? Next episode...

999. Wow.

For those of you new to us, that would have been the last show, for years.

Steve said.

I'm ending it at 999. I don't have room for four digits.

Nobody needs more than that.

But we carry on. Noted. Steve's brain...

And now a four-digit show...

starting in two weeks. So the kind of quasi last show will be next week. That's good.

That's good. Yes. Steve, what do you do? Dress up for Halloween? Is it enormous? What do you do differently?

No, we're in a neighborhood that has no kids, or if there are, they go down to a more... Yeah.

And...

we have a wonderful week and read...

some more Peter F. Hamilton, and we will see you back here, as always, Tuesdays, right after MacBreak Weekly. That's roughly 2-ish Pacific, 5 p.m. Eastern, and because we are finally changing to daylight... to standard time, rather, from daylight saving time, it will be 2200 UTC.

Is that this coming weekend?

Yeah, I think so. Oh, no, it's not this weekend. It's next weekend.

Wait a minute. No, is it this weekend? I think... oh.

I don't know when it happens. It used to be a big deal, but now all of our devices, you know, just do it. It's amazing. It's like, you don't have to reset anything. You used to forget, and your microwave was wrong for about the first month and a half.

Everything fixes itself now, thanks to NAT traversal, I expect.

IPv4. This time next week, I will be announcing that I'm starting work on a new commercial product.

Wow. Not SpinRite 7?

Oh my. Yeah. Well, that's a reason to tune in next week.

I think that I will be in a position that, I mean, work should be underway. I'm doing something fun, not on the... we've never talked about it. Not Beyond Recall either. So I...

thought it was... oh, because we have talked about Beyond...

Recall. Beyond Recall after that, and then SpinRite 7. But I'm going to do something first that I think will be interesting.

Interesting. So, well, we have to say Steve's in excellent health, so he may well make 2100.

It's funny, dude, because as you were saying, the only thing you sell... it's like, well, okay.

So bread and butter. Okay, good. Oh, I can't wait. Next week, join us for Security Now

999. Security Now.