
Security Now 1009 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show


0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here with a rundown of the, what is it? 160 critical patches Microsoft shipped last week on Patch Tuesday. Microsoft's also forcing you to take Outlook. GoDaddy is going to get much more serious about its hosting security. And then, get ready, get your propeller hats on, because there will be math. We're going to brute force your one-time password authenticator. Well, at least we'll talk about how hard or easy it would be to do that. It's going to be a fun episode. Next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1009, recorded Tuesday, January 21st 2025. Attacking TOTP. It's time for Security Now, the show where we talk about security, privacy, protecting yourself and your loved ones on the great big, vast Internet, with this guy right here, our security in chief.

0:01:13 - Steve Gibson
You jumped a little bit when you said we talk about security. I thought, well, you're surprised.

0:01:17 - Leo Laporte
No, what Is this? The security show, oh my.

0:01:20 - Steve Gibson
We do like to surprise our listeners every week one way or the other. Yes, give them something to think about, and we're going to do that again this week. Today's topic for Security Now number 1009, and yes, that's four digits, is attacking TOTP. We've talked a lot in the past about brute force attacks and we understand the concept of that, but I thought it would be fun, and this was another one of those outgrowths from a listener feedback question where he mentioned that. Well, I don't want to step on my eventual explanation of this, but it led from a listener feedback question that we will get to. That, I think, produces a really interesting conversation where we look at, not just like wave our hands over it and say, oh yeah, you just try a lot of things. No, let's really look at what it means to brute force something like the authenticator that we're all using in our lives every day. Is it secure enough?

Last week, we dug deeply into the protocols, the actual algorithms that this thing is using. So now we have that as a basis and I thought, okay, this is too good an opportunity to pass up. Let's see what it would take to attack an authenticator. What information do we need from it. How much of that information do we need and what do we need in terms of processing power and capability? So that's our main topic for the day, but we're going to look at, of course, last week's, which is to say January's, record-breaking zero-day critical Patch Tuesday, brought to us by none other than Microsoft.

Also, there's some interesting news that I thought was like, what? I had to pursue it. Microsoft will be force-installing, that's the jargon that everyone is using, force-installing a new version, a new and arguably unwanted version of Outlook into every single Windows 10 and Windows 11 desktop, and there's no way to prevent it. Again, we'll dig into that more. GoDaddy is being required to get much more serious about its hosting security. We know they've had some problems there. We've got more age verification enforcement coming, this time internationally, and what another instance of a widely exposed management interface continues to teach us. Also, DJI drones' official firmware update lifted its geo-fencing, now allowing unrestricted flight. Odd timing.

0:04:19 - Leo Laporte
Isn't that strange?

0:04:20 - Steve Gibson
I thought that was odd. Really, yeah, really. CIS's efforts pay off with much improved critical infrastructure security. Let's hope everything continues working for them. And also, I've got a bunch of listener feedback. A fun piece of errata, something I completely got wrong that several of our listeners said, what are you talking about? And then we're going to take a deep dive into cracking authenticator keys and, of course, we have a picture of the week that will not disappoint. If you haven't seen it yet, Leo, it'd be great to share your reaction live with our audience.

0:05:00 - Leo Laporte
I like to scroll up live. That's a goodie, very good. This is going to be a good show, as always. I loved last week.

0:05:30 - Steve Gibson
It was really fascinating to hear how they came up with the TOTP protocol in such a weird way, brute forcing of it.

0:05:32 - Leo Laporte
You could take the position that that wacky spin makes it more difficult, okay, to run a brute force, so maybe that's why they did it.

0:05:35 - Steve Gibson
It was in 2005. I don't think they were thinking clearly about anything back then, but you know, maybe all right.

0:05:45 - Leo Laporte
Well, we'll talk about it in just a bit, when we get to brute forcing TOTP. That is the main subject, but, as you can just hear, there's a lot more in between there and here. Before we get too much farther down the road, I'd love to tell you about our sponsor for this segment on Security Now, Vanta. I really think this is an interesting company.

Trust for you as a company isn't just earned, it's demanded, by regulations in many countries. So, whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or, frankly, more complex. That's where Vanta comes in. Businesses use Vanta to establish that trust by automating compliance needs, and they do it over 35 frameworks. I mean, I didn't even know there were that many. That's SOC 2, of course, ISO 27001, but many, many more. Vanta will help you centralize your security workflows, complete those questionnaires up to five times faster and proactively manage vendor risk, because, at the bottom, that's really what it's all about, isn't it? Vanta can help you start or scale your security program by connecting you with auditors and experts, people with real experience in the field, to conduct your audit and set up your security program quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on building your company. Get this over with faster and better with Vanta. Over 9,000 companies, global companies like Atlassian and Quora and Factory, use Vanta to manage risk and prove security in real time. For a limited time,

just because you listen to Security Now, you get $1,000 off Vanta. But you have to go to vanta.com/securitynow. V-A-N-T-A dot com slash security now, $1,000 off. You know you need it. Why don't you save right now? vanta.com/securitynow. We thank Vanta so much for supporting the good work Steve does here, and we thank you for supporting it by going to that special address, vanta.com/securitynow, so they know, oh, they were watching Security Now. That's where they found out all about that. All right, Steve, I have preserved my virginity. Maybe that's not the way to describe it. I have not looked at the picture of the week, but I am now about to scroll up.

0:08:21 - Steve Gibson
I will tell you first that I gave it the caption. So how exactly do you propose?

0:08:44 - Leo Laporte
we get up there to fix that. Um, okay, there's a scissor lift, but this is above a swimming pool. Yeah, like it looks like an Olympic size, big, big swimming pool and the.

0:08:57 - Steve Gibson
Apparently there's something that's gone wrong up in the beams, like in the middle one, not in the middle, but like over the water of the pool. So this scissor lift is up, like where they'd be standing on the third story if it were. Oh yeah, it's high, you know, so it's way extended.

Um, then, but the problem is it's out. This, where they need to be, is over the water. So they found some sort of a float, which is a large rectangular float, and you know, again, did that possibly work? Oh, and you'll see that they've got yellow ties to the four corners of the float.

0:09:42 - Leo Laporte
Oh, so it doesn't float around.

0:09:43 - Steve Gibson
Well, so that the scissor lift itself doesn't tip over and it doesn't roll anywhere.

0:09:49 - Leo Laporte
Yeah.

0:09:50 - Steve Gibson
So it's anchored itself to the center of the float and then got pushed out. Now one question I had was like, okay, how do they position themselves? Maybe they did a hand over hand off the top beam in order to, like, they float around. Like float around, yeah.

0:10:15 - Leo Laporte
So many questions, so many questions. That's hysterical.

0:10:18 - Steve Gibson
Looks legitimate to me. I mean, you know, it looks real. Wow. And again, I guess you could do one of those things with a long arm and park it off to the side of the pool and have the long arm reach out with a guy in a basket as your alternative. But otherwise anyway, regardless, a fun picture of the week. How exactly do you propose we get up there to fix that? Okay, Joe, here's what I suggest.

0:10:50 - Leo Laporte
And then of course, Phoenix Warp in our YouTube chat says I'm not worried about how they got there. How did they get back?

0:10:59 - Steve Gibson
Wow.

0:11:00 - Leo Laporte
Yeah.

0:11:02 - Steve Gibson
Okay. So Patch Tuesday. CrowdStrike's blog was titled January 2025 Patch Tuesday: 10 Critical Vulnerabilities and 8 Zero Days Among 159 CVEs, and we touched on this last week, the fact that this was the highest number of patches that we'd seen from Microsoft in years. Not ever, but quite a while, which goes to show, as we're always saying, things are not getting any better. He noted, quote, this month's leading risk type by exploitation technique is remote code execution, RCEs, with 36% of them being. Okay, so more than a third are like the worst problem you can have, remote code execution, followed by elevation of privilege. Well, that's the second worst type you could possibly have, because once you get in, you need to be able to get the OS's safeguards out of your way in order to do some real damage, which standard users are largely prevented from doing, just to protect them from themselves.

So CrowdStrike gave us a pie chart which shows, around the pie, 9% of the problems were security feature bypass. So okay, whatever that is. That's sort of a generic catch-all. 13% denial of service, meaning you crashed something and so its service was thereby denied. Then we get a big light green chunk, that's the 25%, which is elevation of privilege. We drop down to 14% for information disclosure, and then the biggest of all, at 36%, is remote code execution, followed by a little 3% sliver for spoofing. So, unfortunately, as we've laid out in the past, of all the vulnerability classes, we know that the two most powerful and desired by the bad guys are remote code execution and elevation of privilege. And of course those were the top two, 36 percent and 25 percent respectively, and they don't overlap. Those are, you know, summed, so together that's 61 percent of all

159 problems were of the most serious kind available. Elevation of privilege, as I said, allows someone who arranges to get into a system as a regular and somewhat constrained user to bypass the operating system's privilege strictures, and remote code execution can both create that initial entry into the system, that is, enable the way of getting in, and then, once your privilege has been elevated, allow the bad guys to run the code of their choice to wreak havoc. Viewed by product, Windows itself received 132 of the patches and, somewhat chillingly, Microsoft's ESU, that's the Extended Security Updates for previous Windows operating systems that no longer receive free patches and must have these fixes for Microsoft's own security flaws purchased, those received 95. And in distant third place was Microsoft Office, with a relatively sedate 19 patches. It's interesting that current Windows received 132 patches, whereas older Windows, which Microsoft has stopped fussing with, was down at 95, which, you know, which Windows would you say is objectively safer to use?

It's so easy, you know, to become numb to the idea that these vulnerabilities are being actively exploited. This means that there are serious, somewhere in the world there are serious campaigns that are investing heavily, because, you know, these are not easy to find. Other people would have found them. You know, white hat hackers, people getting paid to find problems, would have found them and, by the way, these are old. We'll get to that in a second. But so my point is somewhere, I mean, there's like serious industry at work investing in discovering these subtle vulnerabilities and then deploying exploits to take advantage of them in the real world, because these are zero days under active attack.

Windows Hyper-V NT kernel integration VSP received three patches, all having a severity of important and a CVSS of 7.8. The three are elevation of privilege vulnerabilities allowing an attacker to gain system privileges. Microsoft has indicated that the weaknesses are due to heap-based buffer overflow, but has not shared any details of the vulnerabilities or how they learned of them, what the source of the disclosure was. Microsoft Office Access received patches for another three, all having the same severity of important and the same CVSS score of 7.8. But all three of these, that is, Microsoft Access, are remote code execution vulnerabilities exploited by opening specially crafted Microsoft Access documents. Microsoft addressed this attack vector by blocking access to certain types of extensions, in addition to patching the vulnerabilities. So here again we have one of those fundamental problems of unneeded features coming back to bite them well into the past, and we'll talk about the past in a second. There were three critical rated 9.8 problems which, as we know, it's very difficult to get a 10.0. 10.0 is like, we see that very rarely, but 9.8 is regarded as, this is really important, you got to fix it right now because it's going to happen. The first was a critical remote code execution vulnerability affecting Windows Reliable Multicast Transport Driver, RMCAST, and that has a CVSS, as I noted, of 9.8.

An unauthenticated attacker, meaning anybody out on the public internet anywhere, can exploit this vulnerability by sending specially crafted packets to a Windows, I love the name of this, Windows Pragmatic General Multicast, that's the PGM, the Pragmatic General Multicast open socket on a server without any user interaction. Wow. However, exploitation is only possible if a program is actively listening on one of these PGM, Pragmatic General Multicast, ports. The vulnerability is not exploitable if PGM is installed or enabled, but no programs are listening as receivers. Since PGM does not authenticate requests, it's crucial to protect access to any open ports at the network level, such as with a firewall. Gee, you think? It's strongly advised to avoid exposing a PGM receiver to the public Internet due to these security risks. So that's a problem.

Now, I have not dug into this to see how likely it is that a machine might have this port publicly exposed, nor what services might be listening for incoming traffic there. But it's clear from its 9.8 rating, which, again, they don't want to give to anything, and that it's a remote code execution exploit, if those conditions were met, the result would be, shall we say, not good. The second of three critical rated 9.8 RCEs seems much more worrisome since it affects Windows OLE, remember, object linking and embedding technology, which allows embedding and linking to other documents and objects from within documents. That was all the rage back in the early days of Windows.

In an email attack scenario, which is why this is raising such concern, an attacker could exploit this vulnerability simply by sending a specially crafted email to their victim. Exploitation of this vulnerability might involve either a victim opening the specially crafted email with an affected version of Microsoft Outlook software, but that's not necessary. The Outlook application's displaying of just the preview of the specially crafted email could allow an attacker to remotely execute their own machine on the victim and take it over. So yikes. Now, given OLE's age, my guess was that this would have been one of those vulnerabilities that Microsoft would have required payment for fixing on their older yet still vulnerable machines, and indeed they list Windows Server 2008 and 2012 among the vulnerable systems. Since Server 2008 and 2012 are the equivalent of the desktop Windows 7 and Windows 8, I bet that those desktops are vulnerable to this as well.

Their workaround advice is to, I love this, okay, so this is bad. What do we do? Their advice: only view your email as plain text so that Outlook's HTML viewer will not have the chance to invoke OLE for the display of content which, due to this very old bug in Windows OLE, like, again, right, we're talking 2008. So this has been a problem since 2008. It was recently found that there was a way to leverage this which, to my point, is that, you know, there's an active industry looking at ways to get into people's Windows networks. So, and probably not end users, right? They're sending a phishing email into enterprises hoping that somebody will. Just, you know, Outlook just has to sniff it and it's curtains, but not if you use their plain text viewer.

So and I know this is a hobby horse of mine, but this is why it seems wrong to me that Microsoft wants to sell the patch for this bug. How is it okay that they want to charge us for this? What they want to do instead is to force us to move to a newer operating system, which has arbitrarily also decided that it may not support the hardware that we have. And, as we just saw, these newer operating systems just had significantly more newly introduced vulnerabilities patched, compared to the older operating systems that are being allowed now finally to settle down because Microsoft has stopped making them better for us.

Anyway, the third critical 9.8 vulnerability is a trivial-to-exploit elevation of privilege in good old NT LAN Manager. That's the V1 version, which refuses to die because there are things out there that still need Windows to connect to them. So it's remotely exploitable across the Internet and its low attack complexity means that attackers need minimal system knowledge and consistently can, and this is Microsoft saying this, can consistently succeed with their payload against a vulnerable component in Windows. To eliminate the danger entirely, don't expose any LAN Manager network ports to the Internet. And of course, I've been saying for many years that there is no safe way to expose any of Microsoft's networking services other than their web server and their email server. All of the other services have been found to be vulnerable over and over and over, you know. And if this simply-don't-do-it admonition, you know, is not useful for you because your application needs you to do this, it leaves you with no other choice. And Microsoft says that the danger can be mitigated by setting Windows LM compatibility level to its maximum value of five on all machines. This forcibly disables both the original LAN Manager and NT LAN Manager version 1, allowing then only the use of NT LAN Manager version 2.

And of course, as I said, we've talked about how this could be a problem in heterogeneous environments where Windows machines have no choice but to communicate with older legacy equipment that, for whatever reason, cannot be updated. So many such situations like that exist today in the real world. That's just the way the real world still looks. The simplest possible solution to all these, I want to highlight again because boy do I use it, is to use IP address filtering, simple IP address filtering, where only the IP packets of specific remote machines, filtered by their IP addresses, are allowed to see the older and less secure Windows protocols. You know, yes, this does make the resulting network slightly more brittle, since firewall rules need updating in the event of IP addresses changing. But it is such a simple and bulletproof solution, and many instances exist where someone casually just exposed SMB protocol, Server Message Block, the NT LAN Manager stuff, to the Internet, relying on username and password authentication, saying, well, you know, it's protected. It's not, and they're having connections coming from other fixed locations. If they're fixed, put a filter in front of that LAN Manager port so that only those locations can see it. It's just so simple to do, and I mean it ends it. It's just such a good solution.

Okay, before I leave last week's Patch Tuesday topic, I should mention a pair of remaining critical remote code execution vulnerabilities which receive CVSS scores of 8.1. Despite being remotely exploitable across the internet, they were spared that same hair-on-fire 9.8 rating because their attack complexity was high. But the bad news is they both exist in Windows Remote Desktop Gateway. Once again, nothing but web and email. And the reason those are secure is they're publicly exposed, meaning they're not supposed to need to authenticate anybody. Anybody can access someone's web server by design, and email in order to send them email, but Microsoft just doesn't seem to be able to get authentication right, no matter how much time goes by. And boy, we're going to see an example of that in one of our listener feedbacks coming up.

Okay, so Remote Desktop Gateway has these two 8.1 CVSSs. So we've seen problems with this before and unfortunately, many enterprises believe that they have no choice other than to expose the Remote Desktop Gateway to the public internet. I would argue that there are always ways around that, but one needs to care enough first to do so. Hopefully our listeners, you know, none of our listeners are any longer affected by this. They've come up with a way of putting something else in front of their enterprise's Windows Remote Desktop Gateway.

To exploit these two vulnerabilities, an attacker needs to win, and we've seen this before also, a race condition by precisely timing their actions. You know, that may be difficult, but most such Remote Desktop Gateways sit unattended and unmonitored, meaning that attackers can try and retry without limit until they succeed. The attack involves connecting to a system running the Remote Desktop Gateway role, then triggering the race condition to create a use-after-free scenario. So memory is being released somewhere, a pointer is still not freed and is pointing to that released memory, which then gets reallocated, giving the attacker a pointer to something that might have some juicy content and gives them the hook. So, if successful, Microsoft agrees the attacker could leverage this to execute arbitrary code on the target system, given the patches available.

It appears that this problem was introduced in the Server 2012 timeframe, since Server 2008 is not affected. So 12 years ago now, or 13. Now I certainly understand that, you know, once bitten, large enterprises will understandably be very wary of Windows Update, you know, bringing down any of their important applications and infrastructure. It's a devil's bargain. So the best enterprises can do is to give each second Tuesday's updates immediate attention. Get the updates deployed as quickly as practical after verifying that, you know, installing them on a few sacrificial systems, you know, keeps all the enterprise infrastructure stuff and critical services functioning.

So, that said, you know, the smarter thing to do, rather than always being reactive to whatever the latest problem is, and, as I said, they're not slowing down, they're arguably speeding up, is to really spend some time arranging to not be vulnerable to most of these problems in the first place by placing some other form of additional access control and authentication in front of anything having the need to offer secured public access and exposure. As I said, web and email servers are meant to receive anonymous connections from the public internet. Pretty much nothing else is. What we keep seeing is that the inbuilt authentication for any other private services is just not trustworthy and cannot be, and should not be, trusted. Once something other than Windows itself is protecting Windows services, none of this stream of ongoing zero-day, actively being exploited in the wild vulnerabilities will be a source of concern. That's where you want to be, so it's really worth spending some time thinking about how to get yourself into that position.

0:32:35 - Leo Laporte
What's your sense? So it seems like, I mean, this is a huge number of flaws to patch. I mean it's the largest since 2017, I think they said. Which would, just on the surface, people would say, oh well, look how insecure Windows is. But maybe it's the case that just Windows is in such widespread use that it's more likely that these are discovered and fixed than on a lesser used operating system. Do you think Windows is inherently less secure than any other operating system? Is this a sign of that? You understand what I'm saying? I am.

0:33:17 - Steve Gibson
I do. On Microsoft's side. No other operating system offers the sprawl of features that Windows does. I mean the reason, enterprise, no. I mean Microsoft has, I mean no enterprise, no sizable enterprise cannot use Windows.

0:33:43 - Leo Laporte
Okay.

0:33:44 - Steve Gibson
They, you know, there were little artsy ad agencies with Macs, right, that's, you know. But there isn't any enterprise or government agency, anything sprawling, because it's the one that they have to use to have the features that they want.

0:34:05 - Leo Laporte
But along with the most features come the most bugs, right?

0:34:08 - Steve Gibson
Well, yes, and it is significant that the older, purchased repairs had fewer flaws fixed than the newer operating systems. And every week on Windows Weekly you guys are talking, you and Richard and Paul are talking about all, you know, and we got this update and we got this update and all this is added now and this now goes this way, and I mean Mary Jo used to be kept busy talking about all of this enterprise crap that they just keep adding. Well, any new code is going to have some percentage of flaws. That's what we see, and that's why I said that, you know, the older operating systems had fewer things to fix because Microsoft stopped screwing with them.

0:34:58 - Leo Laporte
So it isn't necessarily. I mean it's more insecure because there's more little edges to attack, but it's not that they're writing worse software, it's just the nature of the beast, and we've said this before. The fact that there were, what is it, 163 patches means there's 163 fewer problems. The longer it gets patched.

0:35:25 - Steve Gibson
The more it gets patched, the better. The only argument to they're not writing worse software is that. Was it 10,000 known bugs at release of what? Was it Windows?

0:35:39 - Leo Laporte
XT or something. A lot of those are cosmetic, yeah. I mean what we care about is security flaws, and 10 critical vulnerabilities and eight zero days and 159 CVEs.

0:35:52 - Steve Gibson
Somewhere in the world, people that aren't listening to this podcast and aren't being sufficiently proactive are having their Windows networks penetrated. We keep hearing about, I mean, I don't cover it anymore because it's so boring, is all the ransomware attacks, every day. But it's like, yes, it's still going on and companies are being victimized.

0:36:22 - Leo Laporte
But they don't have a choice. You just said they have to use Windows. They don't have a choice.

0:36:25 - Steve Gibson
They don't have a choice. Yeah, that's why I also called it a devil's bargain. It is a devil's bargain. You have to use Windows because only it will do the things you need. But it is a system dragging legacy code forward. I mean, it's still got OLE in it, right?

0:36:45 - Leo Laporte
Object for no fact that Windows 3, and that's another downside, is you can't take anything out. Microsoft can't take anything out. It'll break something because somebody's using it. Yeah, it was like.

0:36:56 - Steve Gibson
It's like IE6. It stayed around because people had, you know, enterprises had written applications that only ran on IE6, and it's like, no, no, no, you can't take it, it'll, are, well, we'll go out of business. And when Microsoft has contemplated creating a secure Windows, it doesn't have Win32 and, you know, is a lot safer.

0:37:20 - Leo Laporte
They back off because nobody wants it. That's not, nobody wants that. They don't want the more limited Windows. The whole reason they use Windows is because of all the features.

0:37:31 - Steve Gibson
Yes, and Intel is a perfect example. Intel learned the lesson a long time ago, forward compatibility or backward compatibility as we move forward. You know, you can still run, and I do, 16-bit code on the spiffiest triple turbocharged gazillion core Xeon double scoop processor. Works great. Boots DOS, you know, you can't even see it, can't do floating point math, but. Okay, well, it's an interesting question, right?

0:38:04 - Leo Laporte
I mean I think on the face of it you'd say, well, look at all these flaws, clearly it's a crappy operating system. That's not necessarily the case.

0:38:11 - Steve Gibson
No, but the takeaway here is don't trust it and pay attention. You can use it and not trust it, which means don't put it on the public internet. Put something in front of it that you have to pre-authenticate to in order to get to it. Use an overlay network, use some other system, or use aggressive port filtering, so that Russia and China can't just connect to an open port and go, let's see what we can do here.

0:38:48 - Leo Laporte
Second question and this is really germane to many of our listeners who are not targets Do you have to worry about this if you're not a natural target?

0:38:59 - Steve Gibson
No. Nobody has Remote Desktop.

0:39:01 - Leo Laporte
An individual like me.

0:39:03 - Steve Gibson
We don't have Remote Desktop Gateway on our systems and we probably don't have Remote Desktop exposed, and we're sitting behind a NAT router, which is nature's perfect firewall.

0:39:15 - Leo Laporte
And I still block IP addresses from Russia and China on my Ubiquiti. And there's also, I mean, I actually run quite a bit of security software. There's times I can't use sites because it's being blocked. For some reason I can't go to Taylor Lorenz's newsletter because it's being blocked, and it's annoying. You can't prove a negative, you'll never know what attacks you thwarted.

0:39:38 - Steve Gibson
But you can say toward the end of your days well, I've never got hacked.

0:39:44 - Leo Laporte
Didn't get bit Yep I never have.

0:39:44 - Steve Gibson
I've never got hacked, Didn't get bit.

0:39:45 - Leo Laporte
Yep, I never have, as far as I know.

0:39:47 - Steve Gibson
As far as.

0:39:48 - Leo Laporte
I know, that's a big one. Yeah. All right. I'm sorry, I didn't mean to interrupt, but these are interesting questions.

0:39:56 - Steve Gibson
It's good to flesh this out. I mean, and I think you make a very good point, I have said I don't want that job at Microsoft, in the same way that I wouldn't want to be in charge of security for Sony Entertainment, as I said years and years ago. Right, because it's impossible to secure that.

0:40:15 - Leo Laporte
As you have said, the hackers... You only have to make one mistake. They can make as many mistakes as they want. You only have to make one to be compromised, right? Not right.

0:40:28 - Steve Gibson
Every single thing that you do has to be secure, perfect, because they only need one route in. What a world. It's fascinating. Let's take a break, oh, and then we're going to talk about, uh, this odd thing Microsoft's decided to do of forcing everyone to get the new version of Outlook.

0:40:47 - Leo Laporte
This is the new thing. Did you know that Instagram has made every Instagram user follow JD Vance, the new vice president? You're automatically following him. You're not kidding? No, there's this new compulsion thing that's happening. That worries me a lot, because we forget, but really, these guys who run all of these apps have a lot of control, and they can do things that maybe you wouldn't want them to do. Anyway, okay, although I think it's fun to follow JD.

0:41:23 - Steve Gibson
He's an interesting fellow.

0:41:28 - Leo Laporte
My, uh, my ex texted me. She said, I unfollowed him and it got followed again. It's like, hi. Yeah, yeah, yeah. Our show today brought to you by a company you should be following, you should know about, a company I love, Bitwarden.

Look, uh, if you listen to the show, you use a password manager, right? If you don't, I have to question your commitment. Like what? Are you writing them on Post-it notes, or do you use this? This is the worst thing that people do. I did it for years. I didn't know any better. Use the same password everywhere, right? Easy to remember that monkey one, two, three works everywhere. No, you need a password manager. Now, I'm going to assume that you use one. So if you are using one that's not Bitwarden, I want to explain to you why you might want to look at Bitwarden, especially for your business. But also remember Bitwarden is free because it's open source, free forever, unlimited passwords, unlimited devices for individuals. And so if you've got family members, and I know you do, who think, oh yeah, my password is completely secure, it's my birth date, my dog's name and my mother's maiden name, no one would guess that, if they're doing that, tell them about Bitwarden, the trusted leader, and not just passwords, but secrets and passkey management. I, all my passkeys are in Bitwarden, which is nice because then I don't have to run and get my phone. It's everywhere I am.

Now let's talk about business, because in today's digital landscape, protecting your organization, if you listen to the show you know, is more critical than ever. Bitwarden has stepped up to the challenge. They've got some great features now, brand new, designed to simplify and fortify your business password management strategy. For instance, they've expanded their Teams plan with robust, now, Steve, it's SCIM, S-C-I-M, System for Cross-Domain Identity Management, I think it's SCIM, it's a way of provisioning your users, which means if you're an MSP and you have many users, or any business, you can streamline access control with these. We were just talking about access control.

By integrating seamlessly with leading IdPs like Azure Active Directory, Okta, OneLogin, JumpCloud and on and on and on, Bitwarden delivers enterprise-level security capabilities that work for businesses of all sizes, and it's just integrated in, so it makes it very easy for you to implement and use. But that's not all. Bitwarden has also redesigned its password manager browser extension. For those of you who use it, you probably noticed. I think it's beautiful. It creates a more intuitive and efficient password management experience. The new extension features a modern interface, faster navigation, clearer organization, smoother workflows.

Give it a try. At first it's like, oh, this is different, but as soon as I kind of got it, man, I love it. It makes it easier for individuals and businesses to manage passwords across platforms. Look, this is what sets Bitwarden apart. It's not just about security, it's about simplicity. Bitwarden's setup takes only a few minutes.

It's very easy to move to Bitwarden, to move your entire enterprise. They support importing from most password management solutions and, as I say over and over, they are GPL open source. That means every bit of their code you can inspect, and they are regularly audited by third-party experts. And they do something a lot of companies don't do. Not only do they do the audit, they publish the audit results in full, so you can assure yourself it's secure, doing what you expect. I think your business deserves a cost-effective solution for enhanced online security. I hope you do too.

Get started today with Bitwarden's free trial of a Teams or Enterprise plan. And again, if you want to move to Bitwarden, or you have family members who are still putting them on Post-it notes, get started for free, forever, across all devices if you're an individual user: bitwarden.com/twit. And if you're a sophisticated individual user and you follow Steve's "trust no one," you'll be glad to know Bitwarden lets you host your own vault. And because it's open source, there are some very good third-party open source servers that you can run. One's written in Rust. It's really good. bitwarden.com/twit. This is the way to go, absolutely, and we thank them so much for supporting Security Now. You support us too when you go to bitwarden.com/twit. All right, Steve.

Let's see what Microsoft is imposing on us now.

0:45:44 - Steve Gibson
Yes, before we leave the topic of Microsoft.

I want to give a heads up to our listeners about the forthcoming so-called new Outlook for Windows. The first I saw of this was a piece of news that said Microsoft will force install a new Outlook email client on both Windows 10 and Windows 11 on February 11th and January 28th respectively. That news blurb then posted a quote which read: Currently, there is no way to block the new Outlook from being installed. If you prefer not to have new Outlook show up on your organization's devices, you can remove it after it's installed as part of the update. So I did a bit of poking around and, of course, that revealed that the sharp folks over at Bleeping Computer were on top of this. Under their similar headline, Microsoft to force install (which I guess is now a term of art) new Outlook on Windows 10 PCs in February, they wrote: Microsoft will force install the new Outlook email client on Windows 10 systems starting with next month's security update. The announcement was made in a new message added to the company's Microsoft 365 admin center, tagged MC976059, and it applies to Microsoft 365 apps users. As Redmond explains, the new Outlook app will be installed on Windows 10 devices for users who deploy the optional January 28th update and force installed for all who install the February 11th security update, meaning next February's Patch Tuesday. The new Outlook client will run alongside the classic Outlook app and will not modify configurations or user defaults. Microsoft added that there's no way to block it from being installed on Windows 10 devices. However, those who don't want it can remove it afterward, although actually it's a little trickier than that, because it'll reinstall it. Well, we'll get there in a second. So they said, Microsoft wrote, quote: New Outlook exists as an installed app on the device. For instance, it can be found in the apps section of the Start menu. It does not replace existing classic Outlook or change any configurations/user defaults.
Both classic Outlook and new Outlook for Windows can run side by side. Currently there's no way to block. This is Microsoft. Currently there's no way to block the new Outlook from being installed. If you prefer not to have new Outlook show up on your organization's devices, you can remove it after it's installed as part of the update.

Then they said, the Bleeping Computer said, the company added in a support document updated on Thursday, that's last Thursday. So Bleeping Computer said, to remove the new Outlook app package after it's force installed on your Windows device, you can use the, and then they show a PowerShell cmdlet, the Remove-AppxProvisionedPackage cmdlet with the PackageName parameter value Microsoft.OutlookForWindows. They said this can be done by running the following command from a Windows PowerShell prompt and adding a new reg value, and I've got this in the show notes for anyone who's interested, although you can easily find it from bleepingcomputer.com. Next, they said, add a REG_SZ registry setting named BlockedOobeUpdaters with a value of MS_Outlook.

Then they said, after removing the Outlook package, Windows updates will not reinstall the new Outlook client. Otherwise, like, every month it would be reinstalling it. They said the first preview version of the new Outlook for Windows was introduced in May of 2022. Okay, so this doesn't seem to me like the end of the world. But, you know, I know our listeners. Some may object to having Microsoft force install a new and presumably unwanted Outlook client onto their machines. One would argue whether a Windows 10 or 11 machine could be considered theirs, but we'll leave that for another time.

0:50:31 - Leo Laporte
Well, yeah, and Mail has always been installed automatically, right? Yeah, yeah, that's a good point. Outlook Express and all that.

0:50:37 - Steve Gibson
Yeah, you know. So it's sort of there. So this new client is apparently based upon the web version. It's essentially, from what I could gather looking through the Microsoft pages, a port of the web client to a native Windows app. As such, it does not support Outlook's traditional and problematic PST file format, and it also does not support any COM, you know, Component Object Model, integration with Outlook. I also noticed that Microsoft says that, unlike traditional Outlook for Windows, the new Outlook offers limited, they said limited, support for third-party email services such as Gmail, Yahoo and so forth. So if you've got, you know, your Outlook or an Outlook pulling from multiple other providers, you'll want to, you know, if you are wanting to switch to the new one, you'll want to make sure that it can, because Microsoft appears to be moving away from that. Okay, all that said, complete segue here. I want to take this opportunity to mention that I recently switched away from Mozilla's Thunderbird as my email client to something that I am...

0:51:59 - Leo Laporte
You weren't using Eudora.

0:52:01 - Steve Gibson
No, but that's, you know. Thank you, Leo. For years and years you did use Eudora. No, okay, I'm just teasing you. Before being driven to Thunderbird, my original true blue email client had always been Qualcomm's Eudora. I do still use it.

In fact, my tech support guy, Greg, is still using Eudora. Wow. Works fine. Life was good. I didn't care when Qualcomm support for Eudora ended, because Eudora worked for me perfectly. But over time, as other email clients' behavior changed, cracks began forming. Email started coming in to me with high ASCII or Unicode, weird, like capital A's with umlauts in them.

0:52:54 - Leo Laporte
Uh, added to space characters, and for about a year or so spelled Viagra. Yes, well, it wasn't me spelling it, it was people sending me email.

0:53:06 - Steve Gibson
So for a year or so I manually edited them out of every reply that I was quoting, until, I don't know, a couple of years ago I finally decided to switch to Thunderbird. I tried The Bat for a while and that never really took hold. But I then used Thunderbird for several years and, truth be told, I've never really been happy with it. I'm very finicky about the appearance of my outbound email, you know, the email that I author, and even when I'm quoting somebody. You know, I'm... Pretty much everything that I produce I care about. Our listeners know that well.

And Thunderbird's handling of fonts and formatting, the indentation of email threads and the signatures it appends to email never made sense to me. It was trying to handle formatting details, but it made things mysterious and deliberately uneditable. It's like oh, don't worry about it, we'll take care of this for you. I wasn't allowed to fix these things when they didn't look the way I wanted them to, because Thunderbird's formatting was not only erroneous but it was automatic. It apparently believed that it knew better than I did about how things should be. Maybe for some users who just don't care, great, take care of this for me, but it bugged me.

So finally, about two weeks ago, something drove me to seek another email client. As I mentioned, I already had an old copy of The Bat around, so I tried to resurrect that, but it didn't seem to be any kind of an improvement, so I went... Oh, and I want to also mention that Thunderbird really started acting up after I added the whole new GRC email system, because incoming email from our listeners has been quite successful. I've never mentioned that I have, I think it's 4484 pieces of email from our listeners.

So, uh, that really seemed to, like, Thunderbird kind of got lost somewhere. It would just stop showing me new ones. I'd have to, like, give it a kick and shut it down and restart it or, you know, shake it three times. I mean, it just wasn't working. So, anyway, I went, I spent some time two weeks ago cruising around the various top 10 best email client lineups until I stumbled upon one I had never heard of before, named eM Client. And life is good once more.

0:55:51 - Leo Laporte
I'll have to try this.

0:55:52 - Steve Gibson
It's a little difficult, and there's one for the Mac.

0:55:56 - Leo Laporte
I've been using Pegasus on Windows, which I like, and if you like what you've got...

0:56:01 - Steve Gibson
I'm not going to try to convince you otherwise. It's a little difficult for me to explain exactly why. It's a personal thing, it makes a huge difference to me and, yes, it is a personal taste, personal choice thing. But I can say that after setting it up as an IMAP client and allowing it to synchronize with GRC's email server, I almost immediately felt that I had a handle on my email. It found back and forth email from long ago and knitted them into threads. It allows me to mark things in various names and colored tags and to then view all of my emails and tags as folders, which are now dynamic. I can see all my inboxes consolidated into a single view. It doesn't do any mysterious, unwanted and wrong things with nesting of replies, you know. And since my needs are not necessarily aligned with everyone else's, I'll briefly share a broader view from Wikipedia.

Wikipedia's eM Client page says: eM Client has a range of features for handling email, including advanced rules management, mass mail, delayed send or a built-in translator for incoming and outgoing messages. It supports signatures, quick text and tagging and categorization for easy searching, and snooze email functions are available, as well as direct cloud attachments from cloud services like Dropbox, Google Drive, OneDrive, ownCloud or Nextcloud. eM Client also provides a lookup service for GnuPG public keys, their eM Keybook, in order to more easily send encrypted communications via email and generally simplify PGP encryption in email communication. eM Client supports all major email platforms, including Exchange, Gmail, Google Workspace, Office 365, iCloud and any POP3, SMTP, IMAP or CalDAV server. Automatic setup works for Gmail, Exchange, Office 365, Outlook, iCloud or other major email services. Following the shutdown of IncrediMail, an auto-import option was added to transfer data from this platform to eM Client. Since version 8.2, eM Client supports online meetings via Zoom, Microsoft Teams and Google Meet.

eM Client allows extensive appearance customization. eM Client 10, released in 2024, also provides AI features for composing messages and replies, inbox categories and quick actions which allow users to create their own macros. So I need, like, just give me IMAP please, I mean, but I need, like, four accounts to help me organize things. Okay. So here's my complaint. My only complaint is that the free version will only handle a single email account and, as I said, I need at least four. And that would be okay if I could purchase a paid version once, but it's rentalware. Yeah, it's a subscription only, available for $40 per year. I rent no other software of any kind, and that's something I actively fight against, so this is the first time I have ever capitulated. But come on, at $3.33 per month, it's not expensive, allowing installation on three machines.

The experience of using this client continues to impress me, and if paying something is what's required to keep this stunning creation alive and maintained, then I'd rather do that than not have any access to it at all. I didn't realize really how unhappy I had been with Thunderbird until I began using eM Client. It's like a continuous happy breeze that washes over me whenever I look at it. Mobile editions are available at no charge, and I can't vouch for anything about it other than their Windows edition, which is all I've used. But, as I said, macOS, iOS and Android are all there. They claim to be in use in over a hundred thousand businesses and have 2.5 million users. Ooh, it has PGP built in.

1:00:54 - Leo Laporte
Yes, it has PGP built in.

1:00:56 - Steve Gibson
And also GnuPG key management is also built in.

1:01:02 - Leo Laporte
Oh, I'm down Now. I'm interested, yeah, yeah.

1:01:06 - Steve Gibson
So for anyone who might be seeking a similar improvement to a major aspect of their lives, eM Client is available for download. You can get it feature complete for 30 days in trial mode. I've been tweaking it here and there, like removing displayed columns that I don't need, and I could not be happier. Oh, it's also possible to export all of the tweaks and preference settings you make into an XML file and then import them into another instance of eM Client on a different machine, so that you're able to keep cloning all of the improvements that you make as you tune and tweak it.

Along the way, I've been moving back and forth among machines, so I've been able, as I said, to keep the instances looking and operating the same. Anyway, so I just wanted to pass this along. In case any of our listeners might be wishing for something better, this could be it. It's www.emclient.com, and I can't give you a comprehensive review because I haven't done all these other things with it, but my sense is, as you said at the beginning, Leo, everyone's needs and tastes are so different that no one else's opinion would or should matter other than as a pointer. So I'm just giving everybody a pointer. As I said, I just need multiple IMAP accounts and a consolidated inbox. It's nice to be able to tag things for follow-up and then be able to look at them all as if they were a folder. That's cool. It threads beautifully.

1:02:53 - Leo Laporte
Does it show your GRC Ruby logo?

1:02:56 - Steve Gibson
It does, but I might be getting it from a favicon, because it beautifully pulls favicons from everybody.

1:03:03 - Leo Laporte
Yeah, I noticed that's what it's using. Yeah, yeah, yeah. I just installed it. Very easy, very straightforward. Yeah, I will play with it.

1:03:11 - Steve Gibson
Yeah, yeah, it's interesting, it's very interesting. Yeah, so anyway, I don't know why, but it just, and it could be subtle things, like just the way it sorts or filters or something, but I'm really happy, so I just wanted to share my happiness.

1:03:30 - Leo Laporte
It has to fit your kind of gestalt.

1:03:34 - Steve Gibson
Yeah, yeah, it does.

1:03:36 - Leo Laporte
Interesting, I'll be playing with it.

1:03:40 - Steve Gibson
A listener who is apparently listening, or maybe he just read the show notes. He said: Hi Steve, I've been using eM Client for two years now on the home PC and have been happy with it. Back then I bought a license with only a one-time upfront cost.

1:03:56 - Leo Laporte
Oh, had I known. I think they still do. Maybe not. No, somebody in the... no, they don't offer that. He said, I added lifetime upgrades to that for another one-time fee. So, boy.

1:04:06 - Steve Gibson
Had I known, I would have done that. He says, I see that the company charges monthly/yearly now, but they still have a lifetime upgrade purchase option as well. Lifetime upgrades.

1:04:19 - Leo Laporte
I see it right here for eM Client.

1:04:22 - Steve Gibson
He says, I bet you can pay once and have the software from now on. It doesn't make sense for them to charge $90?

1:04:29 - Leo Laporte
What?

1:04:31 - Steve Gibson
Ah, interesting. So, I mean, that's interesting. I wonder how many systems you're limited to, if that's all of your personally owned systems, because, based on what I've seen... Again, Leo, I have a philosophical problem with this whole mode of renting software, paying by the month or by the year. It just annoys me. I just want to own it so that it's mine.

1:05:03 - Leo Laporte
Yeah, I know what you feel, but I think these days, developers are saying look, we're going to keep developing it, we're going to keep working on it, that one-time fee is going to work for us. Yes, exactly, and as I said.

1:05:13 - Steve Gibson
So first of all, thank you. Whoever you are, he signed AC, so I don't know. But thanks for that. I'm glad to know that. I will look into that, because I mean. I'm so happy with this thing. I would do that if it would solve my problems.

1:05:33 - Leo Laporte
Good, thank you for the recommendation. You can see, Leo...

1:05:36 - Steve Gibson
But to the point of paying, if that's what it takes to create a revenue stream, to keep it like compatible with everything and up to date, and so forth, and it's like okay. Yeah, I guess, though I would prefer the old school option of here's the next version you bought 10. Here's what 11 does. Do you want these things Right? And so it's up to them to entice me to move forward for an upgrade fee.

1:06:04 - Leo Laporte
I prefer that as well.

1:06:05 - Steve Gibson
Offer yearly upgrades or whatever, yeah, yeah, and you know me, I like to offer them every two decades. So wait, no, wait, wait, I made it free, didn't I?

1:06:15 - Leo Laporte
after 20 years, so that didn't quite work out either. You're crazy. You're a crazy man.

1:06:22 - Steve Gibson
Okay, we're at an hour. Let's take another break, and we're going to talk about GoDaddy and then move forward.

1:06:27 - Leo Laporte
I want to talk about one of my favorite sponsors, because we were talking about Zero Trust, and this is a company that makes Zero Trust very affordable, very easy to implement. I'm talking about ThreatLocker. It is a way to harden your security and never have to worry about zero-day exploits or supply chain attacks again. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high, and I think they're doing a little side-eye to those companies using that other security software. The airline that was brought down for a week? JetBlue didn't have those problems, because they used ThreatLocker. How does it work? Well, imagine taking a proactive, and these are the three key words, deny by default, deny by default, approach to cybersecurity. That means, by default, you block every action, every process, every user, unless explicitly authorized by your team. That's basically the premise of zero trust. Just because somebody's in the network doesn't mean you should trust them. ThreatLocker not only makes this easy to do, they also are great for compliance and security. They provide a full audit of every action, so that helps you with risk management, you know, because you know who was using what when. It also helps you with compliance. You've got that audit trail. Their 24-7 US-based support team is fantastic. They will help you get on board and beyond. They have made...

I think this is the company that has made zero trust easy for everyone. You could stop the exploitation of trusted applications within your organization, keep your business secure, protected from ransomware. Organizations in any industry, of any size, because it's very affordable, can benefit from ThreatLocker's ring fencing, because you're isolating critical and trusted applications from unintended uses or weaponization. You're limiting attackers' lateral movement within the network. Just because they're in doesn't mean they can do anything. Oh, and ThreatLocker works for Macs too. So your whole network. Get unprecedented visibility and control of your cybersecurity quickly, easily, cost-effectively, with ThreatLocker's zero-trust endpoint protection platform.

You want to know more? How about a 30-day trial? You'll see how easy it is to onboard. 30 days free. See how ThreatLocker can help mitigate unknown threats, zero-day stuff you never even heard about, and ensure compliance at the same time. ThreatLocker.com. That's ThreatLocker.com.

By the way, we're getting close to Zero Trust World, their big conference. For a limited time, if you go to zerotrustworld.threatlocker.com, use our code, it's ZTW for Zero Trust World, ZTWTWIT25. 200 bucks off registration for Zero Trust World 2025. By the way, you get access to everything: all sessions, hands-on hacking labs. It even includes meals and an after party.

It is a great event. I wish I could go. We're tied up, and I really want to go. Jonathan Bennett from the Untitled Linux Show is going. The most interactive hands-on cybersecurity learning event of the year, coming up February 19th through the 21st. Bring the family, because it's at the Caribe Royale in Orlando, Florida, so they can go out and have a great time in Orlando while you're learning the latest in security. And if you do register, do us a favor, say, do yourself a favor, you're going to save 200 bucks, but also it helps us, because they'll know you saw it here. Use the code ZTWTWIT25. ThreatLocker: security starts and finishes at the endpoint, and there's no better way to do it than Zero Trust. ThreatLocker.com. And if you want to know more about ZT World, Zero Trust World, go to zerotrustworld.threatlocker.com. And that special code again, ZTW for Zero Trust World, TWIT25, all one word. Thank you, ThreatLocker, for a great product and for helping our fam here stay safe. God knows we need the help. On we go with the show, Mr. G.

1:10:44 - Steve Gibson
So we've previously covered the various security troubles with GoDaddy's web hosting services. The sense I've had is that adding web hosting was an afterthought behind their domain name services, and that that's what got them into trouble, because we haven't seen problems with the mainstream domain host or the domain name services. It's been, well, you know, we've got to add this feature because, you know, other registrars are offering hosting. The news is that the US Federal Trade Commission has decided to require GoDaddy to clean up its act. Last Wednesday, the FTC announced that GoDaddy will be required to bolster its cybersecurity program to address years-long deficiencies. The FTC stated that GoDaddy's failure to use industry-standard security measures led to what the FTC called several major security breaches, and we covered those at the time, between 2019 and 2022. The agency also alleges that GoDaddy deceived its customers about how adequately it safeguards its web hosting product. The agency said that consumers were sent to malicious websites and otherwise harmed after hackers broke into GoDaddy's customers' websites and accessed their data. The extensive information security measures which the FTC is requiring GoDaddy to adopt are similar to the reforms the agency also ordered Marriott to implement, after that hotel chain, and we talked about that, famously failed to improve its cybersecurity posture, despite being breached three times between 2014 and 2020.

In a statement explaining why the FTC had acted, Samuel Levine, director of the FTC's Bureau of Consumer Protection, said millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure their websites, and that they and their customers rely on GoDaddy, which has about five million hosting clients. Wow. GoDaddy failed to track and manage software updates, analyze threats to its shared hosting services, properly log and continuously assess cyber, they said. GoDaddy also falsely advertised that it prioritized a strong security program and complied with international frameworks requiring companies take reasonable measures to protect personal data. Consequently, the proposed settlement order bars GoDaddy from exaggerating its security practices, orders it to design a comprehensive (whatever that means) information security program, and directs it to retain an outside company to assess its enhanced cybersecurity program when it launches and every two years thereafter. So, okay, it's interesting that the reporting about this referred to the infamous Marriott Hotels. Remember the Starwood group breach incident? What we recall from that is that Marriott acquired the independent Starwood group, whose network security was a lackluster afterthought, if you can call it that, you know, like way out of date. They didn't bother to update, and there were, like, known, well-known problems, but Marriott, the acquirer, never took the time to thoroughly vet what they were purchasing, and that lack of oversight over their purchase came back to bite them. Now,

GoDaddy's past is similar, inasmuch as it has grown into the behemoth it is today, it's the number one registrar, through a long series of mergers and acquisitions, buying up and consolidating independent Internet registrars. And I recall also that their web hosting business was the result of one or more similar acquisitions, so, much like Marriott, they purchased something that needed work and were then bitten when their name became tied to that new acquisition's poor security. I'm sure there's a lesson here for any large organization that purchases any other high-tech entity and just sort of decides they want to bring it under their wing, and probably promises, like, oh, don't worry, we're going to allow you to maintain your autonomy, we're not going to get all in there and micromanage you. Okay, but the purchase negotiation should include a very thorough and deep, independent, third-party review of that soon-to-be-acquired company's security practices. For one thing, the enforcement of true security can be expensive, right? I mean, it's one of the reasons it's not done. Not only is it annoying, but it costs something. That means that an entity's true bottom-line profit may be inflated due to a lack of sufficient security. It's making lots of money because it's hoping nothing bad happens. Since any missing security practices would need to be added afterward, a better purchase price might be negotiated once its lack of security had become apparent, and in any event, the buyer will have a better idea about the potential liability that might come along as part of the package if they don't do something about that beforehand. So again, consider the security, you enterprise people out there, of anything that you might be acquiring and hope that you can just leave alone. They probably want to be left alone, but you need to decide if you could afford to do that.

I saw a news item that indicated that the US Supreme Court appeared to be poised to support the enforcement of age restriction for adult content websites. The determination being made was whether more than one-third of the site's content contained adult-oriented material. That would be the determination of, is this an adult content website? And if so, any such websites would be forced to affirmatively verify any visitor's age before they would be able to view that site's content. And, you know, how do we get there from here? It's not clear. We don't have a widespread system in place that prioritizes privacy, and what occurs to me is, especially for those adults who want privacy about the sites they visit, being forced to disclose their identity, that's going to be a problem for them. Anyway, since we did just discuss this issue last week, I decided that it was worth mentioning again, because I ran across some other news from across the pond about what's to transpire in the United Kingdom, and since the verification of age is, I think, clearly a sticky wicket here, I decided to share the news from the UK.

The publication, the security site the Record, reported the following last Thursday. So we've got six months. Verify that all of their users are adults or potentially face being blocked by the country's Internet service providers. The Record said Ofcom has set out a range of methods that it considers highly effective for checking users' ages, including photo ID matching and checks on credit cards, which you must be 18 to own in Britain. Other age-checking methods could be acceptable, said Ofcom, but they must, quote, be technically accurate, robust, reliable and fair, in order to be considered highly effective per the definition in the legislation. Specifically, the regulator has stated that the self-declaration of age and online payments using a debit card, which do not require a person to be 18, would not be considered effective and could put people at risk of new cybercrimes.

Citing research published with the Electronic Frontier Foundation, the age verification measures are part of Britain's controversial Online Safety Act, which passed back in 2023 and aims to force technology companies to address a range of online harms. Businesses that fail to comply could face a range of enforcement actions, from being fined up to 18 million pounds, which is currently 22.3 million US dollars, or 10% of their global revenue, having their websites blocked by British ISPs, or even facing criminal prosecution. For their part, Ofcom's chief executive, Melanie Dawes, said, quote: For too long, many online services which allow porn and other harmful material have ignored the fact that children are accessing their services. Either they don't ask or, when they do, the checks are minimal and easy to avoid. Yeah, like I talked about last week, the "yes, I'm 18" button. She said that means companies have effectively been treating all users as if they're adults, leaving children potentially exposed to pornography and other types of harmful content. She said, as age checks start to roll out in the coming months, adults will start to notice a difference in how they access certain online services. Services which host their own pornography must start to introduce age checks immediately, while other user-to-user services, including social media, which allow pornography and certain other types of content harmful to children, will have to follow suit by July at the latest.

Baker again, of the Open Rights Group, said there needs to be a specific and enforceable guarantee that age verification systems will be private, safe and secure. The new plan missed this vital step, so places people at risk of data leaks and having their sexual interests exposed to blackmailers and scammers. Wow. So I would say it's very safe to conclude that the handwriting is on the wall here. You know, like it or not, both the US and the UK are going to be seeing some sort of true age verification, more than just pressing the button that claims your age, which I guess has just been there to technically let the sites off the hook, saying, well, this visitor said they were 18, so it's on them, not on us.

Effective network security of any given organization. It could hardly be any easier for regulators to determine for themselves whether a given website is effectively verifying the ages of its visitors. Just go there from any anonymous IP and see what happens. So I don't know, Leo, you know. Will it be a third-party entity that produces an age verification service? Will Apple and Google get in?

1:24:28 - Leo Laporte
I, you know, it's just not clear. Yeah, there are AI-based kind of face recognition technologies. Paris wrote a story on The Information about Yoti, Y-O-T-I. But what you really don't want is for me to have to offer my driver's license to the porn site, or go into a pub. This is something Britain proposed a few years ago: go into a pub to verify my age by showing my driver's license and getting a certificate from the pub. It's a huge privacy concern. I think probably the best way to do it would be a third party. If you could trust the third party, maybe a pub isn't such a bad idea, or a government office, where they see it, they look at it, they sign a paper that says yes, you're over 16, you're over 18, and leave it at that. This is all, by the way, unaddressed by any of these regulations.

1:25:17 - Steve Gibson
Right. All they're saying is we want this you must do this.

And, yeah, I saw something that was interesting and the idea would be that a phone or a computer would have a verified age and identity with photos of you, required in real time, to do essentially a selfie for that app, so that it would be seeing your animated real-time photo, be able to compare it to the photos it has on record of you internally and say yes, that's you, and then itself have an API that a site could verify in order to say you know, I mean, and that's the thing, the kind of thing that Apple could offer if they were willing to get into this game.

1:26:11 - Leo Laporte
This is what both Meta and Google and everybody have said, is that, you know, Meta says we don't want to do this, X says we don't want to do this. The phone should do it, because the phone has enough information. You can, I mean in many states (I can in California), put your driver's license in your phone and use that for age identity without really revealing any other information. So they're saying Apple should be responsible.

Apple, on the other hand, does not want to be responsible. And I don't blame them. This isn't their problem. No, and of course it does.

1:26:44 - Steve Gibson
Then it means that anybody who doesn't have the requisite phone is then disadvantaged, even though they may otherwise qualify. I mean, this is a real mess. I started out talking about how the cyber world is fundamentally different from the real world. That is, what, you know, when, if you were 10 and tried to walk into a strip club...

1:27:10 - Leo Laporte
You know your age is off. The real world, the bouncer is going to say, get out of here. Exactly, yeah.

1:27:16 - Steve Gibson
But on the internet, no one knows how old you are. I mean, it's a fundamental, and we've been ignoring it up until now. Literally, we have been completely just saying, oh well, you know, it's somebody else's problem.

1:27:32 - Leo Laporte
I think you could make the case that the people who are proposing this really don't want it to work. They want porn to be banned. That's their real goal, and so in that case it's kind of disingenuous of them.

1:27:49 - Steve Gibson
And we have real First Amendment problems in the United States. Well, they can't do that.

1:27:53 - Leo Laporte
So they have to do this kind of backdoor system. You know, it's going to be an interesting few years, but again, as I said, I think that hackers are going to be the freedom fighters, and that the people who know how to get around these things, how to use the internet without giving up your privacy, are going to be the ones who come out on top. So start studying.

1:28:21 - Steve Gibson
If I were in high school, Leo, I could make some money on the side. I tell you, it's like that first scene in The Matrix where Neo is selling some contraband digital thing.

1:28:33 - Leo Laporte
Right, you know, or Mr. Robot. Those people are, those are the ones, and you could be that one. If you're listening to this show, you have the knowledge to become that person. Start thinking about your OPSEC and start considering these companies and the federal government as perhaps an adversary, and think of ways you can keep them out of your cheese. That's kind of what I think, but I'm old, I don't need to worry about it, so I'm going to leave that for you.

1:29:03 - Steve Gibson
Young folks. I got nothing to hide. Any AI that takes a look at us, Leo is going to go, whoa, I'm sending every word. Is there a heartbeat? Is there a heartbeat?

1:29:13 - Leo Laporte
Every word in the house, this show, everything, to an unknown AI. I don't even know what it is or where the server is or anything. Yeah, we know, you gave up a long time ago. I give up, and there's benefits, by the way, to that as well: lower blood pressure, until they come knocking on your door. Your blood pressure goes down. It's like, yeah, okay, and say, Mr. Laporte, come with us. Oh, and then my blood pressure might go back up.

1:29:38 - Steve Gibson
Okay. So, reinforcing the point I made about never relying upon any single manufacturer's public-facing remote access authentication, the security of the Fortinet security appliance, a major mainstream device, has once again been found wanting. In a posting on the Arctic Wolf security firm's website titled Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls, they listed four key takeaways. First, Arctic Wolf observed a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. Everyone heard that right: with management interfaces exposed to the public internet. What could possibly go wrong? Number two, the campaign involved unauthorized administrative logons (imagine that) on management interfaces (imagine that) of firewalls, creation of new accounts, SSL VPN authentication through those accounts and various other configuration changes. Third, while the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable, and I should note, since they posted this, it has been confirmed. And fourth, organizations should urgently disable firewall management access on public interfaces as soon as possible. Once again, that final point: organizations should urgently disable firewall management access on public interfaces as soon as possible. Organizations should never have had it turned on in the first place. Again, you cannot count on any single vendor's authentication. Layer your security. Put a layer in front of anything that requires authentication. Always.

CISA and multiple cybersecurity firms warned of a zero-day vulnerability in FortiGate firewalls that hackers are actively exploiting. CISA ordered all federal civilian agencies to patch the vulnerability by today, January 21st, making it one of the shortest deadlines CISA had ever issued. And Fortinet said in an advisory that the bug is being exploited in the wild, but did not say how many customers had been impacted. The company said threat actors attacking organizations with the vulnerability are creating administrative privileged accounts on targeted devices and changing settings related to firewall policies. In other words, reading between the lines, we know that they're creating accounts and enabling SSL VPN so that they can then march right back in and get onto the internal firewall, or the internal network behind the firewall. So patching as soon as possible is the responsibility of the owner of the device, but again, this was being exploited before any problem was known and before any patches were available. Secure remote access to a device such as this is entirely possible, but it should never rely solely upon the manufacturer's account logon protections. Always add your own independent layer of authentication. And that seems to be the unintended theme of today's podcast, because we're seeing so many instances where people are being hurt by not doing that. So do it.

Okay, so what's up with DJI lifting firmware-enforced drone geofencing? I posed the introduction of this next surprising bit of news as a question, so I'll follow up with: and is it really? But, like, it is, so why? I was put onto this by a short Risky Business news item: impending ban in the US, Chinese drone maker DJI has removed firmware restrictions preventing its drones from entering no-fly zones. So I thought, whoa, if true, I didn't see that coming, and that's no way to smoke the peace pipe with authorities in the US. The Risky Business news then provided a screenshot of a posting by Matthew Stoller on Bluesky Social, which read: Matt posted, Chinese drone maker DJI, the world's biggest drone producer, is disabling geofencing in the US. You can now fly your drone over airports, military bases, prisons, infrastructure, wildfires and the White House, if you want. This is a gloves-off move by China. He finished and then provided a link to the Viewpoints blog at DJI. Okay, so Viewpoints bills itself as the official DJI blog and it's at dji.com. I've got a link in the show notes for anyone who's interested. So last week's DJI blog, this was early in the week, is titled DJI Updates GEO System (that's all caps, G-E-O) in US Consumer and Enterprise Drones.

The update follows changes in Europe in 2024 and aligns with FAA Remote ID objectives. DJI has announced updates to its geofencing system, GEO, which applies to most of its consumer and enterprise drone products in the United States. These changes will take effect starting from January 13th on both the DJI Fly and DJI Pilot flight apps. This update follows similar changes implemented in the European Union last year. With this update, DJI geofencing data sets are replaced to display official FAA data. Areas previously defined as restricted zones, also known as no-fly zones, will be displayed as enhanced warning zones, aligning with the FAA's designated areas. In these zones, in-app alerts will notify operators flying near FAA-designated controlled airspace, placing control in the hands of the drone operators, in line with regulatory principles of the operator bearing final responsibility. Okay, so they're saying the same thing, but in a gentler way. They said, to update, operators need to connect their flight app to the internet and click update on the Fly Safe pop-up notification. When DJI, and this is them, what they're saying:

When DJI first introduced the GEO system in 2013, so 12 years ago, consumer drones were still a relatively novel technology and formal drone flight rules and regulations were sparse. The geofencing system was created as a voluntary built-in safety feature to help foster responsible flight practices and prevent DJI drone operators from unintentionally flying into restricted airspace, such as around government buildings, airports or prisons. For many years, DJI has led the drone industry in safety, making several unprecedented commitments (which apparently they're backing off) to integrating advanced safety systems into its drones, including: first to install altitude limits and GPS-based geofencing to guide drone pilots away from unsafe locations; first to deploy autonomous return-to-home technology if drones lose connection to their controllers or have critical low batteries; first to integrate sensors for nearby obstacles and approaching aircraft; first to operate remote identification technology to help authorities identify and monitor airborne drones. Since then, they wrote, global regulations and user awareness have evolved significantly, with a greater focus on geo-awareness and remote ID solutions, which makes detection and enforcement much easier.

National aviation authorities, including the European Aviation Safety Authority in the EU, the UK Civil Aviation Authority and the FAA in the US, have established comprehensive geographical zones for unmanned aircraft systems and enforced drone regulations. This GEO update has been active in the UK and several EU countries since January 2024. Okay, so, over the past year, starting with European countries that have implemented geographical maps compliant with existing technical standards, such as Belgium, Germany and France. In June it expanded to Estonia, Finland and Luxembourg. The remaining EU countries under EASA jurisdiction will also receive the update this month. DJI reminds pilots to always ensure flights are conducted safely and in accordance with all local laws and regulations. For flights conducted in enhanced warning zones (the new term), drone operators must obtain airspace authorization directly from the FAA and consult the FAA's No Drone Zone resource for further information.

Okay, now, while this posting from early last week is far less inflammatory than the middle finger reference I first encountered, you know, it does say the same thing, which is, it's going to be the responsibility of the drone operators, not the firmware and the technology, to enforce the so-called, you know, enhanced warning zones. So, in other words, operators will be notified, but the updated firmware will no longer prevent a DJI drone from flying right into and across what was previously designated as a no-fly zone. Okay, apparently, variations of this middle finger reference were widely picked up and circulated, and this prompted DJI to release a second blog posting later last week, on Thursday. The second blog posting was titled DJI's GEO System Is an Education, Not Enforcement, Tool. It attempted to clarify DJI's position, and data sets in most of our consumer enterprise drone products in the United States will be replaced with official FAA data. We first introduced the GEO system in 2013, at a time when consumer drones were still, and they repeat that paragraph in the first posting, they said.

However, some concerning reactions circulating online are either categorically false or seek to politicize this update, given the current geopolitical climate. In the first Get the Facts article of the year, we want to take this opportunity to dispute the information and set the record straight. OK, fact one, they say: politics does not drive safety decisions at DJI. For over a decade, DJI has led the drone industry in safety, making several unprecedented commitments and investments to integrate advanced safety systems into our drones, often ahead of regulatory requirements and without being prompted by competitors. To suggest that this update is linked to the current political environment in the US is not only false but also dangerous. Politicizing safety serves no one. We encourage discussions and comments to remain focused on technological facts and evidence to understand the true reasons behind this update. Read on.

Fact two: aviation regulators around the world, including the FAA, have advanced the principle of operator responsibility. This GEO update aligns with and respects this principle. Similar updates to the GEO system began in the EU last year with no evidence of increased risk. We had planned to roll this update out in the US months ago, but delayed the implementation to ensure the update worked properly. To add, over a decade has passed since DJI introduced the GEO system, and regulators have not chosen to mandate geofencing, instead opting for solutions like remote ID, which requires drones to broadcast the equivalent of a license plate, LAANC, automated drone flight approvals in controlled airspace near airports, and community-based training.

Fact three: the GEO system has always been an educational, not an enforcement, tool. The GEO system has also not been removed. Well, okay. Well, warning zones and in-app alerts remain in place to continue educating pilots on safe flight operations. In other words, it's making them aware, but it's their choice. This change gives back control, they write, to operators and provides them the information they need to fly safely. DJI remains committed to promoting safe and responsible flight practices and will continue its community education efforts, reminding pilots to always ensure their flights are conducted safely and in accordance with all local laws and regulations.

And finally, fact four: in addition to aligning with the FAA's operator-responsibility-led principles, the update to enhanced warning zones provides two operator benefits. First, reduced operational delays for pilots. The previous no-fly zones often placed an unnecessary burden on operators. While a user could receive instantaneous approval through LAANC to fly, they were still required to submit an application to DJI and wait for manual review and an unlocking license. In other words, it was enforced. This process could result in missed opportunities, delayed operations or unnecessary wait times. This was especially challenging for commercial operators, drone businesses and, most critically, public safety agencies performing life-saving work, where delays are simply unacceptable.

And second, improved consistency with official FAA data. Previously, the global geofencing system relied on ICAO Annex 14 configurations for airspace around airports, which did not always align with official FAA data. This mismatch caused confusion among operators, unsure about where it was safe to fly. By displaying official FAA data, this update ensures operators can view airspace as the FAA intends, clearly understanding where they can and cannot fly, or, I should say, should or should not fly. And they finished: We hope this explanation clarifies the real reasons behind the updates to the GEO system, an opportunity to align with regulatory principles, empower customers with greater control and provide them with accurate official information to confidently operate their drones within safe and permitted airspace.

And I guess, to me, an interesting aspect is that they've deliberately taken themselves out of the loop and removed responsibility for creating exceptions to their policies, which is interesting, especially given who knows what's going to happen with them in the US and legislation. So.

But, you know, when all is said and done, it's clear that their firmware will no longer be taking responsibility for flatly refusing to allow someone to fly somewhere that it believes they shouldn't have been levied at DJI over the possible use of their high-quality camera-equipped drones for unwanted surveillance. It's not a stretch to imagine the conspiracy theories that this would have triggered. And given the United States' current political climate with China, which is certainly a thing, I have no idea what's really going on here. If nothing else, it would appear to be an inopportune time for DJI to remove its historically firmware-enforced no-fly system, which would seem like a good thing for them to have if they're saying, you know, we have no intention of allowing our drones to be misused for eavesdropping. Anyway, I thought it was interesting and I wanted our listeners to know that this had happened. Yeah, it's very strange.

1:48:48 - Leo Laporte
It's like, if you want to get banned faster, do that. Exactly. Allow your drones to fly over prisons and military bases. And, well, Super Bowl's coming up, and remember, I mean, in the fires in LA, that a drone punched a hole in one of the...

1:49:04 - Steve Gibson
There were only two. They called them Super Scoopers, which scoop up water. One was grounded because a drone punched a three-by-six hole in the leading edge of its wing.

1:49:16 - Leo Laporte
And dollars to donuts it was a DJI. I mean, that's what everybody uses.

1:49:20 - Steve Gibson
Actually, I saw the FBI photo of the debris. It says DJ, the, on a chunk of gray plastic. Irresponsible to turn off the geofencing.

1:49:31 - Leo Laporte
You know, I have a DJI. I love my DJI. It's the best drone. That's what everybody uses, that is, you know, if you're a professional photographer. I mean, I guess we should trust everybody that they're not going to do bad things. And Leo, have you noticed how movies now? Okay, the drone shots, all the time. All the time. It's really nice to be able to offer that, much smoother than a helicopter shot. They basically replaced the helicopters, and at much lower cost for movie producers. Yeah, getting all sorts of interesting shots everywhere now. Yeah, and I immediately go...

I go, Lisa and I are watching, I go, drone.

1:50:07 - Steve Gibson
Yep Drone. I say the same thing to Lori. While we're watching a movie it's like, oh, we wouldn't have that were it not for inexpensive drones.

1:50:15 - Leo Laporte
Yeah yeah, not just movies, tv shows everywhere, yeah, okay.

1:50:18 - Steve Gibson
We're at an hour forty. Okay, so, a break time. Then we're going to look at the huge improvement that CISA has driven in vulnerability remediation. It's an astonishing graph we have here in the show notes.

1:50:32 - Leo Laporte
All right, I will cue it up, but meanwhile I want to talk to you about our sponsor, Veeam. I think everybody running a business should know about Veeam. I would hope by now, we've been talking about them for some time. You know about V-E-E-A-M. Your data in your business is everything, right? Without your data, your customer's trust turns to digital dust. That's why you need to get data resilient. With Veeam's data protection and, these are very important two words you're going to want, ransomware recovery, ensures that you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens.

I don't, I, it baffles me, because, you know, and I've even asked this on the show, Steve, with you: you hear about all these breaches and people paying millions of dollars to bad guys because their stuff got ransomware. And I just, the first thing I always say is, didn't they have backups? I mean, it's not as easy as just, you know, you and I backing up to a thumb drive, but, well, if they had Veeam, they wouldn't have to worry. It's the number one global market leader in data resilience. That's the term you need to know. Veeam, I mean, this should tell you something: Veeam is trusted by over 77% of the Fortune 500. More than three quarters of the Fortune 500 keep their businesses running when digital disruptions like ransomware strike. That's because Veeam lets you back up and recover data instantly, and it does it across the entire cloud ecosystem.

And that's one of the problems: your data's in a lot of places, right? But Veeam, you know, Veeam knows, Veeam handles it. Plus, with Veeam, you might not even get bit in the first place, because it proactively detects malicious activity, and it does something that, even if you didn't have Veeam, you should be doing, but I bet you're not: automates your recovery plans and policies. You have a recovery plan and policy, right? Right? I think, I don't know, I think a lot of companies, it's just like, it's not going to happen to us. It's not going to happen to us. No, you got to plan. Plus, if you do get bit, you'll get real-time support from ransomware recovery experts.

Look, you know this: data is the lifeblood of your business, and not just data, but reputationally, getting hit by ransomware is bad. So get data resilient with Veeam. Go to veeam.com to learn more, V-E-E-A-M.com, to learn more. It seems like this should be just, like, obvious, like a no-brainer. Veeam, three quarters of the Fortune 500, that should tell you something. veeam.com. Thank you, Veeam, for supporting Security Now. And if they ask, I don't know if they will, but if they say, where'd you hear this? You tell them Security Now. Right, all right.

1:53:21 - Steve Gibson
Okay, Steve. So in its recently published Cybersecurity Performance Goals Adoption Report, and I'm sure that's kind of an abbreviation, CISA said that the number of critical infrastructure organizations enrolled in its vulnerability scanning service (remember we talked about that, they were going to be doing proactive vulnerability scanning from the Internet to detect problems early) doubled over a two-year period, reaching now 7,791 organizations at the end of August of 2024. CISA added 1,200 vulnerabilities to its Known Exploited Vulnerabilities catalog through the same period, and during the two-year period of analysis, critical infrastructure organizations enrolled in CISA's vulnerability scanning service reduced their average remediation times from 60 days to 30 days. So cut it in half, and cut a month off of what it had been. I have a chart in the show notes showing the average remediation time over the past two years, from the middle of 2022 to the middle of 2024. And it's very clear. It shows federal, international, private and SLTT showing a clear downward trend in remediation times, and, of course...

1:54:53 - Leo Laporte
That's good right. Oh yeah, yeah, yeah, yes, okay, yes.

1:54:56 - Steve Gibson
So that's, yeah, faster remediation. Yeah, it looks like it's almost like a third of what it was before overall. So followers of this podcast know firsthand that this is not a simple feat to pull off. It's especially true for any sort of large and lumbering bureaucratic organization to bring its remediation time down like that. But this is truly looking like a significant change in the security posture and active vulnerability reduction which we know that we need. We talk about the work that CISA is doing more and more frequently because they're doing so many things surprisingly right. They really are having a huge effect by raising the awareness of cybersecurity as a crucial consideration for any and every organization. I would say, Leo, over the past, I don't know, five years or so, we've really seen the notion of cybersecurity, you know, get on the map. Ransomware certainly helped, you know, seeing the true effect of being a victim. Nobody wants that for their organization.

But, you know it really, it's clearly happened now. So, anyway, we've come a long way, certainly during the 20 years of this podcast.

1:56:24 - Leo Laporte
Yeah, you deserve some credit. I think you've been fighting the good fight every week.

1:56:28 - Steve Gibson
Well, you know, just taking a clear, sober look at the news, we end up coming up with a bunch of conclusions that history keeps affirming for us. A bit of closing the loop. Listener Earl Rod, he said: other stats on six-digit numbers that I feel feed our psychological tendency to see patterns where there are none. He said, remembering that only 151,200 of the million have all six digits unique. Okay, so we've got a million potential, obviously 000000 to 999999. So a million potential six-digit numbers. Of those, only 151,000 and a few more have all six digits unique. 157,600 have at least three of the same digit. That's more than have six unique digits, meaning it is more common to have three of the same digit occurring out of only six. There's only six. So there are more instances of a digit repeated three times than all of them being unique. So that's significant. 395,200 out of the million have four or fewer unique digits, and 409,510 have at least two consecutive digits the same. So I think really there just aren't that many possibilities in a six-digit number. You know, and also, in thinking about this again, we've talked about that famous birthday paradox a lot, right? Given randomly distributed birthdays occurring throughout the year of 365 days, we are surprised by how small a group of people is needed to get a better than 50% chance of there being any two people having the same birthday, a birthday collision. When you think about it, the same thing is happening with our six-digit authenticator codes. Here we have six digits and only 10 possibilities for each one of those six digit places. I think the same sort of counterintuitive experience occurs, where the likelihood of inter-digit collisions is actually much higher than our intuition would predict.

You know, as with the surprising birthday paradox, every digit has a collision possibility with every other one, and there aren't that many possibilities for each digit.

I received a great piece of feedback from someone who's in the field, trying to do the right thing. This is important because Microsoft, as I said earlier, for all practical purposes, owns the enterprise world. This listener's feedback contains a bunch of Microsoft jargon that will mean something to our enterprise listeners. For everyone else, these details are not important, because everyone will be able to understand the fundamental dilemma that our enterprises face. So he said Hi, Steve, I would like to remain anonymous. I'm 24 years old and have been a listener since around episode 900. I work as an IT systems admin for a local government in North Carolina. One of my responsibilities is managing security for our city's police department.

We are required to comply with the FBI's CJIS, that's Criminal Justice Information Services, security policy, which is updated regularly. I've included a link to the policy below. It's 451 pages long and all law enforcement agencies must adhere to it and pass periodic audits. Okay, so to interrupt here for a second, all that sounds like the right thing so far.

This clearly sets a high bar that's onerous to meet. But we know from everything we've seen that unless this level of specification and its enforcement by audit are applied, you know, the "everything appears to be working, so let's not break it" rule will be taken by default. Now everyone has too much work to do and no one wants to go looking for trouble. And while first achieving compliance might well be a heavy lift, once things have been tightened up to meet the audited requirements, remaining compliant should only require a much more modest effort going forward. Okay, anyway, our listener continues. He says one requirement in the policy, found on page 97, requirement number 20, is especially challenging. Surprisingly, that is: all secrets must be hashed and salted.

2:02:24 - Leo Laporte
That's nice to hear that's good.

2:02:26 - Steve Gibson
But, Leo, that it's challenging.

2:02:28 - Leo Laporte
Yeah, well.

2:02:29 - Steve Gibson
Okay. He says we might wonder why that would be challenging, right? After all, hashing, and this is to your point, Leo, hashing and salting stored secrets such as passwords has been standard operating procedure for a very long time. I didn't find the earliest reference to salting hashes in our transcripts. That is, there are many of them. That's the problem. I had more than 10 pages of search results of salt, so I'm assuming we're not talking about recipes. I found a reference from 2012 where you and I were talking about it as if it was something that everyone knew, right, so 12 years ago.

Yeah, of course, salt, and I imagine we were talking about it from the start. But I was curious, for the sake of this discussion, how old the idea of salting a hash for storing secrets was. So I asked the o1 mini model of ChatGPT the following question.

2:03:35 - Leo Laporte
You're finding a lot of use in these. Oh, I love this thing, yes.

2:03:39 - Steve Gibson
There are some things it's very good at. I asked it, what's the earliest appearance of the recommendation that stored passwords should both be hashed and salted for secure storage? And I received the following reply. The use of both hashing and salting to store passwords has its roots in the late 1970s, primarily driven by the practical implementations in early operating systems and evolving security best practices. This thing's amazing. It wrote, Unix version 7, 1979. One of the earliest and most influential implementations of salted password hashing was introduced with Unix version 7 in 1979. This version of Unix featured the crypt function, which incorporated a 12-bit salt alongside the hashing process.

2:04:43 - Leo Laporte
Before you go too much farther, do you want to quickly tell us what salting and hashing is?

2:04:47 - Steve Gibson
Oh, okay, can you do it quickly? Yeah, yeah. Okay. The idea is that we would always use a standard hash function like SHA-1 that we were talking about with the time-based one-time passwords, and so the idea is, rather than just saving a password, a service would hash the password so that if their database was breached, the passwords themselves, in the clear, like the thing that the user provided, would not be stolen. All that any bad guy could get would be the hash. The problem is that a bad guy could then run through a bunch of common passwords, hash them in order to determine their hashes and then look for any matches of the hashes with the stored password. So the idea was to add what was technically termed salt. That's like sprinkling some salt on it. The idea is you would take another value, and it doesn't even matter, and actually it would be non-encrypted. I was going to say it doesn't matter if it's not a secret... longer directly represent what the user password was, in order to break simple hash matching problems. And that's why even here in Unix version 7, 12 bits, which is 4,096 possible combinations, 12 bits is enough. It doesn't need to be cryptographically strong salt. It's something thrown in to further scramble the hash so that, because you're always using the same... Okay, back to ChatGPT's response. It gave me a purpose for salting which I skipped here in the show notes. I just wrote down, skipping over o1's completely correct explanation of the purpose of salting. It then added, under evolution in security practices, it said following the implementation in Unix, the practice of salting hashed passwords became a cornerstone in password security. Early 1980s, security literature and guidelines began to formally recommend the use of salts in conjunction with hashing to protect stored passwords.
And in subsequent decades, again decades, as computing power increased and new attack vectors emerged, the methods for hashing, e.g. transitioning from DES-based hashing to more secure algorithms like bcrypt, scrypt and Argon2, and salting became more sophisticated, further strengthening password storage mechanisms. And then it ended with key takeaway. While the precise first recommendation in academic or security policy literature might be harder to pinpoint, the practical implementation of hashing with salting in Unix version 7 in 1979 marks the earliest prominent appearance of this security practice. This implementation set a standard that has been built upon and refined in subsequent years to enhance the security of stored passwords. Okay, I could not have phrased any of that any better. Thank you, and now we have a marker.

Yeah, this brings us back to our listener, who quoted page 97 of the security requirements his IT systems were required to offer. Quote, all secrets must be hashed and salted, unquote, which he said was especially challenging. He continued, quote, this is our listener, quote: Like many small to medium-sized cities, we operate on a tight budget and are often behind on adopting the latest technologies. We still rely on Active Directory, which syncs with Microsoft Entra (formerly Azure AD) via Microsoft Entra Connect for managing Office 365 products and Exchange Online. However, he wrote, Active Directory does not salt user password hashes.

2:09:48 - Leo Laporte
Of course not, jeez.

2:09:53 - Steve Gibson
By the way, this is not computationally difficult.

2:09:56 - Leo Laporte
It is well known. There's no reason not to do that.

2:10:00 - Steve Gibson
There is none, Leo, it's just obscene at this point. He says, however, Active Directory does not salt user password hashes and it seems Microsoft has no plans to implement this feature. And he's correct. Wow. Active Directory is still using older LAN Manager or NT LAN Manager user passwords, which have never incorporated salt and are insecure, yet they are still in use. So what are people supposed to do? Our listener continues writing, From my research, Microsoft's suggested solution is to migrate entirely to the cloud, no kidding, with Entra ID (Azure AD), eliminating the need for on-premise domain controllers and moving all authentication to the cloud.

Here's where we run into two major issues. He writes, Limited features in GCC. GCC is the abbreviation for government community compliance, which is one of the packages that Microsoft offers to governments. He says we're on the GCC tenant of Microsoft 365, which lacks many features available to regular enterprise customers. I recall you mentioning the federal government's frustration with Microsoft. Local governments face similar challenges. Information about feature differences between Enterprise, GCC and GCC High is not easily accessible, especially from Microsoft. We tested a full migration to Entra ID with Intune for device management, but Intune in GCC is noticeably less functional than in the enterprise environment. Many settings and options are grayed out, often with messages indicating that our tenant didn't contain the correct license. And there are the high costs. He says Fully migrating to the cloud is expensive, with steep annual fees.

2:12:37 - Leo Laporte
It would require us. Yeah, of course, that's why Microsoft is not updating SMB. They want you to go to the Azure.

2:12:44 - Steve Gibson
Yeah, uh-huh, yeah. He says it would require us to upgrade every user's license from Office 365 to Microsoft 365. Given the lack of features in GCC, it's hard to justify the additional cost. So my question is, for IT environments that still rely on on-premise Active Directory, what solutions are available to salt password hashes in Active Directory? Thanks for your insight and I appreciate all the work you do. Great question. Unfortunately, this is where the expression "caught between a rock and a hard place" comes in.

I'm not an expert on Microsoft's enterprise offerings, for which I will be eternally grateful, but I poked around and nowhere could I find any solution for specifically adding salt to Active Directory passwords. There are all manner of enhanced security and authentication features, such as Kerberos, but even there, Kerberos authentication uses the unsalted password stored by Active Directory. ... grounds, I so strongly dislike the idea of these blanket security requirements driving organizations into Microsoft's cloud services, where they will be even more at Microsoft's mercy than they are today and then have even less recourse when Microsoft raises their rental rates. The only thing I can suggest is that an appeal be made proactively to the auditor that they're beholden to, to explain the situation and ask what solutions other government organizations may have found.

Has this single requirement driven everyone else into the cloud, or is there a wink and a nod that allows this one requirement to be quietly ignored? Because I see no way around it. There is no way to add this to Active Directory. You know Microsoft has moved on. They've moved to the cloud, and if you're holding on to actually owning your own hardware and keeping your costs low and leaving things as they are, well, you're going to need an exception because your passwords, believe it or not, have never been salted.

2:15:24 - Leo Laporte
I will ask Richard tomorrow, because he knows a lot about this stuff. He might have an idea, but I think you're probably right. This is just Microsoft's way of pushing you into the cloud.

2:15:35 - Steve Gibson
Wow. Dean Wheaton said Hi, Steve, I have a suggestion for the podcast. I'm a longtime listener, not quite back to the beginning, but something like 16 years. I'm a member of Club Twit and I do enjoy the respite from advertising. However, I would like to know which advertisers support the show and maybe take advantage of special offers, for instance for a VPN provider. Would Leo consider inserting a short "This podcast is supported by blank, which offers 15% off using promo code blank," or whatever short announcement is appropriate, pointing the listener to the show notes, which might have full details, in place of each advertisement, instead of cutting out the advertisement audio? Best regards, Dean in Maryland. Now to Dean, I say I sometimes found myself in a similar situation. So I discovered some time ago that Twit maintains an easy to find sponsors page at twit.tv/sponsors.

2:16:44 - Leo Laporte
And this is up to date. If somebody doesn't buy ads, we take them right off of it. So if they're on here, they are currently supporters.

2:16:51 - Steve Gibson
Yep, you can also just go to twit.tv and it's in the menu at the top, toward the right end of the page, and the entries there include the special discount sponsor codes and their URLs, so anyone can at any time check that out. And that way you'll also get information about Twit sponsors other than those that may only be a sponsor on this podcast. Yeah, all these companies probably show up on Security Now once in a while.

2:17:22 - Leo Laporte
The only reason they wouldn't be, honestly, is because we're sold out and there's no room for them. There's no room. Everybody wants to be on your show, I have to tell you. So they all deserve your patronage because they all support Security Now. If they could get on, they would be on.

2:17:39 - Steve Gibson
But you don't want. And as you scroll through that list on the screen, Leo, I recognize them all from your reads here during the podcast. Yeah, 1Password, Bitwarden, Cachefly.

2:17:48 - Leo Laporte
Yep, 1Password and Bitwarden were on today. Coda, DeleteMe, ExpressVPN. That's the VPN.

2:17:54 - Steve Gibson
we recommend. NetSuite, I think, was on. ThreatLocker was also on today. ThreatLocker was just on, Vanta was just on, Thinkst Canary off and on, and Veeam was also on.

2:18:05 - Leo Laporte
So, yeah, I think that the people who pay for no ads might not want to have those little short announcements.

2:18:15 - Steve Gibson
So we're just going to. Anyway, it's easy to find for anybody who wants them.

2:18:22 - Leo Laporte
You know, just twit.tv and it has sponsors up in the upper right. If you click those links, that takes you to the offer, the best offer, the current offer.

2:18:26 - Steve Gibson
So I have a piece of errata to share, because my mistake was picked up by several of our listeners who essentially asked variations of "what do you mean, Syncthing hardly ever updates?" This feedback is from our listener, Brendan Koop, who offered some interesting additional information. Brendan wrote I'm catching up on last week's show and I was surprised to hear you say that Syncthing is rarely updated. I rarely use Windows and love Notepad++, but agree that at times it seems to update just to increase the version number. I think the developer sends political messages with some updates, which is their right. I've been a Syncthing user from way back when BitTorrent Sync went from being a useful free application to a mess with lots of restrictions.

2:19:16 - Leo Laporte
And they sold to Resilio. That's when I moved to Syncthing as well. Yep.

2:19:20 - Steve Gibson
He said, I stumbled onto Syncthing and I've never looked back. I have Syncthing running on more than 25 devices, including various Android phones and tablets. I have half a dozen backup servers running on Odroid HC2 and HC4 devices running Linux at various locations. It functions as a live backup system that syncs as files are changing. Most of the time there's a local server that should sync quickly while the off-site servers can catch up, even if I shut down the source device before the remote servers are synced up. I can also turn on my laptop when I use it, and before long it matches my desktop computers. Not sure what I would do without Syncthing.

2:20:12 - Leo Laporte
It's become my backup strategy entirely. It's just incredible.

2:20:16 - Steve Gibson
He said one thing I've not heard you talk about is self-hosting the relay and discovery servers. Oh, interesting. He said I've been doing that since day one and have it running at five or six locations. I never rely on the public servers that Syncthing provides. And he says TNO. TNO.

He said when I first started using Syncthing it was very early in the development and it was a little rough around the edges. As I recall, it used to update more than monthly and possibly more than weekly at times. A while back they switched to a monthly update cycle and it seems to update at the beginning of the month most months. What made your comment about how rarely they updated it stand out, especially this month, is that they issued two updates shortly after the initial monthly update, which is unusual. In other words, I got it exactly wrong. He said you picked the worst month in the past couple of years to say they rarely update the software, since this is the first time in more than two years they've done it more than twice in one month.

He said I've attached the update log I have on one of my backup servers. Luckily it updates automatically and all of my Linux devices send me an email with my update log when they update. He said this month's updates included updates to the relay and discovery servers, which doesn't happen often. I had to update them three times this month instead of the normal zero times. And so, yes, we have a... I won't even try to read it or go through it, but, yeah, many, many, many updates which somehow I missed. So I certainly stand corrected. I'm obviously not seeing those update notices for whatever reason, and perhaps I did happen to see one specifically because there were so many of them last month and so that caught my attention. In any event, I'm happy to have that corrected and it's interesting to hear about Brendan's success running his own relay and discovery servers.

2:22:39 - Leo Laporte
Yeah, I do that.

2:22:40 - Steve Gibson
I've considered doing that, but my particular application, because I've got fixed IPs, allows me to create direct point-to-point links between remote Syncthing instances. I took the trouble to do that, which I've been very happy with, after noticing that the use of the communal relaying was dramatically slowing down the resyncing process. In other words, Syncthing has become super popular, as you'd expect. Although you can often knit between NAT routers and get a direct point-to-point connection, as we talked about in the early days of the podcast, using a rendezvous server in order to help two Syncthing instances, both behind NAT, still establish a point-to-point link, nevertheless there are still plenty of cases where that won't happen. So a relay server is needed, where both instances go out to the relay server in order to have their traffic relayed, and that becomes more popular. And of course this is just a...

I don't know who is nice enough to host these relay servers, but they're getting bogged down. So that was slowing down my syncing to a point where it became intolerable. So I went to the effort of establishing point-to-point links. But I could see the feasibility of running a rendezvous server, a relay and a rendezvous server myself for Syncthing because, like Brendan, it really is a terrific service. Yeah, and it would just be for you, right?

2:24:31 - Leo Laporte
I would just use it for my internal, in the network, which means it'd be right as Brendan is.

2:24:34 - Steve Gibson
Brendan is in TNO mode, so he has pointed his Syncthing instances to the IP of his own relay server, right. And so you can run public ones.

2:24:47 - Leo Laporte
That's interesting, but I presume you can also run private ones.

2:24:51 - Steve Gibson
Right, that's interesting.

2:24:52 - Leo Laporte
Yeah, right, so that's what's going on is that there are people all over the world running public relays.

2:24:59 - Steve Gibson
And thank you all you people, thank you, yeah, yeah.

2:25:02 - Leo Laporte
I had no idea Wow.

2:25:04 - Steve Gibson
Unfortunately.

2:25:04 - Leo Laporte
I'm sure it's fragmented, so nobody gets the whole file or anything. Yes, yeah, yes. Oh no, it's all.

2:25:12 - Steve Gibson
Oh, Leo, it's all super encrypted. It is absolutely end-to-end encrypted. So all they're relaying is opaque data that they have absolutely no access to.

2:25:23 - Leo Laporte
Yeah, I mean, we wouldn't be telling you how much I use it otherwise. And it's on GitHub, the relay server, so you could easily install it. I bet you there's a, I would hope there's a Synology package, because that would make it very much easier for me to just have it running on Synology. Yeah, oh, very interesting.

2:25:44 - Steve Gibson
Okay, we are at our final break before we attack TOTP.

2:25:52 - Leo Laporte
Let's go after, let's see. I mean, we talk about brute forcing a lot.

2:26:06 - Steve Gibson
I think this is going to be a very... here, that when the question of "is it strong enough" came up, I thought, ooh, let's answer that question. Yeah, okay.

2:26:18 - Leo Laporte
So this week we have another example of an instance... Wait a minute. Before you start, I do want to just say a little bit about Club Twit, do you mind? No, of course not. Just a little. I get to drink my coffee. Drink your coffee while I beg.

I recaffeinate. I'm going to do some begging, if you don't mind. If you listen to this show and you get value out of this show, if you listen to every one of our shows and get value out of any of our shows, and I hope you do, because that's why we do it, we really are doing these because we want you to hear and learn and use the stuff we talk about, whether it's security on this show or Macs on MacBreak Weekly, or Windows Weekly. We're rebranding This Week in Google to Intelligent Machines this week because, I agree with you, Steve, that's the most exciting new thing happening in the world and it's starting to happen very fast. In fact, today, OpenAI, Oracle and some other companies announced a joint venture with massive investment, $100 billion now, half a trillion in the next few years, along with SoftBank, to create, get this, the Stargate project, to make a giant AI, to secure American leadership in AI.

If you want to know when Skynet started, I would say today would be my guess. Anyway, this is stuff you need to know about. This is stuff we cover, and we do it with, and you know this if you listen to Steve, without fear or favor. We're honest. We give you the straight information. We're not hyping stuff. We're giving you the honest information. So maybe without favor.

2:28:02 - Steve Gibson
I'm not sure about fear.

2:28:03 - Leo Laporte
Yeah, we might be scared.

That's right. We could be scared, but no, nobody's afraid here because we're doing God's work. But you could help us because, unfortunately, it doesn't pay for itself. Yes, we have ads and we are very grateful to our advertisers, but we don't have enough ads to pay the entire bill, and we've cut. By the way, don't think we haven't. We closed the studio. Lisa gave me the good news we're going to be out of that lease. So that's really good news. That saves us money. You know, I'm working out of my house now. We're doing everything we can to cut costs, but the best way for us to go forward, I think, is the way I always wanted to go forward, which is to be a listener-supported network, to the degree that you feel like you get something out of this.

Is it worth $7 a month to you? Is it worth a latte or two a month? I'd like to invite you to join Club Twit. Now, we do give you benefits. Go to twit.tv/clubtwit: ad-free versions of all of the shows, access to the Club Twit Discord, which is

I think that this is a great social network, with smart, interesting people who have lots to say not just about the shows, but all kinds of topics. We also do a lot of club-only events. Thank you, iridescent Ox, proud Club Twit member. I love these guys, I really do. It's not just about the shows, it's about anything people are interested in having to do with tech. There's food, everything's in here. So you also get those special shows.

We've got Micah's Crafting Corner coming up and just a little bit of our photo time with Chris Marquardt. I'm going to schedule another coffee show with Mark Prince, the coffee geek, and, of course, Stacey's Book Club. We have settled on a much more interesting book, thank goodness. Join the club, please, I beg of you. We're not PBS, we're just us. We're just your buddies doing what we do, trying to keep you up to date and keep ourselves up to date on what's happening in the world of tech. twit.tv/clubtwit. We would love to have you in the club. That's all. Just a little plug, little club plug. Now, Steve Arino, let us talk about brute forcing T-O-T-P. That's exciting.

2:30:30 - Steve Gibson
This week we have another example of an instance where a piece of listener feedback I started replying to kept expanding until it had acquired a life of its own. I love it. And I realized that our listeners would probably enjoy another journey and thought experiment in a direction this podcast has never taken us, bizarrely, I mean, except in broad strokes. Following from last week's podcast topic of HOTP and TOTP, this week we're going to take a detailed look at the task of attacking and cracking a key for the authenticators we all use. We're going to answer the question of whether the 80-bit keys that most sites give authenticators to use are long enough to contain sufficient entropy. And if, by any chance, you tend to skip podcasts from time to time so that you missed last week's main HOTP and TOTP topic, I would strongly suggest that you pause here to first listen to that one, since I need to assume that everyone here is now aware of what happened last week. So this all started with an interesting piece of feedback from our listener, Lachlan Hunt. Lachlan wrote Hi, Steve, I enjoyed your review of HOTP and TOTP algorithms in episode 1008 and wanted to share some of my own observations. I agree that the algorithms are designed to be very easy. I had previously implemented it as a hobby project and the whole HOTP algorithm can be done in around 10 lines of code. It's a fun coding challenge and I used it to brute force the next year's worth of codes and see when interesting numbers will appear. See the screenshot showing my 1Password two-factor authentication token equaling 000000. And sure enough, he took a picture of his phone. He had presumably set the calendar and clock forward, knowing when it was going to happen, having done this reverse engineering of his own code, and then watched it happen and took a picture. So very cool.
He said the widespread use of QR codes for setting up TOTP is not actually defined by either RFC and instead seems to have originated with Google Authenticator and copied by all other implementers.

It encodes the secrets as base32 strings. Now, okay, so base32 means an alphabet of 32. So he says where each character represents five bits, because two to the fifth is 32. He says I had a look at the secrets for some of my own accounts to see how long the secrets were. Many sites had secrets with 16 characters, which is only 80 bits, right? 16 times 5: 16 characters, 32 combinations per character, 5 bits per character. So 80 bits, he says. On the other hand, the longest secret I saw was a full 256 bits, which seems extreme, he said. However, the HOTP RFC actually requires that the secret key be a minimum of 128 bits, with a recommendation to use 160 bits. The ones below 128 bits are technically not compliant. And that's Google, by the way. So he said, Finally, I thought it was a nice coincidence that there are a million possible six-digit codes and there are a little bit over a million 30-second intervals in a year.

2:34:54 - Leo Laporte
So it won't repeat for a year? Well, it will.

2:34:57 - Steve Gibson
I mean it repeats, right? Yeah, actually it does not repeat because it just keeps on going. So you'll get a different set in the second year, but you will probably see them in a different order the next year. That's fine, and not necessarily, because you could see the same one five times in one year and not see any for 10 years. I mean, that's the nature of true pseudo-random.

2:35:26 - Leo Laporte
Yes, yes, Okay.

2:35:28 - Steve Gibson
So the HOTP recommendation of a 160-bit secret key input to the SHA-1 HMAC makes some sense since, as we saw last week, SHA-1 produces a 160-bit hash. So that's also the output size of HOTP's HMAC, so there's some symmetry there. But the way the HMAC works, and obviously from what we've just said, and I didn't talk about it last week, the key length can be anything you want, because you're just mixing it in, very much like you're salting a password hash. You're just throwing the secret into the HMAC and SHA hashing it all together. So it can be whatever length that you want. But Lachlan observed that many sites were using secrets having 16 characters which expanded to only 80 bits, and Google, you know, chief among them. How should we feel about that? Using a key having only 80 bits for this application provides, okay, and I'm going to read the number, the number 1,208,925,819,614,629,174,706,176 unique keys. That's roughly 1.2 million, million, million, million possible keys. So we've got four sets of six zeros following the 1.2. Okay, which brings us to the question of whether this is a sufficient number.

To address that question, we need to remember that when judging relative security, everything is about the application in which the various security components will be used. So what's the security model of an HOTP-based TOTP authenticator? The purpose of time-based authentication is the generation of a completely unpredictable code generated within any 30-second window. Using an authenticator whose specific key is hidden among more than 1.2 million million million million possible wrong keys would appear to meet that requirement, but one of the key concepts in security is that of a security margin. So how much security margin do 80-bit time-based authentication keys provide?

To answer that question, we need to examine the system and design an optimal attack to determine a key. Given the proven high quality of SHA-1 for pseudo-random bit generation, which is then wrapped by the HMAC algorithm, the only known attack on authentication would be brute force guessing of different input keys, which would then be used to generate a specific six-digit authentication code output at a specific time. So let's say that we knew our targeted authenticator's output at a given time, so we know the time and the six-digit code produced at that time. Given the solid design of the authentication algorithm, which is essentially an extremely well-designed, cryptographically strong hash function with some ad hoc post-hash processing, the only strategy available to us is simple brute force guessing. That is, we can only go forward through that function. We cannot go backward. There's no way to go back, especially from a six-digit code, to go back and somehow miraculously get an 80-bit key. The information is obviously not available in a six-digit code to somehow magically get an 80-bit key. So we can only go forward, over and over and over. Okay, so let's say that we knew our targeted authenticator's output.

We start testing all 1.2 million million million million possible keys, one at a time, starting at zero. That's going to take a while. Each key we feed into the algorithm is combined with the timestamp for the one-time authenticator output. We know that's processed by HOTP's HMAC-SHA1 algorithm, each use of which requires two uses of SHA-1, with some XORing and bit manipulation. That's what the HMAC is. Then, as we saw last week, we perform the extraction of the four bytes from the 20, followed by the modulus one-million division to extract the remainder and arrive at our first candidate six-digit code. Being a high-quality pseudo-random six-digit code, this first candidate will have one chance in a million of matching the six-digit code we're seeking.

The probability of things happening is something that often trips people up. If the probability of something random happening is one in a million, we might tend to assume that giving that one-in-a-million thing one million opportunities to occur will fix it, or, in our case, that with one million key guesses we would probably get a collision of six-digit values. And that's true, but it's not guaranteed. Probability theory tells us that even given one million guesses of a one-in-a-million event, there's a 36.79% chance of never hitting upon the value we're seeking.

36.79%. So we're probably going to, but it's not guaranteed; 36.79% of the time we're not going to hit it. That does mean that, given 1 million guesses, there's the reverse, a 63.21% chance that we will hit it. 63.21%, better than 50-50, but it's not certain that we would. For random events it's all about probabilities, and 693,147 guesses, so nearly 700,000, would be required to hit the 50-50 point, the 50% chance of guessing. 700,000 guesses, not 500,000, not half of the 1 million; 700,000 for an even chance of a one-in-a-million guess being correct.

So at this point all we can do is keep guessing key values. Since the key was generated by a purely pseudo-random system, there's absolutely no benefit to generating trial key value guesses at random. No key-generating algorithm could be any better than any other, and being fancy about it would just take us some more time and waste some more resources. So to generate successive guesses, we're going to treat the key like a large 80-bit binary number that we simply increment, starting at zero. We'll eventually test them all.

The problem, of course, is that 80 is a lot of bits. We've already seen that there are 1.2 million million million million possible combinations of those 80 bits. So let's proceed and see what happens. We keep incrementing our key and keep producing six-digit codes until we hit upon the one that the target authenticator produced for the same timestamp. So yay, we found an 80-bit authenticator key that gives the proper six-digit output at the proper time. But that's no use to an attacker, since it's never going to be that time again and besides, they already know the proper six-digit code for that time.

The goal is to be able to generate the proper code for any time in the future. So for that, the attacker, and we in our case, since we're taking that role, need the one key that will do that. The problem is that there are 1.2 million million million million possible 80-bit keys and the only thing we've accomplished is to find the first key, counting upward from zero, that produces this one correct six-digit code. Since we know that these codes are randomly distributed throughout the entire key space, that means that there will be, on average, 1.2 million million million (okay, I've dropped one of the millions), 1.2 million million million total keys that will also produce this same six-digit code for this same timestamp. In other words, the discovery of that first matching code is very unlikely to be useful. We still need to eliminate many millions of millions of other keys. To do that, we need some more sample outputs from the target authenticator.

So we've just clearly proven one thing: there is absolutely no possible way for an attacker, unless they were to get insanely lucky, like, you know, 1.2 million million million times lucky, given a user's single six-digit code at one point in time, to reverse engineer a user's authentication key, regardless of how much time and processing power they may have.

And note that this is all symmetric crypto, which has always been safe from any threat from quantum computing. So holding out for a quantum computer to arrive isn't going to help us here. This is symmetric crypto. Quantum computing only helps with public-key things, okay. So, as I said, to usefully narrow things down, we need some more sample outputs from the target authenticator. Okay, so let's make that a given. Let's agree that our attacker is able to observe the target authenticator being used with the same key at multiple points in time. Okay, so how many points in time do we need that will allow us to achieve this? As we've seen, each point in time gives us one code in a million, and in its first use, out of the total 1.2 million million million million possible keys, this one-in-a-million matching would allow us to select one candidate key out of every million possible keys. So on average, again, because they're not perfectly distributed, they're randomly distributed, it effectively reduced the candidate key space by a factor of one million. In other words, we're able to use a six-digit code generated by the targeted authenticator to weed out a factor of a million possible keys. Or, phrased differently, each application of a different six-digit code can be used to reduce the remaining candidate key space by a factor of 1 million. Okay, so suddenly that doesn't seem so bad. An 80-bit key space gives us a total of 1.2 million million million million keys, that's four millions, and we've seen that each use of one six-digit code for a given point in time will, on average, eliminate a factor of one million wrong keys that do not produce a matching six-digit output. So that would suggest that the use of four six-digit code output samples, each reducing the total key space by a factor of one million, would bring the key space down to one or two remaining candidate keys.

Okay, so let's go back now to that first test where we were incrementing the 80-bit key and generating a test six-digit code to look for a match against the authenticator's known output. We know that we will eventually find a match, and we're just going to go linearly from zero. We're eventually going to find a match, and the probability of that happening is 50% during the first 693,147 tries, rising to 63.21% by the time we've tried the first million keys. So not quite two-thirds assurance of it happening by the time we've tried the first million, but regardless, we know it's going to happen sooner or later. So having found the first candidate key that gave us the first proper six-digit output, we know that this only reduced the possible key space by a factor of one million. So next we try this same candidate key against the second point in time to see whether we obtain the proper second six-digit code. This will still be highly unlikely, since that first test left 1.2 million million million candidate keys, only one of which is the one we're seeking. But nevertheless we check the key against the second point in time and almost certainly fail. That means that the first test found a key that produced the proper six-digit result at this point in time but not at the second reference point. So we need to keep searching; we move forward again until we find a match for the first point in time, then again check that against the second point in time.

As before, there are still so many candidate keys that will pass the first test but fail the second that it's likely to take quite a bit of time, quite a bit more searching, until we find a candidate key that passes both the first and the second tests. But we're still a long way from home, since each of these first two tests reduces the candidate key space by a factor of 1 million. Together they reduce it by a million million. But since we started out with an 80-bit key that gave us a key space of 1.2 million million million million, that means that even after finally finding a candidate key that passes the first two tests, the new key that was found is still only one among the remaining 1.2 million million that will pass both tests. So it's still exceedingly unlikely that the one we found that passed both of the first two tests is the proper key.

To test this, we of course check this latest candidate against our third authenticator sample. As we know, there's only one chance in around 1.2 million million that this first key that passed the first two tests will also pass the third. And even if it did by some miracle pass the third test, it would still be one among 1.2 million keys that would do so. So we would then need to test against a fourth authentication sample output to see whether that key, which somehow managed to pass the first, second and third tests, was the one out of 1.2 million that can also pass the fourth sample test. And since there were 1.2 times 1 million to the fourth possible keys, even this might not be the one we're looking for, and we need to remember that when we succeed in this search it all boils down to statistics. That 69.3% number which we encountered earlier comes back here, since we're essentially performing four unrelated one-in-a-million tests against random events where we need all four of them to succeed: we would need to test 6.93 times 10 to the 23rd 80-bit keys before we would reach the point of having a 50% chance. Again, we would need to test on the order of 6.93 times 10 to the 23rd 80-bit keys before we would reach the point of having a 50% chance of finding a first key that passes all four of our one-in-a-million six-digit matching tests. 6.93 times 10 to the 23rd is 57.3% of the total 80-bit key space to search, only to achieve a 50% chance of success.

One question to ask is whether there might be any shorter route for brute-forcing a solution. I've given this some thought and I cannot see one. I considered various sorts of sieve approaches, like the famous sieve of Eratosthenes, which is used to find primes, where you could apply a sieve to three or four samples to weed out. But actually that would be vastly slower than this. Testing against one test is by far the fastest solution. There just isn't a faster way to do this.

The algorithm we just examined closely is going to be the fastest: to check successive keys against a first test and then to apply successive tests only when they successively succeed. That minimizes the number of tests being performed. And we also know that we will need to test 57.3% of the total 80-bit candidate key space in order to have just a 50% chance of success, with no guarantee even then. And each test with a candidate key will require two uses of SHA-1 for the HMAC algorithm and the application of the ad hoc HOTP six-digit extraction. It's easy to say 6.93 times 10 to the 23rd, just as it's easy to be glib about 80 bits. But 6.93 times 10 to the 23rd is 693 million million billion.

2:57:24 - Leo Laporte
That's a lot.

2:57:25 - Steve Gibson
So if an attacker were able to perform, say, a million billion of these complete TOTP/HOTP candidate key tests per second, we would still be left with 693 million seconds. Now, that's if you could do a million billion per second. We would be left with 22 years, full-time, around the clock, without pausing, never stopping, and even then only obtain a 50% chance of cracking a single key of a time-based one-time password, when having a handful of that authenticator's outputs, which are necessary, and knowing exactly when each of them was generated. Now, modern hardware has become very fast, absolutely the case, but it's generally fast at performing simpler algorithms for which it's been designed, like straight SHA-256 hashing for cryptocurrency mining. The hash rates have gone insane there.

Ad hoc algorithms, especially something as wacky as HOTP, which selects the bits to be divided based upon some bits in a nibble, would be much more difficult to accelerate. So it might be, yes, that even a million billion complete tests per second would be difficult to achieve in practice. And, Leo, as we said at the top of the show, that's an advantage of a wacky ad hoc algorithm: it is more acceleration-resistant. I don't know if they did it on purpose back in 2005, but it is a consequence of their ad hoc wacky-ality. But that said, given the current performance of crypto mining and a million billion tests per second, taking only 22 years for a 50% chance of success, that's not the sort of security margin that would, or should, make anyone feel completely comfortable. It's better when realistic estimates come in at, you know, 22 million years rather than just 22 years. This really boils down to how fast the individual tests can be performed, you know, and how many of the testers you can have running at the same time.

3:00:10 - Leo Laporte
How many times? How fast can you submit a one-time code? Can you? Is there some way you can download the something so you can do it locally, or you're?

3:00:22 - Steve Gibson
Oh yeah, yeah, yeah, we're not actually asking the other end. They don't have to respond. Right, we are comparing against the code that the authenticator generated.

3:00:32 - Leo Laporte
Oh well, so you're right, this is maybe a little more doable than we'd like.

3:00:37 - Steve Gibson
Yeah, it is more doable than we'd like. You know, I'm not at all worried about sites being protected by 80-bit keys, but given what we've just learned from this exploration, I would feel more comfortable if the keying material had at least 128 bits. That's a difference of 48 bits, and that makes a huge difference in difficulty. Adding 48 bits scales the entire problem up by a factor of nearly 281,475 million times. Wow, 281,475 million times. So now we're talking many, many millions of years and we have the sort of security margin that means we never need to think about the problem again.

3:01:34 - Leo Laporte
But what about quantum computing?

3:01:37 - Steve Gibson
No, quantum computers do not help with symmetric at all, so there's no help from quantum. Given that the key length being offered is entirely transparent to any authenticator user, meaning we don't know, we just scan a QR code, we don't know, there is just no reason not to use 128 bits or more for the key. 80, it's okay, but more would be better, and 80 should definitely be considered a minimum. Very interesting. Now we have some basis for judging the security margin.

3:02:25 - Leo Laporte
Very interesting. And, of course, computation is only going to get faster, yeah, orders of magnitude faster yeah.

3:02:32 - Steve Gibson
Just those. I looked at what the hash rates are on crypto mining farms. Oh my God, they've got the, I can't, I can't pronounce the number. Quintim zillion trillion billions of hashes per second.

3:02:45 - Leo Laporte
Of course they're all dedicated, but, and this is just a second factor, you still have a password you'd have to get, and so I think it's probably adequate.

3:02:56 - Steve Gibson
But oh yeah, I guess, as I said, I'm not worried about it, but now we have a basis for judging, which we did not have before. Good, and that's why we do this.

3:03:07 - Leo Laporte
Yeah, I love it On this crazy podcast. I love it. I was told there'd be no math, but obviously I was misinformed. It's nothing but math.

3:03:16 - Steve Gibson
You were punctuating it with your giggles over my million, million, million, million, millions. That's a large number. That was good.

3:03:24 - Leo Laporte
Large number. Didn't mean to interrupt. Lachlan, thank you for stimulating this conversation. Very interesting.

3:03:31 - Steve Gibson
Actually, thanks to all of our. It was a listener-driven podcast.

3:03:33 - Leo Laporte
Yeah, all of our comments and questions today were great. Really appreciate it. We love our listeners. Thank you for watching. Thank you for listening.

Steve is at GRC.com, that's his website, Gibson Research Corporation. You can go there to get his bread and butter, which is SpinRite, the world's best mass storage recovery, maintenance and performance-enhancing utility. You have mass storage? You gotta have SpinRite. Go there, get it. Support Steve and his work. There's other free stuff there, lots of it. So it's fun to browse around.

He also has some unique versions of this show on his website, including a 16-kilobit audio version to go along with a 64-kilobit audio version, for people who don't have a lot of bandwidth or maybe they're on a limited connection. There's also transcripts, very good transcripts, and, of course, a copy of the show notes there as well. That's all at GRC.com. At our site, twit.tv/sn, we have that 64-kilobit audio. We also have video, and we have a link to the YouTube channel dedicated to Security Now, so if you want to share a clip, that is the easiest, best way to do it, and it's helpful to us because it turns other people onto the show. So, by all means, find something interesting and send it to a friend from the YouTube site. Easiest way, though: just subscribe. As they always say, go where better podcasts are hosted. Just subscribe on your favorite podcast client and you'll get it automatically, audio or video or both, the minute it is available.

We record the show on Tuesdays, you should know, right after MacBreak Weekly. I just got an email from somebody who said, why haven't you started yet? It's 1:45. It's like, this is not a TV station, okay? We're not running on a schedule. We're running as fast as we can. We try to get these on as close as possible, but what you're really doing is you're watching, kind of behind the scenes, our recording of the shows. We expect most people, in fact we know most people, will listen after the fact, and that way you can listen exactly when you want.

But if you do want to watch us live, just for the giggles, or to chat along in our chat rooms, we are streamed on eight different platforms. Club TWiT members get to watch in the Discord; YouTube and Twitch for everybody else; TikTok. Now we're back, we're on TikTok, Steve. Thank you, President Trump. We are also on Kick. We are also on X.com. Thank you, Vice President Elon Musk. We are also on LinkedIn and Facebook. Thank you, Secretary of State Mark Zuckerberg. See the whole fam, all the richest men in the world supporting our little stream. Thank you, guys. We haven't figured out how to get on Amazon yet. We can work on that. The show is, as I said, right after MacBreak Weekly, which generally works out to 1:30 to 2 PM Pacific, let's say 5 PM Eastern, 2200 UTC. So watch it live if you wish, but, of course, download it because you would, well, you want a copy of it for your records. Right, Steve? Have a great week. Thank you for everything you do.

3:06:41 - Steve Gibson
We really appreciate it, and we'll be back next week with a binary edition of the podcast, 1010, episode 1010.

3:06:52 - Leo Laporte
What is that, 10?

3:06:54 - Steve Gibson
That's 1010. Oh, that's binary.

3:06:57 - Leo Laporte
Oh yeah, binary 10, yes, 8 and 2. Thank you so much, Steve Gibson. Thank you all for joining us. We'll see you next time on Security Now. Bye.
