Security Now 1013 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

 


0:00:00 - Steve Gibson
It's time for Security Now. Steve Gibson is here. We'll talk about the US response to the UK's request that Apple stop encrypting your data. Why is everybody calling this a backdoor? Steve has got a rant. He doesn't like that word and he's looking for a better one. We'll also talk about TOAD. Did you know that TOAD stands for Telephone Oriented Attack Delivery? What's Google doing to stop that? And then we will talk a little bit about what a terrible job Google's doing managing the Chrome Web Store. When you hear this, you won't believe it. Coming up on Security Now. Podcasts you love.

0:00:45 - Leo Laporte
From people you trust, this is TWiT.

0:00:53 - Steve Gibson
This is Security Now with Steve Gibson, episode 1013, recorded Tuesday, February 18th, 2025: The Chrome Web Store Is a Mess. It's time for Security Now, the show where we cover the latest security news, privacy news, with a gentle dollop of science fiction and fun, with this guy right here, maybe a little math even, Steve Gibson from GRC.com. Hello, my friend.

0:01:22 - Leo Laporte
It's great to see you, and actually it's funny you should mention sci-fi, because we are going to swing in briefly, uh, and I'm going to update our listeners on the recommendations that I accepted from ChatGPT when I asked it for... I, as we may remember, about four or five weeks ago, said, here are the things that I've read, that I've enjoyed. What else do you

0:01:49 - Steve Gibson
recommend.

0:01:50 - Leo Laporte
And first of all, it guessed a bunch that I hadn't told it about, that I also have loved in the past, and recommended some others. Anyway, so we're going to talk about that. Now, I should explain the title of today's podcast, The Chrome Web Store Is a Mess. It's not my title, it's the title given to a jam-packed-with-information-and-experience blog posting by a very well-known Chrome and, more broadly, web extension developer who's been active for more than 20 years, believe it or not, from before this podcast began. Wow. So that was his title. And by the time we're done, rather than people saying, oh yeah, well, it's a mess, everyone is going to know why, and I contend that understanding the reason why is much more useful than just stating it as a fact. So a lot of really interesting information, which is going to leave us with some questions also about why it's a mess, because it's a bigger mess than it arguably needs to be, I mean, like, provably. So what's Google up to? Because it's not like they lack resources. Anyway, so that's our main topic for this episode, 1013.

Here we are, in the middle of February already. We're going to talk about US lawmakers responding to last week's topic or discussion point, which was the UK's outrageous demand about Apple's encryption. Also, I want to just touch on what exactly do we mean when we say backdoor? What is a backdoor? Careful. Can a backdoor not be a secret? Because I don't think so. Also, we have highlights from last week's Windows Patch Tuesday, a look at RansomHub, the latest king of the ransomware hill.

We've not taken a close look at one of these operations for a while because we kind of OD'd on it a few years ago, but there's some interesting stuff here. We also have something called TOAD, which stands for Telephone Oriented Attack Delivery, which we're going to describe. We have Texas versus DeepSeek, which is now a thing, the disabling of Apple's restricted mode, and the question, now, this is not me speaking, where did I put that $800 million in Bitcoin? My Bitcoin is not worth $800 million. But there is some guy whose is. Oh yeah, as I mentioned, we've got the sci-fi author update and then a deep dive into the misoperation of Chrome's critically important web store. Critically important web store: Chrome has 90% capture of the market, and extensions are an important part of that ecosystem. But installer beware, because we're going to really understand what's going on there by the time we're done. And, of course, one of our great pictures of the week, thanks to our terrific listeners.

0:05:29 - Steve Gibson
I only can see some peanuts at the top of the screen, so I haven't seen the whole thing yet.

0:05:34 - Leo Laporte
That would suggest that you've seen the caption I gave it: lest there be any doubt. Well, that's not exactly a giveaway. No, it's not. That was my point. That's why I said it: lest there be any doubt. And then you see a little row of peanuts. Yes, the punchline is down further.

0:05:51 - Steve Gibson
We'll scroll up together in just a moment with Security Now, but first a word from our first sponsor of the day, those great folks at Veeam. You know, when I talk about Veeam, I think, well, how could everybody not be using this? You know, we talk all the time, in fact, we're going to talk some more about ransomware, and companies, it's amazing, pay ransomware malefactors to get their data back. It always makes me think, aren't you paying attention? Aren't you backing your data up?

Turns out it's not as easy as it sounds, but without your data, your customers' trust turns to digital dust. I guess it is easy, but you have to use Veeam. Veeam data protection and ransomware recovery ensures that you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. Veeam is the number one global market leader in data resilience. That's probably why 77% of the Fortune 500, more than three quarters of the Fortune 500, trust Veeam to keep their businesses running. When digital disruptions like ransomware strike, those businesses won't be in the headlines. Veeam lets you back up and recover. You'd think this would be obvious, but it's hard to do: back up and recover your data instantly. And the reason it's hard is because your data is all over, across your entire cloud ecosystem.

Veeam actually stops ransomware before it strikes by proactively detecting malicious activity. That's a huge help, and this is really important. Again, every company should have this, but a lot don't. Veeam will help remove the guesswork by automating your recovery plans and policies. You do have a recovery plan policy, right? Plus, you get real-time support, should the worst happen, from ransomware recovery experts. I shouldn't have to say it: data is the lifeblood of your business. It's time to get data resilient with Veeam. V-E-E-A-M. Go to Veeam.com to learn more. And if you don't, I tried. I tried to save your company. I tried. Veeam.com. All right, Steve, let's scroll up together, the picture of the week.

0:08:24 - Leo Laporte
With the caption, lest there be any.

0:08:25 - Steve Gibson
The caption, lest there be any doubt. Lest there be any doubt, a well-known, uh, anti-allergy warning, I guess. Right, that's right.

0:08:36 - Leo Laporte
You definitely want to be notified if what you're eating contains peanuts, if the equipment ever processed peanuts in the past, if peanuts were being eaten by someone walking down the corridor near you.

0:08:57 - Steve Gibson
I was on an airplane where the flight attendant said, we're taking all your peanuts back. There's a kid on board who's allergic, deathly ill, so we're going to come around and collect your peanuts.

0:09:07 - Leo Laporte
So even in the air, if you're really allergic, I guess, yeah. So for those who don't have the benefit of video, we have a large bin, uh, probably like a self-serve bin, of peanuts in the shell. So they're clearly peanuts. It's very, you know, remember the old Planters guy that was like a big Mr. Peanut? You know, yeah, yeah, Mr. Peanut, thank you. Yeah, like with their, there's actually two peanuts in most shells, you hope. Uh, sometimes there's three, you never know.

Yeah, that's a, yeah, uh, anyway, we got a big bin of that. It's leaving no doubt in anyone's mind what this contains, and there is, of course, a warning sign in front of it letting everyone know that this product contains peanuts. Really. Well, it could be good news if you like peanuts.

0:10:04 - Steve Gibson
This product is peanuts. Yes, there you go. Yeah, this product is peanuts.

0:10:11 - Leo Laporte
Okay, so US lawmakers have responded. Last Thursday, Engadget gave their updated coverage of the UK decryption order. The headline: US lawmakers respond to the UK's Apple encryption backdoor request. And the subhead was: Senator Ron Wyden and Representative Andy Biggs said the order is, quote, effectively, this is the, they're speaking of the UK's order, effectively a foreign cyber attack, wow, waged through political means. They're not far wrong.

0:10:54 - Steve Gibson
I mean, it affects Americans' data too, yeah.

0:10:59 - Leo Laporte
So what Engadget said was, the UK's shockingly intrusive order for Apple to create a backdoor into users' encrypted iCloud data doesn't only affect Brits. It could be used to access the private data of any Apple account holder in the world, including Americans. Less than a week after security experts sounded the alarm on the report, the US Congress is trying to do something about it. Now, actually, if the US Congress was able to do anything, that would be good. They continued.

The Washington Post reported on Thursday that, in a rare show of modern Capitol Hill bipartisanship, Senator Ron Wyden, who is a Democrat, and Representative Andy Biggs, an Arizona Republican, wrote to the new National Intelligence Director, Tulsi Gabbard, asking her to take measures to thwart the UK's surveillance order, including limiting cooperation and intelligence sharing if the country refuses to comply. I mean, we're talking about breaking our allegiance with the UK over this, you know, allegiance as an ally. Biggs and Wyden wrote, quote, a backdoor will end up in Americans' phones, tablets and computers, undermining the security of Americans' data as well as of the countless federal, state and local government agencies that entrust sensitive data to Apple products. The US government must not permit what is effectively a foreign cyber attack waged through political means, unquote. The pair, writes Engadget, told Gabbard that if the UK doesn't retract its order, she should, quote, re-evaluate US-UK cybersecurity arrangements and programs, as well as US intelligence sharing with the UK, unquote. Wyden sits on the Senate Intelligence Committee and Biggs is on the House Judiciary Committee and chairs the Subcommittee on Crime and Federal Government Surveillance. So those are the right two guys.

Wyden began circulating a draft bill that, if it were passed, could at least make the process harder for UK authorities. The proposed modification to the 2018 CLOUD Act, C-L-O-U-D Act, would make information requests to US-based companies by foreign entities more onerous by requiring them to first obtain a judge's order in their home country. In addition, it would forbid other countries, like, say, the UK, from demanding changes in encryption protocols to the products or services of companies in the US. Request challenges would also be given jurisdiction in US rather than in foreign courts. So, you know, basically, if we create a law under which the UK demanding changes in encryption products is basically forbidden, then, whoops. Okay.

The UK order, first reported by the Washington Post, of course, is what we discussed last week. It requires Apple to create a backdoor into its Advanced Data Protection, a feature introduced in iOS 16.2 back in 2022. Advanced Data Protection applies end-to-end encryption to many types of iCloud data, including device backups, messages content, notes and photos, making them inaccessible even to Apple. The order demands a blanket ability to access a user's fully encrypted data whenever and wherever the target may be located. The order was issued under the UK's, here comes the word, Investigatory Powers Act of 2016, known not so affectionately as the Snoopers' Charter, which expanded the electronic surveillance powers of British intelligence agencies and law enforcement. It would be a criminal offense for Apple to publicly confirm receiving the order, so, like, they can't talk about it. So the company hasn't commented on the matter, writes Engadget.

Security experts warn that implementing this backdoor would needlessly expose anyone with any Apple account to foreign spying, hackers and adversarial countries. Apple received a draft of the order last year when UK officials debated the changes. In a written submission protesting them, the company said the planned order, quote, could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, unquote. The company can appeal the notice, but cannot use the appeal to delay compliance. Ciaran Martin, former chief executive of the UK's National Cyber Security Centre, told the Washington Post, quote, most experts in the democratic world agree that what the UK is proposing would weaken digital security for everyone, not just in the UK, but worldwide, unquote.

Okay, now I wanted to take a moment to focus upon the use of the term backdoor, which has appeared about 20 times so far in what I've read, and even in Apple's own response, which was quoted. Unfortunately, its original meaning is being lost and stretched through reuse for other purposes. As I noted, the term was liberally used throughout the original Washington Post article and also in Engadget's own reporting, mostly because we don't have another term like that. Now, in the past, I've pedantically objected to the use of the term backdoor in these cases, and I'm going to take this opportunity to be at least as pedantic about this again today, but maybe for the last time, because I'm going to have to give up. I've previously suggested that what's being asked for is a locked, yet unlockable, front door. That's what they're asking for. Now.

I suppose the trouble is that this stuff can be confusing for those who don't inhabit the security space for a living. You know, the term backdoor sounds bad, right? And bad is often the way someone wants it to sound when they're trying to say, oh, this is what they're asking for, it's bad. Well, okay, backdoor. So what's wrong with using the term backdoor? My problem is that the word needs, you know, that words in general need to have and to hold onto their meaning, and although we also see that blurring with misuse, right, the term backdoor already, I want to say has, maybe I have to say had, an extremely specific and exact meaning. You know, I mean, we've been around since its early use.

It was originally used to describe any sort of security measure bypass, and it was definitely meant to be a secret, period. A backdoor is, by definition, a secret, so the UK cannot possibly mandate the inclusion of a backdoor into anything, because anything mandated could never be a secret. The UK could certainly mandate that Apple have some means for complying with their demands for a user's data, and if that data was initially encrypted for the user's privacy, then Apple would need to have some means for decrypting it in order to comply with the UK's demand. But nothing about that suggests the use of any sort of backdoor, and in fact, from where we are now, Apple would need to deliberately design in a new front door for which only they possess the key. Apple clearly objects to doing this, and for that I salute them. And, as has been previously mentioned, Google has supported full, similar end-to-end device-to-device encryption of cloud-stored data from Android 9's Pie edition, and in this case Pie referred to a dessert rather than to Pre-Internet Encryption, even though that's what it offered.

So it had double meaning there. So if we should not refer to designed-in decryption capabilities as backdoors, what should they be called? The problem is the security industry doesn't have any sufficiently pithy and engaging term for this. So backdoor it is for better or for worse, even though that isn't at all what anyone is asking for, whether they know it or not. Anyway, I did say I was going to be pedantic about this and I'm sure I haven't disappointed on that account.

Every time I see the term backdoor, which again has a very specific meaning, you know, being used as a generic term for obtaining otherwise inaccessible information,

0:21:38 - Steve Gibson
I think to myself, yeah, but a backdoor is not what it is. Unfortunately, that's what everybody's going to be calling it, and I think we've collectively lost control of the term. Do you want to propose another one? I mean, it's basically, they want the keys. You have talked before about some sort of...

0:21:49 - Leo Laporte
They want Apple to be holding keys. Yeah, I mean, that's really it. They want Apple to be holding keys. Apple has said, we don't want to be holding keys, because we don't want that responsibility, and also we're selling the fact that we're not holding the key. I mean, that's a sales point for Apple technology.

0:22:11 - Steve Gibson
Well, it's only for the Advanced Data Protection version, because they do hold the keys for everything else, and this is important because most Apple users do not use ADP, because it's a pain in the butt. You and I don't.

0:22:23 - Leo Laporte
I can't because I still have an iPad where I wait about an hour for it to turn on, but it works.

0:22:28 - Steve Gibson
Let's be clear, I'm kidding. With the UK Snoopers' Charter or, as you say, the Investigatory Powers Act, now you know why they call it the Snoopers' Charter. Really, what they're saying is, we want clear text of any message ever, of any file ever. We want access to it. Privacy is bad. Privacy bad, privacy bad. And we want you to be able to give us the information should we ask for it, uh, and we don't like encryption.

0:23:00 - Leo Laporte
We don't like encryption. You know, we used to be able to put a wiretap on somebody and we'd get all of the content from them.

0:23:10 - Steve Gibson
Well, we saw what happened because of CALEA, that now the Chinese are in our phone system, right, because, using that backdoor, for lack of a better term. It's up to you to come up with a better, we need, I, okay, so here it is.

0:23:27 - Leo Laporte
Here it is. You know, I've asked for a caption on a photo before, so now we need a better... This is our listener challenge. You all heard that, um, backdoor means a secret. So what would be a fun, pithy, catchy, successful term for this, for an encryption bypass? Essentially, that is what we're asking for.

0:23:54 - Steve Gibson
That's what it is, isn't it? It's an encryption bypass. Yeah, so there is no such thing as real encryption. That's what they want. That's what they want. Well, um, you've mentioned in the past you had come up with, this is some years ago, the notion of some sort of key escrow system that might allow this without really compromising people's privacy. Do you remember that?

0:24:15 - Leo Laporte
Um, way back when. There's a lot of work that has been done. For example, there are ways to take a single key and divide it up among some number of people, where you need some subset of those people to provide their content in order to recreate the whole key. I mean, cryptographers have solved all these problems before. But when we start getting tricky and anything seems muddy, you end up like no one wanting those CSAM image hashes on their phone. They're like, they're not the images. No, no, no. We don't want anything to do with that. So I respect Apple for being very sharp-edged about this. It's either, you know, yes or no.

0:25:12 - Steve Gibson
It's either we cannot do it or we're not going to try. Well, the real issue here, if it were just the UK saying we want that for UK traffic, traffic inside the UK, for UK citizens, Apple would just say, okay, fine, UK citizens, you don't get Advanced Data Protection. And that's maybe what will end up happening, is the UK might back off and say, okay, just for the UK.

0:25:35 - Leo Laporte
But then how do you define that border? That's the problem, it's very fuzzy. What about a UK phone traveling outside of the UK?

0:25:42 - Steve Gibson
Or if I'm having a conversation with somebody from the UK, that's my data too. So it is very tricky. Asking for it globally, though, Apple is not going to say, okay, we'll turn off Advanced Data Protection globally. They're not going to do that. No.

0:26:04 - Leo Laporte
And they shouldn't. No, not because the UK says we want the right to have access to anyone's data. No. And I mean, right, so we've, I know, for a couple years now, right, we've been talking about and following and chronicling this, the inherent tension. In fact, it's why I dropped the development of CryptoLink, which was my, you know, I mean, absolutely uncrackable cryptographic networking technology. I just decided I don't want to invest heavily in creating something that the government may tell me is making me an outlaw, and this is back in the Obama days.

Yeah, right, I mean, this is well before this was an issue.

So it is really good that the UK has come down like this, because now, I mean, what they've asked for is such overreach. So, as you said, so much, they're asking for complete decryption of anything they want. They need to just be told no, and the other governments who are watching this are going to go, oh, okay, well, let's not try. I mean, in France, as I mentioned last week, France has got some of their own legislation moving forward through their own parliament. And if the UK just gets slapped down and told, you know, if you want to do that, we're just, you know, not going to give encryption to anybody in the UK.

0:27:40 - Steve Gibson
See how your citizens like that. And honestly, if our Congress asked for that in the UK, if the US Congress said, oh, and we want, you know, to be able to look at anybody's conversations anywhere in the world, people in the UK would be just as upset as we are. Yeah, it's not okay, it's UK, it's... I saw that coming. There's a slogan, that's right.

0:28:11 - Leo Laporte
Okay. So, compared with last month's massive batch of software fixes, it didn't break a record, I suppose, it was 163 or something, but it was a local record. February's updates last week were mild. They addressed merely 63 flaws and eliminated a pair of less severe, though still actively exploited, zero-days in Windows. Of those flaws, three were rated critical, 57 were deemed to be merely important, one was moderate and the last two were rated as low severity. So don't be in a big hurry for that, but of course they all come as a big bundle.

In addition to those 63, Microsoft also separately resolved 23 flaws over in their Chromium-based Edge browser. The two resolved zero-days had CVSSs of 7.1 and 7.8, respectively. The 7.1 was an elevation of privilege in Windows Storage. Microsoft's alert said an attacker would only be able to delete targeted files on a system. That's interesting. This vulnerability, they said, does not allow disclosure of any confidential information, but could allow an attacker to delete data. That could include data that results in the service being unavailable. Thus the 7.1. It's like, well, that's not good, but it's not going to, you know, it's not a 9.8, house-on-fire CVSS. However, Mike Walters, the president and co-founder of Action1, noted that the vulnerability could be chained with other flaws to escalate privileges and perform follow-on actions that can complicate recovery efforts and allow threat actors to cover up their tracks by deleting crucial forensic artifacts. So yeah, deletion, if that's all you can do, that can still be good if you want to delete logs of you poking around in someone's system which you would otherwise not be able to delete.

The second zero-day, having the higher CVSS of 7.8, also created an elevation of privilege vulnerability, this time in the Windows Ancillary Function Driver for WinSock. WinSock is short for Windows Sockets, and it's part of the operating system's networking subsystem. Due to the fact that the AFD, that's the Ancillary Function Driver, afd.sys, is down in the kernel, the successful exploitation of this vulnerability, you know, good old networking vulnerability, would allow an attacker to obtain SYSTEM privileges. So, you know, yes, escalation all the way up to full SYSTEM. Now, a similar flaw in afd.sys was disclosed by Gen Digital last August after they found that it had been weaponized by North Korea's Lazarus Group.

A year ago, in February of 2024, Microsoft plugged a Windows kernel privilege escalation flaw affecting the AppLocker driver, that's appid.sys. That was also being actively exploited by the same group, which relies upon the bring-your-own-vulnerable-driver, BYOVD, approach, which we've talked about. Like an old signed printer driver which has known flaws, the bad guys will bring that in. It's signed, so Windows says, oh, a signed driver, let's load it. And then they exploit the vulnerability down in the kernel that that driver created. That's the bring-your-own-vulnerable-driver. Instead, what's happening here is that they take advantage of the comparatively rare security flaws that still can be found, and these two were just patched, in native Windows drivers to eliminate the need to introduce vulnerable drivers into their targets, and really locked-down systems can even prevent, not surprisingly, bring-your-own-vulnerable-driver. They're locked down so much they won't allow any new driver to be installed. Of course that creates lots of headaches for people who just want to use Windows a little more casually, but you can't have it both ways.

Now it's not known whether the abuse of last month's zero-day is also linked to the Lazarus Group. Remember, both of these drivers are zero-days. They were under abuse, so somebody had found them, and they were found being exploited. CISA has added both of the flaws to its Known Exploited Vulnerabilities, that's the KEV, catalog. Their presence in CISA's KEV catalog does require federal agencies to apply patches by the 4th of March, so within, like, four weeks of this thing happening.

So the most severe flaws addressed by Microsoft in this month's update were not zero-days. A CVSS of 9.0, allowing remote code execution in the so-called High Performance Compute, or HPC, Pack. Microsoft documented that, saying an attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux compute node, granting them the ability to perform remote code execution in other clusters or nodes connected to the targeted head node. Okay, so although this is bad, it wasn't known to be abused at the time of its patching. So, you know, now the vulnerability is known, and remember, CVSS of 9.0, and it's remote code execution in something network, remotely network accessible. So the bad guys could potentially reverse engineer the update, discover the vulnerability, weaponize it and start using it. So now would be a good time to apply this month's patches, if you haven't already.

There's also an 8.1 CVSS which affects Windows LDAP, its Lightweight Directory Access Protocol. The flaw allows an attacker to send a specially crafted request and to execute arbitrary code. Now, since that's really not good, the LDAP flaw would normally have a higher CVSS, right? Network-accessible remote code execution. So why only an 8.1? Because it involves a race condition that has to be won in order to succeed. Even so, Ben McCarthy, the lead cybersecurity engineer at Immersive Labs, said, quote, given that LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments, a compromise there could lead to lateral movement, privilege escalation and widespread network breaches.

In other words, the precursor to ransomware in your company, and nobody wants that. Oh, and speaking of authentication, because that's what this problem was, is a very low probability of success authentication bypass, there's also a CVSS 6.5 NT LAN Manager version 2 hash disclosure vulnerability which, if successfully exploited, would permit an attacker to authenticate as the targeted user. So, you know, not any sky-is-falling updates, but, as usual, updating as soon as practical would be a good idea. And you know, Leo, what would be another good idea.

0:36:19 - Steve Gibson
A break.

0:36:20 - Leo Laporte
I'm looking at this mug of coffee over here thinking that would be good.

0:36:25 - Steve Gibson
All right, we can do that. We can take a break. This portion of Security Now brought to you by a brand new sponsor. I want to welcome Legato Security. Let me, Steve, we're going to talk about Chrome extensions in a bit. Wasn't it like Christmas Eve that that attack on Chrome extensions happened? Like all the malicious Chrome, was it Chrome extensions, were uploaded, or something, on Christmas Eve? I remember this, last year. You're right.

0:36:50 - Leo Laporte
And we noted it because it was clearly the timing was chosen to maximize the length of time before it would probably be seen.

0:37:01 - Steve Gibson
Because the security people in your company, and those extensions, were off for Christmas, right? Also, like a good eggnog. And so, yes.

So this is the thing, like big companies have 24-hour monitoring. You probably, if you have a burglar alarm on your house, have 24-hour monitoring, right? No business should be their own burglar alarm, you know, because people go home for the weekend and bad guys know that. Legato Security is perfect for small and mid-sized businesses that want that 24-hour protection. Legato Security provides the same standard of security controls the big enterprises depend on, but you don't have to build your own internal SOC, Security Operations Center, because Legato's got one. Now, don't worry, they're not going to install a bunch of their own tools. They work with everybody. So this is the beauty. Imagine 24-hour monitoring of your security posture, of what's going on in your network, what's going on with your apps and your data, but you don't have to build the SOC. As a recognized leader by CRN and MSSP Alert in 2024, Legato Security, Legato, remember this name, L-E-G-A-T-O.

Legato Security transforms how businesses approach their cybersecurity. First of all, Legato is a technology-agnostic MSSP platform, managed security service provider platform. That means they provide your business with a suite, a custom suite, of security solutions tailored to your needs and your existing tools. They integrate seamlessly with your existing security infrastructure, so you don't have to do some big infrastructure overhaul. They do, though, have an incredible platform. It's called Ensemble. It's a proprietary security operations platform, and so it works with all your existing, you know, tools, your firewalls and so forth. It delivers consolidated, prioritized and actionable alerts in real time. It's nice because it's a single pane of glass. It's a dashboard that says exactly what your status is, what's going well, what's not. Look, hackers don't take holidays. They love holidays. They want to work Christmas Eve. They don't stop working when you clock off. That's when they go to work. Legato Security's 100% US-based team provides proactive threat detection, triage and remediation, and they do it 24/7, 365 days a year in their purpose-built security operations center, so your team can focus elsewhere. You can go home and have some eggnog when it's time to clock out, but they'll work with you when it's not.

From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth. A recent customer says, quote, Legato Security is the only supplier that has delivered everything they said they would. We didn't have to drive them, they just get it done. Don't you want that? Legato Security isn't going to call to tell you you have a problem. Hey, we think you got a problem. They're going to call to say we saw the problem, we fixed the problem. That's the call you want. We saw it, it's fixed, don't worry.

IT and security professionals, Legato Security's MSSP is here to help augment your security team. Don't worry, they're not there to replace them. They're going to work with you. They're the professionals you want on your team to back up your cybersecurity forces and to fortify your proactive defenses 24-7, 365 days a year. Security tools, they're great, but they're not enough. You need the expertise to back it up. See if your defenses are as strong as you think. They've got a free risk assessment available on their website to give you the information you need. I think you should check it out. LegatoSecurity.com, L-E-G-A-T-O. LegatoSecurity.com, L-E-G-A-T-O. LegatoSecurity.com. Brand new sponsor. I had a great conversation with these guys last week, I think it was maybe two weeks ago. Was very impressed. You could have a burglar alarm, but if somebody's not monitoring it 24-7, it's not good enough. You gotta have it full-time. Visit LegatoSecurity.com to discover how they can help you regain. Enjoy your weekends and Christmas Eve like you used to. That's LegatoSecurity.com, L-E-G-A-T-O. LegatoSecurity.com. All right, enough, back to the show, Steve, let's talk tech or something.

0:41:45 - Leo Laporte
Ransom Hub oh with a U.

0:41:50 - Steve Gibson
Misspelled. Is it or no? No, it is spelled with an O.

0:41:54 - Leo Laporte
Okay. At the top you spelled it with a U and I thought, I did, I did notice. That's a good, that's a good way to spell it. Yeah, so this 2024's, as in last year's, top ransomware group, they hit more than 600 organizations.

0:42:18 - Steve Gibson
This is the email you do not want to see.

0:42:21 - Leo Laporte
We are the ransom hub. Your company servers are locked and data has been taken to our servers. This is serious. Yeah, then they have good news. Your server system and data will be restored by our decryption tool. For now, your data is secured and safely stored on our server. Oh, that's nice. What a relief. We're your backup system.

Yeah, that's right, nobody in the world is aware about the data leak from your company, except you and RansomHub. Oh boy, in other words, we got it, we encrypted it, we wiped all of yours out because obviously you're not able to hold on to it, and it's been decrypted and we haven't told anybody. So now is the time to pay. Look at their address, holy cow. Yeah. Well, those are Tor nodes.

0:43:18 - Steve Gibson
Okay, so that's a GUID, okay.

0:43:20 - Leo Laporte
Yeah, so under the FAQ section of their ransom note they have who we are, and then they've got a normal browser link and then a Tor browser link that will take you to their site on the dark web in order to learn about these nefarious cretins.

0:43:37 - Steve Gibson
Well, I'm going to go to the authorities immediately that's right.

0:43:40 - Leo Laporte
And then, and then they say, want to go to the authorities for protection? Seeking their help will only make the situation worse. And then they go on to explain how they will be, you'll be prevented, you know. They will try to prevent you from seeking help, and they're incompetent, and incident reports and blah, blah, blah, blah, blah.

Wow. And they even give a Wikipedia link to the general data protection regulations to show how you could get in trouble if you do anything except open your Bitcoin wallet to these guys. So what we have is a new and quite effective ransomware as a service, which, of course, is the way to do this. Now, R-A-A-S ransomware as a service group, calling themselves Ransom, with an O, Hub [...], including healthcare, finance, government and critical infrastructure. This has firmly established them as currently the most active ransomware group through 2024. Now, the group first surfaced exactly a year ago, in February of 2024, after acquiring the source code associated with the now-defunct Knight, KNIGHT, formerly known as Cyclops, Ransomware as a Service Group from the RAMP Cybercrime Forum. Five months later, an updated version of the Locker, as it's called, the encryption software, the Locker, was advertised on the illicit marketplace with capabilities to remotely encrypt data via the Simple File Transfer Protocol, so SFTP. The group's updated malware comes in multiple variants that are capable of encrypting files on Windows, VMware ESXi and SFTP servers. RansomHub has also been observed actively recruiting affiliates from LockBit and BlackCat groups as part of the partnership program. This is very professional, wow, unfortunately indicating an attempt to capitalize on. All the rats scurry, and some of them take the source code with them and set up new operations. Some of them just switch over to using, you know, like merge with other groups.

In the incident, which was analyzed by Group-IB, RansomHub unsuccessfully attempted to exploit a critical flaw impacting Palo Alto Networks' PAN-OS devices. That was using a flaw, CVE-2024-3400, and they were trying to use a publicly available proof of concept, but then they ultimately breached the victim network by means of a brute force attack against the exposed VPN service. The Group-IB researchers said, quote, this successful brute force attack used an enriched dictionary of over 5,000 usernames and passwords. The attacker finally, eventually, gained entry through a default account frequently used in data backup solutions, which then allowed them to breach the network perimeter. So don't reuse usernames and passwords from anywhere. Make your own from scratch, everybody. The initial access was then used to carry out the ransomware attack, with both data encryption and exfiltration occurring within 24 hours of the compromise.

The attack weaponized two known security flaws in Active Directory, one from 2021. Now, okay, anybody who's getting compromised today, or I should say in 2024, through an Active Directory flaw that was patched in 2021. Again, I will never tell anybody they deserve it. But wow, come on. So that was CVE-2021-42278, also known as NOPAC, P-A-C, and the network, the Netlogon protocol, that flaw dates from 2020, the year before that, CVE-2020-1472, also known as Zerologon, that we've talked about, and so here's a network, again, just nobody is giving it any thought, any maintenance, any updates. I mean, you have to try not to have your system updated by Microsoft. It takes work for that to be the case, so yikes. And that, of course, allowed the attacker to seize control of the domain controller and then conduct lateral movement within and across the network. So trouble. The researchers said that, quote, the exploitation of these vulnerabilities enabled the attacker to gain full, privileged access to the domain controller, which is the nerve center of a Microsoft Windows-based infrastructure.

Following the completion of the exfiltration operations, the attacker prepared the environment for the final phase of the attack.

The attacker operated to render all company data saved on the various network attached storage systems completely unreadable and inaccessible, as well as impermissible to restore, with the aim of forcing the victims to pay the ransom to get their data back. The researchers added, the origins of the RansomHub group, its offensive operations and its overlapping characteristics with other groups confirm the existence of a still active cybercrime ecosystem. This environment thrives on the sharing, reusing and rebranding of tools and source code, fueling a robust underground market where high-profile victims, infamous groups and substantial sums of money play central roles. Ransomware as a service affiliates are incentivized with an 80, 8-0, percent share of ransom proceeds. Yeah, that was always the thing, that, from the first moment this appeared, Leo, you and I noted that that's so smart, that the affiliates that are doing essentially the upfront work of getting into people's networks and creating, you know, opening those doors, be they front or back, that, you know, they get 80% of the proceeds.

0:51:32 - Steve Gibson
That's just dare I say, smart business. They take a smaller cut than Apple, does you know they? Oh, we're only going to take 20%, but you know, if you've got 1,000 affiliates, that adds up yeah.

0:51:45 - Leo Laporte
So, after originally being saturated in ransomware stories, you know, I've been actively avoiding them, since there hasn't really been that much new to report, except just incident after incident after incident.

Law enforcement has successfully tracked down when they've been like. Really motivated by the big, embarrassing breaches, tracked down and stomped out many of the larger and highest profile groups. But, exactly as was predicted, any members who managed to escape law enforcement sweeps or those who were more peripheral to the operations changed groups, moved, merged into others or formed new groups. Detailed look into attacks on K through 12 school systems. There's just too much money potentially waiting to be collected from insurers for bad guys to ignore the chance to get some of that. So ransomware in one form or another promises to remain a cyber crime staple for the foreseeable future. It's not going away. It's, you know. I would argue maybe it became too high profile and learned a lesson from that. You know all of that. You know shutting down the East Coast oil pipeline. That roused the giant, and those groups no longer exist today, but it as a source of extortion and revenue through extortion. It's not gone away and it's not going to.

0:53:26 - Steve Gibson
You can kind of see why I mean, not only is it lucrative, it's probably pretty fun to try to find a way to get into these systems right. It's like a game, uh, and you get paid always.

0:53:38 - Leo Laporte
I would always be too afraid. On the other hand, I'm not in Russia, aiming at the, at the West. If you're in Belarus, nobody's gonna arrest you, you know, you're safe?

0:53:50 - Steve Gibson
Uh, yeah, and you know you're underemployed. They probably are highly educated, maybe not, maybe they're just script kiddies.

0:53:56 - Leo Laporte
But a lot of these, they're, I mean, this does show some, some engineering, yeah, and how many ways are there to socially engineer an attack? I mean, and now you've got GPT making your letters sound really good. That's right, you can, right.

0:54:14 - Steve Gibson
You can no longer look at a phishing attack and say, well, that's clearly phony because of the bad grammar. No, they're perfect Spelling grammar everything.

0:54:24 - Leo Laporte
And you can also say, well, you know, this is a company involved in remarketing, you know, flim-wizzles, and so please write a letter that would induce a flim-wizzle purchasing agent to click on this link.

0:54:42 - Steve Gibson
I think I can write that letter for you. Wow, wow.

0:54:48 - Leo Laporte
Yeah, here's something I didn't realize was a thing until I learned that Google was beta testing its prevention. There is a class of attack using the acronym TOAD, which stands for Telephone Oriented Attack Delivery. This forthcoming feature of Android 16 blocks fraudsters from sideloading apps during phone calls. Now, when I read that, I thought, sideloading apps during phone calls, what, that's a thing? Anyway, the Hacker News explains, feature for Android that blocks device owners from changing sensitive settings when, let us say, while a phone call is in progress. Wow, which they're directed to do by the fake tech support guy.

0:55:45 - Steve Gibson
So it's not automated that somebody says oh, you know? Yes, it's like oh to do you have to anyway.

0:55:52 - Leo Laporte
Specifically, they said, new in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granting accessibility access. The development was first reported by Android Authority. Okay, so apparently scammers are, as we could, like, reverse engineer the attack from this, right. Scammers are instructing unwitting users to do things during phone calls, such as, I suppose, when calling a fake technical support hotline for assistance. You know, the Hacker News continues, saying users who attempt to do so during phone calls will now be served the message, quote, scammers often request this type of action during phone call conversations, so it's blocked to protect you. If you are being guided to take this action by someone you don't know, it might be a scam, unquote. Furthermore, it blocks users from giving up app access to accessibility over the course of a phone call. The feature is currently live in Android 16 Beta 2, which was released last week. The idea is to introduce more friction to a tactic that has been commonly abused by malicious actors to deliver malware, dubbed telephone-oriented attack delivery or TOAD. These approaches involve sending SMS messages to prospective targets and instructing them to call a number by inducing a false sense of urgency, using a combination of SMS messages to initiate scam calls, followed by phone apps to trick users into installing malware such as Vultur.

The development comes after Google expanded restricted settings to cover more permission categories in order to prevent side-loaded apps from accessing sensitive data. So, like, so Google added protections and then the bad guys realized, oh, we got to get those to be turned off. So let's get the guy on the phone and explain why, oh, you need to turn this off just for, just a second. I'm just gonna, you know, uh, we just need to make a few little changes here in order to solve your problem. So Google has also rolled out the ability to automatically block sideloading of potentially unsafe apps in markets like Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, Singapore, South Africa, Thailand and Vietnam. So, anyway, this seems like a very useful feature, and I think it's the sort of thing that our phones could obviously very easily do. How often do you actually need, would you legitimately be fiddling with app access permissions while you're on the phone? I mean, it could even be like, sorry, this is not available while the phone is in use. So, you know, like a deliberate shutdown in the phone's multitasking system.

0:59:26 - Steve Gibson
The problem is that sometimes it's legit right If you called your help desk at your company and they want you to do this. That's the problem.

0:59:34 - Leo Laporte
So all they can really do is warn you and say yeah, and, and I think this should serve as a reminder of just how effective social engineering attacks remain. You know, as I've often said, most people have no idea how any of this stuff works, that you know. They're just like okay, I can turn it on. And when a knowledgeable sounding voice at the other end of the phone explains how to fix some made up problem, many people will just follow along. Sure, especially when this is the-.

1:00:08 - Steve Gibson
Especially older people, right.

1:00:10 - Leo Laporte
Yes, and when it's spoken with authority. I mean, notice how even ChatGPT's voice of authority, it's like it's seductive, it's like so sure that it's correct. I loved how it wasn't Andy, it was Alex who was mentioning that he asked about the specs for some router. Oh yeah, he had like the 16-port version and he asked for the specs for the 8 and the 4. And the 8 exists. There is no 4-port version, but it just produced a 4-port specification sheet.

1:00:46 - Steve Gibson
that was beautiful, for a completely fictitious router. Confidently wrong is the term you saw. I mean, this is such a common problem that Zelle, which is the electronic payment system used by very many banks, uh, Chase just started blocking Zelle payments through social media contacts because there's so many scam, uh, social media systems, right, and, and older people go, oh yeah, I saw this guy thing on Instagram. And so they're going to stop it because 50% of fraudulent wire transfers from Zelle originated on social media. Wow, I mean, we're sitting ducks out here. Steve, help us. It's amazing. It's just amazing. Good on Google for doing that.

1:01:40 - Leo Laporte
That's the least I mean. Again, it makes so much sense. It's a simple thing to do and I'm sure there's a. You know. If you're really sure, then OK, but you know, but for that to come up on your phone, even some oldster is going to go oh that didn't occur to me, sonny, who did you say you were with again?

1:02:04 - Steve Gibson
Yeah, I see that Zelle does that. Now, if you use Zelle which I do It'll warn you. It'll even show you sample spoof messages and things.

1:02:13 - Leo Laporte
This happens, so I guess they're really a vector. Um, let's take a break and we're going to talk about Texas versus DeepSeek.

1:02:24 - Steve Gibson
Oh, okay, that should be. That'll be. That'll be interesting. Um, I uh, actually, this is great. All of our sponsors are very timely.

Steve, I don't know if you've noticed that. I think it's too bad that, uh, that individual users, home users, can't use Zero Trust, because that would solve a lot of this. That ransomware you just talked about, the lateral movement, using VPNs to exfiltrate data, all of that just would be stopped cold by Zero Trust. The problem, of course, I think for a lot of companies is Zero Trust is a hard thing to implement. Perhaps it's a new idea for you.

This portion of our show is brought to you by ThreatLocker, which is absolutely just kind of the premier example of a company that makes Zero Trust easy and very affordable. Harden your security. With ThreatLocker, you'll never have to worry about zero-day exploits, supply chain attacks. Worldwide, big companies like JetBlue trust ThreatLocker to keep their data and keep their business operations secure and flying high. The whole idea is, I really wish people could do this at home, it's taken a proactive, deny by default approach to cybersecurity. We've talked about this on the show.

I think Zero Trust started with Google and it really is the single best way to protect your network. With ThreatLocker, you block every action, every process, every user, unless explicitly authorized by your team. ThreatLocker makes it easy, it helps you do it, and, this is great, provides a full audit of every action. That's great for compliance, but it's also great for risk management, because you know who was doing what, when and where. ThreatLocker's 24-7 US-based support team fully supports onboarding and, of course, beyond. Stop the exploitation of trusted applications within your organization. Keep your business secure, keep it protected from ransomware. Organizations in any industry can benefit from ThreatLocker's ring fencing. It isolates critical and trusted applications from unintended uses or weaponizations. It limits attackers' lateral movement within the network and, by the way, heterogeneous networks too.

ThreatLocker doesn't just work for Windows, it works for Macs too, and, man, if you go to the website, it is very affordable. You'll get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively with ThreatLocker's zero-trust endpoint protection platform. Visit ThreatLocker.com right now. Get a free 30-day trial. You'll see how easy it is to implement and how effective it is to protect. Learn more about how ThreatLocker can help mitigate unknown threats and, yes, ensure compliance. That's nice. ThreatLocker.com. Security starts and finishes at the endpoint. Zero Trust, done right. ThreatLocker.com. We thank them so much for supporting Security Now. And the great analogy is a firewall.

1:05:32 - Leo Laporte
We used to have a firewall that was open and you would block abuse-prone ports, and we switched firewalls universally to deny default. Deny by default and then selectively open the ports that you need.

1:05:48 - Steve Gibson
I think you're responsible to a great degree because of ShieldsUP. You taught people that these ports were open, you showed them that and you explained it very nicely. If you've never used ShieldsUP, every time I install a new router I immediately go to ShieldsUP because it explains not only what ports are open, what ports are responding. You know, uh, not necessarily open, but, but, but not, but closed, but not, you know, hidden. Yep, yep, not stealth, not stealth. Uh, it's a really good site to, to learn about that, at GRC.com. So plug there, Steve.

1:06:20 - Leo Laporte
Thank you, and I think it's what, 109 million or something uses of ShieldsUP.

1:06:26 - Steve Gibson
So I think really, you get a lot of credit for teaching people about securing their routers. Absolutely, absolutely. All right. Under the heading

1:06:37 - Leo Laporte
because, why not? We have the news reported by The Record that Texas is investigating DeepSeek. Of course they are. Because, why not? It comes from China, right, which, you know, yeah. DeepSeek comes from China. It's got to be bad.

What did they do wrong? Well, they embarrassed the US by making a better AI, so we've decided that they probably violated the state's data. They made the app publicly available for download on their app stores. In other words, the attorney general in Texas has no information of any sort whatsoever. Well, that's obvious, but just thinks that it's kind of probably a bad idea.

1:07:45 - Steve Gibson
Tell us about it. You tell us yeah, exactly.

1:07:49 - Leo Laporte
That's right, paxton said in a statement. Quote DeepSeek appears to be no more than a proxy for the CCP. Oh, that's a little much. Yeah, to undermine American AI dominance, and you know they did it better than we did. We don't like that and steal the data of our citizens.

That's why I am announcing, mostly it's the announcement, I'm announcing a thorough investigation and calling on Google and Apple to cooperate immediately by providing all relevant documents related to the DeepSeek app. In other words, their AI is better than ours and we can't have any of that. So we're going to investigate them in order to hopefully find some evidence of some misbehavior somewhere. The Record wrote, DeepSeek, Google and Apple did not immediately respond to requests for comment, and maybe even not, not immediately. On January 28th, Paxton banned DeepSeek's use on all devices owned by members of his staff due to security concerns and what a press release from his office called the company's blatant allegiance to the CCP, including its willingness to censor any information critical of the Chinese government. Oh, that's right, because it doesn't have a right to censor information that's critical of China, even though it's from China.

1:09:39 - Steve Gibson
This week, New York State and Virginia both federal workers from using DeepSeek on government devices. Josh Hawley's proposed a bill that would fine anybody a million dollars or as much as 20 years in prison for downloading DeepSeek. You know you can run DeepSeek in the US, explicitly, right? It's just a model people can download. There are a number of places you can run DeepSeek, uh, around here, so, so sadly. Yes, without any access to China, without, you know, completely locally.

1:10:14 - Leo Laporte
Any Chinese technology backlash has become predictable.

Yeah, with DeepSeek just being the latest example, since it's exceedingly difficult to prove that China is not using their DeepSeek app, you know, the smartphone, the mobile app, to monitor the questions, behavior and who knows what else of US citizens.

It appears that we're inevitably heading into a world of increasing mistrust, basically a technology cold war, where everyone is going to be trusting only, going to be trusting the hardware, software and firmware produced by their own country and their close allies. And even close allies are having trouble, as we're seeing, with the emerging standoff between the UK and Apple. That this was where we were headed appeared to be clear for years, as tensions between the US and both China and Russia have been gradually mounting. Everyone listening to this podcast has heard me wonder on many prior occasions how it is that China and Russia were still using Microsoft's Windows, an operating system that could so easily be hiding pro-Western capabilities. As we know, both of those countries have felt similarly and are now working to remove Windows from their critical enterprises and industries, and, as we know, that's a feat that's much more easily ordered than accomplished. It's sad, Leo, but it's the direction we're headed in, you know.

Well, he sort of had a technological detente for a while.

1:12:03 - Steve Gibson
The reason this was embarrassing the US is because this was an open model. Yes, and so you can run DeepSeek v3. Here it is on Together AI, but there are plenty of places you can do this Running completely on United States servers. By the way, you can ask it about Tiananmen Square, because it doesn't have that lock. It will respond you don't need the app, and this is great. It's good. It was open source. Even Sam Altman said yeah, we might be on the wrong side of history with this.

1:12:33 - Leo Laporte
Yeah Well said. Yeah, we, we might be on the wrong side of history with this. Yeah, well, I mean they are. This was a breakthrough. This was without a question.

1:12:38 - Steve Gibson
It caught a lot of people flat-footed in, in the more traditional, I mean, and I say traditional with air quotes because, yeah, that's a month ago was traditional. Let me just, uh, quickly, uh, query, uh, this DeepSeek running at Together.AI, to see if, if it will tell me about this famous photo of a man standing in front of a tank. Oh yeah, absolutely.

1:13:05 - Leo Laporte
Uh huh.

1:13:06 - Steve Gibson
Tiananmen Square protest, 1989, Tank Man. This is DeepSeek, the so-called censored Chinese AI. Yeah, never mind.

1:13:19 - Leo Laporte
Yeah, somebody should, should call Ken Paxton and show him this. Well, and I would imagine there will, some money will, will surface a, a non-Chinese DeepSeek-based, you know, US app. Well, that's what this is. It's not an app, but it's a website, Together, because it is the app that, that, that Texas is upset about. Yeah, well, get.

1:13:39 - Steve Gibson
Yeah, I took the app off.

1:13:40 - Leo Laporte
I don't need the app, right, right, right, but I, I would imagine somebody will, will do an app that is based on domestic hardware running, you know, DeepSeek, could write a model.

Yeah, yeah. Okay. Uh, I wanted to note that eight days ago, as I'm sure you covered on MacBreak, Apple announced that they had updated all of their operating systems to fix a bug that they said may, of course they always say may, may have been used in, quote, extremely sophisticated attacks against specific targeted individuals. Which is to say we know that it was, but we're not going to say that. Back when it was introduced, we covered the introduction of so-called restricted mode. It further locks down Apple devices wherever it's enabled. On the one hand, it makes those devices much less fun to use because they can't do as much. But that's the whole point. Right, with more capability comes more opportunities for vulnerability. We once talked about how it's actually not a multiplicative, it's a squaring function, because anything you add that interacts with everything else has all those new interaction possibilities. It's not just twice as much, it's the square of the number of interactions. So in return, however, for making the devices much less fun to use, it also makes them much less, far less easy to compromise, and I strongly endorsed the addition of this option at the time, since we still haven't figured out how to make highly complex products 100% secure and bulletproof. So this allows an individual who is a highly likely to be targeted target of interest person to make their phone less functional in return for making it much less easy to compromise. The flaw that was fixed.

This flaw that Apple just fixed eight days ago, which is now fixed would have and presumably did at the time allow sophisticated attackers to employ the flaw in an attack chain. Its role in the chain was to disable restricted mode, which should not have been possible. That should have been a UI thing only on a locked device. So the phone was locked, restricted mode was enabled with this flaw as part of the attack chain. Restricted mode would be turned off even though the phone was locked.

The vulnerability as described could have been used to enable unlocking technology similar to that that's in Cellebrite's products, which, as we know, allow snoopers to break in devices when they have physical access to them. And what I loved is that Apple's restricted mode also helps with this by proactively blocking data access to iPhones and iPads when they've been locked for more than an hour. So after the phone's been locked for more than an hour, the physical access through the external port is restricted so that you can't plug it in and have it be a drive or connect it to your car or whatever. Very cool.

The vulnerability in Apple's iOS and iPadOS affects iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch third generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, iPad 7th generation and later, and iPad Mini 5th generation and later, said Apple. So across the board, that's been fixed, and just a good thing that they're doing that, staying on top of this. In other news, we have, Leo, James Howells. That's the poor guy who lost?

his hard drive.

1:18:18 - Steve Gibson
I know, I know that name.

1:18:20 - Leo Laporte
Containing the only copy of the 51-character private key which he needs to unlock his cryptocurrency wallet. Sounds familiar.

1:18:33 - Steve Gibson
His wife threw it out. By the way, Did you see that? Yeah?

1:18:41 - Leo Laporte
The wallet contains 8,000.

Yes, you heard me right, 8,000 Bitcoins. $800 million. $800 million, give or take, with Bitcoin now worth around $100 thousand each. Wow, ouch, that's gotta hurt. James is certain that the drive was mistakenly thrown out with the trash and is now lurking somewhere in a landfill in Newport City, Wales. Last month, he lost a court battle with the Newport City Council in Wales, which may have been his last shot at excavating the dump, since soon after, the city council revealed that it would be closing the landfill and building a large solar farm on the site. He offered to purchase the landfill. He was going to get investors who would all be willing to gamble that he was going to be able to find the drive somewhere, and so they would invest in, in subsidizing his purchase of the entire landfill property so that he could go through it, gunk, gunky bit by gunky bit, I mean, we're talking old bananas, and to find the hard drive and then recover his $800 million.

Anyway, the city council said no, we're not going to offer it for sale. We're going to set up a solar farm there because we want to replace our fleet of diesel garbage trucks with EVs to help the city transform itself into a renewable energy, lower carbon footprint environment. So sorry about that. The opportunity is closing. You know, you're not, unless you're going to tunnel underneath the solar farm. I don't think they're going to allow them to do that. So ouch, looks like that chapter is closing. Of course, stories abound, right, of people who, well, and my own and yours, Leo, yeah, who, uh, didn't take those early Bitcoin wins very seriously.

1:20:55 - Steve Gibson
Somebody we know very well bought, I think he said, three Bitcoin for $6 back in the day. It was right around when we were talking about it. He heard the show. He has kept them all this time Nice, and he is about to buy a car. He calls it his $6 car, nice. It will be a nice car, Nice, but you have to keep it. That's the problem. When it gets to a hundred bucks, you might be tempted when it gets to 150. Well, I remember that spike at 17,000.

1:21:29 - Leo Laporte
Yeah, and that sent me on my first complete check of every hard drive. Every drive image everything I had where it might have been around. And yes, had I found it, I would have said, woohoo, you would have sold it.

1:21:44 - Steve Gibson
Right, absolutely. And now you'd be kicking yourself. I'm just figuring I'm going to hold on to that wallet until quantum computers can crack the RSA encryption, and then I'll have some money. That'd be cool, might be worth millions by then.

1:22:02 - Leo Laporte
It absolutely could because, as I covered, you were on vacation when Tom and I did the Bitcoin.

1:22:14 - Steve Gibson
The intro to Bitcoin.

1:22:15 - Leo Laporte
Yeah, yeah, the whole podcast was on the topic of the Bitcoin blockchain, yeah, and I explained how it worked and how the number of Bitcoins was asymptotically approaching a limit. It was designed-in scarcity, which is the reason we've seen what's happened happen. Yeah, I should have taken my own advice. Oh, Steve, I've been waiting to gain sufficient experience with a new-to-me sci-fi author before mentioning my recent science fiction reading enjoyment. As I mentioned at the top of the show, I don't remember if it was before we began recording or not, I took ChatGPT up on its advice about other authors who were similar to those whose novels I previously enjoyed, more often than you know. Sometimes I've enjoyed them more than once.

As we recall, ChatGPT not only produced a list of recommendations, but among those were others of my favorites that I had never mentioned or didn't ask about in that proposal to ChatGPT, and, being cautiously suspicious of AI, we wondered whether ChatGPT might have previously ingested my own published sci-fi reading list or even the transcripts of this podcast. Who knows how it came up, but it did suggest others that I had already read. But, in any event, I obtained a handful of new author recommendations. Since I had seen Neal Asher's name around a lot, I purchased a copy of Gridlinked, and I do mean purchased. It wasn't offered as part of the Kindle Unlimited plan, which I subscribe to. Everything else I've been reading recently has been. But given that inflation has jacked the price of... Leo, a five-shot Starbucks venti latte is $9.50.

1:24:24 - Steve Gibson
Are there eggs in it?

1:24:27 - Leo Laporte
No, but it's the shot. Somehow espresso got very expensive.

1:24:33 - Steve Gibson
We ate at the Waffle House in Tucson.

1:24:35 - Leo Laporte
There's a 50-cent-per-egg surcharge, so everything's more expensive these days. Wow. Anyway, paying $7 for a novel that will give me weeks of true enjoyment...

1:24:49 - Steve Gibson
It works for me, and you're supporting the arts, you're supporting creativity. Yes, that's good. Yes, thank you. That's a good point too. Buy stuff, yeah.

1:24:55 - Leo Laporte
But the novel's got to be good. Remember that awful thing that I tried writing, or tried reading, where the first sentence was "the starship Ziggawatt dropped into orbit"?

1:25:12 - Steve Gibson
Immediately. I dropped those immediately. No, no, not Ziggawatt. Not Ziggawatt dropped into orbit.


1:25:16 - Steve Gibson
Not Ziggawatt no.

1:25:18 - Leo Laporte
I started with Gridlinked because it was Asher's early work and I prefer to start at the beginning of an author's work. But if the critics on Reddit know what they're talking about, this five-novel series, of which Gridlinked is the first, pales in comparison to Asher's later work. Someone who finished Gridlinked asked on Reddit whether the other four in the series were worth reading, and someone replied, quote, I think he was finding his feet in the Polity universe with Gridlinked. They said his following works are miles ahead. Keep at it, you won't be disappointed. Well, that sounds great to me, because I'm already not disappointed. You know, I mentioned that I seem to be quite sensitive to an author's ability to write. You know, it's not just the plot and the characters for me. They need to be able to express themselves, and this Neal Asher really can. It is a little disturbing that Brits spell ass, as in someone's rear, arse. It's like, that's okay. It's like, do you actually say arse?

1:26:38 - Steve Gibson
Yeah, it's like, that's okay. That's like, do you actually print? Yeah, do you say arse? Yeah, they say arse, you do. I don't think it's a different spelling. I think it's just a different way of saying it. No, it is A-R-S-E. Yeah, yeah, no, I know, but I mean, I think it's just another. I don't think it replaces. Well, I don't know, we don't need to get deep into this.

1:26:53 - Leo Laporte
Anyway, Goodreads described Gridlinked by writing: Gridlinked is a science fiction adventure in the classic fast-paced, action-packed tradition of Harry Harrison and Poul Anderson, with a dash of cyberpunk and a splash of Ian Fleming added to spice the mix. Ian Cormac is a legendary Earth Central Security agent, the James Bond of a wealthy future where runcibles, matter transmitters controlled by AIs, allow interstellar travel in the blink of an eye throughout the settled worlds of the Polity. Unfortunately, Cormac is nearly burnt out, having been gridlinked to the AI net for so long that his humanity has begun to drain away. He has to take the cold turkey cure and shake his addiction to having his brain on the net. Okay, now it's a bit freaky that Neal Asher wrote about net addiction and the tendency to lose one's humanity through being overconnected back in 2001, 24 years ago, when this book was first published. So anyway, I'm not going to say much more other than I'm now 67% through the second of the five-book series and I am really enjoying them. And in fact I've been reading the second book since I saw that sort of, like, you know, pooping on his work stuff over on Reddit, and being willing to be more critical of it, I really like it. I'm sorry, I like it. So what's really interesting is that this particular Polity universe is run by dispassionate AIs because humans cannot be trusted to wield such power. Basically, the people said, okay, you know, sorry, politics corrupts, so we're just going to turn this over to AIs because, you know, we can't be trusted with it. Within the Polity, life is sweet and orderly, with no crime, and everyone has something interesting to do. So what it reminded me of is Star Trek's Federation of Planets. Remember, there isn't even any currency anymore. You just do things that are good.
So of course, there are those who chafe under the bit of authority and who prefer the freedom of, that is, anarchy. So there's plenty of adventure and war and opportunity to be found out on the fringe, beyond the control of the Polity. Anyway, mostly, Neal Asher can write, and I think he's a terrific storyteller. I will definitely keep paying $7 each for the next three books, and, given the Reddit comments about Neal's follow-on works, and there's like 15 of them at least, I mean, he's been very prolific because he started writing in 2001 and he's been going steadily, you know, I'm going to be very glad that I took ChatGPT up on its suggestions for similar authors. And I have one piece of listener feedback, because I had so much that I wanted to share about the Chrome Web Store.

But surely if you configure DNS over TLS in your browser, you will miss out on the caching performed by any of the more local DNS resolvers, such as the one in your router. Wouldn't it be better to use DNS over TLS in the router, thus hiding your DNS queries from your ISP but getting the advantage of cached lookups other people on the same LAN have performed? So Bob is 100% correct. Of course, in all of our discussion I had not mentioned that if a user configures their local web browser to use any form of encrypted DNS service, which seems to be the way things are evolving, some local caching, for example by the local router if it does DNS caching, although a lot of them don't, would be lost. The flip side of this is that the emerging DNS benchmark code which I'm working on continues to show that once a TCP and TLS connection have been negotiated and brought up, which browsers typically do once per page...

The individual flurry of DNS lookups being offered by the internet's major providers over those encrypted TLS connections are actually being resolved faster by them than, for example, by my own ISP's local resolvers. So, as we, I mean, it's like it's still faster to do it. As we noted last week, this might be due to the fact that encrypted DNS servers are still lightly loaded, because the use of DNS over TLS or DNS over HTTPS is still the exception by far more than the rule, but I'm going to be very interested to learn what everyone else discovers once the benchmark can, you know, start to be more widely used. So okay, um, Leo, our last break, and then we're gonna dig into the really information-packed posting by somebody who knows the Chrome Web Store inside and out. Okay, I'm excited.

1:32:55 - Steve Gibson
Well, no, that would be a lot. I am anticipating with great interest, how about that? Our show today, I mean, it's good stuff. I'm not saying it's bad stuff, I'm just, it's not, I'm not like jumping up and down with excitement for it, I just want to hear it.

I get it, thank you, Leo, for clarifying that. Our show today brought to you by Bitwarden, the trusted leader in passwords, secrets and passkey management, with over 10 million users. This really makes me happy. I've been a Bitwarden fan since they were a lot smaller. An open source project deserves all the success it gets. 10 million users, 180 countries, 50,000 business customers worldwide. I bet you didn't know that. I think people don't realize Bitwarden is a great enterprise solution. In fact, Bitwarden has entered 2025 as the essential security solution for organizations of all sizes. Consistently ranked number one in user satisfaction by G2, recognized as a leader in SoftwareReviews' Data Quadrant, Bitwarden continues to protect businesses as well as individuals worldwide, and part of it is because Bitwarden pays a lot of attention to the features businesses want. But also they pay attention to us users. For instance, they just announced the general availability of Bitwarden's apps for iOS and Android. You may say, well, wait a minute, they've been there forever. Yes, but this is their first native mobile applications. That means faster load times, improved overall app functionality and, of course, they are exactly matched to the platform, iOS and Android, so they're a much more intuitive user experience. They really look nice. Plus, the deeper hardware integration, especially on iOS, means that you've got biometric authentication, multi-device support, so it's actually more secure.

Bitwarden has strengthened its password manager with SSH now. Now, this is a big issue. How many times, maybe you've done it, I think I have, have you accidentally committed your SSH private keys, let's say, to a GitHub repository? 90% of authorized SSH keys in large organizations actually go unused, and how often are they accidentally shared? So now there is SSH key generation and management right inside Bitwarden. So you've got centralized cryptographic key management enabling secure storage, import and, yes, generation of SSH keys directly within the Bitwarden vault. I actually have in my Notion a long list of the steps to take to generate new SSH keys, where to put the private keys, how to protect the directory, where to upload the public keys and all of that. Now it's all handled by Bitwarden, which really enhances workflows for developers, IT professionals, anybody who uses SSH.

I think that what sets Bitwarden apart is it's prioritizing simplicity, because they know you're not going to use a security solution if it's hard or unintuitive. Right? Bitwarden's setup only takes a few minutes. If you migrate at work, you'll see they support importing from most password management solutions, or even as an individual. And, of course, as always, Bitwarden's source code is open source. Anyone can inspect it, and it's regularly audited by third-party experts and they publish the full report. So absolute transparency. Your business deserves a cost-effective solution for enhanced online security. So see for yourself.

Get started today with Bitwarden's free trial of a Teams or Enterprise plan. But, you know, I'm an individual, I use it as an individual, and I'm sure you're all using some sort of password manager. Consider Bitwarden. And then if you've got friends and family, we all do, who say, oh, I don't need a password manager, I'm just going to use my mother's maiden name and my dog's birthday, get them to use Bitwarden. You can tell them it's free because it's open source, free forever across every device. Unlimited passwords, passkeys, secrets, everything free for individuals. bitwarden.com/twit. And if you're a super geek, you'll be glad to know you can even host your own Bitwarden vault as an individual. bitwarden.com/twit. It's a really great solution. We're very proud to have them as a sponsor for so many years. All right, Steve, I am, uh, I'm now excited.

1:37:39 - Leo Laporte
I'm excited, intrigued, interested, uh, I am, uh, thrilled, thrilled, I tell you. Through this, yes. Um, okay, as I said, Chrome Web Store is a mess is the exact title someone who should know gave to a recent blog posting of his a few weeks ago: Wladimir Palant. His posting caught my eye both due to his pedigree and due to the importance of his message. Anyone who's been following this podcast for more than a few years could probably reduce the number of major security trouble sources to a high single digit, and among those most important would be the security of web browser extensions, because web browsers are the way we interface to the internet and the rest of the world. So much, you know. Extensions to the basic functionality of our web browsers have been with us since nearly the beginning, and 20 years ago, back when there was much less to do on the Internet, the security of an add-on was much less critically important. In fact, the very first extensions didn't have any security. Mozilla created an extension mechanism and you really needed to trust the source of that code completely. But every year since then, more and more of our lives have moved online. This has meant that the overall security and privacy offered by the web browsers we use to interact with the internet has become increasingly important, and no one who has listened to more than a couple of this podcast's episodes could entertain any doubt that, disheartening though it might be, the world is apparently filled with an astonishing number of total strangers who would hurt us without a second thought to obtain any advantage.

Several times in recent weeks, I focused our attention upon the security and privacy issues surrounding web browser add-ons. Sadly, there are many, so when I saw that Wladimir Palant had taken the time to push back a bit from the entrails of specific add-ons to survey the larger picture, I knew that was something I wanted to share. Earlier I mentioned Wladimir's pedigree, but his name may not ring any bells right off, so here's how he explains himself on his blog site. He writes: One particularly well-known project of mine is Adblock Plus, which I originally developed. Eventually, I co-founded eyeo, a company to take care of this project. I'm still developing the browser extension PfP, Pain-free Passwords, while my other extensions have become obsolete over time. My writing is meant to help people learn, so I aim to provide information on both how vulnerabilities can be found and how they can be prevented in your own code. I won't merely discuss security issues, but also try to draw generic conclusions from those and give recommendations. Despite researching security topics since at least 2007, I still do it as a hobby rather than my job.

I experimented with earning money via bug bounty programs, which resulted in acceptable income. However, other aspects eventually turned me away from bug bounties. In particular, I want to write about my research and don't want to be prevented from it by a company taking years to fix an issue. In other words, he was becoming annoyed that, after finding and reporting some problem and being paid for his responsible disclosure, the bug bounty agreement would require that he never reveal anything about the problem until after it had been fixed. This differs, of course, from unpaid security researchers who are able to set 90-day fix-it-before-we-publish-it deadlines. So Wladimir was becoming annoyed that bugs were being purchased and he was being effectively gagged when he wanted to be able to document the problems and use them as illustrative teaching examples. In any event, here's a highly technical developer who created one of the earliest and most popular and successful privacy extensions, who has been at this for more than 22 years. So when this guy titles his blog posting Chrome Web Store is a mess, I want to understand why he thinks so. Wladimir wrote:

Let's make one thing clear first. I'm not singling out Google's handling of problematic and malicious browser extensions because it is worse than Microsoft's, for example. No, Microsoft is probably even worse, but I never bothered finding out. That's because Microsoft Edge doesn't matter. Its market share is too small. Google Chrome, on the other hand, is used by around 90% of users worldwide, and one would expect Google to take their responsibility to protect its users very seriously. Right? After all, browser extensions are one selling point of Google Chrome, so certainly Google would make sure they're safe.

Unfortunately, he writes, my experience reporting numerous malicious or otherwise problematic browser extensions speaks otherwise. Google appears to take the least effort required approach towards moderating Chrome Web Store. Their attempts to automate all things moderation do little to deter malicious actors, all while creating considerable issues for authors of legitimate add-ons. Even when reports reach Google's human moderation team, the actions taken are inconsistent, and Google generally shies away from taking decisive actions against established businesses. As a result, for a decade, my recommendation for Chrome users has been to stay away from Chrome Web Store if possible. Again, he writes: As a result, for a decade, my recommendation for Chrome users has been to stay away from Chrome Web Store if possible. He said: Whenever extensions are absolutely necessary, it should be known who is developing them, why, and how the development is being funded. Just installing some extension from Chrome Web Store, including those recommended by Google, as we'll see, or featured, is very likely to result in your browsing data being sold or worse. Google employees will certainly disagree with me. Sadly, much of it is organizational blindness. I'm certain, he says, that Google meant well and that they did many innovative things to make it all work, but looking at it from the outside, it's the result that matters, and for the end users, the result is a huge and rather dangerous mess.

Okay, so some recent examples. He said: Five years ago, I discovered that Avast browser extensions were spying on their users. That was he who discovered this. Remember, we covered that at the time. It was a big deal. It's this guy who made the discovery, which may be why his name is at least somewhat familiar to some of us. He continues: Mozilla and Opera disabled the Avast browser extension listings immediately, he says, after I reported it to them. Google on... says, quote: Building and maintaining user trust in Chrome Web Store is paramount, which means we set a high bar for developer transparency. All functionalities of extensions should be clearly disclosed to the user, with no surprises. This means we will remove extensions which appear to deceive or mislead users, enable dishonest behavior, or utilize clickbaity functionality to artificially grow their distribution. Okay, so he says, so when dishonest behavior from extensions is reported today, Google should act immediately and decisively. Right? Let's take a look at two examples that came up in the last few months. In October, he says, I wrote about the Refoorest extension deceiving its users.

I could conclusively prove that Colibri Hero, the company behind Refoorest, deceives their users on the number of trees they supposedly plant, incentivizing users into installing with empty promises. In fact, there is strong indication that the company never even donated for planting trees beyond a rather modest one-time donation. Google got my report and dealt with it. What kind of action did they take? That's a very good question that Google won't answer. But Refoorest is still available from Chrome Web Store, it is still featured, and it still advertises the very same, completely made-up numbers of trees they supposedly plant. Google even advertises for the extension, listing it in the Editor's Picks extensions collection, probably the reason why it gained some users since my report. So much for being honest. For comparison, Refoorest used to be available from Firefox Add-ons as well, but was already removed when I started my investigation. Opera removed the extension from their add-on store within hours of my report. But maybe that issue wasn't serious enough. After all, there's no harm done to users if the company is simply pocketing the money they claim to spend on a good cause.

So also in October, I wrote about the Karma extension spying on users. Users are not being notified about their browsing data being collected and sold, except for a note buried in their privacy policy. Certainly, that's identical to the Avast case mentioned before, and the extension needs to be taken down to protect users. Again, Google got my report and dealt with it, and again, I failed to see any result of their action. The Karma extension remains available on Chrome Web Store unchanged. It will still notify their server about every web page its users visit. The users still aren't informed about this, yet their Chrome Web Store page continues to claim... a statement contradicted by the extension's own privacy policy. The extension appears to have lost its featured badge at some point, but now that's back. Note: Of course, Karma isn't the only data broker that Google tolerates in Chrome Web Store. I published a guest article today by a researcher who didn't want to disclose their identity, explaining their experience with BI Science Limited, a company misleading millions of extension users to collect and sell their browsing data. This post also explains how Google's approved use cases effectively allow pretty much any abuse of users' data.

Neither Refoorest nor Karma were isolated instances. Both recruited or purchased other browser extensions as well. These other browser extensions were turned outright malicious, with stealth functionality to perform affiliate fraud and/or collect users' browsing history. Google's reaction was very inconsistent here. While most extensions affiliated with Karma were removed from Chrome Web Store, the extension with the highest user numbers, and performing affiliate fraud without telling their users, was allowed to remain for some reason. With Refoorest, most affiliated extensions were removed or stopped using their Impact Hero SDK. Yet when I checked more than two months after my report, two extensions from my original list still appeared to include that hidden affiliate fraud functionality, and I found seven new ones that Google apparently didn't notice.

As for the reporting process, you may be wondering, if I reported these issues, why do I have to guess what Google did in response to my reports? Keeping developers who report in the dark is Google's official policy, and he quotes a pop-up that he received that says: Hello developer, thank you again for reporting these items. Our team is looking into the items and will take action accordingly. Please refer to the possible enforcement actions and note that we are unable to comment on the status of individual items. Thank you for your contributions to the extensions ecosystem. Sincerely, Chrome Web Store Developer Support. In other words, you explicitly receive no feedback as somebody who reports a problem to the Chrome Web Store. He says: This is the same response I received in November after pointing out the inconsistent treatment of the extensions.

A month later, the state of affairs was still that some malicious extensions got removed, while other extensions with identical functionality were available for users to install, and I have no idea why that is. I've heard before that Google employees are not allowed to discuss enforcement actions, and your guess is as good as mine as to whom this policy is supposed to protect. Supposedly, the idea of not commenting on policy enforcement actions is hiding the internal decision-making process from bad actors so that they don't know how to game the process. If that's the theory, however, it isn't working. In this particular case, the bad actors got some feedback, be it through their extensions being removed or through, you know, adjustments demanded by Google. It's only me, the reporter of these issues, who is left guessing. But this is a positive development. I've received a confirmation that both these reports are being worked on. This is more than I usually get from Google, which is silence and typically also no visible action either, at least until reports start circulating in media publications, forcing Google to then act on it.

But let's take a step back and ask ourselves, how does one report Chrome Web Store policy violations? Given how much Google emphasizes their policies, there should be an obvious way. In fact, there's a support document for reporting issues, and when I started asking around, even Google employees would direct me to it. And he shows a bunch of radio buttons on this, where the radio buttons are "Did not like the content," "Not trustworthy," "Not what I was looking for," "Felt hostile," "Content was disturbing" and "Felt suspicious." And then it's highlighted with: If you find something in Chrome Web Store that violates the Chrome Web Store terms of service or trademark or copyright infringement, let us know. And then those were the radio button options.

But Wladimir notes, he says: This doesn't seem like the place to report policy violations. Even "Felt suspicious" isn't right for an issue you can prove is a violation, he says, and unsurprisingly, after choosing this option, Google just responds with "Your abuse report has been submitted successfully." No way to provide any details, no asking for my contact details in case they have questions. No context whatsoever, merely "Felt suspicious." This is probably fed to some algorithm somewhere, which might result in I don't know what, actually. Judging by malicious extensions where users have been vocally complaining, often for years, nothing whatsoever results. This isn't the way, he says, you know, to do this right.

He says: Well, there's another option listed in the document. If you think an item in the Chrome Web Store violates a copyright or trademark, fill out this form. He says: Yes, Google seems to care about copyright and trademark violations, but a policy violation is neither. If we try the form nevertheless, that is, try to use this form, it gives us a promising selection. We have two options: "Policy," meaning a non-legal reason to report content, or "Legal reasons to report content." He says: Finally, yes, policy reasons are exactly what we're after. Let's click that. And here comes another choice, and there's only one. It's under "Select the reason you wish to report content," and it has a radio button.

Child sexual abuse material: Report images or videos involving a child under 18 engaging in sexually explicit behavior. He says: Well, that's really the only option offered, and I have questions. At the very least, those are: in what jurisdiction is child sexual abuse material a non-legal reason to report content, and since when is that the only policy that Chrome Web Store has? He says: We can go back and try "Legal reasons to report content," of course, but the options available are really legal issues, intellectual property, court orders or violations of hate speech law. So that's another dead end. He says: It took me a lot of asking around to learn that the real and well-hidden way to report Chrome Web Store policy violations is Chrome Web Store One Stop Support. He says: I mean, I get it that Google must be getting lots of nonsense reports and they probably want to limit that flood somehow, but making legitimate reports almost impossible can't really be the way.

In 2019, Google launched the Developer Data Protection Reward Program, DDPRP, meant to address privacy violations in Chrome extensions. Its participation conditions were rather narrow for my taste. Pretty much no issue would qualify for the program, but at least it was a reliable way to report issues, which might even get forwarded internally. Unfortunately, Google discontinued this program in August of 2024. It's not that I'm very convinced of DDPRP's performance. I've used that program twice. First time, I reported Keepa's data exfiltration. DDPRP paid me an... scope for the program but forwarded internally. The extension was then removed quickly, but that might have been due to the media coverage it received. The benefit of the program was that it was a documented way of reaching a human being at Google who would look at a problematic extension. Now it's gone.

And what about the Web Store and their spam issue? He says: In theory, there should be no spam on Chrome Web Store. The policy is quite clear on that, quote: We don't allow any developer, related developer accounts, or their affiliates to submit multiple extensions that provide duplicate experiences or functionality on the Chrome Web Store. That's what Wladimir considers spam, spamming the store with essentially identical apps. He says: Unfortunately, this policy's enforcement is lax at best.

Back in June of 2023, I wrote about extensions belonging to a single cluster, pointing out their spamming in particular: 13 were almost identical video downloaders, nine almost identical volume boosters, nine almost identical translation extensions, five almost identical screen recorders, definitely not providing individual value. He said, I've also documented the outright malicious extensions in this cluster, pointing out that other extensions are likely to turn malicious as well once they have sufficient user counts. And how did Google respond? The malicious extensions have been removed, yes, but other than that, 96 extensions from my original list remained active in January 2025, and there were, of course, more extensions that my original report did not list. For whatever reason, Google chose not to enforce their anti-spam policy against them, and that's merely one example. My most recent blog post documented 920 extensions using tricks to spam Chrome Web Store, most of them belonging to a few large extension clusters. As it turned out, Google was made aware of this particular trick a year before my blog post already, and again, for some reason, Google chose not to act.

What about extension reviews? Can they be trusted? When you search for extensions in Chrome Web Store, many results will likely come from one of the spam clusters, but the choice to install a particular extension is typically based on reviews. Can at least these reviews be trusted? On the topic of moderation of reviews, Google says: Google does not verify the authenticity of reviews and ratings, but reviews that violate our terms of service will be removed. And the important part of the terms of service, he writes, is: your review should reflect the experience you've had with the content or service you're reviewing.

Do not post fake or inaccurate reviews, the same review multiple times, reviews for the same content from multiple accounts, reviews to mislead other users or manipulate the rating, or reviews on behalf of others. Do not misrepresent your identity or your affiliation to the content you're reviewing. Now you may be wondering how well these rules are being enforced. The obviously fake review on the Karma extension is still there three months after being posted. Not that it matters with their continuous stream of incoming five-star reviews, he says. A month ago, I reported an extension to Google that, despite having merely 10,000 users, received 19 five-star reviews on a single day in September and only a single negative review since then, he says. I pointed out that it is a consistent pattern across all extensions of this account. For example, another extension with only 30 (three zero, 30) users received nine five-star reviews on the same day. It really doesn't get any more obvious than that. Yet all these reviews are still online. I actually, for what it's worth, have a picture of them.

Sophia Franklin, September 29th 2024, five stars: Solved all my proxy switching issues, fast, reliable and free. Robert Anthony, same day, September 19th 2024, five stars: Very user-friendly and efficient for managing proxy profiles. Liz Berry: Works like a charm! A must-have for anyone using multiple proxies. Godwin Max: No more digging through settings. This extension makes proxy switching so much easier. Five stars. Also Anthony Brookley, five stars, September 19th, all of these the same day: Excellent proxy tool, flexibility, perfect for my needs. Going Kate, five stars: Smooth performance and no issues switching between different proxies. Datie Max: Makes proxy management hassle-free, simple and effective. Wow.

So I have a lot to say in reaction to what Vladimir is observing and reporting, but I'm holding that for a minute until he's finished. Still, I wanted to note, and I hear you laughing and chuckling, Leo, in the background, I understand, I want to note that the automated cleanup of clearly bogus reviews would be trivial to implement. Vladimir is made suspicious when an extension with 30 users acquires nine five-star reviews all on the same day. Right, one wonders whether they were all posted from different accounts at the same IP address. Google would know. But even if not, the fraudulent pattern is glaringly obvious. And remember that it's more than likely that this conduct is also reflected in the operation of the extension itself. Someone who's unwilling to honestly earn a reputation for their extension is more likely to have ulterior motives for creating it in the first place. So if Google were to automate extension review cleanup, which again would be trivial for them to do, they would be reducing the damage being done through the fraudulent overpromotion of less savory extensions. Because no trivial cleanup is happening,

we need to wonder whether review spamming may be something Google doesn't mind, despite the policy publicly posted to the contrary. And they don't mind it even if it's actually clearly hurting Chrome's users, because it's the spammy reviews that are going to have the unsavory actions against their users, selling their browsing histories. Vladimir says: And it isn't only fake reviews. The Reforest extension incentivizes reviews, which violates Google's anti-spam policy, which says developers must not attempt to manipulate the placement of any extensions in the Chrome Web Store. This includes, but is not limited to, inflating product ratings, reviews or install counts by illegitimate means, such as fraudulent or incentivized downloads, reviews and ratings. He says it's been three months and they're still allowed to continue.

The extension gets a massive amount of overwhelmingly positive reviews. Users get their fake trees and everybody is happy, well, other than the people trying to make sense of these meaningless reviews. With reviews being so easy to game, it looks like lots of extensions are doing it. Sometimes it shows as a clearly inflated review count. Sometimes it's the overwhelmingly positive or meaningless content. At this point, any user rating with an average above four stars is likely to have been messed with, he said.

What about featured extensions? He said, but at least the featured badge is meaningful, right? It certainly sounds like somebody at Google reviewed the extension and considered it worthy of carrying the featured badge. At least Google's announcement indeed suggests a manual review. They say Google team members manually evaluate each extension before it receives the badge, paying special attention to the following. We've got two points. First, adherence to Chrome Web Store's best practices guidelines, including providing an enjoyable and intuitive experience, using the latest platform APIs and respecting the privacy of end users. And second, a store listing page that is clear and helpful for users, with quality images and a detailed description, he says.

Yet, looking through 920 spammy extensions I reported recently, most of them carry the featured badge. Yes, even the endless copies of video downloaders, volume boosters, AI assistants, translators and such, if there's an actual manual review of VPN extensions all to the PDF Toolbox cluster which was removed from Chrome Web Store in 2021. And they also don't even work. No VPN connections succeed. The extension not working is something users of Nucleus VPN complained about, which the extension compensated for by loading it up with fake reviews. And again, all of these carry the featured extension badge. So it looks like the main criteria for awarding the featured badge are the things which can be easily verified automatically, like user count,

Manifest V3, claims to respect privacy (not even the privacy policy, merely the right checkbox was checked), and a Chrome Web Store listing with all the necessary promotional images. Given how many such extensions are plainly broken, the requirements on the user interface and general extension quality don't seem to be too high, and providing unique functionality definitely is not on the list of criteria. In other words, if you're a Chrome user, the featured badge is completely meaningless. It's no guarantee that the extension is not malicious, not even an indication. In fact, authors of malicious extensions will invest some extra effort to get the badge.

2:13:05 - Steve Gibson
That's because the website algorithm seems to weigh the badge considerably towards the extension's ranking. We will get back to the thrilling, gripping story of the Chrome extension mess in just a second with Steve, but first a word from our sponsor. This episode of Security Now, this portion, is brought to you by Vanta, V-A-N-T-A. Trust is not just earned, it's demanded. Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or more complex, but Vanta makes it easy. Businesses use Vanta to establish trust by automating compliance across over 35 frameworks, including SOC 2 and ISO 27001. Vanta will help you centralize security workflows, complete questionnaires up to five times faster and proactively manage vendor risk. Vanta can help you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on what you really care about: building your company.

You've got to get the compliance done, though, right? That's why over 9,000 global companies, like Atlassian, Quora and Factory, use Vanta to manage risk and prove security in real time. For a limited time, you get $1,000 off Vanta right now, but you have to go to vanta.com/securitynow. That's vanta.com/securitynow, $1,000 off. I love their slogan. I see it every time I go up and down Highway 101 in Silicon Valley: Vanta, compliance that doesn't suck too much. vanta.com/securitynow. Thank you, Vanta, for supporting the show. You support us by using that address so that they know you saw it here.

2:15:15 - Leo Laporte
So, finally, how did Google get into this mess? Google Chrome, he writes, first introduced browser extensions in 2011. At that point, the dominant browser extensions ecosystem was Mozilla's, having been around for 12 years already. Mozilla's extensions suffered from a number of issues that Chrome developers noticed. Essentially, unrestricted extension privileges necessitated very thorough reviews before extensions could be published on Mozilla's add-ons website. And since these extension code reviews largely relied on volunteers, they often took a long time, with publication delays being very frustrating to the add-on developers, he says. Note that I was an extension reviewer on Mozilla add-ons myself between 2015 and 2017.

He says Google Chrome was meant to address all these issues. It pioneered sandboxed extensions, which allowed limiting extension privileges, and Chrome Web Store focused on automated reviews from the very start, relying on heuristics to detect problematic behavior in extensions, so that manual reviews would only be necessary occasionally and after the extension was already published. And, of course, I remember we talked about all of these things when Chrome first happened on this podcast, because it was during the podcast that this all happened. He says, eventually, market pressure forced Mozilla to adopt largely the same approaches. He says, a set of rules to make manual reviews possible. For example, all code should be contained in the extension, so no downloading of extension code from web servers remotely. Also, reviewers had to be provided with an unobfuscated and an unminified version of the source code. Google didn't consider any of this necessary for their automated review systems, so when automated review failed, manual review was often very hard or even impossible. You couldn't fall back. He says it's only with the recent introduction of Manifest V3 that Chrome finally prohibits remotely hosted code. In other words, until then, an extension could just download whatever it wanted. Afterwards, he says, it took until 2018 to prohibit code obfuscation, while Google's reviewers still have to reverse minification for manual reviews. He says, mind you, we're talking about policies that were already long established at Mozilla when Google entered the market in 2011.

And extension sandboxing, while without doubt useful, didn't really solve the issue of malicious extensions. I already wrote about this, about one issue, back in 2016. He says, quoting himself, the problem is useful extensions will usually request "give me the keys to the kingdom" permissions, so these permissions always need to be granted. Essentially, this renders permission prompts useless. Users cannot possibly tell whether an extension has valid reasons to request extensive privileges. So legitimate extensions have to constantly deal with users who are confused about why the extension needs to, quote, read and change all your data on all websites, unquote. Eventually, users become desensitized and trained to simply accept such prompts without thinking twice. And then malicious add-ons come along requesting extensive privileges under a pretense. Get this: monetization companies put out guides for extension developers on how they can request more privileges for their extensions while fending off complaints from users and Google alike.

There's a lot of this going on in the Chrome Web Store, and Manifest V3 is unable to change anything about it. So what we have now is: one, automated review tools that malicious actors willing to invest some effort can work around. Second, lots of extensions with the potential for doing considerable damage, yet little way of telling which ones have good reasons for that and which ones abuse their privileges. Third, manual reviews being very expensive and unreliable thanks to historical decisions. And finally, fourth, massively inflated extension count due to unchecked spam. Those last two, manual reviews being very expensive and unreliable thanks to historical decisions and massively inflated extension count due to unchecked spam, he says, further trap Google in the "it needs to be automated" mindset, because, after all, you know, there are 135,000 extensions now and they've completely lost control, he says. Yet adding more automated layers isn't going to solve the issue when there are companies which can put a hundred employees on devising new tricks to avoid triggering detection. He says, yes, hundreds of employees, because malicious extensions make a lot of money and are big business.

So what could Google do? If Google were interested in making Chrome Web Store a safer place, I don't think there is a way around investing considerable manual effort into cleaning up the place. Taking down a single extension won't really hurt the malicious actors. They have hundreds of other extensions in the pipeline. Tracing the relationships between extensions, on the other hand, and taking down entire clusters, that would change things. As the saying goes, the best time to do this was a decade ago. The second best time is right now, when Chrome Web Store, with its somewhat less than 150,000 extensions, is certainly large, but not yet large enough to make manual investigations impossible. Besides, there's probably little point in investigating abandoned extensions, those whose latest release is more than two years ago, which make up almost 60% of the Chrome Web Store. And he finishes: But so far, Google's actions have been entirely reactive, typically limited to extensions which already caused considerable damage. I don't know whether they actually want to stay on top of this. From the business point of view, there is probably little reason for that. After all, Google Chrome no longer has to compete for market share, having essentially won against all competition. Even with Chrome extensions not being usable, Chrome will likely stay the dominant browser.

Okay, so, as we so often observe on this podcast, it's certainly useful to tell someone, as I noted at the top, to be careful when they may be considering some action that might have negative consequences for them, but at least for me, if I'm told not to do something, in order to really accept that, I want to understand why. I want to understand exactly why something would be bad for me. You know, actually, I think that's why I grew up to respect my father. He was an explainer, so I suppose I come by that honestly. That's where you got it. Huh, yeah. His explaining approach always made so much sense to me because, armed with an understanding, no one needs to tell me anything about what to do or not to do, since I'm able to judge that for myself.

So in the case of Google Chrome Web Store extensions, I'm not going to tell anyone not to download and install extensions they feel they need. Rather, everyone who's reached this point in today's podcast is now fully equipped to judge for themselves whether anything that's there may be worth their time. It would be great if Google were able to function as a reliable curator of the 135,000 Chrome Web Store extensions that are currently available for download. We now absolutely know that, for whatever reason, they are unable and/or unwilling to do so, so we're individually on our own, knowing all the things that are wrong: rampant spamming of code-identical extensions under different names, the return of previously removed hostile extensions under different names, an essentially broken extension permissions system, totally bogus five-star reviews, conscientious developer reports going completely unheeded, featured extensions having no additional value whatsoever, and more. You know, the title Vladimir gave to his extremely informative blog posting, Chrome Web Store is a Mess, seems entirely fitting.

I author these show notes in Google Docs every week, so I'm in a web browser while I'm writing this, and at one point while I was writing this yesterday, I looked up at the top of my browser with the intention to enumerate the browser extensions I'm using. Then I realized with a smile that none of this applies to me, since I don't use Chrome at all. I'm happily using Firefox, where the full-strength uBlock Origin still continues to work. While I'm sure that many of the same issues plague Mozilla's extension repository, Vladimir's comments did indicate that Mozilla and Opera may have been far more responsive to abuse reports, and that's important. If nothing else, it's Chrome that has by far the largest market, well, the largest target painted on its back. In this case, I'd rather stick with an also-ran browser, where the browser I'm using is not as big a target as Chrome.

2:26:37 - Steve Gibson
Yeah, and I think also it's probably the case that if you stick to a handful of well-known extensions, you're okay. I mean, look at the dopey extensions he's talking about.

2:26:49 - Leo Laporte
Privacy Badger uBlock Origin.

2:26:59 - Steve Gibson
Obviously, I'm on Arc, which is a Chromium derivative, so I am using Chrome extensions, but I stick, I mean, I guess it's always possible. I have Bitwarden. That's safe. Of course, Kagi.

2:27:12 - Leo Laporte
Search. That's safe.

2:27:14 - Steve Gibson
Raindrop.io, Snowflake, which I forgot I put on here. That's cool. That's the Tor reflector. And uBlock Origin. I think they're probably all fine. Yes, I don't need a browser extension to set my proxies.

2:27:32 - Leo Laporte
And Leo, it's not clear you could even get one. Yeah. There may not be one that actually does that.

2:27:40 - Steve Gibson
I'm actually much more concerned, and it's true that this is a problem in apps as well, with malicious SDKs that either used to be okay and have been co-opted, or always had a little bit of... Supply chain attacks, yeah. I mean, there's so many of those, and so many develop...

Very few developers write all their code. Almost all apps, and I'm sure all extensions too, use libraries and other SDKs that could well be malicious. That's why you've got to use stuff that's trusted. Steve, once again, another fabulous episode of Security Now. Thank you so much.

We do this show every Tuesday, so you can watch us live if you want, and it's always nice to have some live viewers. We are on eight different platforms, including Twitch, X.com, TikTok. We're on Facebook, we're on LinkedIn, we're on Kick and, of course, for our club members, we're on Discord. We do the show Wednesdays, right after, I'm sorry, Tuesdays, right after MacBreak Weekly, so that's around 1:30 to 2 PM Pacific, 5 PM Eastern, 2200 UTC. You can watch it on those live streams. After the fact, of course, you'll get the edited version. You won't get all that good pre-show stuff, though, I've got to tell you, but at least you can listen at your leisure.

Steve's got a couple of unique copies on his website, of course. He has the show notes at GRC.com. Those are fantastic. He also has human-crafted, not AI written, but human-crafted transcriptions, which is very handy. You could read along as you're listening, which I think really helps with comprehension. I do that on your show notes. You could see a picture of the picture of the day and all of that stuff. He also has a 64-kilobit audio version that's half the size of our normal audio version, 128k, and he has an even smaller, 16-kilobit audio version. So all of that at GRC.com, Steve's website.

While you're there, don't forget to pick up a copy of SpinRite, the world's best mass storage maintenance, recovery and performance-enhancing utility. 6.1 is out now. It's official. It is Steve's bread and butter and is well worth the money. If you have any mass storage, you really should have Security, I'm sorry, you should really have SpinRite. You should also have Security Now. Absolutely. Lots of other great stuff on the website. And if you want to correspond with Steve, you have to first validate your email address at grc.com/email. Enter your address. He'll, you know, validate somehow, magically validate that you're a real person. There's also a place there you could check the check boxes for two of his newsletters. He has the show notes newsletter. You can get that ahead of time. And what's the other one? I don't know. You send out two, right? Am I

2:30:23 - Leo Laporte
wrong. Oh yeah, well, it's super low traffic. It's GRC's news. Ah, so it won't be until the DNS benchmark is ready.

2:30:32 - Steve Gibson
But if you want a heads up about that, that's worth subscribing to. But again, those are not checked by default. You have to opt in at grc.com/email. You can get a copy of our 128-kilobit audio or our video at our website, twit.tv/sn. There is a YouTube channel dedicated to Security Now. Great way to share clips of the show. Tell your boss, you know, we really ought to get this, or whatever. And then you can, of course, subscribe, and that's probably the best way to get it. That way, you're all set for your Wednesday morning with your Security Now ready in the phone to listen to Steve. Have a wonderful week. I will see you next week on Security Now.

2:31:13 - Leo Laporte
I'll be working on the DNS benchmark code. It's coming along, I'm getting ready. Thanks, my friend.
