Security Now 996 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:01 - Leo Laporte
It's time for Security Now. Steve Gibson is here. He realizes, as we all have, that uBlock Origin is the greatest extension ever for your browser. He's come up with some really interesting additional uses for it, top-level domain disappearing, and gets into this whole new thing called BIMI, a new email authentication standard. He even walks us through signing up. It's all coming up next. Podcasts you love from people you trust. This is TWiT. This is Security Now, with Steve Gibson, episode 996, recorded Tuesday, October 15th, 2024: BIMI Up, Scotty. It's time for Security Now, the show where we cover your security, your privacy, your safety, the internet, science fiction and anything Steve wants to talk about. Vitamin D.
This guy right here, Steve Gibson of GRC.com. Hi, Steve.
0:01:13 - Steve Gibson
Leo, it's great to be with you Middle of October. Is there a chill?
0:01:18 - Leo Laporte
in the air in beautiful Irvine.
0:01:20 - Steve Gibson
Three weeks from now, there may be a chill in the air.
0:01:23 - Leo Laporte
Oh jeez, don't bring that up. Oy, you know how much anxiety I have over November 5th. I can feel it the pit of my stomach. Yeah, it's going to be really fun. We will either be cheerful on Wednesday or not.
0:01:40 - Steve Gibson
I'm a spectator. I have no control.
0:01:42 - Leo Laporte
We're both in California, so nothing we do really, we don't really get a choice, and that's really isn't that annoying.
0:01:48 - Steve Gibson
Yes, it's like yeah, they're just focusing on three or four states and those are the ones who on the other hand, I don't miss all the ads that those poor people in those states are getting buried by.
0:01:59 - Leo Laporte
I don't know about you, but I am buried by text messages, five or six a day now. Do you not get a lot?
0:02:05 - Steve Gibson
of campaigning? Lorrie made the mistake of giving money once.
0:02:08 - Leo Laporte
And O-M-G yeah, I donated money, so that's why I'm on the list. They never forget you.
0:02:14 - Steve Gibson
They come back and say well, if we got five bucks, there's going to be another five available.
0:02:19 - Leo Laporte
And it's always an emergency. Oh yeah, it's always panicking emergency.
0:02:27 - Steve Gibson
Oh yeah, it's always panicking it's end of end of the world. Yeah, you know. Do you have your snorkel to fill?
0:02:30 - Leo Laporte
your bathtub with water and it's kind of amazing and drown yourself oh my god it's. It has literally made my text messaging unusable for the past months.
0:02:38 - Steve Gibson
Yeah, uh and I just think about how the mailman feels, too suddenly they had to increase the size of the trucks in order to get all of those ridiculous. He's bad, he's good, he's bad, he's good, she's bad, she's good. Oh, it's like, oh really.
0:02:56 - Leo Laporte
It's actually a windfall for both the Postal Service and your local news and TV and radio stations, because all the political spending goes right into them. And the Postal Service, if it weren't for junk mail, would not exist.
0:03:12 - Steve Gibson
No, and I send every month. I collect my receipts and send them to Sue. It used to be 15 cents, now it's $2.43. Not cheap, so, yikes. Well, I got my ballot. I remember my candy bar Yep 43 cents.
0:03:26 - Leo Laporte
So yeah, you know, yikes. Well, I got my ballot and I'm ready to vote. Yep, yeah, I presume you got yours. Everybody in California gets a mail-in ballot, which is tremendously convenient, and so I've got mine. If you are watching and you are not yet registered or you're not sure, check, make sure you're registered and then get out and vote either by mail now or in person on November 5th.
0:03:45 - Steve Gibson
The good news is that in California the ballots come with the I Voted sticker in them.
0:03:50 - Leo Laporte
Yeah, so I will have mine right on my forehead in three weeks. If you go to vote.org, I believe, I think that's the URL, you can check your registration. They have a little registration checker. In most states you have up to 20 days before Election Day. In many states, you only have a few more days to register. All right, this has been a political announcement. Let's move on to the reason people are here: security. What's up?
0:04:18 - Steve Gibson
this week, so a great deal more this week about uBlock Origin, which it turns out we've pretty much all actually there are some exceptions within our listener base but we've pretty much been underutilizing what it can do.
0:04:36 - Leo Laporte
I liked your emergency email midweek. I did that immediately.
0:04:40 - Steve Gibson
Yes, yes, yes, yes. Everybody who has subscribed to the Security Now email listing received an unplanned mailing. I didn't even plan it, but Saturday morning, when I made this thing work, I thought, oh, I have to share this news: how to easily turn off those increasingly prevalent, and thus annoying when they're unwanted, which they typically are, "Log in with Google" pop-ups. And I think it was because I went to Stack Exchange.
I was doing some coding and I did a Google search. I clicked a link to Stack Exchange. Up it came and I looked at it and I realized, you know, I've been getting so many of these and they are so annoying. And then I thought, wait a minute, we have uBlock Origin. I wonder if it could help. We're going to start by talking about that. Also, the question of will the .io top-level Internet domain be disappearing? There's some talk that it should, but I don't think it should.
Also, last week was Patch Tuesday. What did we learn from that? Firefox had a bad remote code exploit that was being used to attack Tor users on their Firefox-based Tor browser. I realized why the server edition of Windows does not substitute for a desktop. We talked about this a couple of weeks ago and I've been meaning to bring it back up. Today's the day. Also, we're going to look back, thanks to a question or an observation or actually a discovery from one of our listeners, at a fabulous multi-platform puzzle game that we got all hot and bothered over back in 2015. Also, I do have a couple pieces of feedback from that surprise mailing on Saturday. We've got a little bit more on what's the best router. And then I titled today's podcast BIMI Up, Scotty, B-I-M-I. Actually, it's apparently supposed to be pronounced "bih-mee," but I like "bee-mee."
0:07:22 - Leo Laporte
"Bee-mee"? What do you mean, "bee-mee"? You don't wear a "bih-kini." You wear a bikini.
0:07:28 - Steve Gibson
What are you talking about? We're going to answer the question: what in the world is BIMI for email, what it does, what it promises, and if it's going to actually happen. It's trying to.
And then I will end by noting that we're going to talk next week, because it just happened yesterday and I didn't have a chance to get up to speed, about the credential exchange protocol, CXP, for passkeys, which, when implemented, will give us the one thing we've really been needing, which is a means of backing up and transporting passkeys between providers. So, oh, and I didn't get this into the show notes either, I'll talk about it next week too, but all of our listeners started sending me the news that RSA crypto had been broken by Chinese researchers who figured out how to use the D-Wave quantum computer.
And it's like, oh my God. It's like, well, Leo, what was it we left off at? Was it 13 bits that
0:08:48 - Leo Laporte
they could factor. Yeah.
0:08:50 - Steve Gibson
The breakthrough is 22. Oh. Now we are running at 2,048.
0:08:57 - Leo Laporte
Oh. So you're saying they broke a weak RSA password.
0:09:02 - Steve Gibson
No, they didn't even break R. They didn't break the leading bit of the font of the R. I mean, 22 bits. And you can't decompose factorization, otherwise we would have a long time ago. So the fact that they cracked, ooh, they factored a 22-bit number. Good going. Keep at it.
0:09:30 - Leo Laporte
We'll see in a few decades.
0:09:31 - Steve Gibson
And meanwhile RSA is alive and well. I mean actual RSA. It never had a weaker key than 1024. I don't think there was a 512-bit, maybe in the early, you know, for a while.
0:09:44 - Leo Laporte
I remember the US government wanted us to use very small passcodes. I can't remember if it was 128 or 42.
0:09:53 - Steve Gibson
Those were the symmetric keys, where it was small. It was disturbingly small. Yeah, back in the early days. Well, it wasn't TLS, it was SSL back then. And the idea was, if you didn't export it, you could have a useful strength, but if you, oh, you couldn't leave the country. Well, websites left the country, so it was necessary for them to all be neutered, but it's not like we were doing anything important back then.
They were all using HTTP, so, like, yeah, not a big deal. So anyway, we have a picture of the week after our first announcement break, and we'll share that and get into a bunch of fun podcast stuff. Exciting.
0:10:44 - Leo Laporte
Thank you, Mr. G. But before we do that, may I interrupt with a commercial for one of our great sponsors. You get the best sponsors in this show. They're almost all security sponsors.
Here's a name I know you know: 1Password. But I'm not talking about the consumer version of their password manager. I'm talking about something new from 1Password. They call it Extended Access Management. Let me ask you a question. Do your end users, I'm talking to businesses now, do your end users always work on company-owned devices and IT-approved apps? Yeah, right. If only, right. So how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has the answer to that question. That's why they created, this is something brand new, Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device. It solves the problems traditional IAM and MDM just can't touch. Here's how you can visualize this. Imagine your company's security like the quad of a college campus. Of course, you have those lovely brick paths leading from place to place between the buildings on that beautifully manicured lawn. Those are the company-owned devices, the IT-approved apps, the managed employee identities. But you never can leave it there. These are college kids. There are the paths people actually use, the shortcuts worn through the grass, the actual straightest line from point A to B. You've got them in your network. They're the unmanaged devices. This is what real people use, right? Shadow IT apps, non-employee identities like contractors. The problem is most security tools only work on those happy brick paths. A lot of the security problems take place on the shortcuts, right?
1Password Extended Access Management is the first security solution that brings all those unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy and every app is visible. In other words, it's security for the way we work today. It's great. It's now generally available to companies that use Okta or Microsoft Entra, and it's in beta for Google Workspace customers. If that's you, you've got to go check it out now: 1password.com/securitynow. That's the number one, P-A-S-S-W-O-R-D, 1password.com/securitynow. Extended Access Management from 1Password. This is an idea whose time has come. Check it out. 1password.com/securitynow. We thank them very much for their support and, of course, we thank you for supporting us by going to that address so they know you saw it on Security Now. 1password.com/securitynow. Steve, I have the picture of the week queued up and ready. Should we look at it together?
So I gave this one the caption "When your message interferes with your message." All right, I get it right away, because I like to ride my bike around town.
0:14:04 - Steve Gibson
So for those who don't have the show notes, in front of them or are not watching the video.
We have one of those large sort of mobile road signs which is lit up. They often have, like, a bunch of batteries on them. Sometimes they have a little generator, you know, keeping them alive. Anyway, this sign brightly says on three lines "Give cyclists space." Unfortunately, it is right smack dab in the middle of, and completely blocking, the cyclist lane, which it's telling everyone you need to give more space to. Give them space, please. Yeah, that's right.
0:14:53 - Leo Laporte
Yeah, that's pretty typical of our civic fathers.
0:14:57 - Steve Gibson
There are no broken bicycles and maimed bodies lying around there, but anyway, yes, when your message interferes with your message, no kidding. Okay. So everyone is annoyed, but we know this because we've talked about it often, by the pervasive cookie permission banners which compliance with the European Union's GDPR has forced upon the world. I recently realized that I had become similarly annoyed by another increasingly pervasive website feature, which is the proactive offer to sign into whatever website I may be briefly visiting. Here's the example that you gave on Stack Overflow. And there it is up in the upper right-hand corner, or Stack Exchange. You know I— of this podcast who, for whatever reason, have not yet subscribed to the weekly Security Now mailing. You may think, oh well, fine, I'm going to hear it anyway. Well, when I realized I had a solution to this Saturday morning, I thought, oh, let's tell everybody.
0:16:19 - Leo Laporte
So help me do this on this machine, because I haven't done it on this machine yet.
0:16:24 - Steve Gibson
Okay.
0:16:24 - Leo Laporte
There I am, in the upper right-hand corner. I've gone into the uBlock Origin settings and I'm going to click the gears.
0:16:32 - Steve Gibson
Actually what we should probably do is wait until I update you and everyone with the better solution.
0:16:40 - Leo Laporte
Oh, you got a better one.
0:16:42 - Steve Gibson
I got a better one.
0:16:43 - Leo Laporte
Okay, because I did the manually entering in a filter thing.
0:16:47 - Steve Gibson
Yes, and that works for most people. There were some people for whom it didn't work. Okay, so I'm getting ahead of myself, so okay. So just to be clear, I don't want to have people misunderstand my annoyance here. I often choose to sign into websites using my Google account identity because Google provides a very secure implementation of OAuth. My primary email, you know, everyone knows my main email is going to be a GRC mailbox. So my Google email is my generic catch-all throwaway account, that most of us have one or two or more of these days. So signing in with Google gives me convenient one-click login at any site that offers it. And yes, we know, being OAuth means that Google knows where I am, where I'm signing in and what I'm doing. But Google almost certainly knows that anyway, and the truth is, you know, I don't really have time to care.
0:17:53 - Leo Laporte
You know, all other things being equal.
0:17:55 - Steve Gibson
Yeah, I would choose privacy. Who wouldn't? And I get it that there are people many of them are our listeners who make a hobby out of the rigorous enforcement of their online privacy. I respect that, but that's not me. I'm in a hurry, and since I have no way of gauging my actual success at privacy enforcement due to the myriad sneaky ways in which it can and is being violated, it's not something I'm willing to invest in heavily. So okay, for the sake of convenience, I use Login with Google when I'm at some site where I do want to log in for some purpose and that's not a problem.
I like having the option to sign in with Google and at that point it's not the source of my annoyance. By mid-afternoon on Saturday I had 135 pieces of email from our listeners saying oh my God, thank you, thank you, thank you. Some said it was life-changing. I mean, clearly I was not alone in this really bugging me. So the source of the annoyance is that this trend has been developing to proactively push signing in with Google on us wherever we go and whenever we visit a participating website, even if we have absolutely zero interest in or need to sign in there. You know I don't want to sign into every website on the internet and I believe that's the case for most of us. You know, if I want to sign into a website, I'll click the site's sign in or log in link and be taken to a page to do that. Thank you very much. I don't need to have signing in suggested to me or pushed on me.
And what happened Saturday morning was it finally, it was like the straw, that I finally realized, okay, I'm really being annoyed by these. Okay, so I'm skipping over a little bit of my notes here that I've already covered. So this occurred to me thanks to last week's discussion of uBlock Origin. My original solution, the one that I came up with Saturday morning and shared, was very specific, and it has the advantage of only doing exactly that one thing. However, it did not work for everyone. Some people needed a somewhat broader solution, which turns out is easy. And it also turned out that this sort of annoyance blocking is also built into some of uBlock Origin's already existing filter lists.
0:21:17 - Leo Laporte
That's what I was wondering if there's a checkbox.
0:21:19 - Steve Gibson
Yes, there is, and we're going to be there in a minute, so they're not turned on by default. Well, for our listeners, probably, they are for me, and I'm happier even than I was Saturday afternoon. Okay, so the way we got into this is, as you were going to do, Leo, if you open the uBlock Origin dropdown and then click on the little gears, you get taken to a series of webpages that have tabs across the top. The My Filters tab is initially empty. Mine was empty. I didn't have any custom filters there.
0:22:12 - Leo Laporte
And then the instructions that I gave were to first put in a comment line, so that when you come back to this in a year you're not thinking what the heck is that?
0:22:18 - Steve Gibson
Anyone who's done any coding, by the time you're our age, Leo, we've become humbled. We've realized that, no matter how sure we are that we will never forget this wonderful code that we've just created, you know, a week could go by and we look at it and go, what
0:22:40 - Leo Laporte
the heck is that? Who wrote that? You're looking around
0:22:45 - Steve Gibson
for anybody else. It's like, did I do that? Anyway. So any line that begins with an exclamation point is a comment. So I said: exclamation point, block Sign in with Google iframe in top right corner of websites. And then the filter phrase to do that is two vertical bars, which sort of stands in for the normal forward slash, forward slash. Anyway, the vertical bars tell the EasyList filter syntax, which is what gorhill has adopted, that what follows is a domain name. So, vertical bar, vertical bar, accounts.google.com, forward slash, gsi, forward slash, iframe: ||accounts.google.com/gsi/iframe. Okay, so that says when the browser attempts to load something from a URL that begins with this, just skip over it, just say these are not the droids you're interested in. So nothing happens.
Now it turns out that a couple people wrote back and said, well, that did not work, but if I put "client" instead of "iframe," then it worked. Or even broader, if you do an asterisk. Asterisk is sort of the generally accepted wildcard character. So if you did forward slash, gsi, forward slash, asterisk, that is, ||accounts.google.com/gsi/*, then that generally works for more cases. Now you might think, oh, wait a minute, maybe a wildcard is more than I want. Well, okay, you could put one line with iframe and then another line below it with client and block those two. But gsi, so we're at accounts.google.com/gsi, that certainly stands for Google Sign-In.
So it seems safe to follow that with an asterisk and just know that you're going to nuke anything that tries to pop up on your screen to do that. Okay. But after the email went out, I started getting some feedback from people. One of them said, well, I'm not getting those and I think I know why. So, rather than the My Filters tab, we click the preceding tab, which is Filter Lists. Down near the bottom, you'll find a group of three filter lists under the heading Annoyances.
0:25:28 - Leo Laporte
Couldn't have phrased it better myself.
0:25:29 - Steve Gibson
Open up the list of three and you'll see EasyList, AdGuard and uBlock. Now it's so easy to get one of those annoying Google sign-in pop-ups, just go over to reddit.com, for example, that it was easy for me to experiment with enabling and disabling these three lists. I discovered that enabling either of the first two, EasyList or AdGuard, would suppress the gratuitous, yes, and look at how comprehensive that is, Leo.
This is the uBlock one, oh okay, and EasyList and AdGuard are similar. Either of those two suppresses that gratuitous Google sign-in pop-up. In other words, people have been here before us.
0:26:18 - Leo Laporte
Oh yeah.
0:26:18 - Steve Gibson
And they've already fixed this for us. We just didn't tell them fix this.
0:26:24 - Leo Laporte
I think one of these also blocks the cookie banner, if I remember that's the one.
0:26:29 - Steve Gibson
Oh, actually, yes. Okay, so we have some documentation for the AdGuard list, and so under AdGuard's list, under the Annoyances filter, they said: "Annoyances filter blocks irritating elements on web pages, including the following AdGuard filters. All of them could be enabled separately from the Annoyances filter. In this case: Cookie Notices blocks cookie notices on web pages. Pop-ups blocks all kinds of pop-ups that are not necessary for websites' operation. Mobile App Banners blocks banners that promote mobile apps of websites" (you know, thank you anyway). "Widgets blocks third-party widgets, online assistance, live support chats," all that nonsense. "Other Annoyances blocks elements that do not fall under the popular categories of annoyances." At that point I thought, okay, I am all in, turn them all on.
Yes and mine are.
0:27:34 - Leo Laporte
In fact, I'm going to turn on all the uBlock filters, but I have to point out, occasionally you'll be on a website where they do things in a pop-up that this could break, so you have to be aware. You've done that and whenever. I have trouble on sites. I just disable uBlock on that site.
0:27:49 - Steve Gibson
Turn it off briefly and then it'll work.
0:27:51 - Leo Laporte
Yes, that is exactly the right strategy, and don't forget to click apply changes when you do this.
0:27:56 - Steve Gibson
Correct. So, well, actually you want the Update Now, which does both. Oh, okay. So, okay. So I also just want to mention the other thing that I'm sure people are seeing and being annoyed by are those, you know, "Would you like some help?" sliding up from the
0:28:17 - Leo Laporte
upper right. I hate that guy. I hate that guy.
0:28:19 - Steve Gibson
No, no, I don't want any help. I want you to stop distracting me and leave me alone. So that's gone now too. And while we're here, I'll just mention that the section above Annoyances is Social Widgets. So we have the EasyList, the AdGuard and the Fanboy social widgets lists, and it's described as "social media filter, removes numerous like and tweet buttons and other social media integrations on popular websites." That may not be something everybody wants, but I bet you that there are a lot of people.
0:28:58 - Leo Laporte
Anybody who listens to this show wants it Exactly. The thing is. This is why we're really sad about Google disabling what is the most important tool on the web? I think yes, yes.
0:29:12 - Steve Gibson
So those are turned on now and, as I said, after you've done that, you'll want to click the Update button, which will refresh, download the latest instance of those lists and then bring them current. And life has been sweet ever since this happened. It's like, oh, thank you, thank you, thank you. What a relief.
0:29:39 - Leo Laporte
No longer do I see on Reddit the popup saying you want to use Google.
0:29:44 - Steve Gibson
Yeah, come on. Yeah, I know you do, I know that's nice.
0:29:47 - Leo Laporte
I know.
0:29:47 - Steve Gibson
So anyway. So I wanted to thank everybody who did take the time to say, hey, Steve, take a look over here, because that allowed me to get this into today's podcast and update everyone with what I think is a superior solution. And you know, the cool thing about this is that these lists are being constantly curated by people who do really enjoy this. They're chasing these things down. Some of the expressions on these things, I mean, they're also professional filter list builders, because these things are hair curling. So they're going in with a scalpel and saying, okay, exactly that I don't want, and we don't want to break anything else. Just stop doing that to me. And so this does that.
Now, the other thing that is different about this from uBlock Origin Lite is that, and gorhill mentioned this and we talked about it last week, the V2 manifest is able to independently update its lists. That's not something that Chrome wants to promote going forward. It's not available in Manifest V3. So you'll need to be up, you'll need, like, a new version of the entire add-on extension, rather than the extension being able to reach out and update the lists on its own behalf. So that's another.
As you said, Leo, it's why we're annoyed with Google. Now, I'm sure, since Chrome has 37 million users of uBlock Origin compared to Firefox's seven, that gorhill will be incentivized to do everything he can to make the Lite version as powerful as possible. And, as we know from last week, we do have nine months more until Chrome users lose access to the V2 manifest, thanks to the policy tweak that we found and shared last week. So a lot can happen in nine months. We've seen Chrome back off on terminating third-party cookies when it turns out they couldn't, so maybe there will be sufficient pressure on them to reconsider saying no to V2. Or maybe they'll just turn it off for most people, but they'll give us a little back door where, if we really must have it, we'll, you know, be able to, like, maybe have a policy that
0:32:37 - Leo Laporte
says, I'll make a registry tweak if I can keep my V2 manifest. They're going to do something about it because, as you point out, Brave, and many of the people in our chat room, has all these lists built in. By the way, you know, I use Arc from The Browser Company, which I love. It's also a Chromium-based browser, and what Arc is, what The Browser Company has already said is, yeah, if, once V3 is in our browser, because it's going to be, as it will be in any Chromium browser, we're going to have to write our own blocker and put it in the browser that way, as Brave has done. So I think Chrome's at great risk of losing a huge number of people by forcing this. So we'll see what happens. You're right, it may not happen. I wouldn't be surprised.
0:33:28 - Steve Gibson
So I'll just say that, after enabling these six additional filter lists for uBlock Origin, I'm more happy than I've ever been that I'm using Firefox, which shows no sign of getting rid of V2 compatibility and uBlock Origin, and we have a bit of feedback that I'll share down in our feedback section. But this has sort of brought me to the awareness that we've been underutilizing this marvelous tool, because, you know, I could have had these turned on a long time ago and saved myself a lot of clicks of, you know. The other thing, Leo, this unsolicited sign-in prompt for a site I don't want to sign into covers up regions of the screen that I have to see sometimes. So it's annoying. You can't move it, you have to close it.
0:34:25 - Leo Laporte
I find it most annoying, like on Reddit, where I already have a login. I don't want to use the Google login because I already have a login, and it covers up the part of the screen where you click to log in. It's incredibly frustrating. It's terrible, terrible design. Okay. So anyway, I'm on your mailing list, though. I'm glad that you sent that out as a burst, and nobody complained about that, right? Not
0:34:51 - Steve Gibson
I did not get a single complaint. In fact, I said at the end,
I said, I hope you don't mind me interfering with, you know, interrupting your weekend for this. I was a little, I felt, I did feel a bit self-conscious, because it was, you know, it was unscheduled, and you know, Security Now list subscribers did explicitly sign up to that list to receive weekly podcast summaries, the show notes and the pictures of the week. Everyone said they loved it, and since the system that I built makes it so effortless to send these sorts of announcement mails to what we now, I think we're now at 10,500 plus subscribers, I would like to formally expand the mission of that list, I am announcing it here, to include things like this in the future. I don't know what they might be, but I'll make sure that whatever it is will be, you know, that it has a high probability of being of interest to everyone, just like this one certainly appeared to be. So thank you to our subscribers, and I'm glad that I was able to brighten everyone's weekend, because it certainly did that.
0:36:06 - Leo Laporte
Yeah, you're right, we underutilize one of the greatest things in the world. And now that we're about to lose it, yeah, now we're appreciating it. We're appreciating it.
0:36:16 - Steve Gibson
I'm sorry, honey, I didn't mean it.
0:36:20 - Leo Laporte
Come back. All right, let's take a little break. More to come in just a little bit with Steve Gibson and Security Now. Our show today, brought to you by a great company that does something we've talked about before on Security Now, Zero Trust. They make Zero Trust easy for you to implement at your company: ThreatLocker. If zero-day exploits and supply chain attacks are keeping you up at night, and if they're not, they probably should, no more worry.
You can harden your security with ThreatLocker. The companies that use ThreatLocker feel safer. Companies like JetBlue trust ThreatLocker to secure their data to keep their business operations flying high, if you will. Imagine taking a proactive, and this is the key, deny-by-default approach to cybersecurity, blocking every action, every process, every user unless authorized by your team. ThreatLocker helps you do that and provides a full audit of every action for risk management and compliance. This is fantastic, and great support from their 24-7 US-based support team. They're there to help you with the onboarding and beyond. So here's how you stop the exploitation of trusted applications within your organization. Here's how you keep your business secure and protected from ransomware.
Organizations across any industry can benefit from ThreatLocker's ring fencing by isolating critical and trusted applications from unintended uses, weaponization, limiting lateral movement from attackers across your network. We know this happens. That's what we talk about all the time, these threats. I'll give you a perfect example of this. ThreatLocker's ring fencing was able to foil a number of attacks that traditional EDR could not stop because they were zero days. As an example, the SolarWinds Orion attack. Orion was completely foiled by ring fencing. And here's another great thing: it doesn't matter if you're PC or Mac. It works for Macs too. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively.
ThreatLocker Zero Trust Endpoint Protection Platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. You want this. Get a free 30-day trial. Learn more about how ThreatLocker can help mitigate completely unknown threats completely out of nowhere and ensure compliance, because you've got a complete audit trail. ThreatLocker.com to learn more. ThreatLocker.com. We thank them so much for supporting Steve and Security Now. We thank you for supporting Security Now by going to that site, and if they ask, you say you heard it on Security Now. ThreatLocker.com. Thank you, ThreatLocker. Now back to Mr. G. So, under the heading...
0:39:16 - Steve Gibson
So, under the heading "It couldn't happen to a nicer guy": last Wednesday, The Register reported that everyone's favorite massive data leaker, National Public Data, aka NPD, the organization which first collected the personal data on pretty much everyone, then had their collected data stolen, sold first on the dark web and finally released publicly, has, not surprisingly, filed for bankruptcy. The Register wrote: The Florida business behind the data brokerage, National Public Data, has filed for bankruptcy, admitting hundreds of millions of people were potentially affected in one of the largest information leaks of the year.
Now, just to recap a bit: last June, as we know, the hacking group USDoD put a 277 gigabyte file of data online that contained information on about 2.9 billion individuals and asked $3.5 million for it. The data came from National Public Data, they wrote, a brokerage owned by Jericho Pictures, which offered background checks to corporate clients via its API. NPD confirmed it had been hacked in an attack in December 2023 and initially said just 1.3 million people had lost personal details, you know, such as name, email address, phone number, social security number and mailing addresses. But in the court documents filed for bankruptcy, the business concedes the total is much higher. The bankruptcy petition from Jericho Pictures states, quote, the debtor is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals. As the debtor's schedules indicate, the enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention defend the lawsuits and support the investigations. The debtor's insurance has declined coverage.
0:41:44 - Leo Laporte
Oh, you bet, they have.
0:41:46 - Steve Gibson
According to the filing, the organization is facing more than a dozen class action lawsuits over the data loss and potential "regulatory challenges" from the FTC and more than 20 US states. Any plaintiffs will have a hard time getting paid any money out of Jericho, since the documents state the business has, shall we say, very limited physical assets. In the accounting document, the sole owner and operator, Salvatore Verini Jr., operated the business out of his home using two HP Pavilion desktop computers valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000. The company lists $33,105 in its corporate checking account in New York as its assets, although the business pulled in $1,152,726 in its last fiscal year and estimates its total assets are between $25,000 and $75,000, all told. It also lists 27 internet domains with a value of $25 each. These include the corporate website, which is now defunct, as well as a host of other URLs, including criminalscreen.com, recordscheck.net and asseeninporn.com. So yes, we have another example of legislation running far behind the consequences of technology.
At some point it's going to become clear that the aggregation of large quantities of personal data, along with its merging into comprehensive profiles, itself presents an inherent danger. That is, just the aggregation and consolidation present an inherent danger, but today there's no regulation over this. Anyone who wishes to can amass such data to create essentially a latent data bomb. On the one hand, it's free enterprise and capitalism, which no one wants to stifle, but allowing fly-by-night operations of this sort to do this is clearly a problem. The solution may be to require any such information aggregator to have a substantial bond posted, plus a verifiably effective insurance policy in place to cover the losses and lawsuits that would follow any egregious breach of responsibility. This would nicely serve to privatize the risk, so that the investors, who would be required to create and post the bond, and the insurance company, who would be collecting insurance premiums and would be on the hook for their losses, would both be motivated to assure that the enterprise's IT staff, its procedures and security are adequate to protect their investment. It's the only way I can see that this makes sense. Moving forward, we're going to have to have some legislation which says anybody who does, you know, aggregate data, and you know the attorneys can figure out what exact language to use, but the idea being anyone who is warehousing quantities of data affecting over some number, some minimum number of individuals, must have the ability to pay for the consequences of the loss of that data. Otherwise, sorry, you can't collect it. Maybe we'll get there someday. It's just going to take legislation. Okay.
Many of the top-level domains that we have today we have because they're associated with countries. You know the Bitly service that I used to use, .ly. You know that LY is the country code for Libya. That's why .ly existed and why it was possible for Bitly to get the domain bit in Libya's country code, .ly. And when I left there, of course I created grc.sc. Well, .sc is the country of Seychelles, so I got grc.sc because Seychelles has its own top-level domain, .sc. And, as we know, there are lots of top-level domains that are created independently. You know .com, .org, .net, .edu, the original big four.
But when a top-level domain belongs to a country, it's tied to that country, because a couple of weeks ago, on October 3rd, the British government announced that it would be releasing its claim of sovereignty over a small tropical atoll in the Indian Ocean and that these islands would be handed over to the neighboring island country of Mauritius, which lies about 1,100 miles off the southeast coast of Africa. Now remember that I said the island nation being dissolved was in the Indian Ocean. Well, that country's top-level domain is .io, as in Indian Ocean, and the presumption is that, as has happened a few times in the past, when the country controlling its top-level domain is dissolved for any reason, so too is its top-level domain. And given the strong interest in and use of the .io domain, that presents a problem. What's supposed to happen is that once Britain signs the new treaty with Mauritius, the British Indian Ocean Territory will formally cease to exist. So various international bodies will update their records. In particular, the International Standard for Organization, the ISO, will remove the IO country code from its specification list.
The IANA, the Internet Assigned Numbers Authority, which creates and delegates the top-level domains, uses the ISO's specification to determine which top-level country domains should exist. Once IO is removed, the IANA is supposed to refuse to allow any new registrations with a .io domain and it's supposed to automatically begin the process of retiring existing domains within the .io top level. What's not known at this point is whether this will actually be allowed to happen. You know, humans make the rules and humans can change the rules that we've made, and so you know, if the rules are causing too much trouble, that may be what happens. You know, we certainly have no lack of non-country TLDs. You know, in addition to those original big four, there's, for example, .xyz and .lol and .online, which are not country domains. Why can't .io similarly be repurposed, just adopted as a valid non-country TLD? People who are writing online are saying .io is going to go away, but I find that hard to believe. But again, I'm not the IANA, who ultimately decides these things. So we'll see what happens.
I should note in passing that last Tuesday, October 8th, was the second Tuesday of the month, which meant that Microsoft and many others used the occasion to release their monthly patches. Nothing was particularly notable this month. Microsoft released updates to fix a total of 118 vulnerabilities across its software offerings, two of which were being actively exploited in the wild. So of the 118 flaws, three were rated critical, 113 are rated important and two were rated moderate, and, as is the case these days, that count does not include the 25 additional flaws that Microsoft previously updated in its Chromium-based Edge browser over the past month. So, you know, good to update as usual after the second Tuesday and restart your machines if you tend to leave them running all the time.
Also, Firefox, as I mentioned at the top, and the Firefox-based Tor browser have been warning everyone of the discovery of a serious attack which was levied against Tor users. The flaw carries an attention-getting CVSS of 9.8, and it affects both Firefox and the Firefox Extended Support Release products. It's a use-after-free bug that has been found in the animation timeline component. Mozilla reported in a post last Friday, October 11th, that it had received from ESET an exploit sample containing a, quote, full exploit chain that allowed remote code execution on a user's computer just by causing their browser to go to a web page. So yeah, that'll qualify as a 9.8, you know, under anyone's scoring system. Mozilla also noted that the fix was shipped within 25 hours of its responsible disclosure, so one day and one hour.
Two days previous to that, on Wednesday, Mozilla said an attacker was able to achieve code execution in the content process by exploiting a use-after-free in animation timelines, and then added, we have had reports of this vulnerability being exploited in the wild. So the issue has been addressed in Firefox 131.0.2, ESR, that's the Extended Support Release, 128.3.1, and ESR 115.16.1. The Tor project has also released an emergency update to what they're calling version 13.5.7 of their Tor browser. So certainly, if you are a Tor user, you'll want to make sure that your Tor browser is updated to 13.5.7, since those were the targets of this attack.
But the vulnerability did affect everyone. And, as I mentioned at the top, next week, this just happened, we will be talking about the Credential Exchange Protocol. So I have not had a chance, because I've been working on this podcast, to dig into it, but I will have, and, unless something really very significant happens, I have a feeling that that will be the title of next week's podcast, because that's something we're going to want to take a close look at and understand exactly what it is, what it does and how it works.
0:55:04 - Leo Laporte
Yeah, it's big news, because this was something you could not do.
0:55:08 - Steve Gibson
Yes.
0:55:09 - Leo Laporte
And that's what's, frankly, kept people kind of frozen in place, I think, with Passkeys.
0:55:17 - Steve Gibson
I took a quick look at it, Leo. Many of the password manager people were participating in the development, as was Google. I did not see Apple there.
0:55:31 - Leo Laporte
See, this is a perfect example. They don't have any incentive to let you move your passkeys off your iPhone because they want you to be stuck there forever. Wow.
0:55:41 - Steve Gibson
Yeah, that was annoying. It doesn't mean they're not going to adopt it, right?
0:55:45 - Leo Laporte
They might have to. If FIDO does. I mean, don't they kind of want to keep full compatibility with the standard? I would think so. We'll see. It depends what FIDO Alliance says. Is it required or just optional?
0:55:57 - Steve Gibson
Well, it will be optional, unfortunately, it has to be right, but then maybe at some point to get the next level of certification you'll need it.
Okay, several weeks ago I mentioned that a listener of ours had suggested that when I move my Windows 7 workstation over to Windows 10, I choose a Windows Server version in order to have a simplified experience. At the time that sort of caught me by surprise and I thought it was a great idea, since Microsoft will presumably have exercised far greater restraint against including all of the unwanted Xbox, Candy Crush, Jewels, Android phone integration and all that other crap that they force on regular desktop Windows users. But then I remembered that I had that idea a long time ago. It may have been back in the Windows XP era that I did try running, and I did run for a while, a server edition of Windows as my desktop machine, probably because I wanted to be using exactly the same build of Windows that my servers were using back then. But I hit a big problem: the installers for many of the desktop applications I wanted to run would complain and refuse to proceed when they saw that I was running on a server release of Windows. I fought against that and put up with it for a while. I remember looking around seeing if there was some way I could create my own hack to make the server edition look like the desktop version. I didn't end up doing that. I just ended up learning my lesson and deciding to go to a desktop, and in fact, for example, the Windows 7 Workstation version is essentially Windows Server 2008 R2. So it's essentially the same code anyway. But I just wanted to close the loop on that in case anyone else was thinking, hey, that sounds like a great idea, I'm going to run Server. I'll just caution you that in some cases apps just would not install. In other cases they said, well, if you're a server version, it's going to cost you this much money, you know, like way more than it was for the equivalent desktop version. So I just said, no, thank you.
OK, touching on sci-fi briefly, I am 15% into the book I said I would not read until its companion novel was also ready, though, as I recall, my position on that was noticeably softening recently. Anyway, yes, I now know a lot about Peter F. Hamilton's Exodus: The Archimedes Engine. However, I don't know nearly as much as John Slanina, our JammerB, who is already well into his second read-through. He noted that the second pass is more fun for him because by then you know who all the players are. And boy, the players are somewhat dizzying.
The book begins with a chronology which is stunning in its sweep and scope of humanity's near and far future and, knowing Peter, I knew not to skip over that. I figured this was important. So I read all of that. Then it runs through and introduces a vast array of characters and, as I said, the historical summary was engaging to read through, all of the names of the entities whose roles were described, mostly in relation to each other, in that vast list. And then the book began. So I can well understand why John, you know, upon finishing it once, would immediately reset his e-book to the beginning and go again. So anyway, I don't know if I'll read it a second time immediately. Maybe I'll wait for who knows how long for the second half of the whole story to be finished. Anyway, I just did want to mention that, yeah, I'm in. I was rereading the Frontiers Saga for, like, the fourth time and it was getting a little boring actually. So I thought, OK, I'll try something new. So I'm there. OK, a bit of closing the loop with our listeners.
Brian Hendricks wrote. He said, hey Steve, I was looking for a new puzzle game to play on my tablet and I saw that the Sequence Plus was released a couple of weeks ago. I haven't tried it yet, but thoroughly enjoyed the Sequence at your recommendation a few years ago. I tried the Sequence 2 when that came out, but I did not enjoy it as much. He says, hopefully this new game lives up to the original. Happy Security Now-ing to four digits and beyond. Okay, so I agree with Brian completely. Whereas I loved the Sequence, I was disappointed by the Sequence 2, and I never bothered to spend much time with it once I saw that, in my opinion, and I guess his and others', it missed the mark. It turns out that it's not a simple matter to create a truly terrific puzzle game, which the original was. So I agree that more of the original would be welcome.
So I went looking for it. It is nowhere that I was able to find it in Apple's notoriously horribly indexed App Store. So I dropped back to searching the net and I found something called the Sequence 2 in the Google Play Store. I have a link to it in the show notes for anyone who's interested. I replied to Brian asking whether he might be an Android person playing the Sequence 2 on an Android tablet, and he confirmed that he was. So I'm hoping that it isn't, you know, that it's just, you know, it just hasn't yet surfaced in Apple's App Store. Since the author, who is an outfit by the name One Man Band, uses the Unity framework, it could also be available for iOS. I'm hoping it's just delayed. So anyway, I should note also that when Brian said a few years ago, he actually meant nine years ago, back in 2015. So I wanted to tell all of our listeners there is a big treat awaiting any of our listeners who have joined us since then, who enjoy extremely well-crafted puzzle recreation and who are not yet familiar with what we've been talking about.
The Sequence, created, as I said, by One Man Band, is a sort of graphical sequential programming environment. It's that perfect blend of progressively increasingly difficult challenges where you're required to discover new tricks and problem-solving techniques as you progress forward through the game's levels. You build machines composed of individual functional blocks, with each block having a single, very simple and very clear function, and then you turn it loose to loop through its operation four or five times, since another requirement is that each iteration leaves the machine you've built in a stable state, ready to do it again. And one final comment for those who may have heard things like this before, only to be then disappointed. I have too. We haven't talked about my affection for puzzles for years, but I've often tried other things that sound exactly like what I just described and I have been disappointed. So I would never recommend them. This one I recommend without reservation.
I have a link in the show notes to its author's website.
It's OMB, as in One Man Band, ombgames.com, and note that it's HTTP only, not HTTPS.
So if your browser assumes S, it'll complain one way or the other. You want http://ombgames.com. I also have a link to the author's official YouTube video in the show notes, and it earned this week's GRC shortcut of the week. So you can get a quick sense for what I'm talking about by opening any browser and going to grc.sc/996, which is this week's episode number, grc.sc/996. It is available for a few dollars without any ads or any in-app purchases, thank God, from the Windows Store, Steam, Apple's App Store and Google Play. If anyone discovers the Sequence Plus in Apple's App Store, please let me know. I'll be all over that one. And as I was preparing these show notes, I spent some time poking around the author's One Man Band site. On his contacts page he had both a Gmail and a Twitter handle, so I first went over to Twitter and I was surprised when Twitter said that he was following me. The only way that was possible was that back in the day I had made such a fuss over the Sequence.
1:07:04 - Leo Laporte
Well, of course I'd be following you too, my biggest fan.
1:07:09 - Steve Gibson
Yeah. So I figured that this podcast must have come to his attention and he decided to follow me. He had not posted anything recently over on his Twitter feed, so I shot him a note asking about the status of the Sequence Plus and not long after I received a reply from him. His first name is Maxim and he wrote: Hi Steve, I'm glad to hear that everything is going well for you. I'm grateful to you and your podcast for giving my little-known game a loving audience back in 2015. As for the Sequence Plus, I can say that it is a slightly improved version of the Sequence, with some tweaks in the controls and fixes in certain levels. It is free and contains ads, so it might not be suitable for everyone. Yeah, Apple doesn't let you do demos or anything.
1:08:20 - Leo Laporte
And that's a big problem, frankly.
1:08:22 - Steve Gibson
Yeah, yeah, he said for now it's only available on Google Play as an experiment. He said, I can't say for sure if I will release it on iOS, but for all lovers of logic puzzles on iOS my three games are still available: the Sequence, the Sequence 2 and Unit 404. He said, best regards, Maxim. OK, so now we know, and apparently he understands me, since I would gladly pay to not have any sort of advertisements in a good puzzle game. I mean, we're only talking a couple of dollars for many hours of engaging mystery. I've been driven nuts by the prevalence of advertising in iOS puzzles where, again, I would gladly pay for their removal and to have a quiet and puzzling experience. I hate ads. So it does not sound like the Sequence Plus would be anything I want, even if it were available for iOS. You know, as Maxim said, it's largely just the Sequence as it used would be to follow GRC Shortcutters of the Week, as Leo you did, and you played his little 50-second sample to give you a sense for what this is, either on iOS or Android to purchase, or actually Windows or Steam to purchase the Sequence and get ready to have some fun. I really think you will.
Parker Stacy wrote. Dear Steve, thank you for this extremely helpful tip. He's referring to Saturday's email. He said you have saved me time, you have saved me frustration. You have saved me from the repetitive irritation felt on so many sites these days.
These annoyances on websites around the globe are more than just little gnats to be swatted away. They divert our attention and, more importantly, they divert our focus. When I'm researching something online, I'm usually trying to follow a train of thought, a thread, a path, a stack of ideas. Something so seemingly mild as a cookie policy or sign-in-with-me box can interrupt my flow and completely unwind the stack, and it can take an unreasonable amount of time to rebuild it. I know you know this and I am grateful that you take the time to share these types of countermeasures with us. This type of special notification email is greatly welcomed and I look forward to more in the future.
With gratitude and kind regards, Parker. And I'll just note that it would be possible to suppress these unsolicited and unwanted login push pop-ups from appearing. It turns out they're quite unpopular and I was glad to learn that it wasn't just me being cranky that this was all about. And, as we know now, by turning on those pre-curated lists, we're getting rid of a whole host of other stuff. But, Leo, your point is very important. If you go to a site where something seems broken, something doesn't work, it could be that uBlock Origin has been overprotective, in which case it's just a matter of opening it up and disabling it for the site, or briefly turning it off, and then, you know, you'll get the full site in all of its glory.
And you may be sorry, and you can wade through all the pop-ups and ads and nonsense, yes. And finally, Frank from the Netherlands wrote: Dear Steve, I want to report a feature of uBlock Origin that I don't see other people using but that significantly improves my productivity. In addition to blocking ads, I use uBlock Origin to clean up cluttered user interfaces. Many web applications today include more features than I need or aggressively promote new ones. For example, ClickUp is now filled with AI buttons and banners. I hide all these distractions to restore a clean interface that helps me focus on my work. Hope it helps other listeners. Best regards, Frank from the Netherlands. So that's interesting. There are still features of uBlock Origin that we're not using. Frank is; I just haven't spent any time with it and I'm beginning to feel like I'm missing a bet here. uBlock Origin has, like, a dropper, and I think you're able to use it to go, like, click on something, which allows you to identify the something on the page to it, and maybe you're able to say I don't want this anymore. Anyway, I haven't looked, but I wanted to share Frank's note to note that, again, most of us, certainly myself, have been grossly underutilizing the power of uBlock Origin. It is an extremely capable general-purpose web experience filter and, you know, I think the reason that it's been underutilized is probably a case of, you know, that old story about cooking the frog in the pot of water, where you slowly increase the temperature so the frog never thinks to jump out, it just gets cooked.
For us, you know, this incursion into our browsers has been very gradual and incremental. You know, at first only a few sites were pushing that login pop-up for Google. So, you know, we put up with a few of those unwanted appearances. But over time that number grew and grew until it was something some of us were seeing and tolerating throughout our day, and those Google pop-ups were just one symptom. What's happening is that, little by little, our online experiences have been increasingly leveraged and we're being increasingly coerced. Nobody likes being coerced. So anyway, thank you, Frank from the Netherlands, who is using uBlock Origin more fully, and I will invite others to consider doing the same. And Leo, we're at an hour in.
Let's take a break now and then I will finish up with two final pieces of feedback.
1:15:31 - Leo Laporte
Good thinking. I almost stopped you. Then I thought, well no, he's put in these breaks, he knows what he wants. But okay, good.
I thought I did. Let's talk about a very appropriate, speaking of bothersome, annoying, intrusive companies, a very useful tool. If your data was in the National Public Data database, yeah, I think mine was too, but you know whose wasn't? My wife's, because she uses our sponsor DeleteMe. If you've ever searched for your name or address or birthdate online, I bet you didn't like how much of your personal information was available. I wouldn't recommend doing this, by the way. Unless you don't believe me, then please, by all means, search for your name. See what you get. But maintaining privacy is not just your concern. It's your whole family's affair, and I think DeleteMe's family plans mean you can make sure everyone in the family feels safe online. DeleteMe helps reduce risk from identity theft, but also harassment, and more cybersecurity threats, and this is why Lisa is a proud DeleteMe customer.
Bad guys were able to figure out who she was, what her phone number was, what her direct reports were and put together a spear phishing campaign that, had our employees not been very smart, and probably most of them listeners to this show, we would have been badly bit by. Where'd they get all that information? Data brokers. Data brokers are collecting this stuff like crazy, and DeleteMe is your weapon against data brokers. DeleteMe's experts, and it's human, by the way, which I love, will find and remove your information from hundreds of data brokers. There are literally hundreds of data brokers. Want to include your family? You can assign a unique data sheet to each family member, tailored to them and with easy-to-use controls. As the account owner, you can manage privacy settings for the whole family. DeleteMe, and this is really important, even after it does that first initial deletion, will continue to scan and remove your information regularly, because new data brokers pop up all the time and, frankly, data brokers are not the most honorable of people and they're going to start rebuilding your dossier, even if you told them not to. And I'm talking everything: addresses, photos, emails, who your relatives are, your phone numbers, your social media, your property value and more. Protect yourself. Reclaim your privacy. Do what we did. Go to joindeleteme.com/twit.
If you use the offer code TWIT, you'll get 20% off. That's joindeleteme.com/twit. Offer code TWIT gets you 20% off. I think I don't really need to explain to the Steve Gibson audience why you want to do this. In fact, you probably have already been thinking about it. This is the way to do it: joindeleteme.com/twit. Don't forget that offer code for 20 percent off. Now back to Mr. G. OK, a little router discussion here, yes, two pieces of feedback from our listeners about routers.
1:18:53 - Steve Gibson
Justin Long wrote: Steve, had to throw in my two cents about routers for parents. Eero, full stop, do not pass Go, do not collect $200. Leo mentioned its great mesh networking capabilities, but there's one thing that makes it a perfect router for parents: the ability to configure it without having to be at their house.
1:19:17 - Leo Laporte
I do that with my mom. I can actually look at her setup.
1:19:21 - Steve Gibson
Exactly, he said. All Eero devices are configured via a smartphone app. This means when you get the, quote, "the internet stopped working" call, you can pick up your phone, which you're probably already holding, and see what's going on without having to drive to their house, which is good because her house is in Rhode Island and I'm in California.
She's across the country. You can add multiple Eero networks to one account, so you can switch between your own network and theirs for administration. Another benefit is Eero Plus, which is their monitoring software that blocks access to sites that host malicious content, botnets, phishing sites, etc. If you have multiple networks on the same account, one Eero Plus subscription covers them all for the same price, he said. Currently I have ours, my parents' and my in-laws'. Another added bonus: there's no way for dad to attempt to fix something by blindly clicking around the router's UI. They don't have access to it at all. As far as they're concerned, it's just the magic box that allows them to complain about things on Facebook.
1:20:37 - Leo Laporte
I will add one more thing. I don't know if you've ever used Waveform's bufferbloat test, which is a really useful speed test. I've done it on all of my routers from time to time because it is really much better than a regular speed test. It shows whether latency goes up when you're doing other things like uploading and downloading. But one of the things you'll find there is their recommendation for routers that don't have bufferbloat and, among others, the Netgear Nighthawk and the IQrouter and the Ubiquiti EdgeRouter.
You've recommended so many times the Eero Pro 6. I think all the Eero routers are well designed. I think they pay a lot of attention to the latest thinking in terms of configurations and so forth, and I think that's one of the reasons they do such a good job with bufferbloat. So another good reason. I think we've recommended them ever since they started coming out and, as far as I can tell, Amazon's ownership has not made them worse. Oh, Amazon bought them.
I was wondering why it said Amazon Eero. Yeah, they bought them some years ago.
1:21:50 - Steve Gibson
And another listener took Michael Horowitz's advice about the Peplink router. Phil wrote: Hi, Stephen, I'm glad you pointed out Michael's router security website again. Remember, that was routersecurity.org. He said I recently replaced my Verizon Fios router with his recommended Peplink router, P-E-P-L-I-N-K, Peplink router, and was able to go over his shortlist as well, and I could not be more happy. He's even been very responsive in answering my questions that I may have had in configuring the router and anything relating to what to expect when you ditch your ISP's router. Not only that, but Peplink themselves have been responsive in replying to email inquiries about any issues, for which there have been none. He said when I do my monthly tech talk at the library where I work, one of the topics is router setup and security and I recommend the Peplink. Patrons will come back saying how it was pretty simple to set up and Michael's instructions were very straightforward. So he says thanks, Phil, and I'll just mention that the Peplink router is what the Router Security site's author Michael Horowitz recommends.
I have no experience with it so I can't weigh in either way, but I wanted to share Philip's positive experience and invite our listeners to consider these alternatives.
As I said on this topic earlier, unless someone deliberately chooses an insecure configuration, and with just a few tweaks, any modern consumer router should be safe, though you know I won't argue that security is relative and you can certainly spend a lot of time securing a router. But generally, what you get, unless you, you know, turn on lots of remote serving features, you're probably okay. Okay, so BIMI, that stands for Brand Indicators for Message Identification. For this week's main topic, I want to share an adventure of mine from last week. It will introduce some new email authentication technology while touching on the challenge of thwarting North Korean and AI identity spoofing and ending with the fact that several recent DDoS and network penetration attacks have left the world's Internet Archive offline and that, as a consequence, something I was trying and hoping to do last week has been paused until the Internet Archive is back up. And last night it seemed to be better. This morning it was slow and sluggish, then later this morning it was better.
1:24:49 - Leo Laporte
It's been DDoSed by an ass something.
1:24:53 - Steve Gibson
Yeah.
1:24:56 - Leo Laporte
And it was supposed to be up read-only this morning, but maybe it's still having trouble, I don't know. Yeah, and I did see that.
1:25:09 - Steve Gibson
And in fact only the Wayback Machine portion was up in read only.
1:25:10 - Leo Laporte
Apparently you're able to, like, manually submit pages to it for archiving. Good. And that feature is not currently, uh. What kind of low life would attack the Internet Archive is beyond me. It's apparently, it was an Iranian hackers. I can't remember. North Korean.
1:25:47 - Steve Gibson
Somebody. I heard that, I saw the same thing, that there was, you know, some, some attribution given to some, you know, something about, you know, some of the mess going on in the Middle East was supposedly behind it. But okay, so this adventure began when I checked my email after last Tuesday's podcast and found a new feature notification from my favorite certificate authority, DigiCert. It said: We're writing to let you know that CommonMark certificates are now available. CommonMark certificates allow an organization to place a brand logo in the sender field of outbound emails, confirming the organization's DMARC status and their authenticated identity and helping protect against phishing and spoofing attacks.
They said CommonMark certificates are similar to Verified Mark certificates but do not require a registered trademark for usage. This allows a broader range of senders to add an additional layer of security to emails and help their recipients feel comfortable that the emails come from a legitimate source. They said to qualify for a CommonMark certificate, and we've got a few bullet points: First, the corresponding email domain must be configured to enforce DMARC. The corresponding brand logo must either have at least a year of previous public usage on a domain controlled by the applicant or be an acceptable modification of a registered trademark. And they say see section 3.2.16 of the BIMI Group's Minimum Security Requirements for Issuance of Mark Certificates for more details.
And finally, the logo file used for the certified mark certificate must be an SVG file that adheres to the SVG Tiny PS profile. Then they finished saying: Note, currently most image editing tools do not support the SVG Tiny PS profile. Oh, that's handy. Oh yeah, like I said, I had an adventure. And will require using a specific conversion tool or manually editing an SVG file. They said see our guide for properly formatting the logo. Okay, so first I should reiterate that BIMI is officially pronounced "bimmy," like bimmy or bikini.
Okay, yeah, bimmy, bimmy not be me, but I was unable to resist the.
1:28:31 - Leo Laporte
Be me up, Scotty. So bimmy up, Scotty is just as good. Bimmy up! It's Kirk in a hurry. Bimmy up, Scotty.
1:28:39 - Steve Gibson
Bimmy up, Scotty, you know because we've lost a bunch of red shirts and we're about to go to Get me out of here, so you know how that goes.
Okay, so BIMI, as I said, is the abbreviation for Brand Indicators for Message Identification. It is a new, relatively, we'll see. It's been around, for they've been working on it for 10 years, and slowly, as in very slowly, emerging email standard that creates, what's interesting here is, a secure means for incoming mail to carry and display its sender's unspoofable logo icon. Email clients and online services that choose to support BIMI will be able to display these logos, and will only display these logos, if and when the email's senders have jumped through quite a large number of hoops to make that possible. This is all being managed by an industry BIMI working group at bimigroup.org, B-I-M-I-G-R-O-U-P dot org. The members of this group are Fastmail, Google, Mailchimp, Proofpoint, SendGrid, Validity, Valimail and Yahoo. The project began, as I said, a full 10 years ago, back in 2014, and today the display of BIMI logo icons is supported by Apple, Cloudmark, Fastmail, Google, Yahoo and.
1:30:16 - Leo Laporte
Zoho, I want to do this. We have a trademark. Yes, you do.
1:30:23 - Steve Gibson
So what this group has managed to design and achieve, finally, wide consensus on, is the rough equivalent of the web server TLS certificates we rely heavily on to prevent interception and spoofing of the domains our web browsers visit. This BIMI system provides a means for senders who care to to strongly authenticate that they are the sender of their email. I don't have to tell anyone that email is a mess, whether one is on the sending or the receiving end. Everyone knows this. Yet everyone needs email. It is, as we know, the Internet's lowest common denominator for communication.
As we've observed here, we could not have usernames and passwords without email, because no other authentication system is viable without some reliable backup, lowest common denominator fallback means for ultimately authenticating users when they forget their password or don't have their second factor authenticator handy, or whatever. It always comes down to email. An effort has been underway to allow email senders who choose to, and email services who choose to, to display strongly authenticated visual graphic logos in email recipients' inboxes. What you normally see, for it shows, you know, mail timer, and so there's just a generic M in a circle, and email marketing news, an E in a circle, as opposed to their actual logos, which the email client is able to show, and I confirm that my iOS devices are showing those where they're in use.
1:32:29 - Leo Laporte
Now, if I, okay. So I have my picture as a Gravatar and most email clients will pick that up as the icon and put it next to the email. How can I distinguish a BIMI official trademark from a Gravatar?
1:32:40 - Steve Gibson
Which anybody could do. That is a good point. A Gravatar, uh, if it is available, or if you have a photo associated with the person's contact on Apple.
1:32:51 - Leo Laporte
If it's in the context, that's right, right yes, so so.
1:32:54 - Steve Gibson
So we are seeing, you know some, some collision, kind of a flimsy authentication method.
1:33:00 - Leo Laporte
Is that all? There is the icon on the email. Yes, that's what this is for. Okay, all right, I mean I use PGP authentication that not only verifies that I am the sender, but that the message is unmodified.
1:33:16 - Steve Gibson
But nobody knows how to receive that.
1:33:18 - Leo Laporte
Nobody knows what to do with it, but it's there, right.
1:33:23 - Steve Gibson
You could use.
1:33:23 - Leo Laporte
S/MIME certificates to do that. Nobody knows how to use that either.
1:33:28 - Steve Gibson
Yeah. So what I want is, when GRC's email comes, people will see that Ruby G logo that I've been using for 40 years, since before the Internet existed. Right, and make no mistake, this has been slow to catch on. For one thing, as I'll explain in a minute, it's a serious pain in the butt. It's almost comical for the sender to get it working, and it's not for end users. It's intended specifically for use by bulk email senders. It's also not free, since it requires the use of an annually expiring certificate, behind which is some truly world-class authentication.
But I would argue that for this purpose, not being free is a benefit, since the entire reason the world is being buried in unwanted email is that it costs nothing to send. And even in a world with high BIMI adoption, email will still cost nothing to send. But only those senders who are willing to spend some money and take the time and trouble will be able to embellish their incoming email with their company's unspoofable brand logo and Leo for what it's worth. If this becomes adopted and becomes valuable, then Apple could, for example, could certainly choose to further enhance the authenticated status, Put a key on it or something that says this is not a gravitar.
Exactly, this is an authenticated piece of email. Okay, so for bulk mail senders, and even for me, I want that G to show up. It'll likely be worth something. So how does all this new stuff work? The first gating requirement for any possible display of a BIMI logo is that the sender's email passes DMARC validation. Okay, so let's briefly review these three email standards, which are all part of this: SPF, DKIM and DMARC.
SPF, which stands for Sender Policy Framework, uses additional records in the apparent sending domain's DNS to indicate which IP addresses are valid originators of that domain's email. Since email is sent using the SMTP protocol over TCP, the IP addresses of the endpoints cannot be spoofed. So when a remote sending email server connects to a receiving server, the receiving server obtains the unspoofable IP address of the sending server. Then, when the recipient receives an email claiming to be from a specific domain, the receiving server can issue a DNS query on the spot to request that originating domain's SPF records, if any. Those SPF records will specify which IP addresses are authentic senders for that domain. So if the IP of the sender of the incoming email for that domain is not authorized by the domain's SPF records, the connection will be dropped and the email will not be accepted. This costs nothing to do and it very nicely prevents spammers from spoofing the domains of valid senders. For example, I have an SPF record for GRC. It uses GRC's DNS to publish the IP address of GRC's email server. So when a random spammer generates email claiming to be from the GRC.com domain, any receiver of that email is able to check the sender's IP, see that it's not coming from the one IP allowed by GRC, and to then ignore the email. Note that SPF has no way of preventing the attempt to spoof an email's origin, but it does provide a zero-cost means for a recipient to confirm the validity of the originator. And you can believe that Apple and Outlook and Google and Yahoo and everybody, they're using this because they want to block all of this that they can.
While SPF identifies the authorized sender by IP address, it does not protect the integrity of the email itself. It offers no protection against anything that might alter the email's contents in transit. For that we have DKIM, which stands for DomainKeys Identified Mail. DKIM allows sending email servers to digitally sign the email envelope headers of their outgoing email, so that the receiving server is able to verify that signature. And once again, we have another use for DNS, where additional DKIM records in the sender's DNS domain are used to publish the public key. The receiving server queries the sender's DNS for its DKIM public key, then uses that key to verify the signature contained within the incoming email.
The final piece of this triumvirate is DMARC, Domain-based Message Authentication, Reporting and Conformance. DMARC is a policy which is also published in the sending domain's DNS. It allows the sender's domain to indicate whether their email messages are protected by SPF and/or DKIM, and this DMARC policy instructs a recipient what to do if either of those authentication methods, which the site says must be enforced, fails. Do they reject the message, or quarantine it, or send back a report, or what?
So a crucial thing to appreciate is that even today, all of these layers of email integrity and anti-domain spoofing are completely optional. There is no need for any of them to be present or applied. They benefit the sender by preventing the sending domain's reputation from being abused, and they benefit the receiver by providing a means by which the true sender of any DMARC-protected email can be verified. But all of this only works if both ends play. If the sender doesn't take advantage of these tools, or if the recipient doesn't bother to check against them, then neither end gets any benefit. The other factor here is that all of this happens down in the plumbing of the Internet's SMTP protocol. None of this is ever seen by any of the eventual recipients of the email. There's never been any obvious visual indication of whether or not any of these various tests pass or fail, until now.
One of the key requirements for any display of a BIMI logo is that the sender's DMARC policy must pass, which in turn requires SPF and DKIM to be present and to both succeed. So the first thing BIMI's display will mean in the real world is that the email actually originated from the claimed sender. And this brings us to the logo itself and the question of how BIMI avoids the unauthorized or fraudulent use of organization logos. What, for example, prevents somebody else from copying GRC's Ruby G logo and using it for themselves? To answer that question, let's see what the BIMI group themselves have to say. In their FAQ for this they write: Verifying a logo is authorized for use by a specific domain has been at the center of the debate since the idea for BIMI was first discussed. In fact, that very issue is why it has taken the past seven years to develop the specification.
1:43:03 - Leo Laporte
I should point out, by the way, that DKIM, SPF and DMARC are often now supported. For instance, Gmail will reject mail that isn't properly signed. So, that's the good news, right.
1:43:19 - Steve Gibson
Things are getting better, at least in that regard. Maybe better, at least in that regard, um, maybe. Uh, Google's policy is that if you send more than 5,000 pieces of email a day, then you have to have DMARC. Ah, okay, but I'm talking about inbound.
1:43:33 - Leo Laporte
I think that you have a good chance of getting blackholed if you are not. At least Google said they were going to require DMARC, but I might be mistaken on that.
1:43:42 - Steve Gibson
Uh, it's the, the problem is there are still too many servers out there that do not support it. Right, and they want to be able to send email to Gmail people because that's about half of the world. So right, yeah, uh, but bulk mail senders sending more than 500, 5,000 pieces of mail a day, Google will say. You're right.
1:44:03 - Leo Laporte
It says bulk. It says Google and Yahoo announced requirements that bulk senders must have DMARC in place. Yeah, yeah.
1:44:09 - Steve Gibson
Yeah, oh, I misread that. I thought it was everybody.
1:44:12 - Leo Laporte
But you're right, so few people have that.
1:44:36 - Steve Gibson
Right, and again, anyone who, any email supplier, like Apple or Google or whomever, who chose to could use BIMI to create a stronger indication that authentication was in place, because that would be nice to know. So anyway, they said this issue has taken seven years to develop, and this thing I'm reading was written in 2021, so it's been 10 years, oh my God. They said: Since this was such a difficult problem to solve, we developed two different types of BIMI records to get where we are today. Self-asserted records, they said. In the first case, there is no verification of the logo at all. It was left up to the mailbox providers to decide whether of evaluation such that a logo could be verified as being authorized for use by a domain. So, they said, up until recently, the most broadly deployed BIMI records were self-asserted. Only a couple of mailbox providers accepted them, and those that did, for example Yahoo, carefully considered which domains they allowed to display logos. Then, on July 12th, Gmail announced support for BIMI, which required an evidence document in the form of a Verified Mark Certificate. In order to obtain a Verified Mark Certificate, a company must provide evidence that their logo is a registered trademark, i.e. that a government agency recognizes its legitimate use. The VMC also attests to the use of that logo in relation to identified domains. Mailbox providers can now retrieve and verify the VMC to ensure that the logo is authorized for use by that domain. And I'll note that they've actually softened this a bit for that CommonMark. The CommonMark certificate just requires that you can demonstrate at least a year's worth of use of that logo on your domain. So they finish.
Regardless of which BIMI record is used, the situation collapses into a single requirement: reputational trust. Reputational trust from the domain to the VMC issuer. And so now we're talking certificates, and now we're talking certificate authorities, which is why DigiCert got into the game. In other words, we introduce the classic concept of a certificate authority. We trust the certificate authority, so we trust the certificate authority's identity assertions, by extension. Now they have an FAQ. They said at this time there are two certificate authorities that are accepted as mark-verifying authorities, MVAs, who can issue VMCs for use with BIMI, and get this, Leo: DigiCert and Entrust. And yes, it's that Entrust.
1:48:10 - Leo Laporte
How did that happen?
1:48:13 - Steve Gibson
The Entrust, from whom Chrome will no longer trust certificates signed after the end of this month.
And, by the way, Mozilla has made the same decision, ending their new certificate trust of Entrust one month later, at the end of November. Now I don't know whether Entrust's hack to become a certificate intermediary would work here, and I don't care, because GRC's BIMI certificate, if I'm ever able to get one, will certainly be signed by DigiCert. More on that in a minute. The BIMI FAQ continues. So they said it's essentially the job of the MVA, the mark verifying authority, to verify that the logos are authorized for use with BIMI. Then it's up to the mailbox providers to decide what MVAs they trust to issue VMCs, the Verified Mark Certificates. And, believe me, if everyone does what DigiCert does, it'll be a cold day in Arizona before any spammer is using GRC's logo. Okay, well, I'll explain in a second. They said, and if you're curious about the steps the MVAs perform when evaluating a request for a VMC, here's the current process the CAs are following, and then they provide the VMC guidelines latest PDF.
Now they said if you've gone through the entire 94 pages, congratulations. It's pretty dense and actually today it's 129 pages.
Oh, wow. So they said you'll see that the evaluation process is reasonably thorough. The CAs are trying very hard to ensure that their VMCs can be trusted. As a checksum, if the email security community finds the CA has improperly issued a VMC, mailbox providers will no longer accept VMCs provided from that CA, which would essentially neutralize the CA's VMC business. So maybe Entrust shouldn't even bother.
Okay, so I know that listeners to this podcast would find it interesting to see GRC's Ruby G logo appear in the sender field of their email client when, for example, they open email from me in Gmail or Yahoo or Apple. And if the presence of a BIMI logo and everything that went into obtaining one lent more credibility to GRC's email and helped them to be routed not to spam or junk folders, then I would regard that as time well invested. And in fact that's the other thing that is expected, is that BIMI signed email will have a stronger reputation out of the gate. So last week, after seeing that email from DigiCert, I headed over to their site to see what I needed to do. On the request Verified Mark Certificate page, the first thing that's needed is to create the logo. You've got to create it and upload it for them to approve. But, as I mentioned before, the uploaded format is quite specific and not readily created. In this day and age of widely varying device resolution, it makes sense for anything being newly defined to finally drop pixels and resolution in favor of vectors. Vectors are the only way to go for the future, and the world figured that out in the case of fonts a long time ago.
So the BIMI specification nominally uses SVG, the Scalable Vector Graphics standard. But they really wanted to get this right, which creates a few roadblocks, since pretty much nothing currently supports the new, deliberately constrained standard that they defined. On their Solving SVG Issues page they wrote: What is the SVG Tiny-PS standard? Huh. They said the SVG Tiny-PS, where PS stands for Portable, Secure, is a streamlined profile of the SVG Scalable Vector Graphics specification, designed to provide a lightweight, secure and portable solution for displaying vector graphics, particularly in environments with resource constraints. It retains the core functionality necessary for rendering scalable images, while eliminating more complex features that may pose security risks or require extensive processing power. Its simplicity and focus on security ensure that graphics are rendered consistently and safely across diverse platforms. When updating an SVG file to comply with the SVG Tiny-PS standard, additional considerations include ensuring device compatibility, maintaining performance efficiency and adhering to the standard's limitations.
SVG Tiny-PS supports a limited subset of SVG elements and attributes, and I can attest to that. Basically, the SVG standard grew over time, as all standards of this sort do, to include all kinds of superfluous crap. In fact, you could even put a bitmap in an SVG, even though that's contrary to the SVG concept, but of course. So what they've done is they've stripped it back to the things you really need. You know, curves and rectangles and circles and filled patterns and gradients and things, so you can do what you need. You just can't dump anything in. So it ends up being constrained. I think it's entirely reasonable, but it does introduce a hurdle.
After searching around the internet, the only tool I could find that would export an SVG file in what's known as the Tiny Version 1.2 format was Adobe Illustrator, and, having been an early fan of PaintShop Pro and CorelDRAW, I've never been over in Adobe's camp. But I discovered that Illustrator is available with a seven-day free trial. You don't need a credit card or anything. It'll just stop working after seven days. So I installed it, then used an Illustrator script which I found over on DigiCert's BIMI help page to export a fully compliant SVG Tiny-PS format. I then uploaded that to DigiCert, who inspected the file and approved it for BIMI's use. So now what? It turned out that was the easy part. I'll explain what happened next.
1:56:09 - Leo Laporte
That was the easy part. I'll explain what happened next.
1:56:13 - Steve Gibson
Then we start having to prove things. So let's take our last break, Leo. And then the fun begins.
1:56:20 - Leo Laporte
Wow, what fun this is Down the beamy trail, okay.
1:56:27 - Steve Gibson
Yeah, beam me up, Scotty.
1:56:28 - Leo Laporte
Beam me up, Scotty. Be me up, Scotty. Uh, all right, and you know that no normal human is going to know anything about this, or whether it exists or anything, so our audience will. So that's good. We will continue the saga of Steve's attempt to get a BIMI compliant logo in just a minute. But first a word from our sponsor, Vanta. Now, this is a company I can't get behind.
Whether you're starting or scaling your company's security program, you know that demonstrating top-notch security practices and establishing trust with your customers is more important than ever and, frankly, you probably have a legal requirement too. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust. You're going to love it too, because you can streamline security reviews by automating questionnaires and demonstrate your security posture with a customer-facing trust center. It looks great, all powered by Vanta AI. Over 7,000 global companies, like Atlassian, Flo Health, Quora, use Vanta to manage risk and prove security in real time. Wouldn't you like to do that? Well, how about getting $1,000 off Vanta when you go to Vanta, V-A-N-T-A dot com slash security now. V-A-N-T-A dot com slash security now, $1,000 off Vanta. You owe it to yourself to learn more about what Vanta can offer. Vanta.com slash security now. We thank them so much for supporting Steve's excellent works here. Somebody's got to pay the bill while he's raster vectoring his Ruby
1:58:24 - Steve Gibson
G.
Before a would-be BIMI user even begins the process, it's necessary for the organization to be certified at the EV level. Remember EV, those extended validation certificates that fell out of favor when web browsers decided to stop showing extra fields of green for EV certificate sites, because end users didn't ever really understand what was going on. To your point, Leo, about the BIMI logos. Maybe we won't ever understand, or maybe they'll be given special treatment once they achieve critical mass. Who knows? And also, since nothing prevented typosquatting sites from obtaining their own EV certificates, that was really the death knell, because typosquatters were able to get EV certs on their mistyped domain names. So users saw that and said, oh look, it's all green, it must be safe.
So even though EV certificates are not coming back, the level of organizational validation they once required is still going strong. What this essentially means is that any organization displaying a BIMI mark in their email will have been validated at the same level as is required for EV certification. In this case, it means that I had to have Sue standing by at our corporate landline when someone from DigiCert called the phone number that an organization such as Dun & Bradstreet has listed in their corporate records for Gibson Research Corporation. Sue answered DigiCert's call and verified a bunch of information about our company and our website. She also confirmed that I, Steve Gibson, would be serving as DigiCert's verified contact for this Verified Mark Certificate order and that I was authorized to request and have a Verified Mark Certificate generated. Do you get a special hat? No, but I got a special phone call. Good.
2:00:46 - Leo Laporte
Once that was done.
2:00:48 - Steve Gibson
I received an email explaining what my role would be. I first needed to take photos of the front and back of an officially issued US government photo ID and securely upload them to DigiCert through their SharePoint 365 account. Now, what might once have seemed intrusive is no longer any big deal, since, after all, National Public Data has already posted all of that stuff publicly.
Everybody's got that, it's all out there already, so who cares? On the other hand, couldn't all of that public data now be used to convincingly spoof an uploaded identity? Maybe, but DigiCert thought of that too. The next step was to use an online scheduling app to arrange an interview, first by phone and then by online Zoom video conference.
Using the scheduling app, I booked the first available 30-minute slot and at the appointed time I received a phone call from a DigiCert person. He identified himself as the person I'd been corresponding with and he instructed me to please upload photos of my ID to their SharePoint 365 account. I told him that I had already followed the link in the earlier email and done so. He thanked me and asked if I was ready to switch to Zoom. I told him I was, so he sent me a Zoom link. Clicking the link brought me into a two-way audio conference with a one-way video. His camera was never enabled, so I only saw his name, but he had a clear view of me, just like our listeners do right now, because I used our same system.
Yes, he had told me that I would need to show the same ID during the video conference, so I went back, got it out of my wallet. I had it handy. He first asked me to pose on camera so he could capture that. Then he asked me to hold the ID up next to my head.
2:03:01 - Leo Laporte
Oh, my God.
2:03:02 - Steve Gibson
So that both my face and my ID were on camera side by side at the same time. I did that. This is more than you had to do for an EV cert. Oh yeah, EV. We left off on Sue telling the guy to have a nice day. Wow.
So he asked me, while still holding the ID up next to my head, to pass my other free hand across my face, and then both in front of and behind my ID, while still holding it relatively motionless. Oh my God. It took a bit of finagling to satisfy him. And this brings us to the final step, where they verify that I've been using that logo on GRC's website for at least a year. Since I've been using it for the past 40 years, since before the web came into existence, from the moment it came into existence and every day thereafter, I figured this final step would be a slam dunk. So how do you imagine they verify my long-standing use of this logo? Oh no. Oh yes, they use the famous Wayback Machine. Oh no.
At the Internet Archive over at archive.org. I was wondering what the connection was. There was a slight glitch last week, since for most of last week and all of the weekend, and apparently until sometime yesterday, all of the Internet Archive was under attack and offline.
2:05:58 - Leo Laporte
They were trying to keep you from getting your bimmy. Now we know why.
2:06:05 - Steve Gibson
And as a consequence of that, after everything I had gone through, the final step in the long process of obtaining a BIMI certificate has been placed on hold.
2:06:17 - Leo Laporte
The weakest link. Oh, my God.
2:06:22 - Steve Gibson
Now that's fine with me, since GRC obtaining this certification is certainly not an emergency. So whenever it manages to happen will be fine with me, probably later this week. All of the required steps have been taken on my end. So once DigiCert is able to look back in time at GRC's historic use of that logo, which they will see on every single page that the Wayback Machine has ever indexed... Wait a minute.
2:06:54 - Leo Laporte
What if you weren't on the Internet Wayback Machine? Not everything is, right? That's true. The heck.
2:07:04 - Steve Gibson
That seems very... In that case, if your logo was registered, then you would be in the US Patent and Trademark Registry.
2:07:15 - Leo Laporte
Our logo is registered. Your logo is not registered.
2:07:16 - Steve Gibson
I never bothered to register the logo. Yeah, so that's why.
2:07:20 - Leo Laporte
Because ours is. This logo is in the trademark, and if you've got that trademarked, then no problem. It's a service mark or whatever it is.
2:07:27 - Steve Gibson
Yeah, okay. Marked, then, no problem. Service mark or whatever. Right, yeah, okay. So what happened was that a series of DDoS attacks began last Tuesday, October 8th, and somehow mixed in with that was a JavaScript library-based site defacement which affected the Internet Archive, and a breach which leaked usernames and email addresses and salted, hashed passwords for 31 million past Internet Archive users. The Archive's greatest concern was the preservation of the integrity of their Archive, so they took everything offline while they worked to figure out exactly what had happened. Wikipedia informs us that Brewster Kahle is an American digital librarian, computer engineer, internet entrepreneur and advocate of universal access to all knowledge. In 1982, he graduated with a bachelor's degree in computer science and engineering from MIT, and in 1996, Kahle founded the Internet Archive. In 2012, he was inducted into the Internet Hall of Fame.
2:08:41 - Leo Laporte
And a year later he was on Triangulation, if you ever want to see an interview with him. I love Brewster Kahle. Amazing fellow.
2:08:50 - Steve Gibson
He seems like 100% good. He's like what we wish we had more of.
2:08:54 - Leo Laporte
I agree, yeah.
2:08:56 - Steve Gibson
So archive.org has a Mastodon instance, and Brewster has posted two updates there. His first one said: "What we know: DDoS attack, fended off for now. Defacement of our website via JS library. Breach of usernames, email, salted-encrypted passwords. What we've done: disabled the JS library, scrubbing systems, upgrading security. We'll share more as we know it." And then he said a little bit later: "Sorry, but DDoS folks are back and knocked archive.org and openlibrary.org offline. @internetarchive is being cautious and prioritizing keeping data safe at the expense of service availability. We'll share more as we know it."
So, as I said, I checked this morning online and saw a raft of articles about this. You know, the headlines read, from Bleeping Computer: "Internet Archive Hacked, Data Breach Impacts 31 Million Users." Forbes wrote: "Internet History Hacked, Wayback Machine Down, 31 Million Passwords Stolen." The Verge wrote: "The Internet Archive is Still Down but Will Return in Days, not Weeks." That's something that Brewster posted elsewhere. Cybernews said: "Internet Archive Down After Two-Day DDoS Attack, User Info Compromised." And Fast Company more recently said: "The Internet Archive is back online after a cyber attack." So I've observed some of the internet dialogue surrounding this event, and this interruption in the availability of the Internet Archive has served a useful purpose. I think it has served to make you realize just how important it can be to have a Wayback Machine that allows us to view earlier states of the internet. Our listeners may recall that I put the Archive's Wayback Machine to extensive use back when we were examining the effects of that polyfill.io trouble, where we looked at the danger of a publisher of a widely used and publicly hosted JavaScript library turning control over to another entity. I needed to look back in time to see how the polyfill.io site had grown and evolved since its earliest days, and this research was only possible because the Wayback Machine had been quietly, dutifully and continuously taking and storing snapshots of the polyfill.io site, along with all the other sites that it crawls on the internet, throughout its entire life.
The Verge's most recent reporting said this. They said: "The Internet Archive is back online in a read-only state after a cyber attack brought down the digital library and Wayback Machine last week. A data breach and DDoS attack kicked the site offline on October 9th, with a user authentication database containing 31 million unique records stolen in recent weeks. The Internet Archive is now back online in a provisional read-only manner, according to founder Brewster Kahle. 'Safe to resume, but might need further maintenance, in which case it will be suspended again,' he said." And they wrote: "While you can access the Wayback Machine to search 916 billion web pages that have been archived over time, you cannot currently capture an existing web page into the archive. Kahle and team have gradually been restoring archive.org services in recent days, including bringing back the team's email accounts and its crawlers for national libraries. Services have been offline so that Internet Archive staff can examine and strengthen them against future attacks. A pop-up from a purported hacker claimed the archive had suffered a 'catastrophic security breach' last week before Have I Been Pwned confirmed the data was stolen."
The theft included email addresses, screen names, hashed passwords and other internal data for 31 million unique email accounts. The Internet Archive outage came just weeks after Google started adding links to archived websites in the Wayback Machine. Google removed its own cached page links earlier this year, so having the Wayback Machine linked in Google search results is a useful way to access older versions of websites or archived pages.
2:14:17 - Leo Laporte
This would be a good opportunity, by the way, for people to donate to the Internet Archive. I'm a longtime supporter. I give them money every month.
2:14:26 - Steve Gibson
As am I.
2:14:27 - Leo Laporte
Yeah, this is such an important... more than a service. This is an important way to back up our history, and it's got to be supported.
2:14:36 - Steve Gibson
And I don't know if an organization like Cloudflare might be interested in being a benefactor here, you know, nor what Brewster's requirements would be. They might be in collision, or even if it's even feasible. But the Internet Archive, Leo, as you said, it's a vital tool for researchers, academics and others, and I suspect that its value and importance will only increase over time. In any event, it now appears that the Wayback Machine is limping back online and that before long, DigiCert will say that they have been able to use the Wayback Machine to verify my decades-long use of that G logo and issue a BIMI certificate that will be valid for any newly minted certificate's maximum life of 398 days. They seem eager to host the logo and the certificate from their servers. You can do it yourself, but they're volunteering, so I'm fine with that. It seems to me that, you know, they'll provide the URLs, and it might add a little more credibility to it that it's coming from, you know, digicert.com. So whenever a BIMI-supporting email provider receives email from GRC, as you know, Apple will, Gmail will, Yahoo will and so forth, in addition to verifying that email's authenticity by pulling our SPF, DKIM and DMARC DNS records, they'll proactively check for and pull GRC's BIMI record, which will provide two URLs. It will tell them where to obtain the RubyG SVG logo itself and where to find its validating certificate. I haven't looked into how the logo and the certificate are related, but since it's possible for me to host those files myself, they must be protected from tampering, assuming that the SVG file itself is not altered. The certificate probably contains a hash of the approved SVG logo file and an indication of the domain for which the logo is valid. So anyone wishing to support BIMI logo embellishment on their mailboxes could look up the information, hash the SVG logo they retrieve, and check for the matching hash inside its matching BIMI certificate.
Since the certificate would be signed by DigiCert's trusted root, this would establish a chain of trust sufficient to authenticate the logo's use for the indicated email domain, and the email provider could then confidently show that logo to its email users, but only if the email also passes DMARC validation. So it's the first visible indication we've had on the internet of email authenticity, in the guise of a logo provided by the email sender.
Now for GRC. As I've said, that did not happen in time for this week's podcast mailing to the Security Now subscribers, which went out this morning. But having jumped, as I said, through all these hoops to get this far, and with us now only waiting for the Wayback Machine to be available to allow GRC's historical logo usage to be confirmed, I'm hopeful that everyone may see it in their mail next week, so that'll be an interesting change.
Upon learning that Gmail had adopted BIMI support some time ago, I went poking around in my own Gmail inbox, though I did not dig too deeply, and again, I don't get lots of valid email there. It is my throwaway email account. I did see that PayPal and Disney Plus both had BIMI logos for their email. So BIMI logo usage is around, but we're certainly not seeing it in common use. Will it become more common over time?
It's too soon to tell, since email providers have total freedom to decide which certificate authorities' Verified Mark Certificates they wish to support. And having seen the costly rigor DigiCert just applied to me to prevent any form of spoofing, it's clear that if the BIMI group could be accused of anything, it would be setting the bar for this too high. But in an industry that has repeatedly been in such a hurry that the bar is usually set too low, I consider this to be a change in the right direction.
Though obtaining this level of identity proof is difficult and costly, any organization that does this gets a year of extra-strong identity for their email, if anyone notices or understands. At this point, I'm pretty certain that most users have no idea that any of this is going on. I certainly didn't until I dug into this. But if it catches on, it might begin to chip away at some of the catastrophe that completely free email creation and delivery has created, and it only costs something to the sender, who's decided that they care enough to super-authenticate the sending of their email to their recipients.
2:20:26 - Leo Laporte
Couple of questions. That's BIMI. One: doesn't an EV cert cost quite a bit of money?
2:20:35 - Steve Gibson
Yeah.
2:20:36 - Leo Laporte
They are not cheap. Okay, like thousands of dollars a year.
2:20:43 - Steve Gibson
I don't think it's that much. It's not that much. I think that's a multi-year with an annual renewal, but you can't get multi-year renewal anymore.
2:20:51 - Leo Laporte
So yeah, okay, maybe it's not that expensive, but it's expensive. It's not trivial to get it. It's interesting that it's required. Is that just a DigiCert requirement or is that a BIMI requirement?
2:21:02 - Steve Gibson
That's a good question and, as I said, I did not look through that 127-page document on its requirements. But what is required is EV-level certification.
2:21:16 - Leo Laporte
That makes sense.
2:21:17 - Steve Gibson
So I didn't actually get an EV cert. I didn't mean to imply that I got an EV cert, but EV-level certification.
2:21:26 - Leo Laporte
Oh, you don't have to have an EV cert. You just, oh, you were just saying it's the same level.
2:21:32 - Steve Gibson
I misunderstood it's EV-style certification.
2:21:36 - Leo Laporte
God, they call and all that.
2:21:38 - Steve Gibson
Yeah, back when we were doing EV certs, sue had to do the same thing. She had to be standing by when the phone rang and answer it and sound official.
2:21:47 - Leo Laporte
Yeah, we did the same thing. Yeah, yeah. And any company would be able to, you know, jump through those hoops. Yeah, PayPal's got, you know, they pay people to stand around. All right, okay. That'd be interesting to see if this catches on. I feel like it doesn't really go the full distance and, of course, you've got to get all the email clients to display it. True, true. I was just looking at Fastmail. I don't see any provision in Fastmail to display BIMI logos. Are they...
2:22:21 - Steve Gibson
Gmail does. Fastmail?
2:22:24 - Leo Laporte
I named them earlier. They're in the group. That's why I was surprised.
2:22:28 - Steve Gibson
So are they in the group that were supporting it or were displaying it?
2:22:35 - Leo Laporte
They were in the initial team putting it together. Ah, okay. But whether they... I mean, maybe they do. I just did a cursory search.
2:22:43 - Steve Gibson
So you should, if you have PayPal or Disney+. Those are the only two that I know of.
2:22:49 - Leo Laporte
I have a dedicated PayPal folder.
2:22:52 - Steve Gibson
And maybe, if this works, by next week you'll be able to look at my mail.
2:22:58 - Leo Laporte
That would be so cool.
2:23:00 - Steve Gibson
Yeah.
2:23:01 - Leo Laporte
Yeah, I would like that. Oh well, yeah.
2:23:06 - Steve Gibson
I don't see any. I'm going to do it, and our listeners who receive email from me will. I mean, like any time you get email from GRC, it'll be embellished with that RubyG logo.
2:23:17 - Leo Laporte
Yeah, I'm looking at PayPal emails and I don't see any logo.
2:23:21 - Steve Gibson
The other question was, it's got their little double P leaning. Yeah. Is the logo, and that's presumably stored, not by PayPal? Right. It is, well, PayPal could source it or DigiCert could source it. See, I don't like it if PayPal sources it, because then that's a tracking pixel. Uh oh, if it's not embedded, you're right. No, well, no, no, because Google, for example, would download one copy of it, and then would use it everywhere, cache it. Okay, right, that's fine.
2:23:58 - Leo Laporte
I would just I could see paypal going.
2:24:00 - Steve Gibson
Oh good, yeah. So it's not the email client that reaches out and fetches it, it is the server provider. That is, only if the email passes DMARC and you have a matching certificate for the logo, then the email provider adds that to your inbox.
2:24:19 - Leo Laporte
Well, I don't mind the idea. We'll see what happens. I look forward to seeing a RubyG in my email from now on. Make it a lot easier to find you, yay, in that pile of trash I call my email.
Steve Gibson is at GRC.com. You know what that stands for: Gibson Research Corporation. That's where he does his work, including creating SpinRite, the world's best mass storage performance enhancer, recovery tool, maintenance tool. If you have mass storage, you need SpinRite. It's his bread and butter. 6.1 is the current version. Everybody who has previous versions can get an upgrade. But if you don't, now would be a good time to purchase your own personal copy of SpinRite while you're at GRC.com.
He also has copies of the show: 64-kilobit audio, kind of the traditional canonical version, but he also has 16, 1-6, sweet 16-kilobit versions for the bandwidth impaired. He has transcripts written by a human, Elaine Farris. That's why they don't come out the same day as the podcast. It'll be a couple of days later. He also has the show notes, which are very handy if you don't have the transcript yet, for reading along. The transcript is actually everything that was said. All of that at GRC.com. And if you want the emails, I think I love this midweek email. This could make your emails even more valuable. If you send out alerts and bulletins and things like that, to get on that list or just to get validated so that you can send him email, go to GRC.com/email. And we do need to remind people, because they're always complaining.
2:26:01 - Steve Gibson
They go, "I signed up for this and I can't find out anywhere. Where is the address where I send it to you?" And I write back and I say, I know, that's on purpose, because this is not for everyone. This is for people who actually listen to the podcast. Yes, so nowhere on GRC does it say securitynow@grc.com.
2:26:22 - Leo Laporte
No. You know, you might guess that, but I do the same thing. People say, why don't you? You really need to publish an email address. No, I don't want your email. I don't need email. We do have an email address, but good luck finding it. Let's put it that way.
2:26:38 - Steve Gibson
And I do want your email, but you've got to sign up. You know, you don't have to subscribe to the email, just register. That's my anti-spam. Oh, and Leo, you would not believe the spam fest that is now at that address. Oh my God. None comes in, because the spam senders are not registered. But the reason I did this was I knew spam would happen. And boy, it is a hurricane out there.
2:27:07 - Leo Laporte
It really has not gotten any better. The only thing that's gotten better is our ability to filter it out.
2:27:12 - Steve Gibson
Well, and when you have a big provider like Gmail, they have such visibility that they're able to see crap coming in across their user base and go wait a minute. This is just junk.
2:27:24 - Leo Laporte
Yeah, my experience, though, with Gmail filtering is it's not very effective.
2:27:27 - Steve Gibson
No, you have to train it more.
2:27:29 - Leo Laporte
Yeah, maybe that's it. Yeah, I stopped using it. I use Fastmail. You know I use Fastmail. Let me see what else. Oh, we have a copy of the show at our website, twit.tv/sn. That's important. When you go there, you might as well sign up for Club Twit, because that's the best way to support Steve's work. twit.tv/clubtwit supports everything we do, gives you access to the Club Twit Discord, also gives you access to a lot of extra content. We've got a coffee show coming up on Friday. We're going to talk about beans, bean connoisseurship. This will be very interesting. Oh, Steve, if you're not paying attention to the beans, you're missing a whole thing.
2:28:07 - Steve Gibson
Where have you been all my life? Where have you been.
2:28:10 - Leo Laporte
So that'll be fun. And then next week is Stacey's Book Club with a really fun book. Jason Snell said best book of the year. It's called Service Model by Adrian Tchaikovsky. I have finished it, which means I now can move to the new Peter F. Hamilton. I'm very excited about that. Anyway, Stacey's Book Club is on the 25th, Micah's Crafting Corner.
There's a whole lot of stuff in the club. The club is very important to us. It kind of helps us smooth out the bumps. As you may have heard, podcast monetization is not what it was and, as a result, we really need your help. twit.tv/clubtwit, or scan the QR code in the upper left of the screen and join the club. It's a great place to hang, all the fun people.
In Discord you can watch us do the show live. Thanks to the club and club members, we are able to put this up on Restream, which puts it in not one, not two, but seven different streams. There's the Discord stream for club members, but there's also YouTube, youtube.com/twit/live, Twitch.tv, Facebook, X.com, LinkedIn and Kick. Seven different places you can watch this show live, and the chats in all those places are live, and I see all the chat posts from all the different places. So, thank you, I appreciate that. What else? Oh, you need to know when we do it, don't you? It's Tuesdays, right after MacBreak Weekly, which is usually around 1:30 to 2 pm Pacific time, 5 pm Eastern, 2100 UTC, at those various places. After the fact, though, you can get the show, as I said, at Steve's site or at twit.tv/sn. There's also a YouTube channel dedicated to the video.
That is really handy, because I know a lot of times you'll hear something on the show and say, oh, I got to show this to my friend, my boss, my roommate, my mother, whatever. You can easily clip those things on YouTube. Everybody knows how to watch a YouTube clip, and YouTube has a nice clipping feature, so you could take that little portion of the show, send it to them. That helps us, because it's a subtle way of introducing new listeners too. In fact, another way we're doing that now is a referral program.
If you're a Club Twit member and you invite somebody else to join and they join, you get a month free, so that can add up. That can make your whole membership free, just by spreading the word. That's very important to us. After the fact, you can also subscribe, of course, in your favorite podcast player and, honestly, I know there's 996 episodes, but I think anybody who's interested in this should have all 996 on their hard drive. Subscribe now, start your collection, then you can go back to the website and download all the rest. Three away from 999. And then we don't know what happens. Steve's got to rewrite his entire system.
2:31:10 - Steve Gibson
I do have to update some code. Do you really?
2:31:13 - Leo Laporte
Yeah, you never thought there'd be four digits. Who would have thought that, Leo? In fact, for years you actively planned for there not to be, but thank goodness I said, oh well, too bad. Too bad, so sad.
2:31:28 - Steve Gibson
That'll be a good point. That'll be a good time to hang up.
2:31:31 - Leo Laporte
There is no good time to hang up the security spurs or whatever, whatever you wear during the show. Good. Yay, we're all happy. Thank you, Steve. Have a great week, go play your game, and I will see you next time on Security Now.
2:31:46 - Steve Gibson
Will do, and we'll be almost certainly talking about the Passkey FIDO exchange framework in detail next week. So everybody, bring your propeller hat beanies and get ready to spin up the propeller.
2:32:01 - Leo Laporte
And if you want to know more about the Internet Archive issue, Cory Doctorow is going to be on Twit on Sunday, and we will absolutely go into the Internet Archive, and do good work, sometimes. Cool.
2:32:12 - Steve Gibson
Have a great day, Steve.
2:32:13 - Leo Laporte
Okay, bye.