| ||||||
Description: What's the new "nearest neighbor" attack, and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese-built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new zero-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Sharia Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. Then we ask: What are Microsoft's "Connected Experiences," and why might you choose to disconnect from them?
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1002.mp3 |
SHOW TEASE: Time for Security Now!. Steve Gibson is here. He's in love with these Chinese cranes that they use at container ports. But he says there's a problem. Apparently there's a Chinese backdoor. Oh, no. We'll also talk about the "Nearest Neighbor" attack, and a warning about a new feature of Microsoft Windows they call "Connected Experiences." Steve says it's a recipe for disaster. All of that and more coming up next on Security Now!.
| Leo Laporte: This is Security Now! with Steve Gibson, Episode 1002, recorded Tuesday, November 26th, 2024: Disconnected Experiences. It's time for Security Now!, the show where we talk about your security, your privacy, how the Internet works, how computers work, a little bit of sci-fi thrown in, maybe some vitamin D. And it's all because of this guy, the man in charge, our very own Steve Gibson. Hi, Steve. |
| Steve Gibson: Hey, Leo. You know, when you're saying "Security Now!," you're leaning back, and it gives us kind of a nice, like, the... |
| Leo: I have to for the mic. |
| Steve: That's right, a little Doppler shift effect there. |
| Leo: I learned that from Adel. It's so funny because I realize now, we had a photo meetup in New York City, oh, gosh... |
| Steve: Yeah, a couple months ago. |
| Leo: Couple months ago, September. And I would look back at the pictures, and there were a bunch of people doing the "Live Long and Prosper" sign. And I realized, that has become, not just the Security Now! thing, but everybody now. |
| Steve: Really. That's... |
| Leo: It's our TWiT hand sign. |
| Steve: That's very cool. |
| Leo: Thanks to you. |
| Steve: That's good. |
| Leo: What's going on this... |
| Steve: I know not everybody can do it. |
| Leo: No, I know. I know. Didn't they have to tape Leonard Nimoy's fingers because he in fact could not do it? |
| Steve: Interesting. |
| Leo: And they had to - I believe there's an anecdote of how they, when they first - he was the guy who came up with it, but he couldn't do it. Maybe it was somebody else who couldn't do it. But, yeah. Anyway. I'll go find that anecdote. We want to hear that. |
| Steve: As I was saying to you before we began recording, every time I look at these four-digit episode numbers I'm thinking, whoa. |
| Leo: Wow. |
| Steve: I mean, that really does seem like an accomplishment. |
| Leo: It is. |
| Steve: Yeah, wow. |
| Leo: You should be very proud, yeah. |
| Steve: Well, we're at one oh two. One oh two. One thousand and two today. |
| Leo: See, there's the problem right there. |
| Steve: Yeah. |
| Leo: Even his brain can only do three digits. |
| Steve: We're at 1002. And the software didn't collapse. I did spend some time updating GRC's system so that it also would not freak out when four digits were presented to it. And that all - that experience was smooth. Emailing continues to go well, it was 13,219 subscribers received the show notes, the Picture of the Week, various links and things, yesterday evening. So that's turned out great. And we're going to have lots of feedback because there was also lots of news. But my discussion of what I titled "Disconnected Experiences" wasn't half of the podcast, as some of our main topics have been in the past. I have something like 3,800 pieces of feedback from our listeners. So I have plenty to choose from. I feel a little bit badly that I'm getting so much feedback that I can't even begin to put a dent in it. But thank you, everybody, for sending me your thoughts. And as I said, the quality of the feedback has a very different flavor since we were able to switch to email, and people didn't have to try to squeeze something into 280 characters. So, big benefit. We're going to talk about, at the end of this, something that Microsoft calls their "Connected Experience," which is an interesting turn of phrase. We'll understand what it is, why they sort of slipped it in under the covers, and why it may not be what everyone wants; and, if so, how you can turn it off, thus disconnecting your experience from Microsoft. And it's not what it sounds like, either, because, I mean, it's not at all that. But we're first going to talk about something known - actually, and this was probably the most sent to me topic for the show, and it happens that it's what I had chosen myself already by the time I saw that, the "nearest neighbor" attack. And, wow. It just sort of goes to show you how clever bad guys can be, whether we like it or not. We also have Let's Encrypt just turning 10. We're going to take a little bit of a retrospective look at the changes that it has wrought. Also, now the Coast Guard is worried about Chinese-built ship-to-shore cranes. Turns out 80% of the big cranes that we use for offloading containers are made by China. And what could possibly go wrong there? Uh-huh. Also, Pakistan becomes the first country to block Bluesky. Going to talk about that. There's also a new way to get Git repos "swatted" and removed from their repositories. |
| Leo: Oh. |
| Steve: I know. Again, it just - it's just incredible how clever bad guys can be. Who's to blame for Palo Alto Networks' serious new zero-day vulnerabilities? And if you have any of six specific older D-Link VPN routers, the advice would be to unplug them immediately. We'll see why. It turns out that, speaking of VPNs, they are against Sharia Law. So says some legislators in Pakistan. So we'll touch on that. Also we have the return of Windows Recall. What are we learning from that? And how many of today's systems remain vulnerable to last year's most popular exploits? So after sharing then a bunch of feedback from our listeners, we're going to talk about disconnecting your experiences from Microsoft. So I think another interesting podcast for our pre-Thanksgiving listeners. |
| Leo: Yeah. Shatner, according to Patrick Delahanty, is unable to do the salute. So he would have to put his fingers in position, and then he would hold it up, or he would hold it up behind. |
| Steve: And did he actually do it often? Obviously Spock was the - it was a Vulcan hand sign. |
| Leo: It was a Jewish hand sign that Leonard Nimoy had seen in his childhood. |
| Steve: Oh. |
| Leo: That meant roughly, it was a Jewish benediction. And it wasn't in the script, but Nimoy thought, well, you know. And then he asked the director, is it okay if I do this, and the director said, yeah, that'll work real well. And it became, of course, a trademark. Shatner joked that it took years of diligent practice and self-denial for him to be - he was on Conan - to be able to do it because he could not do the "live long." |
| Steve: And there are people who can't. The best man at my wedding was unable to do it. |
| Leo: Wait a minute. You had this at your wedding? |
| Steve: Of course. |
| Leo: At what point did you say "Live Long and Prosper"? Was this instead of kissing the bride? What did you... |
| Steve: Gary got up for the best man's toast and said to, you know, was holding the microphone and said, "Now, Gibson made me promise that I would not do anything to embarrass him." |
| Leo: Oh. Oh. |
| Steve: "So I'm just going to say," and then he held his hand up and said, "Live Long and Prosper." |
| Leo: Oh, that's beautiful. |
| Steve: But he had two orthodontia braces bands around his fingers because he also was unable to do that... |
| Leo: I can't do it with my left hand. I can only do it with the right hand. |
| Steve: ...without some assistance. |
| Leo: Yeah. |
| Steve: Well, you'd expect... |
| Leo: Here. You didn't like the sound effects, but I will play one more, "Live Long and Prosper," and continue on now. |
| Steve: Yes. |
| Leo: With the show. |
| Steve: And I thanked Gary for keeping his toast quite quick and to the point. |
| Leo: That's a perfect toast. That says it all. |
| Steve: Yes, yes. |
| Leo: All right. I have the Picture of the Week. Shall I look at it? |
| Steve: Yeah. |
| Leo: I'm going to scroll up here. |
| Steve: I gave this the caption "What's wrong with this picture?" |
| Leo: Oh, I love it. |
| Steve: I do. And, okay, so for those who aren't seeing it, we have the entry to a facility where there's a big staircase sort of front and center in the middle. And you can imagine the parking lot is on a lower level. So these stairs are leading up to the entrance to this facility. And to make things easier for the people who wish to come and go, at the extremes, the far left and the far right of the staircase, are escalators, one, you know, an up escalator, and the other the down escalator. Which would all be fine. But sort of the non sequitur of this whole thing is that the facility is 24-Hour Fitness. And nobody's on the stairs, and the people are taking the escalator. |
| Leo: No, no, no. I have to go on a Stairmaster. I can't just climb stairs. |
| Steve: So, and of course, the show notes went out yesterday evening. And so I've already had feedback saying, how do you know they're not going up the down escalator, which is actually giving them extra exercise? |
| Leo: Oh, that would give you more exercise, yes. |
| Steve: Rather than if the stairs were fixed. |
| Leo: There you go. |
| Steve: And there is that. Or what about for people who are there for physical therapy, you know, PT, and so they're not able to climb the stairs? You know, they need to be gentle. And I thought, well, yes, of course. Thank you very much. |
| Leo: We have to be accessible. |
| Steve: Those alternative possibilities. Anyway, I always - I think we showed this once before. I know I've seen it before. And I just always get a kick out of just sort of the, like, okay, we're going to 24-Hour Fitness, but we're not ready to start working out just yet. We're going to take the escalator up rather than taking the stairs. |
| Leo: Well, that's the equivalent of searching for the closest parking space, too; right? Why walk? |
| Steve: Yes, in fact, yes. Somebody also wrote to me using exactly that analogy. How many times - in fact, at his gym he's see people circling, waiting to get a close parking place, rather than walking from afar. |
| Leo: There's exercise, and then there's just work; you know? |
| Steve: Okay. So, wow. Last Friday, on the 22nd, the security firm Volexity published the details of a somewhat astonishing and successful attack. Being several years old, predating Russia's invasion of Ukraine, this story is not about a threat any of us will ever face, at least almost certainly not. But I wanted to share it since it presents a perfect example of my "porosity" theory of security, where the security of today's systems is best viewed as being porous to varying degrees. I like this model of a porous system which I think fits best because, while the amount of effort an attacker may need to exert to obtain access to any specific system may vary, most systems - and look at systems in the broadest sense. Most systems can ultimately be breached by a sufficiently motivated and determined attacker. Okay, now, that might mean, you know, arranging to install a subverted employee into the organization, I mean, right, playing the long game. Or it might mean, you know, subjecting employees to phishing attacks of increasing complexity until you finally make it happen. The point is, our systems are not infinitely secure. They're, you know, kind of secure, where it kind of varies. So, you know, the term "absolute security" is more of a concept than a reality today. Okay. So here's how Volexity opened their disclosure of this astonishing attack which they're now able to talk about. They wrote: "In early February of 2022, notably just ahead of the Russian invasion of Ukraine" - and that ends up being significant, as we'll see - "Volexity made a discovery that led to one of the most fascinating and complex incident investigations we'd ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site," and they said, "(we'll refer to them as Organization A because they're still going to be anonymous even today), indicated a threat actor had compromised a server on that customer's network." They said: "While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity had not previously encountered. At the end of the investigation, Volexity would tie the breach to a Russian threat actor it tracks as GruesomeLarch, publicly known by many names." One is best known, I like APT28. There's also Forest Blizzard, Sofacy, Fancy Bear, and among other names. In other words, the Russians. They said: "Volexity further determined that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on and projects actively involving Ukraine." Okay. So what did Volexity's investigation uncover? Strange as it might at first seem, despite being thousands of miles away in Russia, this well-known APT28 group of Russian state-sponsored actors breached an unnamed U.S. company - this Organization A - by gaining access through its enterprise WiFi network. But wait, we're thousands of miles away in Russia. How's that possible? If I told you that the attack has been dubbed the Nearest Neighbor attack, you'd start to get the idea. That's right. APT28 pivoted to their ultimate target after first compromising an organization in a nearby building that was within WiFi range of their target. APT28 has this level of expertise. They're part of Russia's military unit 26165 in the General Staff Main Intelligence Directorate (the GRU), and they're known to have been conducting offensive cyber operations dating as far back as 2004, so for the past 20 years. APT28 initially obtained the credentials to the target's enterprise WiFi network through password-spraying attacks targeting a victim's public-facing service. But the presence of multifactor authentication prevented the use of those credentials over the public web, so they couldn't use the web. Although connecting through the enterprise WiFi did not require multifactor authentication, as Volexity phrased it, "being thousands of miles away and an ocean apart from the victim" presented a problem. So the hackers got creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network. The idea was to compromise another organization and search its network for a wired accessible device containing a wireless adapter. You know, so a dual homed, both wired and wireless. Such a device, whether it be a laptop, a router, or an access point, would theoretically allow the hackers to use its wireless adapter to connect to the target's, you know, Organization A, the targeted organization's enterprise WiFi. Volexity wrote this. They said: "Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an Internet-facing service. However, it was not clear where the attacker was physically that allowed them to connect to the enterprise WiFi to begin with. Further analysis of data available from Organization A's wireless controller showed which specific wireless access points the attacker was connecting to. "After overlaying them on a map, a physical map that had a layout of the building and specific floors, Volexity could see the attacker was connecting to the same three wireless access points that were in a conference room at the far end of the building near windows along the street. This gave Volexity the first evidence that, as they put it, 'the call was not coming from inside the building.' Could this be an attacker conducting a close access operation from the street outside? Nothing was ruled out, but Volexity was not too far off from discovering the real answer." Okay. So what they discovered was that APT28 had compromised multiple organizations as part of this attack. They daisy-chained their connection using valid access credentials. Ultimately, they gained access to a device containing a WiFi radio that was able to connect to those three access points near the windows of the victim's conference room. Then, using a remote desktop connection (RDP) from an unprivileged account, the threat actor was able to move laterally within the target network to search for systems of interest and to exfiltrate the data which had been their target all along. The attackers generally used "Living off the Land" techniques, as they're now referred to, which rely mostly on already present native Windows tools in order to minimize their footprint and thus reduce the chance of being detected. And one of the things that's happened in Windows through the years is the number of already present built-in utilities, you know, things you just don't even realize are there, have really expanded. So for attackers who have full knowledge of just how much available utility is in Windows for them to repurpose, there's a lot they're able to use. Even with all of their research, Volexity was working from forensic data and was unable to trace the attacks back to the original attackers. Attribution at that point was still impossible. But a Microsoft report just this last April provided them with the missing clues. Volexity saw clear overlap in indicators of compromise, as we call them, IoCs, that clearly matched and pointed to the Russian advanced persistent threat group. Based on details in Microsoft's report, it's very likely that APT28 was able to escalate privileges before running critical payloads by exploiting a zero-day vulnerability back in 2022, CVE-2022-38028, that existed in the Windows Print Spooler service - remember we talked about that a lot a couple years ago - within the victim's network. So our unsettling takeaway from this is that close-access operations, as they're known, that typically require proximity to the target, such as from an adjacent parking lot sometimes is used, can also be conducted from great distances by compromising something nearby. You know, that makes an otherwise impossible attack possible and has the benefit of eliminating all the risk to the attacker of being physically identified and caught onsite. Nobody can get them. The other, and this is the most significant takeaway, I think, for our listeners is that everything should be logged. The mantra should be "Log everything." It's crucial to appreciate that it is inherently impossible to know which logs will be needed after the fact. And nothing brings an investigation to a grinding halt more quickly than running up against the, "Oh, we don't have logs of that." Today's storage is so inexpensive that it's no longer a factor. Logs don't take up much space. They contain so much redundant information and formatting which is repetitive that they compress down to nothing. And they serve as a form of time machine that later allow forensic investigators to venture far back into the past to view what happened when and to retrace the previously unseen footsteps of unknown network users. And logs are not only useful for tracking Russians. Large corporations cannot be certain about the changing motivations and loyalties of their own employees. So an IT culture of logging, and letting it be widely known within the enterprise that everything within an organization is being logged, is a bit like planting a sign on the front lawn to let would-be burglars know that the premises is being monitored by such-and-such a company. It can be an ounce of prevention. |
| Leo: It reminds me of the warning that I always get when I do a sudo and mistype the administrator password, and then it says - or give the wrong name. It says you are not allowed to do this. Your presence will be logged. Back in the day they knew this stuff. You know, the other lesson, though, is also important, which is that we are not operating on our own, that we are in a community, and our security impacts other people's security; right? That this is not just our machine that we're securing or not securing. We could be a vulnerability happening to our neighbor. |
| Steve: Yeah. Well, and in fact, you know, oftentimes now you go and look at the available WiFi access points within range. |
| Leo: Oh, man. |
| Steve: It's astonishing. |
| Leo: It is really, yes. We're living in a community. |
| Steve: Yeah. |
| Leo: And we all have a responsibility. |
| Steve: So it is the case that one WiFi network is able to see another one. And if the hackers are good, they can get near you and then use that WiFi link to jump across the air gap. So, wow. The world we live in today. Okay. Let's Encrypt has turned 10, Leo. And you and I have been here the entire time. |
| Leo: Yup. |
| Steve: Watching it happen. |
| Leo: You did a show when it first came out; right? |
| Steve: Oh, yeah. Last Tuesday was the 10th anniversary of Let's Encrypt, and its statistics page shows that its certificates are now being used to encrypt the connections of, get this, 500 million domains, half a billion domains. |
| Leo: Wow. |
| Steve: And the rate of certificate issuance, I have that chart and the rate of certificate issuance both in the show notes for anyone who is interested. The rate of certificate issuance tells the story. This shows that the number of certificates issued per day has now touched six million. Now, that's of course because the certificates are short-lived; right? They're 90 days. So that's one of the things that Let's Encrypt has been able to do is to reduce certificate life by automating the process. Twenty years ago, when we began this podcast, most websites used unencrypted and unauthenticated HTTP. Those sites which needed to obtain private and confidential information from their users, even if it was only their username and password to login, would typically switch to an HTTPS connection only during the transmission of that information, and then would switch back. We later learned the problem with that because during that secure negotiation of username and password, the browser would be given a cookie. But then when the browser switched back to HTTP non-secured, non-encrypted connections, that cookie would be transmitted in the clear, which we had a lot of fun with under the name Firesheep, which was a means of very easily capturing that credential from an unsecured WiFi network and immediately impersonating a logged-in user. The good news is those days are gone. But as the world began to grow ever more dependent upon the Internet for everything, it became clear that this original "trust by default" model was not going to take us where we needed to go in the future. The industry needed a future where the privacy provided by encryption could be available to everyone, not just those who were willing to pay to purchase a certificate, because the trouble was that encryption required certificates, and certificate authorities had made a lucrative business out of verifying the identity of website owners and signing their certificates which attested to that verification having been performed. And since performing this verification did require significant work, certificates carrying those attestations were not free. The ISRG, the Internet Security Research Group, was formed to solve this problem. Two engineers from Mozilla, a guy from the EFF, and one from the University of Michigan incorporated the ISRG and set about solving this problem. The Group decided that the inherently expensive and scaling-resistant verification of domain ownership could simply be bypassed in favor of reducing the test to anonymous domain control. And if that was done, web and DNS servers would be able to verify the domains they were serving and the entire process of certificate issuance and maintenance could be automated. Thus the ACME, Automated Certificate Management Environment, protocol was born. And today, half a billion domains later, by any measure this has been a huge success. Thanks to Let's Encrypt, any website that wishes can now have every connection encrypted for privacy for free. Have Let's Encrypt's free certificates been abused? Of course they have. That's what happens on the Internet when anything is free. Look at email spam, and today's social media. You know, it's abuse frenzy. Both are an utter catastrophe because both are free. But this was not the problem Let's Encrypt was trying to solve or prevent. Their clearly stated goal was to offer equal opportunity privacy through encryption for all. Bad guys and phishing sites were every bit as welcome to have Let's Encrypt certificates as anyone else. At least the communications of the people they were scamming would now also be private and encrypted. And that really was all that the ISRG intended to provide. So 10 years, and thanks to these guys, you know, as we've seen, we had a pie chart, remember, a couple months ago that showed, you know, they'd just taken over. |
| Leo: Yeah. |
| Steve: You know, why not? |
| Leo: Everybody uses them. |
| Steve: Yeah. |
| Leo: We did just - Patrick Delahanty has sent me the link. This is our episode, almost exactly 10 years ago, November 25th, 2014, where you introduced Let's Encrypt to the world, Security Now! 483. And Grayson Petty, who is very sharp-eyed, pointed out that you had at the time three PDPs behind you. |
| Steve: Still do. |
| Leo: What happened to the other one? |
| Steve: Maybe I moved them up. There is one up there, above. |
| Leo: Oh, okay. The angle of the shot changed, that's all, Grayson. No PDPs have died in the making of this program. |
| Steve: Okay, Leo, let's take a break. Then we're going to talk about, oh, the latest concern of stuff coming from China. |
| Leo: Oy oy oy. |
| Steve: And a little bit of a sticky wicket in this case. And, oh, Leo, I want one of these cranes. Oh, wait till you see. I have a picture of one. |
| Leo: What would you do with a crane, Steve? |
| Steve: Oh, wait till you see. You have to have one. |
| Leo: Offload your hard drives or something. I don't - well, if you lived in a container, you could use the crane to move your house around every once in a while. |
| Steve: That's true. |
| Leo: That would work well. Steve? |
| Steve: Okay. So last Wednesday's report in GovInfoSecurity was titled "Coast Guard Warns of Continued Risks in Chinese Port Cranes." |
| Leo: Wow. |
| Steve: Yeah, boy. This becomes an issue, actually, when it's accompanied by the news - get this, Leo - 80% of all heavy lift gantry cranes used to load and unload container ships at American ports were manufactured by a single company, ZPMC, a state-owned company in China. Eighty percent of these cranes. And I know why. Oh, my god, they are just the most lovely things you've ever seen. |
| Leo: They're good. This is the problem. They're the best in the business; right? |
| Steve: Like the DJI drones, which are the best drones there are. |
| Leo: Right, right. |
| Steve: Yes. So, okay. The report explains that the U.S. Coast Guard is warning that Chinese-made, as they're called, "ship-to-shore," STS cranes come with - and this is unspecified, but they said with "built-in vulnerabilities." |
| Leo: Oh. Like backdoors. |
| Steve: Well, okay, enabling remote access and control. Consequently, the Coast Guard has begun urging operators across the country to adopt enhanced security protocols. Okay. |
| Leo: Are these the cranes you're talking about? |
| Steve: Oh, I've got one in the show notes, so down another page or two. |
| Leo: Oh, okay, okay, okay. |
| Steve: It's just the most gorgeous thing you've ever seen. Oh. So in their notice, the Coast Guard wrote: "Additional measures are necessary to prevent a transportation security incident," and the Coast Guard cited "threat intelligence related to the PRC's interest in disrupting U.S. critical infrastructure." Now, the notice instructs owners and operators of Chinese-made STS, you know, ship-to-shore cranes to obtain a copy of the official directive from their local Coast Guard officials, stating that the materials contain sensitive security information. In other words, we're not telling you what we know in this public notice. Get the official directive from your local Coast Guard. They're tell you more. A congressional report published in September warned a Chinese company with a major share of the global market of STS port cranes posed "significant cybersecurity and national security vulnerabilities" for the United States. According to the report, the Chinese state-owned company, ZPMC, supplies 80% of all ship-to-shore cranes in the U.S. market and has significant involvement in militarizing the South China Sea. Lawmakers warned that the company and its cranes could "serve as a Trojan horse," allowing Beijing to "exploit and manipulate U.S. maritime equipment and technology at their request." What remains unclear is what measures the Coast Guard could implement to restrict the remote functionality of ship-to-shore cranes which are integral to port operations nationwide. Okay. So here we add another example, a new example to the Chinese-made DJI drones and Chinese-made security cameras which those in the U.S. have been blithely purchasing and plugging in everywhere for years because, as you said, Leo, they're the best. The answer to the question of what are we to do about these cranes is the same as for the DJI drones and cameras, I think. In theory, we could purchase the hardware and independently source the firmware or software for these devices. But nothing prevents firmware buried deeply within the hardware from being similarly compromised. So, you know, it's not just flash memory in obvious firmware. So, you know, the real truth is, in any instance where we've seriously and firmly determined that we cannot trust the supplier of equipment, that equipment cannot be used anywhere its physical or cyber compromise might lead to other damage. And imagine if Beijing could do nothing more than cause - and I say "nothing more" - than cause 80% of all U.S. ship-to-shore port cranes to self-destruct. It would instantly and irreversibly cripple all major U.S. ports. And at the bottom here of page 6 I have a picture of this thing. Oh, my god. Look at that thing. |
| Leo: You want one. |
| Steve: It looks like something out of Star Wars. You know, you definitely don't want to have that thing walking in your direction. |
| Leo: Well, it doesn't walk. It does roll back and forth. One of the things I love about going on cruises, which we do a lot of, is you get to see these ports, and you get to see these cranes in operation. |
| Steve: Well, it's beautiful. I want one. Except then, look at the itty-bitty size of the standardized containers next to it. |
| Leo: This thing's huge. |
| Steve: I mean, my god, it's just amazing. So anyway, it is a beautiful machine. And it's a pity that apparently we can't trust it. I mean, we don't know what is known, that says what. Was it pre-installed vulnerabilities? What does that mean? |
| Leo: Yeah. |
| Steve: I mean... |
| Leo: Like this, probably. |
| Steve: Have they discovered that they reverse engineered the firmware and actually found backdoors that China knows are there? That would be a real case. |
| Leo: Or maintenance and service. There's probably a backdoor; right? I mean... |
| Steve: Well, or it ought to be a documented front door. |
| Leo: Right. |
| Steve: You know, where like ZPMC is able to update the software in order to, you know, handle the new type of shipping container, which is 30% bigger. |
| Leo: This is a universal issue. We've talked about how the Chinese, what do they call this attack? They're in the phone systems. They're listening to phone calls. They're taking advantage of the legitimate wiretapping capabilities that law enforcement put in 20 years ago to listen to, I mean, they're in our power grid. We know that they are. They're just sitting there. They're not doing anything. But honestly, it sounds as if the Chinese government has infiltrated pretty much all of our infrastructure and has full access to... |
| Steve: Well, Leo, we're buying all of our stuff from China. They didn't have to even try. |
| Leo: Right. |
| Steve: I mean, we said, oh, we like those cameras. |
| Leo: Yeah. |
| Steve: We'll take a million of them. |
| Leo: But they're taking advantage of flaws in SS7 that have been there for 30, 40 years ago; right? So... |
| Steve: Right. So on the one hand... |
| Leo: They can hack our stuff, too. |
| Steve: ...there are vulnerabilities in the technologies that we are using. But on the flipside, I mean, we don't know that there's no evidence, for example, that DJI actually was ever used in a covert surveillance effort. |
| Leo: Right. |
| Steve: We just know it could happen. |
| Leo: Right. |
| Steve: And we know that they are a Chinese-based company. So everyone is now - and now we're looking at these cranes saying, oh, my god, what if? You know, no crane has ever gone crazy and done anything wrong. |
| Leo: Excuse me. Is there any reason that crane is online? Should that crane not be air gapped? |
| Steve: My switches are online. My plugs are online. |
| Leo: I guess it has to be. |
| Steve: My, you know, your blender is online. The microwave is online. The coffee maker is online. Everything is online. |
| Leo: Yeah. We're out of luck. |
| Steve: I mean, that's really what has happened is we've gone online happy. |
| Leo: Right. |
| Steve: And so you betcha; you know? I mean, who knows how those cranes even get installed? I'm sure a whole bunch of people who are experts in installing them, you know, erect them, and then you've got to install the software because, again, it's going to all be software controlled. Once upon a time there was a guy sitting in a cab with big levers. |
| Leo: Oh, there still is. There still is. |
| Steve: Now you've got a game controller that runs the whole thing. |
| Leo: Right, yeah, yeah. That's one of my favorite seasons of "The Wire." Did you ever watch "The Wire"? |
| Steve: Oh, Leo, one of the best shows ever produced. |
| Leo: Absolutely. And one of the seasons they're down at the shipyards talking to the guys who operate those big cranes. And they have lots of scenes of them in there and how fast they can move them and so forth. It's pretty cool. But that was a long time ago. I'm sure it's even cooler now. |
| Steve: Yeah. |
| Leo: And Chinese infiltrated, so [crosstalk]. |
| Steve: I, you know, I feel really mixed about this. I know we have a lot of Chinese listeners. I love them. Nothing against them. And we don't know that China has ever misbehaved. We do know that we're being attacked. You know, that we know. But commercial companies, there's no evidence that I'm aware of of misbehavior. Yet because it's possible, you know? |
| Leo: I don't know, I'm going to throw this out here, I think this narrative is a little disturbing to me because where it leads is, well, you just don't have anything that's made or from China. Which probably still wouldn't secure you, right, because... |
| Steve: Correct. |
| Leo: ...we still are using SS7. So, yeah, I've ripped and replaced all the Huawei equipment in my network. But I still have software that's got massive holes in it. And I'm not willing to replace that. But let's say that's the road we go down. Let's get rid of all the Chinese stuff. I think that makes us more vulnerable because China no longer is economically dependent on us, is no longer intertwined with us. I think we're less vulnerable if we trade with our enemies. |
| Steve: I know. |
| Leo: And they're economically tied. Their fate and our fates are economically linked. That to me is a better strategy for keeping the peace than putting up a big wall and saying, oh, we're not going to buy any Chinese stuff. Well, then it doesn't - then they have no dog in this hunt; right? They... |
| Steve: No economic incentive for keeping their number one customer. |
| Leo: Right. So I don't have as, I mean, look. By the way, we are infiltrating their stuff. We know this from the Edward Snowden leaks. The NSA has plenty of tools to do the same thing back. And they buy American stuff. Probably not as much American stuff as we buy Chinese stuff. But I think it's a - it makes me nervous to think of the direction we seem to be heading with these reports that, well, let's just not have anything from China at all. |
| Steve: I feel exactly the same way. |
| Leo: Because that could be a prelude to... |
| Steve: It would be better if we just all got along. |
| Leo: Yeah. And you know what, we've got - there is, by the way, there is this mutually assured destruction because we do have stuff in their gear, as well. And there is, in fact, Bill Clinton even made, and Obama made these agreements with China. Okay, you're going to have your stuff in there, but we're going to have our stuff in your stuff. And we'll only go so far in this espionage game. And these are the rules. And, you know, that's - I don't know how good a way to do that, that's a very good way to do things. But that is kind of where it is right now. So I'm just nervous about the idea of, oh, let's cut off all Chinese stuff. No Chinese stuff. Maybe the other direction would be safer. |
| Steve: And look at the crane. It's gorgeous. |
| Leo: They make good stuff. |
| Steve: Oh. |
| Leo: I mean, probably it's also cheaper than the American-made or the German-made cranes. I don't know. I'm sure Germany makes equally good cranes. |
| Steve: I'll bet. I'll bet. And who's to say, though, that if we start, we switch to those, there wouldn't be some vulnerabilities, even if Germany didn't intend to. |
| Leo: That's the problem. |
| Steve: But there'll still be vulnerabilities that Chinese cyber ops could get into. |
| Leo: There are still supply chain issues. There are still software vulnerabilities. I don't - is perfect security possible? No. |
| Steve: I wonder what the German cranes looks like. I might be in love. |
| Leo: Where are you going to put this crane? Have you talked to Lorrie about your crane lust? |
| Steve: I think I'll just get a little model. I want a model. |
| Leo: A model would be okay. |
| Steve: Yeah. |
| Leo: And you could have little model containers and little model ships, and you could go [sound effects]. |
| Steve: One of the best things about my wife is she loves trains, like model trains. |
| Leo: Ah. |
| Steve: I could have model trains running around the house. |
| Leo: Well, there's a very small difference between a model train and a model crane. |
| Steve: That's what I'm saying. That's what I'm saying. I think this will probably work. |
| Leo: I love it. |
| Steve: Okay. So after a phenomenal surge in new users, Bluesky has received its first country-level block. And the winner is Pakistan. |
| Leo: Congratulations. |
| Steve: For those who don't know, Bluesky was originally conceived as a project with Twitter, back in the Twitter days, at Twitter, by Jack Dorsey. It was designed to create an open decentralized standard for social media. And it was launched in 2021 as an independent entity. After that, Bluesky quickly evolved into a strong competitor to X, offering a more customizable and transparent UI, you know, user experience, UX. Bluesky's overall popularity has been soaring recently, and in Pakistan specifically this is being driven by increasingly or increasing accessibility issues with X due to government restrictions and the growing need for a VPN to access X. Many Pakistani users have turned to using Bluesky as an alternative. Unfortunately, now it appears that within Pakistan Bluesky is quickly hitting the same barriers as X. I should mention that I've received Twitter DMs from our listeners asking when I'll be moving to Bluesky. I'm not moving anywhere. For me, X is being, you know, it's just kind of slowly allowed to fade. I'm still posting the weekly show notes to X because I've been doing so for years, and some of our listeners who hang out there continue to appreciate that. But, you know, a nicer presentation of today's show notes was, as I said earlier, emailed to more than 13.25 thousand of our listeners yesterday. And everyone of those listeners is able to email directly back to me at securitynow@grc.com. And all of that works, even for our listeners in Pakistan. |
| Leo: There you go. Mail works. When I was in China I used mail to post to my blog and guestbook and Twitter because I could email it, yeah. |
| Steve: Yup. |
| Leo: By the way, I got something for you, Steve. Actually, should I send a link to Lorrie? It's a Lego City Seaside Harbor with cargo ship toy, model container frame, and boat with eight mini figures. Steve, this is what you want. |
| Steve: You know, we don't need a train running around the Christmas tree. |
| Leo: You need a crane. |
| Steve: We can set this puppy up. Wonderful. |
| Leo: This is yours, man. |
| Steve: That's great. Arrives before Christmas. |
| Leo: Thank you to Chocolate Milk Mini Sip, as you know him, Paul Holder, in our chat for providing us with that. |
| Steve: So under the section of "What will they think of next," we now have what's being called "repo swatting attacks." Repo is, of course, short for "Repository," which is the unit of organization employed by GitHub and GitLab. So get a load of this: Threat actors have been abusing a hidden feature to cause GitHub and GitLab accounts to be taken down. The technique allows - and this will really strike home for you, Leo, with the problems TWiT has with anything, you know, copyrighted. The technique allows users to open issues against a targeted repo, upload a malicious file, and then abandon the issue without publishing it. On both GitHub and GitLab, the file remains attached to a victim's account. Then, the pesky threat actor reports the hidden, non-public file for breaking the service's Terms of Service, which forces the repo to be removed for hosting malware. |
| Leo: Good lord. |
| Steve: Apparently, this is just one more reason why we can't have nice things, for everything we do. |
| Leo: I hope that the administrator - this is the problem with DMCA takedowns, you're right, on YouTube. |
| Steve: Yup. |
| Leo: Is that the process is so efficient, works so fast, you have no, virtually no time to defend yourself. |
| Steve: Right. |
| Leo: One would hope that both GitHub and GitLab would start to understand this attack and... |
| Steve: Figure out this is what's going on. |
| Leo: Yeah, say I have a visible file. |
| Steve: Say, uh, not so quick. |
| Leo: Yeah, yeah. |
| Steve: A couple of weeks ago I touched on two recently announced zero-day flaws that had been discovered to affect Palo Alto Networks enterprise firewalls. That led to my quite predictable rant about the proven impossibility of protecting any form of remote management access to Internet-facing services. Even firms like Palo Alto Networks, whose business is security and security appliances, still don't know how to do that, as this, you know, two recent zero-day flaws demonstrate. In this case, to say that Palo Alto's internal architecture seems somewhat wanting would be an understatement. An analysis by WatchTowr Labs - that's spelled T-O-W-R, they've dropped the "E" - reveals that this vulnerable appliance, and it's actually a family of them, is implemented in what they declare, with tongue in cheek, to be the "absolutely stellar PHP language," which is served by Apache, fronted by an Nginx reverse proxy. They then note that the system implements its authentication layer by using a PHP feature known as "auto_prepend_file," which prepends the file "uiEnvSetup.php" to anything PHP loads, which is just such poor design I can't even begin. Okay. This is implemented by the line auto_prepend_file = uiEnvSetup.php in PHP's .ini file, which they preface by saying "Take a look at this gem of a hack in the php.ini file," and I could not agree more. They introduce its use by noting: "We guess auto_prepend_file actually has legitimate uses besides writing PHP exploits." I mean, it's just, you know, the bottom line is that this is all quite dispiriting. I don't know why I always imagined that Palo Alto Networks would be doing things right. I suppose I wanted to give them the benefit of the doubt. The uiEnvSetup.php text file which provides front-end authentication by redirecting pre-authenticated access to the login page actually contains the comment - this is their own source code. Their own PHP code contains the comment "These are horrible hacks. This whole code should be removed and only made available to a few pages: main, debug, et cetera." In other words, their own coders know this was awful. |
| Leo: That's exactly what you'd expect some engineer to write, looking at this code, just to put in the comment "This is a hack. This is terrible. Please don't." |
| Steve: I don't know why I'm doing this. It's late. |
| Leo: Don't make me do this. |
| Steve: I'm hungry. Or they just delivered pizzas to the conference room. |
| Leo: Oh, my god. |
| Steve: Anyway, I couldn't agree with the coder's own comment. And I would never say that Palo Alto Networks deserves to have been hit by these vulnerabilities, especially since it's their customers who will be taking the hit for this. But a design that is this slipshod can only be called "asking for it." It's unconscionable that this is the utter crap they're shipping. And in order to see any of this, because it's not out for public display, the WatchTowr guys needed to first jailbreak this Palo Alto Networks appliance, which they did. But this means that this extremely poor design is locked away out of sight so that it's only visible to intrepid researchers who go to the effort to create a jailbreak. But even if it cannot be seen, every Palo Alto Networks customer remains reliant upon it. We all know the rigid line I draw between bad policies, which are deliberate, and true mistakes which anyone could make. None of this is an example of a mistake anyone could make. These are policies. There are developers inside Palo Alto Networks who know this is what they are shipping. Those people should be looking for a new job far away from anything having to do with security. And so today we have the news from The Shadowserver Foundation of evidence that at least 2,000 of those Palo Alto Networks firewalls have been compromised using those two recently disclosed zero-days. 2000 of Palo Alto Networks enterprise customers have been penetrated as a result. Once they've been compromised, the firewalls contain a PHP web shell which allows attackers to return later, at their leisure. The presence of this web shell is one indicator of compromise. The Shadowserver Foundation said that their number was a conservative estimate since it relies upon a limited set of IoCs released by Palo Alto Networks last week. Now, to their credit, Palo Alto Networks had warned of a possible zero-day earlier this month, which is when I talked about it back then, and their communication throughout this has been stellar. So there's much to commend Palo Alto Networks about their response to this trouble. Unfortunately, this stands in stark contrast to whomever is developing their devices. |
| Leo: Did they fix it? |
| Steve: They probably patched it, and it's probably largely the same. |
| Leo: Yeah. |
| Steve: Maybe if a bright enough light is shined on this, they'll say, wow, is what Gibson just said true? |
| Leo: Wait a minute. Does anybody know? Is that true? Oh, man. It's not, you know, and don't blame PHP because you can code securely in PHP. But the problem is it makes it very easy to code insecurely. It has some... |
| Steve: Thank you for finishing the sentence I was about to rebut with. |
| Leo: It doesn't exactly get in your way, I guess. |
| Steve: Yeah. If they had developed it in interpreted BASIC, you would wonder about the level of the programmer expertise that chose the BASIC language to do the work. |
| Leo: Right. |
| Steve: And PHP is similar. It's a very nice language. You know, we know what PHP the initials stand for; right? |
| Leo: Yeah. Personal Home Page. |
| Steve: Personal Home Page. |
| Leo: Do not write your security appliance frontend in Personal Home Page. |
| Steve: No. Exactly right. |
| Leo: Wow. |
| Steve: Okay. So a responsible security researcher going by the handle "delsploit," who reportedly answers email at delsploit@gmail.com, has privately and responsibly disclosed their discovery of a terminally serious stack buffer overflow vulnerability across D-Link's past VPN routers. I characterize this as being terminally serious because this now-known-to-exist vulnerability allows unauthenticated users - also frequently referred to as "anyone anywhere" - to remotely and at their whim execute their remote code on the victim's targeted D-Link VPN router. The concerns are that D-Link's announcement of this sobering reality last Monday contains a field for "Link to Public Disclosure," which is currently filled-in with the abbreviation "TBD" as in "To Be Determined," which strongly suggests that this delsploit character is being responsible with his or her knowledge and is giving D-Link some time to respond. But there's a problem with that: All six of these venerable (and vulnerable) D-Link VPN routers have gone well past their end of life. They're no longer being supported by D-Link and thus will not now, and not ever, be receiving updates to correct this most critical vulnerability. No CVS tracking designation will been assigned to track this vulnerability because it's never going to be fixed. And if a CVS were to be assigned, it would be carrying a flashing red CVSS score of 9.8, perhaps, or maybe even the rarest of 10.0s. Okay, now, this vulnerability is as bad as they come because this otherwise lovely family of routers offers a standard SSL VPN which runs a simple web server at the standard HTTPS port 443. I have a screen shot in the show notes of what you get when you use your HTTP browser to connect to this thing's port 443. It looks like a web page, asking you for your username and password. From the standpoint of almost actively soliciting attackers, this could not be any worse. The page that's displayed to any device connecting to port 443 of an affected router prominently displays the device's model number and both the hardware and firmware version numbers. This thing effectively shouts "Please exploit me!" So, you know, where they are on the Internet will never be any mystery, and I have no doubts that the lists of their IP addresses have long ago been assembled. Okay. So now everyone knows the situation. The two oldest affected routers are the DSR-500N and the 1000N, which both went end-of-life nine years ago, back in September of 2015. The more recent four VPN routers are the DSR-150, 150N, 250, and 250N. All four of those went end-of-life just a few months back, in May of this year. But as the saying goes, "Close only counts in horseshoes and hand grenades," meaning in this case that end of life is end of life, and that D-Link formally states in their disclosure that these now known to be seriously vulnerable D-Link VPN routers will never receive updates. Longtime listeners of this podcast know what will come next, as sure as the sun rises every morning. Many tens of thousands of these devices are currently sitting on the public Internet. The number may be around 60,000, six zero thousand. I haven't seen an exact count, but I'm sure that either Shodan or Censys would have that number, and be able to provide their IP addresses, since every one of them, as I said, proudly presents its logon page to any passerby. There's been no public disclosure of the details of the vulnerability that delsploit found, but D-Link has confirmed it. And at some point delsploit is going to want to have their day in the sun and bragging rights about having discovered this vulnerability. So it's going to be published. And no one can really fault delsploit for eventually disclosing the vulnerability they discovered because that's the way the game is played these days. You wait long enough to give the impacted parties a reasonable amount of time to respond. And after that, no matter whether or not they have, and regardless of the consequences, the entire hacking elite is then informed of exactly how to bypass the Internet-facing authentication which protects tens of thousands of networks that are currently behind every one of these VPN routers. There's nothing any of us can do other than protect ourselves and those we have responsibility for and care for. So make absolutely double-damn certain that nowhere within your spheres of influence do any of this six D-Link VPN routers currently exist because we all know exactly what's going to happen next. In their disclosure, D-Link ineffectually recommended that this hardware should be replaced. We know that most of the owners of these devices will never receive any sort of notice of this, and probably wouldn't pay it the attention it deserves even if they did. We're all being so inundated by all of our software being constantly updated that it's easy to become numb to it. But if anyone is in the market for a replacement, I would now say to stay well clear of D-Link. They have a long and still-growing history of very serious remotely exploitable vulnerabilities being discovered after the fact in their past end-of-life products. This happened earlier this month with 66,000 of D-Link's Internet-connected NAS devices. Their response was effectively, "Well, we're sorry. We don't make NASes any longer. And even if we did, those 66,000 Internet-connected remotely exploitable network-attached storage devices we once made are now past their end of life, so it wouldn't matter even if we still made them." It's true that hardware is not forever, and that it would not be unreasonable to expect an aging NAS or router that's past its end of life to be rotated out of service in favor of something new. But we all know that that doesn't happen often. Given their track record, I would be disinclined to give D-Link any more commercial support. If you really like the brand, okay, you know, I get it. It is truly nice-looking hardware. But you should be aware that "end of life" or "end of support" probably means "end of secure service life," after which point a device, a D-Link device should be rotated out of service. And if you have any existing inventory of D-Link devices, you should be very certain to have a current subscription to their security bulletins and other notifications, and really pay attention when you get one. |
| Leo: It's too bad. This used to be a good company; right? I mean, I had a lot of D-Link routers in the day; right? |
| Steve: I did, too. But, you know, they're having problems. And, I mean, again, it's not unreasonable to say, okay, well, it's end of life. |
| Leo: It's old, and we're not going to support it anymore. |
| Steve: Yeah. Yeah. I mean, you know, all the other companies do that, too. But even Microsoft has gone back and, like, fixed a really bad Windows 7 problem after Windows was end of life because they recognized they didn't want to hurt their own users. |
| Leo: The problem really is that D-Link was a consumer, dominant consumer brand for a long time. And so there are a lot of people who aren't that sophisticated who have D-Link here, and they're not... |
| Steve: Right. |
| Leo: ...paying attention. They don't listen to this show. |
| Steve: Right. |
| Leo: And so they'll never know that there's a problem with their router. Or actually it's not a router, it's a, what, it's a NAS? |
| Steve: Well, it is a, yeah, earlier this month it was 66,000 NASes. And now we've got - we have six different models of SSL VPN routers. |
| Leo: Routers, okay. |
| Steve: And so an SSL VPN router is sitting there, listening for incoming SSL connections on port 443. |
| Leo: Right. Right. |
| Steve: So mark my words, a month or two from now we will have a count of how many systems have just been taken over. |
| Leo: Yeah. At least an SSL router is not a consumer product. That's not in Grandma's hands. |
| Steve: Well, actually, I don't know. I would say that's a bigger problem because it means that it's hooked to a more valuable network. |
| Leo: Yes, something you're trying to protect. |
| Steve: It's not Granny's - it's not on Granny's LAN. You know? It's on some small business's network that can be, you know, have all their systems encrypted and then held for ransom. |
| Leo: Yeah, some IT guy 12 years ago installed it in the lawyer's office, and nobody's thinking about it. It just works. And security is not a concern, except [crosstalk]. |
| Steve: I had sort of a related story. It turns out that, as many people know, Sharia is a religious law that governs some aspects of the lives of Muslims, based on the teachings of Islam and the Quran. We were just talking about Pakistan being unhappy with pretty much all things Internet. I should note that Pakistan's religious advisory board recently ruled that the use of VPN apps is against Sharia Law, apparently because Sharia Law is whatever they want it to be. |
| Leo: Yeah. |
| Steve: The Council of Islamic Ideology said that VPN technology was being used in Pakistan to access content prohibited according to Islamic principles or forbidden by law, including "immoral and porn websites or websites that spread anarchy through disinformation." And this gave me pause to wonder, Leo, whether they might be inclined to change their minds if they were able to get a really good deal on some used D-Link VPN routers. |
| Leo: Yeah, that's the ticket. Oh, lord. |
| Steve: What a world, huh? |
| Leo: What a world. Well, this is, yeah, I mean, yeah, yeah. |
| Steve: So we have the return of Recall. Let's take a break. |
| Leo: Yes. |
| Steve: And then we're going to talk about Recall now being put back into Windows Insiders to begin testing. |
| Leo: Yup, congratulations. We talked about it on Sunday on TWiT, and all four of us said, yeah, but we would love to have something like Recall. In fact, my problem with Recall is it should be on every device. It should be on everything. But of course that would be a security nightmare. Okay, Steve. On we go. |
| Steve: So last Friday the Windows Insiders Blog announced the return of Recall to Windows 11. They wrote: "Hello Windows Insiders. Today we're releasing Windows 11 Insider Preview Build 26120.2415," or as one of my employees would have once said, "Stardate," which I thought was funny. They said: "...to the Dev Channel. With this update, we welcome Windows Insiders with Snapdragon-powered Copilot+ PCs to join the Dev Channel to try out Recall (Preview) with Click to Do (Preview)," which is a new feature that they are now going to be testing. So anyway, I have a link to the lengthy rollout text in the show notes for anyone who wants more. Suffice to say that Microsoft has done exactly what they had promised to do. The setup experience of course promotes Recall as a wonderful and really secure feature. It's unclear from the few screenshots Microsoft provided what the user's decision tree looks like and how readily the user is able to decline to receive the "Recall experience." But presumably, after all the backlash Microsoft received and their commitment to disable Recall until and unless its user explicitly enabled it, that's what they've done. I do know from reporting that Recall can mostly be removed from Windows through that "Turn Windows features on and off" dialog. One security researcher noted that a few Recall-related DLLs do remain under the Windows\SystemApps directory, specifically MicrosoftWindows.Client.AIX. But this researcher noted that the core functionality is removed. So that's good. A few items of note from their blog posting were: "Recall (Preview) will begin to rollout on Snapdragon-powered Copilot+ PCs, with support for AMD and Intel-powered Copilot+ PCs coming soon. As we gradually roll out Recall in preview, Recall is supported on select languages including simplified Chinese, English, French, German, Japanese, and Spanish. Content-based and storage limitations apply. Recall is not yet available in all regions, with expanded availability coming over time." So there were anecdotal reports of researchers being able to get the first shot at Recall running on PCs without any fancy AI GPU support. So it might be that Recall will be made more widely available over time. So this might also mean that, for now, no one without Copilot+ PCs will need to worry about removing it since it may never be present. And again, not yet in the main channel. This is all just insider preview. Also of interest in the posting for their enterprise customers, they said: "As announced at Ignite, for our enterprise customers, Recall is removed by default on PCs managed by an IT administrator for work or school, as well as enterprise versions of Windows 11. IT administrators fully control the availability of Recall within their organization. Employees must choose to opt-in to saving snapshots and enroll their face or fingerprint with Windows Hello for snapshots to be saved. Only the signed-in user can access and decrypt Recall data," theoretically. "So although enterprises cannot access employee Recall data, they can prevent Recall from being used altogether and prevent any saving of specific apps or sites." So essentially they're saying that group policy settings that the IT admin controls can prevent Recall's use. But if Recall is allowed, then employees will - it is still a one-to-one relationship between the machine and the employee that under no circumstances does the enterprise have access to the data that Recall is collecting for that employee. So that's good. And of course that was not the case when this was first rolled out in, you know, that very what many people feel was a premature mode because none of the data was encrypted. It was just all there in a user directory. So just for the record, Microsoft is also previewing a Recall feature which they call "Click to Do." And they write: "With Click to Do in Recall, you can get more done with snapshots and improve your productivity and creativity. Click to Do recognizes text and images in snapshots and offers AI powered actions you can take on these, saving you time by helping complete tasks inline, and/or quickly getting you to the app that can best complete the job for you." They then show that the user is able to mark and highlight to select text in an image on a Recall snapshot, which is cool. And then, once selected, you get a context menu with Copy, Open With, Search the Web, Open Website, and Send via Email. And if the user happened to right-click on a recalled image as opposed to text, a block of text, then the context menu commands are copy, save as, share, open with, visual search with Bing, blur the background with photos, erase objects with photos, and remove the background with Paint. So some things you can actually do with images that are recalled. And apparently soon with things that are not recalled. They said: "In this update, Click to Do only works within the Recall experience." And by the way, we're going to have a lot of experiences with Windows, apparently, and Microsoft. That's their new favorite word. They said: "In a future update, you'll be able to effortlessly engage with Click to Do by simply pressing Windows logo key + mouse click, Windows logo key + Q, through the snipping tool menu and Print Screen, or searching 'Click to Do' through the Windows Search Box." In other words, it'll be pervasive in Windows. They said: "These methods will make it easier than ever to take immediate action on whatever catches your eye onscreen. We're also working on introducing more intelligent text actions to enhance your experience even further. Just like with Recall noted above, Click to Do (Preview) is available only on Snapdragon-powered Copilot+ PCs. Support for Intel and AMD-powered Copilot+ PCs is coming soon." So, okay. For people who have those, again, not yet mainstream, not yet released. But it's clearly coming. I was talking earlier about the fact that we absolutely know that very, very few of the now known to be vulnerable D-Link VPN routers will be removed from the Internet as a result of D-Link's announcement of their serious vulnerability. How do we know? Well, all of the history that we've talked about on this podcast shows that. In this case, CISA maintains a list of the most exploited security vulnerabilities by year. We know that at least 60, six zero, known threat actors exploited vulnerabilities from CISA's list of the most exploited bugs last year. And we have details. According to the security firm VulnCheck, the North Korean group "Silent Chollima" was the most active in this regard. They targeted nine out of 15 CVEs from CISA's list. China and Russia's groups were the most active among the 60 known threat actors, with China sponsoring 15 groups of those 60, and Russia supporting nine groups. And here's the most distressing news that gets back to why we know that few of those D-Link routers will be removed from service. Hopefully all of our listeners will, you know, if there's any intersection between those D-Link routers and our listeners, action will be taken. But VulnCheck reports that over 400,000 systems that are currently online at this moment are vulnerable to attacks using one of last year's most popular vulnerabilities; 400,000 systems online now are vulnerable to at least one of 2023's most popular, you know, popular, most exploited vulnerabilities. So, wow. We have to do better. As an industry, we really do somehow need to better. Okay. |
| Leo: Just shows you how hard it is to do, though. I mean... |
| Steve: Yeah. Well, and, you know, I'm sure that notices are going out. As I said, you know, we all just get inured to them, essentially. I mean, we would just stop paying attention to every one of them because it's like, oh my god, oh my god, oh my god. And finally saying, "Oh, yeah, fine, well, we keep hearing that, but nothing ever bad happens," until something bad happens. Okay. Some great feedback from our listeners. Thomas wrote: "On a recent episode you mentioned a device that acts like a Bluetooth keyboard and connects via a dongle between a phone or other Bluetooth device and a computer, or basically anything you could plug a USB keyboard into. It sounds to me like an input stick" - and that's http://inputstick.com - he said, "a device that I used frequently as a hardware tech when replacing HP motherboards. After you replaced the motherboard, you had to enter a setup command string that was about 30 characters long and case sensitive. Since it was entered before/during bios, you could not copy it into the field from the web. It was a nightmare." Okay, right, 30 characters of upper and lowercase gibberish. He said: "But with the input stick..." |
| Leo: This is so cool. |
| Steve: Oh, Leo, I immediately ordered one, yes. |
| Leo: I was about to order one myself. |
| Steve: It is very, very cool. And the apps... |
| Leo: Kind of like a YubiKey, but you could program it to do whatever you want. |
| Steve: That's exactly what it is. And not only keyboard, but also mouse. |
| Leo: Wow. |
| Steve: So you've able to remotely control, like do mouse functions. So he said: "But with the input stick you could go to HP's website on the phone, copy the string, paste it into input stick's software, and send it/input it directly the first time." |
| Leo: So clever. |
| Steve: He said: "Been a while since I've done that. Mostly it now works as the volume control to turn my computer down when I'm going to sleep," because they have also complete multimedia controls also. |
| Leo: Nice. As any keyboard does, of course. |
| Steve: Yes, exactly. He said: "Still one of my favorite toys, though. Even though I'm no longer in the biz, I still keep up with the news via Security Now!." Signed, Thomas. |
| Leo: Nice. |
| Steve: So as I said, Thomas is 100% correct. That is the gizmo that another listener mentioned, which I immediately purchased since it looks clever and interesting. I think it was $39 U.S. plus shipping from Poland, and they immediately shipped it. I got a notice of it being shipped, like, hours later. I'll report again once I've had a chance to play with it. Its creator appears to have done quite a lot with the capability. It's able to simulate both a keyboard and a mouse; and, as I said, it's able to simulate multimedia control keystrokes. It's got macro capabilities and the works. So I'm constantly annoyed that, despite my decades-long loyalty to all things Apple for everything other than PCs, Macs offer integration features that Apple refuses to bring to Windows. You know, I would, oh my god, would I love to have iMessage for Windows. But, no, I don't get that. And I was wondering if this would somehow allow me to bridge that gap, but actually it's going in the wrong direction, probably, unless I were to - I guess I could - no, it's going the wrong direction. So I guess at the same time, if they brought us something that was like iTunes for Windows, then I'm probably better off without it. |
| Leo: So, okay. |
| Steve: You have a solution? |
| Leo: No, I'm just - I'm trying to think of how you would use it. So your goal is to be - to do what? |
| Steve: I guess my goal would be - okay. So it's burdensome writing a long message on the horrible touchscreen. |
| Leo: Yeah. You want to do it on your keyboard. |
| Steve: So I'd like to do it on my keyboard. |
| Leo: Right, and then paste it in, yeah. |
| Steve: And then just send that, yeah. And I've, like, I've emailed myself messages and then gone to email on the iPhone, opened it, copied it, gone to messages, pasted it, and sent that. |
| Leo: Yeah, that's such a pain. |
| Steve: It's like, what? |
| Leo: This is how Apple keeps people in the Apple ecosystem. It's easy to do if you're an Apple, if you're all Apple. |
| Steve: Yeah. I know. |
| Leo: Otherwise, you know, you might buy other people's computers, and we can't let that happen. |
| Steve: Right. Gino Guidi, who signed his note "The Network Ninja," earns his title. He wrote: "Steve, was listening to the episode where you had a listener ask about how to capture the command-and-control (C2) traffic when it's using a hard-coded IP. The solution you offered would absolutely work. I think the more elegant solution would be to just NAT the destination. I'm not entirely familiar with pfSense or OPNsense, and I use Untangle and Palo Alto at home. However, if you have firewall software that supports it, you could create a NAT rule that changes the destination from the hard-coded IP to a host of your choice. You won't even need additional interfaces. "If you configure the rule correctly, it will re-NAT it back for return traffic. The malware will have no idea that it isn't actually talking to that IP. The additional advantage is that you wouldn't have to change the IP or add additional IPs onto the machine you are sending the command-and-control traffic to. You could easily create as many of those NAT rules as you want, which I think would make it more robust long-term. I appreciate the podcast and hope to be listening for another 1,000 episodes." Okay. |
| Leo: Oh, boy. |
| Steve: "Hope this suggestion makes sense." Okay. So given that a router's firewall supports it, I think it's a brilliant solution that's clearly superior to the more complex approach that I proposed. So I like it a lot. Okay. So let's think this through. As I understand it, it would require routing software that's able to perform NAT translation for packets traversing the router's internal LAN interface. That's different from typical consumer router NAT which is generally applied to outbound packets crossing the router's WAN interface. So this would definitely require some third-party routing software. You know, higher end routing software like pfSense or OPNsense. Applying NAT to the internal interface would cause any packet sent from any machine on the LAN, such as the malware-infected machine, which is addressed to a specific external public IP, to have its destination IP changed to another host machine on the LAN, the one that's serving as the command-and-control server. So that packet's source IP would remain - the source IP would remain unchanged, the IP, which would be the IP of the infected machine. So on its way out from the malware-infected machine, the outbound packet crosses the LAN's selective NAT translation, which would give it a local destination LAN IP address. This would cause the router to send it back out the same LAN interface, now addressed to the command-and-control server. And since that packet arriving at the command-and-control server would still be carrying the local source IP of the malware-infected machine, the spoofed command-and-control server would return its replies directly to the malware-infected server. So it's an elegant solution, and I can't see why it wouldn't work. I haven't tried it, but it's sort of an interesting concept. I replied with this to our Network Ninja, Gino, who sent me a follow-on link that referred to this using the term "hairpin NAT." So this thing is a known technique, and you can see a hairpin; right? It's like bent. It's like it does an immediate 180. So it's called a "hairpin NAT" where you NAT across your local interface, your LAN interface, as opposed to the WAN, in order to perform these sorts of tricks. So very cool, thank you. Abhi Rau, A-B-H-I Rau, driving his kids to school in Charlotte, North Carolina, wrote: "Hi, Steve. I've been listening for the past 12 years. Your podcast has been a constant on my drive to work and dropping my kids to and from school. My kids have grown up listening to your voice" - sorry about that - "and more security conscious because of you. So thank you." Yeah, I guess the kids are probably on edge now. He said: "In your last show, Episode 1001, you mentioned Cloudflare Tunnel as an option for accessing home networks. One main clarification I would like to make, which you did not mention, is that although a Cloudflare Tunnel is simple to set up and use, it does not provide true end-to-end encryption. While it encrypts traffic between your origin server and Cloudflare's network, Cloudflare can decrypt and inspect the data in transit as it terminates the TLS connection at its edge network, meaning it is not fully encrypted from start to finish." And he says what we all know: "For true end-to-end encryption, an overlay network like Tailscale can be used. For more detailed comparison," and he gives us a link that I haven't seen before at tailscale.com/compare/cloudflare-access. He says: "I looked into Cloudflare Tunnel myself to access my self-hosted Bitwarden running on my home Synology NAS, but I decided to use Tailscale instead for this reason. Love the show. To 2000 and beyond," Leo, which appears to be everyone's new goal for us since we did pass 999 unscathed. |
| Leo: We need to come up with a hand gesture. |
| Steve: He provided a link, which I have in the show notes, to Tailscale's Tailscale-vs-Cloudflare-Tunnel side-by-side feature comparison. And I tend to agree with Abhi's feelings. I think that the best way to think of it is that these two solutions, Cloudflare Tunnel on one and an overlay network like Tailscale on the other, they have some overlap in their capabilities which allows either one to solve the remote access problem, but they are also very different. Cloudflare Tunnel has a large range of features that go far beyond what's needed for remote access to a user's LAN. It's really aimed at secure remote access to servers. And an overlay network's true full end-to-end encryption is really what we want for remote network access. And it sort of tips me in its favor. Stephen Clowater reminds us of an even simpler solution, writing: "Hey, Steve. Congrats on hitting 1000-plus episodes. Thanks for all the thoughtful content you've shared. I wanted to share an observation about remote access to Homelabs," he said, "having tried Cloudflare Tunnels and various VPN clients. For those who don't need the features of an overlay network like Tailscale, WireGuard is worth considering. It offers simple, lightweight, Layer 3 connectivity, modern elliptic curve crypto, and straightforward setup. While Tailscale builds on WireGuard for robust overlay features, a standalone deployment keeps things minimal and widely supported across platforms like Linux, pfSense, and OPNsense. "What has kept me using WireGuard," he writes, "is how it handles iOS sleep cycles," meaning the WireGuard client on iOS, he said, "ensuring apps can reliably access data when waking from sleep. VPNs like OpenVPN, CF WARP, and IKEv2 often struggle with app-level connection failures because their clients cannot wake up properly in the selective sleep process iOS has or renegotiate stale connections before a TCP timeout. WireGuard's small kernel footprint and fast connection renegotiation allows it to reconnect on demand without timeouts." He said: "I started using WireGuard in 2020-2021 while setting up a self-hosted email server. I needed a reliable way to fetch mail on my phone while keeping port exposure to a minimum. Since then, it's become a core part of my setup, enabling reliable email fetch cycles, isolating Ubiquiti cameras, and syncing files via Syncthing on my phone. Just thought I'd share in case it's helpful to anyone exploring options. Best," and he signed off "Another Steve" because he's Stephen Clowater. So I'm really glad Stephen reminded us of the many benefits of just plain old Wireguard. We originally discussed WireGuard, which was at the time viewed as the replacement for OpenVPN, which had grown very old and stale, back when it first appeared on the scene about five years ago. In Episode 744 I first talked about Wireguard after meeting and being very impressed by the founders of the Mullvad VPN service and learning that they were already adopting Wireguard. And recall that not long after that, Linus Torvalds incorporated Wireguard natively into the Linux kernel, which is saying something for it because he would never do that casually. The only downside to running, for example, Wireguard on a pfSense or OPNsense router is that the first thing you need to do is open a static port through the router's WAN interface to the Wireguard service running on the router. And from then on that port is open, facing the outside world, and you're relying on Wireguard not to have any critical vulnerability that would allow an authentication bypass. If you're okay with that, then Wireguard is likely the lightest weight and most secure solution available. And I loved what Stephen shared about its compatibility with iOS. But running with a statically open port, which is never required when using any of the overlay networks, would tend to bend me away from Wireguard, much as I would otherwise love to be able to use it. What I would consider as an option would be adding some sort of port-knocking solution that would allow a remote IP to be authenticated so that that IP and that IP only could then connect to the Wireguard VPN running in the home base router. Since, for example, an ICMP ping packet can contain plenty of payload, a simple and secure challenge/response mechanism that incorporates the endpoint IP addresses and some crypto would do the trick. And I would write one, I would create it if only there were more hours in the day. But maybe somebody has or will. Enrico gave his note the subject: "EP989: backdoor or incompetence." And he said: "Happy 1000. I'm still a bit behind. I'm listening to Episode 989 where you talked about the Chinese RFID badge chip that was found to have a backdoor. We've heard plenty of reports about vulnerabilities found where the manufacturer left some debugging credentials in. We've also heard lots of reports about backdoors in products. I'm curious, in general, how does one determine if something is a backdoor or incompetence? How can the researcher infer intent? Perhaps an internal company memo gets leaked that shows it was on purpose. It is still hard to tell if this was mandated by the government unless top secret documents get leaked. Is it just based on the country that manufactured the device and whether they're friendly to the U.S.? "I also heard about the guy that has gone back and started listening to your podcast from Episode 1. I've wanted to do this, too. However, I'm already over 10 episodes behind, so I'd just fall even further back. Only listen to podcasts while driving. Maybe I need to plan some long road trips." Okay, so I think Enrico makes a very valid point. Controversy is inherent when attempting to ascribe intent. The question of the Windows Metafile Escape, which I talked about last week, is another perfect example. Why was it there? Why had it been faithfully copied and reimplemented through many editions of Windows, even jumping from Windows 3, 95, 98, and ME over to the brand new Windows NT, where it had to be reimplemented. Was all that an accident? The original intent of its designers has been lost to history, and we'll probably never know. And remember about 10 years ago when Cisco kept "discovering" hidden backdoor credentials in one appliance after another, month after month? And I have "discovering" in quotes because these were their own systems. How difficult could it be to "discover" a undocumented login account in software that they wrote and for which they have the source code? They just had to look. So I guess they just looked, and it's like, whoopsie. Anyway, since Cisco is not evil, and never was, and since they were confessing over and over to what they kept finding in their own machines, I think that's a case of poor judgment and changing times. Twenty years ago, just as it may have been acceptable to design an escape hatch into Windows Metafiles, it may have been acceptable for developers to just kind of lazily leave their development accounts in Cisco appliance firmware. Back then it may have been no big deal. But as we've seen, times change, as does our expectations. My feeling is that in nearly all cases it's just a mistake. For one thing, no clever developer would implement something that was meant to remain a secret by leaving a username and password in the firmware. That's way too obvious. If someone told any competent developer - okay, not somebody using PHP, I did say competent developer - to design-in a backdoor, it would be far more well hidden. For example, it would be necessary to first bounce an ICMP PING packet off the device with a particular payload length. This would leave an insignificant trace. Then it would be done again with a different specific length. And that pair of events would prime the device to then accept anything originating from the same source IP only without requiring any authentication, or something like that. My point is, nothing as dumb and obvious as leaving a username and password account burned into the firmware. There are an infinite number of ways to bury a true backdoor in today's insanely complex systems. And there's something that keeps people awake at night because these things could be really difficult to find. |
| Leo: Yeah. I guess it doesn't - the intent doesn't really matter. It's the fact that it exists, period, is sufficient. |
| Steve: Right, right. And I guess the real point is who else knows about it. It's an undocumented... |
| Leo: Right. Eventually everybody knows everything. Don't think you can hide anything. That's really the truth. |
| Steve: Right. Exactly. |
| Leo: There are no backdoors. |
| Steve: David in the U.S. wrote: "Hello, Steve. I'm a long-time listener, but haven't reached out before. I credit you in large part for my career in infosec. I was unable to get formal education in the field, so I self-taught using resources including your podcast. It's been many years since I started my first job in the field, but I still listen regularly and learn a lot. Thank you for all your efforts. "I'm sure this is an edge case, but regarding your remarks about SoHo routers in Security Now! 995, I was recently treated to an experience with a new Nokia - they still exist - SoHo router/access point. I changed ISPs, and they provided one for 'free,' with a WiFi access point ready to use. They came out and installed it for me, and plugged what they thought was 'my computer' into it," he says, "(as if I had only one, haha)." He said: "After they left, I plugged my entire home infrastructure into their router. As a result of your recommendations some years ago, my main firewall is pfSense running on a Protectli unit," you know, P-R-O-T-E-C-T-L-I, that I mentioned recently. He said: "I didn't bother to reconfigure the new Nokia box for a couple of days because I didn't consider it an important layer of security. However, I finally got around to logging into it and was stunned by what I found. For some unfathomable reason, the firewall was set to 'light' filtering mode. Apparently it had a short, self-described 'non-disruptive' block list it was using to blacklist certain things. However, it was not performing NAT services for the Ethernet. "It was a pass-through mode by default, giving my public IP address to my pfSense firewall behind it. There was an option on the Nokia device to enable NAT, but it was disabled. While I would like to think that perhaps it detected the firewall behind it and switched itself off, I somehow doubt it was that smart. If I was a typical user, whatever I plugged into that Ethernet port would have been immediately exposed to the Internet. The WiFi did seem to be using NAT, so perhaps they thought that was good enough for most users." Okay. So this was really interesting to me. The thing that occurred to me first after thinking about what David wrote was that I'll bet almost no typical Internet user today ever plugs anything into their router's wired Ethernet ports. I know that many of us who listen to this podcast do. But we're far from typical Internet users. WiFi really has overtaken wired Ethernet. And that's the only way I can think to explain what David experienced is that, you know, just everyone uses WiFi, so that was what was set up in order to, you know, share a single IP. |
| Leo: Maybe that Nokia just wants to say, you know, anything you plug in is DMZed, and maybe that's, you know, I wonder if it even says that. If you're going to hook up a web server to this, put it on the Ethernet port because then it will be DMZed. It's directly connected to the Internet; right? |
| Steve: Yeah. |
| Leo: As you could tell, not a recommended solution. |
| Steve: Not a recommended solution. I have a couple inches at the bottom of this final page before we switch to today's main topic. So I wanted to answer the many questions I've received from listeners who have taken note of the fact of the reMarkable Pro box on the bookshelf behind me. You could see it right there over my left shoulder, it's right - it's there, I'm pointing at it. Dave wanted to know what I think of it. I very much wanted to love it, but I don't. |
| Leo: Awww. |
| Steve: I don't. I wanted to like its support for color, its slightly higher pixel density, its larger size and its reputed higher stylus tracking rate. But I don't. Its support for color feels like it's not ready for primetime. The display goes through all sorts of conniptions when using color. I mean, it's almost comical what the thing has to do with things flashing and switching back and forth and blinking. You know, it's clearly not easy to pull off color, and I don't think it was worth the effort. Also, the darn thing is heavy. I mean, it is really heavy. And its stylus now requires charging. |
| Leo: Oh, that's too bad. |
| Steve: Which the reMarkable 2 doesn't. By comparison, its predecessor, the reMarkable 2, I really love. You know, I do wish I could get the cool cover for the Pro which much more securely captures the stylus than on the reMarkable 2. But at least for the time being it appears that that cool cover is only available for the Pro. So anyway, to answer everyone's questions, I was hoping I would like the Pro as much as I love my reMarkable 2's. I have a couple of them. But it doesn't really make the grade. |
| Leo: You tried the Amazon Scribe; right? |
| Steve: Yeah. |
| Leo: Didn't like that much? |
| Steve: Well, yeah, yeah. Only because the reMarkable is just, I mean, I don't do any reading on it. I don't read PDFs. I just use it as a replacement for my engineering pad. |
| Leo: Right. |
| Steve: And a soft No. 2 pencil. |
| Leo: It's nice to have unlimited graph paper; isn't it? |
| Steve: Oh, yeah. And I now have - you're able to sync three devices through to a single account. And because I purchased one in the old days, I'm grandfathered in to the no-charge iCloud connectivity. So if I doodle at one location, when I turn it on on the other, it's synchronized, so... |
| Leo: Multiple location doodling, what more could anybody ask? |
| Steve: I've got everything I want. |
| Leo: Yeah, the Advent of Code is coming up in just five days. |
| Steve: Oh, that's right. |
| Leo: And that's one where it's very often handy to sketch out... |
| Steve: I'm a big algorithm bits sketcher. |
| Leo: Yeah, yeah. Just to understand. And the Advent of Code it's all about tech problems. And so to even understand the geometry, sometimes you have to draw it because otherwise it's like... |
| Steve: Yeah. |
| Leo: In fact, there were people a couple of years ago cutting up paper and making paper cubes so they could understand the relationship from one side to another. |
| Steve: No, I absolutely get it. It's all those off-by-one problems. |
| Leo: Oh, a nightmare. |
| Steve: You want to make exactly sure that do you mean greater than or greater than or equal. |
| Leo: Right. Right. |
| Steve: And so I just - I quickly jumped to a little sketching out, a little simple example of a more complex problem. |
| Leo: I do the same thing. I did exactly the same thing, yeah. |
| Steve: Did we do all of our breaks? |
| Leo: We have one more. Would you like to do one more? |
| Steve: Let's do it. And then we'll talk about Disconnected Experiences. |
| Leo: Whatever that is. We'll find out in just a moment. |
| Steve: Yes, why you may want to be disconnected from some of these experiences. |
| Leo: Yes, please. Here's, you know, you listen to the show, I'm sure, because it gives you... |
| Steve: No, I'm right here. |
| Leo: No, you do. I'm talking to our fine audience. |
| Steve: Okay. |
| Leo: Yeah, I was watching the F1 race on Sunday, it was in Las Vegas, and they talked to one of the drivers, a long-time F1 driver. And they said, "Do you ever watch your races?" He says, "No, I was in it. I don't need to watch it. I know what happened." Yes, we don't listen to our own podcasts. We were in them. All right, Steve. You've got to explain the title. |
| Steve: Okay. So the way things are going, it looks like I'll be needing to set up I guess what I would call a "sacrificial lamb." |
| Leo: Oh, no. Oh, I'm so sorry. |
| Steve: Yeah. Running the current, which is to say the latest, Windows. The last thing I would use for myself would be such a machine because Microsoft really does appear to be pushing well past the limits of what is acceptable practice for me. You know, Windows Recall was a perfect case in point. If the industry hadn't pushed back so loudly and quickly, they may have delivered that first disaster, who knows. But it occurs to me that if this podcast is going to continue to be as relevant as it has been in the past, it's becoming clear that I'm going to need to have a machine that's running what the rest of the unwashed masses are running, which is to say, you know, the latest version of Windows. There was a time when creating a sacrificial lamb PC meant exposing the machine to the Internet without protection. As we know, the half-life of such machines is best measured in seconds, and not many of those. But the way the Windows desktop environment has been evolving, today the creation of a sacrificial lamb PC means just exposing a machine to Microsoft. The need for such a machine became clear when I encountered the news that Microsoft has silently enabled the use of its users' Microsoft Office Word and Excel document content for training its AI models. Rather than being straightforward and calling this something like, I don't know, how about AI training, they obscure it behind the title "Microsoft Connected Experiences." Now, how the hell would anyone ever know that that means that they're training AI models? Connected Experiences? And that's my point. This is what Windows has become. At the moment, I'm reporting this blind because I have no way to verify the reporting that I've seen. At the moment I don't have a Windows 11 machine, and that's going to have to change. But, okay, so here's what we know. In Microsoft's documentation for their so-called Connected Experiences, under the topic "Connected Experiences that analyze your content," they write: "Connected Experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features." The key phrases there are "analyze your content" and "connected," but connected to what and to where? That appears to mean what the reporting on this states, which is that the connection is to some AI which is doing the analyzing and being trained against Windows users' Office document data. Now, add to this the fact that it's been reportedly enabled by default. Because of course it has. And I should say, since the show notes went out last night, I have heard back from listeners who found this stuff enabled by default. So this reporting is confirmed, and they turned it off. Okay. It seems clear that, just as a great many people are made uncomfortable by the idea of having Windows Recall silently collecting and analyzing everything they do on their computers, some Windows users may not be interested in having Microsoft's AI being trained on the content of their otherwise private Word and Office Excel documents. First I'll note where this Connected Experiences setting is located, since they clearly want their Windows users to have ready access to this potentially significant privacy setting. So under File in an Office application, you choose Options. Under Options go to Trust Center. In the Trust Center, select Trust Center Settings. There you'll find Privacy Options which you need to select in order to get to the Privacy Settings. And on the Privacy Settings page there's a section for Optional Connected Experiences, where you should find a checkbox labeled "Turn on optional connected experiences," which all regular users will reportedly find, and a bunch of our listeners have, has been thoughtfully enabled by for you default. Users whose machines or Microsoft accounts are managed by their organization may not have these options showing. And Microsoft appears to confirm this on their own website, where under the topic "Choose whether these connected experiences are available to use," they write: "You can choose whether certain types of connected experiences, such as connected experiences that download online content, are available to use. How you make that choice depends on whether you're signed into Office with a Microsoft account, such as a personal Outlook.com email address, or with a work or school account. "If you're signed in with a Microsoft account, open an Office app such as Word and go to File > Account > Account Privacy > Manage Settings." Okay, now, note that that's a very different path from what I had first shared from the reporting on this. It turns out, and I've heard from our listeners, both are correct. You can get to the proper setting either way. And Microsoft's is a shorter path: File > Account > Account Privacy > Managed Settings. Although maybe once you get to Managed Settings, then you go to Privacy Settings. I don't know. Anyway, if you've got it, you'll be able to find it. And they said: "Under the Connected Experiences section, you can choose whether certain types of connected experiences, such as experiences that analyze your content, are available to use. If you don't go to Managed Settings, all connected experiences are available to you." In other words, all of your content gets analyzed. So there it is. What's apparent nowhere is that Connected Experiences is a euphemism for we're going to share all of your Office documents to train an AI in the cloud in order to make Office smarter for you, and of course for themselves. So talking about content retention, they write: "Most connected experiences don't retain your content after performing their function," although I should tell you there's about 50 of them, "to help you accomplish a task, but there are a few exceptions. In those cases, Microsoft retains the content for as long as your account exists, and it's used to support, personalize, or improve that connected experience." Now, as I write this, part of me wonders whether I'm just becoming an old curmudgeon. Why not just, you know, enjoy all of the many benefits of having Microsoft watching everything I do on my PC, thus allowing me to scroll back in time and ask questions about things I did in prior years. And sending my document content to the cloud to train their AIs so that it can provide me with more relevant stories on Edge's home page, more relevant search results in Bing, and more relevant advertising on my Windows Start menu? I'm not being facetious when I say that many Windows users might actually want all of that. I get it. You know? Just as many may have been enjoying having Candy Crush Soda Saga or whatever all that flippy-tile nonsense is under Windows 10, along with Xbox crap that refuses to be removed. I've never owned an Xbox, but it has taken up residence on my Start menu nevertheless. It seems clear that an alternative view of Windows is apparently an all-encompassing, deeply connected entertainment portal that also has some productivity applications. And, really, that's fine. It's just not for me. I mentioned a while back about the eventual move I would make to Windows 10 when I finally decide to retire this Windows 7 machine that still works great. I was briefly thinking that a server edition might allow me to avoid some of this commercial crap - before I remembered that I had tried that years ago when I wanted my desktop to be running the identical code as GRC's servers. But I had encountered many instances of desktop software refusing to install on server editions. Some of our listeners have since suggested that I take a look at the enterprise editions of Windows 10, explaining that unlike even the Professional editions, the Enterprise editions are also free of Xbox and other unwanted nonsense. And as I was digging around in Microsoft's documentation, I was encountering all of the places where Microsoft has been and is installing AI. Microsoft is essentially AI-izing every nook and cranny of Windows 11 and their Office suite. I have no doubt that a memo went out a year or two ago stating that AI was coming, that it was the future, and that once it had arrived it was here to stay. Therefore, every single product manager and product planning team within Microsoft was hereby being tasked with figuring out anything and everything that adding AI to their offerings could do, and then to get going on implementing all of that immediately. What that will turn Windows into, I have no idea. I know that it won't be any machine that I'm sitting in front of while I produce these weekly Security Now! podcasts, nor while I'm working on code for the DNS Benchmark, the Beyond Recall product, or SpinRites 7, 8, and 9 and Beyond. But it's also clear that I need to stay in touch with the frontier, or as many have called it, the bleeding edge. For now, I want to be certain that those listeners of ours, and I know there are many of them, who may also dislike the idea of Microsoft sharing their Office content with their AIs in the cloud, while acknowledging that this is being done by default and that in many cases the data is being retained indefinitely, will at least be informed of this new behavior and would know that they have the option of deliberately disconnecting their Windows experiences from Microsoft. And finally... |
| Leo: Before we move on, because I know you want to finish this up, but it's not - I think you're implying that this is being used for training LLMs for other people to use. I don't think that's what this is. |
| Steve: No. |
| Leo: This is asking permission, just as a... |
| Steve: To help you train against your own data, right. |
| Leo: So that it can - so a spell checker tells you whether you've misspelled a word. In order to do that, it needs to actually look at the words you're typing. A grammar checker needs to look at the words you're typing. |
| Steve: Well, Leo... |
| Leo: That's what it's doing. |
| Steve: This comes back to your original assessment of AI; right? It's just a spell checker. |
| Leo: Well, yeah, I mean, so what Microsoft's offering you with these things is you're designing a power - it's kind of Clippy on steroids. You're designing a PowerPoint, and it says, hey, you know, I could - I see what you're trying to do here. Would you like this image? It's that kind of thing. We'll have to check into this. I don't think it's sending it to their, you know, a lot of content is, you know, LinkedIn content is being sent to train LLMs. You know, The New York Times is suing because they say OpenAI used it to train LLMs. I don't think that's what this is. We'll have to check in more detail. |
| Steve: About how much containment of the data... |
| Leo: Right. They say they'll retain it because that's information you've provided that you - just like a cookie is that might be useful down the road. |
| Steve: Well, all of your previous documents that have been used to train an AI model that they maintain, I guess. |
| Leo: Yeah, but the real question is if the AI model is going to be used by others, which I don't think it is because that would immediately be a problem in all businesses. Or is it an AI model that you will then be able to use for yourself? |
| Steve: Yeah, probably we need to look at the terms of service and, like, actually read the fine print. |
| Leo: I'll ask Paul and Rich tomorrow. But my sense is it's not, you know, going to send it out to their own LLM servers and train their own servers. That would exfiltrate your own data. It is basically for your use, just as a spell checker or grammar checker is for your use. |
| Steve: Well, they're retaining something, and they're saying that they're retaining. So it is being sent to them. |
| Leo: Yeah. After performing - they don't do it after performing a function to help you accomplish a task, but there are a few exceptions. They retain your content for as long as your account exists, implying that it's attached to your account. |
| Steve: Right. |
| Leo: And it's used to support, personalize, or improve that connected experience, your experience. |
| Steve: Right. |
| Leo: In other words, not for other people. But I will check into that because I think it is an important distinction. It's like Clippy. Clippy in the day would have asked the same permissions. Hey, I'd like to keep track of everything you're doing so I can offer you suggestions. It's like that except it's on steroids; right? |
| Steve: Right. |
| Leo: Anyway... |
| Steve: Anyway, I was done. I just wanted to wish all of our listeners who celebrate Thanksgiving, and I know Leo and all the TWiT crew join me in wishing everyone the best holiday. |
| Leo: Absolutely. |
| Steve: And with this particular opportunity to spend time, which is precious, with your family and friends. |
| Leo: And don't argue about things. |
| Steve: And we'll be back in December for more. |
| Leo: And tell them to use a password manager. Thanks, Steve. Have a great Thanksgiving. All our love and best wishes to you and Lorrie, and have a great time, and we'll see you in December. |
| Steve: Yay. |
| Leo: Which is only a week away. |
| Steve: It's next week. |
| Leo: [Crosstalk] concerned about that. We'll see you next week. Thank you, Steve. |
|
 | Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |  |
| Last Edit: Dec 03, 2024 at 13:14 (195.44 days ago) | Viewed 7 times per day |