Description: The long-awaited lawsuit to block Texas SB2420. Embattled Texas SB2420 also impacts Google Play. At long last, NIST modernizes their password policy. Scattered LapSus$ Hunters' demise was exaggerated. China claims that the NSA has been hacking them. Half of all geosynchronous satellite traffic is unencrypted. AWS outage highlights the rising risk of Internet monoculture. A terrific collection of listener feedback. And could your PC's mouse have much bigger ears than you know?
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1048.mp3
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We're going to talk about a lawsuit aiming to block the new Texas age verification law. NIST finally gives up on its password policy, its long-discredited password policy. The AWS outage, what caused it, and what happened? And then is your mouse listening to you? It might be. That's coming up next on Security Now!.
Leo Laporte: This is Security Now! with Steve Gibson, Episode 1048, recorded Tuesday, October 21st, 2025: Mic-E-Mouse. It's time for Security Now!. I know you wait all week for this fabulous show, the show where we cover the latest in security news, technology information, hacking, sci-fi. Anything Steve Gibson's into, we're into. Right? Steve Gibson.
Steve Gibson: We do try, Leo, my friend, to stay on topic because I recognize that's mostly security stuff, privacy, technology stuff is mostly what people come back for every week. But they do. We broke a record with yesterday's mailing of the show notes. We crossed 19,000 subscribers...
Leo: Wow.
Steve: ...for the first time. 19,010 was our total. And...
Leo: So I have to point out something. You are now, like, 4,000 more subscribers than Club TWiT. So those 4,000 people, you're getting Steve's newsletter for free. You're getting this show for free. But wouldn't you like an ad-free version of it? Wouldn't you like to support it directly? Join the Club, Club TWiT, at TWiT.tv/clubtwit. Then we can have 4,000 - we should have as many members as you have newsletter subscribers. Don't you think? Feels fair.
Steve: Of course, subscribing to the newsletter is free, so...
Leo: That's what I'm saying. Oh, you think those 4,000 people are the cheapskates.
Steve: I don't know what's going on. I mean...
Leo: I'm just joking. We're glad to have you. Thank you.
Steve: And I don't have a sense for what percentage of our listeners have subscribed. My sense is that even there it's a low percentage of subscribers relative to the downloads.
Leo: It is. It's roughly 1.5% of the downloads.
Steve: Yeah. I know. And so it's like the people want to listen, and I'm glad for that.
Leo: You know, it's always a problem. If you gave something away for free, to suddenly say, hey, could you pay for it, most people, I'm the same way, no. It's free. I'm going to stay free.
Steve: And I'm going to find out about that, exactly that, when I commercialize the DNS Benchmark.
Leo: That's exactly right.
Steve: I have no calibration on how many people would be willing to pay 10 bucks for a dramatically improved, I mean, this thing, the thing we just did - and this is, oh, god, I can't wait to talk about this at some point. I did a statistical analysis that demonstrated that there is so much uncertainty in DNS timing, not due to the resolvers at the other end, but due to the Internet which is in between.
Leo: Yeah.
Steve: That to actually get statistically significant results requires many more tests than the Benchmark has ever been performing. That's why every time you ran the Benchmark, you kind of got the same answers, but they differed. Not because the resolvers were of any different speed, but it turns out that, you know, statistics is weird. If you tossed a coin...
Leo: That should be the title of this show, I'm just going to say right now. Statistics is weird.
Steve: If you tossed a coin three times, there's a one in eight chance, actually one in four chance, you know, 25% chance you would get all heads or all tails.
Leo: Yes.
Steve: So a three toss coin, three coin toss, whatever, you know what I mean, you might be led to believe that there were heads on both sides or tails on both sides, that it was a bogus coin that wasn't actually 50/50 because in three tosses, 25% of the time you're going to get all the same outcome. So what we've learned, and this was only just recently, I've added the ability to dramatically increase the number of samples which the Benchmark takes. And we're getting far better results, I mean, like consistent reports now where all of the resolvers from the same provider end up grouping together on the chart, which you'd kind of expect, but it actually happens now. But only when you take many more samples. Anyway, the point is that what I'm going to be offering soon for 10 bucks blows away the free one. But again, I don't have any idea how, I mean, free is free; right? And asking someone to pay anything is a heavy lift. I get it. But I have to try.
Leo: I do think that you are a unique case, that people will pay for something even if they were getting it for free before, just because they want to support you. I really think this is true of you, Steve.
Steve: I hope that's the case because I need the support in order to keep doing all this. I have one note...
Leo: It's not even that. They just feel good about you, and they just, you know, they're not looking for anything out of it. They just want to support you is my guess.
Steve: Which I really appreciate, makes all this possible. It makes possible Podcast #1048 titled "Mic-E-Mouse," obviously a play on "Mighty Mouse."
Leo: And I had to ask, is it Mick-E-Mouse? And you said no, this is a Mic we're talking about.
Steve: We're going to answer the question, could your PC's mouse have much bigger ears than you know.
Leo: Oh, no.
Steve: Oh, yes.
Leo: Now I'm scared. Oh, boy.
Steve: You thought that bag of chips laying on the table might give away the conversation in the house. Turns out it's worse than that. We're going to look at the long-awaited lawsuit to block Texas SB2420, which happened last week, just after last week's podcast, when I mentioned that it's kind of odd that there's been no legal challenge to this very worrisome law that takes effect on January 1st. And also take a look at how it's going to affect Google Play and their plans. We looked at Apple in detail last week. Oh, my god, Leo, at long last NIST has formally modernized their password policy. And they fixed it.
Leo: You mean I don't have to change my password every three months?
Steve: Wasn't that insane? No. You no longer do. And we'll have something that all of our listeners can wave in the face of their employers' IT people and say, okay, fix this. This has always been dumb. Now it's officially dumb. Also it turns out we now have much better proof that Scattered LapSus$ Hunters group, that their demise that I reported - wrongly, it turns out - a couple weeks ago was indeed exaggerated. Finally, China is claiming that the NSA has been hacking them. Yay. We'll explain that.
Leo: They've been hacking us. It's only turnabout is fair play.
Steve: Yes, come on. So it turns out also half of all geosynchronous satellite traffic is unencrypted. Who knew?
Leo: Yeah. Amazing.
Steve: Turns out, yes. Also we'll touch on yesterday's AWS outage, which I agree with the take that the Guardian had. It highlights the rising risk of something you and I have talked about relative to browsers often, which is any kind of an Internet monoculture, you know, all the eggs in one basket. Better not drop that basket. We've got a terrific collection of Listener Feedback. And then we're going to look at, you know, another new side channel attack. Who would have ever imagined that people's mice could actually be picking up the audio of conversations around them?
Leo: Wow.
Steve: And guess what made it possible?
Leo: I'm going to - I've got a guess. Is it rattling balls?
Steve: It's, well, no. I don't think a rattling ball - the balls never had the resolution of a good old optical sensor.
Leo: Oh, yeah, that's right. My mice don't have...
Steve: Those balls, did you ever roll them around your hands? They were neat. They were rubberized.
Leo: Yeah, they were heavy. They were metal with rubber coatings on them, yeah.
Steve: Yeah, I liked those.
Leo: I think they would make excellent transducers for a microphone, but I guess since we don't have those, we'll find something else to rattle, if you will. Let's move on, shall we? We're going to get to that in just a moment, and the Picture of the Week, which looks pretty funny. I haven't seen it. Haven't seen it. I like to preserve my virgin eyeballs.
Steve: This will take a little bit of visual parsing, but you'll - yeah, everyone's having...
Leo: Okay. We'll see it together. I always see the caption, but I don't scroll up. So, hmm. Hmm. Okay. First, though, a word from our sponsor. All right. I'm ready to scroll up whenever you want to talk about it here.
Steve: Our listeners had a lot of fun with this, those who subscribe to the email and saw this yesterday. I gave this picture the title "When an interlock must be very clear and must absolutely definitely never fail."
Leo: Okay. All right. I don't even know what - that looks dangerous, man. I hope that handle is somehow insulated.
Steve: Well, I don't think it needs to be.
Leo: It's not electrical?
Steve: For those who don't see the picture, we've got - we have a pair of apparently very high-current toggle switches like, you know, like light switches where...
Leo: Oh, I see.
Steve: Yeah. Up is on, and down is off. And for whatever reason you'd absolutely never want them both to be on at the same time; or apparently, like, there would be fire and explosions and things.
Leo: I get it. I get it now. Wow.
Steve: Yep. So somebody, and I don't know if this was an off-the-shelf...
Leo: I doubt it.
Steve: ...handle. But it's just...
Leo: Oh, yeah, I mean, it's like you got it at the hardware store, for sure.
Steve: It would be, or, like, you know, you talk about the horses escaping after the barn door's been closed.
Leo: Yeah, or your fence would have this. Your fence could have this, yeah.
Steve: Well, yeah, some heavy-duty fence has this thing where a handle is used to slide a bar back and forth. Well, this has been jury-rigged in between these two big switches.
Leo: And it's totally intentional because the switches are positioned on the wall exactly precisely so that the interlock fits right in that gap there.
Steve: Yes, exactly, yes.
Leo: This was an intentional design.
Steve: Yes.
Leo: Wow.
Steve: Yes. Somebody said there is no provision for absolutely making sure that these cannot both be on at the same time. Presumably, you know, who knows, they're feeding to the - I think maybe I'm seeing like a loop at the bottom. I didn't really look at it, but to me looks like maybe the bottoms of these are connected together. You sort of see it on the lower, on the left unit, the bottom right wire looks like it bends and then goes over to the other unit. So I'll bet you that these are two different feeds that go to the same place. And if you turn them both on, they would short those two feeds and, again, something would explode.
Leo: That's so funny. That's so funny.
Steve: So somebody said, okay, we need to be able to choose A or B. But we don't have an A or B choosing switch. We only have two on/off switches. So...
Leo: "How could we solve that?" said Mo, Larry, and Curly.
Steve: Yeah, exactly. Using a lock from a barn door from the 1920s.
Leo: That's hysterical. That could come in handy.
Steve: Thanks again to our listeners.
Leo: That looks like something Burke might have designed.
Steve: Burke, your solutions work, and this one does, too.
Leo: And it works, it works.
Steve: Okay. So our coverage of the pending enactment of that new Texas SB2420 legislation galvanized our listeners and generated quite a bit of feedback because, I mean, this is a mess.
Leo: Insane.
Steve: I mentioned last Tuesday that there was still no sign of any legal challenge to that legislation. But then last Friday, to no one's surprise, that situation changed. Ars Technica's headline read: "Big Tech sues Texas, says age-verification law is 'broad censorship regime.'" Ars gave it the teaser line "Texas app law compared to checking IDs at bookstores and shopping malls." So here's what they wrote, to get a sense for the flavor of the attack. And this, by the way, well, in fact they said: "Texas," they wrote, "is being sued by a Big Tech lobby group over the state's new law that will require app stores to verify users' ages and impose restrictions on users under 18. The lawsuit, brought by the Computer & Communications Industry Association (CCIA) alleges: 'The Texas App Store Accountability Act imposes a broad censorship regime on the entire universe of mobile apps. In a misguided attempt to protect minors, Texas has decided to require proof of age before anyone with a smartphone or tablet can download an app. Anyone under 18 must obtain parental consent for every app and in-app purchase they try to download, from eBooks to email to entertainment.'" Ars wrote: "The CCIA said in a press release that the law violates the First Amendment by imposing" - boy, we're getting a lot of use out of our First Amendment, Leo - "violates the First Amendment by imposing 'a sweeping age-verification, parental consent, and compelled speech regime on both app stores and app developers.' When app stores determine that a user is under age 18, 'the law prohibits them from downloading virtually all apps and software programs and from making any in-app purchases unless their parent consents and is given control over the minor's account.' The CCIA said: 'Minors who are unable to link their accounts with a parent's or guardian's, or who do not receive permission, would be prohibited from accessing app store content.'" Okay.
So yes, as we understand it, that's all completely true; and it's, moreover, exactly the law's intent. It's not like the law was, you know, written in an overbroad fashion. No, this is what they want in Texas. Ars continued, saying: "The group said the law requires app developers 'to age-rate their content into several subcategories and explain their decision in detail,' and 'notify app stores in writing every time they improve or modify the functions, features, or user experience of their apps.' The lawsuit says the age-rating system relies on a 'vague and unworkable set of age restrictions.' "The lawsuit claims" - so here's the argument against in the lawsuit, which reads: "'Our Constitution forbids this. None of our laws require businesses to card people before they can enter bookstores and shopping malls. The First Amendment prohibits such oppressive laws as much in cyberspace as it does in the physical world.'" Ars said: "The lawsuit was filed in the U.S. District Court for the Western District of Texas. CCIA members include Apple and Google, which have both said the law would reduce privacy for app users. The companies recently described their plans to comply, saying they would take steps to minimize the privacy risks. The Texas App Store Accountability Act is similar to laws enacted by Utah and Louisiana. The Texas law is scheduled to take effect on January 1st, 2026, while the Utah and Louisiana laws are set to be enforced starting in May and July, respectively." So we're only talking about Texas now because it's, like, 70 days away from today. And, you know, Utah and Louisiana will hopefully fall under the same umbrella, depending upon how this all happens. And there is something new and interesting. Ars also wrote: "The Texas law is also being challenged in a different lawsuit filed by a student advocacy group and two Texas minors.
Attorney Ambika Kumar of Davis Wright Tremaine LLP said in an announcement of the lawsuit: 'The First Amendment does not permit the government to require teenagers to get their parents' permission before accessing information, except in discrete categories like obscenity. The Constitution also forbids restricting adults' access to speech in the name of protecting children. This law imposes a system of prior restraint on protected expression that is presumptively unconstitutional.'" Now, that's interesting, but that argument was also tried in the argument against Texas HB1181, as we covered previously. Here are a few choice and chilling tidbits from those proceedings. The Supreme Court said: "The First Amendment leaves undisturbed States' traditional power to prevent children from accessing speech that is obscene from their perspective. Because no person, adult or child, has a First Amendment right to avoid age-verification, the statute requires only [what's known as] intermediate scrutiny." And, from the Supreme Court's further opinion, they wrote: "Submitting to age verification is a burden on the exercise of [adults'] right. But adults have no First Amendment right to avoid age verification, and the statute can readily be understood as an effort to restrict minors' access." In other words, the Supreme Court is agreeing with what Texas is doing and has said so in their formal opinion on HB1181. And that sure does seem to cover what the Senate then, the Texas Senate did with SB2420. So this is really going to be interesting.
Ars said: "Davis Wright Tremaine LLP said the law 'extends far beyond social media to mainstream educational, news, and creative applications, including Wikipedia, search apps, and Internet browsers; messaging services like WhatsApp and Slack; content libraries like Audible, Kindle, Netflix, Spotify, and YouTube; educational platforms like Coursera, Codecademy, and Duolingo; news apps from The New York Times, The Wall Street Journal, ESPN, and The Atlantic; and publishing tools like Substack, Medium, and CapCut." So sounds like there's some good counterargument and pushback here. And I'm sure they're correct, although unfortunately this is exactly the law's intent. It's a feature, not a bug. They wrote: "Both lawsuits against Texas argue that the law is preempted by the Supreme Court's 2011 decision in Brown v. Entertainment Merchants Association, which struck down a California law restricting the sale of violent video games to children. The Supreme Court said in Brown that a state's power to protect children from harm 'does not include a free-floating power to restrict the ideas to which children may be exposed.' "So the tech industry has sued Texas over multiple laws relating to content moderation," Ars wrote. "In 2022, the Supreme Court blocked a Texas law that prohibits large social media companies from moderating posts based on a user's viewpoint. Litigation in that case is ongoing. In a separate case decided in June of 2025" - and this is the one that the House 1181 law - they said: "the Supreme Court upheld a Texas law that requires age verification on porn sites." So it may be that the way this ends up cutting is that SB2420, because it attempts to encompass all downloads of anything, is what will end up being ruled as too broad, and that it'll get pulled back so that it's only age-restricted content that needs to get parental approval. That looks like that may be the way this thing survives.
Leo: You're acting like this is all rational, and that the courts are acting rationally. Look at what Australia's doing. December 10th, if you're under 16, you will not be allowed to use social media in Australia. And they have made no provision for how that gets solved.
Steve: And we've just seen that with Mississippi. That is the current law in Mississippi.
Leo: Right.
Steve: Same thing. All social media for a minor, no.
Leo: Seems like that would fail.
Steve: I'm not taking a position or suggesting this is rational or not, Leo. I'm just looking, I'm just reporting, like, this is what's happening. You know? We were shocked. We were shocked when the Supreme Court said of the Texas pornography law, yeah, sorry, adults, you need to prove that you're an adult. And if that requires that you turn over your identity, then that's not an undue burden. That's insane. Of course it is.
Leo: Yeah, because it means basically everybody, not just children, but everybody has to offer federal or state ID, some sort of government ID.
Steve: Yes, adults need to prove they're not children. And there's no privacy-enforcing way to do that today.
Leo: Right. Right.
Steve: So as I said, January 1st happens to be exactly, to the day, 70 days away from today, 10 weeks. So not a lot of time for this to get resolved. But with any luck, it will be that time that will bring this to the court's attention. It'll run through appellate court, and then probably get turned back over to the justices again with the Supreme Court. And last time they said no, sorry, adults. You need to prove that you are an adult if you want to watch pornography. And so instead the porn sites just left Texas.
Leo: Yeah, the Supreme Court decision with Texas said that adults have no First Amendment right to avoid age verification.
Steve: Exactly.
Leo: Okay. Wow.
Steve: Yeah. Okay. So Google Play. They're going to be impacted by this in 10 weeks, in 70 days. We know that Apple has informed their developers that new APIs would be available "later this year," even though there's not much left of this year to be later than. Okay. But, you know, these are not hard problems to solve in code. I'm sure Apple has this stuff commented out of their code. They just have to remove the comments. Meanwhile, Google just posted something similar for their Play Store app developers. Under their headline "Changes to Google Play for upcoming app store bills" - meaning legislation - "for users in applicable U.S. states," they wrote: "A few U.S. states, currently Texas, Utah, and Louisiana, have recently passed verification laws requiring app stores to verify users' ages, obtain parental approval, and provide users' age information to developers. These laws also create new obligations for developers." And that's the other thing, Leo, is look at all the apps that are out there that are impacted by this. Again, legislation without any apparent concern for the consequences to the ecosystem that exists. "These laws," they wrote, "also create new obligations for developers who distribute their apps through app stores in these states. The effective dates for these laws, applicable for both developers and Google Play, are quickly approaching and present short implementation timelines across the ecosystem. While we have user privacy and trust concerns with these new verification laws, Google Play is designing APIs, systems, and tools to help you meet your obligations. Given the significant implications of these changes across the ecosystem, we are working to keep Play a trusted experience for everyone while also providing you information to support your preparations. "Our plan to support you is, the first app store bill to take effect is Texas SB2420 on 1 January 2026.
We understand that significant work may be needed for you to make changes to your apps. To help you, we plan to provide," and they have three things: "a new Play API. For users in these states, your app will be able to receive users' age verification or supervision status, age ranges, and other applicable signals." Okay, and of course something upstream has to make that possible; right? So this is an API that apps will be able to call upon to obtain information which the phone has, which the phone has to have obtained somehow. So Google will be, you know, sourcing this information downstream to the apps running on its platform. "Second, Play Console features: You will have the ability to notify Google Play of a significant change in Play Console without publishing a new version of your app. Additionally, you'll also get a report in Play Console showing when a parent revokes approval for your app." Because that's also something that the law allows is, you know, after the fact approval if a parent changes their mind. "And third, Trust and safety requirements." They said: "To protect users, your use of this new API must comply with Google Play's requirements governing how data from the API must be handled." They said: "More details" - because all this is a moving target happening rapidly - "more details on these features and requirements will be shared in the coming weeks. Planned dates and next steps subject to change." And so they said: "October 2025 [sometime here]: Requirements and a detailed integration guide with example code for the new Play API will be published for you to get started." And then "1 January 2026: The new Play API will be live for applicable users in Texas when the Texas SB2420 bill takes effect." They said: "If you'd like to learn more or have any additional questions, please contact our support team."
Leo: You know, this points out the real issue with having these app stores as the only place you can get an app for your device because now they're a chokepoint the government can use to enforce this. You can't do this on a computer because any, you know, are you going to go look at all - is the government, is the state going to go look at a million apps and see if they do it? They can't. It's not practicable. It's only possible because Apple and Google have these chokepoints which are their app stores. And this is just another reason why those chokepoints are a bad idea.
Steve: And another example of a monoculture.
Leo: Yeah.
Steve: Where too much is dependent upon a single point of failure.
Leo: Yeah, it's Apple and Google. Right? And by the way, you can make sure, you can enforce this law because there's only two companies you have to penalize.
Steve: Right.
Leo: It's very simple. Too easy.
Steve: Right. So I'm not an attorney. We all know that. But no one needs legal training to get a definite sinking feeling from reading the opinion of the Supreme Court in that previous very similar challenge to the previous Texas HB1181 legislation. The Court explicitly supported the requirement that anyone wishing to view age-restricted content could reasonably be asked to prove their age, even if doing so required them to reveal their identity and would certainly have the effect of limiting access to content even among those whose age would make such access legal. Doesn't matter. It's like, I don't want to tell you who I am. It's none of your business. You know, I've hardly got any hair left, and it's grey. The Supreme Court said: "Adults have no First Amendment right to avoid age verification." Wow.
Leo: That's really shocking.
Steve: It is. And that was Justice Thomas, who, reports were, enjoyed some of that kind of content.
Leo: Yeah, that's right. Long Dong Silver. I remember that, yeah.
Steve: That's right. So all that said, though, you know, the law is a complex instrument, and there could well be other factors in play with SB2420. We won't know until we do. But we'll certainly be letting everyone know what happens as it transpires.
Leo: I mean, it's true that desktop computers are a huge loophole in all this. You cannot...
Steve: Yes.
Leo: ...age-gate something that doesn't have a locked-in app store.
Steve: Right.
Leo: You can try, but there's just...
Steve: And I looked at the legislation, and it does, it is expressly and explicitly, I think this comes up in one of our feedback questions today, it is only aimed at mobile devices.
Leo: Right.
Steve: Phones and tablets.
Leo: Like kids don't use computers?
Steve: Exactly. It's like nothing else exists, you know, gaming platforms are excluded, TVs, PCs. It's targeted only at that. Which is really like, okay, then kids are going to use their laptop.
Leo: Right. This is why open computing is so important. And look, I don't want kids to be able to access pornography. That's not what we're talking about here.
Steve: Absolutely. No one should get confused about that.
Leo: No. But we don't want government to be able to say this is what you can and cannot do. It starts with pornography, but then it goes to social networks, then it goes to, I don't know, news sources. Or, I mean, there's a lot of things government would like to restrict. And if there is a single point of failure that they can put pressure on, they can do it. But they can't do it on a general purpose open computing platform.
Steve: No.
Leo: No, it's very sad. I suppose we're going to have to see this tied into biometrics, as well; right? This is more than just here's a picture of my photo ID. How do we - right?
Steve: Yeah. So that's what I was always wondering is through the months our listeners have heard me saying, if we're going to have any kind of effective age verification, it needs to have a biometric tie, which was why it was so odd to me that the system - was it Italy? I can't remember now. I talked about a country a couple weeks ago.
Leo: It was Spain.
Steve: Yes, it was Spain.
Leo: They have a national ID system.
Steve: Yes. And all you need is a PIN in order to verify your identity. It's like, oh, what? But...
Leo: Fortunately there's no way that teenagers can distribute things like PINs on the Internet.
Steve: No, that's never been heard of. You would never find a PIN written on the inside of a restroom wall.
Leo: No.
Steve: No. No. But there is a requirement in the Texas legislation, the HB1181. It defines a session, during which you're authenticated, of no more than 60 minutes.
Leo: Right.
Steve: So you are required to reauthenticate.
Leo: Continual reauthentication.
Steve: Yes.
Leo: This is nuts.
Steve: And they would have done it every 10 minutes if it was feasible.
Leo: Right.
Steve: But even they thought, well, we can't ask that.
Leo: Yup.
Steve: Okay. We're going to talk about NIST finally catching up with their password policy. And who among us might have been a little ahead of the curve after...
Leo: Uh, um, hmm.
Steve: ...we take a sponsor break.
Leo: Hmm.
Steve: Can you say "haystacks"?
Leo: If you've been listening to this show, you know that we have sensible password concepts. But NIST for some reason, well, you know, the whole thing about - well, we'll talk about it in a minute. It's a favorite topic of mine. Okay, Steve. Let's show everyone how you knew, you were right from the very beginning.
Steve: Well, as all of our longtime listeners will recall, about 13 years ago, back in 2012, after spending some time on the podcast examining and sharing the details of what was then modern password cracking using high-speed hardware-assisted hashing systems, I hit upon the idea that a password's length was far more important to its provision of cracking resistance than its complexity. The idea was that if some hashing system was going to be trying every possible password of a certain minimum assumed length, and then increase its guessed length by one after exhausting all possible passwords of that initial length, and so on until it succeeded, then the easiest means of preventing this form of password cracking would simply be to use longer passwords so that anyone attempting to brute force crack the password would give up long before they reached a password of the length that you had chosen. The essential revelation was that, if all possible passwords were going to be checked, it made no difference what characters those passwords contained since they would all be checked eventually anyway. The only thing that mattered was the password's length. This could be summed up in the time-honored way: Size does matter. Searching for a name for this concept, someone in GRC's newsgroups suggested the proverbial "needle in the haystack," which I loved, and of course we coined that "Password Haystacks" on the web page that I created. That page has helped people appreciate the power of the math behind the idea that longer passwords will take much longer to crack. And that was 9.3 million visits ago. So that page has been quite popular, and hundreds of people visit it every day. I'm mentioning this today because, although it took 13 years for NIST, the U.S. National Institute of Standards and Technology, to catch up with this idea, they finally have.
Friday before last, Malwarebytes picked up on this news with their headline: "Your passwords don't need so many fiddly characters, NIST says." Malwarebytes wrote: "It's once again time to change your passwords; but if one government agency has its way, this might be the very last time you do it. After nearly four years of work to update and modernize its guidance for how" - talk about bureaucracy. After nearly four years of work to update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their employees, the U.S. National Institute of Standards and Technology has released its latest guidelines for password creation, and it comes with some serious changes. "Gone," they write, "are the days of resetting your and your employees' passwords every month or so, and no longer should you or your small business worry about requiring special characters, numbers, and capital letters when creating those passwords. Further, password 'hints' and basic security questions are no longer suitable means of password recovery; and password length, above all other factors," they write, "is the most meaningful measure of strength. The newly published rules will not only change the security best practices at government agencies, they will also influence the many industries that are subject to regulatory compliance, as several data protection laws require that organizations employ modern security standards on an evolving basis. "In short, here's what NIST has included in its updated guidelines." They have six points, six bullet points. "Password 'complexity' (special characters, numbers) is out. Password length is in (as it has been for years)," they said. "Regularly scheduled password resets are out. Password resets used strictly as a response to a security breach are in." |
| Leo: Yes. |
| Steve: Yes. "Basic security questions and 'hints' for password recovery are out. Password recovery links and authentication codes are in." They said: "The guidelines are not mandatory for everyday businesses, and so there's no 'deadline' to work against. But small businesses should heed the guidelines as probably the strongest and simplest best practices they can quickly adopt to protect themselves and their employees from hackers, thieves, and online scammers. In fact, according to Verizon's 2025 Data Breach Investigations Report, 'credential abuse,' which includes theft and brute-force attacks against passwords, 'is still the most common vector' in small business breaches." And I wonder if that includes phishing because technically, you know, you get somebody's credential through phishing them. But anyway. Malwarebytes then went into some additional detail which I'm going to share because it was interesting and relevant. So they said: "Here's what some of NIST's guidelines mean for password security and management." Just to be clear. So first: "The longer the password, the stronger the defense." They wrote: "Password length is a primary factor in characterizing password strength," which of course is the point that the Password Haystacks page has been making for 13 years. They wrote: "NIST said in its new guidance. But exactly how long a password should be will depend on its use. If a password can be used as the only form of authentication (meaning that an employee doesn't need to also send a one-time passcode or to confirm their login through a separate app on a smartphone), then those passwords should be, at minimum, 15 characters in length. If a password is just one piece of a multifactor authentication setup, then passwords can be as few as eight characters. Also, employees should be able to create passwords as long as" - wait for it - "64 characters." Yikes. Number two: "Less emphasis on complexity. 
Requiring employees to use special characters (&~%$), numbers, and capital letters does not lead to increased security, NIST said. Instead, it just leads to predictable bad passwords. 'A user who might have chosen "password" as their password would be relatively likely to choose "Password1" if required to include an uppercase character' - oh, uppercase P, Password, and a one on the end - 'if required to include an uppercase letter and a number, or an uppercase P, "Password1!" if a symbol is also required,' the agency said. 'Since users' password choices are often predictable, attackers are likely to guess passwords that have previously proven successful.' In response, organizations should change any rules that require password complexity and instead set up rules that favor password length. "Third: No more regularly scheduled password resets." They wrote: "In the mid-2010s, it wasn't unusual to learn about an office that changed its WiFi password" - oh, gosh - "every week." |
| Leo: Yeah, how handy is that. |
| Steve: Yeah, right. Go to the coffee room or the water cooler to get today's corporate password written above on the chalkboard. |
| Leo: Yeah, right. |
| Steve: Wow. They said: "Now this extreme rotation is coming to a stop. According to NIST's latest guidance, passwords should only be reset after they have been compromised." |
| Leo: Yes. |
| Steve: "Here, NIST was also firm in its recommendation: A compromised password must lead to a password reset by an organization or a business." So definitely, if it's compromised, duh. But otherwise never. Just make it really strong. "Fourth: No more password 'hints' or security questions. Decades ago," they wrote, "users could set up little password hints" - you know, like what was your favorite first-grade teacher name or that kind of crap - "to jog their memory if they forgot a password, and they could even set up answers to biographical questions to access a forgotten password. But these types of questions, like 'What street did you grow up on?' and 'What is your mother's maiden name?' are easy enough to fraudulently answer in today's data-breached world." In other words, it's easy to do some research on a person to get the actual answers of where they grew up and what their mother's maiden name was. "Password recovery," they wrote, "should instead be deployed through recovery codes or links sent to a user through email, text, voice, or even the postal service," in extreme cases. And I think that actually our credit bureaus often use postal mail in order to do that. "And fifth and final: Password 'blocklists' should be used," they said. "Just because a password fits a list of requirements doesn't make it strong. To protect against this, NIST recommended that organizations should have a password 'blocklist,' a set of words and phrases that will be rejected if an employee tries to use them when creating a password. This list should include passwords from previous breach corpuses, dictionary words used as passwords, and specific words, for example, the name of the service itself, that users are likely to choose," said NIST. So this qualifies as big news. What NIST says, paradoxically, matters, since it drives official corporate and government policy. 
Although NIST has slowly been coming around for some time, through the years we've heard from so many of our listeners whose employers have been enforcing NIST's earliest, arguably crazy, guidelines which required, for example, passwords to be changed regularly, every 60 to 90 days. We know it's widespread. I've obviously invested a great deal of time thinking about this stuff. And Leo, I have never understood what problem this periodic enforced password change was ever supposed to solve, and why it would have ever had any effect other than reducing security. |
| Leo: It was created, as I remember, by a guy, about 40 years ago, writing password recommendations for NIST. And when somebody asked him about it, he said, yeah, I just thought it was a good idea. It was never justified in any way by any logic or reason. |
| Steve: You know, it's not as if passwords are osmotically seeping out of the storage location that held them, so that a new password should be put into effect before the entire previous password has had time to finish fully seeping out of its storage. You know, none of it ever made any sense. So... |
| Leo: His name was Bill Burr, B-U-R-R. And there's a story from the BBC, here, I'll show it to you. Let me, oh, I've got to turn on my camera again. That's right. I left and came back. There's a story, this is a few years ago, but I remember in 2017 reading this, and it stuck with me. So by the way, 2017, eight years ago, this guy who wrote it, he had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers, and symbols. The problem is the theory came unstuck in practice. This was in 2003. He now says "I was barking up the wrong tree." The original advice was distributed by NIST. |
| Steve: And it became hacker speak; right? Like this example of... |
| Leo: Yeah, LEET. Leetspeak. |
| Steve: Yeah. |
| Leo: Which every, by the way, password-cracking tool immediately tries. |
| Steve: Yup. Turn the "O" into zero. Turn the "E" into three and so forth. |
| Leo: Yeah, yeah. He even knew this was a mistake in 2017. But it took NIST all this time. |
| Steve: So, you know, things are now significantly more sane, as of now. We have new official NIST guidelines that can be, as I said earlier, waved around in front of the IT department of anyone's employer. |
| Leo: That's the problem is that the IT department doesn't - they're not reading these updates. |
| Steve: No. |
| Leo: They changed their policy back in the day, and they ain't going to fix it; right? |
| Steve: So I made this today's GRC Shortcut of the Week. |
| Leo: Good. |
| Steve: So anyone can get the new NIST guidelines by going to grc.sc/1048, grc.sc/1048. |
| Leo: And tell your IT department. |
| Steve: That will take you to the browser page of the NIST website for special publication 800-63B, as in Baker. And I've also got the full link in the show notes. Anyway, thank goodness. And, you know, if any of our listeners are being driven nuts by being under this 60- to 90-day password change, I mean, we've heard, like, there are, like, so much resource has gone into this; right? Like you can't, oh, you can't use any password of the last five. And so we've had people who, because they're so annoyed by this, they will make five password changes in a row and then immediately go back to their original password to flush the MRU, the Most Recently Used password list, out of the system so that they can just stay with the password that they want. I mean, it just - this is the kind of crazy workaround behavior that bad policy begets. So, so nice that this is over officially. So now we just have to flush it out of the rest of the system. We know that won't take, like, it won't be overnight. But again, grc.sc/1048. That'll get you the new guidelines. It'll get your IT department the new guidelines. And tell them, okay, kill the - I mean, they can just turn that off. That's got to be easy to do; right? Just not like they have to implement anything new. Just turn off the timer on the password reset enforcement. Ugh. So as I mentioned, news of Scattered LapSus$ Hunters' demise was greatly exaggerated. A couple weeks back I reported that the group Scattered LapSus$ Hunters, which we know is the amalgam of several other prominent groups, had officially declared itself done and disbanding. But then some of just last week's news brought that claim into question. And now we have pretty clear evidence that the group remains a going concern. Last Thursday, Joseph Cox with the highly respected 404 Media group published a short piece with the headline "Hackers Dox Hundreds of DHS, ICE, FBI, and DOJ Officials." 
And the subhead was "Scattered LapSus$ Hunters - one of the latest amalgamations of typically young, reckless, and English-speaking hackers - posted the apparent phone numbers and addresses of hundreds of government officials, including nearly 700 from DHS," the Department of Homeland Security in the U.S. So not much more is known about that at this time, but I did want to formally take back any suggestion that Scattered LapSus$ Hunters had in fact disbanded. All of the evidence since we saw that claim suggests they just threw that out for shits and giggles, who knows why, just you know, it's just not at all true. Okay, now, did the NSA hack into China? As our listeners know, I've often bemoaned the lack of any news of offensive U.S. cyber operations being carried out by the U.S. and aimed at our cyber-adversaries, of which we have a few. Just to be clear, I would much prefer that no one was attacking anyone else. Let's just not have any of this. But since we've been buried in reports of Russian, North Korean, and especially China's state-sponsored cyber attacks against the West, I'll admit that it was not unwelcome to encounter the Associated Press headline: "China accuses U.S. of cyberattack on national time center." That's kind of welcome news, though it might have been more useful if it's both true, and if the U.S. had not been caught, because you want this to be happening, but not to get caught at it. So here's what the Associated Press reported out of Beijing day before yesterday. They said: "China on Sunday accused the U.S. National Security Agency of carrying out cyberattacks on its National Time Center following an investigation, saying any damage to related facilities could have disrupted network communications, financial systems, and the supply of power. "The Ministry of State Security alleged in a WeChat post," because that's the way we do things now, I guess, "in a WeChat post that the U.S. 
agency had exploited vulnerabilities in the messaging services of a foreign mobile phone brand to steal sensitive information from devices of the National Time Service Center's staff in 2022." So three years ago. And so this sounds like apps, insecure apps, in some mobile phone was used to infiltrate the devices of staff at the National Time Service Center, probably obtained their authentication credentials, and then began to have some fun. There was no specification as to the phone brand. They wrote: "The U.S. agency also uses" - I love this - "42 types of 'special cyberattack weapons.'" That's good, you know, we've got a few - "to target the center's multiple internal network systems and attempted to infiltrate a key timing system between 2023 and 2024, it said. It said it had evidence, but did not provide it in the post on WeChat. "It said the time center is responsible for generating and distributing China's standard time" - as you would expect maybe a time center would - "in addition to providing timing services to industries such as communications, finance, power, transport, and defense. It had provided guidance to the center to eliminate the risks." Meaning the Ministry of Security provided guidance to the time center. "It said: 'The U.S. is accusing others of what it does itself [yay], repeatedly hyping up claims about Chinese cyber threats." Well, they don't seem very hyped up. They seem quite real. You know, we're talking about the consequences of them all the time. "Western governments in recent years," they wrote, "have alleged hackers linked to the Chinese government have targeted officials, journalists, corporations, and others. The ministry's statement could fuel tensions between Washington and Beijing, on top of trade, technology, and Taiwan issues. The U.S. Embassy, for its part, did not immediately comment." So as we know, it's certainly true that the West has been moaning about Chinese state-sponsored attacks for a long time. 
So I'm not unhappy to finally hear Chinese authorities complaining that the NSA has similarly been crawling around inside their networks for many years, as it turns out. It would be better to have peace maintained for reasons other than mutually assured destruction. But if that's the only way we can have peace in a world with mutually aggressive governments, then at least we should have some peace, even though it might be somewhat less stable than it could be. So again, as I've often said, it would be nice to know that we're giving as much as we're getting, and maybe we are. So if I had a dream job, Leo, patriotic as I am, I'd, you know, hacking legally, boy, what fun would that be? So we're at an hour in. Let's take a break. And then we're going to look at an instance of security through obscurity. And you're muted. |
| Leo: Yeah. How about that? |
| Steve: There you are. |
| Leo: Sorry about that. Yes, let's take a break, and then we will talk about your - what did you say? Security through obscurity. |
| Steve: Security through obscurity. Why would satellites bother encrypting everything that's raining down on our heads? |
| Leo: They're up in the sky. Nobody ever looks up there. |
| Steve: I can't see them. I looked up there. I didn't see them. |
| Leo: They're invisible. |
| Steve: So when I heard the news of this next story, my first thought was it was a classic example of security through obscurity. Our listeners know that I've sometimes decried the pronouncements of online tech weenies whose sole chant, issued to anyone who hides anything, is "security through obscurity is no security." You know, it's as if, after being exposed to that one concept, they feel like now they're a security expert every time they echo it. And, you know, such flippant remarks are annoying because actual security mechanisms are not so simple. Right? For example, the gold standard of flexible encryption is public key crypto. Its power is that one of its two keys is made public by design. But then we go to extreme lengths to keep their matching private keys secret. So is that "security through obscurity?" No. It's security through secrecy. Since all security inherently depends somewhere upon secrecy and secrets, the actual security provided by any security system depends upon our ability to keep those dependent secrets a secret. So I started off saying that when I heard the news of this story I was put in mind of "security through obscurity" because, in contrast to the misuse of that phrase, which I see all the time, there are certainly some instances where a system was just assumed to be secure only because no one had even ever bothered to check to see if anyone had locked the door. Boy. Researchers from the Universities of San Diego and Maryland thought to aim a commercial off-the-shelf satellite dish upward - which, you know, being an antenna dish for talking to satellites in the sky is sort of the obvious direction to point it. But what they discovered is perhaps the best definition of "security through obscurity" imaginable. Talk about not locking the door. 
Apparently, because most people do not have their own satellite dishes aimed at the sky - and even when they do it's hooked to some box that's selecting only what it should out of what's available, an astonishing amount of important data turns out not to be encrypted and is in no way protected. Obscure? Kind of. Secure? Not even a little bit. Details of what they discovered were recently announced by the universities whose members performed the research. The summary of their findings reads: "We pointed a commercial, off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary" - and they abbreviated that geo, G-E-O - "geostationary satellite communication." This is them saying: "A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, and consumer Internet traffic from in-flight WiFi and mobile networks. This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware. There are thousands of geostationary satellite transponders globally, and data from a single transponder may be visible from an area as large as 40% of the surface of the Earth." So these are not just beams going down, they're just a widespread spray of radio. Unencrypted-in-the-clear data being blindly and widely beamed down onto us from above, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, consumer Internet traffic and more, and all apparently happening because no one ever thought to look up. So under their topic "What type of network traffic was exposed?" they broke it down into six categories. We've got Cellular Backhaul. 
They said: "We observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas. This traffic included unencrypted calls, SMS and end user Internet traffic, hardware IDs (IMSI numbers), and cellular" - get this - "cellular communication encryption keys." All for the taking. Also we have Military and Government. They said: "We observed unencrypted VoIP and Internet traffic and encrypted internal communications from ships, unencrypted traffic for military systems with detailed tracking data for coastal vessel surveillance, and operations of a police force." Then there was In-flight WiFi: "We observed unprotected passenger Internet traffic destined for in-flight WiFi users on airplanes. Visible traffic included passenger web browsing (DNS lookups and HTTPS traffic), encrypted pilot flight-information systems, and in-flight entertainment." VoIP: "Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call audio and metadata from end users." Internal Commercial Networks: "Retail, financial, and banking companies," they wrote, "all used unencrypted satellite communication for their internal networks. We observed unencrypted login credentials, corporate emails, inventory records, and ATM networking information." And, you know, as I'm reading this, I'm thinking maybe China should be the least of our worries because we're just - we're not even protecting ourselves. You don't have to do any hacking. And really, Leo... |
| Leo: They don't have to spy on us. They just buy a $750 device and listen. |
| Steve: Yeah. With today's new SDRs, Software-Defined Radios, and the inexpensive availability of satellite dish antennas, I think it would be kind of a fun pastime. Some people have, like, high-powered telescopes, optical telescopes. Get yourself a dish and see what lands... |
| Leo: A dish. You know who used to do this, by the way, Steve Wozniak, very famously. I remember him talking about sitting in his living room listening to unencrypted phone conversations back in the earliest days of cell phone communications. |
| Steve: And it's only gotten juicier since. |
| Leo: Yeah. He loved it. |
| Steve: I think it would be fun. Anyway, finally, Critical Infrastructure: "Power utility companies and oil and gas pipelines used GEO satellite links to support remotely operated SCADA infrastructure and power grid repair tickets." All there for the viewing. So the researchers' paper, which will be published in the "Proceedings of the 32nd ACM Conference on Computer and Communications Security," or lack thereof, which will be held in Taipei, Taiwan, is titled: "Don't look up: There are sensitive internal links in the clear on GEO satellites." So I've included a link to their full paper in the show notes. But just to give everyone a bit of additional feel of flavor for the content of the data that's constantly pouring down over all of our heads, here's what the paper's Abstract explains. It says: "Geosynchronous satellite links provide IP backhaul to remote critical infrastructure for utilities, telecom, government, military, and commercial users." So just to clarify, so they're saying that in isolated areas, where you can't run fiber or any kind of electrical communications lines, like the boonies, what is often done is a satellite dish is stuck there aimed up at a geosynchronous satellite which is used to connect this out-of-the-way backwater zone into a larger network. And unfortunately, because whatever it is that device is used to being connected to a private network, even though this is now being bounced through the sky in order to reach it, the network is still treated as if it were private, meaning unencrypted. So you get to see what's on this private network. They wrote: "To date, academic studies of GEO infrastructure have focused on a handful of satellites and specific use cases. We perform the first broad scan of IP traffic on 39 GEO satellites across 25 distinct longitudes with 411 transponders using consumer-grade equipment." Nothing fancy here. 
"We overcome the poor signal quality plaguing prior work and build the first general parser that can handle the diverse protocols in use by heterogeneous endpoints. "We found 50%" - five zero percent, half - "of GEO links" - meaning data links - "contained cleartext IP traffic; while link-layer encryption has been standard practice in satellite TV for decades, IP links typically lacked encryption at both the link and the network layers. This gives us a unique view into the internal network security practices of these organizations." Which is a kind way of putting they didn't bother. "We observed unencrypted cellular backhaul traffic from several providers including cleartext call and text contents" - exactly like you were saying, Leo, Wozniak listening to people talking on the phone - "job scheduling and industrial control systems for utility infrastructure, military asset tracking, inventory management for global retail stores, and in-flight WiFi." So in other words, no one really took the trouble before now to look closely at what was going on. These guys did, and what they discovered was a profound lack of security. Satellite Television has always been encrypted because that was always part of its business model. Pirating early satellite TV was a cottage industry. But what we see of the IP, the Internet Protocol traffic, is the same thing we see of the Internet itself. As we know, the Internet's networking, just like internal corporate networking - at the link layer, that is, the physical layer - is still today and always has been entirely unencrypted. Encryption was added as an afterthought only where it was deemed necessary, and only at the application layer. It still doesn't exist at the link layer. 
So what appears to have happened is that satellite links have been used as simple network extenders, extending the reach of existing industrial, corporate, major retail - actually it was Walmart, it turns out, in the paper it's made clear - and even military networks through satellite links, where those links themselves have never been, and to this day remain, completely in the clear and unencrypted. So they have an 18-page paper, and I recommend that our listeners look at this thing. It is chock full of really interesting tidbits. It's fantastic work, and I could easily spend several podcasts just detailing all of the nuances and motivations that they discovered in this paper. But there's much more that needs our attention. So for what it's worth, the researchers acted responsibly, and they worked to notify all of the affected parties that they encountered, and there were many. If shining a very bright light on this doesn't get it fixed, then nothing will. And it appears to me that nothing will. Anyway, there is a link to their full paper, it's a PDF, 18 pages, near the top of page 11 of the show notes. Again, I had a hard time not spending more time on this because there's so much cool stuff in this 18-page paper. And seriously, what's the law, Leo? If something is being broadcast to our home, and we have an antenna, I think it's legal to listen to it. |
| Leo: You can pick it up. Absolutely, yeah. |
| Steve: Yeah. So what a fun, I think, what a fun project for maybe a mom, maybe a techie mom, but I think of it I guess, you know, like for a youngster who's precocious and... |
| Leo: Set up an antenna there, yeah. |
| Steve: Yeah, and a dish. |
| Leo: Get the kid involved. Yeah, it's good to... |
| Steve: Aim a dish at the sky and... |
| Leo: Skim, yeah. |
| Steve: Yeah, exactly. |
| Leo: Well, you know, when you were a kid, I'm sure you did this, I did this, I had a shortwave radio. And it was so much fun at night to tune up and down the dial and get radio stations from all over the world. Now kids can listen to, you know, important corporate phone calls. Just tune down the dial. |
| Steve: And I definitely had a radio at one point later, when I was a young adult, which... |
| Leo: Scanner. |
| Steve: ...could receive cell phone frequencies. |
| Leo: Oh. |
| Steve: And what was interesting was that you only heard one half of the conversation. |
| Leo: That's right. That's what Woz would say. But you could infer the other half. |
| Steve: Well, yes. And I heard clear evidence of men giving their wives excuses for why they weren't coming right home. It was, you know, odd, the conversations in the afternoon. |
| Leo: You learn a lot. See, kids? You can learn a lot. You don't need that social network account on your phone. Just get a satellite listening device. |
| Steve: Old-school, baby. Old-school had something going for it. |
| Leo: Old-school. It's only 750 bucks' worth of equipment. Anyone can do it. |
| Steve: And I'll bet you can get it on eBay on the cheap. |
| Leo: You should do it, Steve. You should do it. |
| Steve: If I had the time. I've got other priorities. But that would be... |
| Leo: What would you need? You just need a dish and a radio... |
| Steve: It would be fun for retirement. |
| Leo: Yeah. |
| Steve: Yeah. You just need an SDR and a satellite dish. I think you could probably do it for a couple hundred bucks. |
| Leo: Probably could. |
| Steve: Yeah. |
| Leo: A Software-Defined Radio. So most ham radios are software-defined these days. And you certainly - there's software out there that you can use to do that. So, yeah. Great little hobby. |
| Steve: All the documentation is in the public. All of this, all the protocol, all the frequencies. You probably just ask Claude or something, write me some code, and what are the frequencies that I need to scan? And, you know, you'll get it. |
| Leo: What would you listen to? Cell backhaul? Military vessel tracker? Telecom? Retail? |
| Steve: Internal corporate email, that would probably be interesting. |
| Leo: Be fun. |
| Steve: Yeah. |
| Leo: Be fun. Aviation. Yeah. Lot of stuff. There's unencrypted radio traffic on the radio waves; right? |
| Steve: Yeah, maybe you'll find like random numbers being beamed down from the skies, like what are these? |
| Leo: The number stations. If you ever find out what that's about, I hope you will share that with us. I'd like to know myself. |
| Steve: Okay. So we've often commented that security and other risks accrue anytime everyone is using the same solution. We were just talking about the fact that the government can clamp down on app downloads because they only come from two stores. So this is generically referred to as a dependence upon a monoculture. Diversity brings huge benefits. We've worried about, you know, for example, the world becoming "Chromium browser centric," where all web browsers are essentially based on a single code base. So far, Safari and Firefox have been maintaining their own. So that's good. And one of the most powerful design benefits of the Internet's autonomous packet routing architecture has been its resilience in the face of trouble. If links to one router go down, packets can "route around" the trouble, taking different paths to still reach their destination. That was part of the original design. Problems can arise when this massively decentralized and inherently resilient design is eschewed in the pursuit of market dominance. Much as I love Cloudflare and so much of the work they do, I'm always made a bit nervous by the outsized power they inherently wield by virtue of their size and the percentage of the world that's being serviced by a single organization, any single organization. |
| Leo: Yeah, you could say the same thing for Google. It's always bugged me that Google's enforcing these - admittedly, you know, HTTPS Everywhere is a good idea. But Google shouldn't have so much power that they can do that. Right? |
| Steve: Yeah, yeah, yeah. And of course Google might have our interests, you know, in mind, although... |
| Leo: As does Cloudflare; right? |
| Steve: I loved what you were talking about, or I guess you and the guys over on MacBreak Weekly, talking about how unfortunately Alexa is just a consumer sewer. |
| Leo: It's an ad network. |
| Steve: I just said the "A" word, sorry, but tough. |
| Leo: That's okay. |
| Steve: Yeah, it is. It's all about selling you stuff. And, you know, I was thinking that maybe I would use that for my own home automation. But no way am I going to put up with - I have a zero tolerance for being marketed, yeah. |
| Leo: You use an iPhone, so I think you - I think that's going to be the way to go, once HomeKit gets more sophisticated. |
| Steve: Yup. And Apple indicates they're really going to put a - go for a push for it. So I'm glad for that. |
| Leo: So I hope they do, yeah. |
| Steve: So anyway, problems can arise when there's too much of this centralization. What Cloudflare and others have grown into, however, is not the Internet way. That's every bit as true for Amazon's AWS services as it is for Cloudflare. And just yesterday the entire Internet learned exactly what can happen... |
| Leo: Yes. |
| Steve: ...when the aggregated services offered by a single provider are inadvertently withdrawn from the world. The Verge's headline yesterday was: "Major AWS outage took down Fortnite, Alexa, Snapchat, and more," with the subhead "The cause of the AWS outage is currently unclear." Okay. So now the first trouble I experienced, and many people did yesterday morning, was when I attempted to get to the IMDB website and received a "503 Bad Gateway" error. It's like, what? But it was the Guardian's coverage of this and their take on yesterday's serious outage events that really resonated the most for me. The Guardian's headline was "Amazon Web Services outage shows Internet users 'at mercy' of too few providers, experts warn," with the subhead "Crash that hit apps and websites around the world demonstrates 'urgent need for diversification in cloud computing.'" Okay. I just want to mention that since this, several of our listeners who got yesterday's show notes early have sent me some feedback, a couple of them noting there was actually a computerized bed somewhere where you stopped being able to raise and lower the bed because of the AWS outage. |
| Leo: What? |
| Steve: Believe it or not, like the buttons that the user pressed had to go out on the Internet in order for the signal to come back to the bed in order to lift or lower the footrest or the back of it or something. I mean, so at some point you also have to accuse designers of doing a bad job of design because the idea of your bed requiring Internet connectivity strikes me as a little extreme. But okay. |
| Leo: Yeah. I bet there's a lot of it. I bet there's a lot of it. |
| Steve: Yeah. Yeah. I mean, I would imagine outlet plugs and lights and things, you know... |
| Leo: Sure. |
| Steve: ...you know, that are on timers, yes. So The Guardian wrote: "Experts have warned of the perils of relying on a small number of companies for operating the global Internet after a glitch at Amazon's cloud computing service brought down apps and websites around the world." And I should mention, not the first glitch. There have been a few through the years. And we just all come rushing back. They wrote: "The affected platforms include Snapchat, Roblox, Signal, and Duolingo, as well as a host of Amazon-owned operations including its main retail site [ouch] and the Ring doorbell company. More than 1,000 companies worldwide were affected, according to Downdetector, a site that monitors Internet outages, with 6.5 million reports of problems from users, including more than one million reports in the U.S., 400,000 in the UK, and 200,000 in Australia. "In the UK, Lloyds Bank was affected, as well as its subsidiaries, Halifax and Bank of Scotland; while there were also problems accessing the HM Revenue and Customs website on Monday morning. Also in the UK, Ring users complained on social media that their doorbells were not working. "In the UK alone, reports of problems on individual apps ran into the tens of thousands for each platform. Tens of thousands. Other affected platforms around the world included Wordle, Coinbase, Duolingo, Slack, Pokémon Go, Epic Games, PlayStation Network, and Peloton." |
| Leo: Not Pokémon Go. No. |
| Steve: I know. What are you going to do? |
| Leo: No. |
| Steve: "By 10.30 a.m. UK time, Amazon was reporting that the problem, which first emerged at about 8:00 a.m., was being resolved as AWS was 'seeing significant signs of recovery.' Referring to the U.S. East Coast region, at 11:00 a.m. it added: 'We can confirm global services and features that rely on US-EAST-1'" - that's the designation for that chunk of AWS - "'have also recovered.'" Although actually I can confirm that recovery was actually quite slow. They said: "Experts said the outage underlined the dangers of the Internet's reliance on a small number of tech companies, with Amazon, Microsoft, and Google playing a key role in the cloud market. "Dr. Corinne Cath-Speth, the head of digital at human rights organization ARTICLE 19, said the outage underlined the dangers of placing too much digital infrastructure in a small number of hands. She said: 'We urgently need diversification in cloud computing. The infrastructure underpinning democratic discourse, independent journalism, and secure communications cannot be dependent on a handful of companies.' "Cori Crider, the executive director of the Future of Technology Institute, a think-tank that supports a sovereign technology framework for Europe, said: 'The UK cannot keep leaving its critical infrastructure at the mercy of U.S. tech giants. With Amazon Web Services down, we've seen the lights go out across the modern economy - from banking to communications.' "Madeline Carr, professor of global politics and cybersecurity at University College London, said it was 'hard to disagree' with warnings about the over-reliance of the global Internet on a small number of companies. 'The counter argument is that it's these large hyper-scaling companies that have the financial resources to provide a secure, global, and resilient service. But most people outside those companies would argue that this is a risky position for the world to be in.' "Amazon reported that the problem originated in the East Coast of the U.S. 
at Amazon Web Services, a unit that provides vital web infrastructure for a host of companies which rent out space on Amazon servers. AWS is the world's largest cloud computing platform. "Shortly after midnight (PDT) in the U.S. (8:00 a.m. BST), Amazon confirmed 'increased error rates and latencies' for AWS services in a region on the East Coast of the U.S. The ripple effect appeared to hit services around the world, with Downdetector reporting problems with the same sites on multiple continents. "Cisco's Thousand Eyes service that tracks Internet outages also reported a surge in problems on Monday morning, with many of them located in Virginia, the location of Amazon's US-East-1 region where AWS said the problems began and where AWS has a number of data centers. "Rafe Pilling, the director of threat intelligence at the cybersecurity firm Sophos, said the outage appeared to be an IT issue rather than a cyberattack." And we know that's the case now. It was a DNS problem that was really bad and that affected access to a critical database that AWS runs. They said: "AWS's online health dashboard referred to DynamoDB, that's its database system where AWS customers store their data. He said: 'When anything like this happens, the concern is that it's a cyber incident, and that's understandable. AWS has a far-reaching and intricate footprint, so any issue can cause a major upset. In this case, it looks like it's an IT issue on the database side, and they'll be working to remedy it as an absolute priority.' "The UK government has said it's in contact with Amazon over Monday's Internet outage. A government spokesperson said: 'We are aware of an incident affecting Amazon Web Services, and several online services which rely on their infrastructure. Through our established incident response arrangements, we are in contact with the company, who are working to restore services as quickly as possible.'" So, okay. 
When I hear these people saying, oh, you know, it's really a problem that there's this overreliance, it's like, no one's forcing you to use AWS. Right? I mean, there are a lot of alternatives. There are a lot of smaller outfits. There are a lot of, you know... |
| Leo: Big outfits. |
| Steve: ...other ways you can go. |
| Leo: There are many choices when it comes to cloud, yeah. |
| Steve: Right, right. And so... |
| Leo: AWS is just a default, isn't it. It's just... |
| Steve: Yes. It's like... |
| Leo: It's like IBM in the old days. |
| Steve: Exactly. No one ever got fired for choosing IBM, was the saying back then. |
| Leo: Yeah. |
| Steve: And for the most part it's up, it's reliable, it's strong. I'm sure the price is right, which is why everyone uses them. Unfortunately, the flipside is... |
| Leo: Everybody uses them. |
| Steve: ...when it goes down, it takes everybody down. |
| Leo: Yeah. That's pretty amazing. Wow. And it was, so it was an IT error. |
| Steve: Yeah. |
| Leo: It wasn't Border Gateway Protocol or something. It was just some misconfigured DNS. |
| Steve: No, it was a misconfigured DNS, and it propagated, and then it disconnected their DynamoDB that everything depends upon, and everything just kind of - it was a - it was funny. There was in the AWS announcement that I saw, they listed the various systems that were affected and then the specific AWS systems. And it was like - it went on and on and on, and then I saw the total. It was 143 different AWS systems, which is all of them. Basically, we're gone. We're off the 'Net. |
| Leo: Just cascading failure, yeah. |
| Steve: Okay, Leo. It's feedback time, after we take a break. And then, oh, boy, this first bit of feedback is one that many of our listeners picked up on that I missed last week. |
| Leo: Apparently I did, too. I didn't - okay. I thought last week's show was absolutely letter perfect. Not one single problem. Wow, I'm shocked. |
| Steve: We are human, and maybe there's a little bit of senile dementia creeping in. |
| Leo: Maybe, okay, okay. |
| Steve: Because we're stuck on the same floor. |
| Leo: Yeah. All right. Now, back to Steve Gibson, the error-prone Steve Gibson. |
| Steve: I was tempted to title today's podcast "You forgot to press star." |
| Leo: Oh. Brilliant. They're right. |
| Steve: Yes, they are. Several less-senile and more sharp-eyed listeners than we posted to GRC's Security Now! newsgroup, and many listeners sent feedback email about something I missed last week. And I do hope this is not a sign of our early onset dementia, Leo. |
| Leo: No. You know what? No, no, no, no. I went right along with it, too. I think that makes sense. |
| Steve: I know. I saw that the first word of each of the first four lines of our Picture of the Week last week was "For access to elevator, one must ask the desk, to get the new code, seven times to remember." And then it said "Starry blue skies ahead." And I remember thinking, okay, well, that's kind of odd. But I figured it was just thrown in there to make the rest of it seem a little less obvious. No. The keypad has a star and pound key. |
| Leo: Of course. |
| Steve: So I have a feeling that you and I would be stuck on that floor. |
| Leo: We'd be saying, where's my starry skies? I don't see any starry skies. |
| Steve: Yeah. Why didn't the elevator come? |
| Leo: I pressed the four digits. |
| Steve: Yeah, why didn't the elevator come? I don't know. Anyway, thank you, listeners. Yes, you were on the ball. You noted that we didn't read the last line of the secret handshake. |
| Leo: Well, we read it. We just didn't understand it. It fooled us. So if we're ever on the memory care ward, we're going to be stuck there. I hate to tell you, Steve. |
| Steve: Yeah, I'm going to try to remember to do the last line, too. |
| Leo: I know there's something I'm forgetting. |
| Steve: Okay. So Stephen Palm said: "It seems like this was inappropriately focused on Apple products and specifically iPhones." He said: "It should be noted that Google, Microsoft and some Linux distributions" - oh, he's talking about Texas SB2420. He must have had that in the subject line. He said: "Google, Microsoft, some Linux distributions, Amazon, Docker, Synology, Netgear routers, game consoles, modern digital cameras like Sony, HP printers, Smart TVs, and a lot more" - he forgot the garage door opener - "have a marketplace where you can shop and pay for an app or expansion or upgrade of some sort. Even some cars." He said: "The legislation is doomed." Okay. So we now know that that legislation's constitutionality has been challenged, even though, as I noted earlier, my guess is that it may be survivable in some state, although maybe get trimmed down, and survive much as HB1181 did before it. But Stephen's note about, like, all of these other things made me curious about what SB2420's legal definition of an "App Store" was. And, indeed, it's frighteningly broad. The legislation reads, and this is from Clause 2 of the actual legislation, which I tracked down: "'App store' means a publicly available Internet website, software application, or other electronic service that distributes software applications from the owner or developer of a software application to the user of a mobile device." Okay. So at least we have mobile device as a parameter there. But still, Internet website, software application, or other electronic service that distributes software applications from the owner or developer of a software application. So that is a broad definition. This means that it is at least constrained to platforms that distribute software applications to mobile devices. And we know that what the legislation's intent is, is it's squarely aimed at the major app stores, Leo, as you said, for Apple iPhones and Android smartphones. Thus Google Play. 
So it's probably less dire than Stephen was suggesting in his note. And on the receiving end of this download, the legislation defines "Mobile Device," that's their paragraph 4 at the top of the legislation, which reads: "'Mobile device' means a portable, wireless electronic device, including a tablet or smartphone, capable of transmitting, receiving, processing, and storing information wirelessly that runs an operating system designed to manage hardware resources and perform common services for software applications on handheld electronic devices." Okay. So that's also pretty tightly specified, and it means that, as Stephen enumerated, Synology NAS, Netgear routers, game consoles, modern digital cameras, printers, and smart TVs would not be swept up by SB2420. It's only meant... |
| Leo: But that's just that law, because California has an ID law that says any operating system. |
| Steve: Yeah. |
| Leo: So it really depends how the law's written; right? |
| Steve: Yeah. It's a mess. Well, and where; right? Because even with all this, it's only currently Texas. |
| Leo: In Texas. |
| Steve: And then eventually Utah and Louisiana or somewhere, wherever it was. So, I mean, this is a mess. And of course federally there's nothing happening - I mean, in more ways than one - with any of this. So it's being all left up to the states, which just creates a mess. So, you know, with all - and like we have Mississippi, where it's just blanket social media. And so Bluesky had to go dark in Mississippi. Wow. I mean, we're going through a tough time. |
| Leo: Yeah, yeah. |
| Steve: Jason Tschohl said: "Hi, Steve and Leo. First, thank you for 20 great years of Security Now!. I've been a listener since the very beginning. I just finished listening to SN-1047" - so that's last week - "and I'm confused about something. F-Droid is worried about Google's changes to the Play Store, but they seem very quiet about SB2420. Wouldn't SB2420 be even more detrimental to F-Droid than the changes to the Play Store? Thanks. Jason." And I would say yes. Yes. The home page of the F-Droid site asks the question "What is F-Droid?" and then answers it, writing: "F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device." But this raises an intriguing loophole question; right? The F-Droid app itself would first need to be obtained from the Google Play store under the new restrictions. And for that, any and every minor-aged person would need a parent's approval. But the F-Droid app itself offers an installable catalogue of FOSS applications for Android. So technically it's an application which accesses a repository. It's not a store. So the letter of the law doesn't quite encompass the F-Droid case. But to Jason's point, I would not want to be in F-Droid's shoes here, because one thing Texas SB2420 does clearly state is that each and every software download and installation must receive parental consent. The F-Droid app, once installed and obtained, allows for unrestricted application use from F-Droid's repository. So, you know, it could be a lawsuit waiting to happen. And you would think that F-Droid would probably need to incorporate the API which Google Play will be making available to apps, and then that would allow F-Droid to then gate the access of its sort of sub-apps, you know, the FOSS apps that it's allowing the download of, through the forthcoming Play Store API. 
So doesn't seem like it would be a horrible thing to have happen, but it's going to require them to at least take a look at it, and basically protect their app download in the same way that the Play Store is doing for the primary F-Droid app. Flemming Hansen in Denmark wrote: "EU chat control would be useless." He said: "In my view it would be relatively straightforward to bypass the proposed EU chat-control measures," which of course we now know failed in a vote which never even happened because it was known that the vote would not pass. He said: "An individual could encrypt an illicit image on a desktop computer, transmit the encrypted file via an app subject to chat control, and the recipient could then decrypt it on a computer to restore the original image. Kind regards." And of course he's absolutely right. You know, not nearly as convenient, but clearly true. That would work. It's a variation on the old theme of "If the use of encryption is criminalized, only criminals will use encryption." In this case, of course, it's the use of a smartphone to converse that is at issue. So certainly he's right, it would be - I would not argue that it would be useless. It's a good thing it didn't happen. But it can certainly be bypassed. Ray Noemer wrote: "Thought I'd let you know" - oh, this is the guy I mentioned before. "I just purchased 6.1." Meaning of course SpinRite. He said: "I've owned previous versions for many years, and it saved my butt (data) many, many times. I realize I could take advantage of the upgrade path, but I would rather support your work and the effort that goes into your weekly podcast, so I bought 6.1." |
| Leo: Aw, that's nice. |
| Steve: "Keep up the great work, please. Ray." |
| Leo: It's true, it's worth it, yeah. |
| Steve: Well, depending upon what's at risk, and also even for the performance enhancement that 6.1 is now proven to offer. But I chose to show that, not because I expect anyone else to do the same, but because I wanted to give Ray's generosity some wider recognition. |
| Leo: Aw. |
| Steve: Because apparently he's a listener. While I appreciate his extra purchase, my plan is to give everyone new stuff to purchase, stuff that they want, which will hopefully benefit their lives as much as SpinRite has been able to for the past 36 years. To that end, as I mentioned, I'm working every day to get the DNS Benchmark wrapped up. I am very excited about what it has evolved into. So after nearly 10 months of work on it, I'm very close. So again, thank you, Ray. I appreciate that. Duncan said: "Hi, Steve and Leo. Longtime listener, propeller-head, and SpinRite user," he said, "which paid for itself a hundredfold by restoring my daughter's crashed MacBook hard drive weeks before her final school exams." |
| Leo: Oh, boy. |
| Steve: Duncan said: "I've been listening with interest to your coverage of the age verification topic, alongside developments in the imminent Australian social media restrictions planned for December 2025. While I'm sure your listeners want to protect the innocence and mental health of our children, they also appreciate the technological challenges involved and the fact that any solution will require all adults to verify their age, not just minors." Right, because adults have to prove they're not minors. He said: "My reason for writing is to make a point that seems to have been overlooked in this whole debate, the 'older brother loophole.' "Existing laws around the globe were drawn up in a physical world, where it is possible to physically identify someone entering an adult pub, club, or movie theater, or purchasing alcohol, cigarettes, magazines, or other restricted activities. However, in the physical world, there was nothing to stop an older brother or friend from purchasing alcohol, cigarettes, movies, or magazines, and sharing those with minors after purchase. We all know this happens in real life. Away from the 'point of sale,' there's nothing that can be done about this, apart from vigilant parenting or Big Brother policing in your own home. "The technological world is no different. You can put all the electronic age restrictions you want on minors themselves, but you can't stop them watching or reading information on their older brother's or friend's phone, computer, or TV, or the unlocked iPad sitting in the family room. People often talk about savvy kids using VPNs to override national or regional restrictions, but there will be endless other ways for older brothers and friends to 'lend' their age verification, credentials, or device to a minor that makes the whole exercise futile from the start, with the obvious cost and risk to everyone else's privacy. 
"I can't envision," he says, "a feasible technological solution to this problem until our devices are constantly surveilling their viewers' eyeballs or brains to ensure no minors are watching their screens at any point in time. I look forward to you covering this Big Brother world in Episode 1984." He said: "Hopefully this brings another angle to your ongoing analysis of this interesting challenge. Keep up the great work. Regards, Duncan in Sydney, Australia." And of course Duncan's note about the need for continual surveillance in the cyber world reminded me, as I mentioned, of that clause in the Protecting Tennessee Minors Act, which does require constant reauthentication. They define a session as 60 minutes, and you must reauthenticate within a 60-minute window in order to stay within the letter of the law. So, yeah, "1984" indeed. I mean, you can imagine, Leo, like something like the camera looking at you, constantly doing a retina verification. |
| Leo: It's inevitable. This is the end game. This is, you know, remember in "1984" the TVs watched you; right? Yeah, and you had to have them on at all times. And I really think we're headed in that direction. It's just... |
| Steve: Well... |
| Leo: And by the way, he's got a good point. Forget Big Brother. It's unenforceable. Harper Reed was on TWiT on Sunday. He's kind of a bit of a hacker himself. He said: "This is great. Australia's going to breed a whole generation of kids who know how to hack stuff. This is going to be the best thing." Seriously, he's right. |
| Steve: Yeah. |
| Leo: This is how it starts. |
| Steve: They won't take it for granted. They will get their engineering hats on and figure a way around. |
| Leo: A way around it, yes. And there are multiple ways around it. And they will find them. |
| Steve: Yeah. Matt Storms wrote: "Is it possible that Discord needed to keep the age verification data as proof of verification?" He said: "(In case of audit or lawsuit, or proof of compliance with regulations.)" Which is a great question. Looking at the recent legislation regarding age-gated access to Internet content, there is very clear and explicit language stating that any and all personally identifying information (PII), including image or data derived from images, must be deleted immediately after it has been used for age verification. And even Discord's own support information says: "Discord and k-ID" - which is the organization they use - "do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device." Okay, now, unfortunately, for those more than 70,000 users whose identity documents Discord acknowledged were leaked, this doesn't appear to be true. And given how sensitive people understandably are about having their identity documents leaked onto the Internet, coupled with how litigious the world has become, this might be a mistake that gets Discord's provider in some very hot water. Because you can imagine lawsuits will be flowing after any of these 70,000 users learned that the provider, whoever Discord used, the actual provider in this instance seemed to be somebody else, not this k-ID group, so I don't understand, you know, maybe k-ID uses a third party themselves. Anyway, one way or another, this stuff wasn't deleted after it was used. It was kept around, and the hackers got a hold of it. So one wonders also if the fine print of whatever agreement the age verifier might have had its users click on might provide some legal loophole and maneuvering room for them. I don't know. 
So what little good news there is amid all of this recent age-gated legislation, at least the legal verbiage stipulates that whatever information is used for the determination must be immediately deleted. The legislators got that right, at least. Now, of course, the techies have to abide by that law. And I would imagine they really need to because there'll be upset people who are saying, hey, you said you deleted this. How did the bad guys get it? |
| Leo: Well, how did they? |
| Steve: Uh-huh. |
| Leo: Right? I guess they weren't... |
| Steve: Yeah, oh, we forgot to empty our trash can. |
| Leo: Oh, that's it. We put it in the recycling bin. |
| Steve: That's it. That's right. It's in the recycling bin. What are you going to do? Brian Orme wrote: "Steve, I'm listening to 1047 right now and had to pause it to send you a note. I'm a father of three kids. My youngest is a teenager, and my older two are now adults. While this new Texas law is at least a step, it won't help much. I'm hopeful that an age validation standard will be established that's secure and simple. This is a hard problem, since it hits the center bull's-eye of the definition of Personally Identifiable Information." He's certainly right about that. He said: "Raising my older two, there is one obvious fact." And this is to your point, Leo. "Our children are not like us, who grew up without the Internet. Kids grew up with the Internet like we grew up with electricity. They live it, eat it, and breathe it. They can get around everything. They buy reloadable credit cards at Dollar General to appear as adults. My 18-year-old son told me he simply used my birthday whenever he registered for a service to get around all the filters." |
| Leo: He's not dumb. |
| Steve: Same last name. Right? "On that note, the problem with this new law is that they are locking the gate on the two-foot-tall fence, while neglecting to lock the house doors. Once kids have a child-friendly app installed, the problem is what happens inside the app and developers' neglect of monitoring their own services. This is especially true when developers incorporate the app with some ability for users to communicate among themselves. "It was recently discovered that a friend's son was being groomed via Pinterest chat by a woman halfway across the United States. I'm thankful for his mother's perception, who noticed behavior changes and took action. But who would have ever thought when their child asked permission to install Pinterest, that this age-appropriate app would have the ability to cause such harm. The same obviously goes for Minecraft, Roblox, and many, many other apps. The age requirement in this and most cases is truly useless. Require all the age verification you want. It will not help the issue, except for a small fraction of extreme apps and websites. The complexity for parents to set up child accounts thus far is so frustrating that even myself, a certified security professional, just gave up. "A case in point, while auditing my subscriptions recently, I realized that I was paying for three separate Spotify family accounts. I don't have answers, just some parental observations trying to raise kids in this digital world. These new requirements will be ineffective until developers and store owners" - and he has three points. "First, make it stupid simple for parents to create and manage family accounts. Second, enable parents' visibility and proactive notifications into what's actually happening INSIDE the apps. And three, force developers to either shut down or actively monitor (and be held accountable) for their in-app communication services." 
And of course no developers want to have any responsibility for what is transacted, you know, inter-app. That would be a huge burden. And he finishes: "Until these things happen, this age verification service will only be an annoying speed bump. Thank you for all you and Leo do each week. Signed, Brian." So I thought the points Brian made were very certainly good ones. I'll be interested to see how Internet-savvy minors arrange to circumvent these new restrictions. But Brian's point about the social networking content carried within otherwise innocuous apps is clearly important. It's unclear how that will eventually be addressed, but it seems that it would need to be. We know that apps such as Facebook or 'X' do not, in and of themselves, have any age-specific rating. It's the content they communicate that these Texas legislation folks appear to be completely naive about. As we know, the state of Mississippi dealt with this simply by saying no to all social media stuff. And I want to finish, before our last break and we talk about Mic-E-Mouse, just by noting that, Leo, you and I are both huge fans of a Netflix series, "The Diplomat." |
| Leo: Oh, yeah. |
| Steve: So much so that I'm sure we've mentioned it on the podcast previously. I just wanted to make sure that anyone who loves it as much as we do is aware that last Thursday Netflix released the entire eight-episode third season. I've already ingested it. Lorrie and I binged on it. |
| Leo: You watched the whole thing already? |
| Steve: Yeah. Yeah. |
| Leo: Wow. |
| Steve: I get it that it's not for everyone. But if you loved the first season, I wanted to make sure that everybody knew that the third season is out, and it's just as good as the previous two. |
| Leo: You finished it. |
| Steve: And a fourth season has already been commissioned. |
| Leo: It's really good. |
| Steve: So there will be a fourth season. And I just - it's everything I want in a... |
| Leo: The way the second season ended I just loved. I just - it was just everything I like in the world, and it was so good, and I just can't wait to see where it goes after that. |
| Steve: Number three is really good, Leo. So you have a big treat in store for you. |
| Leo: Oh, boy. |
| Steve: And I wanted to make sure that our listeners knew that they do, too. And again, I get it, you know, there's something for everyone. This may not be for you. But if you have a Netflix subscription, you never even saw it, give the first episode a try. If it doesn't grab you in one or two, then, you know, you'll know that. But a lot of fun. |
| Leo: Yeah, yeah. It's not - everybody, yeah, everybody has different tastes. |
| Steve: Yeah, we're all different. |
| Leo: Yeah. |
| Steve: Yeah, I mean, there's so much comedy that I just, I look at it, and I go, that's not even funny. Like, you know. So. |
| Leo: Hey, I like Jim Carrey. Don't you be knocking Jim Carrey. How did I know you were talking about Jim Carrey? All right. One last break, and then we will get to the Mic-E, whatever, Mic-E-Mouse, whatever that is. |
| Steve: Look at that picture that I have. It's the one that AI generated from a simple query, that generated the... |
| Leo: Are we going to get in trouble with the Disney Corporation here? |
| Steve: I think they just lose their rights, or that was just to... |
| Leo: No, just to the very first one, Steamboat Willie, I think, yeah. Let me just look at it. Because, yeah, that, you know, you can generate a lot of - oh, that's funny. You did that? |
| Steve: No, no, no, no. They did. |
| Leo: Oh, they did. It's definitely AI, yeah. But somebody did, yeah. Very cool. Okay, Steve. I've got the Mic-E. Very nice. |
| Steve: So through the years of this podcast we've had a lot of fun examining a range of bizarre and often surprising side-channel attacks that have been able to exfiltrate a surprising amount of information from the surrounding environment. It turns out that, not only can you bounce a laser interferometry beam off a vibrating window, as spies are known to do, to recover the spoken audio on the other side of the glass inside a room a long ways away, but a laser can also be, and has been, bounced off a large plant leaf, a balloon, a bag of chips, and even an exposed light bulb innocuously hanging in the room. We've seen keyboard keystrokes recovered with the aid of an inconspicuously placed nearby smartphone. We've even seen the reflections of WiFi radio signals used to locate people moving around inside a room on the other side of a solid wall. We've seen the power supply's fan speeds controlled to change its sound to transmit low-bandwidth information, and the sounds made by its switching power supply similarly modulated for the covert transmission of information. So perhaps we should not be overly surprised to learn that today's contemporary desktop mouse, thanks to the ever-growing demands of high-speed gaming, has become so sensitive to its surroundings that it, too, is able to detect, pick up, and transmit the sounds of ambient conversations. Now, it's not a microphone. It's far from it. But a team of five researchers in the Department of Electrical Engineering at - I can see it from my balcony - the University of California at Irvine have worked to create "Mic-E-Mouse," a mouse turned into a microphone of sorts, thanks to its ability to perceive a room's vibrations. Now, I say "of sorts" because what these guys had to go through to make this work was some serious gymnastics. 
Before I go any further, for the sake of strict scientific accuracy, I feel that I should note, just for the record, that this is not actually the first time we've seen someone speaking into a mouse, Leo. Thirty-nine years ago, in 1986, the movie "Star Trek IV: The Voyage Home." |
| Leo: I would play it if I could, but they'll take us down. |
| Steve: The Enterprise's chief engineer, Montgomery Scott, first picked up and spoke into the mouse of an Apple Macintosh PC, naturally assuming it to be a microphone, and that the computer would be able to take his verbal instructions to show the molecular design of transparent aluminum. Of course, at the time that was just science fiction; right? And it was meant to be humorous, and was. But as we also so often see, what was once a flight of science fiction fancy has now become all too real. The researchers feel that the threat potential from covert eavesdropping and spying through mice is today all too real. The Abstract of their paper explains: "Modern optical mouse sensors, with their advanced precision and high responsiveness, possess an often-overlooked vulnerability: they can be exploited for side-channel attacks. This paper introduces Mic-E-Mouse, the first-ever side-channel attack that targets high-performance optical mouse sensors to covertly eavesdrop on users. We demonstrate that audio signals can induce subtle surface vibrations detectable by a mouse's optical sensor. Remarkably, user-space software on operating systems can collect and broadcast this sensitive side channel, granting attackers access to raw mouse data without requiring direct system-level permissions. Initially, the vibration signals extracted from mouse data are of poor quality due to non-uniform sampling, a non-linear frequency response, and significant quantization." Now, of course, it's not designed as a microphone. So it is, to coin the term, a crappy microphone. They wrote: "To overcome these limitations, Mic-E-Mouse employs a sophisticated end-to-end data filtering pipeline that combines Wiener filtering, resampling corrections, and an innovative encoder-only spectrogram neural filtering technique." In other words, AI. 
They wrote: "We evaluate the attack's efficacy across diverse conditions, including speaking volume, mouse polling rate and DPI, surface materials, speaker languages, and environmental noise. In controlled environments, Mic-E-Mouse improves the signal-to-noise ratio by up to 19 dB for speech reconstruction. Furthermore, our results demonstrate a speech recognition accuracy of roughly 42% to 61% on the AudioMNIST and VCTK datasets. All our code and datasets are publicly accessible on the Mic-E-Mouse website." And that's sites.google.com/view/mic-e-mouse. |
| Leo: M-O-U-S-E. |
| Steve: So in other words, modern optical mice will respond to the surface vibrations of the surface they're resting on, and any standard app running within that machine can monitor the mouse closely enough to capture and exfiltrate that raw and rough vibration data to an outside eavesdropper. From there, although this is just the beginning, bringing the power of today's massive data processing to bear, what the mouse has heard to cause it to report the vibrations that it transmitted can then be determined. Now, I am reminded as I'm reading this of some of the different data reconstruction research we've covered, where, remember, the upshot was that visually blurring the text in order to obscure it was no longer considered safe because, although the text's image could not be algorithmically "unblurred," that is, there's no way to bring back the information that the blurring lost, if the text's font were known, which is often not difficult, the amount of blur could be determined and modeled. At that point, a brute force attack could be launched by rapidly trying all possible underlying characters, one at a time, from left to right... |
| Leo: Looking for a match, sure. |
| Steve: ...until, yes, until you've got an exact blur match, and eventually the entire message could be deblurred. Similarly, even if a mouse's vibrations are nowhere near audio quality, and they are really not, mapping the audio that would have resulted in those vibrations solves the same problem. |
| Leo: Is this an example of a use of AI? |
| Steve: Yes. Yes. |
| Leo: How interesting. |
| Steve: They trained OpenAI's Whisper model in order to solve this... |
| Leo: Oh, Whisper's really good, yeah. |
| Steve: In order to solve this problem. So to put some meat on these bones, here's what the researchers explain. They said: "The proliferation of low-cost, high-fidelity sensors in consumer devices has greatly improved user experience in common computing tasks. From lower response times to more adaptive workflows, these devices have been" - oh, my god, and Leo, the technology in a mouse today is just astonishing. I mean, it's like doing so much digital signal processing, you know, DSP computation, using the images, high-resolution images from today's sensors. It's just it's incredible what we just take for granted. We just, you know, shoop around on the desk under our hands. |
| Leo: 61% is amazing. I mean, that's really good. |
| Steve: Yes. Yes. |
| Leo: Holy cow. |
| Steve: They said: "The lion's share of these improvements is found in the category of user input devices, including styli, mice, and monitors. More specifically, improvements in mouse sensor technologies have allowed commercial offerings to operate with a sample rate of 4 kHz, with a growing selection of products that also support 8 kHz. "Consumer-grade mice with high-fidelity sensors are already available for under $50 US. As improvements in process technology and sensor development continue, it's reasonable to expect further price declines. Furthermore, mouse sensors' resolution and tracking accuracy also follow the same pattern, with steady improvements each year. Ultimately, as lower performance mice leave the consumer space, these developments lead to an increased usage of vulnerable mice by consumers - vulnerable meaning higher precision - by consumers, companies, and government entities, expanding the attack surface of potential vulnerabilities in these advanced sensor technologies. "The rise in work-from-home policies has led to the widespread adoption of new technologies and practices, making it more difficult for employers and government institutions to control the physical operating environments of their workforces. Meanwhile, these arrangements often boost employee sentiment and productivity. The security implications of work-from-home policies are still being understood. Specifically, attacks exploiting personal peripherals on work computers, such as keyboards, microphones, styli, earphones, mechanical hard drives, and even USB devices, have become increasingly common. Even in relatively secure office environments, the threat posed by these exploits is still significant, especially for unknown or poorly understood attack vectors. "We posit that the seemingly innocuous computer mouse is the source of yet another vulnerability. 
Importantly, we claim that recent advancements in mouse sensor resolution can be sufficient to enable a side-channel attack capable of extracting user speech. Through our Mic-E-Mouse pipeline, vibrations detected by the mouse on the victim user's desk are transformed into comprehensive audio, allowing an attacker to eavesdrop on confidential conversations. This process is stealthy since the vibration signals collection is invisible to the victim user and does not require high privileges on the attacker's side." Right. Whoever thought that tightly watching mouse position could be a security vulnerability? They said: "Potential adversaries can collect user-space mouse signals and remotely use the Mic-E-Mouse pipeline to convert raw data packets into audio." Okay. Now, I'm going to interrupt here just to observe that websites are also able to obtain mouse coordinates in real-time. So it might be that just visiting a site which innocuously downloads and runs some high-performance WebAssem code might now be sufficient to collect sufficient mouse vibration data while you're visiting the site to later reverse-engineer the speech that was taking place during that visit. You would assume that having your microphone disconnected or muted would be sufficient. But perhaps not. The researchers continue: "Modern optical mice employ various methods to provide precise movement tracking under different sensitivity settings. Over the past two decades, optical mice leveraging a high-performance CMOS camera with an onboard Digital Signal Processor have become the preferred design choice. Generally, optical sensors enhance reliability and fidelity through the use of self-illumination, typically from an independent diode or an integrated laser. By taking thousands of snapshots of the illuminated surface under the mouse, the DSP can then compare each successive image in order to determine the direction of movement. 
The rate at which this process happens is determined by the sensor's frame rate, measured in Frames Per Second. Each frame is processed via an on-chip correlation algorithm to provide a two-dimensional displacement to the host computer. The described process can be broken down into two key elements, the imaging sensors and the image processing and movement detection algorithm. "Rather than relying on expensive Charge-Coupled Device (CCD) sensors, the sensor in an optical mouse is typically a CMOS, Complementary Metal-Oxide-Semiconductor image sensor collecting up to 30x30 pixels' worth of data per frame, where each pixel represents the intensity of the reflected light at that point. This basic mini-camera is a critical component of implementing speckle-pattern detection. Some sensor models, such as the PixArt PMW3552, capture data using an 18x18 pixel grid, while others can record up to 30x30 pixels, depending on the manufacturer's specifications. For visualization purposes, we destructively studied a PixArt PMW3552 sensor in our institutional lab. This sensor features an 18x18 CMOS pixel grid and is designed to interface directly via USB. Speckle patterns are random, granular intensity patterns produced when coherent light, such as laser light, is scattered by a rough surface. When an optical mouse is moved over a surface, the speckle pattern on the surface changes smoothly and reliably." That's how mice are now able to scan over glass. "The CMOS sensor captures these changes in the speckle pattern frame by frame and processes them to detect movement. These movement detection algorithms allow for the translation of data into corresponding coordinate deltas." So the researchers go into an extreme level of detail which should satisfy anyone wishing to deeply understand their work. 
Anyone listening who wants more than I'm going to share here on the podcast is invited to follow the links at the end of the show notes, which point to all of their research including all of the code they developed to pull this off. It's all in the public domain. The important point I wanted to make, however, is that none of this would have even been remotely possible without what we now know of as AI. A crucial aspect of their system's success, that so-called Mic-E-Mouse signal processing chain, was their ability to retrain an existing OpenAI Whisper model using the X and Y movement outputs from actual mice. Whisper is OpenAI's open-source speech recognition system. It's specifically designed to take input material representing spoken audio and convert it into text. This team was able to cleverly retrain and repurpose Whisper to accept incredibly low-quality audio, I mean, you really have a hard time calling it audio, barely recognizable as anything, and obtain up to 65% word recognition accuracy. So bottom line is we may need to be careful about what secrets we utter around our mice. You may not want to repeat important passwords out loud. Your mouse might indeed have very big ears. |
| Leo: You know, it's funny, I often, how can I say this without giving it away, I often use passwords - oh, let's not show that. I often use passwords that are lyrics from songs or soliloquies from Shakespeare plays, that kind of thing. And so I'll frequently sing it out loud as I'm saying it. I'm going to have to stop doing that. I always get nervous, like is anybody listening? So I try to hum hum hum under my breath. Wow. And I do, you know, I often buy these gaming mice that have very high resolution rates. |
| Steve: We know, Leo, you have the highest frame rate, highest resolution gaming mouse... |
| Leo: Only the best. |
| Steve: ...available moment to moment. |
| Leo: Only the best. |
| Steve: Only the best. |
| Leo: Now, to be clear, they'd have to get software on your system. |
| Steve: Yes. |
| Leo: Like they'd have to have a compromise - yes. |
| Steve: But a browser can do it. |
| Leo: Oh. |
| Steve: Yes. |
| Leo: It could be a plug-in, you mean? Or... |
| Steve: No, oh, no. Any website you visit, because now we all download WebAssem. |
| Leo: Because of WebAssem, yup. |
| Steve: And that's got all the power that it needs in order to do a high-speed extraction and exfiltration of the movement data. |
| Leo: WebAssem. WebAssem. Wow. We've really made these browsers way too powerful. If you can do that... |
| Steve: Yeah. |
| Leo: ...that's - that's scary. That's really scary. |
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
| Last Edit: Oct 24, 2025 |