
Security Now 1010 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

00:00 - Leo Laporte (Host)
It's time for Security Now. Steve Gibson is here. What an amazing find: a five-year-old typo in MasterCard's DNS. They say that's no problem, but is it no problem, really? Also, 18,459 script kiddies get pwned. And then, is it possible that neural nets, neural nets like our own brains, could, I don't know, attention could wander? Squirrel! Steve talks about that and a whole lot more. Next on Security Now. Podcasts you love, from people you trust.

00:39 - Steve Gibson (Host)
This is TWiT.

00:45 - Leo Laporte (Host)
This is Security Now with Steve Gibson, episode 1010, recorded Tuesday, January 28th, 2025: DNS over TLS. It's time for Security Now, the show where we cover the latest security news, privacy news, and help you protect yourself and your company, with this guy right here, the king of the hill, the king of security, Mr. Steve Gibson, back for episode 1010, which, as we noted, is binary eight.

01:21 - Steve Gibson (Host)
No wait no 10. No 10.

01:24 - Leo Laporte (Host)
Whatever it is, I've only been doing that for 55 years or something. So yes, binary 10.

01:30 - Steve Gibson (Host)
10-10. Binary 10. Yes. For the last episode of January. Wow.

01:37 - Leo Laporte (Host)
Hard to believe. Here we are when did the year go?

01:40 - Steve Gibson (Host)
Where is it going? What's going to happen? We don't know. Okay. So, lots to talk about this week. Today's episode is titled DNS over TLS. I'm going to share, if you were Microsoft, if we were Microsoft, I would call it my personal learnings, because I hate that.

02:05 - Leo Laporte (Host)
Yeah, I don't know why they use that word. It's awful. So bad.

02:09 - Steve Gibson (Host)
Yeah, yes. And you can see that we suffered a power failure, after which I have not yet reset things.

02:16 - Leo Laporte (Host)
Oh, there's no blinking lights.

02:18 - Steve Gibson (Host)
No, the blinking lights are frozen lights, but I imagine after our first sponsor announcement the blinking lights will be blinking again, magically, because that was over the weekend and I haven't remembered to get them started again.

02:32 - Leo Laporte (Host)
I have to flip.

02:33 - Steve Gibson (Host)
Well, you know, you've got blinking lights. I have blinking lights, yes, and whenever they stop, they need a little bit of kick in the blink.

02:40 - Leo Laporte (Host)
You've got to reprogram the whole damn thing. That's right. That's right. Actually, my PDP has stopped. But that doesn't mean it's frozen. It means it solved the little number problem I gave it.

02:54 - Steve Gibson (Host)
That's right, 42. Yes, it's 42. 42. That's right. So you'll restart yours and I'll restart mine. We're going to be talking about a lot of fun things. eM Client can be purchased outright.

03:12
We have an astonishing five-year-old typo which was found, discovered by a security researcher, in MasterCard's DNS, which, whoa, that was not good, and neither was their response. We have an unwelcome surprise which was received, so far has been received, by 18,459 low-level hackers, also known in some circles as script kiddies. DDoS attacks continue to grow, seemingly without any end in sight. We've got news on that front. Let's Encrypt has clarified their plans for six-day, we barely knew ye, certificates. SpinRite uncovers a bad brand-new eight-terabyte drive, a little something I want to explain about that which occurred to a user of SpinRite. I thought it would be fun to share that. We've also got a ton of listener feedback about TOTP, Syncthing and UDP hole punching, email spam, valid drives, speed, AI neural nets, GDI, DJI, sorry, DJI geofencing, advertising in the new Outlook. And then, as I said, we're going to look into the trade-offs required to obtain privacy for our DNS lookups.

04:41
And of course, as always, we've got another Picture of the Week that I think everyone will get a kick out of. Awesome.

04:48 - Leo Laporte (Host)
Yes, stand back. Great show. I haven't looked at it. I could see the caption, but I can't see the picture, and I won't.

04:55 - Steve Gibson (Host)
I'm going to preserve my virginity. We're going to get a candidate, a candidate, a candidate. We can get a candidate response, but first a word.

05:07 - Leo Laporte (Host)
Thank you, Steve. First a word from our sponsor for this segment of Security Now, those really nice folks, and I know that because I've spent some time with them, at US Cloud, the number one Microsoft Unified Support replacement. We've been talking for at least a few months now about US Cloud, the global leader in third-party Microsoft support for enterprises. They now support, by the way, 50, 5-0, of the Fortune 500. Switching to you, and there's a reason for this. Actually, there's three reasons. I'll give you the first one, the one that might be easiest to sell to the boss. Switching to US Cloud can save your business 30% to 50% over Microsoft Unified and Premier Support. So it's much more affordable. But of course, less expensive doesn't mean better, except in this case it does. US Cloud is faster. That's reason number two: twice as fast in the average time to resolution versus Microsoft. Twice as fast. It's also better. So less expensive, faster, better, with very accomplished, high-end engineers with lots of experience, all based in the US. It's the kind of support you wish you had, but it's yours now if you want, and US Cloud is dedicated to helping you save money in other ways. For instance, US Cloud is excited to tell you about a new offering. They just announced their Azure cost optimization services.

06:42
So think about it. When was the last time you took a close look at your Azure usage and really scanned it? It's been a while. It's not an easy thing to do. You can't just look at the line items. You've got to go down the hall and say, Joe, are you still using that VM you spun up six months ago? What happens is you get, I like to call it Azure creep, Azure sprawl, you know, spend creep, because you buy this stuff, you forget to turn it off, you're not sure if Joe's still using it. Good news: saving on Azure is easier than you think with US Cloud.

07:16
US Cloud has an eight-week Azure engagement. It's powered by VBox that will identify key opportunities to reduce costs across your entire Azure environment, and you're going to get expert guidance in this, access to, as I said, US Cloud's senior engineers. They recruit the best, with an average of over 16 years doing Microsoft products break-fix. At the end of those eight weeks of the Azure engagement, your interactive dashboard will actually help identify rebuild and downscale opportunities, unused resources, stuff that's hard to find but can save you a lot of money. You can reallocate your precious IT dollars toward needed resources, like maybe a US Cloud support contract, or just put it in the bag, put it in your pocket. Actually, a lot of US Cloud's customers do exactly that. They take the savings that they got from this Azure engagement, they put it in their US Cloud Microsoft support. You could completely eliminate your Unified spend. Now, that's a money saver. Sam, the technical operations manager at Bead Gaming, their customers, they give US Cloud five stars. He said, quote, this is the review.

08:24
We found some things in the Azure engagement that have been running for three years. No one was checking. Those VMs were, I don't know, 10 grand a month. Not a massive chunk in the scheme of how much we spent on Azure, but once you get to $40,000 or $50,000 a month, it kind of starts to add up. Stop overpaying for Azure. Identify and eliminate Azure creep. Boost your performance too. All in eight weeks with US Cloud, the best Microsoft Unified Support replacement. Visit uscloud.com. Book a call today. Find out how much your team can save. Figure out what you're wasting on Azure. That's uscloud.com. Book a call today. Get faster, better Microsoft support for a lot less. Thank you, US Cloud, for your support. All right, back we go. All right, I'm ready for the Picture of the Week. Should I scroll up in front of you?

09:19 - Steve Gibson (Host)
And see, as Benito said when he saw this before we began recording, oh my God. We've seen things like this before. I gave this the title: What do you mean you forgot to pack our Australia/New Zealand plug adapter? Oh Lord above.

09:40
Now, what we have here is a very clever, I have to give them credit, this is a very clever use of fingernail clippers. You know those, the kind of old-school chrome-plated fingernail clippers where you can swing out that little nail file part from the top. I mean, I'm sure everybody has seen those. It's sort of like, you know, the one design of the can opener which is, you know, immortal. Well, this is like that generic chrome-plated fingernail clipper where you can slide out the little filing portion. Well, somebody apparently did forget their Australia/New Zealand plug adapter. That's the one that's got, you know, they all sort of look like a face. This one's got slanted-eye slots and then the little grounding nose slot, but apparently they brought a regular US-style straight-prong plug. Not deterred, however, they managed to use a pair of fingernail clippers to bridge from the slanty slots in New Zealand or Australia to the US straight-prong plug, and it's difficult to describe this, but you'll have to see the picture. Anyway, it's a mess, and yikes.

11:14
Good Lord, don't do this. And Benito did mention, apparently, these switches, they switch the outlet on and off, and so you certainly would want the option to turn this outlet off while you're setting up this disaster. I mean, it's really on the fringe right there. What I can't tell is whether this is a grounded plug that they're connecting to. If so, the ground prong, you need a paper clip. That'll solve it. That's right. We need one more exposed bare metal item. Yeah, that's right. Wow.

12:00 - Leo Laporte (Host)
Wow is right. Anyway, all right.

12:03 - Steve Gibson (Host)
And I've already got next week's queued up. It's the return of the scissor lift, because it turns out there have been some other creative applications. Oh, and Leo, last week's picture, the scissor lift on the float, was, you know, some people suggested, yeah, maybe this was Photoshopped. I've got pictures of it being set up. Wow. Like where it was actually being, this was being established.

12:25 - Leo Laporte (Host)
Interesting, so it's real.

12:28 - Steve Gibson (Host)
We are going to keep having fun with our photos, everybody, thanks to our listeners. This is entirely listener-generated, so thank you, all of our listeners who are sending email to securitynow@grc.com after registering at grc.com/mail. Okay, I have to start with errata because, Leo, I thank God I have eM Client to help me manage the number of responses that I receive from our listeners, basically saying variations of...

13:00
Steve, you know that one big gripe you had about eM Client, you know, which you recently fell in love with, is not actually a thing. So I wanted to say thank you to one and all. I have no idea how I missed the very clearly marked slider up near the top of eM Client's pricing page, but I certainly did. And now that I've seen it, it's impossible to unsee it. You know, every time I go to the page, that's all I see is the big slider that says, you know, rent this or purchase it. And I am now, needless to say, the proud owner of a lifetime license, with upgrades, updates forever, of eM Client. And I was thinking about this, Leo. I know that you're at least, in this regard, TiVos, as I am. Back in the early days of XM satellite radio, they offered a lifetime license, which I purchased since I loved the concept of commercial-free streaming music just coming down from the heavens. Later...

14:22 - Leo Laporte (Host)
That way you don't get all the emails from them saying, hey, it's time to renew. They're very bad about that.

14:27 - Steve Gibson (Host)
Yeah, of course, then later XM merged with Sirius, right, and somewhere along the way the option to purchase a lifetime subscription, what do you know, it's gone, no longer there. But you're still active? Yes. Wow. I still have mine, and I'm very glad that I made that choice many years ago. You know, and I mentioned you before, back when TiVos were the way to go, I know that you and I both always purchased the lifetime subscriptions for our TiVos. Of course, it was the lifetime of that hardware, not anything else.

15:05 - Leo Laporte (Host)
Yeah, I know.

15:07 - Steve Gibson (Host)
That was annoying, because we all had Series 1 TiVos and they became somewhat endangered at some point. Anyway, since I tend to stick with things until I'm forced to switch, the approach of just putting the money in up front and then writing it out a long way, that's always worked well for me. So anyway, just to follow up on my raves about eM Client last week, I wanted to say I'm even more pleased now with my switch than I was then, and I heard from many of our listeners, you know, who were saying things like, what took you so long? You know, they had discovered eM Client years ago and similarly love it. So, in addition to thanking everyone who wrote to make sure that I knew that it was possible to own it outright, oh, and that it's 100% free to take it out for a spin for 30 days to see whether you might feel the same way about it as I do. Anyway, in my opinion they really got the user experience right. And of course, Leo, you perked up upon hearing that it also fully supports end-to-end encrypted GnuPG email and address books. So that's in there too. So, anyway, my entire reason for mentioning my own discovery of eM Client last week was to make sure that everyone at least had the opportunity to check it out and that if they too were feeling frustrated with their current solution, whatever they might be using, they would know about it. And that was a success.

16:49
Dan Taylor, one of our listeners, said: Hi, Steve, I realize that you receive a ton of email these days and your time is valuable, so I'll attempt to keep this short. I just feel the need to thank you for mentioning eM Client on the podcast. I hope you saw my message about the one-time purchase option they have. It's not at all obvious on the pricing page, but it's there. And for what it's worth, I did have other people say they didn't see it either. So maybe the eM Client people could do a better job of, although they probably would rather you paid for it for the rest of your life every month. You know, I think what you like after four years is the break-even point or something. So it's like, okay, I'm going to be using this well more than that. Anyway, he said...

17:34
Dan Taylor said: I had no previous knowledge of its existence. In a nutshell, it's wonderful. He said, I have only one Gmail account. I also own two domains via Cloudflare, which forwards all email destined for those domains to my Gmail account. He said, I've configured some aliases. One of you've done an outstanding job on SpinRite 6.1. As I type this, my ZimaBoard is churning away on a 256 gigabyte flash drive that's been giving me problems. I've already run a Level 3 on another one, which improved its performance. Thanks again. Need for only a single domain, where he's got the other ones forwarding into it, suggests that he may be able to use eM Client's free single-account offering forever and so never need to go. I've got four domains that I need, minimum, so anyway, just wanted to close the loop on that. Thank you, all of our listeners. With the audience size we have, when I make a mistake like this, I get corrected, and so I'm happy to stand corrected on this because I am so happy that I own this thing.

19:02
Okay, this week's first piece of security news is, as they would say in the UK, gobsmacking. Our friend Brian Krebs over at KrebsOnSecurity shared a wonderfully surprising piece of news last Wednesday under his headline "MasterCard DNS Error Went Unnoticed for Years," and before we go any further into exactly what went unnoticed, I want to first highlight that it wasn't unnoticed for minutes or days or weeks or even months, but literally for years, which is what, like, puts a sharp point on this. Brian wrote: The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years, he writes, until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

20:32
Now, Brian's article then posts the output of a DNS dig command which returns the name servers for a portion of the mastercard.com domain. I have a screenshot of the command's output in the show notes. Even knowing that something is wrong with this picture, you would need to be sharp-eyed to catch the mistake. I missed it the first time I looked at it. I looked at the screen without having read the text yet, because it's big on Brian's page, and I kind of scanned over it. Okay, looked okay. Brian explains. He said: From June 30th of 2020 until January 14th of 2025, thanks to the work of this security researcher, he said, one of the core Internet servers that MasterCard uses to direct traffic to portions of the mastercard.com network was misnamed. Mastercard.com, he says, relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai. All of the Akamai DNS server names that MasterCard uses are supposed to end in akam.net, but one of them was misconfigured to rely on the domain akam.ne. Yes, whoever created this, this is me talking.

22:13
Whoever created, edited or updated the DNS record for that mastercard.com domain on June 30th of 2020, which lists the five authoritative DNS name servers that should be referred to when looking up any IP address for mastercard.com subdomains, made a tiny and earth-shaking mistake. Just a simple typo when they were entering the names of the five name servers, and it's as plain as day once you know what to look for. The first name server is named a1-29.akam.net, the second one is a7-67.akam.net, the fourth one is a26-66, who knows why those are the machine names, but akam.net, and the fifth one is a9-64.akam.net. But the one in the middle of those five, the third one, is a22-65.akam.ne. The final T of net was never entered, and boy, does that make a difference. Brian continues to tell the story, writing...

23:47
This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys, S-E-R-A-L-Y-S. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the pur item of the five, very clearly akam.ne, period. They've dropped that final T. So Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger.

24:50
After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Now, I'm not sure about this. Brian wrote: Apparently MasterCard wasn't the only organization that had fat-fingered a DNS entry to include akam.ne, but they were by far the largest. Now, I don't know, maybe he was seeing other DNS queries to other domains. Not clear to me. If so, that really makes you wonder how common these sorts of mistakes might be. Like, it would be worth... I don't want to give bad guys any ideas, but you know, there might be others.

25:41
Brian said: Had he enabled an email server on his new domain, akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he'd abused his access, he probably could have obtained website encryption certificates, I'm sure he could have, that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies. But the researcher said he didn't attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author, meaning Brian Krebs, on his notifications. A few hours later, okay, quickly, to their credit, MasterCard acknowledged the mistake but said there was never any real threat to the security of its operations.

26:47
Uh-huh, right. A MasterCard spokesperson wrote, quote: We have looked into the matter and there was not a risk to our systems. This typo has now been corrected. Okay, I suppose technically it's true that there was not a risk to their systems, but there was certainly a serious risk to anyone who might be relying upon the security of MasterCard's systems, since that flew out the window with this typo, and that was five years ago. Brian continues, writing...

27:29
Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them, you know, in other words, responsible disclosures and bug bounties, was not aligned with ethical security practices and passed on a request from MasterCard to have the LinkedIn post removed. Caturegli said he does have an account on Bugcrowd, has never submitted anything through the Bugcrowd program, and that he reported the issue directly to MasterCard. Caturegli wrote in reply, quote: I did not disclose this issue through Bugcrowd. Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure. Unquote.

28:49
Now, most organizations have at least two authoritative domain name servers. And that's true, that's what Brian wrote, and that's what I do for GRC, and that's typical.

29:01
That's why most people will see two DNS servers in their own computers. This has always been done to create some redundancy for the sake of DNS lookup reliability, Brian says. But some handle so many DNS requests that they need to spread the load over additional DNS server domains, which is also true. And in fact, DNS deliberately responds, when there is a list of available DNS servers, it will send them in round-robin fashion so that successive requests get a differently ordered list of name servers, in order to further cause them to get spread out. So, you know, if they always listed the first one first, then everyone would just choose that one, and so you wouldn't really get much effect of having five. So in MasterCard's case that number is five. So it stands to reason that if an attacker managed to seize control over just one of those five domains, they would be able to see about one fifth of the overall DNS requests coming in.

30:11
But Caturegli explained that the reality is many Internet users are relying, at least to some degree, and this is what Brian is writing, on public traffic forwarders or DNS resolvers like Cloudflare and Google. Okay, now I would strengthen that statement a lot to say that there is, I would argue, no one who is not relying upon caching resolvers. As we've often discussed on the podcast, caching DNS is critical. It's the only way this hierarchical system of distributed domain name resolution is able to function. When you turn on your computer for the first time in the morning and you go to amazon.com, you're not hitting amazon.com's name server to find out a list of IP addresses. Your ISP has obtained that from any other of its customers who you are sharing the ISP's DNS server with. So it's in the DNS server's cache for, you know, eight hours a day, who knows how long. So caching is crucial for this whole process. Caturegli said, quote: So all we need is for one of those resolvers to query our name server and cache the result. And here's the key: by setting their DNS server records with a long TTL, which is the time to live, a setting that can adjust the lifespan of data packets on the network, actually, it's the lifespan of the DNS record which is cached throughout the DNS hierarchy, an attacker's poisoned instructions for the target domain can be propagated by large cloud providers.

32:12
He said: With a long TTL, we may reroute a lot more than just one fifth of the traffic. Okay, and so that's absolutely true. Typical TTLs, you know, are maybe an hour or two. It's entirely up to the discretion of the person who's setting up an entity's DNS. The longer the TTL that you publish, that is how long you are telling the rest of the DNS caching hierarchy out on the Internet it can wait before it comes back to refresh your IP address. The longer that is, the fewer requests you're going to get, right, because a greater percentage of the requests will be handled by all the caching out on the Internet. So back in the, you know, two decades ago, when GRC was first being a victim of DDoS attacks, I would decrease our TTL so that I could change IPs. Well, that's no longer feasible because it's not about changing IPs. Today's attacks just swamp the bandwidth. So there's no point in doing anything except just waiting. But if an organization's IP addresses are very stable, then it can make sense to set a TTL to 24 hours, for example, and many of them are so. In effect, if you try to set it too low, many caching resolvers will ignore a too-low setting and just set their own minimum, ignoring what you have asked for.

33:54
Anyway, Caturegli said he hoped that MasterCard might thank him or at least offer to cover the cost of buying the domain. He wrote in a follow-up post on LinkedIn regarding MasterCard's public statement, quote: We obviously disagree with this assessment, but we'll let you judge. Here are some of the DNS lookups we recorded before reporting the issue. And then his post, which Brian quoted and has a picture of in Brian's own reporting, shows a sobering list of the queries that were coming into his .ne domain. We can see West Europe, East US, West US, AU Southeast, AU East, Australia East and more, and remember that this DNS record was last changed and had been incorrect for the past four and a half years.

35:03
So let's just say that if this had fallen into the hands of a malicious Russian or Chinese attacker, you know, who have repeatedly demonstrated that they're looking for any advantage they can find over the West, the story we would be reporting today would have a very different ending. You know that mistakes happen and anyone can make an innocent mistake. I'm sure that's all this was. This was just that, you know. At least MasterCard had the good sense and grace not to threaten this researcher, who helped them significantly, in return for nothing other than some recognition for his sharp eyes and the demonstration of his own integrity within his community. But wow. And again, the thing that really caught me out here was the suggestion that this wasn't just mastercard.com queries that were coming in as a result of this typo. That would suggest that there were other places where this Azure stub domain was being referred to, and somebody was referring to, somebody else had it as .ne in their own DNS, not just MasterCard, which again, you really sort of wonder how many typos exist in DNS and how many opportunities there are to get up to some real mischief.

36:50
We've talked often, I mean, when Dan Kaminsky discovered that DNS recursive resolver queries had insufficient randomization in their queries, which allowed for their caches to be poisoned by bad guys guessing what a query would be and inserting a malicious response. That panicked the entire industry so much that in a matter of 24 hours, all DNS resolvers were updated in a pre-planned, staged, secret update. I mean, it was that big a deal. This is that scale. So I hope the news gets out and people check their DNS records, because a typo, as we've seen here, can go unseen for five years and could cause some real damage, again, not to the company but to the people who are relying on the security of its services. Wow. And Leo, we're a little after, we're more than half an hour in. Let's take a break, and then we're going to look at what happens when script kiddies think they're getting away with something.

38:09 - Leo Laporte (Host)
I like low. What did you say? Low-level hackers?

38:13 - Steve Gibson (Host)
Oh, script kiddies. Low-level hackers, that's right.

38:17 - Leo Laporte (Host)
All right, that's coming up, but right now a word from our sponsor. This portion of Security Now brought to you by DeleteMe. Don't do this, but have you ever searched for your name online? You don't. This is not something anybody should do, I mean, the amount of personal information about you. Only do it if you doubt me. You will be shocked at what's online.

38:44
Maintaining privacy is not just an individual's concern. It's a concern for your business. It's a concern for your family. DeleteMe has corporate plans and they have family plans. With the family plan, you can make sure everyone in your family feels safe online. The corporate plan is great. I think it's a must for any company.

39:04
Protect your security by protecting the privacy of your managers. We know this because, well, it happened to us. Spear phishing attacks work only when they know a lot about the manager, their direct reports, their phone numbers and all of that. But that's easy to do if you're a determined attacker, because you just go to those data brokers and you can find anything you want. That's why you need DeleteMe. DeleteMe helps reduce the risk, all kinds of risks, from identity theft to cybersecurity threats, of course, harassment and so forth. We use DeleteMe to protect our management, our CEO, and it worked, Steve. And I know it worked because when we searched the National Public Data breach for our data, our Socials, Steve's and mine were in there. Lisa's wasn't, because DeleteMe had found and removed her information from hundreds of data brokers, including National Public Data. You're going to do it for the family. You can assign a unique sheet to each family member, tailored to them, with easy-to-use controls. Account owners can manage privacy settings for the whole family. But whether it's family, an individual, or a corporate plan, the most important part is, after they do the initial cleaning, they continue to scan and remove your information regularly, because there's new data brokers popping up every day. And let's face it, data brokers are strongly incented to repopulate your information, even if you delete it, because that's where they make their money, is selling information about you, all sorts of information: addresses, photos, emails, your relatives, your direct reports at work, phone numbers, your social media, your property value and a whole lot more.

40:50
Protect yourself, reclaim your privacy, visit joindeleteme.com/twit. If you use our offer code TWIT, you can get 20% off. That's joindeleteme.com/twit, and don't forget offer code TWIT for 20% off. Thank you, DeleteMe, for protecting TWiT, and thank you, dear TWiT listener and viewer, for supporting us by going to that address so they know that you saw it here: joindeleteme.com/twit. Use the promo code TWIT for 20% off. Thank you, DeleteMe. Thank you. All right, Steve.

41:26 - Steve Gibson (Host)
On we go.

41:26 - Leo Laporte (Host)
I've got a pie chart here.

41:29 - Steve Gibson (Host)
Yes, last Friday, the security firm CloudSEK, spelled S-E-K, disclosed the details of their investigation into an interesting attack that I don't think we've seen before. Get a load of what they shared. They wrote: a Trojanized version of the XWorm RAT builder, where R-A-T is the common abbreviation for Remote Access Trojan, has been weaponized and propagated. It is targeted specifically towards script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials, thus showing that there's no honor among thieves. Okay, now, not that anyone ever thought there was any. Rather than going with the no honor among thieves theme, I think I might have chosen: there's no such thing as a free lunch, because these script kiddies think that they've found a hacked version of a commercial XWorm RAT builder tool. I saw one of the postings somewhere that said, you know, this is a cracked version, so you get to use it for free. Uh-huh, right. Anyway, so the article goes.

42:48 - Leo Laporte (Host)
How stupid do you have to be?

42:51 - Steve Gibson (Host)
Well, that's what the hacker sites are full of, is, you know, this or that has been cracked, or here's the key for using it, and so forth. You only do that once, I think.

43:01
Yeah. So the article says the malware is spread primarily through a GitHub repo, but also uses other file sharing services, specifically the well-known Mega.nz, Upload.ee, two Telegram channels and several hacker sites. It has so far compromised, and here it is, 18,459 devices globally. Wow. It is capable of exfiltrating sensitive data like browser credentials, Discord tokens, Telegram data and system information. The malware also features advanced functionality, including virtualization checks, that is, to check to see whether it's running in a virtual machine and is thus being analyzed by researchers. Virtualization checks, registry modifications and a wide range of commands enabling full control over infected systems. Thus Remote Access Trojan, as the name goes, or RAT for short. Top victim countries include Russia, USA, India, Ukraine and Turkey. The malware uses Telegram as its command and control infrastructure, leveraging bot tokens and API calls to issue commands to infected devices and exfiltrate stolen data. Analysis revealed the malware has so far exfiltrated more than one gigabyte of browser credentials from these 18,459 devices globally. Okay, so these wannabe hackers really are being hacked. Browser credential theft, as we know, allows the actual bad guys behind this to impersonate them on any websites where they're logged on. The article continues. Researchers also identified the malware's kill switch feature, which was leveraged to disrupt operations on active devices. Disruption efforts targeted the malware's botnet by exploiting its uninstall command. While effective for active devices, limitations such as offline machines and Telegram's rate limiting posed challenges. Attribution efforts linked the operation to a threat actor who uses the aliases @shinyenigma and @millenniumrat, as well as GitHub accounts and a ProtonMail address. They wrote:

45:56
The rise of sophisticated remote access Trojans has amplified cyber threats, with XWorm emerging as a significant example. Recently, a Trojanized XWorm RAT builder has been identified being propagated by threat actors via multiple channels, such as GitHub repositories, file sharing services and others. This was specifically targeted towards script kiddies who are new to cybersecurity and use tools mentioned in various tutorials. So, for example, YouTube tutorials were saying go here and get this. So this was a serious campaign deliberately looking for these, you know, as we said, low-level hackers. They said our analysis aims to provide detailed insights into the delivery, functionality and impact of this Trojanized XWorm RAT builder by leveraging data exfiltrated via Telegram. These researchers said we uncovered the infection sources, mapped its command and control mechanisms and identified the breadth of its capabilities and the affected devices. Additionally, we conducted disruption activities targeting the botnet infrastructure to mitigate its operations. So they went further than just being a passive observer. They got proactive, which, you know...

47:33
The legal issues there are a little shaky. Apparently you're able to do it, I think the last time we checked in, if you had some state-level agreement to do so. But otherwise, even if you're disinfecting other people's machines, technically you're still affecting other people's machines without their permission. So that's a little sketchy. But the malware that these script kiddies inadvertently installed and hosted on their own machines, believing that they were obtaining a cracked copy of the well-known XWorm RAT builder, is able to obey commands such as the /browsers command, which steals saved passwords, cookies and autofill data from their browsers. /keylogger, which is what its name sounds like, records everything the victim types on their computer. /desktop captures the victim's current screen. /encrypt password encrypts all files on the system using a provided password. Process kill terminates specific running processes, which would typically be security software. And then there's the upload file command, which exfiltrates specific files from the infected system, and 50 other commands in total. So that's, you know, a very complete command set.

49:15
What struck me is that there is such a large, okay, this was like first blush, such a large and thriving ecosystem of low-level hackers who apparently aspire to be running their own botnets: 18,459 specific known instances where this Trojan was downloaded, installed and run. 2,478 of them are located in Russia, but the US is the runner-up with 1,540 installed instances. Now, I suppose when you consider the size of the world and the number of kids who are probably enamored of the idea of being a stealthy internet hacker, it's understandable. And when you consider the viewpoint of the more sophisticated hacker who created this double cross, your targets are easily baited with low-hanging fruit. They think they're getting something for nothing. And, well, boy are they. They're installing, you know, really bad malware onto their own machines, thinking that they're getting a malware builder for free.

50:33 - Leo Laporte (Host)
So anyway, wait, let me get this straight. Script kiddies who wanted to install a remote access Trojan on their systems. Exactly. Okay, by their own swords.

50:52 - Steve Gibson (Host)
They thought, exactly, hoisted by their own petards. They thought that they were going to be getting a RAT, an XWorm-based remote access Trojan system, in order to create their own botnets, and they became a victim of somebody else's effort to infiltrate their system.

51:17
So, whoopsie. Speaking of botnets generating widespread attacks, Leo, we have set a new record. Oh yeah. Last Tuesday, Cloudflare updated the world on the state of internet DDoS attacks by publishing their 20th quarterly report since they began quarterly reporting in 2020. I've got a link on the next page, top of page nine. You may want to just bring that up on the screen while I'm talking about this, because this thing, I'm only going to touch on it. That's why I've got the link, and I mentioned it several times, because there's so many interesting charts and graphs in this thing.

52:00
So today's DDoS attack records, the size of today's DDoS attacks, at this point appear to be broken just for the sake of breaking them. By that I mean that hitting anyone with, get this, 5.6 trillion bits of traffic per second. Per second. 5.6 trillion bits of attack traffic per second. Well, it's massive overkill. I mean, the only exception to this would be if one were stubbornly trying to attack a site that was being protected by a leading DDoS mitigation service, you know, such as Cloudflare, and this is their quarterly report. And in fact, that is what happened. During the week of Halloween, at the end of October 2024, Cloudflare's DDoS defense systems, and this is, to me, this is astonishing, autonomously detected and blocked that 5.6 terabit per second DDoS attack, registering the largest attack ever reported. And so, incredibly, the company paying for Cloudflare's DDoS attack prevention services remained online and blissfully unaware that anything had even happened. That's amazing.

53:56 - Leo Laporte (Host)
It's incredible.

53:58 - Steve Gibson (Host)
So in their report which, as I said, I've linked to in the show notes for anyone who's interested, they note that in 2024, Cloudflare's autonomous DDoS defense systems blocked around, and here's a number that'll sober you up quickly, 21.3 million DDoS attacks. 21.3 million DDoS attacks, representing a 53% increase compared to 2023. So 2024 saw a 53% increase in number of attacks compared to 2023. And it's the botnets, right? I mean, unfortunately, there are lots of botnets and it's not difficult to enlist them to just throw garbage at a given IP and to knock those IPs off the net. They said, on average, in 2024, Cloudflare blocked 4,870 DDoS attacks per hour, nearly 5,000 DDoS attacks per hour. Okay, and that's not all of the internet, right? That's not all the internet. That's only the attacks against Cloudflare, its infrastructure and its customers. That means that worldwide, the DDoS attack rate will be many, many times more, since Cloudflare is only protecting a tiny subset of the entire Internet. Nonetheless, nearly 5,000 attacks per hour, 21.3 million DDoS attacks last year, just for Cloudflare. Last year, just for Cloudflare. Also, they noted, in the fourth quarter, over 420 of those attacks, 420 in the fourth quarter of 2024, were what they're now terming hypervolumetric, exceeding rates of 1 billion packets per second and over 1 terabit per second. So 1 billion packets per second and 1 terabit per second. 420 of those were hypervolumetric, and the number of attacks exceeding one terabit per second, attacks from the same quarter in 2023, compared to the fourth quarter in 2024.

57:21
A 5.6 terabit per second UDP DDoS attack launched by a Mirai variant botnet targeted a Cloudflare Magic Transit customer, an internet service provider from Eastern Asia. The attack lasted only 80 seconds and originated from over 13,000 IoT devices. Detection and mitigation were fully autonomous by Cloudflare's distributed defense systems. It required no human intervention, did not trigger any alerts and did not cause any performance degradation. The systems worked as intended. Then they added about this attack:

58:06
While the total number of unique source IP addresses was around 13,000, the average unique source IP addresses per second was 5,500. We also saw a similar number of unique source ports per second. In the graph below, and I have this below on our next page in the show notes, each line represents one of the 13,000 different source IP addresses and, as portrayed, each contributed less than 8 gigabits per second. On average, the average distribution of each IP address per second was around 1 gigabit per second. And this is just, I have it at the top of page 10 of the show notes, it's just a beautiful chart, so you need to see the show notes to appreciate this.

59:04
But every line is one of the bots, and so there's 13,000 of these little thin lines, and I have to say this also represents astonishingly good control. Astonishingly good control. You know, I don't want to give credit to the bot herders, the bot masters, but to bring up an attack, the earlier chart that you showed from their page, Leo, that showed just basically a big square wave: the attack began with a sharp edge, it almost immediately came to full strength, it lasted for 80 seconds and then it immediately shut off. Oh, so that's only 80 seconds.

59:56 - Leo Laporte (Host)
Yes, so it's a test.

01:00:00 - Steve Gibson (Host)
Well, yes, exactly, and in fact in some other reading that I've done, DDoS attacks are often being aimed at people who are capable of measuring them, because they want to know.

01:00:14 - Leo Laporte (Host)
We just want to show what we can do.

01:00:15 - Steve Gibson (Host)
Yes, and when you think about it, they don't know they're commandeering routers, they're grabbing routers and NAS boxes and random crap, except for Mirai.

01:00:26 - Leo Laporte (Host)
This is all a Mirai bot. That's amazing. Yes, 13,000.

01:00:30 - Steve Gibson (Host)
Mirai, a 13,000-agent Mirai botnet did this, and I mean this melts wires. I mean, it's crazy. It's a lot of data. It is just crazy.

01:00:43 - Leo Laporte (Host)
It's also very impressive and of course that's why Cloudflare writes the blog post that they were able to mitigate this 100%.

01:00:52 - Steve Gibson (Host)
Yes, if you were like a gambling site or, you know, because... It's a big ad for them. It is a big ad for them. I would argue they deserve it. And, of course, they're not the only people who are able to do DDoS attack mitigation. We've named a bunch of them before. I think Akamai has a service, I think Microsoft offers a service. Amazon does. Yes, Amazon does. So, you know, there are alternatives, but wow, just 5.6 terabits, trillion bits per second. Per second. Yeah, wow.

01:01:31
12 days ago, on January 16th, Let's Encrypt posted their formal announcement, which we had a preview of a few weeks before that, which worried me a bit. On the 16th, they posted their formal announcement of their plans for 2025. And a sincere thank you to one of our listeners for pointing me to this. I'm glad to know this and to be able to share this. The opening paragraph of their announcement says: this year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes and, they said in parens, short-lived certificates. We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a lifetime of 90 days, will continue to be available alongside our six-day offering. Subscribers will be able to opt in to short-lived certificates via a certificate profile mechanism being added to our ACME API. Okay, so I am grateful for this welcome clarification.

01:02:53
As our listeners know, I question whether this is actually solving a real problem with the industry's PKI, our public key infrastructure. And it exposes, you know, it does expose its users to some threat of connectivity outage if anything should occur to prevent a timely ACME certificate renewal. But, that said, why not offer it as long as it's not mandatory? This places a huge burden on anyone offering such short-term renewals. It's very much like the analogy I just drew with DNS. DNS depends on caching in order not to load down the DNS name server. If it didn't have it, it would have to be fielding all these requests. Well,

01:03:47
Certificate lifetime is very much like caching the credentials out on the web server, which otherwise has to come back and get updated credentials within, you know, before its cached credential, the lifetime of its certificate, expires. So if you're shortening that, you're shortening the, you know, you're requiring all of the web servers that are opting to do this to come back much more often. But okay, if they want to do it, fine, as long as they don't make everybody do it.

01:04:18
So, you know, again, I just, I don't know what's driving this. You know, the fact that they're willing to put this huge burden on themselves suggests that there must be some problem. You know, maybe there are people who are being kept up at night worrying about the theft of their web server authentication certificates and who place no faith in the ongoing move to client-side Bloom filter-based revocation enforcement, which we talked about last year, toward the end of last year, and which is in place and working and being increasingly relied on. Anyway, the Let's Encrypt statement included a timeline. They said we expect to issue the first short-lived certificates to ourselves in February of this year.

01:05:11
So, you know, in a few days. You know, around April we will enable short-lived certificates for a small set of early adopting subscribers. We hope to make short-lived certificates generally available by the end of 2025. So not tomorrow. Again, this is going to require some scaling up of their infrastructure in order to pull this off. And they finished: once short-lived certificates are an option for you, you'll need to use an ACME client that supports ACME certificate profiles and select the short-lived certificate profile, the name of which will be published at a later date. So this is, you know, very much still nascent and on its way.

01:06:15
I did hear from a listener of ours who received the show notes last night, where I was talking about this, who had a problem just recently with the Let's Encrypt Certbot, because he was having an email connectivity problem. It turned out that they defaulted, they changed the default to elliptic curve certificates from RSA, and it was necessary to explicitly specify that you wanted RSA certificates because he was having connectivity problems with other servers who were not able to support elliptic curve crypto. I don't have a sense of the timeframe for when this happened to him, but I got the sense that it had just happened and he was having an email outage as a consequence of an updated Let's Encrypt certificate having changed its certificate in a way that other email servers were having a problem connecting to. So there's another sort of gotcha for that. I want to share a Spinrite story that I think everybody will find interesting, Leo, but we're at an hour in.

01:07:29 - Leo Laporte (Host)
So, let's tell our listeners why we're still here. Indeed, indeed. On the air, as it were. On the air. How does it manage to stay on the air? It manages thanks to our great sponsors and, of course, our Club TWiT members. Great sponsors like Bitwarden. This episode of Security Now brought to you by the trusted leader in passwords, secrets and passkey management. In today's digital landscape, protecting your organization obviously is job one. Bitwarden has stepped up to the challenge with powerful new features designed to simplify and fortify your password management strategy. For example, recently Bitwarden expanded its Teams plans with robust SCIM, System for Cross-domain Identity Management, user provisioning. What does that mean? Well, it's great. It means MSPs and IT departments can streamline access control with ease by integrating seamlessly with leading IdPs like Azure Active Directory, Okta, OneLogin, JumpCloud and more. Bitwarden delivers enterprise-level security capabilities that work for businesses of all sizes, and it simplifies your job with automatically provisioning and deprovisioning employees. But that's not all. Bitwarden has also redesigned its password manager browser extension. Have you seen the new one? It's beautiful. It's a more intuitive and more efficient way to manage your passwords. The new extension has a modern interface with faster navigation, clearer organization, smoother workflows. It's important, because it's one thing to have a password manager at work. It's another thing to get your employees to use it. Same thing for individuals. This new UI makes it easier for businesses and individuals to manage passwords across platforms.

01:09:17
What sets Bitwarden apart? I can think of a lot of reasons. The reason I use it, uh, is because it's open source. It's open source, but also, again, it's easy to use, and if a password manager is too complicated or too difficult or gets in the way, it just encourages you to do unsafe things with your passwords. It's really not just about security, it's about simplicity, or maybe I should, it would be better to say simplicity is good for security, right? It's very quick to set up Bitwarden. It'll only take a few minutes. If you're moving from another password management solution, imports are supported from almost all of them. So it's very quick, transparent, very easy and, of course, open source is another reason I use Bitwarden. It's so important to me.

01:10:03
The Bitwarden source code can be inspected by anyone. It's GPL licensed. You can see it on GitHub. But they go a step farther. They also have regular paid audits from third-party experts and they publish the results of those audits. So you can always be assured that the program is doing what you expect it to do and no more.

01:10:23
Your business deserves a cost-effective solution for enhanced online security. You deserve Bitwarden. You can see for yourself. Get started with Bitwarden's free trial of a Teams or Enterprise plan for your business. Or if you're an individual, or maybe because you're smart, you're already listening to Security Now, you probably already have a password manager, but I bet you have friends, we all do, and family who's still using that same password over and over again. Let them know. Bitwarden is free forever across all devices, unlimited passwords, as an individual user. Uh, of course they are. They have to be, they're open source. Uh, that includes passkeys. It includes hardware keys like YubiKey. Find out more at bitwarden.com/twit. Send your security-unaware friends and relatives to bitwarden.com/twit. They will be glad you did. And if you're not using a password manager and you're listening to this show...

01:11:18
huh, you use it to go to sleep? What? I don't understand. bitwarden.com/twit. All right, Steve.

01:11:30 - Steve Gibson (Host)
Spinrite story. Well, I haven't mentioned Spinrite for quite a while since I haven't had anything new to share. We all know of the discovery that the fronts of SSDs, where the operating system files live, slow way down after years of use and that a single level 3 Spinrite pass will restore the drive's original performance. I receive ongoing reports of that and I've posted some of them over on Spinrite pages, but it becomes redundant after a while. I'm mentioning Spinrite today because last week we received a report that I did want to share. A Spinrite user wrote to my tech support guy, Greg, about four Western Digital Red Plus eight terabyte hard drives for a ZimaCube; he wanted to check their operation before installing the first two. That is, the first two of his four drives passed Spinrite level three in about 28 hours each with no errors. The third got 80% through but then started showing problems through the SMART screen by 94%, which took 106 hours. There were 216 bad sectors, 379 minor issues, 6,845 command timeouts, with the status screen showing four Bs for bad regions. He said: I'm running the fourth WD eight terabyte drive on a Zima board. Like the first two drives, it's having no trouble at 68% and should finish before the bad third drive, which I guess was still chugging away and struggling. So then he had questions. He said: Would you return this third drive showing the problems? What do command timeouts mean? How do I know how many spare sectors remain for future swapping out? Okay, now the big news here is the picture that he included. He took a picture of that third drive's SMART system monitor page in Spinrite. Now this is what this one drive was showing him about itself, and what we see here is a brand new drive that's in serious trouble.

01:14:12
The whole SMART system, you know, SMART, Self-Monitoring, Analysis and Reporting Technology, has always been a mixed blessing, because it's never been a strong standard. In fact, it's an extremely weak standard. I would argue it's really not much of a standard at all. What's standardized is the way to access the drive's SMART data. What's never been standardized, because there was never any way to force its standardization, is the precise meaning of the various things a drive may choose to report about itself. As a result, large databases have been assembled by volunteers, and they're being maintained on a volunteer basis, to show what this or that specific drive's make and model means with this or that SMART parameter. But, that said, the one thing that is universally understood is that the drive's summary health parameter has the meaning that the more positive it is, the better. You know, up is good, down is bad.

01:15:24
So the screen that we see tells an unambiguous story. It shows us that the drive itself, and this is not Spinrite saying this, and that's what's key here, SMART is Self-Monitoring, Analysis and Reporting Technology, the drive itself is saying that three clearly crucial parameters, the amount of ECC error correction being needed, the rate of bad sector relocations and the number of relocation events, those are those three red bars shown there, are reflecting a drive that is in serious trouble. That is, the drive itself is saying, you know, I am in serious trouble. You know, Spinrite is showing those three SMART parameters in red bars because what it does is it holds the maximum positive health value it has seen since it was started, and any subsequent drop in those values, which again, down is bad, up is good, so any subsequent drop in those values is shown in red because that's never good.

01:16:43
The screenshot also shows us that many other SMART health parameters the drive is reporting have remained pinned at their peak of 100%. Sector seek errors, recalibrate retries, cabling errors, uncorrectable errors, write errors and pending sectors are not worrying the drive at all. They're all sitting at 100 out of 100 or 200 out of 200, but ECC corrected has dropped to negative 50 out of 149, sectors relocated is at 30 out of 200, and relocation events is down to one out of 200. These all reveal that something is very wrong with this drive. So the question is not should I return it, but how quickly can I return it and get it replaced? I mean, this was just, you know, it's a bum drive.

01:17:45
And this brings me to the first of two points I want to make. If a drive is just sitting there doing nothing but spinning happily away, it will be quite fine. Many other SMART monitoring tools have been created and they can be useful, but it's important to really understand that if a drive is not being asked to do any work, if it's just sitting there happily spinning away, then the drive's sunny disposition doesn't have the same meaning as when it's still smiling while doing what a drive is there to do, which is reading and writing data. Human doctors who want to test someone's cardiac function put their patient on a treadmill because it's only when the patient's heart is under some load that its response to that work can be determined. Resting state is also useful, but it doesn't tell the whole story. And here's the second point I wanted to make.

01:18:52
This Spinrite user purchased four drives and only one of the four was brought to its knees just by asking the drive to read and write during a level three Spinrite pass. It's not as if this is some sort of torture for a drive. Spinrite is not abusing a drive in any way. It's just saying, how would you feel about doing some reading and writing? Of those identical drives, all four purchased at the same time, three of them respond by saying sure thing, while one of the four is really very unhappy about being asked to do what it was designed to do.

01:19:37
You know, and I've shared the story before, both from hearsay and also from people who have reported from having been there themselves, that in the early days the famous IBM PC cloning company, Compaq, would overorder the number of drives they needed, then use Spinrite to pre-test those drives before putting them into service. Any drives that didn't make the grade were returned, since those drives technically worked and would have passed the manufacturer's QA testing. I imagine somebody else wound up with Compaq's rejects, but nobody wants that. So it's interesting that, even though today's technology could hardly be more different, and, you know, we're talking about 8 terabyte drives, 8 trillion bytes on a drive, rather than 30 or 40 megabytes back in those early Compaq days, some things have still not changed. And Spinrite has remained useful for performing pre-deployment hard drive testing, and actually I know that that's what a lot of Spinrite users do with it. So just a perfect case in point of that. You know, yeah, you can look at a drive's SMART data when you turned it on and it's been sitting there for a while. That'll tell you a few things, but you need to ask it to do some work and see how it feels about its own ability to do that. And this drive, you know, this needs to be replaced.

01:21:18
Okay, so a listener of ours, Stephen, says: Hi, Steve, another incredible podcast breaking down one-time passwords. But I'd like to drop a spanner in the machine. Sorry. If an attacker is trying to brute force a one-time password, they already have the user's creds, which means the code space is reduced to one million, the weakest link in the chain. Okay, now what he means is that there is one in a million possible correct answers if you're trying to log in. We know that's true. Six digits. He says: In theory, a bad actor could easily spin up a few hundred cloud instances and distribute the two-factor authentication attempts across them. Multiple simultaneous attempts within the 30-second time window. It doesn't have to get the one-time password the first time but, given enough resources, would likely succeed. Obviously, the server could throttle login attempts per account, but no server admin is perfect. Just a thought. Best regards, Stephen.

01:22:38
Okay, so a number of our listeners shared variations on this theme, so I wanted to take a moment to mention that last week's challenge was not so much about defeating multi-factor authentication once in order to log in as a user, but rather to examine the theoretical requirements for cracking an authenticator's secret key. That was what we were trying to do. After writing and sharing that last week, I've been thinking about it since, and I realized that there's a somewhat clearer and simpler, cleaner way to think about the entire thing. Since it's a different construction of the same solution, I want to share it. It won't take long. I think it's sort of a distillation of what we talked about.

01:23:29
Okay, so first, we once again assume that we have some set of sample outputs from an authenticator where each output is a six-digit code and the time of that code, that code's timestamp. So for any given 80-bit candidate key, there will be a one in a million chance that the candidate key will produce the same code as the authenticator for the same timestamp. The key we seek is the one that produces the proper authenticator code for every timestamp. So we get a new candidate key and we start testing it against each of the authenticator output samples we have. The right key will match all of them, and since there's always a one in a million chance for any match, that means that non-matching is always a near certainty. Except for one in a million times, we're not going to get a match.

01:24:45
So as we test a new candidate key against our set of samples, each successful match allows us to be one million times more certain that we have found the one proper key that will match every sample we can test, since 80 bits allows for, and here it comes, 1.2 million million million million keys. This makes very clear why we need at least four sample matches and why a few more would be good, just to make sure. Anyway, that seems like a distillation of my longer exposition of this last week. Every sample that you can test against makes you a million times more sure that you've got the right key. Since there's only one in a million chance that the wrong key will work, and since there's four millions times 1.2, if you're able to test four different samples, you're a million times more sure four times. So you're getting pretty sure at that point, but a few more would be good. Anyway, I wanted to acknowledge Stephen's other point, which was that the authentication service, on the receiving end of many failed guesses, would be expected to limit and throttle the number of those a user would be allowed to make. It would seem a bit far-fetched for that not to be done if we hadn't recently covered Microsoft's own multi-factor authentication systems having made exactly that mistake. So some great points from our listener, as always. Joe Havlat, on the subject of Syncthing and UDP hole punching, said Hi, Steve, thank you for all the time and effort you and Leo put into the Security Now podcast. I look forward to listening to it every week.

01:26:57
I end up using a lot of software and services you mentioned on the show, and Syncthing is one of them. In the past I've used Tailscale to access my internal devices remotely, including devices I used Syncthing on. I recently decided to try something other than Tailscale and after I removed it from my devices, to my surprise, Syncthing continued to work. Right. After looking at the settings and doing a bit of reading, it appears that Syncthing was making QUIC connections, leveraging STUN for a direct connection. I believe this is similar to how Tailscale gets around NATs. Anyway, as my eyes were glazing over while reading about STUN, I thought this might make a good topic for one of your propeller hat discussions. If you could find the time to discuss this in one of your future episodes, it would be greatly appreciated. If not, no big deal, you always seem to come up with something that piques my interest. Thanks again, Joe.

01:28:03
Okay, so I was certain that we once had a podcast titled STUN and TURN, but I was unable to locate it. I did locate a reference to that phrase in podcast number 443, which was titled Sisyphus, where I said, quote, and they use, in order to do NAT traversal, we've talked about NAT traversal in the past, there's the so-called STUN and TURN protocols, unquote. But given my inability to locate a podcast with that title, perhaps I've only ever referred to it in passing. So, Joe, if that's the case, I agree it would make a terrific and still very relevant deep dive topic, because NAT traversal is something as important today as it ever was. So thank you for that. Joe Harris said Hi, Steve.

01:29:04
After hearing you talk about switching to eM Client for email, I decided to check it out. Currently, I'm using the built-in mail apps on macOS and iOS to manage my personal Gmail and Yahoo accounts. While they work fine for my needs, I'm curious about what other email clients have to offer. That leads me to a question and, Leo, this would be one I'd like to hear you weigh in on. He asks, do you have any recommendations for email providers?

01:29:35
Over the years, I've noticed that my Yahoo account in particular has been receiving more and more spam. I suspect this might be due to how long I've had the address and how many services I've linked to. Thanks for any insights you can share. Best regards, Jason.

01:29:54
Okay, so I first want to say that many, many years ago, and I know that you and I talked about this at the time, Leo, I spent some time looking at the spam problem. A very techie coder buddy of mine, Mark Thompson, and I developed a Bayesian filter for spam that was pretty much state of the art at the time. Now this was back in the famous John Dvorak "I get no spam" days where, as I recall, John was stating that his ISP was so good that he got no spam. Meanwhile, I was being buried under an avalanche of spam, since my email address at the time was just steve at grc.com. Yikes.

01:30:50
I will never forget the time I enabled real-time logging for GRC's email server and watched foreign SMTP servers connecting to GRC and just running down an alphabetic list of account names using people's proper first names, I mean starting with A, running through, you know, like Abigail and Annette and so forth. I realized that it wasn't only that my email address had leaked, though I'm also sure by then that it had. It was that my email account name was just likely to be valid because it was just my name. So it was clear that I needed something uncommon. The other thing I wondered was how long it would take for an uncommon email address to escape into a spammer's hands, or the internet's spammers' hands widely, and this is where Jason's thought of, quote, I suspect this might be due to how long I've had the address and how many services I've linked to, comes in.

01:32:08
What I started doing at least 15 years ago is deliberately changing my email address annually. I'll keep forwarding all previous years' email account names into my current email so that I don't miss those, but anything I generate will be from the current year, so an awareness of my current email tends to migrate forward sort of organically. And if at some point some annoying spammer does start using an older email account and if I'm unable to unsubscribe from that, I'll just delete that old account's forwarding into my current account. And here's the surprising breakthrough that this allowed me to discover. I don't understand why. To this day I don't, but it appears to take spammers many years to obtain and/or to begin using an email address.

01:33:18
I often remember John Dvorak's "I get no spam" proclamation with a smile, since now that's also true for me. GRC runs with zero spam filtering, none, and spam is not any problem for Sue or Greg or me, because all of our email addresses are rotated annually. I truly do not understand why this is so, that is, that it works as well as it does, but it does, and it's also been confirmed by others with whom I've shared this simple discovery. So if you're able to periodically change your email account, I believe you'll be quite surprised to see how long it takes for that new account to be discovered and despoiled by the world's email abusers. A few years from now, let me know. And Leo, any thoughts about email services?

01:34:18 - Leo Laporte (Host)
Most people can't do that because, you know, that would mean that they wouldn't get email. Basically, I mean, you don't care, I guess, but we rely on email for so many things and it's not convenient to say to everybody who sends us email, oh, we change our address every year, so people keep the same email. They're going to do that. And honestly, this guy, is it possible? I don't think there's any service that provides effective email filtering.

01:34:50
Dvorak's "I get no spam" goes back many years to this company, and if you look at their website you can see how many years old this is. I think they're still around. JunkEmailFilter.com. So it was on top of his email provider. I think spam is, for most of us, just a fact of life and there are all sorts of ways. I mean, what I do is I have an email box that checks against my contact list and that box is the first one I look at, but inevitably I have to go through the spam folder every few weeks to make sure I haven't missed anything. I think spam is, I don't know if there's any real way to avoid spam except do what you do, which is impractical for 90% of our clients.

01:35:35 - Steve Gibson (Host)
No, all my previous years still come to me, Leo, that's what I said. I'm forwarding all of those previous emails.

01:35:41 - Leo Laporte (Host)
Don't you get spam on that email?

01:35:42 - Steve Gibson (Host)
No that's what's bizarre.

01:35:45 - Leo Laporte (Host)
On the older email.

01:35:47 - Steve Gibson (Host)
I don't understand why. So people still write to me on old addresses; it comes through with no trouble at all. Anything I generate goes out on today's email.

01:35:55 - Leo Laporte (Host)
So anyway, I invite our listeners to give it a try. There's a puzzle there. That's an interesting idea. So you still get all the old email, but no spam comes on your address from 2008.

01:36:09 - Steve Gibson (Host)
Nope.

01:36:10 - Leo Laporte (Host)
I think you're just lucky. I don't know how you do that, just reporting what works for me. Yeah, that's interesting.

01:36:17 - Steve Gibson (Host)
And has worked for others. That's interesting. Yeah, a customer of ours, Jeff Parrish, I'm a customer, I don't mean a customer, a listener and also a user of GRC's freeware. All right of them so far. I will be checking all 10.

01:36:51
Now he attached to his email a screenshot from ValiDrive's display for two of the 10-pack of the 16-gigabyte PNY thumb drives he purchased. He pointed out that whereas he believed he was only purchasing 16-gigabyte drives, what he received were 32-gigabyte drives that fully passed ValiDrive's scrutiny. So that was cool, I mean. You know, he got twice the drive for the price and really it makes sense because sub-terabyte thumb drives have become commodity items. So there's actually no cost difference to the supplier between 16 gig and 32 gig media. You know, who would ever imagine the day that that would be true? And frankly, this is one of the reasons why Apple's device pricing always rubs me the wrong way. They are charging so much more for double or four times the memory, you know, as if there was any marginal cost difference for them, or nearly that. It just isn't.

01:37:51
But you know that's the game they're playing. Okay, but aside from that, what really stopped me in my tracks about Jeff's thumb drives was the total time spent reading and writing. ValiDrive performs a pseudo-random spot test by reading and writing 1,152 4K-byte regions, uniformly spread across the drive's self-declared size. That is, the size the drive declares itself to be, which, if it's faking its size, we see whether it's telling the truth or not and find that we're unable to read and write spots that it says should be valid, and thus ValiDrive's purpose. So ValiDrive reads and writes, rereads and rewrites and finally reads again each location, gathering statistics while it's doing this. During this process, a grand total of 3.6 seconds, that is on Jeff's drive, 3.6 seconds total was spent reading, whereas 1,307.8 seconds was spent writing. Okay, 3.6 seconds spent reading, 21.8 minutes spent writing.

01:39:32
Now, we know that NAND flash memory is fast to read and slower to write, but this is 362 times slower to write. I believe we're going to find that the better way to express this is that the bulk of this time was spent waiting to begin writing. We know that writing to NAND flash memory requires pushing electrons through an insulating barrier so that those electrons are then stranded as an electrostatic charge on an insulated floating gate. In order to read bits, it's easy to sense that charge. That's what field effect transistors do. They are affected by the field, but changing that charge requires generating a sufficiently high voltage to create an electrostatic potential that will strongly attract or repel those electrons to break down that floating gate's insulation. That high voltage charge must be dumped before the data can be read, but it takes no time to dump the charge. But then, when immediately switching back to writing, that charge must first be built up again from scratch, and that's where all the time goes, waiting to be able to start writing after reading. So this inexpensive thumb drive is very, very slow to switch from reading to writing. It's crazy that this first release of ValiDrive took nearly 22 minutes to validate that 32 gig thumb drive, which explains why I cannot wait to get back to work on ValiDrive to create version two. In order to create Beyond Recall, which will be GRC's super secure mass storage drive wiping tool, I'm going to need to develop a bunch of technology I don't have yet. So my plan is for the second release of ValiDrive to be the development testbed for that new technology.

01:41:51
ValiDrive 2 is going to take a different approach to solving this problem. It's going to read and store the data from all of those 1,152 4K locations, then switch into writing mode and write them all with signature data. Then it will switch back to reread and verify them all. Then it will switch to writing to replace all of the drive's original data, then perform one final read confirmation of the replaced data. So that will mean two switchings from reading to writing for ValiDrive 2, whereas ValiDrive 1 is doing that 2,304 times. 2,304 times it's switching. So I suspect ValiDrive 2 is going to be much faster, more sure of its conclusions, since it will lay down signature data across the entire drive at once, and much more pleasant to use as a result. It's the thing I plan to start working on as soon as the DNS Benchmark is finished and ready. Take a break.

01:43:15
Yeah, let's take a break. We've got a bunch more really great feedback from our listeners.

01:43:19 - Leo Laporte (Host)
I really want you to figure out why you're not getting spam. This just bothers me because, if I mean, I thought the whole purpose of your changing your email was to cast aside the previous year's email address.

01:43:34 - Steve Gibson (Host)
Never comes in, the spam never catches up.

01:43:36 - Leo Laporte (Host)
So why do you create a new email address every year?

01:43:38 - Steve Gibson (Host)
Because I want to stay ahead of the pack.

01:43:42 - Leo Laporte (Host)
I mean, I understand if you do that and then say, well, if you don't know this year's email address, you can't email me, but if you're accepting email to all the previous email addresses, I don't get it. I don't understand, A, why it would prevent spam and B, why even bother. I mean, unless you believe that it prevents spam somehow.

01:44:05 - Steve Gibson (Host)
I don't get any. I'm really trying to figure out, so I think I probably have maybe about the last 10 years and, as I said, if I start getting spam, on some prior year and I think maybe like three or four years ago, someone started spamming me and I was unable to unsubscribe. Then I just killed that one year's forwarding.

01:44:32 - Leo Laporte (Host)
So you kill addresses if you start getting spammed? If they start getting abused.

01:44:37 - Steve Gibson (Host)
But right now, about eight of the past 10 years, just they've never been discovered.

01:44:47 - Leo Laporte (Host)
Probably I'm going to guess it's because you very rarely use email for anything. In other words, you're not exposing your email to people, particularly Most of the rest of the world.

01:44:59 - Steve Gibson (Host)
We use our email address all the time. I'm not in a position where my email address is being scraped and I do, it's like, when you buy something, do you give them an email address? Yeah.

01:45:12 - Leo Laporte (Host)
Yeah, do you give them a special email address or your regular email address?

01:45:16 - Steve Gibson (Host)
Often my regular email address. Well, I don't get it then.

01:45:20 - Leo Laporte (Host)
We'll have to figure out what is Steve doing and how can we duplicate that.

01:45:24 - Steve Gibson (Host)
Well, as I said to my listeners, give it a try. See what happens. You may be surprised. Set up a new email account, forward the old one into your new one so you don't lose anybody, and then see how long it takes.

01:45:40 - Leo Laporte (Host)
I do create new email addresses all the time, but it is very quick for them to start getting spam. But then that's probably because I use them in a variety of places that may be exposed. I don't know. It's an interesting question. If you can just bottle that, Steve, I think you have a future. You could be the new Dvorak.

01:46:01 - Steve Gibson (Host)
I just wanted to share that.

01:46:03 - Leo Laporte (Host)
No one in my company gets any spam. Yeah, so yeah, and we don't have any filtering. It's fascinating. Our show today brought to you by Zscaler. Now, actually, this is kind of, you're doing kind of a similar idea, at least in my mind, because I think of zero trust as not blacklisting, but whitelisting, right? Only allowing people to do stuff that's explicitly permitted, that's the idea of zero trust. I don't know, maybe there's something about what you're doing that's kind of like that. Zscaler is the leader in cloud security.

01:46:40
Enterprises have, over the years, spent billions of dollars on firewalls, perimeter defenses, in effect, right, and VPNs, because if you've got a big wall built up, you got to have somehow to let people in. Right. Doesn't help. Breaches continue to rise. There's been an 18% year-over-year increase in ransomware attacks. Last year 75 million dollars, a record number, paid out to ransomware. Yeah, that is just, it's.

01:47:11
These traditional security tools are not working. They expand your attack surface because you've got public-facing IPs that are exploited by bad actors more easily than ever with AI tools. And, of course, your VPN struggles to inspect, or your firewall, outbound traffic if it's encrypted, right, which means you're letting people in, then they can browse around inside, because, what, firewalls don't prevent lateral movement. That VPN connects the user to the entire network and just assumes, yeah, you're in, so you must be safe. And so what the bad guy does? They get in, they go around, they exfiltrate stuff via encrypted traffic. You're powerless to stop it. It is not a good scenario.

01:47:59
Hackers exploit traditional security infrastructure using AI to outpace your defenses. That's the latest flavor here. It's time to rethink your security. Don't let these bad actors win. They're innovating and exploiting your defenses faster than you can.

01:48:14
You need Zscaler Zero Trust and AI. It's two together. It's Zero Trust plus AI. It stops attackers by hiding your attack surface, making apps and IPs invisible. You can't attack what you can't see, right? It also eliminates lateral movement because users are only connected to specific apps, apps they're explicitly given permission to, not the entire network. And, of course, you're continuously verifying every request for every resource based on identity, on context. It really locks everything down very effectively. You'll be simplifying security management with AI-powered automation. You'll be detecting threats. Zscaler analyzes half a trillion daily transactions, looking for the needles in the haystack, right, the real threats, as opposed to just the background noise, and it uses AI to do that very effectively. Hackers cannot attack what they cannot see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com. zscaler.com, oh, add this, slash security. Very important, so they know you saw it here. zscaler.com/security. We thank them so much for supporting the important work Steve is doing here at Security Now.

01:49:36
zscaler.com/security. All right, Mr. I-Get-No-Spam, on we go.

01:49:47 - Steve Gibson (Host)
Okay. So, as we know, I've only studied AI briefly and enough to satisfy my desire to have some sense for what the heck is going on. So I claim no deep expertise in AI, but I have spent a great deal of time, more than our listeners know, you have some idea of it, Leo, quietly studying human brain function, and I've developed a deep appreciation for its complexity. Over the weekend, a question was posed in GRC's Security Now newsgroup which I thought was very much worth asking and very much worth answering. The poster wrote: Just wondering, if AI developments rely heavily on neural networks and as they start to approach the human brain in capability, can they also suffer from some of the same weaknesses of the human brain? With experience, could they start to get distracting thoughts and produce more confused output, a case where adding training data might actually lead to deterioration in performance? Okay, so, first of all, yes, I think we already see some of that behavior, which those working in the field take very seriously. But I wanted to take a moment to address some of the implications of the questioner's phrase, if AI developments rely heavily on neural networks and as they start to approach the human brain in capability, dot, dot, dot.

01:51:31
One thing our discussion of AI and neural networks never touched upon is the fact that today's current generation of AI uses structures that we call neural networks, while at the same time, we all learned in elementary school that our own human brains are filled with richly interconnected neural cells that create networks of neurons. When listening to this podcast, imagined that there's anything more than a very loose notion of a network of interconnected somethings that AI and our brains might have in common, but I wanted to take this opportunity created by the question to make absolutely certain that even those listeners here who may have not been following all of this very closely appreciate, without any shadow of a doubt, that the only thing an AI's so-called neural network has in common with a biological brain's neural network is the name. The truth is that calling the addition and multiplication operations that are organized into networks of propagating values neural networks, where the use of the term neural is in any way intended to suggest that any of this bears any resemblance whatsoever to the operation of biological brains, is just a joke, a total joke, really. It should almost be an embarrassment to the AI community for anything they're doing to be called neural in any way, you know. But it's certainly true that calling them, you know, "neural" in quotes, networks were laboratory curiosities. It didn't matter what they were called because they were busy learning how to win at tic-tac-toe and to play the game of Nim. But things have changed radically since that time. Neural networks have obviously moved from the lab into daily mainstream life. So it's, to me, and I've talked to my friends and neighbors, it's a little worrisome that the neural network moniker has stuck around, because it can be so misleading and that's beginning to matter as this becomes a commonly used term.

01:54:30
Everyone in the AI field is very clear that there is nothing whatsoever neural, in the sense of a biological neuron, about performing massive numbers of factor-scaling multiplications, summating additions and thresholding. But it's easy to see how the general public could begin to get somewhat creeped out by the idea that our brains are being emulated in some way. They're not. We do not even begin to have the capability or capacity to emulate the tiniest fraction of the complexity of a biological brain. In fact, we don't even have an accurate emulation of a single solitary biological neuron, not even one. No two are the same, and every neuron's precise operation is unique, involving and including a hair-raising number of intrinsic and extrinsic factors.

01:55:33
I say that the only behavior shared between these artificial and biological networks is the surprisingly emergent property of their ability to self-organize. They both have that, and that behavior over on the artificial side was discovered and applied more than 50 years ago. That's not new. Since then, the work has been about scaling and research to discover the best pre-organization to apply to these untrained artificial networks. But anyway, you know, just, I'm sure everyone's clear about this, but I just kind of wanted to dot the i here. You know, there's a collision of naming, where both artificial networks and biological networks employ the term neural. But that's it, that's it. There could not be anything further from the truth than that anything about an artificial neural network relates to our biological brains. All they share is a name and nothing else. So I thought it was a neat question, because the idea being, oh, if our artificial neural networks start approaching our complexity, what's going to happen? Well, nobody knows how to make anything like a biological brain, and what we have today, which is surprising people, is incredibly simple by comparison. And the fact that they both use the word neural is just kind of a coincidence of history rather than anything else. Back 50 years ago it was a joke to call them neural networks. It's like, well, okay, let's call them that. Doesn't mean anything, doesn't mean they're like human neurons at all, biological neurons.

01:57:32
Lyle Halit said I've been a listener of 1009 Security Now podcasts. Lyle Halet said I am an FAA certified Part 107 commercial remote pilot, a drone operator, as well as a certified private and instrument rated pilot. OK, so he flies both drones and planes. He says I utilize two DJI drones and a home built drone to do commercial 3D mapping, photography and videography for the construction, real estate and other businesses, I imagine maybe wedding photography. He says drones that are considered enterprise or commercial, as well as lower-priced drones that are considered consumer or recreational, can and are routinely used for these business purposes. I just, I love our listeners. This is so great. Here's somebody who's right in the middle of all this. Thank you, Lyle. He continues.

01:58:45
I wanted to clarify that, to my knowledge, no other drone manufacturers have ever limited where a drone can fly. Any other drone could fly over any of those restricted areas you mentioned, subject only to the will of the operator. The DJI restricted zones were never well aligned with where someone could legally fly a drone in the United States. In many cases their restrictions apply to areas where it's perfectly legal and safe to fly and he says, and I believe, in some cases they even permitted flying in areas where it is not legal to fly for pilots like me, since I can get FAA LAANC authorization to fly almost instantly, only to find when going to the site of a job that there was some DJI geo zone that needed to be unlocked. If internet access was not available, I would be unable to fly. In addition, I had instances where the geo zone kicked in after taking off, limiting my control of the drone.

02:00:14
He said, GPS isn't perfect and can sometimes be widely inaccurate.

02:00:15
Combine that with a function that takes control of or limits manual control of the drone, that creates a hazard. Moreover, he said, my biggest concern with the old DJI GeoZones is that many, particularly recreational flyers, believe that if they're okay according to DJI geo zones, then they're safe and legal to fly, when oftentimes they're not. In many of these areas they would need to get FAA LAANC approval to be legal and safe to fly and they simply don't know. Now, since DJI has aligned their warning zones with the FAA areas that need approval, at least pilots will be properly warned to make sure they're legal and safe to fly. I think that, on balance, the new system is better for everyone, particularly since no other drone manufacturer, to my knowledge, has ever been doing anything like this.

02:01:19
I'm an avid proponent of safe drone flying and probably somewhat obnoxious to people recreationally flying drones when I try to educate them on what they should and should not be doing. I don't know if you have a drone, but I do know that Leo has one, so, as part of my drone safety soapbox, I hope he, or you, if you have a drone, have taken the FAA TRUST test and are legal. Sincerely, Lyle, from Tennessee.

02:01:50 - Leo Laporte (Host)
So, Lyle, thank you so much.

02:01:54 - Steve Gibson (Host)
It is so valuable to receive feedback from someone who has a broader were aligning with the rest of the industry and hopefully making drone operators more responsible by aligning their warning zones with the FAA's guidelines.

02:02:23 - Leo Laporte (Host)
So you know. Thank you for bringing us a reality check. I had no idea. Yeah, huh, yeah, I was just ignorant.

02:02:30 - Steve Gibson (Host)
Most people, you know, unless we know from somebody who's got experience and doesn't have their own, you know, cross to bear. I hope it doesn't needlessly harm DJI, as we know they're the best drones and we would like to still have access to them.

02:02:45
Tim Clevelinger said Hi, Steve, I heard you talking about the sponsors page on TWIT's website. Club members can also find the links to the current show's advertisers in the episode's description in their podcatcher. Thank you for the show. It helped me to not only ace the interview when I moved from IT into cybersecurity a few years ago. It also helped me pass my CISSP certification exam last April. Tim. So, Tim, thank you, and I wanted to share that news with anybody else who is looking for where to find the sponsors we talked about this last week. It's on the twit.tv website in the upper right of the menu. Yes. And finally, George Adamopoulos said Dear Steve, I'm a Security Now subscriber for several years. Thank you for all the hard work.

02:03:37
I have a remark about the forced Outlook update that you talked about in Security Now number 1009. So that was last week. As Leo mentioned, Windows already had an email client, Windows Mail. What you did not mention is that this is being deprecated in favor of this new Outlook. In fact, when I tried to open Mail just now, I got a warning that, quote, support for Windows Mail, Calendar and People will end on December 31st 2024, unquote. He said, yes, that's in the past. He said next to it is a button to, quote, try the new Outlook, unquote. He said even if I press nothing, a few seconds later, the new Outlook opens automatically. To add insult to injury, the new Outlook displays ads. Anyway, thank you once again for the excellent work that you do.

02:04:41
Kind regards, George Adamopoulos. Well, there's not much more I can add to that other than to say thank goodness for eM Client. I have no idea whether eM Client would work for the enterprise, but it looks like it checks a lot of the boxes. You know they bill it, as, all you know, compatibility, tool support and so forth that we talked about last week: Google Workspace, Outlook 365, Office, Exchange and all that. So, anyway, that would, you know. I appreciate that, and I, you know, Leo, this is what Microsoft's doing now. Right, I mean we've talked about Edge and the enshittification of all of this, and so here's new Outlook.

02:05:23 - Leo Laporte (Host)
It's not the first time, even. Remember Outlook Express? Yeah, and they changed it and turned it into Live Mail. Right, and then I think there have been a couple others since then. They just kind of do this on a regular basis. I guess it makes sense. You have a lot of technical debt built up in a mail client. Maybe sometimes it's good to start over.

02:05:45 - Steve Gibson (Host)
Yeah, yeah, okay, our final break, and then we're going to talk about the expense of encrypting our DNS. From my own personal experience about a week or two, oh, I can't wait.

02:05:58 - Leo Laporte (Host)
Well, there's not much to say on this break, except we thank our club members for making this show possible and we encourage you, if you're not a club member, to think about joining the club. We keep it affordable seven bucks a month, that's so that everybody can participate. We don't do a paywall. Really, this show is available for free, ad-supported, to everybody. But we do need some additional support. Advertising no longer covers the entire cost. We've cut back as much as we can. We shut down the studio, we canceled shows, we even had to lay off some people, but I don't want to do that anymore and with your help we won't have to. In fact, with your help, we could even grow and do more shows.

02:06:39
If you appreciate what you hear here, I invite you to join the club. It's $7 a month. There are some benefits. You get access to Club Twit's Discord, where there's a great community talking about all kinds of stuff 24-7. You get access to special shows we put out just for the club: our coffee show, Chris Mark's photo shows coming up. Uh, Micah's got a crafting corner, um, things like that. We, you know, just to make it fun. We do fun things, um. And then, of course, you get ad-free versions of all the shows with special RSS feeds, just for you as a club member. All of that at twit.tv/clubtwit. I just like to invite you, if you're not already a member, to consider joining to support the work Steve's doing here, and everybody else. Uh, it is not inexpensive, um, but your help really does make it possible. twit.tv/clubtwit. That's all. Just wanted to say that, and now back to Steve.

02:07:38 - Steve Gibson (Host)
Okay, so DNS over TLS. I wanted to share my experiences thus far with the implementation of GRC's DNS benchmark which, as we all know, I'm in the process of updating to support IPv6 and the various encrypted DNS protocols that are increasingly being used to protect the privacy of users' web accesses, and I think everybody's going to find this interesting and a little surprising. What I discovered was initially surprising to me until I sat back and thought about it a bit and I believe, at least for intellectual curiosity's sake, it'll be of use to our listeners. As I've mentioned before, GRC's original DNS benchmark, which I first wrote 16 years ago, provided a complete solution at the time for determining the performance of the DNS servers that everyone could choose to use.

02:08:40
But, as we know, times change. That first release was strictly IPv4, and there was no notion of encrypting DNS for privacy. All of that has changed during the intervening 16 years. IPv6 is slowly but steadily coming online with all recent operating systems, most ISPs now, and the intervening equipment, such as consumer routers, now supporting IPv6. So it's on the desktop. During the past 16 years, we've also witnessed a massive transformation in the monetization of the Internet's users: who we are, who and what interests us and where we go is all up for sale, additional revenue for everyone at every stage of the pipeline, from the websites we visit and the advertisers to our ISPs who connect us to the internet. Since many who use the internet would prefer to do so with as much privacy as possible, the ability to encrypt DNS queries, which otherwise advertise our every whim and desire, is of growing interest. In response to this growing interest, all of the major public DNS providers, such as Google, Quad9, Cloudflare and many others, already offer fully encrypted DNS services, our routers and web browsers offer support, and it's already built into Windows 11, so it's easy to have. To the best of my knowledge, no one has ever answered the question of how much DNS query performance is sacrificed to obtain the privacy offered by encryption. How do DNS encrypted lookups using encrypted TLS or HTTPS connections compare to traditional in-the-clear DNS over UDP? And even if this were of no concern, I could hardly offer an updated DNS benchmark today that didn't also benchmark IPv6, DoT and DoH in addition to traditional IPv4.

02:11:08
As I mentioned before when Leo and I were talking about the work I've been doing recently, the first major change was restructuring the entire DNS benchmark to use any protocols other than IPv4. Since IPv4 addresses are all 32 bits long, and since the DNS benchmark was written for the Windows Win32 API 16 years ago, I took advantage of the ability to hold any DNS name server's IP in a native machine 32-bit register. The switch to IPv6's 128-bit addresses, not to mention DoT and DoH name servers, which are addressed by URLs, just like web pages, meant that needed to change: 32 bits no more. Today's DNS benchmark is now, as a consequence of the updating work I've done so far, completely protocol agnostic. Any protocol can be added to its underlying structure, which has largely been rewritten, so it's now ready to handle today's newer DNS protocols and whatever else the future might hold. Going forward, after the benchmark's fundamental redesign, the first thing I did was to add support for IPv6 name servers, since that was just a matter of adding more name server address bits, making room for longer IP addresses in the user interface and teaching the benchmark about the funky zeros compression that's used to shorten the many IPv6 addresses that contain one or more words of all zeros.

02:12:53
Then it was on to TLS and things suddenly became quite a bit more interesting. Windows has an API known as Secure Channel, or SChannel for short. Using the API takes some getting used to, since it was designed to provide an interface, sort of a generic interface, to a large collection of very different underlying secure protocols, of which TLS, Transport Layer Security, is only one. So this requires the user to do weird things, like repeatedly call into the API until we're told that its needs have been satisfied, whatever they may be. It's all deliberately opaque, so as a coder, you just have to sort of shrug and say, okay, follow the weird rules and hope for the best. However, no one explained the API to me like that. In fact, the entire thing is woefully under-documented, so I spent some time staring at what few examples I could find online, wondering whether what I was seeing could possibly be correct, since, as I said, it's really quite weird. I've been documenting my journey through all of this in GRC's public newsgroups, and I'm currently at the fifth generation of this TLS support system. The code that I finally have is actually quite lovely and I'm proud of it. It's far more clear and clean than anything I've found online, and someday after I've pulled the plug on GRC and I release all of the source code of my work, which is my eventual plan, I'll be glad to have contributed to cleaning up the mess that Microsoft created with this weird SChannel API, and I will make a point of inviting the world's AIs over to dig around in that source code so that they might be able to help others quickly get to where I wound up. So my point is I have TLS working beautifully now, but that's where some real surprises that Microsoft had nothing to do with were encountered when GRC's DNS benchmark is started.

02:15:30
When you start the program, fire it up, it loads the list of DNS name servers it will be testing. For every name server, it sends a couple of test DNS queries to verify that the name server is online and reachable from the user's current location and connection. It uses the system's standard DNS name servers, whatever name servers are configured on the Windows desktop, to query a couple of public databases to obtain the ownership information about the IP address space housing the name server, to create a richer experience and provide more background information about all these IP addresses. You know, who owns them, because that's not otherwise clear from an IP address. The URLs which the encrypted name servers use do tell a much richer story.

02:16:25
So here's where we first encounter the biggest difference between traditional DNS and any form of encrypted DNS. Traditional DNS is carried over the UDP protocol. UDP stands for User Datagram Protocol. When a user's computer wishes to look up the IP address of a domain name, that domain name is packaged into a single internet UDP packet and it's sent to whatever DNS name server the user's computer has been configured to use. And that's it. Package the domain name into a packet and send it out onto the internet with the destination IP of one of the user's configured name servers. Hopefully the packet arrives at its destination. When it does, the name server examines it, takes whatever actions may be needed to obtain the IP address that's been requested and eventually replies by appending the answering IP to the user's DNS query, which also fits into a single packet.

02:17:40
The original DNS protocol designers understood the value of keeping everything tucked into single packets, so DNS doesn't miss a trick when it comes to quick hacks to eliminate any redundancies in DNS queries and their replies. If the sender of the query doesn't receive a reply within a reasonable length of time, either the query or the reply packets may have been dropped by a router along the way. They'll simply ask all of the name servers they've been configured for and accept the first reply they receive. They just try again, but typically on a retry they ask everybody. What we have as a result is a truly elegant and minimal system. One internet DNS query packet goes out, finds its way across the internet and is received by the user's designated DNS name server. That name server makes it its mission to get the answer to the user's DNS query and once it has it, you know, it might just be, as I talked about earlier, it's got the you.com IP right there in its cache. It just immediately sends the answer back. Either way, once it has the answer, it sends the reply back in another single packet. It's beautiful. Yes, it is.

02:19:09
Unfortunately, what it also is is ruthlessly hostile to encryption. It offers no privacy. Now we know what encryption requires. At the bare minimum, encryption requires that the entities at each end of any connection share a secret that no one else can possibly know. They then use that shared secret to encrypt and decrypt the messages they send back and forth. So how do they obtain that secret? We know that there are key exchange mechanisms that make establishing a shared secret in full view of the public possible, but they're vulnerable to man-in-the-middle attacks, and we know that the only way to prevent a man-in-the-middle attack is to be able to positively authenticate the identity of the party we're connecting to.

02:20:09
The way that's done, using the technology we currently have, requires a certificate, and certificates are large, like between 3 and 6K. What this all means is that just asking for a tiny little bit of privacy here for our DNS queries and their replies completely blows all of the original elegance of DNS's fast and lightweight single-packet queries and replies out of the water. All we want is for a single packet not to be eavesdropped on, but the realities of the internet mean that in order to do that, we have no choice other than to drag all of the massive overhead of connection security along for the ride. The other thing I didn't explicitly mention is that with all of this back and forth exchange of certificates and handshaking and encryption protocol enumerations and agreements, on top of all of that, we cannot just have packets getting lost along the way. So the only way to carry on this dialogue, which has suddenly become much more complicated, is by moving from the minimal elegance of single-packet UDP, the User Datagram Protocol, to the reliable delivery system provided by TCP, the Transmission Control Protocol. So that's what I built, that's TLS on top of TCP.

02:21:54
For every remote name server that the DNS benchmark will be testing, it looks up the IP address for that name server's domain name because, again, remember, encrypted name servers are referred to by domain names, just like web pages. They've got URLs. So we look up the IP address of the name server's domain name. Whereas the original standard port for DNS is port 53, the standard port for TLS-encrypted DNS is 853. So the benchmark establishes a TCP connection to the remote name server's port 853. It then initiates a TLS connection negotiation, negotiating encryption protocols, receiving and verifying the remote name server's certificate, because that's part of TLS, agreeing upon a shared secret key and then bringing up the encrypted tunnel, and that's that whole weirdly opaque SChannel API stuff that I spoke about earlier. Okay, at this point, whew, yay, we have a connection to a remote DNS name server over TLS, which should allow us to send and receive DNS queries.

02:23:26
So it was with great joy and celebration that I got all of that working, whereupon the remote name servers began unceremoniously disconnecting and dropping their connections without warning or reason and with prejudice. I thought, what? I tried it a few times and the same thing kept happening. It seemed that these name servers were, I don't know, impatient for queries, and they were not being uniformly impatient. Some would drop the connection after a second, some would wait five seconds or in between, but without fail the connections would be dropped. So I figured that perhaps they were getting annoyed with me for getting them on the line and not immediately asking them for some DNS resolutions. So I started having the benchmark send them DNS queries to answer over this newly created connection. This maybe worked a little better. Things were definitely working. The connection was up and TLS was running. I was able to use Wireshark to observe the transactions, the packets moving back and forth across the wire, and I was receiving valid answers to the benchmark's queries. So we were on the right track, but without warning, even in the midst of DNS queries and replies, the remote ends were still getting fed up with my questions and dropping connections. After sitting back and thinking about this for a few minutes, the reason for this all became obvious.

02:25:10
Compared to unencrypted UDP queries and replies, TCP and especially TLS over TCP connections are incredibly expensive, not only to establish but to maintain. Traditional UDP DNS name servers have been so spoiled compared to almost all other servers. They receive a UDP query packet to which they reply with an answering UDP reply packet, and that's it, period, mission accomplished. Thank you very much. We've talked about all of the back and forth that's required to establish a TCP connection and then even more for TLS once the TCP connection is established.

02:26:10
But there's another significant cost to maintaining a connection. Both TCP and TLS require each end to maintain a great deal of state information, since TCP numbers every byte that's sent and received. It's responsible for providing reliable delivery of anything sent and acknowledged and acknowledging the receipt of everything received. It needs record keeping to make all of that happen, and that also means that the TCP/IP stack needs to be aware of the existence of all of the many various connections to everywhere so that the incoming and outgoing packets can all be routed appropriately. And once the packets pass through the TCP/IP layer, the TLS protocol has a bunch more of its own state. It needs to retain the knowledge of the specific TLS encryption protocol and the version that was negotiated with the end, and the shared secret key for encrypting and decrypting the data, and the state of all the many options that have been added to TLS, from the start of SSL up through TLS 1.3. In other words, a lot.

02:27:43
And now consider all that in comparison to plain old standard DNS queries over UDP, which has none of that. None. A packet arrives and a reply is returned. DNS over UDP has no state, nothing to remember between queries, no state to preserve, no connections, nothing. Okay. So now we switch back to those big iron DNS servers that are being operated by Quad9, Google, Cloudflare and many others. Think of how many thousands or tens of thousands of clients' queries they may be handling every second of every single day. For UDP, that's no problem. Pack it in, pack it out, they just do it. Done. They reply to every query and forget about it.

02:28:44
But for DNS queries that need to establish a TCP connection, then negotiate a TLS secure tunnel on top of that, all before even the first DNS transaction, that's one heck of a lot of overhead. And now imagine, with this expensive connection established, the client expects this busy, widely shared public name server to just sit there with a TCP connection established and TLS crypto negotiated and wait for the client to ask a question Not happening. There's no way busy and super popular name servers can possibly afford that. They cannot afford to tie up their precious RAM memory with all of the state tables and flags and options that every single one of those connections requires, only to have the client not immediately needing and using its services. So it should come as no surprise that these name servers are exhibiting very little patience with inactive connections and that, even with active connections, they're only able to give anyone who asks a limited amount of their time.

02:30:09
Given all of this, you might be inclined to wonder why all of this works at all. How can encrypted DNS, which is so much more expensive than good old DNS over UDP, be the future? The answer is that web browsers' use of DNS is inherently bursty. When a user clicks a link to jump to a new web page that it's never visited before, and assuming that the browser or the operating system is configured to use DNS over TLS or DNS over HTTPS, a connection will be brought up to the remote name server to obtain the IP address of the site. Once the IP address is obtained, the browser will immediately connect to that remote web server to obtain the destination web page.

02:31:05
Today, in 2025, fully populating a typical web page requires the resolution of an average of between 50 and 150 DNS domain names. Those are the domains for the advertisements, the script libraries, the images, the various tracking gizmos and all of the other goop that runs today's web. So, upon downloading and obtaining the destination web page, the user's web browser, which would very likely still be holding open the connection to the remote name server, will send off a blizzard of those 50 to 150 DNS queries over the previously negotiated, secure and encrypted TLS tunnel, and that will pretty much be it. For a while, the user's web browser will have collected all of the IP address responses it needs to fetch all of the rest of the page's contents. So if either it or the far end decides to drop the expensive-to-maintain TCP-TLS connection, who cares?

02:32:25
This is what I meant when I said that DNS queries are inherently bursty. They generally arrive in a very brief flood with the display of a new page which the browser then renders, and the user examines and ponders before eventually clicking another link which generates another brief flurry of queries. And so it goes that bringing up a relatively short-lived and very expensive-to-maintain TCP-TLS connection winds up being cost-effective. It's true that doing all of this connecting, establishing and negotiating takes time and multiple, many-packet round trips. But once it's been done, the DNS queries and replies are able to occur with the same speed as regular DNS, even though they're now encrypted with the same state-of-the-art crypto protocols we use to protect all of our other crown jewels. And if 50 to 150 queries are being sent in a burst, the time required to set up the connection can be amortized across all of the DNS work that can get done. Once the connection is ready, the user will not experience any different page loading performance than before.

02:34:00
Also, the TLS protocols offer session resumption features where the answering remote server bundles up all of its post-negotiation TLS state information, encrypts it under its own local secret key and hands it back to the client to keep at the end of their initial connection negotiation.

02:34:23
This allows the client to cache that opaque blob which it's then able to return and offer to the server the next time it reconnects to that same server. The server receives the blob, decrypts it using its own private key, which no one else has, and, if everything matches up, the client and the server are able to bypass all of the time-consuming and expensive TLS renegotiation to pick up right where they left off. Having thus understood what's going on with name servers, GRC's benchmark is now working with every one of them I have found. I've got a long list, and since DNS over HTTPS just wraps the DNS query and its response inside the HTTP protocol, which also runs inside TLS, I expect to have that added and running shortly. And now everyone has a much better sense for how the industry is moving forward to encrypt the last of the simple plain text protocols which has survived until now. I imagine that DNS over UDP will someday go the way of good old unencrypted HTTP, which we hardly use any longer.

02:35:50 - Leo Laporte (Host)
Bravo. You have to, you need some sort of musical note at the end of the, like a, Steve Gibson, always a pleasure. Thank you so much for the job you do and the information that you pass along. I know everybody who listens, uh, looks forward to Tuesdays. That's when we do the show, right after MacBreak Weekly, um, about 1:30 pm Pacific, 4:30 Eastern, 20:30 UTC.

02:36:21
It's, it's not a TV station. We don't begin exactly. We begin when the last show is over and all the buttons have been pushed and we begin. So it's going to be a little loose. Don't get too upset if it's not exactly 1:30, but it's roughly around there.

02:36:37
I only mention that because you can watch it live. It's by far the least popular way to watch it, but you can watch it live. We stream on eight different platforms. Club Twit members can watch in Discord, but there's also a YouTube live stream. Twitch, TikTok, yes, TikTok, X, Facebook, LinkedIn, Kick and something else. I can't. I've, I've gotta make a list. I usually can do it by memory, but I'm missing something and I can't think of what. X, Facebook. Anyway, you don't have to watch live.

02:37:12
The whole idea is this is a podcast. So if you aren't around in the afternoon on Tuesday, all you do is you go to twit.tv/sn. You can download it there. Better yet, go to Steve's page, grc.com, because while you're there you can pick up a copy of SpinRite. Everybody should have SpinRite if you've got mass storage. It's the world's best mass storage maintenance, performance enhancing and recovery utility. Version 6.1 is there. While you're there, pick it up. Then go to the Security Now page.

02:37:44
Steve has the 64 kilobit audio that we both have. That's kind of the canonical audio version, but he also has a 16 kilobit version for the bandwidth impaired and really nicely written, human created, not AI created, transcripts. Elaine Farris does a very good job with that. That's nice to have because you can download that, follow along as you listen, use it to search, or you could search on his site and search it there. It's just a handy thing. Make it maybe a, uh, a spiral notebook, and bind it in and then you'd have all of the episodes. You could read along and listen along and that kind of thing. We have, of course, the 64 kilobit audio at our web page, but we also have video, and there are some people who like to see Steve's blinking lights. Did you get it? Did you get them all?

02:38:33
Uh, they're blinking away, firing them all up. Is it just a reboot, or do you actually have to enter a code?

02:38:38 - Steve Gibson (Host)
No, I just flip a few switches. Yeah, it's essentially a restart.

02:38:43 - Leo Laporte (Host)
Yeah, I unplugged my PDP-11. Plugged it back in again.

02:38:49 - Steve Gibson (Host)
Oh, it's going again.

02:38:49 - Leo Laporte (Host)
Yeah, nice, the bottom one, the inside. I do have to start a program. I have a piece of paper underneath it: there's, flip that switch up, flip that switch down.

02:39:00 - Steve Gibson (Host)
Then toggle that switch and it gets it blinking. So the videos, we used to have dents in our fingers from pushing all the little switches up and down. Yeah, guys, just nuts, just nuts, um.

02:39:13 - Leo Laporte (Host)
So get the video, you know, subscribe. You can subscribe in your favorite podcast player and get audio and video, audio or video. So a lot of different ways you can watch the show or listen to the show. We do hope you'll do that every week. If you're a Club Twit member, even better. You get ad-free versions of the shows for $7 a month, plus a lot of other benefits. Is it, uh, still possible to buy it, uh, individually, I think for five dollars a month?

02:39:38
Uh, on Apple, and I, so I think we also offer that on YouTube, so you can just buy an individual show. But do me a favor, spend a couple bucks more and get them all. Why wouldn't you, why wouldn't you want to, um, anything else to say, Steve? Are we done here? Got it.

02:39:57 - Steve Gibson (Host)
I think we got it all, and I'm excited too, because we'll be back next week with another episode that only has ones and zeros. It'll be 1011, which is episode 11, if my binary arithmetic is correct, and it will not be until our episode 1100 that we're back to ones and zeros.

02:40:19 - Leo Laporte (Host)
So enjoy it while you've got it, is what you're saying.

02:40:22 - Steve Gibson (Host)
Yeah, thank you, Steve. That's what I'm saying.

02:40:24 - Leo Laporte (Host)
We'll see you next week on Security Now. Bye.
