Apr 15th 2025
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. We're going to talk about... well, there's a lot of things: the 100-some fixes in Microsoft's Patch Tuesday last week, why it's so difficult for Oracle to fess up, an Apple versus the UK update, and the arrival of... all that and more coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1021, recorded Tuesday, April 15th, 2025: Device-Bound Session Credentials. It's time for the moment you wait for all week long: Security Now, the show where we cover your security, your privacy, your safety online with the king of all of that stuff, Mr. Steve Tiberius Gibson. Hello.
0:01:04 - Steve Gibson
Actually, Leo, what they're waiting for all week long is the next protracted event in their life, typically a five-hour commute or a plane flight or something.
0:01:17 - Leo Laporte
Something they can listen to the show.
0:01:18 - Steve Gibson
Yes, because now it's in their queue and it's time to spool this into their brain. And boy, we got a spool for you today.
0:01:30 - Leo Laporte
Think of us as a printer driver spooling up all this information for you to unwind.
0:01:35 - Steve Gibson
Yes, even the title needed to be spooled because it stretched out the screen there down at the bottom.
0:01:43 - Leo Laporte
Yeah, what is device-bound session credentials? Okay, so for.
0:01:46 - Steve Gibson
Security Now episode 1021 for Tax Day. And, by the way, I heard you saying before that you could be listening to MacBreak Weekly while doing your taxes, and I thought, only if you have a time machine, and once they're finished you can go back, unless you're filing estimated, in which case you could be listening right now and doing your taxes. You don't have to mail until midnight.
0:02:11 - Leo Laporte
You've got time, that's true, and maybe it's just me, but I always... I mean, I did mine yesterday. I was way ahead of the game. Okay, that's right. Oh yeah, yeah.
0:02:22 - Steve Gibson
Well, that's... You had the day off. No podcast to do.
0:02:25 - Leo Laporte
I think it's... so, you know, it's funny. I actually listened to an old TWiT while I was doing it. I don't know why; Dan Patterson sent me an email saying the first time he was on TWiT on Sundays... The first time I was on was back in 2009. This episode, it was a great episode. It had all these great people. I listened to it and it was kind of fun to hear about the beginnings of surveillance capitalism.
0:02:48 - Steve Gibson
How was Sunday's big anniversary TWiT? I haven't had a chance to...
0:02:51 - Leo Laporte
Steve, we had so much fun, because I had more than 20 videos from listeners and viewers talking about when they first found TWiT. It was wonderful to celebrate the audience. You know this because you get the emails and the comments. Yeah, I have a good connection. We love our audience, we really do, and so I thought, to celebrate 20 years of TWiT (you're going to be celebrating 20 years of Security Now in a few months), it'd be fun to, instead of honoring the hosts or the things we've done, hear from the listeners, and it was really great. I really enjoyed it. We had a fire eater, we had a guy on a boat, we had not one but two guys in tractors. I mean, it was a...
0:03:34 - Steve Gibson
It was a very... I thought you were gonna say traction.
0:03:36 - Leo Laporte
I was like, whoa, no, nobody was in traction. There was one person incarcerated, however. One prisoner sent us an email, so he's got a good bandwidth connection. Can he...?
0:03:47 - Steve Gibson
The steel bars? They tend to block Wi-Fi.
0:03:49 - Leo Laporte
No, no, that's not it. They give him an iPad with podcasts on it, and I don't know if we were ever asked, but apparently Security Now is on some of them. This one, he was only able to get one of the shows, TWiT. I don't know if you want Security Now going into the prison. Maybe, that's maybe the war. How do...
0:04:08 - Steve Gibson
How do I do that hack again? How do I get over to Russia? How do I call a strike? Good point. Anyway. So, oh boy, this is gonna frost your snow cone: Device-bound session credentials. What we finally have, after 35 years, is a change in the way we manage session cookies, session cookies being the cookies which our browsers receive, which continually identify us to websites that we're logged into, the session being our logged-on session. And I'll go back over a little bit of the history of this when we get to it later today, sometime this evening, because we have a lot to cover.
0:05:08 - Leo Laporte
It's going to be a long show. Is that what you're telling me Today? I better go get lunch, okay.
0:05:16 - Steve Gibson
But yeah, you can maybe plan your vacation.
0:05:19 - Leo Laporte
I'll do my taxes for 2025.
0:05:21 - Steve Gibson
Don't take it yet, because, yes, you do have to lick the stamp on your taxes.
0:05:26 - Leo Laporte
Yes, I do.
0:05:28 - Steve Gibson
Anyway, we're going to talk about the industry finally coming up with what looks like the replacement for, and far more security connected to, maintaining logged-on state with browsers. And really, we've been asking an awful lot of the lowly cookie, which was created, as I said, back in the mid-90s by some guy named Lou at Netscape. Anyway, I didn't know his name, that's okay. Oh yeah, Lou.
We're going to have a lot of fun with Lou's cookies, and I'll explain that. You do not need to understand it all on this first pass.
No doubt we'll be looping back to this a number of times, because this is big news. This is a change in the way we... the security of logging on, in terms of the browser identifying itself to the server, and it is very cool. I mean, we have so much in our toolbox now with all of the crypto that we're able to bring to bear, rather than some little gibberish of ASCII that is like, oh, that looks like him. Anyway. Before we get to that, because that's just the coup de grâce, we've got Android believed to be getting a lockdown mode next month. What's new in updates to Chrome and Firefox? And there's some cool stuff. Actually, it was the blurb about Chrome that put me on to this, and then I saw that Firefox and Safari were also already working on this.
Why did Apple silently re-enable automatic updates? My new iPhone 16, Chinese tariffs and electronics, dynamic hot patching coming to Windows 11 Enterprise and Edu, cool new tech from Microsoft. Why is it so difficult for Oracle to fess up to what is obvious to everybody else, that that happened? We have another multi-year breach uncovered inside US Treasury, making it the third of three. An Apple versus the UK update. Something I just... I can't get over the name that they've given this: Thundermail. Can't we get a better name? Thundermail? It works for a bird to put thunder in front of it.
0:07:58 - Leo Laporte
It's like a male strip show, like the Thundermail down under.
0:08:03 - Steve Gibson
It's just, every time I see it I go, oh God, no. I'd be embarrassed to be Steve at Thundermail.com. Anyway, Mozilla is going to do something. We also have the insecurity of programmable logic controllers, and why that matters. Oh, and Leo, it turns out that you probably ran across this because you're amazingly up-to-date and informed, I find: when LLMs write code and hallucinate non-existent package names.
0:08:35 - Leo Laporte
I know the perfect library for this code. It's going to be weaponized, I guess. So yes, if you know ahead of time, yeah, and it's got even a worse name than Thundermail.
0:08:44 - Steve Gibson
It's Slurp something or other. It's like, oh my God. Well, anyway, we'll be covering it today. We also have WordPress's core security, and PHP had a very important audit funded, and the problems they found are barricaded. No one is talking about them because they're so bad, but they're being fixed, and I think what we're going to end up seeing, as we'll see, is an important retroactive... You know, everybody who still has supported versions of PHP, now would be a good time to update them. Also, once all that's done, if there's anything left of us, we're going to talk about device bound session credentials, and I so much want to hyphenate device bound. It's not, and it's like, that's wrong, but you know, we put up with referrer being misspelled in HTTP headers all our lives.
So I suppose we'll leave off the hyphen in device bound and, of course, we've got a great picture. So maybe, leo, we actually have a good podcast this week.
0:09:53 - Leo Laporte
Maybe? I hope we don't disappoint. No maybe about it, Steve, I guarantee it. Boy, you're a stickler. I didn't even really think about this, but you're right, device bound should have a hyphen, shouldn't it? Bugs me. Yeah, I never even thought about that. Well, we just have to go with whatever the IETF thinks is right.
0:10:13 - Steve Gibson
Maybe somebody at the World Wide Web Consortium is listening to this podcast and thinks he's right, that's a typo.
0:10:21 - Leo Laporte
Let's fix that. Steve Gibson, ladies and gentlemen. We'll get to our hyphen-less discussion in just a moment, but first a word from our sponsor for this segment of Security Now, the great folks at ExpressVPN, the only VPN I trust, the only one I use. I think anybody watching this show knows you need a VPN. I mean, right? Going online without ExpressVPN would be like, I don't know, driving a car without insurance. You could be a great driver, but with all the crazy people on the road these days, why would you take that risk? Everyone needs ExpressVPN. My perfect example: when we flew down to Tucson for the Gem Show, we went through SFO, the San Francisco airport, and of course I'm sitting there, we've got a couple of hours before the flight, and I see it, SFO free airport Wi-Fi, and I'm thinking I would really like to use that. But yes, exactly, Steve. That was exactly what I was like. But I could see Steve Gibson over my shoulder saying... Fortunately, I had ExpressVPN on my iPad. I fired it up, joined the network. I was secure.
Every time you connect to an unencrypted network, whether it's an airport or a cafe or a hotel, you're taking all kinds of risks. First of all, any hacker on the network can gain access to your computer to steal your personal data, to hack you. It doesn't take a lot of technical knowledge to do this. A smart 12-year-old could do it, and you know what? There is an incentive. Hackers can make like a thousand dollars a person selling your personal info on the dark web, so there is incentive for them to do this. ExpressVPN stops those hackers cold. They stop them because they cannot see you.
You have an encrypted tunnel between your device and the outside world, and the VPN you use, the choice you make, is super important. You need to trust ExpressVPN. I love ExpressVPN, and they go the extra mile to make sure your data is absolutely invisible.
Why is ExpressVPN the best? It's super secure. Obviously, they're using strong encryption. It would take, you know, a billion years to get past the encryption. It's very easy to use. I'm sitting there on my iPad, I just went to ExpressVPN. There's a big red button that says start it. I fired up the app. You just click one button and now, boom, you are completely private, completely secure, completely protected, even on the free airport Wi-Fi. It works on all devices: your phones, every phone, laptops, tablets. You can put it on your router. Stay secure, not only on the go, but everywhere in your house.
ExpressVPN is rated number one by top tech reviewers like CNET and The Verge, and I use it. There's another way you can use it. Sometimes, when we travel, we don't have our locals, you know, our local... I want to watch a football game and I'm in Mexico. It's a great way to do that too. ExpressVPN: you know you need a VPN. Use the best. Secure your online data today. Visit expressvpn.com/securitynow. E-X-P-R-E-S-S-V-P-N.com/securitynow. Find out how you can get up to four extra months free when you buy a two-year package. expressvpn.com/securitynow. We thank them so much for their support of the good work, the important work, that Steve does here.
0:13:45 - Steve Gibson
Well, and you know if you were entitled to watch the game while you were home, Right. And you were traveling Right, then it's not like you're doing anything wrong.
0:13:54 - Leo Laporte
No. In fact, I asked Netflix, because I thought, well, should we be promoting this? They said as long as you have a Netflix account, you can be watching Netflix in any other geographic location. That's fine. So that's what you can use a VPN for, too, and it's the only reason. People say, well, you should use Tailscale or something local. But I can't do that, really. That doesn't work as well if I want to be in London, because my house is not in London. So there's an advantage to using ExpressVPN. More flexibility.
0:14:25 - Steve Gibson
All right, let's take the picture of the week here. I think we're going to have to not expose what this picture reveals, because it would be a spoiler for those who want to encounter it and solve this puzzle themselves, because this picture takes the form of a puzzle.
0:14:43 - Leo Laporte
Yes, all right, I'm going to scroll up. So by all means... I'm going to scroll up, and I see Neil deGrasse Tyson. Yep. And I can read it right away. Yep, I see, I knew you would be able to. Yes, but I won't tell you what it says.
0:14:56 - Steve Gibson
You cannot tell us what it says, but this is a famous example.
0:14:59 - Leo Laporte
I've seen other examples where they don't add numbers for letters, but where they take away letters. Okay, right, and it shows you how adaptive the human mind is, how able to fill in the gaps we are.
0:15:13 - Steve Gibson
Yes, yes. So this picture, I gave out the caption, here's one to think about, and it's a T-shirt that Neil deGrasse Tyson is holding up, credited to a famous physicist in our midst, and I think everyone will enjoy taking a look at the picture. Do people have a hard time reading this?
0:15:34 - Leo Laporte
do people look at this and go? I don't know what it says.
0:15:36 - Steve Gibson
Yes, I've had some feedback saying that they, you know, had to spend some time thinking about it. Interesting. So I know, and I knew you wouldn't, Leo, because you're no fun.
0:15:46 - Leo Laporte
It's not leet exactly. Well, it's pretty close to leet. It's pretty close to leet, so maybe it's... I've spent too many years reading leetspeak.
0:15:53 - Steve Gibson
Ah, that's a very good point. It bears a strong resemblance to that. Yeah, okay, so nothing's been made official, but it would make sense for Android to follow in Apple's footsteps, with it available in kind of the August-September timeframe as part of Android 16. It's believed that Google's been quietly working on a new, more secure mode for Android that, as I said, is probably inspired by Apple's iPhone Lockdown Mode. According to a placeholder documentation page, which currently 404s, and based on analysis of Android beta images, the new feature would be named the Android Advanced Protection Mode, AAPM.
As with Lockdown Mode, AAPM would not be intended for regular Android users. It would be of use for probable targeted individuals who are more likely to face threats from oppressive regimes, advanced spyware, network surveillance attacks and so forth. It would disable older and less secure 2G cellular connections, block users from sideloading apps from unknown sources (presumably it prevents them from running apps that have already been sideloaded, I would imagine, I don't know), enable the Memory Tagging Extension, which is a feature to block the exploitation of memory-related exploits, and force a reboot of any device after more than three days of disuse. That forced reboot feature was spotted by Android Authority as a means of flushing RAM of any resident malware that may have taken up residence in the device during its owner's absence through whatever means, but then wasn't able to obtain persistence, so that it wasn't able to write itself into the file system. Although Google has offered no official confirmation of any such new Android Advanced Protection Mode, a large amount of code to support it is present in Android 16 betas. We've seen instances where something ended up in a further-in-the-future release, not the most current, next forthcoming release. So maybe not 16, maybe not till 17. But it's not like this is rocket science to turn off things that it already has, so why wait? Anyway, the fact that it's in the 16 beta suggests that it will probably be official soon.
Android Authority found the message that informs users that they may not sideload apps. There's also support, I thought this was cool, for a new API which allows apps to detect whether the handset has this mode enabled so that they may apply any of their own security-enhancing behavior. For example, a web browser might disable its internal JIT, its just-in-time compilation mode, when it detects that the handset is in this advanced protection mode, because we know that the just-in-time compilers tend to be where a lot of security flaws have been found to reside in the past. Or, you know, another example: maybe instant messaging apps might disable their automatic display of multimedia content, since, again, we've seen security vulnerabilities often discovered and leveraged in the interpreters that are used to display media. So there are signs that something resembling Apple's Lockdown Mode may be coming soon to Android. And, like Lockdown Mode, it probably reduces the device's convenient functionality too much to be used by most people; it would make the smartphone much less fun to use. But the tradeoff is convenience versus security, and in this case you would be opting for security if you for some reason didn't have an Apple device, and this allows Android to do that. Also.
While I was perusing recent news, I saw that Chrome had recently moved to release 135 and Firefox was now at 137. Among the changes, as I mentioned, in Chrome was the title of today's podcast, missing its hyphen: device-bound session credentials, which we'll be getting to here for a very deep technical dive at the end of today's podcast. But nothing else really stood out about Chrome 135 beyond that. The biggest news for Firefox 137 appears to be tab grouping, although the ability to use Firefox's URL field as an ad hoc calculator for quick math actually excites me more, and I'm sure it's going to get much more use by me. Anyway, somehow I've broken the habit of having a seemingly near-infinite number of tabs serving as placeholders for things I plan to get back to eventually. I remember, maybe 10 years ago, I had over there to my left a Firefox browser, and if it ever crashed or I lost its tab lineup... it was my knowledge base. I had so many open tabs. I don't do that anymore. I don't know what happened, but I just kind of got out of that, I guess. But I know from feedback from our listeners of this podcast that there are many people who do still organize their life around browser tabs, and this is probably going to be a godsend for them. So the Firefox 137 blog page explains: Tab groups begin rolling out today. Stay productive and organized with less effort by grouping related tabs together.
One simple way to create a group is to drag a tab onto another, pause until you see a highlight, then drop to create the group. Groups can be named, color-coded and are always saved. You can choose a group and reopen it later. Okay, so I thought, great, let's try it. But no matter what I tried, and I was using Firefox 137, when I attempted to drag one tab on top of another, at some point, presumably once some center line somewhere was crossed, the underneath fixed tab that I was in the process of covering up would suddenly scoot over to fill the gap that was left from the tab that I was dragging.
No matter what I did, I was unable to in any way merge two tabs into a single group. I'm just telling everybody, in case they have the same experience that I did, that it didn't work for me. Then I noticed that the phrase "tab groups" was highlighted in the blog posting as a link. Clicking that, I discovered the likely cause of my trouble. The more detailed page, after I drilled down, said: starting in Firefox version 137, you can use tab groups to manage open tabs in Firefox by grouping them together and labeling them. Okay, right, except it's not working.
Then it said this feature is experimental and is being introduced...
I'm like, how hard is this to do? Why do you have to experiment with it? Anyway, it's being introduced to the Firefox user base through a progressive rollout. It may not yet be available to all users. Number me among them, because I just can't get two tabs to merge. So okay, the Mozilla folks seem pretty excited about this, and they also noted that Firefox's new tab grouping system also works for vertical tabs. I long ago satisfied my absolute and utter need for vertical tabs using a pair of Firefox add-ons: Tree Style Tab, which allows a hierarchy of tabs, and also Tab Session Manager, which allows me to save current sets of tabs as a session and keep them in XML files, load them, save them, restore them, move them around. Love it. Anyway, together those two things do everything I need. But once support for native tab groups does finally arrive in my Firefox, which I don't yet have, I may look at switching to Firefox's native vertical tabs and using tab groups. Maybe that'll give me the same stuff that I have now.
0:25:25 - Leo Laporte
I hate it when they do progressive rollouts like that you just never know what features you have Right.
0:25:31 - Steve Gibson
And Leo, how hard can this be? It's not like, oh, we're going to upset people or we're going to break things.
0:25:40 - Leo Laporte
I think it's more that than is this going to work. I think it's more like people go. Oh my God, what?
0:25:45 - Steve Gibson
happened? I just, yeah, two tabs merged. Oh, they merged.
0:25:52 - Leo Laporte
Wow, well, yeah.
0:25:54 - Steve Gibson
Anyway, earlier I said that the feature that appealed to me most was the ability to use Firefox's URL field as a quick ad hoc calculator. Yeah, that puzzles me. Tell me how you do that. It works. You just start typing, like 35 plus 7.
0:26:11 - Leo Laporte
That's a weird feature, okay.
0:26:15 - Steve Gibson
I kind of like it. Anyway, that one was enabled for me and it worked, and it couldn't be any easier. Mozilla writes you can now use the Firefox address bar as a calculator. Simply type an arithmetic expression and you can use parenthetical, you know, prioritizing and so forth and view the result in the address bar dropdown. Clicking on this result will copy it to your clipboard.
0:26:40 - Leo Laporte
I wish I had known this when I was doing my taxes yesterday.
0:26:45 - Steve Gibson
Ah, there you go. I had to fire up a calculator. Anyway, yes, and now, you know, I'm often reaching for the calculator that's located next to me at my workspace. In fact, here it is. I've never talked about this. I love this. This is from the SwissMicros guys. Oh, that's cool.
0:27:02 - Leo Laporte
Is that an HP 51 clone?
0:27:06 - Steve Gibson
It's an HP calculator clone, so it's RPN. It's an extremely nice calculator. It took me a little while to get used to it. You can see that it's got, next to this, that A, B up there, E, F, so it's also hex, so it's a multi-base calculator. Anyway, I love this little thing. It took a while to get used to it, but I've got one in each of my locations. Anyway.
So my point is, I always have a calculator next to me, but you know, sometimes if I just want to do a quick little bit of math, it's now in the address bar. Also, what I noted was that this integrated calculator appears to be part of a larger address bar refresh and update 250, even though they sort of listed it on its own.
Mozilla explains that we now have a unified search button. A new easy-to-access button in the address bar helps you switch between search engines and search modes with ease. This feature brings the simplicity of mobile Firefox to your desktop experience, they said. So I guess mobile Firefox has already had that and now we're getting it on our desktop. Search term persistence: they said, now, when you refine a search in the address bar, the original term sticks around, making it easier to adjust your queries and find exactly what you're looking for.
They also have a contextual search mode. If you're on a page that has search capability, it offers that option to you directly with the page, to search from the page's engine from the address bar. What? Anyway, they said, use this option at least two times and Firefox will suggest adding the search engine to your Firefox, which, that was interesting. And then also, finally, intuitive search keywords. You can access various address bar search modes with convenient and descriptive keywords. So, for example, you start with @bookmarks, or @tabs, or @history, or @actions, and the search will then be aimed at, or focused on, that specific aspect of Firefox.
So, anyway, that contextual search mode, where Firefox is supposedly detecting pages which offer their own searches, to me that's surprising and seems both aggressive and error-prone. So it'll be interesting to see how that all works out. Anyway, beyond all this, Firefox 137 now identifies all links within the PDFs which its integral PDF viewer displays, turning them into hyperlinks. So it'll do that for you. You don't have to, like, you know, copy and paste them and all that. It's also possible to add your own signature to PDFs without leaving Firefox, and signatures can be saved for reuse later. And also, Firefox now provides native support for the HEVC media format codecs under Linux. So, anyway, it occurs to me that all this further supports my ongoing contention that our web browsers have become incredibly complex and only continue to become more so.
0:30:35 - Leo Laporte
And this is from a guy who uses a reverse Polish notation calculator, ladies and gentlemen. That is true. By the way, I did the search, I found SwissMicros. Oh, they have a whole bunch of different models. They do.
0:30:49 - Steve Gibson
Now, those little credit-card-size ones have very cheesy keyboards, so no, I don't want...
0:30:54 - Leo Laporte
I mean, oh, you already ordered? What? It sounds like... Oh, I own them, I own them all. I want to get the DM42n. That's... and it's got...
0:31:02 - Steve Gibson
They have nice fonts. They've got... I mean, there's so much in them. You can connect them to external storage? Yes, yes, and you're able to upgrade their firmware. They have a USB port along the top. This is pretty cool.
0:31:22 - Leo Laporte
They're neat people. I might have to buy one. I have no use for it. Zero. I still might have to buy one.
0:31:29 - Steve Gibson
Well, there's always tax time next year, Leo.
0:31:31 - Leo Laporte
That's right. Oh yeah, that's what I bought it for, honey. It's for taxes, that's it.
0:31:38 - Steve Gibson
No, I am often doing things. I'm computing currents in microamps and milliamps.
0:31:43 - Leo Laporte
You've never shown me that before. I don't think I never have. I've never mentioned it.
0:31:48 - Steve Gibson
Very cool. Yeah, they are neat people. I mean, it is a well-made... because you can no longer get, which just boggles my mind, any of the good HP scientific calculators. The financial calculator was like the 15 or the 12, I don't remember, not the 12. Anyway, there's the financial calculator the HP still makes, but they've given up. All the scientific ones are now algebraic notation instead of RPN, and they've got big screens that can do graphics and all this crap no one really needs; they're just gimmicks. And so these people, they're the real deal. So I mean, although we have 42 for our iPhone, and so I wonder... I mean, that's a gorgeous calculator too. Yeah, so I'll put it next to my slide rule. I should have a collection.
0:32:42 - Leo Laporte
It's nice to have clicky buttons.
0:32:43 - Steve Gibson
This thing's got beautiful, really nice keys.
0:32:47 - Leo Laporte
It's pretty cool. I don't know what the price is because it's in Swiss francs and I hate to see what the conversion is going to be.
0:32:53 - Steve Gibson
It's a couple hundred dollars and it takes a while to get it to you, and I don't know what tariffs
Trump has aimed at Switzerland, but I haven't heard that mentioned. So maybe they're just going to get the blanket tariffs, but it's got semiconductors in it. We'll be talking about that a little bit later, because I was induced to upgrade my phone. Let's take a break. We're half an hour in, and we're going to talk about Apple and what they just did with their most recent upgrade, which caught some people by surprise.
0:33:29 - Leo Laporte
Yeah, I know. By the way, there was one other reason that you might want this reboot thing after three days. If somebody steals your phone, of course it's great to wipe the memory, but if somebody steals your phone and they don't use it, or you lose it and they don't use it, it's nice to have it go into the fully locked mode. Yes, after a reboot.
0:33:49 - Steve Gibson
Yes.
0:33:49 - Leo Laporte
Because then it requires the password and all that stuff. I'm sorry, I'm a little busy right now ordering something from Switzerland. Don't... Oh, he would want to do an ad right now. All right, I got it.
0:34:05 - Steve Gibson
I ordered it For our listeners who are interested. It's Swiss Micros. It's pretty cool. All the documentation is there. I mean they're engineers, they're Swiss engineers.
0:34:14 - Leo Laporte
Oh yeah, look at the people who are making your Swiss Micro. I mean this is a serious serious device here.
0:34:22 - Steve Gibson
That's what happens when we give up China, Leo, is we go back...
0:34:26 - Leo Laporte
to... We'll make iPhones in the US. Sure we will, sure we will. Put some wheels on it. Wow. Let me... yes, let's talk about the advertiser for this segment of Security Now, so you can get right back to our device bound...
0:34:40 - Steve Gibson
And you can get back to ordering your next.
0:34:42 - Leo Laporte
I already bought it. It's too late, I got it. You gotta work fast on this show. I bought the 42, and I thought, why not just get the grandpa, right? No idea what it's going to cost me. What do I...
0:34:57 - Steve Gibson
have? I got the DM32, whatever it is. Yeah, they both have RPN.
0:35:03 - Leo Laporte
I want to write little software. Oh, and fully programmable, and oh, and yeah, it's cool.
We were talking about Forth last week. It's kind of like having a little Forth calculator in your house. Ladies and gentlemen, our show today, brought to you by Vanta. Okay, this isn't like chocolate for Easter, but it's almost as good. Vanta, you need it. It's compliance that doesn't SOC 2 much. I love that. That's a great slogan.
I want a t-shirt that says that. Vanta is a trust management platform that helps businesses automate security and compliance. This is fantastic. It lets you demonstrate strong security practices, which is very important to your customers, your partners. It lets you scale. Demonstrating trust to customers and prospects is critical to closing deals these days, but it can also be a big time sink, right? It's time intensive, it's complex, it's expensive. Not Vanta.
Vanta turns your GRC programs into growth drivers, all while making it easy to manage your security risks. Vanta makes it easier and faster, by the way, by automating compliance across 35-plus frameworks, almost certainly one that you use, the ones that you use. They automate up to 90% of the work for in-demand frameworks like SOC 2, ISO 27001, HIPAA, and on and on and on, 35-plus of them. This gets you audit ready in weeks instead of months, saves you up to 85% of associated costs. Vanta pays for itself. Plus, Vanta scales with your business, helping you continuously monitor compliance, unify risk management and streamline security reviews. Vanta, V-A-N-T-A, saves your business time by centralizing security processes and helping complete security questionnaires up to five times faster using automation and AI. Vanta helps companies save time, save money. A recent IDC white paper found, get this, Vanta customers can achieve $535,000 a year in benefits. The platform pays for itself in three months. 10,000-plus global companies trust Vanta: Atlassian, Quora, Chili Piper, Factory, they all use Vanta.
You should use Vanta. For a limited time, our listeners get $1,000 off Vanta, but you got to go to this address: vanta.com/securitynow. That's V-A-N-T-A dot com slash security now. $1,000 off. Make your compliance life a lot easier. Vanta.com/securitynow. We thank them so much for their support of Security Now with Mr. Steven Tiberius Gibson. So the DHL delivery alone is 70 Swiss francs, so I may get it someday in the next six months. DHL is a good delivery, though. Oh yeah, for international, you kind of have to use DHL. Okay.
0:38:07 - Steve Gibson
So a posting over in OSXDaily had the headline of a public service announcement. The headline read: PSA, automatic update enables itself with macOS Sequoia 15.4 and iOS 18.4. Now, maybe the guy got up on the wrong side of the bed, as they say. I'm going to share his posting. There's a grain of this that I kind of agree with, but not quite to the extent that, I mean, he's really bent. So he writes, this is important and relevant to most Mac, iPhone and iPad users.
Colon, installing the latest updates for macOS Sequoia 15.4 for Mac, iOS 18.4 for iPhone and iPadOS 18.4 for iPad will forcibly enable automatic software update for system updates on your device. Okay, now yeah, given the fact that updates can again be turned off, his use of the phrase forcibly enable seems maybe a little over the top. That implies that it would no longer be possible to again disable automatic updates, which is indeed possible anyway. The piece continues: some people may already have these auto update features enabled on their devices and not mind this change. Who wouldn't? Nor would they notice a difference? Whereas there may be other people who intentionally disable automatic update and do not wish to have the auto update feature forced upon their devices.
Oh well, he writes, with automatic updates enabled, this means your Mac, iPhone or iPad will automatically download and install system software updates onto your devices, yeah, no kidding, as they become available without your approval or prompting. Well, that's not true, I know. Automatic updates may be problematic for many reasons. For one, he writes, not everyone has the bandwidth available, in their brain apparently, to automatically download huge software updates. Additionally, not everyone wants to install the latest software updates when they become available. Many users prefer to wait a little while to see if there are any critical bugs or issues discovered before putting the latest system software on their device. He said, friends, and this is a reasonable caution, though it's not common, Apple has dumped out some bad software updates in the past that had to be pulled due to various issues. That's true, yeah. And of course, many Mac, iPhone and iPad users just simply prefer to manually update and manage their devices on their own, without the computer or device doing it for them.
0:41:17 - Leo Laporte
I've always had automatic turned on and it always says there's an update. Would you like to proceed? Yeah, it's just downloading it ahead of time, right?
0:41:24 - Steve Gibson
He says, but your personal computing behaviors and your, get this, Leo, but your personal computing behaviors and your opinion is irrelevant, as Big Cupertino knows what is best for you, your iPhone, your Mac and your iPad. Right, as we know, for the vast majority of their users, they probably do know what's best. And he finishes: Apple has decided that you will have automatic updates enabled on your devices, and your installation of iOS 18.4, macOS Sequoia 15.4, or iPadOS 18.4 was apparently used as an agreement to that setting change. If you don't like that, you can change it back and disable automatic system software updates. Well, and the rant continues. Believe it or
0:42:23 - Leo Laporte
not, and, by the way, you still can turn it off. I'm just checking right now. Of course you can turn it off too. I did too.
0:42:29 - Steve Gibson
I went over and looked and, like, okay, there's a big switch. Yeah, he says. Anyway, we don't learn anything more from him beyond the fact that this author really, really dislikes the idea that Apple might feel that having automatic updates enabled for the masses is sufficiently important that it should be done. I can certainly agree that it would have been polite for Apple to ask before re-enabling disabled automatic updates, since if Apple were to find them disabled on a device, it would have had to be deliberate on the part of the device's owner to turn them off. But perhaps there are instances where, you know, that could have been malicious.
I don't know, maybe malware gets in and flips that off. Good point. In order to... That's exactly why they do it.
0:43:23 - Leo Laporte
Yes, we've seen that kind of behavior in the past. Yes, yes.
0:43:28 - Steve Gibson
And there might be something that they have done with this update that they might actually need to emergency roll back, but if automatic updates were off they wouldn't be able to. So maybe they're saying, look, we know, we need to just kick this on again, so, you know, for safety's sake. In any event, since I know there are many listeners of this podcast who do strongly prefer taking and having manual and deliberate control over the updating of anything, I wanted to make sure that everyone knew that the move to these latest macOS, iPhone OS and iPadOS releases will have re-enabled it, if we believe this guy. I don't know, because I leave mine on. My phones are set to automatically update, so it was on after the most recent update and I don't know if it would have turned it on. He never turned it off, yeah.
0:44:24 - Leo Laporte
Benito's saying he turns updates off always on all of his devices.
0:44:29 - Steve Gibson
Yes.
0:44:30 - Leo Laporte
I don't know. Did you notice 18.4 turning it back on again? You know, there is something I do get upset about. They turn on Apple Intelligence every single update. That's like a five or six gigabyte download that you should get upset about because there's no security reason for that.
0:44:47 - Steve Gibson
Yeah, let's let this guy know, because that would be good for another big
0:44:49 - Leo Laporte
Yeah, he's got a whole other link-baity blog post. Yeah, that's exactly right.
0:44:56 - Steve Gibson
Okay, now I also want to take a moment to note that I'm now the proud owner of a shiny new iPhone 16 Pro. Ooh, fancy. Now, as I've mentioned before, I had been happily using an older iPhone 12 Pro without any problems, but I became concerned last week over the threat of Chinese import tariffs significantly inflating the prices of iPhones. The threat appeared to be real, with Apple in a panic, flying iPhones in from India and all kinds of kerfuffle about this. But after poking around Apple's site for a while, like looking at the 16 and, okay, and my 12 is still working good, I decided that my older iPhone, which was, as I said, still working just fine, would almost certainly last me through whatever tariff turbulence we were going to be experiencing, even for the next few years. I later mentioned this to my wife Lori, whose response was: my God, buy yourself a new phone.
0:46:14 - Leo Laporte
Yours is old and small. She was talking about the phone. Yes. Now see, this is why we get married. She's absolutely right. I would have said the same thing. You deserve a modern phone, Steve. Right, I was driving a 20-year-old BMW
0:46:31 - Steve Gibson
when we met and she was a little one, she's like it's a little sketchy. Why are you driving, you know? Do you have any resources, Do you? You know, am I going to be picking up the tab?
0:46:42 - Leo Laporte
Honey, I broke down on the 405. Can you come get me?
0:46:47 - Steve Gibson
So last Thursday I returned to the Apple store, and I did that. Now, as we know, I'm not somebody who always needs to have the latest and greatest. My stash of Palm Pilots in the refrigerator is testament to that.
0:47:03 - Leo Laporte
Oh, I hope Lori doesn't find those.
0:47:05 - Steve Gibson
I'm also a testament to the "if it's not broke, don't fix it" school of thought, so I usually use electronics until they're worn right down to the nub. But I have to say that the 16 is a lot more responsive than the 12 was, and since I no longer wear a watch, every time I saw Lori's phone displaying the time of day on its dim OLED screen, I thought that was a terrific feature. You know, we purchased hers for her birthday and she lives on that thing way more than I do on mine. She'll, I don't get this, she'll be sitting right next to a booted-up desktop computer with a full-size screen and a keyboard that actually invites typing rather than actively fighting against your data entry, and she'll be squinting at websites on her phone.
0:48:04 - Leo Laporte
That's because she's a modern woman, Steve, she's modern.
0:48:08 - Steve Gibson
I don't get it. In any event, last Friday, the day after I purchased the 16, the news broke that imports from China of smartphones and electronics were being exempted from the 154% import tariffs that had formed part of my purchase motivation. But then over this past weekend, the US Commerce Secretary, Howard Lutnick, explained during an interview on ABC's This Week Sunday morning show that in another month or so, a new set of tariffs specifically targeting all semiconductor imports would be taking effect, and that smartphones would be caught up in that. Sigh. Now, a few months ago, I purchased a new set of servers for GRC that I have not gotten around to deploying yet, but they're here. When the second one of an earlier set of five died a few months ago, I decided that I needed to be ready in case I lost another one. Wait a minute, you buy five at a time?
0:49:17 - Leo Laporte
I had five running. Do you run? Oh, you have five servers all at once. Yes, are they?
0:49:23 - Steve Gibson
load balancing? No. A couple are running, I think three are running Windows, two are running Unix, and they're in various states. You know me, security, so they're physically isolated. I'm not sharing function between a secure server and a server that's running PHP.
0:49:46 - Leo Laporte
Each does something else. Yes, okay.
0:49:48 - Steve Gibson
Yes.
0:49:50 - Leo Laporte
So they have very specific, like an image server and, right, okay.
0:49:53 - Steve Gibson
Yeah, but also security boundaries. As I said, the server that I have that has PHP on it, it's all by its lonesome and it's got its own physical firewall. There are only a few things that it's able to do, because PHP, and we're going to get to the audit which demonstrates the wisdom of that, and the fact that I myself just had to update PHP because of that CGI vulnerability that my version of PHP had at the time that this was happening. So, anyway, so I've got three brand new servers, and I'm now somewhat more glad that I already have those in hand, in case their cost might soon be increasing. You know, they were not inexpensive and it appears that a few months from now they might become more expensive. Can?
0:50:50 - Leo Laporte
Can I ask you which company you buy from? I mean?
0:50:53 - Steve Gibson
Just, yeah, the servers that have been dying were Intel motherboards. I mean, you know, Intel, serious, the best I could get servers at the time. And now I've switched to Supermicro, because I do have a Supermicro machine that has been going for about 40 years and it just will not die.
0:51:23 - Leo Laporte
So I thought, okay, I'm going to go back to the ones that seem more solid than Intel. A lot of people would be very interested in your choice.
0:51:26 - Steve Gibson
So, thank you, I've looked at the Intel motherboards and I'm no longer impressed with their build quality. You know they've got stuff like-.
0:51:33 - Leo Laporte
They used to be the king of the hill, didn't?
0:51:34 - Steve Gibson
they, I know, and that's why I thought I'm going to go with the best, because, you know, and they end up paying for themselves in the long term. But two out of the five of these identical Intel servers just stopped working.
0:51:48 - Leo Laporte
Do you buy towers or blades, or what form factor do
0:51:52 - Steve Gibson
you buy. They're all, I was, originally I had three 2U Intel servers, okay, and these are all 1U. Nice. The other five are now 1U servers and they're all four 3.5-inch-across drives in the front, all running RAID 6 with physical RAID 6 controllers, because I'm still... And is this in your living room? Where are you? Oh no, these are all over at Level 3; they're over at Level 3 in their data center.
They're at colo. Okay, yep, yeah, anyway. So, thank you for sharing that, yeah.
0:52:31 - Leo Laporte
Well, you should have. I made on my website an "I use this" page. I don't use anything nearly as interesting as you do, but for people who are interested in what microphones we use and stuff, you should make a little "I use this" page.
0:52:42 - Steve Gibson
I think that'd be interesting. Well, what's really interesting is that I also found myself purchasing some, oh shoot, now I'm forgetting. I ended up using a router that we've talked about in the past. MikroTik? No, it wasn't. Not Ubiquiti.
0:53:04 - Leo Laporte
Yes, it was Ubiquiti. Yeah, I love my Ubiquitis.
0:53:09 - Steve Gibson
There was one particular family of Ubiquiti routers that allowed me to do the static port address translation that I really need to do. I have some other big iron equipment that I was using back in the day and one of them is still alive. Several of them have died, and I thought, okay, I need to have this functionality, and Ubiquiti is the router that, you know, and I'm, boy, am I impressed with that, with their technology. Yeah, yeah, I'm really happy with that. You know, you'll remember this, one of the things, speaking of, you know, what hardware I'm using.
The most famous thing I did back in my Tech Talk column days on InfoWorld was Steve's Dream Machine, where, you know, I chose this motherboard, these drives, this controller, you know, this keyboard, you know, and I basically kitted out, like, if you were going to build the ultimate machine. That was also tricky because it was like, okay, these drives say they're only this big, but they actually have these extra cylinders on them and you can format them to this size and get the maximum size partition, and blah, blah, blah. I really spent a lot of time, you know, finding, like, the best value, not the most expensive, but the best value in each different category, and anyway that was popular then. Anyway, what I wanted to say is that I have no crystal ball and any rational actor looking at the past month of tariff actions would be foolish to place any large bet, because who knows what's going to be true in the next hour? I'm quite certain that no one really knows what the future holds, but I very clearly heard the US Commerce Secretary state that the administration's intention is to use higher import tariffs on all products containing semiconductors to force a shift in semiconductor manufacturing from offshore to the US. So, independent of the practicality, feasibility and sanity of any of that, we may indeed see the cost of devices containing semiconductors rising.
What I would be willing to bet on is that prices are certainly not going to be dropping anytime soon. I don't see any way that happens. So I just wanted to take a moment to talk about this, since I'm now more glad than I was that I had purchased those new servers a few months back. I would likely be doing that now for strategic savings if I had not already. I certainly don't know any more about what's going to happen than anyone else, and this could all change tomorrow. That's the nature of where we are today, but if any of our listeners were waiting on the purchase of any big ticket items containing semiconductors, it might be worth considering that prices may indeed be higher six months from now than they are today. I would certainly not place any bets on them being lower.
iPhone 16 Pro: if Apple ever does get around to deploying some useful AI, I'll be glad to have a device that allows me to experiment with it. My 12 wouldn't have, and in the meantime, it's nice to have a dim clock on the lock screen and to be able to edit text messages that I've already sent. So I made that jump. Good. And yes, Leo, we both have wives that said, oh my God, come on Steve, you deserve it, you get it.
0:57:14 - Leo Laporte
Your phone is old. I mean, I understand the desire to run something into the ground. I mean, you still, I mean, you don't want to use the latest Windows either. So I understand that. That's commendable, but, well, you deserve a nice phone.
0:57:29 - Steve Gibson
I just discovered yesterday that my iPhone 6, it used to be all pooched out because the battery expanded, but it turns out that goes down over time, so maybe I can bring that back. No, no, no, no.
0:57:43 - Leo Laporte
And don't bring it on an airplane either, oh my God, okay.
0:57:49 - Steve Gibson
So we were just talking about Apple silently enabling updates. Microsoft also recently made some news for Windows 11 Enterprise and Education users, and I'll bet you guys are going to be talking about it tomorrow on Windows Weekly. Oh yeah. Windows 11 Enterprise and Education users will be getting updates on steroids in the form of the much-anticipated no-reboot-required hot patching. Hallelujah. Yeah, hallelujah, yeah. Microsoft will then only require a once-per-quarter full cold reboot, with all of the other interim updates able to be applied directly to Windows running in memory. So, in other words, reboots drop from 12 a year to four per year. So not over, but, you know, only one third as often. Microsoft's announcement blog posting about this is titled Hot Patch for Windows Client Now Available, where David Callahan, writing for the Windows IT Pro blog, says: Hot patch updates for Windows 11 Enterprise version 24H2 for x64, both AMD and Intel CPU devices, are now available.
With hot patch updates, you can quickly take measures to help protect your organization from cyber attacks while minimizing user disruptions. Hot patching represents a significant advancement in our journey to help you and everyone who uses Windows stay secure and productive. So let's talk about the benefits, he writes, how it works and how you and your organization can take advantage of this advancement as part of your Windows servicing journey. Hot patching offers numerous enhancements when it comes to keeping Windows client devices up to date.
Immediate protection: hot patch updates take effect immediately upon installation, providing rapid protection against vulnerabilities. Consistent security: devices receive the same level of security patching as the monthly standard security updates released on the second Tuesday of every month. And minimize disruptions: users can continue their work without interruptions while hot patch updates are being installed. Hot patch updates don't require the PC to restart for the remainder of the quarter, he says. Note: OS features, firmware and/or application updates may still cause a restart in the quarter. He says you'll first create a hot patch enabled quality update policy in Windows Autopatch through the Microsoft Intune console. All eligible Windows 11 Enterprise version 24H2 devices managed by this policy will be offered hot patch updates in a quarterly cycle. And one also thinks, Leo, that maybe at some point in the future, once hot patches have been proven and seen not to cause any trouble, Microsoft could certainly be pushing them out more frequently than quarterly. That's a good point.
1:01:07 - Leo Laporte
Yes, more frequently than monthly.
1:01:10 - Steve Gibson
Yeah, if something bad happens and they want to immediately fix it, it's like, why not? It doesn't require, you know, any big change. So they said the hot patch updates follow the same ring deployment schedule as standard updates. Devices receiving the hot patch update will see a different Knowledge Base number tracking the hot patch release and a different OS version than devices receiving the standard update that requires a restart. Hot patch updates operate on a quarterly cycle. So, cumulative baseline month, so they said, in January, April, July and October, so four times per year, devices install the monthly fixed security update and restart. This update includes the latest security fixes, cumulative new features and enhancements since the last cumulative baseline. Then in the subsequent two months, devices receive hot patch updates, which only include security updates and do not require a restart. These devices will catch up on features and enhancements with the next cumulative baseline month, which is to say quarterly. This cycle, he wrote, includes the number of required... I'm sorry. This cycle reduces the number of required restarts for Windows updates from 12 to just four per year, thanks to eight planned hot patch updates annually. To enable hot patching for Windows client devices you'll need a Microsoft subscription that includes Windows 11 Enterprise E3, E5, or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription; devices running Windows 11 Enterprise version 24H2, build 26100.2033 or later, with the current baseline update installed; an x64 CPU, including AMD64 and Intel. And he said ARM64 devices are still in public preview but coming, so not available yet, but that'll happen. And finally, Microsoft Intune to manage deployment of hot patch updates with a hot patch enabled Windows quality update policy.
Okay, so we've known for some time that patching Windows on the fly without rebooting is both possible and practical, since this has been an aftermarket feature that the gang over at 0patch have been offering for some time. So, you know, they do in-RAM patching of DLLs that are loaded on the fly. So in instances where Microsoft has strategically decided to abandon Windows security, the ongoing availability of those 0patch patches may be a godsend. But bringing this to Windows Enterprise and Education client machines means that millions more systems will be able to receive the benefits of on-the-fly hot patching. Microsoft is not yet suggesting that this boot avoidance technology might be available for their latest server platforms, but, boy, avoiding unnecessary server reboots would appear to be a nice feature for the future, not having server downtime.
I don't have any problem with a brief once-a-month reboot of any of my workstation machines. That's just not a problem for me. And Microsoft has already invested heavily in minimizing the time required to install updates. As we know, they no longer require the huge amounts of time they once did. I remember, like, sitting around for hours while this, you know, something spun around on the screen, or we watched dots chasing each other. You know, it's gotten a lot better. So for me the monthly updates aren't causing much trouble. Okay, now just checking back briefly on where we are with Oracle before we take another break. The TL;DR on this is they're still lying and denying, which is just, it's like, to everyone's amazement. Security researcher Kevin Beaumont, who we've followed often because he's very involved in the industry, published on Medium from his doublepulsar.com site under the headline "Oracle attempt..." Oracle. He uses the term "Oracle attempt", in the, as, as, that's British. Yeah, yeah, they.
1:06:20 - Leo Laporte
That's how the british do it. We, we companies are singular. Yeah, in other countries it's often plural.
1:06:27 - Steve Gibson
It's like, you know, data technically is plural, but I never get it right. Anyway, so he says: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service. Kevin wrote: cybersecurity incident playing out in a service they manage for customers. Back on March 31st, BleepingComputer ran a story around a threat actor named rose87168 claiming to have breached some Oracle services inside *.oraclecloud.com. And of course our listeners may recall that the fact digging Lawrence Abrams did for BleepingComputer, which we talked about, was so thorough as, in my appraisal, to cross the line from evidence to proof of Oracle's apparently deliberate obfuscation and misdirection about the incident. So Kevin continues: Oracle told BleepingComputer and customers, quote, there has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data. He says.
The threat actor then posted an archive.org URL and provided it to BleepingComputer, strongly suggesting they had write access to login.us2.oraclecloud.com, a service using Oracle Access Manager. This server is entirely managed by Oracle. Oracle have since requested archive.org take down the proof and the Wayback Machine no longer shows the page. The threat actor then provided a several-hour-long recording of an internal Oracle meeting, complete with Oracle employees talking for two hours. The two-hour video includes things like accessing internal Oracle password vaults and customer-facing systems. Both Hudson Rock and BleepingComputer were then able to confirm with Oracle customers that their data, including staff email addresses, was in data released by the threat actor. The threat actor, rose87168, is still active online and releasing more data and threatening to release more. They've also released data to cybersecurity threat intelligence providers. In data released to a journalist for validation, it has now become 100% clear to me that there has been a cybersecurity incident at Oracle involving systems which processed customer data. For example, the threat actor has publicly provided complete Oracle configuration files, current also. As one example, they provided Oracle web server configuration files. All the systems impacted are directly managed by Oracle. Some of the data provided to journalists is also current. This is a serious cybersecurity incident which impacts customers in a platform managed by Oracle.
Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers and what they're doing about it. This is a matter of trust and responsibility. Step up, Oracle, or customers should start stepping off. Kevin then provides three updates. In update one he said: Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on Oracle Cloud by using this scope, but it's still Oracle Cloud services that Oracle manage. That's part of the wordplay. Second update: although Oracle used the archive.org exclusion process to remove evidence of writing to one of the oraclecloud.com web servers, they forgot to remove a second URL that clearly shows the threat actor, rose87168, having posted their email address on an Oracle Cloud page. And, by the way, I went to that URL and it is still there, and I saw rose87168 at Proton Mail posted there.
1:12:03 - Leo Laporte
On an Oracle hosted page. So that's pretty conclusive yes.
1:12:07 - Steve Gibson
And then the third and final update: multiple Oracle Cloud customers have reached out to me to say Oracle have now confirmed, get this, Leo, Oracle have now confirmed a breach of their services. However, Oracle are only doing so verbally; they will not put anything in writing. So they're setting up meetings with large customers who query, he writes. This is similar behavior to the breach of medical PII, personally identifiable information, in the ongoing breach at Oracle Health, where they will only provide details verbally and not in writing.
Over on Mastodon, Kevin posted and now a class action lawsuit has been filed against Oracle over a data breach at Oracle Health which Oracle has not acknowledged in public. I have a link, if anyone's interested, to the class action breach court document PDF. He said this Oracle thing keeps getting more and more wild. I've never seen a response so bad from a large organization. They're throwing their own security staff under the bus by having them face customers rather than the corporation actually take responsibility. And you know Oracle's handling of all this could be taught and should be taught as a short course in how not to ever handle a data breach. This whole business of only having verbal conversations and refusing to put anything into writing feels like attorneys being asked how to run a company. I'm not sure that's a formula for success. Through my years as a small businessman, I've had occasion to receive the advice of attorneys. I always thank them and pay them and carefully consider the value of their advice and then move on. Yes, but what they would advise often seems to follow reactions to worst case scenarios.
1:14:13 - Leo Laporte
They're there to protect you from the worst.
1:14:15 - Steve Gibson
Yes, whereas I found that being more open and trusting and optimistic has always worked better for me, me too. One of our listeners, whose name is Keith, wrote from Canada. He said Hi, Steve, thank you for covering the Oracle Cloud breach in the latest episode, highlighting the significance of the breach and the SEC violations. Given the OCI Classic breach, as they're dubbing it now, and the separate Oracle Health breach, I'm thoroughly confused on how they haven't had to disclose to the SEC. As a Canadian Oracle Health customer, it's very frustrating to me that they seem to be above SEC regulations and still refuse to disclose breaches to us so that we can be proactive in protecting our organizations. I'm a huge fan of you, Leo, and the show. Thanks for everything you guys do. Thank you, and I wouldn't know what to tell Keith. You know regulations only have teeth if they're backed up by the certainty of enforcement.
And to say that things are somewhat confused in the US at this particular moment could safely be considered an understatement. Both our DOJ and SEC are currently preoccupied with trying to figure out which end is up and what their priorities should be. So it may be that Oracle lucks out on this one and that it slips by on the government side. But, as I noted, US citizens have already filed lawsuits that may force depositions to be taken and place additional facts on the record, which ultimately makes enforcement a, you know, a given. So we'll see. And, Leo, before we talk about the problems over at US Treasury, we need to take another break, since we're now a little more than an hour in. Never a dull moment, my friend.
1:16:22 - Leo Laporte
Never a dull moment, that's for sure. Well, let me talk a little bit about our sponsor, ThreatLocker, because I think this is something everybody should know about. ThreatLocker is zero trust, done right, and it's affordable. It's usable for your business. Look, you don't have to listen to the show to know that ransomware is a massive problem. It's not just businesses, it's schools, it's city governments, it's infrastructure. They're attacking with phishing emails, infected downloads, malicious websites, RDP, you name it. You do not want to be on that list. But fortunately you don't have to, thanks to ThreatLocker and their Zero Trust platform. Here's the key: it takes a proactive, and this is it, these are the three words, deny-by-default approach. It blocks every unauthorized action, protecting you from both known threats and completely never-seen-before zero-day, unknown threats. Trusted by global enterprises like JetBlue. And I mentioned infrastructure. It's so important. You know, when the Colonial Pipeline went down, people realized this isn't just attacking businesses, this is attacking vital infrastructure. You know who else uses ThreatLocker? The Port of Vancouver. Because they're vital infrastructure, ThreatLocker shields them from zero-day exploits, supply chain attacks and, even better, for compliance, provides a complete audit trail. Everything that happened. Everybody who had access, when they had access. ThreatLocker's innovative ring fencing technology, that's what they call it, ring fencing, isolates critical applications from weaponization, it stops ransomware in its tracks and it limits lateral movement within the network. That's really the threat.
We were talking a few weeks ago about the ransomware gang who got into a system. They were finding it hard to find an attack surface. Then they found a camera, because they were able to move laterally, right, and they were able to access this camera. That was running Linux and it had enough storage. They put their ransomware on that and took the whole enterprise down from the camera. See, ThreatLocker prevents that. You don't have access to the camera. You can't touch the camera.
ThreatLocker works across all industries. It supports Mac environments as well as Windows environments. You get 24/7 support based right here in the US. You get complete, comprehensive visibility and control. Mark Tolson is the IT director for the city of Champaign, Illinois. He's in charge of keeping that whole city up and running, right. How does he do it? He protects them with ThreatLocker. He says, quote, ThreatLocker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing that ThreatLocker will stop that. Wouldn't you like that for your business? Stop worrying about cyber threats. Get unprecedented protection quickly, easily, cost-effectively with ThreatLocker, and I mean cost-effectively. Go check it out. I was blown away. With ThreatLocker, you get everything you need to protect yourself from ransomware. Visit threatlocker.com/twit. Get a free 30-day trial. Not just ransomware, any kind of malware. Learn more how ThreatLocker can help mitigate unknown threats and ensure compliance. That's just a nice little extra. threatlocker.com/twit. We thank them so much for supporting the work Steve's doing. What's that?
1:19:52 - Steve Gibson
Those are pictures of kids at the Pawnee High School. See, I know, that's terrible. I know.
1:19:59 - Leo Laporte
So these bad guys, they get in there. They get, because they can make lateral movement, they can wander around, they can find anything they want. Exfiltrate it, blackmail. You say, oh, we don't want that private information to leak out, you don't want those embarrassing emails to leak out. They're like fifth-grader headshots, that's terrible, that they posted publicly. Oh yeah, yeah, yeah. grc.sc/1019 if you want to see something terrifying.
1:20:26 - Steve Gibson
Jeez.
1:20:27 - Leo Laporte
Louise.
1:20:29 - Steve Gibson
Okay. So the United States Treasury has something known as the Office of the Comptroller of the Currency. The emails for nearly 100 of the OCC's staff had been intercepted since the breach originally occurred. Get this, Leo, back in June of 2023. Oh my God, nearly two years. Two years, encompassing more than 150,000 pieces of email. Someone has been rummaging around in there. None of the nearly 100 staffers at the US Treasury's Office of the Comptroller of the Currency have enjoyed any actual email privacy. It's all just been an illusion, and Treasury does appear to be either a high-priority target or to have less than adequate security, since this OCC breach is the third Treasury office to recently disclose a breach. Before this, we had the Office of Foreign Assets Control, OFAC. Oh man, two previous intrusions. The US government has now credited the Chinese-backed hacking group Silk Typhoon. Now this news connected with something I heard over the weekend.
An Asian analyst was interviewed by Fareed Zakaria during his Sunday morning show on CNN. She made the comment about how, at some point, as tensions between the US and China escalated, China might decide to weaponize all of the data they'd been collecting through their pervasive cyber intrusions into the US. That gave me a bit of a chill because unfortunately, it really made sense. We've seen a great deal of evidence of Chinese, apparently state-sponsored actors rummaging around inside US government and industry networks, but nothing overt and obvious has come of it. It might be that an "attack" as such, and I have that in quotes, would take the form of using all of the information that's been gleaned against US interests, in other words weaponizing all of that data. We don't know, you know, that this recent and long-running US Treasury Office of the Comptroller of the Currency email breach was the same as who previously was found to have breached those other two US Treasury offices. So far there's been no attribution, but at this point it would almost be surprising if it wasn't the Silk Typhoon group backed by China. So it would be so much better if we could all just get along. That doesn't seem to be happening, though.
Sadly. There's some news on the Apple versus the UK and what Apple will do about the UK's demands to be able to obtain the stored iCloud data for anyone in the world they request. AppleInsider's headline was UK iCloud backdoor mandate hearing must be made public. Eventually, they wrote, after a legal challenge by Apple, the hearing about blowing open Apple's iCloud encryption in the UK for the sake of national security will not be kept secret, but it's not clear when the details will be made public. After the hearing about a mandated backdoor happened behind closed doors, Apple very nearly immediately filed an appeal with the backing of most of the world's governments, privacy advocates and journalism organizations. That appeal has been heard and at some point the results of the hearing will be made clear.
The Investigatory Powers Tribunal rejected claims from the UK government that national security would be hurt by revealing the results of the hearing or exposing who attended the hearing. In short, the appeal found that there was no reason to restrict what it calls open justice. So the results of the hearing must be made clear in due time. It's not clear when that will happen, as case management orders will be made only after Apple and the UK government have time to consider the ruling and proposed drafts. So at least we're going to find out what that is about. Basically, we've got bureaucracy.
Whatever's going to happen will apparently grind away slowly, but the fact that the UK government now knows that it will not also be able to conduct everything in secret may hopefully dampen their zeal somewhat and rein them in. What's interesting about this is that there's no middle ground here. There's no gray area. UK users either will or will not have the ability to enable Apple's demand to be able to obtain the data belonging to anyone they choose anywhere in the world has any chance of ever happening, but they might.
They might well force Apple to disable ADP for citizens in the UK. We'll see. But again, the only good thing about this is that it's black and white. That is, either you have it or you don't, so hopefully the fact that there's a sharp point on this will help a clean and clear decision to come out of all this. Now, I missed this news, this next news, when it happened 10 days ago, but I felt the need to come back to put it on everyone's radar, because what Mozilla is doing with a suite of new cloud service offerings which they're calling, unfortunately, Thundermail.
1:27:28 - Leo Laporte
That's what you need. Yeah, I was going to say it right.
1:27:31 - Steve Gibson
Oh, thank you. I will need you again when we're talking about Roskomnadzor. Roskomnadzor, I'm sorry, no, it's good. Come non-zor. Risk and danger.
1:27:41 - Leo Laporte
I'm sorry.
1:27:42 - Steve Gibson
That was fun. No, it's good. We have Thundermail and Thunderbird Pro. I'm sure this will be of interest to many of our listeners, for much the same reason we choose to use Mozilla's Firefox. So Mozilla wrote: Today we're pleased to announce what many in our open source contributor community already know, the Thunderbird team is working on an email service called Thundermail.
1:28:10 - Leo Laporte
Good. Another way to make money, that's good.
1:28:13 - Steve Gibson
Yes, as well as file sharing, calendar scheduling and other helpful cloud-based services that, as a bundle, we have been calling Thunderbird Pro. First, a point of clarification: Thunderbird, the email app, is, and always will be, free. We will never place features that can be delivered through the Thunderbird app behind a paywall. If something can be done directly on your device, it should be. However, there are things that cannot be done on your computer or phone that many people have come to expect from their email suites. This is what we're setting out to solve with our cloud-based services. All these new services are, or soon will be, open-source software under true open-source licenses. That's how Thunderbird does things, and we believe it is our superpower. It's also a major reason we exist: to create open source communication and productivity software that respects our users, because you can see how it works, you can know what it's doing and that it's doing the right thing. The why for offering these services is simple. Okay, now the truth is they want to survive, but OK, they wrote. Thunderbird loses users each day to rich ecosystems that are both products and services, such as Gmail and Office 365. Lock-ins through interoperability issues with third-party clients, and soft lock-ins through convenience and integration between their clients and services. It's our goal to eventually have a similar offering so that a 100% open-source, freedom-respecting alternative ecosystem is available for those who want it. We don't even care if you use our services with Thunderbird apps. Go, use them with any email client. No lock-in, no restrictions, all open standards. That is freedom.
So what are the services they have? Thunderbird Appointment. Appointment, they write, is a scheduling tool that allows you to send a link to someone allowing them to pick a time on your calendar to meet. The repository for Appointment has been public for a while and has seen pretty remarkable development so far. It's currently in a closed beta and we're letting more users in every day. Appointment has been developed to make meeting with others easier. We weren't happy with the existing tools, as they were either proprietary or too bloated, so we started building Appointment.
Then there's Send. Send is an end-to-end encrypted file sharing service that allows you to upload large files to the service and share links to download those files with others. Many Thunderbird users have expressed interest in the ability to share large files in a privacy-respecting way, and it was a problem we were eager to solve. Thunderbird Send is the rebirth of Firefox Send. Well, kind of. We've rebuilt much of the project to allow for a more direct method of sharing files from user to user without the need to share a link. We opened up the repo to the public earlier this week, so we encourage everyone interested to go and check it out. Thunderbird Send is currently in alpha testing and will move to a closed beta very soon.
Thunderbird Assist. Assist is an experiment developed in partnership with Flower AI, a flexible, open source framework for scalable, privacy-preserving federated learning that will enable users to take advantage of AI features. The hope is that processing can be done on devices that can support the models, and for devices that are not powerful enough to run the language models locally, we are making use of Flower Confidential Remote Compute in order to ensure private remote processing, very similar to Apple's Private Cloud Compute. Given some users' sensitivity to this, these types of features will always be optional and something that users will have to opt into. As a reminder, Thunderbird will never train AI with your data. The repo for Assist is not public yet, but it will be soon. And then Thundermail. Thundermail is an email service in search of a better name. Okay, that's not what it actually says. I just think that Thundermail sounds dumb.
1:33:13 - Leo Laporte
Well, it's because it's Thunderbird. I guess I understand, right, you just can't put Thunder in front of everything. It's Thunder. Now it's Thunderdome. Steven Thunder.
1:33:24 - Steve Gibson
Gibson, oh God. Anyway, it also supports calendars and contacts as well as mail.
1:33:32 - Leo Laporte
I'm interested. I mean, I'm a Fastmail customer which does all the same things, but I'm very interested. I'd like to find out more.
1:33:39 - Steve Gibson
They said we want to provide email accounts to those who love Thunderbird and we believe that we're capable of providing a better service than the other providers out there. Email that aligns with our values of privacy, freedom and respect for our users. No ads, no selling, no training AI on your data, just your email, and it is your email with Thundermail. It is our goal. Oh my God, please, you can't resist giggling.
It is our goal to create a next-generation email experience that is completely, 100% open source and built by all of us, our contributors and users. Unlike the other services, there will not be a single repository where this work is done, but we will try and share relevant places to contribute in future posts like this. The email domain for Thundermail will be thundermail.com, thank God, or tb.pro. Additionally, you will be able, here it is, to bring your own domain on day one of the service. Good, now that starts being interesting.
Having Mozilla behind a 100% open source, privacy-respecting email service where we're also able to bring our own domain, presumably by pointing our own domain's MX records at Mozilla, that would be cool. So everyone listening can head to thundermail.com. The only thing there at thundermail.com is a simple sign-up page, demonstrating their inherently techie nature. You'll see what I mean when you see the page. Yes, it's command line based, yes, and that allows you to sign up for their beta wait list, which will give you notification as soon as this thing is, you know, as soon as you're able to actually sign up for the service, and I did that immediately.
1:35:50 - Leo Laporte
Oh yeah, me too. Yeah, I'm very curious.
1:35:52 - Steve Gibson
So they said, under final thoughts, don't services cost money to run? And they said you may be thinking this all sounds expensive. How will Thunderbird be able to pay for it? And they say, and that's a great question, right, answering it or asking it of themselves. And they said services such as Send are actually quite expensive. Storage is costly. So here's the plan. At the beginning there will be paid subscription plans at a few different tiers.
Once we have a sufficiently strong base of paying users to sustainably support our services, we plan to introduce a limited free tier to the public. You see this with other providers. Limitations are standard, as free email and file sharing are prone to abuse. Yes, yeah. It's also important to highlight again that Thunderbird Pro will be a completely separate offering from the Thunderbird you already use or, in my case, once used, since I still am happily switched away from Thunderbird to eM Client. They said while Thunderbird and the additional services may work together and complement each other for those who opt in, they will never replace, compromise or interfere with the core features and free availability of Thunderbird. Nothing about your current Thunderbird experience will change unless you choose to opt in and sign up with Thunderbird Pro. None of these features will be automatically integrated into Thunderbird Desktop or mobile, or activated without your knowledge.
This has been a long time coming, and the person who posted this wrote in the first person. It is my conviction that all of this should have been part of the Thunderbird universe a decade ago, but it's better late than never. Just like our Android client has expanded what Thunderbird is, as will our iOS client, so too will these services. Thunderbird is unique in the world. Our focus on open source, open standards, privacy and respect for our users is something that should be expressed in multiple forms. The absence of Thunderbird web services means that our users must make compromises that are often uncomfortable ones. This is how we correct that. In other words, they're going to be providing a complete suite of web services, like the other guys do. And he finished writing.
I hope that all of you will check out this work and share your thoughts and test these things out. What's exciting is that you can run Send or Appointment today on your own server. I thought that was interesting. You can run Thunderbird Send or Thunderbird Appointment today on your own server. He said everything that we do will be out in the open and you can come and help us build it. Together, we can create amazing experiences that enhance how we manage our email, calendars, contacts and beyond. Thank you for being on the journey with us. And so we all want Mozilla to stay alive, if not for Thunder-whatever, then for the sake of Firefox. So if their addition of cloud-based services appeals to people as a reasonable alternative to Office 365 and Gmail and that creates a revenue stream to support all of Mozilla, then I'm all for it. So, again, thundermail.com to sign up for the news, and yay.
A quick note is that, over in the category of age restrictions, Meta has extended teen account protections. The existing teen account security protections which exist on Instagram are also being extended to Facebook and Facebook Messenger accounts. The feature prevents children under the age of 16 from modifying a series of privacy settings on their accounts without a parent's approval. This includes settings related to who can contact the account and what content they see on the sites. Meta is also expanding these restrictions so that, for example, teens won't be able to live stream on their sites without a parent's approval. So that's good. Leo, we're at an hour and a half in. We've got some more stuff to get to before we get to our main topic, but now would be a good time for one more break. I could not agree more. Our second to our last, yes.
1:40:49 - Leo Laporte
And I'm glad to tell you about our sponsor for this segment of Security Now, Legato Security. I had a great conversation with these guys and I proposed some ways to talk about what they do. If you're a business, of course you must have, I'm sure you do, we do, you know, firewalls, protective devices, security that is constantly protecting you, but is somebody constantly monitoring it? In other words, if something bad happened on a Christmas Eve or during the weekend, would there be somebody there to see it? That's the important point. You wouldn't set up a burglar alarm and then not have somebody monitoring it, right? That's why burglar alarm services have 24/7 monitoring. No business should be their own burglar alarm. But when it comes to cybersecurity, how many businesses can have 24/7 security operation centers operating and monitoring everything? Only the biggest, right? Well, here's a great solution for small and medium-sized businesses: Legato Security. They provide the same standard of security controls that the large enterprises have, without the cost of building an internal security operations center. You use Legato's. It's brilliant and you don't have to give up anything that you're using currently. It doesn't cost any jobs, it's just an adjunct, an assistant, so that you can finally go home for the weekend and turn off, so that you can have your family with you for Easter Sunday and not worry about what's going on at work.
As a recognized leader by CRN and MSSP Alert in 2024, Legato Security transforms how businesses approach their cybersecurity, and this is important. Their technology-agnostic MSSP platform means that they're not going to install a whole new suite of tools for you. It provides your business with their own custom suite of security solutions that work with your existing solutions. Legato Security integrates seamlessly with all the tools you use right now, which means you don't have to do big, costly infrastructure overhauls, but you do get this fantastic proprietary security operations platform, they call it Ensemble, which takes all of those signals from all the tools you're already using and delivers consolidated, prioritized, actionable alerts in real time via a single comprehensive pane. So everything you need is right there.
Right, but that's not all, because the bad guys don't take holidays. You know we talked about the fact that a hacking team modified a bunch of extensions, I think for Chrome, on Christmas Eve, because they knew that would give them at least a day or two, if not a whole week, to operate freely. Right? Hackers don't take holidays. In fact, they love holidays. They start working when you clock off. Fortunately, Legato Security's 100% US-based team is there 24/7, with proactive threat detection, triage, even remediation, 365 days a year. They have a purpose-built, beautiful SOC. They're keeping an eye on everything so your team can focus elsewhere when it's time to clock out, spend time with your family and not have to worry about what's going on at work.
From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth. A recent customer said, quote, Legato Security is the only supplier that has delivered everything that they said they would and we didn't have to drive them. They just get it done. I love this. I said, well, what happens if I have a problem? They said, look, Legato Security, we're not going to call you to say you have a problem. We're going to call you to say, well, you had a problem, we fixed the problem. We just want to let you know. Isn't that what you want? IT and security professionals, Legato Security's MSSP is here to augment your security team, not replace them. They're the professionals that you want on your team to back up your existing cybersecurity forces, to fortify your proactive defenses 24/7, 365 days a year.
Security tools alone are not enough. You need the expertise to back it up. See if your defenses are as strong as you think. Actually, I've got a great way to do this. Go to Legato's page. They've got the Legato Security Free Risk Assessment. It's available right there on their website. You can go through it or, better yet, get your boss to go through it. And then your boss is going to say, you know, we could use these guys. legatosecurity.com. Discover how they can help you regain control and enjoy your weekends like you used to. legatosecurity.com. You're going to love these guys, legatosecurity.com. We thank them for supporting Security Now, and if they ask you, you tell them, hey, I saw it on Security Now. Right, that helps us quite a bit.
1:45:55 - Steve Gibson
All right, back to you, Steve. Okay, so with our podcast two weeks ago falling on April Fool's Day, that made last week's podcast fall on the earliest possible Patch Tuesday day, April 8th. Looking back at the news of last week, Microsoft patched 126 vulnerabilities. Wow, because, you know, every month.
1:46:20 - Leo Laporte
Every month. That's right, I mean, I guess it's good they're patching them.
1:46:24 - Steve Gibson
It's better than not.
Yeah, you know me, I wish they'd just leave it the heck alone and stop messing with it. But no, one of those was an actively exploited zero day. It was an elevation of privilege in the Windows Common Log File System driver, which tends to be a vulnerability magnet. For some reason, they've had a lot of problems with that driver over the years. Microsoft security team, I mean okay, so it's a log file system driver, probably some summer intern they said, hey, just go do that, you know, write the logging driver while you're here for the summer. We saw that happen with the color mapping that NT did once and it was a disaster. So anyway, you want to put your good guys on the things that are going to run in the kernel. Microsoft's security team indicated that the now patched zero day was being exploited by the RansomEXX ransomware group, and that makes sense, since once you somehow arrange to get your code running on a well locked down Windows machine, that code will likely be running under the account of the user who somehow made a mistake that allowed it to come in and run with deliberately restricted privileges. So even though you may be in as a bad guy, it's still generally necessary to arrange to obtain admin privileges if, you know, as in the case with a ransomware intrusion, your goal is to do a lot of damage. You need to get root on the machine to do that.
Google also patched a pair of zero days last week with Android. One of the fixes is a patch for a Cellebrite exploit used by Serbian authorities to unlock the phones of journalists and anti-government protesters. The exploit and the hacks were first detailed in an Amnesty International report in February. There are no details on the second zero day, other than that it leverages an undisclosed flaw in the Android kernel USB audio driver, but being in the Android kernel suggests that it was likely a powerful root-level exploit. This also makes it the third month in a row that Google has fixed zero days in the Android OS and, as we know, these things are complicated and it's very difficult to get every little detail right, but that's what security requires.
If I wasn't so excited about talking about device-bound session credentials today, as we will be shortly, I would be spending our time digging into a 25-page recently published piece of security research, which was just so juicy. It examined the status of the security of PLCs, the critical programmable logic controllers that generally contain just enough computational ability to figure out when to turn off the toilet paper rolling machine to then cut the paper and start on another roll, after first painting a little bit of glue onto the cardboard tube so that the new end of the paper sticks to it. You know, that's what these things do. In a very real sense, PLCs are what actually run the world. We've talked about them extensively in the past on this podcast, specifically because they're silent workers that essentially make all of today's infrastructure go. In a very real sense, they are today's infrastructure and, as a consequence, their security is crucial. In the abstract of their 25-page paper, the team of researchers wrote: Billions of people rely on essential utility and manufacturing infrastructures such as water treatment plants, energy management and food production, not to mention nuclear reactors.
Our dependence on reliable infrastructures makes them valuable targets for cyber attacks. One of the prime targets for adversaries attacking physical infrastructures are programmable logic controllers, because they connect the cyber and the physical worlds. In this study, we conduct the first comprehensive systematization of knowledge that explores the security of PLCs. We present an in-depth analysis of PLC attacks and defenses and discover trends in the security of PLCs from the last 17 years of research. We introduce a novel threat taxonomy for PLCs and industrial control systems. Finally, we identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures.
Now, as I promised and as I said, I'm not digging into this. I mean I would love to, but we don't have time. But here's a brief summary of that research, written by a security reporter who did dig into it. He wrote: A team of academics has conducted a review of 133 papers, 119 attack methods and 70 defense methods that target PLCs to assess the actual impact of a possible cyber attack targeting these devices. The research found that, even if most PLCs have built-in access control features, most of them have been shown to be ineffective. Where encryption has been used, the algorithms are often ineffective. Disabling unused protocols and monitoring is the best way to prevent and detect attacks. So if anyone is interested in more detail, I have a link to their 25-page research analysis in the show notes. Okay, I've got one that's pretty much guaranteed to make you just shake your head. And, Leo, I know you already know about this. Six researchers, four from the University of Texas at San Antonio, one from Virginia Tech and the last one from the University of Oklahoma, just published a paper titled
We have a Package for you a comprehensive analysis of package hallucinations by code generating LLMs. You know large language models In their usage. Just to be clear, by package they mean a reference to some open source code library that would be handy to have and to add to a project in order to provide some missing functionality. So here's what this team of six wrote for their paper's abstract. I have a link to their entire paper in the show notes. They wrote the reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open source software, combined with the emergence of code-generating large language models, llms, has created a new type of threat to the software supply chain package hallucinations.
These hallucinations, which arise from fact-conflicting errors when generating code using LLMs, enable a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain.
This paper conducts a rigorous and comprehensive evaluation of package hallucinations across different programming languages, settings and parameters, exploring how a diverse set of models and configurations affect the likelihood of generating erroneous package recommendations and identifying the root causes of this phenomenon. Using 16 popular LLMs for code generation and two unique prompt datasets, we generate 576,000 code samples in two programming languages that we analyze for package hallucinations. Our findings reveal that the average percentage of hallucinated packages is at least 5.2% for commercial large language models and 21.7% for open source large language models, including a staggering 205,474 unique examples of hallucinated package names, further underscoring the severity and pervasiveness of this threat.
To overcome this problem, we implement several hallucination mitigation strategies and show that they're able to significantly reduce the number of package hallucinations while maintaining code quality. Our experiments and findings highlight package hallucinations as a persistent and systemic phenomenon while using state-of-the-art large language models for code generation, and a significant challenge which deserves the research community's urgent attention. Okay, so that's part one. LLMs are still just making stuff up, including the names of add-on packages that it would be nice to have, and, just as typosquatting has developed over time into a serious threat, researchers are warning that something which, unfortunately, is being called "slopsquatting" is on the horizon.
1:57:14 - Leo Laporte
Let me see if this sounds better when I say it this way AI slop squatting.
1:57:20 - Steve Gibson
No, no, no, no, still bad. Here's what the Risky Business security newsletter wrote. They said: Security firms, open source experts and academics are warning about a new supply chain vector they're calling slopsquatting. The technique's name is a combination of terms like "AI slop" and "typosquatting". It revolves around the increasing use of AI coding tools to generate blocks of source code that may sometimes make their way into production systems. A recent academic paper (and that's the one whose abstract I just shared) analyzed 16 AI coding models and found that these tools generate shoddy code that often includes and loads packages and libraries that don't exist.
DevSecOps company Socket Security says that such behavior opens the door to slopsquatting, where threat actors study the LLMs and then register package names hallucinated or likely to be hallucinated in the future. It turns out that's actually feasible. "The attack looks farcical and impractical, but so did typosquatting," they write, "when it was first described years ago. Yet years later, it is one of the most pervasive and common sources of supply chain issues in the software development industry. It may sound ridiculous that developers would not spot a typo in the names of packages they install, but reality has shown that they don't." Does it actually sound that far off, he poses, that developers would not spot non-existent packages in huge blocks of code they're using when cutting corners? Yeah, see, that's the problem, right. Yes, the use of AI coding tools is increasing, and the chances that developers may use code blocks generated through these tools is also growing exponentially, along with the chances of a successful slopsquatting attack. So that's what Risky Business wrote. This raised my curiosity, so I looked further.
The Socket Security folks further summarized some of the paper's findings. They wrote: The researchers tested 16 leading code generation models, both commercial, like GPT-4 and GPT-3.5, and open source, like CodeLlama, DeepSeek, WizardCoder and Mistral, generating a total of 576,000 Python and JavaScript code samples. Their key findings were: 19.7% of all recommended packages did not exist. Open source models hallucinated far more frequently, 21.7% on average, compared to commercial models at 5.2%. The worst offenders, CodeLlama 7B and CodeLlama 34B, hallucinated in over a third of their outputs. GPT-4 Turbo had the best performance, with a hallucination rate of just 3.59%. Across all models, the researchers observed over 205,000 unique hallucinated package names.
These findings point to a systemic and repeatable pattern, not just isolated errors. And here's the key: these hallucinations are not just one-offs. If they were, they could not be weaponized, right. They are persistent and recurrent. The Socket Security guys explained. They said: In follow-up experiments, the researchers reran 500 prompts that had previously triggered hallucinations, 10 times each.
They found an interesting split when analyzing how often hallucinated packages reappeared in repeated code generations. When rerunning the same hallucination-triggering prompt 10 times, 43% of hallucinated packages were repeated every time, while 39% never repeated at all. This stark contrast suggests a bimodal pattern in model behavior: hallucinations are either highly stable or entirely unpredictable. Overall, 58% of hallucinated packages were repeated more than once across 10 runs, indicating that a majority of hallucinations are not just random noise but repeatable artifacts of how the models respond to certain prompts. That repeatability increases their value to attackers, making it easier to identify viable slopsquatting targets by observing just a small number of model outputs. The consistency makes slopsquatting more viable than one might expect. Attackers don't need to scrape massive prompt logs or brute force potential names. They can simply observe LLM behavior, identify commonly hallucinated names and register them.
So just a cautionary tale here about the potential for the weaponization of large language model outputs. We know that bad guys would like nothing more than to get their code included into high-profile product offerings. If future coders become too comfortable with directly using LLM-created code without scrutinizing it carefully (I would argue, line by line), just copying and pasting and testing what the LLM produces, it's no longer far-fetched to imagine that the LLM's mistaken output itself might have been weaponized for the purpose of causing the download and inclusion of a malicious library. If we were to take this a step further, imagine arranging to seduce LLMs to train on tasty, valid libraries which they would tend to then invoke into their solutions, only to have any retrieval by a non-LLM return a malicious version of that package. There's no such thing as a free lunch, coders. And how do you?
2:04:40 - Leo Laporte
test it? Because you can't just say, well, does this exist? Because it does exist now, because of slopsquatting, and so now you have to validate all the libraries to make sure it's not doing anything malicious.
2:04:55 - Steve Gibson
What a mess, a real supply chain mess. Basically, the LLM has a knowledge that the coder lacks of available packages and is pulling stuff in from all over. So the coder either needs to truly educate themselves about the nature of the libraries that the LLM knows about and has invoked, or just hope for the best.
And hoping for the best could really bite you in the, what is not the best, yes, place. Wow. Um, we wind up talking about WordPress because such a large portion of the internet's websites are running WordPress CMS (content management system) code. The core WordPress offering has become extremely solid over time, but its very large plugin ecosystem is another matter entirely. That plugin ecosystem is WordPress's primary attraction but also its primary weakness as a secure platform. Wordfence is an independent, WordPress-focused security firm.
During the previous year, security researchers at Wordfence discovered and disclosed more than 8,000 WordPress site vulnerabilities, but fully one quarter of those, 2,000, have remained unpatched today. Many of the affected plugins are obscure, but many are popular and unmaintained. But, as I noted, the WordPress core has grown increasingly solid, with only five of those 8,000 known issues disclosed last year impacting the WordPress core, and all of them were immediately fixed. So, as every time we've previously considered the important WordPress landscape: be very, very careful about what you add to the base WordPress core offering. Only add those features you really need and will really use. And check to see the history of any add-on's maintenance, to verify that someone is still around to maintain that code, or that it really looks like it is sufficiently solid, because add-ons are the WordPress security Achilles heel, not the core offering itself.
2:07:36 - Leo Laporte
It's the plugins. Yeah, yep. But you really could generalize this advice to everything: don't install apps you don't... Same with your iPhone. Yeah, don't use libraries you don't know. That really is true. The browser you use is probably secure, and the add-ons to the browser...
2:07:56 - Steve Gibson
the more crap you add to these things, the greater the probability that one you add will be bad, especially nowadays. Holy cow. And there are, of course, degrees of badness. And one could argue that, with WordPress add-ons, the problem is they're just written by Johnny in the closet. I mean, they're just random things.
2:08:20 - Leo Laporte
And what are they written in, Steve? They're written in PHP. They are Johnny in the closet using his Personal Home Page software.
2:08:30 - Steve Gibson
That's right, and that's why the only server I have that is running any PHP has its own port on an isolated router, and it doesn't get to talk to any of my other stuff at GRC, because I just do not trust it. It could melt down internally, but it can't touch, you know, GRC.com, where, you know, e-commerce and other things live, because, you know, I take my own advice. So, speaking of PHP's language interpreter, it just got a much welcome security audit, which it turns out was also much needed. You know, WordPress, like a great many other web-facing systems, such as, as I was just talking about, GRC's web forums, our email system, our link shortener, all written in PHP. I love them, but they're on an isolated server. So also in the news was that PHP's language interpreter recently received a security audit.
Quarkslab received a commission to really examine the core component of PHP. Last Thursday they posted their results. They wrote: The Open Source Technology Improvement Fund, Inc., thanks to funding provided by the Sovereign Tech Fund, engaged with Quarkslab to perform a security audit of php-src, the interpreter of the PHP language. The audit aimed to assist PHP's core developers and the community, working with the OSTIF (Open Source Technology Improvement Fund) teams, based on this scope and the allocated timeframe for the audit.
An attack model was developed and approved by the PHP team. The assessment was conducted within a set time frame, with the primary focus on identifying vulnerabilities and security issues in the code according to the defined attack model. The following scope of work was defined by the PHP Foundation and the OSTIF. The key tasks included: base tooling evaluation; improve SAST tooling to enhance the existing GitHub CI without extra cost and with low maintenance; build fuzzers compatible with OSS-Fuzz for potential critical functions that are not currently covered; cryptographic and manual code review. High-priority tasks were the PHP-FPM master node and PHP-FPM worker glue code (those are the modules that invoke PHP for handling web queries), and also FPM pool separation.
The MySQL native driver; RFC 1867; PHP header parsing and MIME handling; PDO emulated prepares; JSON parsing with a focus on json_decode; OpenSSL external functions and its stream layer (ext/openssl); libsodium integration with ext/sodium; functionalities related to passwords (ext/standard/password.c); functionalities related to hashing (ext/hash); and functionalities related to the CSPRNG, the cryptographically secure pseudo-random number generator (ext/random/csprng.c). So that was their mission and scope.
How did they proceed? They wrote: To assess the security of php-src, the Quarkslab team first needed to familiarize themselves with the structure of the project and understand the key tasks outlined in the audit scope. To achieve this, Quarkslab experts gathered and reviewed the available documentation and project resources. With a clear understanding of the features to be evaluated, Quarkslab developed an attack model that incorporated all the requested key tasks. This model was then presented to PHP's core developers and, once approved, the assessment began.
The evaluation employed a combination of static and dynamic analysis on the specified assessment targets. Dynamic analysis was used to complement the static review by speeding up the process through fuzzing and validating or refuting the hypotheses generated during the static analysis. So, you know, they're taking this formal approach because they've been contracted, essentially, to perform this audit, and it would be easy to say, oh yeah, we did, but, you know, they're getting paid. So they need to say: what do you want us to do? Okay, here's how we're going to do it. Okay, okay, now we're going to do it.
So what did they find? They wrote: During the timeframe of the security audit, Quarkslab has discovered several security issues and vulnerabilities, among which were two security issues considered high severity, six security issues considered medium severity, nine security issues considered low severity and 10 issues considered informative. Most vulnerabilities have been shared, they wrote, via security advisories on the php-src GitHub repository. Other bugs and issues are provided only in this report. Four CVEs were issued, one for each of the two high-severity vulnerabilities and two others for two of the nine low-severity vulnerabilities.
Okay, so they produced a detailed, oh boy, a very detailed 106-page full audit report, and I have a link to it in the show notes for anyone who wants to dig in. However, they also wrote: This audit report contains two security issues currently redacted while PHP maintainers are actively working on the fixes. Details will be provided after fixes are applied by PHP maintainers. Fixes are complex and in progress. In other words, two of the 17 security-related problems they discovered were too severe to publicly report until they have been fixed.
Although it's speculation at this point, this strongly suggests that many earlier releases of PHP are also very likely to be in identical trouble and that, depending upon what bad guys could do with it if they knew about it, we may be facing a critically important security update across all still-supported release versions of PHP. So we will certainly be, you know, standing by and staying tuned and seeing whether PHP needs an update. They're not talking about what they found, but it is very, very cool that a truly worthwhile audit was done at PHP, and really you end up feeling a lot better about PHP 8.4, knowing that it has had this kind of audit. It's like back in the days of VeraCrypt or TrueCrypt that got audited, and it's like, okay, people really did take a look at it and it came out the other end with no big problems found. So a couple of things need to get fixed, but once they are, yay. And Leo, let's take our last break.
And then finally, we are going to get to. I've been waiting all day for this the unhyphenated device-bound session credentials.
2:17:20 - Leo Laporte
Well, it's about time.
2:17:21 - Steve Gibson
People may be a little glad that what we've done so far has been a little fluffy by comparison, because you're going to need to have conserved your strength for what's coming.
2:17:32 - Leo Laporte
I think all my session credentials are device-bound, but what do I know? Let's find out. None of them are? None of... no. Well, we'll find out more in just a bit. I'll tell you what's device-bound, not device-bound, is, uh, my fabulous Bitwarden password manager. Now that passkeys are here, I am not going to use my device to store my passkeys. Oh sure, Apple would love you to use your iPhone to store all your passkeys, but why do that when you can use Bitwarden and have your passkeys everywhere? By the way, as more and more sites are using passkeys, I am happier and happier that I've started using Bitwarden for GitHub, for Amazon, for everywhere that uses passkeys, Fastmail. It makes it so easy to log in. This episode of Security Now brought to you by Bitwarden, the trusted leader in passwords, passkeys and secrets too, by the way. In fact, Tax Day is a good day to remember that Bitwarden has more than 10 million users across 180 countries, over 50,000 business customers worldwide. It's consistently ranked number one in user satisfaction by G2, recognized as a leader by the SoftwareReviews Data Quadrant. Bitwarden protects thousands of businesses worldwide.
Now I mentioned Tax Day. Your tax preparer has probably sent you back your tax forms. Maybe you sent them your tax information, including your social security number. I hope you didn't use email. I hope you didn't use text messaging. Now you can use Bitwarden Send, which end-to-end encrypts all of your messages, whatever it is your forms that you're sending, completely protected and, by the way and I love this the recipient does not need an account to access them. Stop using risky email attachments. Instead, share confidential documents with you.
Get not just password protection, but you get expiration dates. If you didn't read this by April 15th, you're never going to. View limits: you can look at it five times, that's it. Gives you full control over who accesses your sensitive information. It's said that 65%, more than half, much more than half, of businesses still rely on passwords alone, which is surprising and a little disappointing.
I really thought that passwordless was going to be the next big thing. Surely single sign-on is, but no, they're still using passwords, and that's even with the fact that password management is cited as the top IAM challenge for 35% of organizations and only 21% implement passwordless authentication, which means these enterprises are facing ongoing credential security risks. For all we know, the employees are writing the passwords on Post-it notes and putting them on the monitor or underneath their blotter. Bitwarden offers enterprises a much better way to do it: end-to-end encryption, multi-factor authentication, secure password sharing. No, we're not passing around Post-it notes. It addresses both the current and future authentication needs, because Bitwarden is always up to date, always on the cutting edge.
They've just announced they have received ISO 27001:2022 certification. That's a very important thing. It's an internationally recognized standard that assures enterprises, developers and security teams that Bitwarden's doing it right. They meet stringent security and compliance requirements. That complements their existing compliance with SOC 2 Type 2, GDPR, HIPAA, CCPA and on and on. Look, there's no question, Bitwarden is a trusted security partner for enterprises, and it's easy to use. They prioritize simplicity, which is very important, because if a security tool isn't easy to use, most users aren't going to use it. It's easy to set up Bitwarden. It'll only take a few minutes.
Bitwarden supports importing from most password management solutions so you can move very easily to the Bitwarden. And, of course and this is really important to me, I hear this in the chat room all the time when we do these Bitwarden ads. Bitwarden's open source. That means anyone can inspect the code, verify it does exactly what it says. It does, no more, no less. They also, of course, have regular audits by third-party experts and they publish every word. So you know exactly where you stand with Bitwarden. Look, you and your businesses deserve an effective solution for enhanced online security.
Get started today with Bitwarden's free trial of a Teams or Enterprise plan. And if you're an individual, and I know everybody listening to Security Now is using a password vault of some kind, but you should know that your friends and family probably aren't. Tell them they can get started for free with Bitwarden. Free, forever, across all devices. Unlimited passwords. Passkeys, yes. Uh, hardware authenticators, yes. And individual users can even host their own vaults if they want. bitwarden.com/twit. Uh, it's what, it's the only one I use. I'm so happy with it. And, uh, and, you know, I tell everybody: Bitwarden, that's the one. bitwarden.com/twit. We thank them so much for supporting Security Now, and, uh, you support us when you use that address, so make sure you do. bitwarden.com/twit. All right. What are device-bound session credentials, with or without their hyphen?
2:23:14 - Steve Gibson
So, as I said at the top, while I was scanning through recent events, I noted that Chrome had recently moved to a new release, with features added and changed. There were several truly new features added by the W3C, the World Wide Web Consortium, which Firefox and Safari are also echoing. The most interesting of them was something called device-bound session credentials, which is the soon-to-be-available feature that named today's podcast. Obviously, once I understood what this was about, I knew it was right, and, given that this new technology is intended to be an extremely secure replacement for an aspect of session cookies (not entirely, as we'll see, but the way you get them, essentially), I knew we needed to update the record, because session cookies, as they have been forever, would not be long for this world, and that's a big deal that will change everything.
As we've had the discussion many times in the past, the entire model of the web is for a user client, typically an interactive web browser, to request some resource from the Internet using a URL which contains the unique address of the requested object, unique Internet-wide. It's somewhere; there's something. The browser says, I want that. As a result of the browser's connection to it and then supplying the address of the requested object, a web server returns whatever it is that the browser requested, and then they may, and often do, disconnect. When you think about it, it's, to me, incredible to consider how far we have stretched that simple basic query-and-reply model. We've created the modern internet world with it. Browser asks for something, a server somewhere sends it back, says here you go, disconnects.
This original model, the thing that Sir Timothy John Berners-Lee first conceived of as the World Wide Web, never had any notion of a session. You know, that is, there was no way originally for anyone to log on to anything, since doing so would require that this logged-on state would be saved somewhere, and Tim's original idea was entirely stateless. Interesting, the web. I didn't realize that. Yes, the web was just a mass of pages containing links to other pages, and that was it.
2:26:32 - Leo Laporte
But that's very limited.
2:26:35 - Steve Gibson
Yeah.
2:26:35 - Leo Laporte
Oh yeah, Because you can't identify yourself.
2:26:37 - Steve Gibson
All it was was like a big knowledge base, a big directory. And remember back then, Leo, like the original websites were like a list of links. They were just like link lists.
2:26:49 - Leo Laporte
It was hypertext, that's hypertext, that would take you to somewhere else.
2:26:54 - Steve Gibson
So, no memory nothing, no state nothing Right. All of that changed in June of 1994 when MCI asked Netscape to come up with some way for the user's browser to retain transaction data so that MCI would not need to retain it at their end.
2:27:18 - Leo Laporte
Otherwise you have to log in every time you go to MCI Mail.
2:27:21 - Steve Gibson
Actually it's worse than that. Every query I mean you actually there isn't. You can't actually log on.
2:27:29 - Leo Laporte
Yeah, I don't know who this is.
2:27:31 - Steve Gibson
The server does not remember you, ever. There's no memory of a previous query, and that's the way that the Net originally was. So a Netscape engineer by the name of Lou Montulli came up with the idea of a web browser cookie that a web server would give to a visiting web browser, and every time thereafter, if the web browser contained a cookie that matched the domain that the web browser was querying, the browser would voluntarily return that cookie token in all of its queries to the server.
2:28:12 - Leo Laporte
So you save state locally on your machine so the server doesn't have to do it, that you re-identify yourself. By the way, the original name for this was "persistent client-side state information", and it to this day irks me. They didn't call them pixies instead of cookies. It should have been a pixie. Oh, that'd be much better. Much better. Yeah, although maybe it sounds a little scary that you have some pixies.
2:28:38 - Steve Gibson
Well, and you really can't do that. You can't do "pixie" in that monster voice of yours. Pixies! No, you do it. You do it in this voice. Oh, that's good. Okay, so, believe it or not, Leo, even back then, when this was first introduced, it was somewhat controversial. Oh really? Wow.
It suddenly meant that not every query from a browser was independently and entirely anonymous, as they originally were. But by the same token, if you'll pardon my pun, the web server would usually have the browsing user's IP address. Still, people were aware of this back in the mid-90s, that with a cookie, suddenly you lost a little bit of the anonymity that you had previously enjoyed. Now, through the years, the cookie specification was formalized and many new features were added, you know, expiration of cookies and other various flags.
Many years ago we talked about the Firesheep hack, where HTTPS was only briefly used during login to a website like Facebook, after which the connections would drop back to less compute-intensive plain text HTTP. The cookie, which is how the user was logged in, was how the user's interaction with the remote Facebook server kept being re-identified as being them. That was the only way remote servers had to recognize a user's repeated activities, because all web queries stand alone otherwise. So if a bad guy were to sniff a cookie, they could instantly impersonate that logged-in user. And they could, because the traffic was just plain text, anybody looking at plain text. And, you know, I remember doing it in my local Starbucks. I didn't log in as a person, but I saw a whole column down the right-hand side of the other people at Starbucks whose authentication tokens my browser had just sniffed. This was fixed, for example, by switching to always keeping all traffic encrypted using HTTPS, as we do now. As we know, virtually the entire internet has switched to always-on HTTPS. But if a browser ever, even once, made the mistake of issuing an HTTP query to a remote server, whatever cookies it might be carrying for that server's domain would still be sent in the clear. So the formal cookie specification was again tweaked so that the server who's setting the cookie could set a Secure flag with a cookie. This would instruct the browser to never send the cookie over any unencrypted HTTPS query. So today, all responsible cookie setting now also uses the Secure flag to prevent any cookie leakage.
But if you stand back for a moment and consider how much work we're asking these poor old original cookies to do for us, and how much more technology we have readily available to us today than we did 31 years ago back in 1994, especially our lovely crypto technology today, the need to replace these trusty and crusty old cookies, which are just dumb, pseudo-random bits of gibberish, with something far more powerful, resilient and resistant to abuse is hard to resist, and today it's something we can do easily. That session cookie replacement is now on the horizon. It's everything it could be, and it's called device-bound session credentials, or DBSC for short, and it actually does a lot more than cookies ever could. Okay, so what are device-bound session cookies?
The World Wide Web Consortium's, the W3C's, public GitHub page, part of which I'm going to share, is quite dense and quite matter-of-fact, but don't worry, if some of this is initially confusing and flies over your head, it'll be flying over most of our heads. This is enough of a change from the way things have always been done for the past 31 years that it will likely take another podcast or two for all of what this means to sink in. We'll all get there together. I'm sure we'll be going back to this multiple times in the future.
2:33:57 - Leo Laporte
So this is going to be a cookie replacement. Is this going to be implemented?
2:34:00 - Steve Gibson
for sure? Yes, it is. Safari, Firefox and Chrome are all working on it right now. Well, Safari and Firefox have it, and Chrome got it with 135, with the update that just happened.
2:34:24 - Leo Laporte
That's hysterical, because what are we going to do about all the cookie banners that we have to click through? Are
2:34:29 - Steve Gibson
we going to have.
DBSC banners. Yeah, it's going to be a mess, Okay. So here's what the W3C considers to be their explainer, and I'll take a break here, because at one point what they're saying becomes more clear, so I'll end up explaining what's going on. So they write device-bound session credentials. Aims to reduce account hijacking caused by cookie theft. It does so by introducing a protocol and browser infrastructure to maintain and prove possession of a cryptographic key.
The main challenge with cookies as an authentication mechanism is that they only lend themselves to bearer token schemes. Okay, that means the browser is the bearer of and holder of a token, which is useful, but there's a lot it can't do. So, as it says, they only lend themselves to bearer token schemes. On desktop operating systems, application isolation is lacking, and local malware can generally access anything that the browser itself can, and the browser must be able to access cookies. On the other hand, authentication with a private key allows the use of system-level protection against key exfiltration. In other words, if we think about TPM, and we think about having a private key and proving that we have it by signing a challenge, and someone verifies our signature with our public key, that is, if we take this to a whole nother level. All of these other mechanisms exist today, and we've not been using them for the past 31 years. So they said, DBSC offers an API for websites to control the lifetime of such keys behind the abstraction of a session, and a protocol for periodically and automatically proving possession of those keys to the website's servers.
Now I should explain that, as I'm reading this now, because I understand what it is doing, this all makes sense to me. The first time I read it, I was like, what? Okay, so this is the first time everyone's hearing it, so I understand you're having my reactions, like, what? Anyway, this is going to get clear. So they said there is a separate key for each session, and it should not be possible to detect if two different session keys are from one device. That's for privacy's sake. One of the key goals is to enable drop-in integration with common types of current auth infrastructure, meaning the rest of the world doesn't. The browser can limit malware's ability to offload its abuse off the user's device, significantly increasing the chance that either the browser or server can detect and mitigate cookie theft. In other words, cookies are going to still exist, but they're going to be short-lived. And the key is not in the browser. The key is in the device.
2:37:54 - Leo Laporte
So this eliminates that whole Firesheep thing of: I got into your thing, I stole your Facebook cookie, and now I can log on as you on my machine. Because it's device-bound. Correct. That makes sense. Correct. Although haven't we fixed that with HTTPS?
2:38:10 - Steve Gibson
No, all that is is the communication, it isn't the authentication.
2:38:15 - Leo Laporte
So it prevents somebody from getting in and stealing the cookie. But if they could still get the cookie, it would still be good.
2:38:21 - Steve Gibson
Right.
2:38:21 - Leo Laporte
Got it.
2:38:22 - Steve Gibson
But this periodically re-authenticates, requires that cookies be re-authenticated to the device.
Yeah, to the device. So if someone takes them elsewhere, they can't use them for long, and if there's any question about them, then a reauthentication can be required. Anyway. So this says DBSC is bound to a device with cryptographic keys that cannot be exported from the user's device under normal circumstances. This is called device binding. Unfortunately, it's not hyphenated in the rest of this document.
DBSC provides an API that servers can use to create a session bound to a device, and this session can periodically be refreshed with an optional cryptographic proof. The session is still bound to the original device, which I didn't understand the first time I read it, but it'll get clear in a minute. At sign-in, the API informs the browser that a session starts, which triggers the key creation. It then instructs the browser that any time a request is made while the session is active, the browser should ensure the presence of certain cookies. If these cookies are not present, DBSC will hold network requests while querying the configured endpoint for updated cookies. Now, okay, let me stop, because now I understand. I didn't understand what the heck they were talking about the first time I read that. Now I get it. So we're going to log in to a service, with DBSC present.
After the user authenticates themselves with a browser on a device, that causes the device's DBSC public key to be sent to the remote server, to the website server. So as part of the user authentication on the device, the DBSC public key is sent to the remote server. That's what it uses then to re-authenticate the user whenever necessary. And we also now need to think of not just a web server but an authentication side of the server, that is, there's sort of an asynchronous, separate authenticator on the website that is running adjacent to the regular website. So what happens then is the website tells the browser, you need to have session cookies, and the browser, through the API, says, I need updated session cookies, please challenge me.
So that authenticating side sends a random blob to the browser. The browser uses the system's TPM, the trusted platform module, that maintains a private key that never leaves, that cannot leave, to sign that challenge. The blob is a challenge that has never existed before and will never exist again. It could just be an always-increasing random number, doesn't matter, it just has to be unique, and that's a good way to get it unique. It signs it and sends it back signed, so that proves to the authenticating portion, this DBSC authenticating portion, that it's still in communication. This browser is on the device that originally logged in, because that's the only way that it could sign a challenge using the private key that exists only on that device.
And having successfully performed that cryptographic challenge, that authenticating portion, the new authenticating portion of the website, then sends new, fresh but short-lived session cookies, old-school cookies, to the browser, which the browser then returns to the regular website saying, hey, look, it's me, and I've just re-proven who I am. And so the website says, oh good, okay, now we can proceed. So, and that's where, in what I just read, it said if these cookies are not present, DBSC will hold network requests, meaning keep them pending, like not answer them, while querying the configured endpoint for updated cookies. So it goes through all that to get the updated cookies. Then it's able to provide them, and we proceed. So they wrote: DBSC's goal is to reduce session theft by offering an alternative to long-lived cookie bearer tokens, that's what we've always had up until now, that allows session authentication that is bound to the user's device. This makes the internet safer for users, in that it is less likely their identity is abused, since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time, the goal is to disrupt the cookie theft ecosystem and force it to adapt to new protections.
DBSC's primary threat model is that of an attacker who can read and tamper with the user agent, such as with a malware-compromised browser, or, like, for example, bad extensions in your browser, in which the malware can read and modify browser memory and secrets stored on disk. In many operating systems, malware may be able to obtain privileged (root, kernel, etc.) access. DBSC aims to address this threat by establishing a cryptographic protocol in which secrets can be stored in dedicated systems such as secure enclaves, though DBSC does not specify how implementers should store, back up or sync keys, as long as such storage is robust against the described threat.
Where an attacker can read or modify network traffic, or HTTP server log leaks, where a server mistakenly logs full HTTP request and response headers to logs which can be read by unprivileged insiders, and, of course, if they had full headers, they would be seeing the cookies that are being transacted. In all of these scenarios, DBSC aims to enforce the specific constraint that temporary read-write access to a user agent or network traffic does not enable long-lived access to any established DBSC sessions. Malware running within a victim browser process should be unable to continue to authenticate as the victim browser once that malware has been removed. Note, however, that the definition of long-lived depends upon the configuration refresh period. Within that period, attackers may continue to have short-lived access to any established sessions.
And the reason for that is we're still using cookies, and the reason we're still using cookies is that it's still too expensive to use this crypto all the time. I mean, it's important to understand what an insane number of queries our browsers are generating. I mean, it's just a flood of queries coming out of our browsers. They cannot be each individually cryptographically authenticated every time. It's still too expensive.
So the idea is we're going to compromise. We're going to be able to periodically re-authenticate short-life cookies, and, importantly, before something critical is done, like acknowledging a funding transfer or confirming a purchase or something, it's absolutely practical to ask for an updated reconfirmation of the device's authentication. So, on an interactive level, we certainly have the speed to do that, and so a compromise has been necessary. The previous approaches to replace cookies for binding sessions have failed because they were unwilling to make a compromise, and it's just too expensive. So this is a nice solution, and the other important aspect of this is that most of the website doesn't need to change. All of the website that is not about DBSC just sees session cookies, so it's got everything it's always had. We're only adding a new authentication slice to the overall site.
So they said, what are the non-goals? DBSC will not prevent temporary access to any browser sessions while the attacker has ongoing access to a compromised user agent. Right, because we're still, you know, we're still using cookies, but not long. An attacker with ongoing access to a compromised user agent or decrypting middlebox, etc., will be able to continuously access fresh DBSC-controlled bearer tokens, cookies, and an attacker with malware running on a compromised device will, on many modern operating systems, be able to treat even secure elements as a signing oracle, meaning able to get it to sign on their behalf, in order to provide proof of possession of the DBSC secret keys. So, again, as do all modern security protocols, they clearly outline: these are the things we do, these are the things we know we don't do, and we're not claiming to be able to do everything. So they said, so what makes device-bound session credentials different? And they wrote, DBSC is not the first proposal towards these goals, with a notable one being Token Binding.
This proposal offers two important features that we believe makes it easier to deploy than previous proposals. DBSC provides application-level binding and browser-initiated refreshes that can make sure devices are still bound to the original device. For websites, device binding is most useful for securing authenticated sessions for users. DBSC allows websites to closely couple the setup of bound sessions with user sign-in mechanisms, makes session and key lifetimes explicit and controllable, and allows servers to design infrastructure that places verification of session credentials close to where user credentials (cookies) are processed in their infrastructure. Other proposals have explored lower-level APIs for websites to create and use protected private keys, for example via WebCrypto or APIs similar to WebAuthn.
While this works in theory, it puts a very large burden on the website to integrate with. In particular, since the cost of using protected keys is high, websites must design some infrastructure for collecting signatures only as often as needed. This means either high-touch integrations where the keys are only used to protect sensitive operations like making a purchase, or a general ability to divert arbitrary requests to some endpoint that collects and verifies a signature, then retries the original request. The former doesn't protect the whole session and violates the principle of secure by default, while the latter can be prohibitively expensive for large websites built from multiple components by multiple teams, and may require non-trivial rewrites of web and RPC frameworks. Finally, they said, DBSC instead allows a website to consolidate the session binding to a few points. At sign-in, it informs the browser that a session starts, which triggers the key creation. It then instructs the browser that any time a request is made while that session is active, the browser should ensure the presence of certain cookies. The browser does this by calling a dedicated refresh endpoint specified by the website whenever such cookies are needed, presenting that endpoint with a proof of possession of the private key. That endpoint, in turn, using existing standard Set-Cookie headers, provides the browser with short-term cookies needed to make other requests. Okay, so again, there we finally get some sense for what's going on.
Many previous efforts, as I said, to replace cookies have been proposed. None have taken hold. This one demonstrates a carefully crafted compromise. Rather than constantly and continually using expensive public key crypto to prove its identity, DBSC sets up a secondary, essentially a cookie supplier, for a website. The website tells the browser which cookies it needs to be providing. If the browser doesn't have those, or if they're near expiring, then, and only then, it separately connects to the cookie supplier, where it uses rigorous, state-of-the-art crypto to authenticate its device, not its browser, not its user, its device, to the hardware, I mean the device's hardware, to the website's cookie supplier. Having done so, the cookie supplier returns regular, old-fashioned cookies which the browser will then use when subsequently transacting with the main website's pages.
The explainer continues saying this provides two important benefits. First, session binding logic is consolidated in the sign-in mechanism and the new dedicated refresh endpoint. All other parts of the website continue to see cookies as their only authentication credentials. The only difference is that those cookies are now short-lived. This allows deployment on complex existing setups, often with no changes to non-auth-related endpoints. And second, if a browser is about to make a request where it has been instructed to include such a cookie but doesn't have one, it defers making that request until the refresh is done. While this may add latency to such cases, it also means non-auth endpoints do not need to tolerate unauthenticated requests or respond with any kind of retry logic or redirects. This again allows deployment with minimal changes to existing endpoints, they said. Note that the latency introduced by deferring of requests can be mitigated by the browser in other ways which will be discussed later and, interestingly, under TPM considerations.
You know, a trusted platform module. They wrote: DBSC depends on user devices having a way of signing challenges while protecting private keys from exfiltration by malware. This usually means the browser needs to have access to a trusted platform module on the device, which is not always available. TPMs also have a reputation for having a high latency, meaning they're not fast, and not being dependable. Having a TPM is a requirement for installing Windows 11 and can be available on previous versions.
All our studies are for public key cryptography using the Elliptic Curve DSA P-256 algorithm. Chrome has done studies to understand TPM availability, to understand the feasibility of secure sessions. Current data shows about 60%, and currently growing, of Windows users would be offered protections. Studies have also been done on the current populations of TPMs, both for latency and predictability. Currently the latency for signing operations averages 200 milliseconds, so one-fifth of a second, with only 5% of signing operations exceeding 600 milliseconds. And the error rate is very low, currently around 0.001%, and if you got an error, you just retry. Based on this research, TPMs are widely available with a latency and consistency that is acceptable for the proposed usage, and, as we know, TPMs are the future. Having some crypto engine as part of every device is absolutely the future. So the spec is here. We already have 60% coverage, and that's only going to be going up over time.
So they ask, what about privacy considerations? They said an important high-level goal of this protocol is to introduce no additional surface for user tracking. Implementing this API for a browser or enabling it for a website should not entail any significant user privacy trade-offs. There are a few obvious considerations to ensure we achieve that goal. Lifetime of a session and key material: this should provide no additional client data storage, for example a pseudo-cookie. As such, we require that browsers must clear sessions and keys when clearing other site data, like cookies. So, like, no DBSC residual will outlive cookie life.
Cross-site, cross-origin data leakage: it should be impossible for a site to use this API to circumvent the same-origin policy and similar cookie policies. Implementing this API should not meaningfully increase the entropy of heuristic device fingerprinting signals. Right, so you're not, I mean, they're designing this very much with the state of the art of privacy in mind. This API, which allows background pings to the refresh endpoint when the user is not directly active, must not enable long-term tracking of a user when they've navigated away from the connected site. That's a very good point, because there is a new communications protocol set up between the browser and the refresh endpoint to obtain updated cookies, but that only needs to be happening while the user is actively looking at that tab, on that site. Each session has a separate new key created, and it should not be possible to detect that different sessions are from the same device, so the keys are all isolated.
Registration and refresh will only be performed over a secure connection or with localhost for testing, they said. To achieve these goals, we add the following constraints to DBSC requests: registration and refresh are made in the context of the request that triggered them. For registration, this is the request serving the Sec-Session-Registration header. For refresh, this is the request deferred due to missing cookies, they said. Cookie refresh only occurs if the cookie is accessible. DBSC will not attempt to refresh a third-party cookie if third-party cookies are blocked, and proactive refreshes must only occur if any tab has a page from the site currently loaded.
And then, lastly, while DBSC addresses a general problem of session hijacking and can be applicable to any browser consumer, it is possible to expand this protocol to better support enterprise use cases. By adding specifics to key generation, we can provide a more secure environment for enterprise users. This is the goal of DBSCE, which is an extension to DBSC. The high-level design of DBSCE is described in the DBSCE overview. DBSCE removes the vulnerability DBSC has where malware, if already present in the device during the key generation, can potentially take over a session. DBSCE proposes to mitigate this vulnerability by introducing device key chaining.
Okay, so I am fully aware that what we've just done was a lot to digest, and we're at the end of a lengthy podcast with no time to dig further into this, but at least the essence of this new system is probably now clear. Cookies still exist, but they are short-lived rather than persisting, as they often do these days, essentially forever. I mean, I can't remember the last time I logged into many services that I use every day or two. They are staying current. As cookies near what will now be their shorter end of life, the browser will be able to ping a website, a newly defined website endpoint, meaning, you know, something that is part of the specification, where it'll be, you know, some dot-name directory off of the root where a specific, newly defined service will always be available if DBSC is supported, separately, in order to obtain a refresh of the cookies that are about to be expiring, and, at that time, re-authenticate its device to that remote site.
So to do this, that authenticating endpoint will send a cryptographic challenge that the browser must sign and return, and the browser can only do so using an unexportable private key that's buried in the hardware of the device that the browser is running on top of.
The only thing that can be done with that key is signing cryptographic challenges to prove that the device has the key. Once the browser returns the challenge properly signed, the cookie provider will refresh the cookies for the domain, and the browser will then continue to be able to use the original website without trouble. The cleverness of this solution is that it minimizes the changes that are required for the rest of the website. By concentrating the new authentication scheme in one location and by using shorter-lifetime old-school cookies, it achieves compatibility with existing systems while also using the cookies as a form of short-term identity cache, so that the system's far, far slower crypto hardware is not overwhelmed and is only needed to occasionally refresh the cookies. Chrome, Firefox and Safari have all added support for device-bound session credentials to their web browser offerings, so now people, websites, researchers can begin experimenting with this and start bringing this on board, and I'm sure we'll be talking about this more in the future.
3:04:45 - Leo Laporte
Is it a done deal? I mean, is this for sure what's going to happen?
3:04:49 - Steve Gibson
It requires adoption, like anything else. Yeah, yeah. You were saying on MacBreak Weekly that you wish passkeys, or maybe it was on our podcast, that, you know, you wish passkeys had more adoption than they do, but recent surveys show less than half of people are using anything other than username and password. Yeah, so, you know, so it has to be in the browser. It has to support a TPM. That's the first step. Then it's up to the websites, right, to decide that it wants to adopt it.
Right, so it'll be, it'll be like, you know, all the extra hoops you have to jump through if your financial advisor sends you email and you've got to authenticate, or your bank is making you do extra stuff. It'll be places where they really, really care about knowing that you're using a particular device. But what's cool is, once you create a binding, as they call them, a binding between the private key in a device and a remote entity like a bank or your domain name supplier. Like, I would like to have much stronger authentication between the computer I'm sitting at and Hover.com, and so we have never had a mechanism to offer that. This offers that. When I am setting up my account at Hover, they could query this, get the public key for the private key in my device, and that would be part of my Hover account, and then any time in the future, they could require me to be sitting at this computer in order to authenticate to Hover.com.
3:06:45 - Leo Laporte
Or they could say, well, you're at that computer, so you don't have to go through the extra multi-factor authentication or something, right? Because right now with Hover, I have to do multi-factor every single time I log on. Exactly. So it kind of makes sense that sites that do have this higher need for security might adopt it first. I'd love it if my bank adopted this. That'd be fantastic, right? Yes.
3:07:05 - Steve Gibson
And essentially it would be. It is extremely good for short-term re-authentication of a device. You are at this device because we just gave you something and your device signed it for us, and only that one device in the galaxy could do so.
3:07:25 - Leo Laporte
Very. I think this sounds like a good idea. We need it. And this is no effort on the user's part. The user might not even be aware of it. You would never see it. It would be completely transparent. Love it.
3:07:34 - Steve Gibson
It might say, you know, we've just authenticated your device, you're done.
3:07:43 - Leo Laporte
You wouldn't need more captchas. Get rid of those captchas. You could reduce the number of MFA logins. You know, Hover could say it once, put that special cookie on my hard drive, and then I wouldn't need to do it again on that device. I think that makes perfect sense.
3:07:59 - Steve Gibson
Actually, Hover would receive the public key for this feature on your device, and that's all they would ever need. It would be part of your account.
3:08:10 - Leo Laporte
You still would want to log in.
3:08:11 - Steve Gibson
I think they would still want a password and login, yes, but so that's in order to authenticate that it was you on your device, right? Yes, but this allows cryptographic binding of device to remote account. I think this is good.
3:08:26 - Leo Laporte
I'm glad they're implementing it. Yeah, yeah. Did this come from the IETF? W3C? Was this W3C?
3:08:32 - Steve Gibson
And it's in all three browsers. It's in Safari, Firefox and Chrome, and now all of our listeners know about it.
3:08:39 - Leo Laporte
And that presumably means it's in all the Chromium derivatives like Edge.
3:08:43 - Steve Gibson
Brave. And it's because it was just added to Chrome 135 that we're talking about it today. Yeah, great.
3:08:50 - Leo Laporte
You know what? This wasn't so bad. This was great, as always. Steve makes it clear, and I tell you what, that's why you listen to this show, because it keeps you up to date on these kinds of things. I really appreciate that, Steve. I doubt there's any other podcast in the world that has spent any time on device-bound session credentials at all. We're the first, and we'll probably remain that way. This is why we listen every Tuesday, right about 1:30 pm Pacific, 4:30 Eastern, 20:30 UTC, at least.
If you want the freshest version, the live version, we stream it on eight different platforms: Discord for our club members, YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. I hope you will watch live, but you don't have to. You can always download a copy of the show. Steve has, really, it's almost now there's like a fork in the road. You have your own unique versions: a 16 kilobit audio version and a 64 kilobit audio version. That's the only place you can get that. He also has the show notes and Elaine Farris's excellent transcriptions. All of those are unique to GRC.com, Steve's website. So if you want any of those formats of the show, that's the place to go. While you're there, pick up a copy of SpinRite, the world's best mass storage performance-enhancing, recovery and maintenance utility, 6.1, the current version. That's Steve's bread and butter. Go get a copy. There's lots of other free stuff at the website.
If you want to email Steve or comment on this on the show, or submit maybe a Picture of the Week, the thing to do is to go to GRC.com/email, validate your email, sign up. It's opt-in, but you can sign up there for a weekly email on the show notes and a very infrequent email about something new that's coming along. The next one will probably be Steve's new DNS benchmark utility, I'm excited about this, the pro version about to come out, so you don't get a lot of emails on that one, but it's worth signing up for those. GRC.com/email. Once you've validated your address, you can email Steve.
We also have 128 kilobit audio because, it's a complicated thing, but Apple apparently downsamples, so we wanted to have a higher quality, so Apple can downsample it. We also have video. No one else has that, at our website, twit.tv/sn. That's where you'll find a link to the YouTube channel for the show, a great way to share clips. I know this show,
of all the shows we do, people are most likely to want to say, oh, I've got to send that to my boss or to my friend. You can do all that on the YouTube channel very easily, and, of course, you can always subscribe in your favorite podcast player and just get it automatically, choose audio or video. It's free. What I would like to invite you to do: you can get a very special URL just for you that has no ads in it. If you're a member of Club Twit, ad-free versions of all the shows are $7 a month. You also get access to the Club Twit Discord, which is a great place to hang out.
We always have a lot of fun in the Club Twit Discord. We also, by the way, do a lot of special events in there. At some point, I want to get Steve to do a vitamin D event in our Club Twit Discord, but we also have, coming up tomorrow, Micah's Crafting Corner. Micah's making Lego succulents. Now, that doesn't mean you need to do Lego. You can do anything you want. Some nice, listen to this, nice music, chill, converse. It's a crafting session for all kinds of crafts.
Tomorrow at 6 PM; he does that every month. I know you're a coffee fan, Steve. Coffee Time with Mark Prince, the Coffee Geek, is back on Friday, 1 PM Pacific. Our guest will be Liz Happy Beans, one of the big YouTube coffee mavens. I know, isn't that a great name? So we're going to talk coffee. Home Theater Geeks recording coming up with Scott Wilkinson. Our AI users group is the fourth Friday of every month.
We also have Stacey's Book Club just around the corner next month. The Word for World is Forest is the book; that'll be May 16th. It's a novella, so you have plenty of time to read it. But don't wait. Ursula K. Le Guin's award-winning science fiction novella. And Micah and I have decided to start doing the keynote commentaries that we've done for so many years on Twit kind of a little bit more privately, in the club only, to avoid lawyerly actions on the part of Apple.
So the WWDC keynote will be club-only June 9th. You can join us there. The advantage of doing that is the club members will also get to participate, add their commentary to it. So that's all coming up in the club. Not a member? Join, please. Only $7 a month, $84 a year. Yes, we brought back the annual subscriptions. Do subscribe now. If we raise the price, we're contemplating it, as revenue starts to diminish along with the tariffs, we may indeed want to raise the price, but you will be grandfathered in, I can promise you. So if you are already a member, you'll continue to pay that price. Seven bucks a month, eighty-four dollars a year. twit.tv/clubtwit. Steve Gibson, what a pleasure. Thank you so much. Thank Lorrie for making you buy a new iPhone. I like my new phone. Yeah, see. See, she has some good ideas, and we'll see you next week on Security Now.
3:14:26 - Steve Gibson
Thanks, buddy. Bye.
3:14:30 - Leo Laporte
Security Now.
Apr 15 2025 - Device Bound Session Credentials