[00:00s-00:58s]: It's time for security now, Steve Gibson is here to talk about most importantly that Apple exploit that everybody said was unpatiable the end of the world. Steve says not so fast. Go fetch our topic next. What's security now? This episode is brought to you by Zscaler, the leader in cloud security. Cyber attackers are now using AI and creative ways to compromise users and breach organizations in a security landscape where you must fight AI with AI. The best AI protection comes from having the best data. Zscaler has extended its zero-trust architecture with powerful AI engines that are trained and tuned by 500 trillion daily signals. Learn more about Zscaler's zero-trust plus AI to prevent ransomware and AI attacks. Experience your world. Secured, visit zscaler.com. Slash zero-trust AI.

[01:01s-01:03s]: Podcasts you love.

[01:03s-01:04s]: From people you trust.

[01:05s-01:07s]: This is Twit.

[01:11s-03:29s]: This is Security Now with Steve Gibson, Episode 967. Recorded Tuesday, March 26th, 2024. Go fetch. This episode of Security Now is brought to you by BitWordin, the password manager, offering a cost-effective solution that can dramatically increase your chances of staying safe on line. BitWordin has just launched a new feature. I love this. Called Inline Auto Fill. That makes it easier than ever to log into websites. I noticed what had happened. I went, oh, this is great. A drop-down menu will appear when you select a username or password field in most sites, letting you quickly choose which login you want to use. Clicking on login, auto fills the user name and password, and you're in. And by the way, if you're on a site, I don't know, I use it with Google. I use it with GitHub that supports past keys. You'll like it even better. Click the link that says use your past key. BitWordin can store all your past keys, which is nice because you can bring it with you to every platform BitWordins on. Instant login. If you're a current user, you've got to turn this feature on. The auto fill feature, go to Settings, and select auto fill and use the drop-down box and show auto fill menu on the form fields. To pick which option works best for you. That's another thing I love about BitWordin. They give you a choice. It's open-source software, which means it's free for life for individual users. And that means as many passwords as you want, as many devices as you want. You can even use past keys and hardware and authentication keys, like you, but keys free forever. BitWordin named by Wired is best for most people. Honored by Fast Company is one of the 2023 brands that matter in security. And it's the only password manager, Steve, and I use. So don't wonder, BitWordin is the open-source password manager trusted by millions. Get started with BitWordin's free trial of a team or enterprise plan or get started for free across all the vices as an individual user. BitWordin.com slash twit. That's bitwarden.com slash twit. It's time for security now. Yay. The time I look forward to all weekend. In this case, for the last three weeks, thank you to Michael Sergeant for filling in.

[03:29s-03:36s]: Steve Gibson, the man about town is here to talk security. Michael did a great job.

[03:36s-03:44s]: He held down before. Yes, was engaging and good. I'm glad you like him because in about a year, he's going to be in charge of the whole dance thing.

[03:45s-03:54s]: I noticed you doing the Leonard Nimoy, so just want to tell you, it's live long and prosper day. Leonard Nimoy's birthday would be today, March 26th.

[03:55s-03:58s]: Yeah, boy, he was born in 31, I think.

[03:58s-04:03s]: So, you know, and last time we saw him, he was looking at it too.

[04:03s-04:20s]: But, you know, he and he and the old captain Kirk are still. Is Nimoy still alive? I thought he'd passed. He's still alive. That's right. I remember he did pass some birthday. Well, I haven't yet. And he and I have the same birthday. Oh, you were born in 1931, however. No, no, no, no.

[04:21s-04:22s]: Happy birthday.

[04:22s-04:24s]: I didn't know that. Happy birthday.

[04:25s-04:26s]: Yep.

[04:26s-04:29s]: Well, you are. So, that means you're four months older than me.

[04:30s-04:31s]: Yes, I am.

[04:31s-04:35s]: Well, and in a couple of years, right? No way, but I'm November 56.

[04:36s-04:46s]: You're March 55. So, yes, it's one year and a few months. Okay. Yeah. Okay. So, happy birthday. You can do anything special to celebrate.

[04:46s-04:46s]: Thank you.

[04:47s-04:57s]: We initially had some plans to go have a fancy dinner, but, you know, I, but I said to Lori yesterday, I said, you know, I just would rather have a nice steak at home.

[04:57s-05:03s]: So, she's out to do what you want. Picking up some beautiful stats, what she said, actually. Yeah. You make a great wife, Leo.

[05:05s-05:16s]: Well, it should be, you know, you should be. Yeah. We owe when I was a kid, my mom, there was a birthday dinner that was the same every year. And my mom would make for us. And I looked forward to that. It was wonderful.

[05:16s-05:17s]: Yeah. So, happy birthday.

[05:17s-05:23s]: So, we have a tremendous podcast today.

[05:23s-05:40s]: Of course, it's titled GoFetch, which is the name that's been given by the, I would call it the discoverers, but it's sort of the rediscoverers, because they first stumbled onto this two years ago.

[05:40s-05:56s]: Oh, interesting. And, oh. Brought it up. And, in fact, my theory is, it's the reason that the M3 chip has a switch, which M1 and M2 doesn't, because they kind of scared Apple, but then,

[05:56s-06:43s]: but they weren't really able to make a strong case. Well, boy, has that case been made now? And, in fact, we're going to start off when we talk about this here in an hour or so, about how wound up the tech press has gotten and, you know, miswound, because boy, did they get it wrong. But we'll have some fun with that. And, again, this is going to be one of our listeners' favorite types of episodes, because it's going to be a deep dive. So, get out your propeller cap, beanies, and wind them up, because by the time we're done, everyone is going to understand exactly what happened, why it happened, how it happened, what it means, and like, you could, you know, go to a cocktail party and really put your friends to sleep.

[06:44s-07:04s]: Well, I've been saying, because we've been talking about it, obviously, on Twitter, and today I'm accurate. We can have him saying, you know, I'm sure Steve will cover this in a much more accurately, and much more granularly. So, tune into security now today. So, I'm glad anybody will know. I didn't coordinate with you. I just figured, oh, he's going to jump into this one. So, go fix it.

[07:04s-07:50s]: I'm also going to jump in briefly, because I'm not a legal scholar or expert. Just I have a couple of things to say about the US Department of Justices, Anti-Trust Suit Against Apple. There are some arguments that they'll make about that are security related. So, it does impinge on us a little bit. But I just sort of have a little sort of an overview of that. And, you know, capitalism and monopolies and so forth. We're going to update on General Motors. I don't know if you heard about this Leo. This astonishing violation of their car owners privacy. Oh boy. Oh boy, that's unbelievable. Uh, also, we're going to look at, we're going to answer the question. What happy news is super sushi samurai celebrating today?

[07:50s-07:51s]: Okay.

[07:51s-07:57s]: I don't even know what that is. Okay. Whether Apple, we're also going to look at whether Apple has a band in its plans.

[07:57s-08:14s]: You were talking about this at the end of Mac break actually, for its home kit compatible routers. And what appears to be shaping up to take their place. Will our private networks, oh, this is cool. Going to be receiving their own domain names. I can has been busy.

[08:14s-08:28s]: And if so, what is it? The UN has spoken out about AI. Does anyone care? And what do I think the prospects are of us controlling AI? What's significant European country just blocked telegram?

[08:29s-08:50s]: Also, what did the just finished 2024 pwn-to-own competition teach us once again? Might the US be hacking back against China as they are against us? I've long been bemoaning the fact that we never hear anything about the other direction. Well, we've heard something.

[08:51s-08:56s]: And after a bit of interesting spin right update news and a bit of feedback from our listeners,

[08:57s-09:14s]: as I said, we're going to spend the rest of our time looking into last week's quite explosive headlines about the apparently horrific, unfixable toxic flaws in Apple's M series Silicon just how bad is it?

[09:15s-09:23s]: Okay, good. And I've been saying don't worry, but we'll find out what the real expert has to say in just a little bit.

[09:23s-09:28s]: I look forward to that. Of course, we do have a fantastic picture of the weeest courtesy of our marvelous listeners.

[09:28s-09:29s]: A great life hack, I think.

[09:29s-14:41s]: Something everybody might want to adopt. But first, let me tell you about something you definitely want to adopt, which is our favorite little honey pot, thinks canary. Now, the canary is designed by some very smart fellas who for years taught governments and companies how to avoid break ins. Actually, they taught them how to break into computers in some cases. They've learned a lot. And they know that one of the biggest threats to you and your network and to me and mine network and to all of us is not the perimeter defense, keeping the bad guys out. Because we know that eventually they get in or maybe you've got a malicious insider. The biggest threat is not knowing that they're there. And we hear about breaches all the time where companies say, yeah, they've been in there six months, a year. In some cases, a couple of years and we didn't know it. And boy, what bad guys can do if they have untrampled access to everything inside your network? I mean, they can exfiltrate information. That's why they ransomware now, extorts you. Before they encrypt you, it helps them do their encryption job by finding out all the places you back stuff up. But see, if you have a thinks canary or two or three in your network, like some banks and big operations have hundreds, you've got the best defense against malicious insiners and hackers who've gotten in. Because the minute they see that canary, they're going to think it's something valuable, not vulnerable, valuable. An IIS server that's maybe not been patched lately or a network attached storage device, a skated device, all kinds of things can be anything, a Linux box. You can light it up like a Christmas tree. Have every service turned on or judiciously just turn on a couple, knowing that the bad guys are going to say, oh, I can get into this one. But the minute they touch it, the minute they try to log in or access that server or open that file because you can also create files that you spread all over your network, you're going to get a notification, just the notifications that matter. Very few false positives. We've had thinks canaries running on our network for some time, never have had a false positive. The one time that went off in something like five or six years, the one time it went off, there really was something scanning all the ports on our network. Turns out it was inside the network. It was a kind of rogue device that we were reviewing. But we found it right away before it could do any damage. Thank you, thinks canary. If someone's asking your accessing your lore files, those trip wires you spread around, then by the way, they can be PDFs, they can be Excel file or they look like PDFs, Excel files. And as soon as the bad guy goes, let me open this, let me examine this, let's see what this is. You're going to get that notification. As soon as they try to log into your fake internet SSH or internal SSH server, they're going to immediately get a notification to you. You choose a profile for your thinks canary device. And by the way, you can change it. It's fun to play with it. If there are hundreds to choose from, it even, I mean, it's so accurate. It got down to the MAC address. You know, my Synology, fake Synology NAS honeypot actually has a Synology MAC address on it. The DSM is up to date. DSM 7, it looks real and it's authentic looking. It's really incredible. You set up your thinks canaries, choose the device you want, takes a second. You register it with the hosted console for monitoring and notifications. And you're done. You wait. Bad guy in your system, malicious insiders, any adversary will immediately let themselves know because that's what they're looking for. Is that stuff you've spread around? The thinks canary is genius. Visit canary.tools-twit. As I said, the number you have may vary. Let's start with five. Good good starting point. $7,500 a year, they're very affordable. You get five of them. Your own hosted console, you get upgrades, support, maintenance. Don't worry, you don't have to use their console, by the way, for notifications, email, text, web hooks, slack. There's an API. The sky's the only way. You can get notifications anyway. You prefer. Syslog, yeah, support. If you use the code, tweet, and the how did you hear about this box, by the way, 10% off forever. And if you had all nervous, you should be reassured. You can return your thinks canaries for a full refund anytime in the first 60 days. There's a two month full money back guarantee. But I have to tell you, they've been advertising on this show for years. All that time, nobody has ever asked for their money back. Once you get installed and you see how easy it is and you see the need for it, everybody says this is the best thing ever. In fact, if you go to canary.tools-love, you can see all the love people have for the canary canary.tools-twit. To sign up, you get your offer code, tweet in the how did you hear about this box for 10% off. You got to have this thing canary.tools-twit. We thank you so much for supporting Steve's vital work here at Security Now. So a picture of the week time.

[14:42s-14:52s]: So for all of my life, Leo, I have found code hanger wire to be really convenient.

[14:52s-15:08s]: So useful. It is. And you know, used to get the code hangers from the like back from the dry cleaners with your shirts on them and they've they have a little bit of a paper wrapping on them, but you can take that off. But that that gauge of code hanger is perfect.

[15:08s-15:17s]: You know, me, you can you can bend it into all kinds of use. You can turn the drain to pick up a to hook up a ring that somebody lost or exactly.

[15:17s-15:19s]: So you know, it's just super handy.

[15:20s-15:25s]: Well, here we have an application that I would not recommend.

[15:25s-15:27s]: Well, I think this is a great life hack.

[15:27s-15:29s]: Don't you think everybody should do this?

[15:33s-15:35s]: Oh, he showed people we're talking about here.

[15:37s-16:43s]: So somebody has has a usb charging cable, which is way too long. And maybe they need it to be long, but this is like a neat Nick person. And I think we're seeing sort of a theme here because they've they've they've coiled up this way too long. I mean, it's like, it's like, it's like 15 feet of of usb charging cable. But you know, you don't want to fly and around on the floor, right? So they've coiled it all up. Now, okay, now what are you going to do? You got this coil of usb charging cable. You need to hang it somewhere. So it doesn't really you can't really hang it on the charger because it'll fall off. It needs to be more secure than that. So this clever OCD person thought, hey, you know, I've always found co-tangered wire to be really handy for making stuff. So and it happened to have a pair of pliers around. So basically fashioned this beautiful, I mean, by all measures,

[16:43s-16:46s]: this is a beautiful hook.

[16:46s-16:50s]: He spent some time with his little pliers. They're bending and curving. It's gorgeous.

[16:50s-17:00s]: Yeah, it is great. And boy, does it work as a hook to hang around the prongs of that apple five watt

[17:00s-17:02s]: charger just goes right around those beautiful.

[17:02s-17:06s]: Therein. Beautifully lies the problem. Oh, what?

[17:06s-17:24s]: I've never I don't think recall ever actually touching the the leads of my ometer to to the this wire. It must be that they are that it is coated with some sort of a, you know, an insulating.

[17:25s-17:31s]: Is it varnish of some sort? Is it otherwise this would have already exploded because

[17:33s-17:38s]: notice though, there's a switch here. I think that he has not switched it on yet. Oh boy.

[17:38s-17:50s]: And I think you can get quite a surprise. Use it put your shoes on and use the toe of your shoe to turn this plug. Oh, yeah, another point because he looks like he really is, you know,

[17:50s-17:51s]: OCD and careful.

[17:51s-17:54s]: He has his old his plugs upside down.

[17:57s-17:58s]: Right.

[17:58s-18:05s]: And he got the yeah, the ground. A little face. Not smiling. Looking like a little happy. Yeah. Yeah. What's going on? Not good.

[18:06s-18:31s]: So anyway, so just so people are thinking that we're going to have them completely lost our mind. The the point is that this hook has two legs that go up, up behind this USB charger and then bend around, you know, in use shape, to hang over the two prongs of the AC plug. Yeah.

[18:31s-18:35s]: There you go. Wire on wire on wires. It's like they made it for this.

[18:36s-18:40s]: Oh, it's beautiful. I mean, it is. It is a beautiful. Construction.

[18:41s-18:45s]: But no, the men you plug in, what would happen?

[18:45s-18:45s]: Would it heat up?

[18:45s-18:49s]: Would it start to glow or would it actually short this thing? No, no, this one you would have it.

[18:49s-19:18s]: He made the good news is all homes ever made. Even when they had, you know, screw them in fuses in the fuse box in the basement, where they had some cut out such that if if any circuit suddenly drew too much power, rather than it exploding in your face down in the basement, something would go boom. And and then you'd now, of course, what you what you don't want is to run out of fuses.

[19:19s-19:49s]: Because you know, don't put a penny across it. No, that's right. Then what people did was like, oh shoot, we don't, you know, I don't know why this fuse blue, but it's inconvenient. So I don't I seem to be all out fresh out of fuses here. Yeah. Let's just stick a penny in the hole. Let's just stick a penny in the socket and screw the blown out circuit. You know, the pros, blown out fruze on fuse on top. Anyway, yes, folks, do not do this at home.

[19:49s-20:06s]: The only thing I can think Leo is that this there must be some some varnish on this, but as over time, as it's used, it's going to get moved back and forth, riding on the top of these, the prongs of this plug.

[20:07s-20:13s]: And it's just going to explode at some ever put metal around the prongs of your plug.

[20:13s-20:17s]: I learned that in eighth grade when Leo on that note,

[20:17s-20:23s]: yes, we are, we do have the cue, the picture cute up for next week. And it's another goodie.

[20:24s-20:30s]: Oh, no, it's a variation. It's not the same. We don't want to get repetitious here, but we're going to have just as much fun with it.

[20:30s-20:52s]: Somebody, somebody told me that that is the commercially preferred way of installing a plug socket is upside down like that. And then somebody else in the discord says that's how you know it's a switched circuit. I've never seen that before. But just to reason I'm saying that to preclude all the email that you and I never

[20:52s-20:58s]: will get from licensed electricians will say absolutely that's the way to do it correctly.

[20:58s-21:06s]: You are not overflowing my inbox. I also hope that I am not the subject of the picture of the week next week

[21:07s-21:15s]: because I installed yesterday, we had a little lighting problem and I and my brother-in-law

[21:15s-21:21s]: did a little electric work, electrical work, installing a new under counter lamp.

[21:21s-21:46s]: And you see that switch right there that's just right to the right of Joe there. As he was installing the wires, he accidentally backed into it and switched it on and got a little bit of a shock. Oh, yes, I see you're still wearing the avocado shirt from Sunday. I am wearing this was right after I got home Sunday. They said, get in here. And I am also wearing as sharp eyes will see the most useful device for a home handyman anywhere.

[21:46s-21:48s]: Yes, you have you have a head mounted lamp.

[21:48s-21:49s]: A head lamp.

[21:50s-21:50s]: Yep.

[21:54s-22:03s]: Please do not make that the picture of the week next week. I'm just begging of you, okay? Yes, sometimes when Laurie, oh, you've got one too. Look at you.

[22:04s-22:10s]: Well, I've got no, these are the magnifying. Oh, that's a, what do you wear that for, Steve?

[22:10s-22:11s]: Besides looking like an alien.

[22:13s-22:15s]: When I'm building things like this.

[22:16s-22:17s]: Oh, yes, you got to get very close.

[22:18s-22:20s]: That's right. Are you soldering with those on?

[22:20s-22:28s]: Those are little, those are little surface mount components. They're a little, itty bitty. So yeah, yeah, that's, that's a lot of work.

[22:28s-22:59s]: Anyway, take that off and let's continue. Believe it or not, we have news to get to. Yes. Last Thursday, March 21st was it was a, by all measures, a rough day for Apple. Not only as I mentioned, did the tech press explode with truly hair on fire headlines about critical and fixable, unpatchable, deeply rooted cryptographic flaws, rendering apples, recent M series, arm-based silicon, incapable of performing secure cryptographic operations? Incapable.

[22:59s-23:04s]: Incapable. Can't be done, which is the topic we'll be spending the rest of the day's podcast.

[23:04s-23:07s]: Looking at some detail, if once we get this thing started,

[23:13s-25:26s]: because actually it's super interesting. But before that, also last Thursday, the US Department of Justice was joined by 15 other states and the District of Columbia, which, which is it was a state, but isn't, in a lawsuit alleging that Apple has been willfully and deliberately violating section two of the Sherman Antitrust act. Now, I'm just going to share five sentences from the DOJ's comments, which were delivered last Thursday. They read, as are complaint alleges, Apple has made maintain monopoly power in the smartphone market, not simply by staying ahead of the competition on the merits, but by violating federal antitrust law period. Consumers should not have to pay higher prices because companies break the law. Okay? We allege that Apple has employed a strategy that relies on exclusionary, anti-competitive conduct that hurts both consumers and developers. For consumers, that has meant fewer choices, higher prices and fees, lower quality smartphones. Apps and accessories, and less innovation from Apple and its competitors. For developers, that is meant being forced to play by rules that insulate Apple from competition. Okay, now, this is not clearly a podcast about antitrust law. We all know I'm not an attorney nor am I trained in the law. So I have no specific legal opinion to render here. However, I've been a successful small business founder, owner, operator throughout my entire life. And I'm certainly a big fan and believer in the free enterprise system and in the principles of capitalism. But I also appreciate that this system of competition is inherently unstable. It has a natural tendency for the big to get bigger through acquisition and the application of economies of scale and leverage. That same system that creates an environment which promotes fair competition can be abused once sufficient power has been acquired.

[25:27s-29:20s]: Those of us of a certain age have watched Apple being born, then fall only to rise again from the ashes. My own first commercial success was the design development production and sales of a high speed high resolution light pen for the Apple II, which allowed its users to interact directly with the Apple II's screen. To my mind, there's no question that as a society, we are all richer for the influence that Apple's aggressive pursuit of perfection has had on the world. Things as simple as product packaging will never be the same. But for some time, we've been hearing complaints about Apple's having taken this too far. It's understandable for competitors to complain and to ask the government to step in and do something. At some point, that becomes the government's very necessary rule, just as we saw previously when the same thing happened with Microsoft. And some would argue it's ought to happen again with Microsoft. For many years, the US government has done nothing, while Apple has continued to grow and continued to aggressively use its market power to increase its shareholders' wealth. The question is, when does use of market power become abuse of market power? The next few years will be spent in endless depositions and expert testimony working to decide exactly what sort of cage Apple needs to be constrained within. One thing we know is that many of the arguments Apple will be making on its own behalf will involve security. The security inherent in its closed messaging system, the inherent security of its closed app store. Things we've touched on many times in this podcast. Apple will allege that by keeping its systems closed, it is protecting its users from unseen, nefarious forces. But, for example, the presence of signal and WhatsApp in the App Store and on Apple devices, which create freely interoperable, super secure, cross-platform messaging, suggested Apple's own messaging technology could work similarly if they wished it to. During the news coverage of this since Thursday, I've encountered snippets of evidence which suggests that the government has obtained clear proof of Apple's true motives where Apple's technology has been designed to support Apple's interests rather than those of its users. In any event, and maybe those are aligned. That's really the question, right? Are Apple's interests and its users' interests perfectly aligned? Nothing is going to happen on this front for a long time. Years will pass, and this podcast will be well into four digits. By the time anything is resolved with the DOJ's anti-trust lawsuit, the way things have been going, it seems to me much more likely that the laws being written and enacted within the European Union today will be forcing Apple's hand long before the DOJ finishes making its case. All that may eventually be required will be for the US to force Apple to do the same thing that they're already doing in over in Europe here as well. But, as for whether Apple designed Silicon cannot perform secure cryptographic operations, that is something this podcast can speak to authoritatively and will be doing so once we've caught up with some more interesting

[29:20s-29:27s]: news and feedback. I always said, back in the day, in fact, it was during, it was funny how you

[29:27s-29:45s]: began this with the good old days of Apple because back in the day when the Department of Justice was suing Microsoft, I always said, if Apple were as big and powerful as Microsoft, they'd be just as bad, but they aren't. In fact, they almost went out of business in 97, and now that they are,

[29:45s-29:50s]: even a little bit bigger than Microsoft, yeah, they're just as... It's what happens.

[29:50s-30:13s]: It is exactly what happens, and it's not that anybody is a bad person. They argue that their the executives argue that it's their job to maximize your older wealth. That's kind of... That's kind of... Yes, exactly. Exactly. And so it's a fundamental property that there needs,

[30:13s-30:30s]: that there need to be constraints. And of course, in the US, we have those. It's, boys, it paid full to get them. But, you know, it's interesting. And I think I heard Renee saying that he thought he was going to have to spin up another podcast in order to keep track of this. So, you know,

[30:30s-30:37s]: I'm not going to bother with that. No, we're not going to do it. Yeah. No. No. It's a...

[30:37s-30:43s]: Okay, so we'll mention it once in a while, and that'll be it. Right. It'll just thing will go for years.

[30:44s-31:53s]: No, it exactly isn't happened with Microsoft. So, last week, we shared the difficult, I mean, truly difficult to believe, but true story, that General Motors had actually been sharing. And by sharing, I'm pretty sure the proper term would be selling, the detailed driving record data of its car's owners, down to how rapidly the owner's car accelerated, how hard it breaked and its average speed from point A to point B. Leo, they literally have instrumentation in there that is monitoring everything the car does. And on these cars are all interconnected now, it was all being beamed back to GM, who it turns out was selling it to Lexus Nexus, a major data broker. Anyway, so what happened was, and this was a

[31:56s-32:39s]: New York Times or Washington Post, I think it was the New York Times piece last week that just blew the lid off this. Some guy, I think he was in Canada or maybe he was just up north. He saw his insurance go up 21% in one year, although he had never been in an accident and didn't have tickets. And so when he asked his insurance company, why they sort of hemmed and hawed, he also tried to obtain alternate insurance. And all the quotes that he got back from competing companies were the same. Finally, one of them said, well, you should check your Lexus Nexus

[32:39s-32:46s]:Lexus Nexus report because it's a little worried about your driving. So now there's a credit report,

[32:46s-32:51s]: there's now a car driving report. But you know what? In some ways, hey, I'm not surprised,

[32:51s-33:05s]: insurance companies have for years had offered good driver discounts. In the past, used to have an app and stuff. I'm not surprised to hear this. And honestly, you're literally installed app for like low mileage drivers where it would monitor a thing.

[33:05s-33:08s]: I'm sure we talked about it on the phone. Yeah, but this is good for you and me because

[33:08s-33:40s]: insurers, instead of this guy who really is not a safe driver, paying the same as you and me, who drive like little men because we are, we should get reduced, right? And they, he should pay more. It's fair. I think. And should it be done without consent? Well, in a way, I bet you, he did consent. I bet you there is somewhere, a document that he signed when he bought that car that said data is being collected. You saw the Mozilla report last year, we talked about it

[33:40s-33:46s]: about how cars are a privacy nightmare. Yeah, well, we were all wondering recently how your

[33:46s-33:53s]: sexual habits were being recorded by a car is like, what? Is it monitoring the suspension?

[33:53s-34:00s]: This car, as you will know, don't you be welcome? Okay, so the good news is this produced an

[34:00s-35:01s]: outcry which caused GM to immediately terminate this conduct. And no doubt, threats of lawsuits were involved too. They, they, they, they said GM is, is, is immediately stopping the sharing of this data with it with, with these brokers. The reports that after public outcry, General Motors had decided to stop sharing driving data from its connected cars with data brokers last week. News broke that, that customers enrolled in GM's on-star smart driver app have had their data shared with Lexus Nexus and Varisk. Those data brokers in turn shared the information with insurance companies, resulting in some drivers fighting a much harder or more expensive, exactly as you said Leo, to obtain insurance. To make matters much worse, customers allege, they never signed up for on-star smart driver in the first place, claiming the choice was made

[35:01s-35:07s]: for them by salespeople during the car buying process. Yeah, and you know what, it comes with the

[35:07s-35:18s]: car. And you know, it's good. It's all for your safety. That's why we put it in so that if you get an Iraqi, press the on-star button. That's right. That's why they did it. People will, people will come.

[35:18s-35:22s]: Yes. We're not big brother watching over you. No. No. Of course not. Okay, so

[35:25s-36:12s]: I saw this bit of happy cryptocurrency news that just made me smile. It seems that last week, the blockchain game. I didn't know you had a there was a blockchain game, but yes, someone has made a game out of blockchain and it's called Super Sushi Semurai. Super Sushi Semurai had $4.6 million worth of its tokens stolen. However, it just reported that they had all been recovered. So what happened? They explained that the hack was actually the work of a security researcher who exploited a bug in their code to move the funds out of harm's way to prevent future theft.

[36:12s-36:19s]: Yeah, that was a hoops. Yeah. That's right. Just want to move that on. Sushi Semurai described the incident

[36:19s-36:26s]: as a white hat rescue and has ended up hiring the white hat to be a technical advisor.

[36:26s-36:35s]: So that's what I call a G rated happy ending. Okay. Yeah. I believe it. Why not?

[36:36s-38:00s]: And also you guys touched on this on Macbreeke. Apple insider has some interesting coverage about apples apparently failed initiative to move their home kit technology up into home routers. I was a fan of this since it promised to provide router-enforced inter-device traffic isolation and the only place that can really be accomplished is at the router. Our listeners know that I've been advocating for the creation of isolated networks so that IoT devices would be kept separate from the household's PCs. But what Apple proposed five years ago back in 2019 would have additionally isolated each IoT device like with that level of granularity from all the others. So here's what Apple insider explained. They said Apple's home kit secure routers were announced in 2019. But we're never really taken up by manufacturers. And now some vendors are claiming Apple is no longer pursuing the technology and we'll get to why in a minute. Home kit secure routers they wrote were introduced by Craig for a Federica Federica. I know his name. The problem is you know I'm a big Star Trek person and I want

[38:00s-38:10s]: to say Ferengi which you know. Frank Sengi over there. At least have to stop from saying

[38:10s-38:17s]: it's not Ferengi. Come on Steve. It's funny. I would never have guessed that. Wow. So Craig

[38:18s-39:20s]: Federigi at worldwide developer conference 2019. And in the same breadth as at at the same time they introduced home kit secure video. The latter that is home kit secure video took time to reach the market. But it was used. And many manufacturers adopted it even if others would not. Okay now during this years just happened. CES 2024. Two router vendors separately told Apple insider that Apple is no longer accepting new routers into its program. If that claim is correct and it probably is since it came from the same rejected manufacturers. Given the lack of home kit secure routers on the market. Like is in five years not much happened. It appears that Apple has abandoned the idea even though Apple still has active support pages on the matter. However Apple insider noted that it also has support pages on airport routers too. And those are as they put it dead as a

[39:20s-39:26s]: door nail. It's really our dead. Yeah. I was so excited that Apple would offer the security

[39:26s-39:38s]: standard that we could you know have some confidence in the security and frankly firmware update ability of our routers. It's a little disappointing to me. Yeah. Anyway it's not going to happen

[39:39s-42:21s]: they they've backed out Apple inside of the long story short pulled the route the various routers that Apple listed. There is one link sis vellop ax4200 and an amplify alien router are apparently the only two that that are currently listed by Apple as being supported. The euro has a notice saying that it's euro pro six e and six plus do not support Apple home kit and they have no plans to offer Apple home kit router functionality. Anyway so it you know not everything that gets announced happens and asking router manufacturers to modify their firmware to incorporate the required home kit functionality and it appears that it may have taken some significant customization. It was just never going to get off the ground and this is probably for the better since it appears that we have already and oh thank god blessedly quickly moved beyond disparate proprietary closed IoT ecosystems which you know is where it looked like we were headed with amazon Alexa and apples home kit and google's home and samsung's smart things all creating their old let's do our own thing all the buzz appears to now be surrounding the interoperability technology known as matter this was formerly known as chip which stood for connected home over IP. It's now been rebranded as matter and everyone appears to be seeing the light nobody wants to be left out all those guys I just mentioned now Amazon with Alexa Apple with their home kit google with home and samsung smart things are all have announced and are supporting matter it's now at version 1.2 open open source license free anyone can create matter compatible devices if they follow the spec they will interoperate and more than 550 companies have announced their commitment to matter so you know this is done right I mean all of the biggies are going to be supporting matter they really have no choice and at this point I just wanted to make sure I brought it up because I wouldn't purchase something you know that that random AC plug that I got for shockingly I don't know it's $4 or something it's amazing how can this be an internet connect the device it's like what

[42:21s-42:26s]: the plastic in the fall and the you know the prongs would cost $4 it does report back on your

[42:26s-42:32s]: driving habits however so it's fall it's got a little eyeball in it the fall is you round the room

[42:32s-42:37s]: it's kind of freaky but does matter have though I mean the thing about apples home kits

[42:37s-42:43s]: router standard was it had security requirements built in and I but does matter have something like

[42:43s-42:47s]: that's what they were that you're right that's what they were going to produce I think matter is

[42:47s-42:59s]: about interconnectivity right right and which is not to say it couldn't be made more secure but you know that's not their focus right and Leo we're having so much fun I think we should take a

[42:59s-43:04s]: break so that I can recap and eight obviously I don't need more caffeine but what the heck fun

[43:04s-44:49s]: equals breaks is that what in your mind is that how it works are so today brought to you by panoptica panoptica Cisco's cloud application security solution provides end-to-end life cycle protection for cloud native application environments it empowers organizations to safeguard their APIs serverless functions containers and Kubernetes environments panoptica ensures comprehensive cloud security compliance and monitoring at scale offering deep visibility contextual risk assessments and actionable remediation insights for all your cloud assets powered by graph based technology panoptica's attack path engine prioritizes and offers dynamic remediation for vulnerable attack vectors helping security teams quickly identify and remediate potential risks across cloud infrastructures a unified cloud native security platform minimizes gaps for multiple solutions providing centralized management and reducing non-critical vulnerabilities from fragmented systems panoptica utilizes advanced attack path analysis root cause analysis and dynamic remediation techniques to reveal potential risks from an attacker's viewpoint this approach identifies new and known risks emphasizing critical attack paths and their potential impact this insights unique and difficult to glean from other sources of security telemetry such as network firewalls get more information on panoptica's website panoptica dot app more details on panoptica's website panoptica dot app we thank panoptica for their support of security now back to Steve

[44:49s-47:50s]: thank you my friend okay in a cool bit of news i can the internet corporation for assigned names and numbers is going to make an assignment it's in the process of designating and reserving get this a top-level domain specifically for use on private internal networks in other words are ten dot and are one nine two dot one six eight dot networks and there's a seventeen dot sixteen thing in there too will be obtaining an official tld of their own so local host may soon be less lonely here's the executive summary which explains it lays out the rationale behind i can'ts plans they wrote in this document the ss ac that's the security and stability advisory committee because you know that's what you want in your internet is some security and stability advising they recommend the reservation of a dns label that does not and cannot correspond to any current or future delegation from the root zone of the global dns which is the very long-winded way of saying we're going to get our own dot something tld they said this label can then serve as the top-level domain name of a privately resolvable name space that will not collide with the resolution of names delegated from the root zone that is you know the the public dns root zone in order for this to work properly this reserved private use tld must never be delegated in the global dns root currently many enterprises and device vendors make ad hoc use of tld's that are not present in the root zone when they intend the name for private use only this usage is uncordenated and can cause harm to internet users well my the dns has no explicit provision for internally scoped names and current advice is for the vendors or service providers to use a sub-dominant of a public domain name for internal or private use using subdomains of registered public domain names is still the best practice to name internal resources the ssa c concur with this best practice and encourages enterprises device vendors and others who require internally scoped names to use subdomains of registered public domain names wherever possible however this is not always feasible and there are legitimate use cases for private use tld's and i'll just note that you know for example an individual could register a domain with hover who i don't know if they should if they're still a sponsor of the twitch network they are still my domain name provider i moved everything

[47:50s-47:54s]: away from network solutions i became clear i don't think they're responding more but we still

[47:55s-50:07s]: yep they're the right guys anyway so you know you know johnny apple seed you could get that on go of course you can't get dot johnny apple seed so that wouldn't work but but you could get you know a dot com or some inexpensive subdomain of some some established top level domain and this you use that for your own purpose because you because you have that subdomain nobody else is is going to be able to to to use it publicly so you're here you're safe so that so that's what these guys are saying so they they continue the need for private use identifiers is not unique for domain names and a useful analogy can be drawn between the uses of private ip address space and those of a private use tld network operators use private ip address space to number resources not intended to be externally accessible and private use tld's are used by network operators in a similar fashion this document proposes reserving a string in a manner similar to the current use of private ip address space a similar rationale can be used to reserve more strings in case the need arises okay so they go on and on anyway finally after all the bureaucratic boilerplate has settled down i can wrote the internet assign numbers authority i a n a has made a provisional determination that dot internal should be reserved for private use and internal network applications prior to review and approval of this reservation by the i can board we're seeking feedback on whether the selection complies with their specified procedure from s a c one one three more bureaucracies and other observations that this string would be and to verify that it would be an appropriate selection for this purpose so it's all but certain that dot internal will be reserved and will never be used for any public purpose and therefore it would be safe for anyone to start

[50:07s-50:21s]: using it for any internal purpose yeah i think i have very cool dot internal we and i saw some commentary saying well it only took 30 years that's like that's true that's true take a moment

[50:21s-51:36s]: a while okay so last Thursday as i said earlier was a very busy day not only did the DOJ announce their their pursuit of apple and apples m series silicon was discovered to be useless for crypto but the united nations general assembly adopted a resolution on artificial intelligence not that anyone cares or that anyone could do anything about a i in any event but for the record you and officials formally called on tech companies to develop safe and reliable ai systems that comply with international human rights and i love this they said quote systems that don't comply should be taken offline so you know if you have a mean ai just unplug it folks official said the same rights that apply offline should also be protected online including against ai systems i've never said much about ai here just as i'm not trained as an attorney i do not have any expertise in ai systems what i do have however is stunned amazement as they would say over

[51:36s-51:44s]: in the uk i am gobsmacked by what i've seen it is impressive isn't it what do you know i've never

[51:44s-51:49s]: asked you and we talk about it all the time on the other shows but what do you think the future holds

[51:49s-51:59s]: well here i come oh i i so what i may lack in expertise appears to have been made up for by my intuition

[52:00s-52:55s]: which is which has been screaming at me ever since i spent some time chatting with chat gpt 4 my take on the whole ai mess and controversy can be summed up in just four words and they are good luck restraining anything yeah that's my attitude exactly yes i doubt that any part of this is restrainable at some point in the recent past we crossed over a tipping point and we're seeing something that no one would have believed possible even five years ago everyone knows there's no going back only people who have not been paying attention imagine that there's any hope of controlling what happens going forward i don't know and i can't predict what the future holds but

[52:55s-53:02s]: whatever is going to happen is going to happen and i'm pretty sure that it's bigger than us yes

[53:03s-53:14s]: we're not a sufficiently organized species to be able to control or contain this mm-hmm look what look how well we've done with the nuclear proliferation

[53:15s-53:22s]: yeah and that that's it's still incredibly hard to purify enough plutonium to make a bomb

[53:23s-53:31s]: it's trivially easy and and the process is well well known to make an l lm it's out it's out

[53:31s-53:37s]: you know it's not it would be like government saying whoops stop exporting crypto yeah like what

[53:37s-53:46s]: exactly you know and so you lila you and i are on the same page i mean it is and and if we don't

[53:47s-54:14s]: like do it we know north korea is not sitting around you i think they apparently have quite smart people yes it annoys me that they're so good at hacking but boy are they are serious hackers yeah and so you know you know it's gone again it's it is it i i would argue it already has and we just haven't it hasn't dawned on us yet yeah right like there there's some inertia of a recognition but

[54:14s-54:27s]: i for one i'm excited i mean this is sci-fi we're gonna live in i think i might even live to see it a very weird and different future it's coming yeah it's gonna be fun

[54:28s-54:37s]: buckle up that's exactly right i think that's exactly right okay so a few more points to get to

[54:37s-55:27s]: in a somewhat disturbing turn spain has joined the likes of china tailand pakistan aran and cuba to be blocking all use of and access to telegram across its territory this came after spain's four largest media companies successfully complained to the high court in spain that telegram was being used to propagate their copyrighted content without permission a judge with spain's high court had asked telegram to provide certain information relating to the case which apparently telegram just blew off and ignored they chose not to respond to the judges request so he ordered all telecommunications carriers to block all access to telegram throughout

[55:27s-55:35s]: the country that began yesterday so you know it's a problem i'd be very anxious to see how this holds

[55:35s-55:43s]: up because about i heard that about a third of spain uses telegram yes it has already created a huge

[55:43s-55:49s]: yes there's a huge consumer backlash against this as one would expect yeah remember Brazil tried to do

[55:49s-55:59s]: this and uh they ended up having to back down i think was for what's that but they ended up having to back down because it's can't we can't communicate what are you doing well have you seen the movie

[55:59s-56:06s]: brazilio that explains the whole problem that's right great yes wonderful movie so last week van

[56:06s-56:59s]: koever held its 2024 poned own hacking competition one security researcher by the name of manfred paul distinguished himself by successfully exploiting get this all four of the major web browser platforms he found exploits in chrome edge firefox and safari he became this years master of poned and took home two hundred and two thousand five hundred dollars in prize money overall and here's really the lesson the competing security researchers turned hackers successfully demonstrated twenty nine previously unknown zero days during the contest and took home a total of one point one million

[56:59s-57:05s]: dollars in prize money that money comes to the companies that they're poning pretty much right yes

[57:05s-06:53s]: yes twenty nine okay twenty nine previously unknown zero days were found and demonstrated to me this serves to demonstrate why i continue to believe that the best working model that's been presented for security and okay yes i'm the one who presented it is porosity porosity you know we don't want it to be but security is porous how else can we explain that one loan research hacker is able to take down all four of the industries fully patched browsers whenever someone offers him some cash to do so and that overall twenty nine new previously unknown zero days were revealed when others were similarly offered some cash prize incentive you know you push hard and you get in that's the definition of porous and that's the security we have i should also take a moment to give a shout out to mozilla's firefox team who had patched an updated firefox in fewer than twenty four hours following the vulnerability disclosure Frederick Braun posted on mastodon quote last night about twenty one hours ago manford paul demonstrated a security exploit targeting firefox one twenty four at poned to own in response we have just published firefox one twenty four dot zero dot one and firefox ESR 115 dot nine dot one containing the security fix please up dot he says please update your foxes kudos to all the countless people postponing their sleep and working toward resolving this so quickly really impressive work teamwork again also kudos to manfred for poning firefox again so you know this is the way security is supposed to work at the best of times white hat hackers are given some reason to look and compensated for their discoveries which makes the products safer for everyone and then the publishers of those products promptly respond to provide all of that products users the benefits of that discovery yay and in this welcome bit of news perhaps we and others are giving as good as we get i've often noted that we that all we ever hear about you know about uh attacks on our infrastructure our chinese state sponsored attacks that are successfully getting in you know and i note that naturally we never hear about our similar successes against china it's not like the nsa is going to brag so i've wanted to believe that we you know while we would not be destructive if we were to get in that that we'd only seek to have a presence inside chinese networks so that they understand that we're just not sitting here defenseless over on this side of the pacific well it turns out that last week china state security agency themselves urged their local companies to improve their cyber security defenses the ministry of state security said that foreign spy agencies have infiltrated hundreds of local businesses and government units so that does sound like we may be at parity in this weird cyber cold war that we're in i hate it but you know it's what we've got uh oh and just a reminder uh there has been a a an observed significant increase in tax season related fishing so i just wanted to remind everyone that as happens at every time this year uh you know fishing scams suddenly jumped with all kinds of like oh you just we received your electronically submitted return but uh it had a problem cleap please click here that's not from the irs so you know everybody put up your skepticism shields and and resist clicking um i have two quick notes of news on that i think everyone will find interesting on the spin right front one of the things that quickly became apparent as our listeners were wishing to obtain and use six one was that the world had changed in another way since spin right sixes release in back in 2004 back then linux was still largely a curiosity you know with a relatively small fan base and no real adoption not so today uh at least not among our listeners back in 2004 it was acceptable to require a spin right user i mean just assumed that a spin right user would have windows which they would use to set up the boot media since windows and mac was pretty much all there was and spin right was never really targeted at the mac market today we've encountered many would be users who do not have ready access to a windows machine and they've been having a problem so i needed to create a non windows setup facility that i have long envisioned but never needed until now today it exists um over at grc's uh pre-release.htm page is as before the downloadable windows doss hybrid executable and now also a downloadable zip file the zip file which is smaller than 400k contains the image of the front of a four gigabyte fat 32 doss partition so any spin right owner without access to windows because using windows is still easier may choose to instead download this zip file and it's personalized i've added on the fly partition creation and and uh spin right is added to the the file system it's then truncated and i've got on the fly zipping i've been busy um it contains about an eight point the zip file which is only which is outside less than 400k contains an eight point three megabyte file which is named sr61.img any linux user can you know dd copy that file onto any usb thumb drive to create an up to four gigabyte fat 32 partition that will immediately boot and run spin right but the tricky bit that i worked out last week is that when this drive is booted for the first time if the media onto which this image file was copied is smaller than the partition described by the image which is a four gig partition for example you know spin right owner copies the image to an old but trusted 256 megabyte thumb drive a little built-in utility named downsize kicks in examines the size of the partitions underlying physical drive and dynamically on the fly downsizes the partition to fit onto its host drive it's all transparent and automatic and since the same technology was also going to be needed for spin right seven it made sense to get it done so it's there now second point a new wrinkle to surface last week is bad ram over in grc's web forums a spin right six one user reported data verification errors being produced by spin right when running on is cute little zima board spin right always identified and logged the location of the apparent problem but from one run to the next there was no correlation in where the problems appeared to be occurring and when he ran the same drive under spin right on a different pc it passed spin rights most thorough level five testing without a single complaint and he was able to go back and forth to easily recreate the trouble multiple times on one system but never on the other the inhabitants of the forums jumped on this and suggested a bad or undersized power supply for his zima board flaky cabling and anything else they could think of all great suggestions finally I asked this user to try running the venerable mem test 86 on his brand new zima board and guess what yep memory errors there shouldn't ever be any but the first time he ran mem test 86 it found six

[06:54s-07:02s]: and the second time it found 101 seeing that we ran mem test 86 on all of our zima boards that is

[07:02s-08:08s]: all of the the developers and they all passed with zero errors as they all we should so this user had a zima board with a marginal DRAM memory subsystem there was no correlation in the locations of the errors that spin right was reporting from one memory from from one memory oh that that that that his mem test was reporting from one past to the next but there were always two specific bits out of the 32 that mem test 86 always identified as being the culprits they were soft and spin right was getting tripped up by this machine's bad ram when it was performing data verification that's available from spin rights levels four and five the problem was not the drive it was the machine hosting spin right and the drive so by this point our long time listeners who've grown to know me listening to this podcast know what I'm going to say next yep spin right 6 1 now

[08:08s-08:16s]: tests the memory of any machine it's running all ever wow he means mem test I got spin right that's

[08:16s-10:14s]: it works great it's it's it's like immediately found the errors this guy was having what's interesting is it's spin right 1.0 back in 1988 also built in a memory test back then it made sense to verify the RAM memory that would be used to temporarily hold a track's data while spin right was pattern testing the physical surface and giving it a fresh new low low new low level format but I don't know when it happened somewhere along the way I removed that feature from spin right we never heard of it ever being useful so my initially over cautious approach seemed to have been proven unnecessary until last week so late last week I implemented a very nice little DRAM memory tester right into spin right and then have the guy with the bad Zima board give it a try it's successfully determined that his machines memory was not reliable and spin right will then refuse to run on any such machine after making that determination you know it's just not safe to run it and of course no such machine should be trusted for actually doing anything else you know it's like a send it back to the manufacturer or if you can change the RAM or diagnose it so anyway this new built in RAM testing feature which is not yet present don't go download an updated copy of spin right it's not there yet not yet present in any spin right that's available for download but it'll appear along with a few other minor improvements that I've made shortly so I'm sure I'll be announcing it next week and I just have two little pieces of feedback from our listeners because we have lost distills talk about here I got a note from someone whose a handle is jazz man he said high Steve great show as always I work in a cell phone free environment not only no service but we're not

[10:14s-10:21s]: allowed to bring them we have internet computers but we're not trusted to install anything on them

[10:21s-13:03s]: the problem is I like to have two factor authentication to protect my email and other stuff my understanding is if I were to use past keys I need my phone I use bid warden with two factor authentication my question are there any good solutions for a for a cell free environment kind regards Bjorn okay so and then we've been talking about this for the last couple weeks whether to have you know two factor and now optionally past keys managed by your by your password manager or to keep it separate in a phone free environment I agree that relying upon bit warden for all authentication services is likely the best bet I think it's probably your only bet right you know we would usually prefer to have past keys or our authenticator on a separate device like a phone but where that's not possible merging those functions into a single password manager like bit warden makes sense and I should just note that you be keys are also past keys capable and they're able to store up to 25 past keys in a ubiky so a ubiky is another possibility if that someone limited past keys capacity doesn't pose a problem and finally William Ruckman he said hi Steve our past keys quantum safe I thought public key crypto was vulnerable and I we we'd also been speaking just recently about how the big difference between user name and password and past keys is the the essentially symmetric crypto secret keeping whereas past keys uses public key crypto which is why Williams asking so it's a terrific question because as we know it's the public key crypto that past keys offers which is why it's so valuable the good news is the phyto2 specification which underlies web off n which underlies past keys already provides for plug in future proof crypto so past keys and web off n slash phyto2 will all be able to move to quantum safe algorithms whenever that's appropriate and as soon as we settled on them and they've been standardized

[13:03s-13:09s]: so yes that's good news and it would be backwards it would be backward to all the past keys you

[13:09s-13:17s]: already are using and all that you would right no you'd have to regenerate yes if you change

[13:17s-14:02s]: the crypto you'll you would have to you'd have to regenerate the past keys because you're holding private keys with a specific algorithm and there is actually no way for the website even to help you I mean it might say you might go go through a user old past key now use your new past key and if you did that you know sequentially then it would get actually squirrel had a similar facility so if it would use a first authentication to assert your identity and and thus honor the second authentication which would be from the newfangled crypto and now it would have the public key under the new algorithm cool you have to worry about it yeah there's only about four sites that

[14:02s-14:11s]: use it I know I saw I saw in doing some some research just yesterday so I saw someone someone

[14:11s-14:24s]: who had something to sell they were trying to sell some equivalent of a ubiquit I think and it said since the majority of the internet's websites are now using past keys I thought are you on it in a

[14:24s-14:31s]: time machine what are you talking about oh usually on 2030 oh yeah maybe yeah maybe yeah I

[14:31s-14:37s]: uh there's a majority as long as you only log into four sites yeah right yeah there's literally

[14:37s-14:48s]: just a handful of sites that use it I know it's too bad because it's so easy when it works I heard you talked a lot about that last week with umica and yeah I agree with you I think it's it's

[14:48s-14:57s]: going to be a big improvement someday someday our prince will come okay after our final uh

[14:57s-15:05s]: announcement Leo oh boy we're gonna have some fun oh boy the get the beanies lubed I don't know

[15:05s-15:11s]: you say that yeah she said that out loud anyway uh unloom the beanies for a moment because we

[15:11s-17:07s]: are going to talk about our sponsor for the section collide I love collide KOL IDE yeah I know you've heard us talk a lot about collide I've sung its praises did you know they were just acquired by one password now I'm sure some people go oh no no that's good news these both companies are leading industry uh security experts creating solutions that put users first I mean it's a great it's a great partnership and you should be happy to know collide is going to continue doing exactly what's been doing for the last year or so collide device trust has helped companies using octa ensure that only known and secure very important devices can access their data and that's what they're going to still do just as part of one password that means more resources it's they can they can it's great news if you've got octa and you've been meaning to check out collide this is a perfect time to do it collide comes to the library prebuilt device posture checks or you can write your own custom checks for just about anything you can think of which means you can say to your users hey you got to fix that you got to fix that before we let you in the network you got to patch your stuff or get the latest web sir you know browser or update your operating system plus the I love it because you can use collide on pretty much anything without mdm so that means now your Linux fleet is included your contract your devices and of course every b y o d phone and laptop in your company now the collides part of one password it's just gonna get better check it out at k o l i d dot com slash security now collide dot com slash security now you can watch a demo there learn more about it it's a really smart idea collide k o l i d e dot com slash security now we thank him so much for supporting

[17:08s-17:16s]: Steve and the show and now let's talk about fetch go fetch so go fetch last Thursday

[17:17s-20:12s]: the world learned that apple had some problems with their with their cryptography unfortunately it would be impossible to determine for most of the tech presses coverage of this whether this was an apocalyptic event or just another bump in the road ours technical was apparently unable to resist becoming clickbait central with their headline unpatchable vulnerability in apple chip leaks secret encryption keys wow that would be bad if it was true fortunately it's not the least bit true it's it's not unpatchable and it's not a vulnerability in an apple chip Kim Zetter's zero day goes with apple chip flaw let's hacker steal encryption keys this chip flaw in air quotes theme seems to have become pretty popular even though nowhere did any of the actual researchers ever say anything about any chip flaw even apple insiders headline read apple silicon vulnerability leaks encryption keys and can't be patched easily what apple was told 107 days before the disclosure back on December 5th of last year apple is certainly quite aware of the issue and i'm sure they're taking it seriously and for their newer m3 chips all this needed is for a single bit to be flipped Tom's hardware went with new chip flaw hits apple silicon and steals cryptographic keys from system cash go fetch vulnerability attacks apple m1 m2 m3 processors can't be fixed in hardware oh dear except for a few details it's not new it's not a flaw nothing ever hit apple silicon and as for it not being fixable in apple m1 m2 or m3 processors if you have an m3 chip just flip the bit on during crypto operations and the unfixable problem is solved and finally as we'll see by the end of this topic today there are equally simple workarounds for the earlier m series processors okay so you know i could keep going because the material in this instance was endless not a single one of the headlines are the supposedly tech press stories that covered this characterized this even close to accurately it's not a flaw nothing is flawed everything is working just as it's supposed to it's not a vulnerability in apple silicon apple silicon is just fine and nothing needs to change and is certainly not unfixable or unpatchable cyber news headline was m series max can leak secrets due to inherent vulnerability the only thing that's inherently

[20:12s-20:19s]: vulnerable here is the credibility of the tech presses coverage of this holy cow it really has been

[20:19s-20:56s]: quite over the top after sitting back and thinking about it the only explanation i can come up with is that because what's actually going on with this wonderfully and subtly complex problem no one writing for the press really understood what the researchers have very carefully and reasonably explained so they just went with variations on ours technicas you know initial unpatchable vulnerability in apple chip nonsense under the assumption that ours must have actually

[20:56s-21:01s]: understood what was going on so everyone just a good and good nose if he doesn't that's right

[21:01s-21:08s]: you know dance on the ball typically but and we do know in fairness to dan he doesn't provide

[21:08s-43:40s]: the headlines it's what went back when i was writing the tech taught column for info world i was often really annoyed by what my columns were were were headline because that's not what i said in the text but you know some copy editor i guess that's what they're called you know gave it the headline that would get people to turn to the page so okay not dance fault okay the tl dr of this whole fiasco is that a handful of researchers built upon an earlier two year old discovery which three of them had been participants in back then that was dismissed at the time by apple no as being of only academic interest it's yet another form of side channel attack on otherwise very carefully designed to be side channel attack free constant time cryptographic algorithms the attacks surrounds an arm based performance optimization feature known as dmp and i was thinking boy if the acronym have been e m p that would have really blown the tech press right off the top anyway not e m p d m p um and a variation of the same type of optimization optimization is also present in the newest intel chips the razor or something or other anyway i'll get to that okay and so true to Bruce Schneier's observation that attacks never get worse they only ever get better about a year and a half after that initial discovery two years ago which never amounted to much it turned out that the presence of this dmp which i will be explaining in detail optimization feature actually did and does create an exploitable vulnerability that can be very cleverly leveraged to reveal a system's otherwise well protected cryptographic secrets after verifying that this was true the researchers did the responsible thing by informing apple and we have to assume apple decided what they wanted to do next um okay unfortunately that true story doesn't make for nearly as exciting a headline so none of the hyperventilating press explained it this way one important thing that sets this apart from the similar and related specter and meltdown vulnerabilities from yesterday year is that this new exploitation of the dmp optimizer is not purely theoretical all we had back in those early days of speculative execution vulnerabilities was a profound fear over what could be done over what this meant it was clear that intel had never intended for their chips internal operation to be probed in that fashion and not much not much imagination was required to envision how this might be abused but we lacked any concrete real world proof of concept not so today and not even post quantum crypto is safe from this attack since we're not attacking the strength of the crypto but rather the underlying keys are being revealed the go fetch proof of concept app running on an apple mac connects to the targeted app also on the same machine which contains the secrets it feeds the app a series of inputs that the app signs or decrypts or does something using its secret keys you know and basically inducing it to perform cryptographic operations that require it to use the secrets it's intending to keep as it's doing this the app monitors aspects of the processors caches and it shares the the the processors caches which it shares with the targeted app in order to obtain hints about the app's secret key okay so how bad is it as I mentioned the attack works against both pre and post quantum encryption the demo go fetch app requires less than an hour to extract a 2048 bit rsa key and a little over two hours to extract a 2048 bit difi helmet key the attack takes 54 minutes to extract the material required to later assemble a kiber five twelve bit key and about ten hours for a dilithium to key the sometime is also required afterwards for offline processing of the raw data that is collected in other words it is an attack that is practical to employ in the real world okay so what exactly is dmp what did the researchers discover and how do they arrange to make their max give up the closely held secrets being hidden inside the research paper is titled go fetch breaking constant time cryptographic implementations using data memory dependent pre fetters okay now that sounds more complex than it is we have breaking constant time cryptographic implementations we already know that a classic side channel vulnerability which is often present in poorly written crypto implementations is for an algorithm to in any way change its behavior depending upon the secret key it's using if that happens the key dependent behavior change can be used to infer some properties of the key so the first portion of the title tells us that this attack is effective against properly written constant time cryptographic implementations that do not change their behavior in any way that's not where things got screwed up the second part of the papers title is using data memory dependent pre fetters and that's what's new here if you guessed that the performance optimization technique known as dmp stands for data memory dependent pre fetters you'd be correct three of the seven co authors of today's paper co authored the earlier ground breaking research two years ago which described their reverse engineered discovery of this dmp facility residing inside apples m series arm derived chips back then they raised and waved a flag around noting that what this thing was doing seemed worrisome but they stopped short of coming up with any way to actually extract information and the information that they had was made public now we don't know for sure that sophisticated intelligence agencies somewhere might not have picked up on this and turned it into a working exploit as has now happened but we do know for sure that apple apparently didn't give this much thought or concern two years ago since every one of their mac m series chips was vulnerable to exploitation several years later okay i'm going to share today's research abstract today's the updated current research abstract and introduction since it's packed with information and and some valuable perspective and then i'll break it down so they wrote micro architectural side channel attacks have shaken the foundations of modern processor design the cornerstone defense against these attacks has been to ensure that security critical programs do not use secret dependent data addresses put simply do not pass secrets as addresses for example data memory instructions yet the discovery of data memory dependent prefetchers these dmps which turn program data into addresses directly from within the memory system calls into question whether this approach will continue to remain secure this paper shows that the security threat from dmps is significantly worse than was previously thought and demonstrates the first end to end attacks on security critical software using the apple m series dmps under girding our attacks is a new understanding of how dmps behave which shows among other things that the apple dmp will activate on behalf of any victim and attempt to leak any cash data that resembles a pointer from this understanding we design a new type of chosen input attack that uses the dmp to perform end to end to end key extraction on popular constant time implementations of classical and post quantum cryptography and by way of introduction for over a decade modern processors have faced a myriad of micro architectural side channel attacks for example through caches tlb's you know translation look aside buffers branch predictors on chip interconnects memory management units speculative execution voltage frequency scaling and more you know as we know even like the sound of the power supply changing can can leak information they said the most prominent class of these attacks occurs when the program's memory access pattern becomes dependent on secret data for example cash and tlb side channel attacks arise when the program's data memory access pattern becomes secret dependent other attacks for example those monitoring on chip interconnects can be viewed similarly with respect to the program's instruction memory access pattern this is led to the development of a wide range of defenses including the ubiquitous constant time programming model information flow based tracking and more all of which seek to prevent secret data from being used as an address to memory control flow instructions recently however augury that's what they called their first research two years ago AUG URI and it related to an auger being used demonstrated that apple m series CPUs undermine this programming model by introducing a data memory dependent pre-feature that will attempt to pre-fech addresses found in the contents of program memory thus in theory apples dmp leaks memory contents via cash side channels even if that memory is never passed as an address to a memory control flow instruction okay and I as again I will explain exactly what all that means I got a couple paragraphs left they said despite the apple dmp's novel leakage care capabilities its restrictive behavior has prevented it from being used in attacks in particular augury reported that the dmp only activates in the presence of a rather idiosyncratic program memory access pattern where the program streams through an array of pointers and architecturally de-references these pointers this access pattern is not typically found in security critical software such as side channel hardened constant time code hence making that code impervious to leakage through the dmp with the dmp's full security implications unclear in this paper we address the following two questions do dmp's create a critical security threat to high value software and can attacks use dmp's to bypass side channel countermeasures such as constant time programming this paper answers the above questions in the affirmative showing how apples dmp implementation poses severe risks to the constant time coding paradigm in particular we demonstrate end-to-end key extraction attacks against four state-of-the-art cryptographic implementations all deploying constant time programming and just to be clear when they say end-to-end attacks they mean they run something and they get the key meaning all the work is done nothing left for the reader to to to finish you know this thing works okay as we've had the occasion to discuss through the years on this podcast the performance of dram the dynamic ram memory that forms the bulk of our systems memory has lagged far behind the memory bandwidth demands of our processors through the years we've been able to significantly increase the density of dram but not its performance and as we know even the increase in density has met with challenges in the form of susceptibility to adjacent row interference which led to the various dram hammering attacks but on the performance side the saving grace has been the processor memory access patterns are not linear and non-repetitive they are typically highly repetitive the programs almost always loop meaning that they're executing the same code again and again over and over and that in turn means that if a much smaller but much faster cache of memory is inserted between the main dram and the processor the processors repetition of the same instructions and often the data for those instructions can be fulfilled much more quickly from the local cache than from main memory during our discussions of speculative execution we saw that another way to speed up our processors was to allow the processor to run well ahead of where execution was and if the code encountered a fork in the road in the in the codes flow it would fetch a head down both paths of the fork so that once the path to be taken became known whichever way that went the system would already have read the coded instructions for that path and have them ready to execute in practice this is accomplished by breaking our processors into several specialized pieces one being the prefetch engine whose job it is to keep the execution engines fed with data from main memory many instructions do not make any main memory accesses they might be working only within the processors internal registers or within what's already present in the processor's local cache so this gives the prefetching engine time to anticipate where the processor might go next and to guess at what it might need in a modern system there's never any reason to allow main memory to sit idly by not even for a single cycle a good prefetching system will always be working to anticipate its processor's needs and to have already loaded the contents of slower DRAM into the high speed cache when the processor gets to needing it okay now let's add one additional layer of complexity one of the features of all modern processor architectures is the concept of a pointer a location in memory or the contents of a register could contain an object's value itself or instead it could contain the memory address of the object in that second case we would say that the value in the memory or register contains instead of the value of the object itself a pointer to the object as a coder i cannot imagine my life without pointers they are absolutely everywhere in code because they are so useful we need one bit of new vocabulary to talk about pointers since a pointer is used to point to or refer to something else the pointer contains a reference to the object so we call the act of following a pointer to the object de-referencing the pointer we'll see the researchers using that jargon in a minute but first let's think about that cache filling prefetch engine its entire reason for existence is to anticipate the future needs of its processor so that whatever the processor wants will already be waiting for it and instantly available from its cache the processor the processor will think that its prefetch engine is magic so one evening probably about seven years ago some apple engineers are sitting around a white board with a bunch of half eaten pizzas their brainstorming ways to further speed up apples proprietary silicon given the time frame this would first be able to appear in their a14 bionic processor so one of them says you know we're already doing a great job of fetching the data that the processor is going to ask for but when we fetch data that contains what looks like pointers we're not fetching the data that those pointers are pointing to if the data really are pointers then there's a good chance that once the processor gets its hands on them it's going to be asking for that data next we could anticipate that and have it ready to just in case it might be useful I mean what's the whole point of being a prefetching engine I mean right that's the whole point that's what we're here for now at this point the pizza is forgotten and several in the group lean forward they're thinking about the kinds of cars they're going to be able to get with the raises this idea we'll earn them then they realize they need to make it work first although they're immediately hooked by the idea because they know there's something there one of them plays devil's advocate saying but the cash is context free what he means by that is that the prefetch engine sees everything as data it's all the same to it the prefetcher doesn't know what the data means it has no meaning in DRAM it's all just mixed bites of instructions and data it's a hodgepodge it's not until that data is fetched from the cash and is actually consumed by the processor that the data acquires context and meaning the answer to the but the cash is context free guy is yeah and so what if some data that's being added to the cash looks like a pointer and if it's pointing into valediram memory what's the harm in treating it as a pointer and going out and also grabbing the thing that it might be pointing to if we have time and we're right it's a win for the processor the processor won't believe it's luck in already having the thing it was just about to ask for already magically waiting there in its local cash so finally after their last dry erase marker stops working from the hastily scribble of diagrams on their whiteboards they're satisfied that they're really onto a useful next generation optimization so one of them asks okay this is good but it needs a name what are we going

[43:40s-43:49s]: to call it one of them says well how about data memory dependent prefetching or DMP for short

[43:50s-55:18s]: so here we've just seen a perfect example of where and how these next generation features are invented over pizza and dry erase markers and it's also easy to see that the security implications of this don't even make it onto the radar all they're doing after all is anticipating a possible future use of what might be a pointer and prefetching the thing it's pointing to in case they're right and it is a pointer and in case the processor might eventually ask for it it's disconnected from whatever the processor is doing right it's a data memory dependent prefetcher what this amounts to is a somewhat smarter prefetcher it cannot be certain whether it's fetching a pointer but in case it might be it'll just jump ahead even further to also prefetch the thing that what might be a pointer may be pointing to okay so now let's hear from the geniuses who likely also consume their share of pizza while they scratch the itch that apparently been lingering with at least three of them for a couple of years ever since that first bit of work when they discovered that apple had dropped this memory that this data memory dependent prefetcher into their silicon here's how they explain what they came up with they said we start by re-examining the findings in augery here we find that augery's analysis of the DMP activation model was overly restrictive and missed several DMP activation scenarios through new reverse engineering we find that the DMP activates on behalf of potentially any program and attempts to dereference the data brought into cache that resembles a pointer this behavior places a significant amount of program data at risk and eliminates the restrictions reported by prior work finally going beyond apple we confirm the existence of a similar DMP on intel's latest 13th generation rap door lake architecture with more restrictive activation criteria next we show how to exploit the DMP to break security critical software we demonstrate the widespread presence of code vulnerable to DMP aided attacks in state of the art constant time cryptographic software spanning classical to post quantum key exchange and signing algorithms okay and then finally this last bit is the key to everything i'll read it first then i'll take it apart they said our key insight is that while the DMP only dereferences pointers an attacker can craft program inputs so that when those inputs mix with cryptographic secrets the resulting intermediate state can be engineered to look like a pointer if and only if the secret satisfies an attacker chosen predicate for example they said imagine that a program has secret s takes x as input and computes and then stores y equals s x or with x to its program memory the attacker can craft different x's and infer partial or even complete information about s by observing whether the DMP is able to dereference y we first use this observation to break the guarantees of a standard constant time swap primitive recommended for using cryptographic implementations we then show how to break complete cryptographic implementations designed to be secure against chosen input attacks okay so they realized that apples DMP technology is far more aggressive than they initially appreciated it is busily examining all of the data that's being put into the cache for all of the processes running in the system it's looking for anything that looks pointer like and when found it's going to go out and pre-fetch that because it may be pointing to something that the process is going to ask for in the future their next step was to realize that since this pointer like behavior is highly prone to producing false positive hits which would pre-fetch miscellaneous bogus data and since it operates indiscriminately on any and all data in the system they can deliberately trick apples DMP system to misfire when it does it will pre-fetch data that wasn't really being pointed to and they can use standard well understood cache probing to determine whether or not the DMP did in fact misfire and pre-fetch since the cause of that mixes secrets with what they provide it reveals information about the secret they induce the isolated process containing the secrets to perform a large number of cryptographic operations on their deliberately crafted data while using the now well understood behavior of the DMP to create an inadvertent side channel that leaks the secret key even though the cryptographic code itself is being super careful not to behave differently in any way based upon the value of the secret key in other words it's being betrayed by this advanced operation of the pre-fetching cache that the codes care doesn't matter because the cryptographic code you know as I said is being betrayed what I just explained is a version of what these very clever researchers revealed to Apple back 107 days ago from last Thursday in early December last year so what does Apple do about this you know this does seem like the sort of thing Apple ought to be able to turn off one of the things we've learned is that these initial nifty seeming slick performance optimizations like Specter meltdown and all the others always seem to come back to bite us sooner or later so the lesson we absolutely as an industry have to take away and you know surprising we haven't yet is it anything like this should have an off switch and what do you know it may have been and likely was in reaction to these researchers initial augury DMP paper back in 2022 that Apple added that off switch to their M3 chip Apple announced it on October 30th last year the day before Halloween and that M3 has can have DMP turned off I've heard but I haven't confirmed that Apple's own crypto code is flipping DMP off during any and all of their own cryptographic operations so it may only be non-Apple crypto code running on max that are endangered on M3 based machines the researchers cite their compromise of the Diffie Helman key exchange in open SSL you know not an Apple library and the RSA key operations in the Go language library so again not Apple's so what about the non M3 chips the Apple A14 Bionic the M1 and the M2 well it turns out that these so-called SOC you know systems on a chip all have multiple cores and the cores are not all the same type only half of the cores are vulnerable because only half of them incorporate the DMP apples M series have two types of cores the bigger firestorm cores also known as a performance cores and the smaller ice storm cores also known as the efficiency cores on the M1 and M2 chips only the firestorm performance cores offer the problematic DMP prefetching system so all Apple needs to do is to move their crypto over to the smaller efficiency cores crypto operations will run more slowly there but they will be completely secure from this trouble so is Apple going to do any of these things have they already the press thinks that nothing has been done yet I find that curious given that the concerns are real and that solutions are available but so far all the press has reported now again Apple knew about this in early December all the press has reported that Apple has been curiously mute on the subject they Apple just says no comment this is doubly confounding given that Thursday's research disclosure came you know as no surprise to them right you know and also that the fire star that the firestorm of truly over the top apoplectic and apocalyptic headlines that have ensued as a result you know really does need a response I imagine that something will be forth coming from Apple soon until then for what it's worth the attack if it were to happen would be local and would be targeted and would require someone arranging to install malware onto the victim's machine it's not the end of the world and as I'm always saying around here anyone can make a mistake but Apple's customers would seem to need and deserve more than silence from Apple

[55:19s-55:30s]: so if we ought to hear something but at least now we understand exactly what's going on and by the way somebody can install that on your system they can also just put a keystroke logger on there

[55:30s-55:35s]: there's all sorts of ways they can get full access that's you know right in fact that's probably

[55:35s-55:40s]: a lot easier to do it some other way than a side channel tech does it take a lot of

[55:40s-55:47s]: monitoring and trial and error to have this site no no it doesn't take it takes an hour and you get

[55:47s-55:54s]: the key okay and so so you actually do get a secret that what was trying to be protected so I

[55:54s-56:04s]: could see a nation state saying oh good all right we'll do is we'll get this on there through some other malware exploit we'll run it and then we'll erase all traces guy I'll never know he was

[56:04s-56:09s]: hacked but we've got the key and we've got the key forever uh I'm not going to wait until he changes

[56:09s-56:16s]: and yeah and and the point I made was that you know when this became public two years ago

[56:17s-56:29s]: you know these guys apparently stopped their research we don't know that the NSA did the NSA might have gone hey that's interesting let's take a look at that oh okay if the NSA could

[56:29s-57:03s]: NSA has probably been working on the same thing forever right I mean they know about these side channel attacks they know about speculative execution they know what specter and meltdown produced on a x86 platforms I'm sure they were looking for it too just whose professors are better I guess yeah hopefully we have good props I think we have good props in the NSA good will hunting not with standing mr. Steve Gibson ladies and gentlemen happy birthday Steve thank you very very nice you're getting there one more year and it's going to be a big one we're going to have to big party for

[57:03s-57:23s]: you I know let's just I just hope there's no loss of function I want to know I know I know my current rate it's fine getting old's not so bad as long as the body understands it needs to continue doing everything properly and then you know well and and objectively the sad thing is I mean I

[57:23s-57:29s]: feel great I don't have lost any my energy or anything but objectively you look at 80 year old

[57:30s-57:37s]: and there they know they have not much you can do to slow that down my mom's 92

[57:38s-57:45s]: and 91 and I you know I you know she's still going strong I'd be happy if I were I were her shape

[57:45s-57:50s]: in 20 years she's in bed she's 13 years I don't think you'd be right and spin right 10

[57:51s-58:09s]: but let's hope you're doing some fishing I don't know I might keep like might keep the brain sharp I know look what I'm working on you know I'm trying to keep the brain sharp I'm I'm just going on here so I'm having a lot of fun with the code coding I feel like if I can do this I still have something

[58:09s-58:15s]: upstairs I love to code coding it's so much there's I'm so happy yeah really is so much fun

[58:17s-58:20s]: fact I had kind of a breakthrough this morning that's why I'm kind of looking at this

[58:21s-58:29s]: cool yeah day 19 on that kind of code it's a lot of fun Steve Gibson lives at grc.com the Gibson

[58:29s-59:55s]: research corporation.com that is where you'll find of course spin right the world's finest hard drive actually all mass storage maintenance and recovery utility six point ones out kids go on and get yourself a copy and if you already have a copy that will browse around there's all sorts other wonderful stuff including this show you'll find it actually a couple of unique versions of this show at grc.com the 16 kilobit audio which is the smallest audio version of the show he also has a 64 kilobit audio which sounds a lot better he also has transcripts handcrafted by Elaine Ferris so you can read along as you listen or search or do what is feed him to your AI and have make an a i Steve whatever it is that you need to do you can do it with those grc.com we are at twit.tv and of course the security now shows twit.tv slash s n we have 64 kilobit audio as well but our unique format is video you can watch Steve's smile and face you can watch us do the show every Tuesday right after mac break weekly usually works out to around 130 pm pacific 4 30 eastern 2030 UTC and we stream that live on youtube youtube.com slash twit so tune in when the show begins tune out when the show is over but though you know if you you know if you subscribe and you hit the bell

[59:55s-00:00s]: then you get a notification whenever that's about and try not to tune out before the show is over

[00:00s-00:05s]: well there I thought in the discord I noticed a couple of people saying okay I don't

[00:05s-00:10s]: understand I think I'll leave now I always just trying to let it drift over my head and hope that

[00:10s-00:15s]: it will see pin at some point that's that's exactly I've I've often suggested exactly that's

[00:15s-00:20s]: what goes more about the details you just get the feel for yeah I've learned a few things you know

[00:20s-00:25s]: from listening to the show over the last what is it 15 16 years something like that honey we're

[00:25s-00:33s]: on year 21 21 or the 19 20 yeah because we twit itself will hit it's 19th birthday is next month

[00:33s-00:39s]: isn't a couple of weeks it okay so you're a little younger than that just a tad so you are in

[00:39s-00:46s]: your 20th year you will be in your 20th year soon yep which is kind of mind-boggling I didn't even think

[00:46s-00:54s]: podcasting the last 20 months long time episode 967 yeah have a great birthday I hope you get some

[00:54s-01:05s]: cake you know I bet you Lori right now she's got the apron on she's she's whipping up the batter just going you know we should go make you a nice cake a little coconut cream icing on top

[01:05s-01:11s]: something she's gonna be cooking a nice medium rare steak that's all you care and a little cap

[01:11s-01:18s]: a little Santa Cruz mountain cab that's a great idea thank you Steve have a great week and all

[01:18s-01:28s]: of you thank you especially to our club to it members who make this show possible if you're not a member seven bucks a month to the TV slash club to it take care Steve bye buddy see you next week

[01:29s-01:34s]: oh is it still gonna be March or is it eight no it'll be April see you in April cool the

[01:34s-01:40s]: vlog and prosper mr gibson bye bye

[01:48s-02:18s]: waiting on a tax return hopefully it ends up in your hands fraudulent tax returns due to identity theft increased by 30% in 2023 if you're in a bind this tax season life lock and help our us based restoration specialists are experts dedicated to helping solve your identity theft issues and all life lock plans are backed by the million dollar protection package so we'll reimburse you up to the limits of your plan if you lose money due to identity theft help protect your information this tax season with life lock save up to 25% your first year at lifelock.com slash aware