Think your mouse is harmless? Steve and Leo uncover how modern optical mice might be secretly "listening" in, and reveal why satellite data pouring down on us is almost entirely unsecured.
- The long awaited lawsuit to block Texas SB2420.
- Embattled Texas SB2420 also impacts Google Play.
- At long last, NIST modernizes their password policy.
- Scattered LAPSUS$ Hunters demise was exaggerated.
- China claims that the NSA has been hacking them.
- Half of all geosynchronous satellite traffic is unencrypted.
- The AWS outage highlights the rising risk of Internet monoculture.
- A terrific collection of listener feedback and...
- Could your PC's mouse have much bigger ears than you know?
https://www.grc.com/sn/SN-1048-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now.
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit
[00:00:00] It's time for Security Now. Steve Gibson is here. We're going to talk about a lawsuit aiming to block the new Texas age verification law. NIST finally gives up on its password policy, its long discredited password policy, the AWS outage, what caused it and what happened. And then is your mouse listening to you? It might be. That's coming up next on Security Now.
[00:00:32] Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1048, recorded Tuesday, October 21st, 2025. Mic-E-Mouse.
[00:00:54] It's time for Security Now. I know you wait all week for this fabulous show, the show where we cover the latest in security news, technology information, hacking, sci-fi, anything Steve Gibson's into, we're into. Right, Steve Gibson?
[00:01:12] We do try, Leo, my friend, to stay on topic because I recognize that's mostly security stuff, privacy, technology stuff is mostly what people come back for every week. But they do. We broke a record with yesterday's mailing of the show notes. We crossed 19,000 subscribers for the first time. 19,010 was our total.
[00:01:40] So I have to point out something. You are now like 4,000 more subscribers than Club Twit. So those 4,000 people, you're getting Steve's newsletter for free. You're getting the show for free. But wouldn't you like an ad-free version of it? Wouldn't you like to support it directly? Join the club, Club Twit, at twit.tv slash Club Twit. Then we can have 4,000. We should have as many members as you have newsletter subscribers. Don't you think? Feels fair.
[00:02:10] Of course, subscribing to the newsletter is free. That's what I'm saying. Oh, you think those 4,000 people are the cheapskates? I don't know what's going on. I'm just joking. We're glad to have you. Thank you. And I don't have a sense for what percentage of our listeners have subscribed. My sense is that it's even there. It's a low percentage of subscribers relative to the downloads. It's roughly 1.5% of the downloads.
[00:02:38] Yeah, I know. And so it's like the people want to listen. And I'm glad for that. You know, it's always a problem if you gave something away for free to suddenly say, hey, could you pay for it? Most people, I'm the same way. No, it's free. I'm going to stay free. And I'm going to find out about that, exactly that, when I commercialize the DNS benchmark. That's exactly right.
[00:03:02] I have no calibration on how many people would be willing to pay $10 for a dramatically improved. I mean, this thing, the thing we just did, and this is, oh God, I can't wait to talk about this at some point. I did a statistical analysis that demonstrated that there is so much uncertainty in DNS timing, not due to the resolvers at the other end, but due to the internet, which is in between,
[00:03:32] that to actually get statistically significant results requires many more tests than the benchmark has ever been performing. That's why every time you run, you ran the benchmark, you kind of got the same answers, but they differed not because the resolvers were of any different speed, but it turns out that, you know, statistics is weird.
[00:03:57] You, you, if you toss a coin, that should be the title of this show. I'm just going to say right now, statistics is weird. If you tossed a coin three times, there's a one in eight chance, actually one in four chance there, you know, 25% chance you would get all heads or all tails. Yes. So a three, a three toss coin, three coin toss, whatever, you know what I mean?
[00:04:24] You might be led to believe that there were heads on both sides or tails on both sides, that it was a bogus coin. That wasn't actually 50, 50, because in three tosses, 25% of the time, you're going to get all the same outcome. So what we've learned, and this was only just recently, I've, I've added the ability to dramatically increase the number of samples, which the benchmark takes.
[00:04:52] And we're getting far better results that, I mean, like consistent reports now where all of the resolvers from the same provider end up grouping together on the chart, which you'd kind of expect, but it actually happens now. But only when you take many more samples. Anyway, the point is that the, the, what I'm going to be offering soon for 10 bucks blows
[00:05:18] away the free one, but again, I don't have any idea how, I mean, free is free, right? And asking someone to pay anything is, is a heavy lift. I get it, but I have to think that you are a unique case that people will pay for something, even if they were getting it for free before, just because they want to support you. I really think this is true of you, Steve.
[00:05:43] I hope that's the case because I need the support in order to keep doing all this. I have, I have one note. They just, they just feel good about you and they just, you know, they're not, they're not looking for anything out of it. They just want to support you is my guess. Which is, I really appreciate it. It makes all this possible. It makes possible podcast number 1048 titled Mic-E-Mouse, obviously a play on Mighty Mouse.
[00:06:10] And I had to ask, is it Mick E mouse or, and you said, no, this is a mic we're talking about. We're going to answer the question. Could your PC's mouse have much bigger ears than you know? Oh no. Oh, now I'm scared. Oh boy. You thought that bag of chips laying on the table might give away the conversation in the house. Turns out it's worse than that.
[00:06:37] We're going to look at the long awaited lawsuit to block Texas SB 2420, which happened last week, just after last week's podcast. When I mentioned that is, it's kind of odd that there's been no legal challenge to this very worrisome law that takes effect on January 1st. Um, uh, and also take a look at how it's going to affect Google Play and their plans. We looked at Apple in detail last week.
[00:07:05] Oh my God, Leo, at long last NIST has formally modernized their password policy and they fixed it. You mean I don't have to change my password every three months? Isn't that insane? No, you no longer do. And we'll have something that all of our listeners can wave in the face of their employers, IT people and say, okay, fix this. This has always been dumb. Now it's officially dumb.
[00:07:35] Uh, also it turns out we now have much better proof that the Scattered LAPSUS$ Hunters group, that their demise that I reported wrongly, it turns out a couple of weeks ago, was indeed exaggerated. Uh, finally, China is claiming that the NSA has been hacking them. Yay. We'll explain that. Uh, it turns out. They've been hacking us. It's only turnabout is fair play. Yes. Come on.
[00:08:04] So, uh, it turns out also half of all geosynchronized, geosynchronous satellite traffic is unencrypted. Who knew? Yeah. Amazing. Yes. Uh, also I'm going to work. We'll touch on yesterday's AWS outage, which I agree with the take that The Guardian had. It highlights the rising risk of something you and I have talked about relative to browsers
[00:08:33] often, which is any kind of an internet monoculture, you know, all the eggs in one basket go better not drop that basket. Um, and we got a collect, a terrific collection of listener feedback, and then we're going to look at, you know, another new side channel attack. Who would have ever imagined that people's mice could actually be picking up the audio of conversations around them? Wow. Uh, and guess what made it possible? I'm going to, I got to guess.
[00:09:03] Is it rattling balls? It's, uh, well, yeah, you want to, no, I don't think a rattling ball, the balls, the balls never had the resolution of a good old optical sensor. So, uh, Oh yeah, that's right. My, my balls, you ever roll them around your hands? They were neat. They were rubber. Yeah. They were heavy. They were metal with rubber coatings on them. Yeah. Yeah. I like those. Uh, we got a great picture. Excellent transducers for a microphone, but I guess since we don't have those, we'll find
[00:09:33] something else to rattle. If you will, let's, uh, let's move on. Shall we? Uh, we're going to get to that in just a moment, but first to end the picture of the week, which looks pretty funny. I haven't seen it. I haven't seen it. I like to preserve my virgin eyeballs. This will take a little bit of visual parsing, but you'll get, yeah. Okay. We'll see it together. I always see the caption, but I don't scroll up. So, Hmm. Hmm. Okay. Okay.
[00:10:02] First though, a word from our sponsor, Melissa. We love Melissa. They've been, you know, Melissa has been around since 1985, the trusted data quality expert. That's a long time, 40 years of experience and domain expertise. And Melissa puts every one of those years into every verified address worldwide. They are the best. I'll give you an example. Burbank, California, the city of Burbank.
[00:10:29] It's known as the media capital of the world, located in the LA area. The city has increased their address accuracy. And this is important because they use it for citizen services, for census data, for collaboration with the state and federal governments.
[00:10:46] The city's GIS manager, who loves Melissa, had this to say, quote, Melissa's address formatting was in line with our existing data and GIS location accuracy matched 99.9% of the time. Far better than competitive solutions compared in testing. Melissa's address keys were precisely located on top of buildings, while alternatives wouldn't even land on the building or even register the correct street.
[00:11:13] You better believe Burbank uses Melissa. While address verification is, of course, Melissa's foundation, their bread and butter for 40 years. They are data scientists. So Melissa's data enrichment services go far beyond simple address validation. Organizations build a more comprehensive, accurate view of their business processes by using Melissa as part of their data management strategy. I'll give you an example. HealthLink Dimensions.
[00:11:38] They provide healthcare database products for the pharmacy, healthcare, medical device and insurance industries. They help them efficiently target their primary markets and so forth. HealthLink, it's a big operation. They have demographic files totaling over 2.3 million physicians and allied health professionals. That's pretty much all of them.
[00:11:59] To manage this complex data, HealthLink's director of database services needed the Melissa data quality suite's flexibility and ease of integration. This is the quote. This is from HealthLink. The main strength is Melissa's ability to easily integrate with our custom .NET applications and SQL procedures. We've written several internal applications and services that use each of the objects of the Melissa data quality suite.
[00:12:26] Actually, with both of those quotes, the important bit is it works with the stuff you already have, the data you already have, the processes you already have. And of course, you never have to worry about your data with Melissa. Your data is safe with them, compliant and secure. Melissa's services and solutions are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC 2 and HIPAA/HITRUST standards for information security management. Melissa's the best.
[00:12:55] Let's get started today with 1,000 records cleaned for free at melissa.com slash twit. That's melissa.com slash twit. We thank Melissa so much for supporting Steve and Security Now. All right. Let me see here. Do I have my extra camera? Yes, I do. All right. I'm ready to scroll up whenever you want to talk about it here. Our listeners had a lot of fun with this.
[00:13:23] Those who subscribe to the email and saw this yesterday. I gave this picture the title, when an interlock must be very clear and must absolutely, definitely never fail. Okay. All right. I don't know. I don't even know. We have. That looks dangerous, man. I hope that handle is somehow insulated. Well, I don't think it needs to be.
[00:13:53] It's not electrical? For those who don't see the picture, we have a pair of apparently very high current toggle switches, like light switches, where up is on and down is off.
[00:14:16] And for whatever reason, you'd absolutely never want them both to be on at the same time, or apparently there would be fire and explosions. I get it. I get it now. Wow. So somebody, and I don't know if this was an off-the-shelf handle. I doubt it. Oh, yeah. I mean, it's like you got it at the hardware store, for sure.
[00:14:43] It would be more like, you know, you talk about the horses escaping after the barn doors. Yeah, or your fence would have this. Your fence could have this. Some heavy-duty fence has this thing where a handle is used to slide a bar back and forth. Well, this has been jury-rigged in between these two big switches.
[00:15:04] And it's totally intentional because the switches are positioned on the wall exactly, precisely, so that the interlock fits right in that gap there. Yes, exactly. Yes. This was an intentional design. Yes. Wow. Somebody said there is no provision for absolutely making sure that these cannot both be on at the same time. Presumably, you know, who knows?
[00:15:33] They're feeding to the – I think maybe I'm seeing like a loop at the bottom. I didn't really look at it, but to me, it looks like maybe the bottoms of these are connected together. You sort of see it on the lower – on the left unit, the bottom right wire looks like it bends and then goes over to the other unit. So I'll bet you that these are two different feeds that go to the same place.
[00:16:03] And if you turn them both on, they would short those two feeds and, again, something would explode. So somebody said, okay, we need to be able to choose A or B, but we don't have an A or B choosing switch. We only have two on-off switches. How could we solve that, said Moe, Larry, and Curly. Exactly.
[00:16:27] Using a lock from a barn door from the 1920s. That's hysterical. Yeah. Thanks again to our listeners. It looks like something Burke might have designed. It does. It does. That's very funny. But Burke, your solutions work. And it does too. It works. Okay.
[00:16:48] So our coverage of the pending enactment of that new Texas SB2420 legislation galvanized our listeners and generated quite a bit of feedback. Because, I mean, this is a mess. Insane. I mentioned last Tuesday that there was still no sign of any legal challenge to that legislation. But then last Friday, to no one's surprise, that situation changed. Ars Technica's headline read,
[00:17:16] Big Tech sues Texas. Says age verification law is, quote, broad censorship regime. Ars gave it the teaser line, Texas app law compared to checking IDs at bookstores and shopping malls. So here's what they wrote to get a sense for the flavor of the attack.
[00:17:40] And this, by the way, well, in fact, they said Texas, they wrote, is being sued by a big tech lobby group over the state's new law that will require app stores to verify users' ages and impose restrictions on users under 18.
[00:17:57] The lawsuit brought by the Computer and Communications Industry Association, the CCIA, alleges, quote, the Texas App Store Accountability Act imposes a broad censorship regime on the entire universe of mobile apps in a misguided attempt to protect minors. Texas has decided to require proof of age before anyone with a smartphone or tablet can download an app.
[00:18:27] Anyone under 18 must obtain parental consent for every app and in-app purchase they try to download from e-books to email to entertainment, unquote.
[00:18:40] Ars wrote, the CCIA said in a press release that the law violates the First Amendment by imposing, well, again, a lot of use out of our First Amendment, Leo, violates the First Amendment by imposing, quote, a sweeping age verification, parental consent, and compelled speech regime on both app stores and app developers, unquote.
[00:19:04] When app stores determine that a user is under age 18, quote, the law prohibits them from downloading virtually all apps and software programs and from making any in-app purchases unless their parent consents and is given control over the minors' account, unquote.
[00:19:26] The CCIA said, quote, minors who are unable to link their accounts with their parents or guardians or who do not receive permission would be prohibited from accessing app store content, unquote. OK, so, yes, as we understand it, that's all completely true. And it's, moreover, exactly the law's intent. It's not like the law was, you know, written in an overbroad fashion.
[00:19:55] No, they, this is what they want in Texas. Ars continued saying the group said the law requires app developers, quote, to age rate their content into several subcategories and explain their decision in detail. And, quote, notify app stores in writing every time they improve or modify the functions, features or user experience of their apps, unquote.
[00:20:22] The lawsuit says the age rating system relies on a vague and unworkable set of age restrictions. The lawsuit claims, quote, so here's the argument against the law in the lawsuit, which reads, our Constitution forbids this. None of our laws require businesses to card people before they can enter bookstores and shopping malls.
[00:20:48] The First Amendment prohibits such oppressive laws as much in cyberspace as it does in the physical world, unquote. Ars said the lawsuit was filed in the U.S. District Court for the Western District of Texas. CCIA members include Apple and Google, which have both said the law would reduce privacy for app users.
[00:21:12] The companies recently described their plans to comply, saying they would take steps to minimize the privacy risks. The Texas App Store Accountability Act is similar to laws enacted by Utah and Louisiana. The Texas law is scheduled to take effect on January 1st, 2026, while the Utah and Louisiana laws are set to be enforced starting in May and July, respectively.
[00:21:39] So we're only talking about Texas now because it's like 70 days away from today. And, you know, Utah and Louisiana will hopefully fall under the same umbrella, depending upon how this all happens. And there is something new and interesting. Ars also wrote, the Texas law is also being challenged in a different lawsuit filed by a student advocacy group and two Texas minors.
[00:22:09] Attorney Ambika Kumar of Davis Wright Tremaine LLP said in an announcement of the lawsuit, quote, The First Amendment does not permit the government to require teenagers to get their parents permission before accessing information, except in discrete categories like obscenity.
[00:22:31] The Constitution also forbids restricting adults access to speech in the name of protecting children. This law imposes a system of prior restraint on protected expression that is presumptively unconstitutional. Now, that's interesting. But that argument was also tried in the argument against Texas HB 1181, as we covered previously.
[00:23:01] Here are a few choice and chilling tidbits from those proceedings. The Supreme Court said the First Amendment leaves undisturbed states' traditional power to prevent children from accessing speech that is obscene from their perspective.
[00:23:19] Because no person, adult or child, has a First Amendment right to avoid age verification, the statute requires only what's known as intermediate scrutiny. And from the Supreme Court's further opinion, they wrote, submitting to age verification is a burden on the exercise of adults' rights.
[00:23:44] But adults have no First Amendment right to avoid age verification, and the statute can readily be understood as an effort to restrict minors' access. In other words, the Supreme Court is agreeing with what Texas is doing and has said so in their formal opinion on HB 1181.
[00:24:08] And that sure does seem to cover what the Senate then, the Texas Senate, did with SB 2420. So this is really going to be interesting. Ars said, Davis Wright Tremaine LLP said the law, quote, extends far beyond social media to mainstream educational, news, and creative applications, including Wikipedia, search apps, and internet browsers.
[00:24:37] Messaging services like WhatsApp and Slack, content libraries like Audible, Kindle, Netflix, Spotify, and YouTube. Educational platforms like Coursera, Codecademy, and Duolingo. News apps from the New York Times, the Wall Street Journal, ESPN, and The Atlantic. And publishing tools like Substack, Medium, and CapCut.
[00:25:01] So, you know, sounds like there's some good counterargument and pushback here. And I'm sure they're correct. Although, unfortunately, this is exactly the law's intent. It's a feature, not a bug.
[00:25:19] They wrote, both lawsuits against Texas argue that the law is preempted by the Supreme Court's 2011 decision in Brown v. Entertainment Merchants Association, which struck down a California law restricting the sale of violent video games to children.
[00:25:40] The Supreme Court said in Brown that a state's power to protect children from harm does not include a free-floating power to restrict the ideas to which children may be exposed. So, the tech industry has sued Texas over multiple laws relating to content moderation, Ars wrote.
[00:26:02] In 2022, the Supreme Court blocked the Texas law that prohibits large social media companies from moderating posts based on a user's viewpoint. Litigation in that case is ongoing. In a separate case decided in June of 2025, and this is the one, the HB 1181 law, they said the Supreme Court upheld a Texas law that requires age verification on porn sites.
[00:26:31] So, it may be that the way this ends up cutting is that SB 2420, because it attempts to encompass all downloads of anything, is what will end up being ruled as too broad, and that it'll get pulled back so that it's only age-restricted content that needs to get parental approval. You know, that looks like that may be the way this thing survives.
[00:27:01] You're acting like this is all rational and that the courts are acting rationally. Look at what Australia is doing. On December 10th, if you're under 16, you will not be allowed to use social media in Australia. And they have made no provision for how that gets solved. And we've just seen that with Mississippi. That is the current law in Mississippi. Same thing. It's all social media for a minor. No.
[00:27:29] Seems like that would fail. I'm not taking a position or suggesting this is rational or not, Leo. I'm just looking. I'm just reporting like this is what's happening. You know, we were shocked. We were shocked when the Supreme Court said of the Texas pornography law, yeah, sorry, adults, you need to prove that you're an adult.
[00:27:54] And if that requires that you turn over your identity, then that's not an undue burden. That's insane. Of course it is. Yeah, because it means basically everybody, not just children, but everybody has to offer federal or state IDs, some sort of government ID. Adults need to prove they're not children. And there's no privacy enforcing way to do that today. Right. Right.
[00:28:22] So as I said, January 1st happens to be exactly to the day, 70 days away from today. Ten weeks. So not a lot of time for this to get resolved. But with any luck, it will be that time that will, you know, bring this to the court's attention. It'll run through appellate court and then probably get turned back over to the justices again with the Supreme Court.
[00:28:49] And last time they said, no, sorry, adults, you need to prove that you are an adult if you want to watch pornography. And so instead, the porn sites just left Texas. Yeah. The Supreme Court decision with Texas said the adults have no First Amendment right to avoid age verification. Exactly. Okay. Oh, wow. Yeah.
[00:29:20] Okay. So Google Play. They're going to be impacted by this in 10 weeks, in 70 days. We know that Apple has informed their developers that new APIs would be available, quote, later this year, even though there's not much left of this year to be later than. Okay. Okay. Okay. But, you know, these are not hard problems to solve in code. I'm sure Apple has this stuff commented out of their code. They just have to remove the comments.
[00:29:50] Meanwhile, Google just posted something similar for their Play Store app developers under their headline, changes to Google Play for upcoming app store bills, meaning legislation, legislation for users in applicable U.S. states.
[00:30:08] They wrote, a few U.S. states currently, Texas, Utah, and Louisiana, have recently passed verification laws requiring app stores to verify users' ages, obtain parental approval, and provide users' age information to developers. These laws also create new obligations for developers.
[00:30:31] And that's the other thing, Leo, is look at all the apps that are out there that are impacted by this. Again, legislation without any concern for the consequences to the ecosystem that exists. These laws, they wrote, also create new obligations for developers who distribute their apps through app stores in these states.
[00:30:57] The effective dates for these laws, applicable for both developers and Google Play, are quickly approaching and present short implementation timelines across the ecosystem. While we have user privacy and trust concerns with these new verification laws, Google Play is designing APIs, systems, and tools to help you meet your obligations.
[00:31:25] Given the significant implications of these changes across the ecosystem, we're working to keep Play a trusted experience for everyone, while also providing you information to support your preparations. Our plan to support you: the first app store bill to take effect is Texas SB 2420 on 1 January 2026.
[00:31:51] We understand that significant work may be needed for you to make changes to your apps. To help you, we plan to provide, and they have three things. A new Play API. For users in these states, your app will be able to receive users' age verification or supervision status, age ranges, and other applicable signals.
[00:32:18] Okay, of course, something upstream has to make that possible, right? So this is an API that apps will be able to call upon to obtain information which the phone has, which the phone has to obtain somehow. So Google will be, you know, sourcing this information downstream to the apps running on its platform. Second, Play Console features.
[00:32:47] You will have the ability to notify Google Play of a significant change in Play Console without publishing a new version of your app. Additionally, you'll also get a report in Play Console showing when a parent revokes approval for your app, because that's also something that the law allows, is, you know, after-the-fact approval if a parent changes their mind. And third, trust and safety requirements.
[00:33:15] They said to protect users, your use of this new API must comply with Google Play's requirements governing how data from the API must be handled. They said more details, because all this is a moving target happening rapidly, more details on these features and requirements will be shared in the coming weeks. Planned dates and next steps subject to change.
[00:33:39] And so they said, October 2025, sometime here, requirements and a detailed integration guide with example code for the new Play API will be published for you to get started. And then, 1 January 2026, the new Play API will be live for applicable users in Texas when the Texas SB2420 bill takes effect.
[00:34:05] They said, if you'd like to learn more or have any additional questions, please contact our support team. You know, this points out the real issue with having these app stores as the only place you can get an app for your device, because now they're a choke point the government can use to enforce this.
[00:34:24] You can't do this on a computer because any, you know, are you going to go look at all, is the state going to go look at a million apps and see if they do it? They can't. It's not practicable. It's only possible because Apple and Google have these choke points, which are their app stores. And this is just another reason why those choke points are a bad idea. And another example of a monoculture of, you know, where too much is dependent upon a single point of failure.
[00:34:54] Yeah, it's Apple and Google. Right. And by the way, you can make sure you can enforce this law because there's only two companies you have to penalize. Right. It's very simple. Right. So I'm not an attorney. We all know that.
[00:35:10] But no one needs legal training to get a definite sinking feeling from reading the opinion of the Supreme Court in that previous very similar challenge to to the previous Texas HB 1181 legislation.
[00:35:26] The court explicitly supported the requirement that anyone wishing to view age restricted content could reasonably be asked to prove their age, even if doing so required them to reveal their identity and would certainly have the effect of limiting access to content, even among those whose age would make such access legal. Doesn't matter.
[00:35:56] It's like, I don't want to tell you who I am. It's none of your business. You know, I've hardly got any hair left and it's gray. The Supreme Court said adults have no First Amendment right to avoid age verification. Wow. That's really shocking. It is. And that was Justice Thomas, who, according to reports, enjoyed some of that kind of content. That's right.
[00:36:24] Long Dong Silver. I remember that. That's right. Yeah. So all that said, though, you know, the law is a complex instrument and there could well be other factors in play with SB 2420. We won't know until we do, but we'll certainly be letting everyone know what happens as it transpires. I mean, it's true that desktop computers are a huge loophole in all this. You cannot age gate. Wait.
[00:36:52] Something doesn't have a locked in app store. Right. And you can try, but there's just. I looked at the legislation and it does. It is explicit. It is expressly and explicitly. I think this comes up in one of our feedback questions today. It is only aimed at mobile devices. Tablets, phones and tablets. Kids don't use computers. Exactly. It's like nothing else exists. Gaming platforms are excluded. TVs, PCs.
[00:37:22] It's targeted only at that, which is really like, OK, then kids are going to use their laptop. Right. This is why open computing is so important. And look, I don't want kids to be able to access pornography. That's not what we're talking about here. Absolutely. No one should get confused about that. No, we don't want government to be able to say this is what you can and cannot do.
[00:37:49] It starts with pornography, but there's then it goes to social networks. Then it goes to, I don't know, news sources or I mean, there's a lot of things government would like to restrict. And if there is a single point of failure that they can put pressure on, they can do it, but they can't do it on a general purpose, open computing platform. Nope. That's very sad.
[00:38:16] I suppose we're going to have to see this tied into biometrics as well, right? This is more than just here's a picture of my photo ID. How do we do it? Right. Yeah. So that's what I was always wondering is through the months our listeners have heard me saying if we're going to have any kind of effective age verification, it needs to have a biometric tie, which was why it was so odd to me that the system was in Italy. I can't remember now.
[00:38:45] I talked about a country a couple of weeks ago. It was Spain. Yes. They have a national ID system. Yes. And all you need is a PIN in order to verify your identity. It's like, oh, what? But there is. Fortunately, there's no way that teenagers can distribute things like PINs on the Internet. That's never been heard of. You would never find a PIN written on the inside of a restroom wall.
[00:39:12] No, no, no, no. But there is a requirement in the Texas legislation, the HB 1181, that defines a session during which you're authenticated of no more than 60 minutes. So you are required to re-authenticate. Continual re-authentication. Yes. This is nuts. And they would have done it every 10 minutes if it was feasible.
[00:39:40] But right now, even that, even they thought, well, we can't ask that. Yeah. OK, we're going to talk about NIST finally catching up with their password policy. And who among us might have been a little ahead of the curve? We take a sponsor break. Can you say haystacks? If you've been listening to this show, you know that we have sensible password concepts.
[00:40:08] But NIST, for some reason, well, you know, the whole thing about, well, we'll talk about it in a bit. It's a favorite topic of mine. Our show today brought to you by Hoxhunt. As a security leader, you get paid to protect your company against cyber attacks, right? That's job one these days. But it's getting harder and harder, more cyber attacks than ever. And of course, phishing emails are perfect now. They're generated with AI. No grammatical errors. Nothing wrong. It looks exactly like the real deal.
[00:40:39] This is why your legacy one-size-fits-all awareness program doesn't really stand a chance. At most, they send four generic trainings a year. Most employees ignore them. And if somebody actually clicks, then, you know, clicks one of the phishing emails, then they're forced to do embarrassing training programs that feel more like punishment. Nobody learns from something that feels like punishment. That's why more and more organizations are trying Hoxhunt.
[00:41:07] Hoxhunt actually makes it fun to learn. They go beyond security awareness. They actually change behavior and they do it in a time-honored fashion by rewarding good clicks and coaching away the bad clicks. This really works. Whenever an employee suspects an email might be a scam, click that button. Hoxhunt will tell them instantly. And, you know, you get like a gold star. It's like, oh, you get a dopamine rush.
[00:41:37] This incents your people to click, to learn, to protect your company. They're actually having fun. That's the way to learn. And you'll love it. As an admin, Hoxhunt makes it easy to automatically deliver phishing simulations in every way possible. Email, Slack, Teams. You can even use Hoxhunt's built-in AI to mimic the latest real-world attacks. So it's different every time, right? It's fun, actually, for both sides.
[00:42:07] It's a little game you're playing. Simulations are actually personalized to each employee. Based on department, location, and more. So they're really effective. And then instead of like some burdensome flash slideshow that somebody has to go through twice a year to learn, you've got instant micro-trainings that are fun. They're fast. They solidify understanding. They drive lasting, safe behaviors. Hoxhunt really works. You could trigger gamified security awareness training
[00:42:36] that awards employees with stars and badges. I know it sounds silly, but that really works. It boosts completion rates. It ensures compliance. And Hoxhunt has a huge library of customizable training packages. You can even use their AI to generate your own. It's very flexible. Hoxhunt. H-O-X-H-U-N-T. It has everything you need to run effective security training in one platform,
[00:43:02] meaning it's easy to measurably reduce your human cyber risk at scale. You don't have to take my word for it. Over 3,000 user reviews on G2 make Hoxhunt the top-rated security training platform for the enterprise, including easiest to use and best results. It's also recognized as a customer's choice by Gartner. And thousands of companies like Qualcomm, AES, and Nokia use it to train millions of employees all over the globe. It's tried and true. It's tested.
[00:43:31] Visit hoxhunt.com slash security now today to learn why modern, secure companies are making the switch to Hoxhunt. That's hoxhunt.com slash security now. H-O-X-H-U-N-T dot com slash security now. Thank you, Hoxhunt, for the job you're doing. Very important. And for supporting the job Steve's doing. Also very important on Security Now. Okay, Steve. Let's show everyone how you knew you were right from the very beginning.
[00:44:01] As all of our longtime listeners will recall, about 13 years ago, back in 2012, after spending some time on the podcast examining and sharing the details of what was then modern password cracking using high-speed hardware-assisted hashing systems,
[00:44:22] I hit upon the idea that a password's length was far more important to its provision of cracking resistance than its complexity. The idea was that if some hashing system was going to be trying every possible password of a certain minimum assumed length
[00:44:44] and then increase its guess length by one after exhausting all possible passwords of that initial length, and so on until it succeeded, then the easiest means of preventing this form of password cracking would simply be to use longer passwords, so that anyone attempting to brute force crack the password would give up long before they reached a password of the length you had chosen.
[00:45:13] The essential revelation was that if all possible passwords were going to be checked, it made no difference what characters those passwords contained since they would all be checked eventually anyway. The only thing that mattered was the password's length. This could be summed up in the time-honored way, size does matter.
[00:45:42] Searching for a name for this concept, someone in GRC's news groups suggested the proverbial needle in the haystack, which I loved. And of course, we coined that password haystacks on the webpage that I created. That page has helped people appreciate the power of the math behind the idea
[00:46:10] that longer passwords will take much longer to crack. And that was 9.3 million visits ago. So that page has been quite popular and hundreds of people visit it every day. I'm mentioning this today because although it took 13 years for NIST, the U.S. National Institute of Standards and Technology, to catch up with this idea, they finally have.
[00:46:39] Friday before last, Malwarebytes picked up on this news with their headline, your passwords don't need so many fiddly characters, NIST says. Malwarebytes wrote, it's once again time to change your passwords. But if one government agency has its way, this might be the very last time you do it.
[00:47:04] Nearly four years of work to update and modernize its guidance for how... talk about bureaucracy, after nearly four years of work. To update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their employees, the U.S. National Institute of Standards and Technology has released its latest guidelines for password creation. And it comes with some serious changes.
[00:47:33] Gone, they write, are the days of resetting your and your employees' passwords every month or so. And no longer should you or your small business worry about requiring special characters, numbers, and capital letters when creating those passwords. Further, password hints and basic security questions are no longer suitable means
[00:48:00] of password recovery and password length above all other factors, they write, is the most meaningful measure of strength. The newly published rules will not only change the security best practices at government agencies, they will also influence the many industries that are subject to regulatory compliance,
[00:48:23] as several data protection laws require that organizations employ modern security standards on an evolving basis. In short, here's what NIST has included in its updated guidelines. They have six points, six bullet points. Password complexity, special characters, numbers, is out. Password length is in.
[00:48:51] As it has been for years, they said. Regularly scheduled password resets are out. Password resets used strictly as a response to a security breach are in. Yes. Basic security questions and hints for password recovery are out. Password recovery links and authentication codes are in.
[00:49:20] They said the guidelines are not mandatory for everyday businesses, and so there's no deadline to work against. But small businesses should heed the guidelines as probably the strongest and simplest best practices they can quickly adopt to protect themselves and their employees from hackers, thieves, and online scammers. In fact, according to Verizon's 2025 data breach investigations report,
[00:49:48] credential abuse, which includes theft and brute force attacks against passwords, is still the most common vector in small business breaches. And I wonder if that includes phishing, because technically, you know, you get somebody's credential through phishing them. But anyway, Malwarebytes then went on into some additional detail, which I'm going to share because it was interesting and relevant.
[00:50:13] So they said, here's what some of NIST's guidelines mean for password security and management, just to be clear. So first, the longer the password, the stronger the defense. They wrote, password length is a primary factor in characterizing password strength, which, of course, is the point that the password haystack page has been making for 13 years. They wrote, NIST said in its new guidance,
[00:50:41] But exactly how long a password should be will depend on its use. If a password can be used as the only form of authentication, meaning that an employee doesn't need to also send a one-time passcode or to confirm their login through a separate app on a smartphone, then those passwords should be, at a minimum, 15 characters in length.
[00:51:07] If a password is just one piece of a multi-factor authentication setup, then passwords can be as few as eight characters. Also, employees should be able to create passwords as long as, wait for it, 64 characters. Yikes. Number two, less emphasis on complexity. Requiring employees to use special characters,
[00:51:36] ampersand, tilde, percent sign, number sign, so forth, numbers and capital letters, does not lead to increased security, NIST said. Instead, it just leads to predictable bad passwords. Quote, a user who might have chosen password as their password would be relatively likely to choose password followed by the numeral one
[00:52:04] if required to include an uppercase P password and a one on the end, if required to include an uppercase letter and a number or uppercase P password one exclamation point, if a symbol is also required, the agency said. Since users' password choices are often predictable,
[00:52:29] attackers are likely to guess passwords that have previously proven successful. In response, organizations should change any rules that require password complexity and instead set up rules that favor password length. Third, no more regularly scheduled password resets.
[00:52:54] They wrote, in the mid-2010s, it wasn't unusual to learn about an office that changed its Wi-Fi password, oh gosh, every week. Now, this extreme... Yeah, how handy is that? Yeah, right. Go to the coffee room or the water cooler to get today's corporate password written above on the chalkboard. Yeah, right. Wow.
[00:53:21] They said, now this extreme rotation is coming to a stop. According to NIST's latest guidance, passwords should only be reset after they have been compromised. Here, NIST was also firm in its recommendation. A compromised password must lead to a password reset by an organization or business. So, definitely if it's compromised, duh.
[00:53:50] But otherwise, never. Just make it really strong. Fourth, no more password hints or security questions. Decades ago, they wrote, users could set up little password hints to, you know, like what was your first grade, your favorite first grade teacher name or that kind of crap to jog their memory if they forgot a password. And they could even set up answers to biographical questions to access a forgotten password.
[00:54:19] But these types of questions like, what street did you grow up on? And what is your mother's maiden name are easy enough to fraudulently answer in today's data-breached world. In other words, it's easy to do some research on a person to get the actual answers of where they grew up and what their mother's maiden name was. Password recovery, they wrote, should instead be deployed through recovery codes or links sent to a user
[00:54:46] through email, text, voice, or even the postal service in extreme cases. And I think that actually our credit bureaus often use postal mail in order to do that. And fifth and final, password block lists should be used. They said, just because a password fits a list of requirements doesn't make it strong. To protect against this, NIST recommended that organizations should have a password block list,
[00:55:16] a set of words and phrases that will be rejected if an employee tries to use them when creating a password. Quote, this list should include passwords from previous breach corpuses, dictionary words used as passwords, and specific words, for example, the name of the service itself, that users are likely to choose, unquote, said NIST. So, this qualifies as big news.
[00:55:45] What NIST says, paradoxically, matters, since it drives official corporate and government policy. Although NIST has slowly been coming around for some time, through the years, we've heard from so many of our listeners whose employers have been enforcing NIST's earliest, arguably crazy guidelines,
[00:56:13] which required, for example, passwords to be changed regularly every 60 to 90 days, that we know it's widespread. I've obviously invested a great deal of time thinking about this stuff. And, Leo, I have never understood what problem this periodic enforced password change was ever supposed to solve
[00:56:40] and why it would have ever had any effect other than reducing security. It was created, as I remember, by a guy about 40 years ago writing password recommendations for NIST. And when somebody asked him about it, he said, yeah, I just thought it was a good idea. It was never justified in any way by any logic or reason.
[00:57:05] It's not as if passwords are osmotically seeping out of the storage location that held them so that a new password should be put into effect before the entire previous password has had time to finish fully seeping out of its storage. You know, none of it ever made any sense. His name was Bill Burr, B-U-R-R. A Burr in my butt.
[00:57:33] There's a story from the BBC here. I'll show it to you. Let me, oh, I've got to turn on my camera again. That's right. I left and came back. There's a story. This is a few years ago, but I remember in 2017 reading this and it stuck with me. So, by the way, 2017, eight years ago, this guy who wrote it, he had advised users to change your password every 90 days and to muddle up words by adding capital letters, numbers,
[00:58:03] and symbols. The problem is the theory came unstuck in practice. This was in 2003. He now says, I was barking up the wrong tree. It was, the original advice was distributed by NIST. And it became hacker speak, right? Like, there's an example. Leet speak. Yeah. Which every, by the way, password cracking tool immediately tries. Yep. Turn the O into zero.
[00:58:31] Turn the E into three and so forth. Yeah. He even knew this was a mistake in 2017, but it took NIST all this time. So, you know, things are now significantly more sane as of now. We have new official NIST guidelines that can be, as I said earlier, waved around in front
[00:59:00] of the IT department of anyone's employer. That's the problem. Is that the IT department doesn't, they're not reading these updates. No. They changed their policy back in the day and they ain't going to fix it, right? So, I made this today's GRC shortcut of the week. Good. So, anyone can get the new NIST guidelines by going to grc.sc slash 1048. Now, tell your IT department. Slash 1048.
[00:59:30] That will take you to the browser page of the NIST website for special publication 800-63B, as in Baker. And I've also got the full link in the show notes. Anyway, thank goodness. And, you know, if any of our listeners are being driven nuts by being under this 60 to 90-day password change. I mean, we've heard, like, there are, like, so many resources gone into this, right?
[00:59:59] Like, you can't, oh, you can't use any password of the last five. And so, we've had people who, because they're so annoyed by this, they will make five password changes in a row and then immediately go back to their original password to flush the MRU, the most recently used password list, out of the system so that they can just stay with the password that they want.
[01:00:24] I mean, it just, this is the kind of crazy workaround behavior that bad policy begets. So, so nice that this is over officially. So, now we just have to flush it out of the rest of the system. We know that won't take, like, it won't be overnight. But again, grc.sc slash 1048, that'll get you the new guidelines. It'll get your IT department the new guidelines and tell them, okay, kill this. I mean, they can just turn that off. That's got to be easy to do, right?
[01:00:53] Just not like they have to implement anything new. Just turn off the timer on the password reset enforcement. Ugh. So, as I mentioned, news of Scattered LAPSUS$ Hunters' demise was greatly exaggerated. A couple weeks back, I reported that the group, Scattered LAPSUS$ Hunters, which we know is the
[01:01:17] amalgam of several other prominent groups, had declared itself, officially declared itself done and disbanding. But then, some of just last week's news brought that claim into question. And now we have pretty clear evidence that the group remains a going concern. Last Thursday, Joseph Cox, with the highly respected 404 Media Group, published a short piece with the headline,
[01:01:46] Hackers Dox Hundreds of DHS, ICE, FBI, and DOJ Officials. And the subhead was Scattered LAPSUS$ Hunters, one of the latest amalgamations of typically young, reckless, and English-speaking hackers, posted the apparent phone numbers and addresses of hundreds of government officials, including nearly 700 from DHS,
[01:02:16] the Department of Homeland Security in the U.S. So, not much more is known about that at this time. But I did want to formally take back any suggestion that Scattered LAPSUS$ Hunters had, in fact, disbanded. All of the evidence since we saw that claim suggests they just threw that out for shits and giggles. Who knows why? Just, you know, it's just not at all true.
[01:02:44] Okay, now, did the NSA hack into China? As our listeners know, I've often bemoaned the lack of any news of offensive U.S. cyber operations being carried out by the U.S. and aimed at our cyber adversaries, of which we have a few.
[01:03:09] Just to be clear, I would much prefer that no one was attacking anyone else. Let's just not have any of this. But since we've been buried in reports of Russian, North Korean, and especially China's state-sponsored cyber attacks against the West, I'll admit that it was not unwelcome to encounter the Associated Press headline, quote,
[01:03:37] China accuses U.S. of cyber attack on National Time Center. That's kind of welcome news, though it, you know, might have been more useful if it's both true and if the U.S. had not been caught, because you want this to be happening but not to get caught at it. So here's what the Associated Press reported out of Beijing day before yesterday. They said,
[01:04:32] WeChat post that the U.S. agency had exploited vulnerabilities in the messaging services of a foreign mobile phone brand to steal sensitive information from devices of the National Time Service Center's staff in 2022. So three years ago.
[01:04:53] And so this sounds like apps, insecure apps in some mobile phone was used to infiltrate the devices of staff at the National Time Service Center, probably obtained their authentication credentials and then began to have some fun. There was no specification as to the phone brand.
[01:05:20] They wrote the U.S. agency also uses, I love this, 42 types of special cyber attack weapons. That's good. You know, we got it. We got a few. It said it had evidence but did not provide it in the post on WeChat.
[01:05:51] It said the Time Center is responsible for generating and distributing China's standard time, as you would expect maybe a Time Center would, in addition to providing timing services to industries such as communications, finance, power, transport, and defense. It had provided guidance to the center to eliminate the risks, meaning the Ministry of Security provided guidance to the Time Center. It said, quote,
[01:06:19] the U.S. is accusing others of what it does itself. Yay. Repeatedly hyping up claims about Chinese cyber threats. While they don't seem very hyped up, they seem quite real. You know, we were talking about the consequences of them all the time. Western governments in recent years, they wrote, quote, have alleged hackers linked to the Chinese government have targeted officials, journalists, corporations, and others.
[01:06:44] The ministry's statement could fuel tensions between Washington and Beijing on top of trade, technology, and Taiwan issues. The U.S. Embassy, for its part, did not immediately comment. So, as we know, it's certainly true that the West has been moaning about Chinese state-sponsored attacks for a long time.
[01:07:09] So, I'm not unhappy to finally hear Chinese authorities complaining that the NSA has similarly been crawling around inside their networks for many years. As it turns out, it would be better to have, you know, peace maintained for reasons other than mutually assured destruction.
[01:07:33] But if that's the only way we can have peace in a world with mutually aggressive governments, then at least we should have some peace, even though it might be somewhat less stable than it could be. So, again, as I've often said, it would be nice to know that we're giving as much as we're getting, and maybe we are.
[01:07:54] So, if I had a dream job, Leo, patriotic as I am, I, you know, hacking legally, boy, what fun would that be? So, we're at an hour in. Let's take a break. And then we're going to look at an instance of security through obscurity. And you're muted. Yeah. How about that? There you are.
[01:08:24] Hi. Sorry about that. Yes. Let's take a break. And then we will talk about your, what did you say? Security through obscurity. Why would satellites bother encrypting everything that's raining down on our heads? Because they're up in the sky. Nobody ever looks up there. I can't see them. I looked up there. I didn't see them. They're invisible. No. Our show today brought to you by ThreatLocker. If you're in business, you're not invisible to hackers.
[01:08:53] They're out there, man. They're going after you. Ransomware is rampant. You know that, right? Harming businesses worldwide. How are they doing it? Well, every way possible. Phishing emails, infected downloads, malicious websites, malvertising, RDP exploits. Look, don't be the next victim. ThreatLocker's zero trust platform. That should, by the way, as soon as I say zero trust, you should get a little chill down your back. Like, yes, the gold standard.
[01:09:22] ThreatLocker's zero trust platform takes a proactive, and these are the three key words here, deny by default. Love that. They take a proactive, deny by default approach that blocks. It just blocks every action unless you explicitly authorize it. Every unauthorized action blocked. Protecting you from both known and unknown threats. That's why companies that can't afford to be down for even one minute trust ThreatLocker.
[01:09:51] Global enterprises like JetBlue, the Port of Vancouver. You don't want the Port of Vancouver shut down by ransomware. They don't either. That's why they use ThreatLocker. ThreatLocker shields them and can shield you from zero-day exploits and supply chain attacks while providing complete audit trails for compliance. ThreatLocker's innovative ring-fencing technology isolates critical applications from weaponization. See, we've just assumed if somebody's in the network, oh, they must be one of us. Let them have it.
[01:10:21] No. No, that's why zero trust is so effective. Applications are shielded. This completely stops ransomware. It limits lateral movement within your network. ThreatLocker works in every industry. It supports PCs and Macs. It provides 24-7 support from the U.S. And they enable comprehensive visibility and control, which is great for your compliance. Ask Mark Tolson. He's the IT director for the city of Champaign, Illinois.
[01:10:50] He knows city governments are often the target of ransomware attacks. That's why he chose ThreatLocker. He says, quote, ThreatLocker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing ThreatLocker will stop that. That's the key. Stop worrying about cyber threats. Get unprecedented protection quickly, easily, and cost-effectively with ThreatLocker. Visit ThreatLocker.com slash twit.
[01:11:20] Get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's ThreatLocker.com slash twit. We thank them so much for their support of security now. We love zero trust, and this is the easiest, most effective, cost-effective way to do it. ThreatLocker.com slash twit. Steve?
[01:11:44] So when I heard the news of this next story, my first thought was that it was a classic example of security through obscurity. Our listeners know that I've sometimes decried the pronouncements of online tech weenies whose sole chant, issued to anyone who hides anything, is "security through obscurity is no security."
[01:12:09] You know, it's as if after being exposed to that one concept, they feel like now they're a security expert every time they echo it. And, you know, such flippant remarks are annoying because actual security mechanisms are not so simple, right? For example, the gold standard of flexible encryption is public key crypto. Its power is that one of its two keys is made public by design.
[01:12:39] But then we go to extreme lengths to keep their matching private keys secret. So is that security through obscurity? No, it's security through secrecy. Since all security inherently depends somewhere upon secrecy and secrets, the actual security provided by any security system depends upon our ability to keep those dependent secrets a secret.
[01:13:09] So I started off saying that when I heard the news of the story, I was put in mind of security through obscurity because, in contrast to the misuse of that phrase, which I see all the time, there are certainly some instances where a system was just assumed to be secure only because no one had ever bothered to check to see if anyone had locked the door.
[01:13:34] Boy, researchers from the universities of San Diego and Maryland thought to aim a commercial off the shelf satellite dish upward, which, you know, being an antenna dish for talking to satellites in the sky is sort of the obvious direction to point it. But what they discovered is perhaps the best definition of security through obscurity imaginable. Talk about not locking the door.
[01:14:04] Apparently, because most people do not have their own satellite dishes aimed at the sky. And even when they do, it's hooked to some box that's selecting only what it should out of what's available. An astonishing amount of important data turns out not to be encrypted and is in no way protected. Obscure? Kind of.
[01:14:33] Secure? Secure? Secure? Not even a little bit. Details of what they discovered were recently announced by the universities whose members perform the research. The summary of their findings reads, quote, We pointed a commercial off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary.
[01:14:59] They abbreviated that GEO, geostationary satellite communication.
[01:15:05] This is them saying, a shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, and consumer internet traffic from in-flight Wi-Fi and mobile networks.
[01:15:32] This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware. There are thousands of geostationary satellite transponders globally. And data from a single transponder may be visible from an area as large as 40% of the surface of the Earth. So these are not just beams going down.
[01:16:00] They're just a widespread spray of radio, unencrypted, in-the-clear data, being blindly and widely beamed down onto us from above, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, consumer internet traffic, and more.
[01:16:28] And all apparently happening because no one ever thought to look up. So under their topic, what type of network traffic was exposed? They broke it down into six categories. We've got cellular backhaul.
[01:16:44] They said, we observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas.
[01:16:59] This traffic included unencrypted calls, SMS, and end-user internet traffic, hardware IDs, you know, the IMSI numbers, and cellular, get this, cellular communication encryption keys. All for the taking. Also, we have military and government.
[01:17:22] They said, we observed unencrypted VoIP and internet traffic and encrypted internal communications from ships, unencrypted traffic for military systems, with detailed tracking data for coastal vessel surveillance and operations of a police force. Then there was in-flight Wi-Fi.
[01:17:50] We observed unprotected passenger internet traffic destined for in-flight Wi-Fi users on airplanes. Visible traffic included passenger web browsing, DNS lookups, and HTTPS traffic, encrypted pilot flight information systems, and in-flight entertainment. VoIP.
[01:18:13] Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call audio and metadata from end-users. Internal commercial networks. Retail, financial, and banking companies, they wrote, all used unencrypted satellite communication for their internal networks.
[01:18:41] We observed unencrypted login credentials, corporate emails, inventory records, and ATM networking information. And, you know, as I'm reading this, I'm thinking, maybe China should be the least of our worries. Because we're not even protecting ourselves. No. You don't have to do any hacking. They don't have to spy on us. They just buy a $750 device and listen. Yeah.
[01:19:10] You know, with today's new SDRs, software-defined radios, and the inexpensive availability of satellite dish antennas, I think it would be kind of a fun pastime. Some people have, like, high-power telescopes, optical telescopes. Get yourself a dish and see what lands. You know who used to do this?
[01:19:32] By the way, Steve Wozniak, very famously, I remember him talking about sitting in his living room, listening to unencrypted phone conversations back in the earliest days of cell phone communications. And it's only gotten juicier since. Yeah. He loved it. I think it would be fun. Anyway, finally, critical infrastructure.
[01:19:54] Power utility companies and oil and gas pipelines use geo-satellite links to support remotely operated SCADA infrastructure and power grid repair tickets. All there for the viewing.
[01:20:07] So, the researchers' paper, which will be published in the proceedings of the 32nd ACM Conference on Computer and Communications Security, or lack thereof, which will be held in Taipei, Taiwan, is titled, Don't Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites. So, I've included a link to their full paper in the show notes.
[01:20:36] But just to give everyone a bit of additional feel of flavor for the content of the data that's constantly pouring down over all of our heads, here's what the paper's abstract explains. It says, geo-synchronous satellite links provide IP backhaul to remote critical infrastructure for utilities, telecom, government, military, and commercial users. So, just to clarify.
[01:21:05] So, they're saying that in isolated areas where you can't run fiber or any kind of electrical communications lines, like the boonies, what is often done is a satellite dish is stuck there, aimed up at a geosynchronous satellite,
[01:21:28] which is used to connect this out-of-the-way backwater zone into a larger network. And unfortunately, because whatever it is that device is used to being connected to a private network, even though this is now being bounced through the sky in order to reach it, the network is still treated as if it were private, meaning unencrypted.
[01:21:57] So, you get to see what's on this private network. They wrote, To date, academic studies of geo-infrastructure have focused on a handful of satellites and specific use cases. We perform the first broad scan of IP traffic on 39 geo-satellites across 25 distinct longitudes
[01:22:22] with 411 transponders using consumer-grade equipment. Nothing fancy here. We overcome the poor signal quality plaguing prior work and build the first general parser that can handle the diverse protocols in use by heterogeneous endpoints.
[01:22:43] We found 50%, 5-0%, half of geo-links, meaning data links, contained cleartext IP traffic. While link layer encryption has been standard practice in satellite TV for decades, IP links typically lacked encryption at both the link and the network layers.
[01:23:10] This gives us a unique view into the internal network security practices of these organizations, which is a kind way of putting it; they didn't bother. We observed unencrypted cellular backhaul traffic from several providers, including cleartext call and text contents, exactly like you were saying, Leo, Wozniak listening to people talking on the phone, job scheduling and industrial control systems for utility infrastructure,
[01:23:37] military asset tracking, inventory management for global retail stores, and in-flight Wi-Fi. So, in other words, no one really took the trouble before now to look closely at what was going on. These guys did. And what they discovered was a profound lack of security.
[01:24:03] Satellite television has always been encrypted because that was always part of its business model. Pirating early satellite TV was a cottage industry. But what we see of the IP, the internet protocol traffic, is the same thing we see of the internet itself.
[01:24:25] As we know, the internet's networking, just like internal corporate networking at the link layer, that is the physical layer, is still today and always has been entirely unencrypted. Encryption was added as an afterthought only where it was deemed necessary and only at the application layer. It still doesn't exist at the link layer.
[01:24:52] So, what appears to have happened is that satellite links have been used as simple network extenders, extending the reach of existing industrial corporate major retail. Actually, it was Walmart, it turns out. In the paper, it's made clear.
[01:25:11] And even military networks through satellite links, where those links themselves have never been and to this day remain completely in the clear and unencrypted. So, they have an 18-page paper. And I cannot recommend that our listeners look at this thing. It is chock full of really interesting tidbits. It's fantastic work.
[01:25:38] And I could easily spend several podcasts just detailing all of the nuances and motivations that they discovered in this paper. But there's much more that needs our attention. So, for what it's worth, the researchers acted responsibly and they worked to notify all of the affected parties that they encountered. And there were many.
[01:26:04] If shining a very bright light on this doesn't get it fixed, then nothing will. And it appears to me that nothing will. Anyway, there is a link to their full paper. It's a PDF, 18 pages near the top of page 11 of the show notes. Again, I had a hard time not spending more time on this because there's so much cool stuff in this 18-page paper.
[01:26:32] And seriously, what's the law, Leo? If something is being broadcast to our home and we have an antenna, I think it's legal to listen to it. You can pick it up. Absolutely. Yeah. Yeah. So, what a fun project for maybe a mom. I mean, maybe a techie mom. But I think of it, I guess, like for a youngster who's precocious.
[01:27:03] Set up an antenna there. Yeah. Yeah. Get the kid involved. Aim a dish at the sky. Stem. Yeah. Yeah, exactly. Well, you know, when you were a kid, I'm sure you did this. I did this. I had a shortwave radio. And it was so much fun at night to tune up and down the dial and get radio stations from all over the world. Now kids can listen to, you know, important corporate phone calls. Just tune down the dial.
[01:27:28] And I definitely had a radio at one point later, when I was a young adult, which could receive cell phone frequencies. Oh. And what was interesting was that you only heard one half of the conversation. That's what Woz would say. But you could infer the other half. Well, yes. And I heard clear evidence of men giving their wives excuses for why they weren't coming right home.
[01:27:56] It was, you know, odd conversations in the afternoon. You learn a lot. See, kids? You can learn a lot. You don't need that social network account on your phone. Just get a satellite listening device. Old school, baby. Old school had something going for it. Old school. It's only $750 worth of equipment. Anyone can do it. And I'll bet you get on eBay. You should do it, Steve. You should do it. If I had the time, I got other priorities. What would you need?
[01:28:25] That would be fun for retirement. Yeah. Yeah. You just need an SDR and a satellite dish. I think you could probably do it for a couple hundred bucks. Probably could. Yeah. A software-defined radio. So most ham radios are software-defined these days. And certainly there's software out there that you can use to do that. So, yeah. Great little hobby. And all the documentation is in the public. All of this, all the protocols, all the frequencies. You probably just asked Claude or something.
[01:28:52] Write me some code, and what are the frequencies that I need to scan? And, you know, you'll get it. What would you listen to? Cellular backhaul, military, vessel tracker, telecom, retail, power. Internal corporate email. That would probably be interesting. It'd be fun. Yeah. It'd be fun. Aviation. Yeah. Yeah. I mean, a lot of this stuff is unencrypted radio traffic on the radio waves, right? Yeah.
[01:29:21] Maybe you'll find like random numbers being beamed down from the skies. Like, what are these? Why? The numbers stations. If you ever find out what that's about, I hope you will share that with us. I'd like to know myself. Okay. Okay. So we've often commented that security and other risks accrue anytime everyone is using the same solution. You were just talking about the fact that the government can clamp down on app downloads because they only come from two stores.
[01:29:53] So this is generically referred to as a dependence upon a monoculture. Diversity brings huge benefits. We've worried about, you know, for example, the world becoming Chromium browser centric, where all web browsers are essentially based on a single code base. So far, Safari and Firefox have been maintaining their own. So that's good.
[01:30:18] And one of the most powerful design benefits of the internet's autonomous packet routing architecture has been its resilience in the face of trouble. If links to one router go down, packets can route around the trouble, taking different paths to still reach their destination. That was part of the original design.
[01:30:44] Problems can arise when this massively decentralized and inherently resilient design is eschewed in the pursuit of market dominance. Much as I love Cloudflare and so much of the work they do, I'm always made a bit nervous by the outsized power they inherently wield by virtue of their size and the percentage of the
[01:31:09] world that's being serviced by a single organization, any single organization. You could say the same thing for Google. It's always bugged me that Google's enforcing these. Admittedly, you know, HTTPS everywhere is a good idea, but Google shouldn't have so much power that they can do that. Right. Yeah. And of course, you know, Google might have our interests in mind, although, I love what you... Right.
[01:31:37] I love what you're talking about, or I guess you and the guys over on MacBreak Weekly, talking about how, unfortunately, Alexa is just a consumer sewer. Yeah. You know, it's an ad network. I just said the A word, sorry, but tough. That's okay. Yeah, it is. It's all about selling you stuff. And no, I was thinking that maybe I would use that for my own home automation,
[01:32:02] but no way am I going to, you know, put up with... I have zero tolerance for being used. An iPhone. So I think, yeah, you'll be there. I think that's going to be the way to go once it gets more sophisticated and Apple indicates they're really going to go for a push for it. So I'm glad for that. Yeah. So anyway, problems can arise when there's too much of this centralization,
[01:32:34] what Cloudflare and others have grown into, however, is not the internet way. That's every bit as true for Amazon's AWS services as it is for Cloudflare. And just yesterday, the entire internet learned exactly what can happen. Yes. When the aggregated services offered by a single provider are inadvertently withdrawn from the world.
[01:33:03] The Verge's headline yesterday was, Major AWS outage took down Fortnite, Alexa, Snapchat, and more, with the subhead, The cause of the AWS outage is currently unclear. Okay. So now the first trouble I experienced, and you know, many people did yesterday morning, was when I attempted to get to the IMDB website and received a 503 bad gateway error.
[01:33:33] It's like, what? But it was The Guardian's coverage of this, and their take on yesterday's serious outage, that really resonated the most for me. The Guardian's headline was, Amazon Web Services outage shows internet users at mercy of too few
[01:33:54] providers, experts warn, with a subhead, Crash that hit apps and websites around the world demonstrates urgent need for diversification in cloud computing. Okay. I just want to mention that since this, several of our listeners who got yesterday's show notes early have sent me some feedback, a couple of them noting there was actually a computerized
[01:34:23] bed somewhere where you stopped being able to raise and lower the bed because of the AWS outage. Believe it or not, the buttons that the user pressed had to go out on the internet in order for the signal to come back to the bed in order
[01:34:48] to lift or lower the footrest or the back of it or something. I mean, so at some point you also have to accuse, you know, designers of doing a bad job of design, because the idea of your bed requiring internet connectivity strikes me as a little extreme, but yeah. Okay. I bet there's a lot of it. Like, yeah. Yeah.
[01:35:14] I mean, I would imagine outlet plugs and lights and things that are on timers. Yes. So The Guardian wrote, experts have warned of the perils of relying on a small number of companies for operating the global internet after a glitch at Amazon's cloud computing service brought down apps and websites around the world. And I should mention, not the first glitch. There have been a few through the years, and we all just come rushing back.
[01:35:42] They wrote, the affected platforms include Snapchat, Roblox, Signal and Duolingo, as well as a host of Amazon-owned operations, including its main retail site, Ouch, and the Ring doorbell company. More than 1,000 companies worldwide were affected, according to Downdetector, a site that monitors internet outages, with 6.5 million reports of problems from users, including more than
[01:36:12] 1 million reports in the US, 400,000 in the UK and 200,000 in Australia. In the UK, Lloyds Bank was affected, as well as its subsidiaries Halifax and Bank of Scotland, while there were also problems accessing the HM Revenue and Customs website on Monday morning.
[01:36:34] Also in the UK, Ring users complained on social media that their doorbells were not working. In the UK alone, reports of problems on individual apps ran into the tens of thousands for each platform. Tens of thousands. Other affected platforms around the world included Wordle, Coinbase, Duolingo, Slack, Pokemon Go, Epic Games, PlayStation Network and Peloton.
[01:37:03] Not Pokemon Go. No. I know. What are you going to do? No. By 10:30 AM UK time, Amazon was reporting that the problem, which first emerged at about 8 AM, was being resolved as AWS was, quote, seeking or seeing significant signs of recovery.
[01:37:24] Referring to the US East Coast region, at 11 AM it added, quote, we can confirm global services and features that rely on us hyphen east hyphen one, that's the designation for that chunk of AWS, have also recovered. Although actually I can confirm that recovery was actually quite slow.
[01:37:45] They said, experts said the outage underlined the dangers of the internet's reliance on a small number of tech companies, with Amazon, Microsoft and Google playing a key role in the cloud market. Dr. Corinne Cath-Steff, the head of digital at the human rights organization Article 19, said the outage underlined the dangers of placing too much digital infrastructure in a small number of hands.
[01:38:14] She said, quote, we urgently need diversification in cloud computing. The infrastructure underpinning democratic discourse, independent journalism and secure communications cannot be dependent on a handful of companies, unquote. Cori Crider, the executive director of the Future of Technology Institute, a think tank that supports a sovereign technology framework for Europe, said, quote,
[01:38:40] The UK cannot keep leaving its critical infrastructure at the mercy of US tech giants. With Amazon Web Services down, we've seen the lights go out across the modern economy, from banking to communications, unquote. Madeline Carr, professor of digital politics, I'm sorry, global politics and cybersecurity at University College London,
[01:39:02] said it was hard to disagree with warnings about the over-reliance of the global internet on a small number of companies. The counterargument is that it's these large, hyper-scaling companies that have the financial resources to provide a secure, global and resilient service. But most people outside those companies would argue that this is a risky position for the world to be in.
[01:39:29] Amazon reported that the problem originated on the East Coast of the US at Amazon Web Services, a unit that provides vital web infrastructure for a host of companies which rent out space on Amazon servers. AWS is the world's largest cloud computing platform. Shortly after midnight Pacific Daylight Time in the US, 8 AM BST,
[01:39:54] Amazon confirmed increased error rates and latencies for AWS services in a region on the East Coast of the US. The ripple effect appeared to hit services around the world, with Downdetector reporting problems with the same sites on multiple continents. Cisco's ThousandEyes service, which tracks internet outages, also reported a surge in problems on Monday morning, with many of them located in Virginia,
[01:40:24] the location of Amazon's US East region, where AWS said the problems began, or AWS has a number of data centers. Rafe Pilling, the director of threat intelligence at the security firm Sophos, said the outage appeared to be an IT issue rather than a cyber attack. And we know that's the case now. It was a DNS problem that was really bad, and that affected access to a critical database that AWS runs.
[01:40:54] They said, AWS's online health dashboard referred to DynamoDB. That's it. It's the database system where AWS customers store their data. He said, when anything like this happens, the concern is that it's a cyber incident, and that's understandable. AWS has a far-reaching and intricate footprint, so any issue can cause a major upset. In this case, it looks like it's an IT issue on the database side, and they'll be working to remedy it as an absolute priority.
[01:41:24] The UK government has said it's in contact with Amazon over Monday's internet outage. A government spokesman said, quote, we're aware of an incident affecting Amazon web services and several online services, which rely on their infrastructure. Through our established incident response arrangements, we're in contact with the company who are working to restore services as quickly as possible. So, okay. When I hear these people saying, Oh, you know,
[01:41:53] it's really a problem that there's this over-reliance. It's like, no one's forcing you to use AWS, right? I mean, there are a lot of alternatives. There are a lot of smaller outfits. There are a lot of, you know, big other ways you could go. There's many choices when it comes to cloud. Yeah. Right. And so, AWS is just the default, isn't it? It's just, yes, it's like, it's like IBM in the old days. Exactly.
[01:42:21] No one ever got fired for choosing IBM, what was the saying back then? Yeah. And for the most part, it's up, it's reliable, it's strong. I'm sure the price is right, which is why everyone uses them. Unfortunately, the flip side is everybody goes down. It takes everybody down. Yeah. That's pretty amazing. Wow. And it was, so it was an IT error. It wasn't Border Gateway Protocol or something.
[01:42:49] It was just some misconfigured DNS. It was a misconfigured DNS, and it propagated. And then it disconnected their DynamoDB that everything depends upon. And everything just kind of... It was funny. In the AWS announcement that I saw, they listed the various systems that were affected, and then the specific AWS systems. And it went on and on and on.
[01:43:19] And then I saw the total. It was 143 different AWS systems. Which essentially is just all of them. Just cascading failure. We're gone. We're off the net. Yeah. Okay. Leo, it's feedback time after we take a break, and then, oh boy. This first bit of feedback is one that many of our listeners picked up on that I missed last week. Apparently I did too. I didn't. Okay.
[01:43:48] I thought you would do it. I thought last week's show was absolutely letter perfect. Not one single problem. Now. Wow. I'm shocked. We are human, and maybe there's a little bit of senile dementia creeping in, maybe. Okay. Okay. We're stuck on the same floor. Yeah. Okay. Well, we'll get to the feedback section in just a moment, but first I got some feedback for you. Our sponsor: DeleteMe.
[01:44:17] If you've ever looked on the internet for your name, don't. Okay. Don't. But if you've ever wondered how much personal data is out there on the internet, I can tell you, more than you think: your name, your contact info, your social security number. Yes. Your home address, even information about your family members. And the thing is, this is just kind of randomly showing up on the internet. This is being compiled by hundreds of companies.
[01:44:46] They're called data brokers who collect this information about you and then sell it online to the highest bidder. And that could be anybody from a neighbor who just wants to know how much money you make to law enforcement who wants to figure out, you know, what you've been up to, to foreign governments. You know, we talk about China spying on us. They don't need to think and just buy it on the internet. Anyone, anywhere on the web can buy your private details.
[01:45:16] And you can imagine the consequences, everything from identity theft to phishing attempts. You ever wonder why you, at your phone number, keep getting, you know, text messages from people who say they know you? Doxing, harassment. Well, now you can protect your privacy with our sponsor, DeleteMe. Look, I am in the public. I tell people what I think all the time. Our company is a public company, right?
[01:45:45] And our executives are, as a result, somewhat in the public. This all came home to us when we got phishing text messages purporting to be from Lisa to her direct report, saying, hey, I'm in a meeting, go buy some Amazon gift cards and mail them to this address for a client. And fortunately we have a very smart staff, but that was a very compelling text message, because it had her name. It had her phone number,
[01:46:15] their phone number. It had a lot of information. That's what, you know, these phishing folks, the more they know about you, the easier it is to hack you. That's when we decided to subscribe to DeleteMe. And it really works. It is so easy to find personal information about people online. So I recommend, we use DeleteMe. DeleteMe is a subscription service that removes that personal information from hundreds of data brokers. It is not illegal to be a data broker. Surprisingly,
[01:46:45] it's not even illegal to sell somebody's social security number. That should be illegal, but there is one little loophole. There is a law that requires data brokers to have a removal page hidden somewhere on their site. The problem is, it's in a different place everywhere. If you find it, good, now you've got that data broker. Now there's only several hundred more to visit and find and delete. And then there's even more problems, because guess what?
[01:47:15] Those data brokers just don't go, oh yeah, you're right, I'll never do that again. No, they start collecting the information all over again. Plus there's new data brokers every day. It's such a profitable business. So here's what you need to do. You need to sign up with DeleteMe. You give them some information, the stuff that you want deleted. Their experts take it from there. They know where to go for each and every data broker, and they will get it taken down. And then they will continue to monitor and continue to take it down.
[01:47:44] You'll get regular personalized privacy reports from DeleteMe showing what they found, where they found it, what they removed. So you know they're at work. And again, it's not a one-time service, and it shouldn't be. It needs to be a kind of continual process. And DeleteMe is always doing that. They're always working for you, constantly monitoring and removing the personal information that you don't want on the internet. By the way, that's important. Just the stuff you say no to. So you have a lot of control over what they're taking down.
[01:48:14] To put it simply, DeleteMe does all the hard work of wiping you and your family's personal information from data broker websites. And they keep doing it again and again and again to make sure your privacy is protected. Take control of your data and keep your private life private by signing up for DeleteMe. We've got a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to joindeleteme.com/twit and use the promo code TWIT at checkout. Now,
[01:48:43] the only way to get 20% off is to visit joindeleteme.com/twit and use the code TWIT at checkout. joindeleteme.com/twit, offer code TWIT. Don't Google DeleteMe or go to deleteme.com. There's a European company at that address. It's not the same thing. You've got to go to the right address. And I found this out because somebody said, you know, I went to deleteme.com. They don't do what you said that they do. That's a different company. And because it's in Europe, I guess there's nothing we can do about it.
[01:49:12] So make sure you use the right address: joindeleteme.com, all one word, joindeleteme.com/twit, offer code TWIT. These are the guys that will remove your information from data brokers, and they'll keep on doing it. joindeleteme.com/twit, offer code TWIT for 20% off all individual privacy plans. All right. All right. Now back to Steve Gibson, the error prone. No,
[01:49:40] I was tempted to title today's podcast, You Forgot to Press Star, after reading one of our listeners... Uh-huh. Brilliant. They're right. Yes, they are. Several less senile and more sharp-eyed listeners than we posted to GRC's Security
[01:50:05] Now newsgroup, and many listeners sent feedback email about something I missed last week. And I do hope this is not a sign of our early onset dementia. You know what? No, no, no, no. I went right along with it too. I think that makes sense. I saw that the first word of each of the first four lines of our Picture of the Week last week was, you know, for access to elevator,
[01:50:32] one must ask the desk to get the new code, seven times to remember. And then it said, starry blue skies ahead. And I remember thinking, okay, well, that's kind of odd, but I figured it was just thrown in there to make the rest of it seem a little less obvious. No, the keypad has a star and a pound key. Of course. So I have a feeling that you and I would be stuck on that floor. We'd be saying,
[01:51:01] where's my starry skies? I don't see any starry blue skies. Why didn't the elevator come? I pressed the four digits. Yeah. Why didn't the elevator come? I don't know. Anyway, thank you listeners. Yes, you were on the ball. You noted that we didn't read the last line of the secret. Well, we read it. We just didn't understand it. Fooled us. So if we're ever on the memory care ward, we're going to be stuck there. I hate to tell you, Steve. I'm going to try to remember to do the last line too. I know there's something I'm forgetting.
[01:51:31] Stephen Palm said, it seems like this was inappropriately focused on, Apple products and specifically iPhones. He said, it should be noted that Google, Microsoft and some Linux distribute. Oh, he's talking about Texas SB 2420. He must've had that in the subject line. He said, Google, Microsoft, some Linux distributions, Amazon, Docker, Synology, Netgear routers, game consoles, modern digital cameras like Sony, HP printers, smart TVs,
[01:52:00] and a lot more. He forgot the garage door opener. Have a marketplace where you can shop and pay for an app or expansion or upgrade of some sort, even some cars. He said, the legislation is doomed. Okay. So we now know that the legislation's constitutionality has been challenged, even though, as I noted earlier, my guess is that it's, it may be survivable in some state,
[01:52:30] although maybe get trimmed down, uh, and, and survive much as HB 1181 did before it. But Stephen's note about like all of these other things made me curious about what SB 2420's legal definition of an app store was. And indeed, it's frighteningly broad. The legislation reads quote, and this is from clause two of the actual legislation,
[01:52:58] which I tracked down app store means a publicly available internet website, software application, or other electronic service that distributes software applications from the owner or developer of a software application to the user of a mobile device. Okay. So at least we have mobile device as a, as a parameter there, uh, but still internet website,
[01:53:28] software application, or other electronic service that distributes software applications, um, from the owner or developer of a software application. So that is a broad definition. This means that it is at least constrained to platforms that distribute software applications to mobile devices. And we know that what the legislation's intent is, is it's squarely aimed at the major app stores as Leo, as you said,
[01:53:57] for Apple iPhones and Android smartphones, thus Google play. Um, so it's probably less dire than Stephen was suggesting in, in his note. Uh, and on the receiving end of this download, the legislation defines mobile device. That's their paragraph four at the top of the legislation, which reads mobile device means a portable wireless electronic device,
[01:54:24] including a tablet or smartphone capable of transmitting, receiving processing, and storing information wirelessly that runs an operating system designed to manage hardware resources and perform common services for software applications on handheld electronic devices. Okay. So that's also pretty tightly specified. And it means, um,
[01:54:52] that as Stephen enumerated, Synology NAS, Netgear routers, game consoles, modern digital cameras, printers, and smart TVs would not be swept up by SB 2420. It's only that's just that law because California has an ID law that says any operating system. Yeah. Oh, it really depends how the law is written, right? Yeah. It's a mess. Well, and where, right? Cause that, cause even,
[01:55:23] even with all this, it's only currently Texas and then eventually Utah and, right. And Louisiana or somewhere, wherever it was. So I mean, this is a mess. And of course, federally, there's nothing happening. I mean, in more ways than one, uh, with any of this. So it's being all left up to the States, which just creates a mess. So, you know, with all, well, and, and like we have Mississippi where it's just blanket social media.
[01:55:53] And so Bluesky had to go dark in Mississippi. Wow. I mean, we're going through a tough time. Yeah. Jason Joel said, hi, Steve and Leo. First, thank you for 20 great years of Security Now. I've been a listener since the very beginning. I just finished listening to SN 1047, so that's last week, and I'm confused about something. F-Droid is worried about Google's changes to the Play Store,
[01:56:21] but they seem very quiet about SB2420. Wouldn't SB2420 be even more detrimental to F-Droid than the changes to the Play Store? Thanks, Jason. And I would say yes. The homepage of the F-Droid site asks the question, what is F-Droid? And then answers it, writing: F-Droid is an installable catalogue of FOSS (Free and Open Source
[01:56:51] Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device. But this raises an intriguing loophole question, right? The F-Droid app itself would first need to be obtained from the Google Play Store under the new restrictions. And for that,
[01:57:17] any and every minor-aged person would need a parent's approval. But the F-Droid app itself offers an installable catalog of FOSS applications for Android. So technically it's an application which accesses a repository. It's not a store. So the letter of the law doesn't quite encompass the F-Droid case. But to Jason's point,
[01:57:47] I would not want to be in F-Droid's shoes here, because one thing Texas SB2420 does clearly state is that each and every software download and installation must receive parental consent. The F-Droid app, once obtained and installed, allows for unrestricted application use from the F-Droid repository. So, you know, it could be a lawsuit waiting to happen.
[01:58:14] And you would think that F-Droid would probably need to incorporate the API which Google Play will be making available to apps. And then that would allow F-Droid to gate the access of its sort of sub-apps, you know, the FOSS apps that it's allowing the download of, through the forthcoming Play Store API.
[01:58:41] So it doesn't seem like it would be a horrible thing to have happen, but it's going to require them to at least take a look at it and basically protect their app download in the same way that the Play Store is doing, for the primary F-Droid app. Fleming Hansen in Denmark wrote: EU Chat Control would be useless. He said, in my view,
[01:59:05] it would be relatively straightforward to bypass the proposed EU Chat Control measures, which of course we now know failed in a vote which never even happened, because it was known that the vote would not pass. He said, an individual could encrypt an illicit image on a desktop computer, transmit the encrypted file via an app subject to Chat Control,
[01:59:32] and the recipient could then decrypt it on a computer to restore the original image. Kind regards. And of course he's absolutely right. You know, not nearly as convenient, but clearly true. That would work. It's a variation on the old theme of, if the use of encryption is criminalized, only criminals will use encryption. In this case, of course,
[01:59:59] it's the use of a smartphone to converse that is at issue. So I certainly, he's right. I would not argue that it would be useless. It's a good thing it didn't happen, but it could certainly be bypassed. Ray Nomer wrote: Thought I'd let you know. Oh, this is the guy I mentioned before. I just purchased 6.1, meaning of course SpinRite. He said, I've owned previous versions for many years and it saved my
[02:00:29] butt (data) many, many times. I realized I could take advantage of the upgrade path, but I would rather support your work and the effort that goes into your weekly podcast. So I bought 6.1. Keep up the great work, please. Ray. That's true. It's worth it. Yeah. Well, depending upon what's at risk, and also for the performance enhancement that 6.1 has now proven to offer.
[02:00:56] But I chose to show that not because I expect anyone else to do the same, but because I wanted to give Ray's generosity some wider recognition, because apparently he's a listener. While I appreciate his extra purchase, my plan is to give everyone new stuff to purchase, which adds stuff that they want, which will hopefully benefit their lives as much as SpinRite has been able to for the past 36 years. To that end, as I mentioned,
[02:01:23] I'm working every day to get the DNS Benchmark wrapped up. I am very excited about what it has evolved into. So after nearly 10 months of work on it, I'm very close. So again, thank you, Ray. I appreciate that. Duncan said, hi, Steve and Leo, longtime listener, propeller head, and SpinRite user. He says, parens, which paid for itself a hundredfold by restoring my daughter's crashed MacBook
[02:01:51] hard drive weeks before her final school exams. Oh boy. Duncan said, I've been listening with interest to your coverage of the age verification topic alongside developments in the imminent Australian social media restrictions planned for December 2025. While I'm sure your listeners want to protect the innocence and mental health of our children,
[02:02:16] they also appreciate the technological challenges involved and the fact that any solution will require all adults to verify their age, not just minors. Right. Because adults have to prove they're not minors. He said, my reason for writing is to make a point that seems to have been overlooked in this whole debate: the older brother loophole.
[02:02:44] Existing laws around the globe were drawn up in a physical world where it is possible to physically identify someone entering an adult pub, club, or movie theater, or purchasing alcohol, cigarettes, magazines, or other restricted activities. However, in the physical world, there was nothing to stop an older brother or friend from purchasing alcohol, cigarettes,
[02:03:10] movies, or magazines and sharing those with minors after purchase. We all know this happens in real life. Away from the point of sale, there's nothing that could be done about this apart from vigilant parenting or Big Brother policing in your own home. The technological world is no different. You can put all the electronic age restrictions you want on minors themselves,
[02:03:36] but you can't stop them watching or reading information on their older brother's or friend's phone, computer, or TV, or the unlocked iPad sitting in the family room. People often talk about savvy kids using VPNs to override national or regional restrictions, but there will be endless other ways for older brothers and friends to lend their age verification
[02:04:04] credentials or device to a minor, which makes the whole exercise futile from the start, with the obvious cost and risk to everyone else's privacy. I can't envision, he says, a feasible technological solution to this problem until our devices are constantly surveilling their viewers'
[02:04:26] eyeballs or brains to ensure no minors are watching their screens at any point in time. I look forward to you covering this Big Brother world in episode 1984. He said, hopefully this brings another angle to your ongoing analysis of this interesting challenge. Keep up the great work. Regards, Duncan in Sydney, Australia. And of course,
[02:04:53] Duncan's note about the need for continual surveillance in the cyber world reminded me, as I mentioned, of that clause in the Protecting Tennessee Minors Act, which does require constant reauthentication. They define a session as 60 minutes, and you must reauthenticate within a 60-minute window in order to stay within the letter of the law. So, yeah, 1984. 1984, indeed.
[02:05:23] I mean, you can imagine, Leo, something like the camera looking at you constantly, doing a retina verification. It's inevitable. This is the end game. You know, remember 1984? The TVs watched you, right? Yeah. And you had to have them on at all times. And I really think we're headed in that direction. Well, and by the way, he's got a good point. Forget Big Brother. It's unenforceable. Yeah. Harper Reed was on TWiT on Sunday.
[02:05:52] He's kind of a bit of a hacker himself. He said, this is great. Australia is going to breed a whole generation of kids who know how to hack stuff. This is going to be the best thing. Seriously. He's right. Yeah. This is how it starts. They won't take it for granted. They will get their engineering caps on and figure a way around. And there are multiple ways around it, and they will find them. Yeah. Matt Storms wrote,
[02:06:20] is it possible that Discord needed to keep the age verification data as proof of verification? He said (in case of audit or lawsuit, or proof of compliance with regulations), which is a great question. Looking at the recent legislation regarding age-gated access to Internet content,
[02:06:40] there is very clear and explicit language stating that any and all personally identifying information, you know, now called PII, including images or data derived from images, must be deleted immediately after it has been used for age verification. And even Discord's own support information says, quote,
[02:07:11] Discord and k-ID, which is the organization they use, do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed. And the video selfie used for facial age estimation never leaves your device. Okay.
[02:07:41] Now, unfortunately for those more than 70,000 users whose identity documents Discord acknowledged were leaked, this doesn't appear to be true. And given how sensitive people understandably are about having their identity documents leaked onto the Internet, coupled with how litigious the world has become, this might be a mistake that gets Discord's provider in some very hot water,
[02:08:09] because you can imagine lawsuits will be flowing after any of these 70,000 users learn that the provider, whoever Discord used, the actual provider in this instance seemed to be somebody else, not this k-ID group. So I don't understand, you know, maybe k-ID uses a third party themselves. Anyway, one way or another, this stuff wasn't deleted after it was used. It was kept around, and the hackers got ahold of it.
[02:08:39] So one wonders also if the fine print of whatever agreement the age verifier might have had its users click on might provide some legal loophole and maneuvering room for them. I don't know. So what little good news there is amid all of this recent age-gated legislation,
[02:09:01] at least the legal verbiage stipulates that whatever information is used for the determination must be immediately deleted. The legislators got that right. At least now, of course, the techies have to abide by that law. And I would imagine they really need to, because there'll be upset people who are saying, hey, you said you deleted this. How did the bad guys get it? Well, how did they?
[02:09:32] Right. I guess they weren't. Oh, we forgot to empty our trash can. Oh, that's it. We put it in the recycling bin. That's right. It's in the recycling bin. What are you going to do? Brian Orm wrote, Steve, I'm listening to 1047 right now and had to pause it to send you a note. I'm a father of three kids. My youngest is a teenager, and my older two are now adults. While this new Texas law is at least a step,
[02:10:01] it won't help much. I'm hopeful that an age validation standard will be established that's secure and simple. This is a hard problem, since it hits the center bullseye of the definition of personally identifiable information. He's certainly right about that. He said, raising my older two, there is one obvious fact. And this is to your point, Leo.
[02:10:27] Our children are not like us, who grew up without the Internet. Kids grew up with the Internet like we grew up with electricity. They live it, eat it, and breathe it. They can get around everything. They buy reloadable credit cards at Dollar General to appear as adults.
[02:10:50] My 18-year-old son told me he simply used my birthday whenever he registered for a service to get around all the filters. He's not the same last name. Right. On that note, the problem with this new law is that they are locking the gate on the two-foot-tall fence while neglecting to lock the house doors. Once kids have a child-friendly app installed,
[02:11:16] the problem is what happens inside the app, and developers' neglect of monitoring their own services. This is especially true when developers incorporate into the app some ability for users to communicate among themselves. It was recently discovered that a friend's son was being groomed via Pinterest chat by a woman halfway across the United States.
[02:11:44] I'm thankful for his mother's parents, who noticed behavior changes and took action. But who would have ever thought, when their child asked permission to install Pinterest, that this age-appropriate app would have the ability to cause such harm? The same obviously goes for Microsoft, I'm sorry, Minecraft, Roblox, and many, many other apps.
[02:12:12] The age requirement in this and most cases is truly useless. Require all the age verification you want. It will not help the issue, except for a small fraction of extreme apps and websites. The complexity for parents to set up child accounts thus far is so frustrating that even myself, a certified security professional, just gave up. A case in point:
[02:12:41] while auditing my subscriptions recently, I realized that I was paying for three separate Spotify family accounts. I don't have answers, just some parental observations trying to raise kids in this digital world. These new requirements will be ineffective until developers and store owners, and he has three points: first, make it stupid simple for parents to create and manage family accounts. Second,
[02:13:11] enable parents' visibility and proactive notifications into what's actually happening inside the apps. And three, force developers to either shut down or actively monitor, and be held accountable for, their in-app communication services. Of course, no developers want to have any responsibility for what is transacted, you know, in-app. That would be a huge burden. And he finishes,
[02:13:40] until these things happen, this age verification service will only be an annoying speed bump. Thank you for all you and Leo do each week. Signed, Brian. So I thought, you know, the points Brian made were very good ones. I'll be interested to see how Internet-savvy minors arrange to circumvent these new restrictions. But Brian's point about the social networking content carried within otherwise innocuous apps is clearly important.
[02:14:10] It's unclear how that will eventually be addressed, but it seems that it would need to be. We know that apps such as Facebook or X do not in and of themselves have any age-specific rating. It's the content they communicate that these Texas legislation folks appear to be completely naive about. As we know, the state of Mississippi, you know, dealt with this simply by saying no to all social media stuff.
[02:14:40] And I want to finish before our last break, and we talk about Mic-E-Mouse, just by noting that, Leo, you and I are both huge fans of a Netflix series, The Diplomat. Oh, yeah. So much so that I'm sure we've mentioned it on the podcast previously. I just wanted to make sure that anyone who loves it as much as we do is aware that last Thursday,
[02:15:08] Netflix released the entire eight-episode third season. I've already ingested it. Lori and I binged on it. You watched the whole thing already? Yeah. Yeah. I get it that it's not for everyone, but if you loved the first season, I want to make sure that everybody knew that the third season is out, and it's just as good as the previous two. You finished it. And a fourth season has already been commissioned.
[02:15:37] So there will be a fourth season. It's everything I want. The way the second season ended, I just loved. Just everything I like in the world. And it was so good. And I just can't wait to see where it goes after that. Number three is really good, Leo. So you have a big treat in store for you. And I want to make sure that our listeners knew that they do too. And again, I get it, you know, there's something for everyone. This may not be for you,
[02:16:07] but if you have a Netflix subscription and you never even saw it, give the first episode a try. If it doesn't grab you in one or two, then, you know, you'll know that. But yeah, a lot of fun. Yeah. It's not for everybody. Yeah. Everybody has different... We're all different. Yeah. I mean, there's so much comedy that I just look at and I go, that's not even funny. Like, you know, so... Hey, I like Jim Carrey. Don't you be knocking Jim Carrey.
[02:16:36] How did I know you were talking about Jim Carrey? All right. One last break. And then we will get to the Mic-E, whatever, Mic-E-Mouse, whatever that is. Look at that picture that I have. It's the one that AI generated from a simple query. Are we going to get in trouble with the Disney corporation here? As a result, didn't they just lose their rights to that? No, just to the very first one.
[02:17:05] Steamboat Willie, I think. Yeah. Let me just look at it. Because, yeah, you know, you can generate a lot of... Oh, that's funny. You did that? No, no, no, no. They did. Oh, they did. It's definitely AI. Yeah. But somebody, yeah. A sponsor that you know and I know and we love, and it's of course Bitwarden, the trusted leader in password, passkey, and secrets management. I
[02:17:35] always mention that Bitwarden is a password manager, of course, but it's really more than that. It is an encrypted store that you can put anything in and trust. And so I put my passport in it, the image of it, my driver's license, my Social Security numbers, because it's strongly encrypted. And it's private, and it's a great place to store stuff. And because it's on every device I have, I have all those secrets with me.
[02:18:05] Bitwarden recently added SSH keys. It will generate private and public SSH keys and let you upload the SSH public key to your SSH server, and handle it for you with the logins and everything. It's just like, oh, you guys are geeks. You guys know what we want. Bitwarden is consistently ranked number one in user satisfaction, not just geeks, but everybody, by G2 and SoftwareReviews. More than 10 million users across 180 countries, 50,000 businesses too. Now, if you use AI,
[02:18:35] you're going to really like this. If you've used this new agentic AI, when you launch an agentic browser or your own AI to go out and do stuff for you on the web, you immediately see the problem with credential management, right? If that AI is going to log into your GitHub, is it going to transmit your GitHub password privately? Actually, I use passkeys, so I don't have to worry about that.
[02:18:59] But now Bitwarden has made this much simpler with an MCP server, a credential MCP server that's available on the Bitwarden GitHub. It enables secure integration between AI agents and credential workflows, so you don't have to send that password out over the public airwaves. Expanded documentation and distribution are coming. We wanted to tell you about it now so you can go check it out if it's something you need. And it is, if you're using agentic AI, a secure,
[02:19:28] standardized way for agents to communicate with Bitwarden. Now, your benefits, obviously: you get a local-first architecture, which means it's more secure. The Bitwarden MCP server runs on your local machine, keeping all client interactions within the local environment and minimizing exposure to external threats. Oh, and I love this. It integrates with the Bitwarden command line interface. I'm a CLI guy. And I just love that about Bitwarden. Users can also opt for self-hosted deployments.
[02:19:58] If you are an individual and you want to host your vault, you don't want to put your vault in the Bitwarden cloud, you can do that. In fact, because Bitwarden's open source, there's even really good third-party vault software that's compatible with Bitwarden. I mean, there's of course the Bitwarden official distribution. Flexibility, that's what's built into open source, right? You have greater control over system configuration and data residency.
[02:20:27] So let's talk again about the new MCP server. MCP is an open protocol for AI assistants. You probably know this. The servers let your AI system interact with commonly used applications. And that can include content repositories like GitHub and GitLab and, you know, SourceForge and so on. It also includes business platforms, developer environments. It gives you a consistent open interface. It drives secure integration with agentic AI.
[02:20:56] The Bitwarden MCP server represents a foundational step towards secure agentic AI adoption. And why am I not surprised that Bitwarden was the first to do it? Of course they were. Of course they were. They're the best. If you're thinking about getting Bitwarden in your enterprise, and I strongly encourage that, you might want to read Info-Tech Research Group's new paper, Streamline Security and Protect Your Organization.
[02:21:19] It's a report that highlights how enterprises in the Forbes Global 2000 are actually turning to Bitwarden to secure identity and access at scale. The report talks about the growing security complexity we're facing. You've got globally distributed teams. You've got fragmented infrastructure, cloud and on-prem and so forth. You've got credentials dispersed across teams, contractors, devices. So enterprises need to handle credential management gaps and strengthen their security posture.
[02:21:48] Best way to do it? Invest in scalable enterprise-grade solutions. And, I might add, open source solutions like Bitwarden. Bitwarden's setup is easy. It's so simple to move to Bitwarden. Steve and I both did it. It was a few minutes' work. It's actually easier now. They have built-in import now for most password management solutions. The Bitwarden open source code, and again, I want to emphasize this, GPL open source, is regularly audited by third-party experts.
[02:22:17] Bitwarden meets SOC 2 Type 2, GDPR, HIPAA, and CCPA compliance. It's ISO 27001:2022 certified. It's just the best. For passkeys, for secrets, for passwords, for anything you want to keep encrypted and private. Get started today with Bitwarden's free trial of a Teams or Enterprise plan, or get started for free across all devices as an individual user at bitwarden.com/twit. That's bitwarden.com/twit.
[02:22:47] I am really proud to support Bitwarden because it's exactly the way a password manager should be: easy to use, open source, absolutely secure. bitwarden.com/twit. Okay, Steve. I've got the Mickey. Very nice.
[02:23:10] So, through the years of this podcast, we've had a lot of fun examining a range of bizarre and often surprising side-channel attacks that have been able to exfiltrate a surprising amount of information from the surrounding environment.
[02:23:31] It turns out that not only can you bounce a laser interferometry beam off a vibrating window, as spies are known to do, to recover the spoken audio on the other side of the glass, inside a room a long way away,
[02:23:47] but a laser can also be, and has been, bounced off a large plant leaf, a balloon, a bag of chips, and even an exposed light bulb innocuously hanging in the room. We've seen keyboard keystrokes recovered with the aid of an inconspicuously placed nearby smartphone.
[02:24:11] We've even seen the reflections of Wi-Fi radio signals used to locate people moving around inside a room on the other side of a solid wall. We've seen a power supply's fan speed controlled to change its sound to transmit low-bandwidth information, and the sounds made by its switching power supply similarly modulated for the covert transmission of information.
[02:24:38] So perhaps we should not be overly surprised to learn that today's contemporary desktop mouse, thanks to the ever-growing demands of high-speed gaming, has become so sensitive to its surroundings that it, too, is able to detect, pick up, and transmit the sounds of ambient conversations. Now, it's not a microphone. It's far from it.
[02:25:08] But a team of five researchers in the Department of Electrical Engineering at, just, I can see it from my balcony, the University of California at Irvine, have worked to create Mic-E-Mouse, a mouse turned into a microphone of sorts, thanks to its ability to perceive a room's vibrations.
[02:25:33] Now, I say "of sorts" because what these guys had to go through to make this work was some serious gymnastics. Before I go any further, for the sake of strict scientific accuracy, I feel that I should note, just for the record, that this is not actually the first time we've seen someone speaking into a mouse, Leo.
[02:26:07] I would play it if I could, but they'll take us down. "Hello, computer." The Enterprise's chief engineer, Montgomery Scott, first picked up and spoke into the mouse of an Apple Macintosh PC, naturally assuming it to be a microphone and that the computer would be able to take his verbal instructions to show the molecular design of transparent aluminum. Of course, at the time, that was just science fiction, right?
[02:26:37] And it was meant to be humorous, and was. But as we also so often see, what was once a flight of science fiction fancy has now become all too real. The researchers feel that the threat potential from covert eavesdropping and spying through mice is today all too real. The abstract of their paper explains, writing:
[02:27:04] Modern optical mouse sensors, with their advanced precision and high responsiveness, possess an often overlooked vulnerability: they can be exploited for side-channel attacks. This paper introduces Mic-E-Mouse, the first-ever side-channel attack that targets high-performance optical mouse sensors to covertly eavesdrop on users.
[02:27:33] We demonstrate that audio signals can induce subtle surface vibrations detectable by a mouse's optical sensor. Remarkably, user-space software on operating systems can collect and broadcast this sensitive side channel, granting attackers access to raw mouse data without requiring direct system-level permissions.
[02:28:01] Initially, the vibration signals extracted from mouse data are of poor quality due to non-uniform sampling, a non-linear frequency response, and significant quantization. Now, of course, it's not designed as a microphone, so it is, to coin a term, a crappy microphone. They wrote, to overcome these limitations,
[02:28:28] Mic-E-Mouse employs a sophisticated end-to-end data filtering pipeline that combines Wiener filtering, resampling corrections, and an innovative encoder-only spectrogram neural filtering technique. In other words, AI. They wrote, we evaluate the attack's efficiency across diverse conditions,
[02:28:54] including speaking volume, mouse polling rate and DPI, surface materials, speaker languages, and environmental noise. In controlled environments, Mic-E-Mouse improves the signal-to-noise ratio by up to 19 dB for speech reconstruction. Furthermore, our results demonstrate a speech recognition accuracy
[02:29:19] of roughly 42 to 61 percent on the AudioMNIST and VCTK datasets. All our code and datasets are publicly accessible on the Mic-E-Mouse website. And that's sites.google.com/view/mic-e-mouse. Okay.
[02:29:47] Yeah. So in other words, modern optical mice will respond to the vibrations of the surface they're resting on, and any standard app running within that machine can monitor the mouse closely enough
[02:30:10] to capture and exfiltrate that raw and rough vibration data to an outside eavesdropper. From there, although this is just the beginning, you know, bringing the power of today's massive data processing to bear, what the mouse heard to cause it to report the vibrations that it transmitted can then be determined.
[02:30:40] Now, I am reminded as I'm reading this of some of the different data reconstruction research we've covered, where the upshot was that visually blurring text in order to obscure it was no longer considered safe. Yeah. Because although the text's image could not be algorithmically unblurred,
[02:31:11] that is, there is no way to bring back the information that the blurring lost, if the text's font were known, which is often not difficult, the amount of blur could be determined and modeled. At that point, a brute force attack could be launched by rapidly trying all possible underlying characters one at a time from left to right, looking for a match,
[02:31:41] until, yes, until you got an exact blur match, and eventually the entire message could be de-blurred. Similarly, even if a mouse's vibrations are nowhere near audio quality, and they are really not, mapping the audio that would have resulted in those vibrations solves the same problem.
[02:32:09] Is this an example of a use of AI? Yes. Yes. How interesting. They trained OpenAI's Whisper model in order to solve this problem. Good. Wow. So, to put some meat on these bones, here's what the researchers are explaining. They said, the proliferation of low-cost, high-fidelity sensors in consumer devices has greatly improved user experience in common computing tasks.
[02:32:36] From lower response times to more adaptive workflows, these devices have been... Oh, my God. And, Leo, the technology in a mouse today is just astonishing. I mean, it's doing so much digital signal processing, you know, DSP computation, using high-resolution images from today's sensors. It's just incredible. What we just take for granted, we just, you know,
[02:33:04] shoop around on the desk under our hands. They said the lion's share... 61% is amazing. I mean, that's really good. Yes. Holy cow. They said, the lion's share of these improvements is found in the category of user input devices, including styli, mice, and monitors. More specifically, improvements in mouse sensor technologies have allowed commercial offerings to operate with a sample rate of 4 kilohertz, with a growing selection of products
[02:33:33] that also support 8 kilohertz. Consumer-grade mice with high-fidelity sensors are already available for under 50 U.S. dollars. As improvements in process technology and sensor development continue, it's reasonable to expect future price declines. Furthermore, mouse sensors' resolution and tracking accuracy also follow the same pattern, with steady improvements each year. Ultimately,
[02:34:01] as lower-performance mice leave the consumer space, these developments lead to increased usage of vulnerable mice, vulnerable meaning higher precision, by consumers, companies, and government entities, expanding the attack surface of potential vulnerabilities in these advanced sensor technologies. The rise in work-from-home policies has led to the widespread adoption of new technologies and practices,
[02:34:30] making it more difficult for employers and government institutions to control the physical operating environments of their workforces. Meanwhile, these arrangements often boost employee sentiment and productivity. The security implications of work-from-home policies are still being understood. Specifically, attacks exploiting personal peripherals on work computers, such as keyboards, microphones, styli, earphones, mechanical hard drives, and even USB devices, have become increasingly complicated.
[02:35:00] Even in relatively secure office environments, the threat posed by these exploits is still significant, especially for unknown or poorly understood attack vectors. We posit that the seemingly innocuous computer mouse is the source of yet another vulnerability. Importantly, we claim that recent advancements in mouse sensor resolution can be sufficient
[02:35:28] to enable a side-channel attack capable of extracting user speech. Through our Mic-E-Mouse pipeline, vibrations detected by the mouse on the victim user's desk are transformed into comprehensive audio, allowing an attacker to eavesdrop on confidential conversations. This process is stealthy, since the vibration signal collection is invisible to the victim user
[02:35:57] and does not require high privileges on the attacker's side. Right. Whoever thought that tightly watching mouse position could be a security vulnerability? They said, potential adversaries can collect user space mouse signals and remotely use the Mic-E-Mouse pipeline to convert raw data packets into audio. Okay, now I'm going to interrupt here just to observe that websites
[02:36:27] are also able to obtain mouse coordinates in real time. So it might be that just visiting a site which innocently downloads and runs some high-performance WebASM code might now be sufficient to collect sufficient mouse vibration data while you're visiting the site to later reverse-engineer the speech that was taking place during that visit.
[02:36:57] You know, you would assume that having your microphone disconnected or muted would be sufficient, but perhaps not. The researchers continue, modern optical mice employ various methods to provide precise movement tracking under different sensitivity settings. Over the past two decades, optical mice leveraging a high-performance CMOS camera
[02:37:24] with an onboard digital signal processor have become the preferred design choice. Generally, optical sensors enhance reliability and fidelity through the use of self-illumination, typically from an independent diode or an integrated laser. By taking thousands of snapshots of the illuminated surface under the mouse, the DSP can then compare each successive image in order to determine
[02:37:53] the direction of movement. The rate at which this process happens is determined by the sensor's frame rate, measured in frames per second. Each frame is processed via an on-chip correlation algorithm to provide a two-dimensional displacement to the host computer. The described process can be broken down into two key elements, the imaging sensors and the image processing and movement detection algorithm. Rather than relying on extensive charge-coupled device,
[02:38:22] CCD sensors, the sensor in an optical mouse is typically a CMOS, complementary metal oxide semiconductor image sensor, collecting up to 30 by 30 pixels worth of data per frame, where each pixel represents the intensity of the reflected light at that point. This basic mini camera is a critical component of implementing speckle pattern detection. Some sensor models
[02:38:50] such as the PixArt PMW3552 capture data using an 18 by 18 pixel grid, while others can record up to 30 by 30 pixels depending upon the manufacturer's specifications. For visualization purposes, we destructively studied a PixArt PMW3552 sensor in our institutional lab. This sensor features an 18 by 18 CMOS pixel grid and is designed to interface
[02:39:20] directly via USB. Speckle patterns are random granular intensity patterns produced when coherent light, such as laser light, is scattered by a rough surface. When an optical mouse is moved over a surface, the speckle pattern on the surface changes smoothly and reliably. That's how mice are now able to scan over glass. The CMOS sensor captures these changes in the speckle pattern
[02:39:49] frame by frame and processes them to detect movement. These movement detection algorithms allow for the translation of data into corresponding coordinate deltas. So, the researchers go into an extreme level of detail which should satisfy anyone wishing to deeply understand their work. Anyone listening who wants more than I'm going to share here on the podcast is invited to follow the links at the end of the show notes which points to
[02:40:18] all of their research including all of the code they developed to pull this off. It's all in the public domain. The important point I wanted to make, however, is that none of this would have even been remotely possible without what we now know of as AI. A crucial aspect of their system's success was that so-called Mic-E-Mouse signal processing chain was their ability
[02:40:47] to retrain an existing OpenAI Whisper model using the X and Y movement outputs from actual mice. Whisper is OpenAI's open-source speech recognition system. It's specifically designed to take input material representing spoken audio and convert it into text. This team was able to cleverly retrain and repurpose Whisper
[02:41:16] to accept incredibly low-quality audio. I mean, you really have a hard time calling it audio, barely recognizable as anything, and obtain up to 65% word recognition accuracy. So, bottom line is we may need to be careful about what secrets we utter around our mice. You may not want to repeat important passwords
[02:41:45] out loud. Your mouse might indeed have very big ears. You know, it's funny, I often, how can I say this without giving away? I often use passwords, oh, let's not show that there. I often use passwords that are lyrics from songs or soliloquies from Shakespeare plays, that kind of thing, and so I'll frequently sing it out loud as I'm saying it. I'm going to have to stop
[02:42:15] doing that. I always get nervous, like, is anybody listening? So I try to hum, hum, hum, hum, under my breath. Wow. And I do, you know, I often buy these gaming mice that have very high resolution rates. We know, Leo, you had the highest frame rate, highest resolution gaming mouse available moment to moment. Only the best. All in the best. Now, to be clear, they'd have to
[02:42:44] get software on your system. Like, they'd have to have a compromise. Yes. But a browser can do it. Oh. Yes. It could be a plug-in, you mean? No, oh, no, a website you visit, because now we all download WebASM. Yep. And that's got all the power that it needs in order to do a high-speed extraction and exfiltration of the movement data. WebASM. WebASM. Wow. We've really made these
[02:43:14] browsers way too powerful. If you can do that, that's scary. That's really scary. Steve, you've done it again, my friend. As always, you're just the best. We do Security Now Tuesday, right after MacBreak Weekly. We try to get in here about 1.30 p.m. Pacific. That's 4.30 Eastern. That's 20.30. Sometimes you need a little time to get your Dungeons and Dragons stuff set up. You saw that, did you? Yeah, I'm working on my character for Friday. We're going to have a lot of fun. By the way,
[02:43:44] if you're not a Club Twit member and you want to watch our Club Twit D&D game on Friday, 2 p.m. Pacific, 5 p.m. Eastern, 2100 UTC, you've got to be a club member. Go to twit.tv slash club twit. That's not the real reason to join. It's a good reason, but the and really your support makes all the difference in keeping these shows
[02:44:13] on the air. So we really would love to have you join. If you're one of those 4,000 people who subscribe to Steve's newsletter, there, but don't join the club, please. Twit.tv slash club twit. Now, let's talk about where you get the show. I did mention we stream it live. That's why I told you the live times. It's in the Club Twit Discord, of course, but many people prefer because Discord is not great on live video to watch on YouTube, so we stream it there. Twitch, we stream on x.com, Facebook, LinkedIn, and Kick.
[02:44:44] So, you know, and you can chat with us in all of those places. I'm watching the chat. We always have very active, especially in this show, very active chats going on on all of those platforms. You don't have to watch live though. That's just if you want to be participating in the latest, you know, version of the show. We make it available online. Steve has copies of the show, 100. He has three unique copies, a 16 kilobit audio version, which is a little scratchy, but it has the merit of being very small, a much
[02:45:13] bigger but much higher quality 64 kilobit audio that sounds even better than if it were recorded on a mouse. It's the 16 bit might sound a little bit like a mouse recording. He also has the show notes, which are great. You can read along. He's got lots of links. The show notes, that's the best show notes I've ever seen for any show, bar none. And, you know, you can get that, download those and download Elaine's transcriptions. Elaine Farris does very nice transcriptions of every show.
[02:45:43] All of those at Steve's site, grc.com. If you go to grc.com slash email, you can get your email whitelisted, just put it in there, and that way you can send him suggestions for pictures of the week. I think that's where he gets a lot of them. You can comment to Steve and so forth, grc.com slash email. And you'll see right below it when you enter in your email, there's two checkboxes, one for the newsletter, that's the show notes every week, that's a weekly newsletter. The other might be important these
[02:46:12] days, it's his announcement email. He's only sent out one in his entire life, but I think another is imminent. The minute the DNS Benchmark Pro comes out, he's going to email all of you, so sign up for that, grc.com slash email, but of course because it's Steve, neither is checked by default. You have to explicitly sign up for those newsletters. While you're there, you might as well pick up a copy of Spinrite, the world's best storage maintenance recovery and performance enhancing
[02:46:42] utility. Even if you paid for it before, do like our listener did and pay for it again. It's well worth it. Steve's bread and butter and it'll save your bacon like it did that father whose kid had lost her hard drive right before the exams. Yikes! grc.com. We have copies of the show, our own unique flavor, 128 kilobit audio, which I admit is audio overkill. Sounds much better than a mouse recording. We also have video
[02:47:12] at our website, twit.tv slash sn. There's a YouTube channel dedicated to Security Now and that we do really for one main reason. You can easily clip and share parts of the show from YouTube. And since everybody, you know, even your grandma knows how to use YouTube, that's a great way to tell people stuff that we talk about. For instance, if your IT department sends you an email saying it's time to change your password every 90 days,
[02:47:42] you might want to send them that little bit of the show explaining it's not necessary, it's a bad idea, bad idea. So use YouTube for that. And of course, if you really care about the show, you'll probably want every episode, right? There's only 1,048. Start your collection now by subscribing to your favorite podcast client and that way you'll automatically as soon as it's ready. And in fact, if your podcast catcher has a review section, leave us a nice review, will you? Tell the world
[02:48:12] about the best darn show. I think this podcast is a must listen for anybody who wants to keep safe and secure on. Steve, have a wonderful week. I'd suggest you watch The Diplomat, but you've already finished it. I did. Now I can't wait for the next one. I will go watch it. I can't wait. It's an alternate universe in which the government works. It's a remarkable thing. It actually committed intelligent civil
[02:48:41] servants are working on our behalf. It's an amazing thing. I love the way. frustrated with it though. Yeah, but I like the new president. I don't know what happened after the last part. Oh boy. Yeah. There's more? Okay. The guy from Spinal Tap had a heart attack. I'll leave you with that. That makes no sense if you don't know what I'm talking about. Thank you everybody for joining us. Have a wonderful week. We'll see you next time on
[02:49:11] Security Now. Bye. What was his name in Spinal Tap? He was the president of the Diplomat, which cracks me up. Yeah. Michael McKean. I can't remember his Spinal Tap. Good memory. Yeah. All right, Steve. Okay, buddy. Enjoy. See you next week on October 28th as we wrap up. Are you going to wear a costume for us? Why don't you wear a hoodie and be a wily hacker? I can change your voice.
[02:49:43] I'll do that. I'll wear my twit hoodie and talk like this the whole time. I can't tell you what I look for. All right. Thank you, Steve. Take care. Bye. Bye. Bye. Security Now.
