SHOW TEASE: It's time for Security Now! I'm back. Steve Gibson's here. And we have a lot to talk about, including a little more information about how Apple's Face ID works. A judge who says, no, the FBI doesn't have to tell you anything about how it unlocked that iPhone. And Moxie Marlinspike in another discovery, this time Signal's the victim. Plus the secret life of bees. It's all coming up next on Security Now!

Transcript of Episode #631

Private Contact Discovery

Description: This week we discuss some aspects of iOS v11, the emergence of browser hijack cryptocurrency mining, new information about the Equifax hack, Google security research and Gmail improvements, breaking DKIM without breaking it, concerns over many servers in small routers and aging unpatched motherboard EFI firmware, a new privacy leakage bug in IE, a bit of miscellany, some long-awaited closing-the-loop feedback from our listeners, and a close look into a beautiful piece of work by Moxie & Co. on Signal.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-631.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-631-lq.mp3

Leo Laporte: This is Security Now! with Steve Gibson, Episode 631, recorded Tuesday, October 3rd, 2017: Private Contact Discovery.

It's time for Security Now!, the show where we cover the latest news from the security front. It is a front. It's a war out there. Thank goodness General Gibson is here, Commander in Chief.
Steve Gibson: Welcome back from your two-week cruise around the world, wherever it was you went.

Leo: No, I just went up the river, that's all.

Steve: Up the river, okay.

Leo: Up the river. But it was a nice vacation.

Page 1 of 32
Security Now! Transcript of Episode #631

Steve: Well, fortunately you came back down the river.

Leo: Yeah, and thanks to Father Robert, who everybody agrees should be hosting the show from now on. It's okay. It's okay. It doesn't hurt my feelings much. But I am glad to be here.

Steve: Well, you did announce you were loving your vacations and your travel.

Leo: I'm not giving up this show.

Steve: No.

Leo: We've been doing this 13 years.

Steve: Yes, we are in our 13th year.

Leo: Unbelievable. And the good news is no security problems at all this week.

Steve: Yeah, yeah. We're just going to...

Leo: Did you see, there's one that just broke that is hysterical. It has nothing to say about it. But Yahoo now admits that every account was hacked. Three billion, with a "B," accounts were hacked in that 2013 exfiltration.

Steve: And I liked your comment on MacBreak Weekly, that that would be the largest ever. And one reason is that there used to be much more concentration into a single provider. And now we have a much more heterogeneous environment, where not everybody is at Yahoo the way they used to be. So I think it is the case that no one outfit will be able to be as devastating.

So Episode 631 today. As I was pulling things together, one interesting bit stood out that acquired the title, which is the reason this is called "Private Contact Discovery." Our friend Moxie Marlinspike and his gang working on Signal have tackled the problem of concealing contact metadata, which is an unsolved problem, really, until now. We've talked, for example, about how, even when, for example, email content is encrypted, the fact of the mail moving from person A to person B cannot really be hidden. And so it's often the case that who you're talking to is as much a useful piece of information and, unfortunately, a breach of privacy as what it is you say. And in the world of instant messaging, which Moxie's Signal protocol addresses - and we've talked about Signal's ratchet mechanism and what a perfect job they have done, so much so that other platforms have adopted the open Signal Protocol for themselves because it's so good. One of the remaining problems has been how does a new person join the Signal ecosystem, or the Signal universe, and discover who in their contacts are other Signal users without the central repository that glues all this together knowing that they've done so, like knowing what contacts they have in common. Anyway, they figured how to do this. So we'll wrap up the podcast talking about that.

But of course we do have our week's worth of news. We're going to talk about - I have to talk a little bit about my experiences with iOS v11. Won't take up much time, but I just want to kind of go on record with what I have found. Also, for a couple weeks there have been a number of stories about various instances of browser hijack cryptocurrency mining. And so I want to talk sort of generically about the emergence of this as a thing and what it means. We have some additional information about the Equifax hack, some amazing coverage thanks to Bloomberg. Google's security research is uncovering new problems. They have also, anonymously, some people at Google have announced some plans for improvements of Gmail security as a consequence essentially of this emerging awareness of how much Russia was involved in this past presidential election. There were some specious rumors, well, actually stories about breaking DKIM, which is the email authentication protocol that we've actually been talking about not too long ago. Turns out it wasn't broken, but we'll explain what happened. Also there's some new concerns over many small servers in routers which are exploitable. And you also were talking on MacBreak about motherboard EFI firmware concerns, mostly focused on Apple, as you said, because the researchers were able to more easily explore various Apple Mac systems and the firmware that they had. But this - we're going to broaden it, of course, for this podcast and talk about also the impact on Windows and Linux-based hardware. There's a privacy leakage bug in IE. We'll do some miscellany. We've got a bunch of interesting, and I think pretty quick, closing-the-loop feedback from our listeners. And then we're going to take a close look at this beautiful work that Moxie and his group at Signal have done in order to protect the discovery of other people in your existing contacts who you want to converse with over Signal without disclosing the fact that you have found them, which turns out to be a much harder problem than one would expect. So I think a great podcast.

Leo: Yes.

Steve: Our Picture of the Week just cracked me up. It caught me by surprise. Someone tweeted it to me, and it's apropos of the data disclosures that we've been having lately. It shows some bees flying around in a hive, and the caption says, "Security Failure: EpiPen's Database of Everyone Who's Allergic to Bees Has Been Obtained by Bees."

Leo: [Laughing] That's good. That's good.

Steve: I just thought it was perfect.

Leo: Oh, you're in trouble now, boy. The bees know who you are.

Steve: Yeah, the bees know who you are. They know how to selectively sting because they only get one shot at that, I think.

Leo: That is funny.

Steve: I thought that was great, yeah.

Leo: Wow.
Steve: So just briefly, on iOS 11, I don't know yet how 11.0.1 compares. But right out of the gate it was the buggiest release of iOS I have ever experienced.

Leo: What problems did you experience?

Steve: Oh, my god. Like everything I tried, every one of my devices - I have, I don't know, like seven pads and my phone - and they were all doing bizarre things.

Leo: Oh, dear.

Steve: Like I remember in iMessage one of the balloons got stuck so that, when I changed to a different message channel, the other ones were scrolling underneath this...

Leo: Oh, I've seen, yeah, I've seen weird cosmetic things like that, yeah.

Steve: Yes. And the dock got stuck on the vertical side. And as I rotated, everything else rotated around, but the dock just stuck where it was. And on one of my pads, whenever the preview, when the screen is locked where you're able to see things, every time I touch it to scroll it, it flashes white really briefly and then kind of settles down. I mean, just if Jobs were still around, heads would be rolling, or they wouldn't have shipped it. I don't know. But, I mean, I was just, you know, I love iOS. I use it as much as I use Windows. And it just completely collapsed.

Leo: So what did you do? Did you roll back?

Steve: No, I just kind of shook the pads more and turned - I often turn them off and back on, and then it's okay for a while. I mean, it's really - and I'm hoping that 11.0.1 that came out, what, late last week, hoping that it's going to be an improvement. And I think it'll take a few times. I mean, it's a big change. And I've heard you loving the Control Center, as I do, too, now that I've kind of got the hang of switching and going to the Control Center and all that. So there's some learning stuff. But the other problem I have, and this is not something they can fix, is it's really slower on older hardware. And so, I mean, again, this is sort of a natural thing that's happening is they're wanting to do more aggressive, deeper features that are inherently synchronized with the ever more powerful chips that they're releasing in their newer hardware.

The problem is they're updating older hardware with the newer software. And for a while I was misunderstanding its lack of response as it wasn't getting my screen clicks. And there is no feedback. It's not like it goes click when you tap the screen. The assumption is its response will be immediate, so you get visual confirmation that you pressed the right thing. And so what I've learned on my older pads that are all now, I mean, I moved to iOS 11 on everything, is you tap, and you just kind of be patient. You wait for a while, and then it goes plink and does whatever you ask it to. But, I mean, it's a noticeable delay. It's beautiful on the latest hardware; but, boy, you can really feel it on the older hardware. So I don't think there's a solution for that. Apple continues to want to be on the absolute bleeding edge with their hardware. They're wanting to leverage the newer hardware. But they're also not wanting, for example, to continue to support iOS 9 or 10 in perpetuity. And I understand that. But, boy, the older hardware just doesn't have the horsepower to keep up with what the latest hardware is doing. You really do need the newer hardware. And of course Apple wants you to buy that because they're in the hardware-selling business, as we know. So anyway, just my few cents' worth on iOS 11. I love what they've done, but you really - and I can see myself maybe moving to a newer phone, not because there's anything wrong with my 6S whatever it is, or 6 Plus.

Leo: Just the speed, yeah.

Steve: It's just getting older, yeah.

Leo: I mean, you look at the benchmarks for the new processor, the A11...

Steve: The 11, yes.

Leo: And it's through the roof. It's almost MacBook Pro speed.

Steve: Yup.

Leo: And there's no real need for that. But, yeah, you have to figure that, once they've got it, people will find ways to use it. We've seen that, remember, with Windows; and we've seen that for years.

Steve: Yes, yes. And I actually think that's one of the things that happened where we were having the audio problems was that we moved - we thought that maybe the old USB interface I was using was getting just a little glitchy. It was 12 years old. I hadn't changed it through the entire life of the podcast. So we switched to a newer, more aggressive interface, and that older machine didn't have the horsepower to drive it.

Leo: Interesting. That makes sense, yeah.

Steve: So, yeah.

Leo: That's the way of the world, alas.

Steve: Yeah, it is. And you know me, I stick with what I've got until I'm finally driven off of it.

Leo: Get off of it. You've got to get off of it.

Steve: I'm now feeling like, well, okay. And I'm sure that the iPhone X is going to be gorgeous. So I will have skipped the 6S and the 7 and the 8 and probably...

Leo: Oh, you're going to see a big difference. Oh, my gosh. You're on a 6?

Steve: Yeah.

Leo: Oh, my. Oh, my.

Steve: And I'm waiting. I click, and I touch and wait.

Leo: Oh, my, yeah.

Steve: Yeah.
So Apple published an interesting security guide for Face ID that didn't have a ton of new information in it, but it was interesting. We know that it employs what they call their "TrueDepth camera system." But one of the things that I appreciated that I want to share with our listeners, because I read the whole thing carefully, is that it demonstrates a truly gratifying focus, if you'll pardon the pun, on security, where things they did demonstrated that, I mean, it was above and beyond. For example, we know that they project an infrared dot grid onto the user's face that an IR camera sees. And they use that essentially in order to put little spots all over the person, like chicken pox spots, in order to use that as part of their recognition. Well, for example, the sequence in which the dots are drawn is device-specific on purpose so that - because what they're doing is they're actually scanning with a dot sequence, and so the camera picks up where each dot is in three space; and the sequence is device specific so that you cannot capture the data from one device and then somehow arrange to play it into another device in order to spoof it. It won't get fooled because the sequence will be wrong. So they use a per-device pseudorandom sequence. I mean, and just that demonstrates, okay, somebody really spent some time to think about how to make this as robust against hacking as possible.

So, and other information, just to sort of assure people, is that it is explicitly local authentication, meaning that the facial recognition stuff never leaves that device. It has this crazy, as we were just talking, this A11 processor with a hardware assist neural network, what they call their "neural engine." And so what do they call it, a "bioneural chip" or something. The reason the bio-ness is in there is thanks to the fact that it uses a neural network as part of the processing of this image data. But, for example, it's been controversial that devices like Amazon's Echo, after you do the "hello" word in order to activate it, then it streams your voice to the cloud for recognition. And so the point is that the phone has so much horsepower, so much processing power, the iPhone X, that it's all done locally. So none of your facial images, none of that that the camera sees during this process, ever leaves the camera. It stays there, and all the processing is done locally.

And then the other thing that they have done, and the way they described it I wanted to quote this because, again, it demonstrates a real thoughtful set of tradeoffs. They said: "To use Face ID, you must set up iPhone X so that a passcode is required to unlock it. When Face ID detects and matches your face, iPhone X unlocks without asking for the device passcode. Face ID makes using a longer, more complex passcode far more practical because you don't need to enter it as frequently. Face ID doesn't replace your passcode, but provides easy access to iPhone X within thoughtful boundaries and time constraints. This is important," they write, "because a strong passcode forms the foundation of your iOS device's cryptographic protection."

And what that put me in mind of was that I had made exactly the same set of tradeoffs in the SQRL client. That is, you are encouraged to create a strong passphrase to authenticate yourself to SQRL. But once you've done so, you are then, within certain conditions, allowed to use a much shorter, in fact, you just use the first N characters of your much stronger passcode to reauthenticate yourself once you have first authenticated yourself. And Apple has done exactly the same thing. For example, we know, we're all familiar with how they handle Touch ID and how you must, if you haven't used a Touch ID-based device for two days, you must then reenter your full passphrase. Well, that has a couple consequences. One is it's good for security. It also keeps you from permanently forgetting what your longer passphrase is, if you're not constantly using your device. So they've done the same sort of thing, even on a device which is Face ID unlocked, so that the passcode is still required in a set of different circumstances: after it's just been turned on or restarted; again if it hasn't been used for two days, for 48 hours; if the passcode hasn't been used to unlock the device in the last six and a half days, so just shy of one week (for some reason they chose 156 hours); and Face ID has not unlocked the device in the last four hours. So again, a set of interesting sort of heuristics that they settled on in order to create sort of a flexible security boundary based on how active you are, but also to continue refreshing your use of your face and your weekly use of your original passcode because that's the ultimate unlock. And then they have more accessible, shorter term unlocks as long as you do it often enough. And I get that because it's the same sort of thing that I have just recently done in order to reach a compromise between having a passcode which is strong enough to be resistant against cracking, yet offers a tradeoff, much as Face ID does, to still allow you to use your device frequently and conveniently every time you pick it up.

And as for this whole one in a million that they're now claiming for facial recognition versus one in 50,000 for Touch ID, it's like, well, I think we'll have to see how that goes. I'm sure people will be experimenting with trying to hack it, much as we saw with Touch ID, where they were immediately using gummi bears and things in order to lift prints and create fake thumbs and so forth. So I think we'll have to sort of see how this plays out. But, boy, I couldn't be happier with the clear attention that Apple has paid to getting this right, right out of the gate. And of course we haven't seen it yet. It'll be some time before we do, I guess. But anyway, very, very impressed. And that grid is 30,000 infrared dots which are used - not just 100, 30,000 - in order to form what they call a "depth map" in order to differentiate your actual physical face from a 2D infrared image. And they also do pupil tracking dynamically to determine that you are looking at the camera, so you can't be looking away or have your eyes closed and have this function. So that's how the kids are prevented from holding Mommy's camera up in front of her while she's sleeping and unlocking the phone. Nope, Mom's eyes have to be open, and they have to be pointed at the phone, so pupil recognition is used in order to verify that your eyes are focused on the device itself. So again, I think they did everything that they reasonably could. We'll have to just see over time how this evolves into the actual user experience.
So in the last couple weeks there has been a number of articles about "malicious" ads doing cryptocurrency mining on users' browsers unwittingly, that is, unknown to the user, when they were visiting a site. And then most recently Showtime, several Showtime domains were found to be also covertly mining cryptocurrency. This wasn't Showtime trying to augment their revenues, this was some bad guys got into the Showtime server and added cryptomining technology to what was produced when a user went to the Showtime properties and downloaded a Showtime page. So, okay. So I just sort of wanted to address the whole idea of this a little more broadly.

So first of all, what we remember from our initial discussion of bitcoin mining is that a variable, we could call it "variable hardness," but it's really a variable probability problem is being solved by a cryptocurrency miner. That is, the idea is a random number is being chosen, and over time the probability of guessing correctly is decreased, making it harder and harder to guess the magic number. And thus miners that have gone from just CPUs to GPUs to FPGAs to custom hardware, they've gotten faster at guessing, the idea being that the probability of guessing correctly is vanishingly small now, so the more times you're able to guess per second, the greater the chance that this diminishing percentage of chance will be correct. And if you guess correctly, you win a coin or a fraction of a coin, and that's changing over time, too. Everybody remembers how, when I first did the podcast on bitcoin, I started up a miner - in fact it was on that machine, Leo, the machine that's now too slow even to run audio for Skype sufficiently well. I woke up the next morning and there were 50 bitcoins sitting there. It was like, oh.

Leo: But that was kind of luck; right? It wasn't that it was working so hard.

Steve: Precisely. Precisely. I didn't expect it.

Leo: It was like a jackpot.

Steve: And it's luck for everybody, and I'm glad you said that because that's exactly what's happening here. So the idea is that bad guys are putting cryptocurrency-mining JavaScript into users' browsers, into ads or stuffing them onto websites that are hackable, like apparently Showtime's was. And they're getting all the visitors of Showtime or all the people who display this hijacked ad to do a little cryptomining for them. And the chances are, I mean, first of all, a browser is a bad miner. I mean, it's like so far down the curve you can't even find it. You don't want to be doing cryptocurrency mining in your browser.

Leo: No, you want custom ASICs and massive GPUs and SLI, yeah.

Steve: Precisely. But it costs them nothing to...

Leo: Well, that's the other way to do it. Go massively parallel; right?

Steve: Exactly. Exactly. And so here's the other problem, and I realized as I was putting this together that I haven't checked in with Mark Thompson...

Leo: I was going to ask, yeah.

Steve: ...who's my good friend and fellow massive miner, because as we know there's been a huge growth in the value, for example, of bitcoin recently. And last time we talked, as I have said on this podcast, you could not mine in California because our power costs more than the electricity required to earn/mine bitcoins. But in Phoenix, for whatever reason, power is cheap. And so it made sense for him to be mining in Arizona, but you can't do it in California. But you can do it under Niagara Falls where, again, power is very inexpensive. And so I don't know how that has changed as bitcoin, for example, has gone crazy in value to the point now where those 50 bitcoins, I really do have to find them because they're now approaching a quarter million dollars' worth of value. Of course, I've...

Leo: What?

Steve: Yeah, it is, believe it or not. It's like $4,300 now for a bitcoin.

Leo: But you don't want to be the guy who had 50 bitcoins and traded in for a quarter of a million when in five years it's worth 100 million.

Steve: That's the problem, too.

Leo: It's like any stock. You've got to know when to sell it.

Steve: But I'm also a Boy Scout. How does that go? Is that the Boy Scout salute? So I will be reporting my bitcoins to the IRS because I'm not going to screw around with that. They're now getting very annoyed with people who are cashing in their bitcoins and not reporting them as income.

Leo: Is it regular income? I guess it is.

Steve: Yeah.

Leo: It's like winning the lottery.

Steve: Exactly. So, yeah. Very much so. So, yes. I'm not in any hurry to do anything with them. But it would be nice to know where they are.

Leo: You should find them. I know I have my wallet backed up somewhere, and I can't remember the password. I only have five, though. If I had 50, I might make more of a concerted effort.

Steve: Yeah, it's a little motivation.

Leo: Yeah.

Steve: So anyway, what I wanted to say to people is that - so what's annoying is that somebody is using your CPU. On the other hand, okay, so are you.

Leo: So is every ad. So is every - yeah.

Steve: Exact- yes. And the autoplay videos, those are pegging people's CPUs just as much as cryptocurrency mining is. So our browsers...

Leo: How much time do you spend on the Showtime site, anyway?

Steve: Precisely.

Leo: Is it the watching a movie Showtime site, or just the logging into Showtime site?

Steve: It was several different domains, so probably going...

Leo: Showtime Anytime or...

Steve: Yeah.

Leo: See, if it was...

Steve: Well, it's probably when you're looking at something in your browser, and they're having a chance to run JavaScript. So anyway, so it's an annoyance. I guess it's not surprising. So I guess the point is that our browsers are hardened against JavaScript being able to hurt us, like as in malware. But they're not hardened against JavaScript being able to do work because, I mean, that's what it's for is doing work. And so they're like, well, okay. Maybe this user is at a website that's going to pay them if their browser scores a coin. No, but it could be. So anyway, that's what's going on with that. It's like, yeah, okay. So, yeah, it's using some of your power and some of your processor. But so are you when you're doing anything. So no biggie, really.
We covered extensively over the years the San Bernardino terrorist attack where Syed Farook had his two phones, and of course Apple famously refused to help the FBI to unlock this phone, which apparently...

Leo: I wonder if they would still have that attitude today. Seriously.

Steve: Really.

Leo: What if the Vegas shooter had a phone?

Steve: Oh.

Leo: Seriously.

Steve: Good point, yeah.

Leo: It would be politically very difficult for them to say no now.

Steve: Really, yes. Yeah, that's a good point. What happened in the wake of this is that the AP (the Associated Press), USA Today, and Vice Media all sued under the Freedom of Information Act (FOIA) in the U.S. for disclosure by the FBI of who it was they worked with and how much they paid because those are taxpayer dollars. And the argument was, hey, this is a taxpayer-funded operation. We want to know. Now, James Comey, as we'll remember, the former FBI director did indirectly disclose that they paid something around $1.3 million for this hacking tool from an undisclosed company. So we really don't know who it was. We never got an exact amount. But these press companies, these press agencies wanted to know. On Saturday of last weekend, a U.S. district judge in D.C., the District of Columbia in the U.S., Tanya Chutkan, disagreed with the suit that was brought by these companies and said, no, the FBI has no obligation, even under FOIA, to make this disclosure. She said in her decision that, "It is logical and plausible that the vendor may be less" - the vendor meaning the one that the FBI paid - "that the vendor, undisclosed vendor may be less capable than the FBI of protecting its proprietary information in the face of a cyberattack." Therefore, an argument for allowing this vendor, who received taxpayer money, to remain anonymous.

She also wrote: "The FBI's conclusion that releasing the name of the vendor to the general public could put the vendor's systems and therefore crucial information about the technology at risk of incursion is reasonable, so they might be subjected to an attack." And then regarding the cost of the hacking tool, Tanya agreed with the U.S. government that revealing the price the government paid for unlocking the iPhone could harm national security, saying: "Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices."

Okay. So translation is the FBI asked to keep this information private, and it got its way. So we're not going to find out who they got it from and what they paid, and that's sort of closed. And remember also that it's not at all clear that even then, if it weren't an iPhone 5c, that it would have been possible to make this happen. What I remember from the time was that it was the fact that it was a 5c that fit together with maybe some known exploits against that particular make and model that allowed a third party to get in and to have a big payday for themselves because this was, as you said, it was at the time very politically sensitive. And you raised a good question, I think, Leo, whether in the wake of the Las Vegas shooting, if a similar thing happened, whether Apple would be able to say no. Or would.

Leo: Be hard for them; right? Be hard.

Steve: Yeah.

Leo: Be difficult.

Steve: Yeah.
Leo: By the way, this just in, and you'll love this, the IRS has just awarded a $7.25 million fraud prevention contract to Equifax so that Equifax will let them know if any refund requests come from compromised Equifax information.

Steve: Boy, talk about making money coming and going.

Leo: But we knew they'd make money on this breach because they were pushing people towards a for-one-year-free identity theft monitoring service, when of course in another year you'd be paying for it. It's just, god, this is [crosstalk].

Steve: I know. So I know that everyone is, like, fed up with hearing about Equifax.

Leo: Oy.

Steve: But while you were on vacation, Leo, I attended a private security conference.

Leo: I heard you say that, yeah.

Steve: Where there was some inside scuttlebutt suggesting that this was looking more and more like a state-sponsored attack.

Leo: You thought it was China.

Steve: Yes, and that seems to be the consensus. That's beginning to surface. And the good news - and there's sort of a mixed blessing that it suggests that, if it's a major actor, they really don't care.

Leo: It's not about credit card for them, credit card fraud, yeah.

Steve: Yes. They don't care about the 143 million of us. What they do care about are specific people who are high-profile targets. And Bloomberg had some fabulous coverage. I'm not going to go through the whole thing because it's long, but the link is in the show notes for anyone who wants more. But I want to give our listeners a sense for just four paragraphs from their coverage.

They write: "Nike Zheng, a Chinese cybersecurity researcher from" - and this establishes sort of the history and the background, which wasn't clear before - "from a bustling industrial center near Shanghai, probably knew little about Equifax," writes Bloomberg, "or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts." Which of course we talked about weeks ago. That's the Java-based server-side platform for developing web applications that Equifax, among many other people, are using.

They write: "Information he provided to Apache, which published it along with a fix on March 6 [2017] showed how the flaw could be used to steal data from any company using the software. The average American," Bloomberg writes, "had no reason to notice Apache's post, but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit," which as we know is a popular free hacking tool. "On March 10th" - so four days after the disclosure - "hackers scanned the Internet for computer systems vulnerable to the attack and got a hit on an Equifax server in Atlanta, according to people familiar with the investigation."

So four days after the disclosure, Apache did everything they could responsibly. They said, "Whoops, we have a problem. Here's the fix." And four days later Internet was scanned; Equifax was identified as a target.

"Before long," Bloomberg writes, "hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery; but, as the attack escalated over the following months, that first group" - get this - "known as an 'entry crew' handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data - Social Security numbers, birth dates, addresses and more - of at least 143 million Americans. By the time they were done" - and here's news - "the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems." Meaning that this initial Apache Struts was just a means of gaining a foothold. And once they did, they established 30 other presences that would protect them in case of the discovery.

So Bloomberg writes: "The hackers were finally discovered on July 29th, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days" - because it was so massively compromised - "while the security team found and closed the backdoors the intruders had set up." And then, finally: "The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack." That is, the people who discovered it weren't the people who continued exploiting. Rather, they found it, and then they basically passed it upstairs to a more sophisticated next-level group, who then crawled inside and began to exploit. They write: "Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at the giant health insurer Anthem" - which of course is, remember, 18 months ago is the reason we first told everybody to lock down their credit reports at the time - "and the U.S. Office of Personnel Management. Both were ultimately attributed to hackers working for Chinese intelligence."

So this is the way these things are now being done. And, I mean, it's not good that 143 million Americans and some Canadian and U.K. citizens had this detailed personal data exfiltrated from Equifax. But as you said, Leo, it suggests that we're not all in immediate threat. It's not as if some hacker was looking, some money-oriented, financially oriented hacker would be selling this in bulk in order to immediately turn it into profit. It seems much more likely that, if this is in fact China, among this 143 million are a lot of, to them, very valuable information, which they could then use for targeting specific individuals. So not good for those targeted people, but somewhat better for the rest of us, we can hope.

Leo: Geez.

Steve: Yeah.
We've talked over the course of the last month or two about the Broadcom firmware problem that essentially beset all of our mobile devices. Both Android and iOS devices were vulnerable. Google and their Pixel devices were first to patch, and patched very quickly. I'm not sure, I don't remember now where Samsung was on this. But we covered several, a series of patches that iOS released and finished with 10.3.3 was the most recent before jumping to 11.0.1. This comes back to our attention because a Google researcher has published a proof-of-concept exploit that is functional against Apple iPhone WiFi Broadcom chips prior to iOS v10.3.3. So the good news is you don't have to update to 11 to be protected against this.

Leo: Is that because Apple discovered it and fixed it? Or just in the process of updating it fixed some issues?

Steve: No. They did discover it.

Leo: They knew about it, okay.

Steve: Or it was reported and fixed.

Leo: Got it.

Steve: So they did it in 10, in 10.3.3. Remember we had 10.3.2, and we thought - and there was some Broadcom fix there. And we presumed that that was this big one. But it turns out, no, it wasn't until 10.3.3, which was the final v10 iOS before jumping to 11. So for people who, for whatever reason, are holding off on moving to 11 - and despite all my complaints, like you, Leo, I really like 11. I'm liking the things that they did, although as I said it comes at a cost of performance on older hardware. But somebody who wants to stay at 10, as long as you're current, which puts you at 10.3.3, then this is fixed. But the significant thing is that now with a public proof of concept, that means anybody who wants to attack a pre-10.3.3 iOS device has a template for doing so, and it is a potent attack. Remember that you don't need to be associated with the WiFi device. Your phone just has to be within range, that is, radio range. Your phone and the attacker's radio need to be able to reach each other, and so you don't have to log in or use a malicious access point. You just have to be able to be enumerated, essentially, by the Broadcom chip. And that's enough for your phone to be taken over. So I imagine, I mean, the good news is Apple pushes these updates out, and so they're really good about keeping their phones' OS current and patching the firmware in the related devices, like this Broadcom chip. But this is something everybody wants to do because it does make the attacks much more likely now.

And I heard you talking on MacBreak Weekly, Leo, about just in general about this evolving awareness of how much Russia had their tentacles into the most recent U.S. presidential election. We've seen news in the press about Facebook taking real steps to understand how much Russia was purchasing ads on Facebook. Twitter has done the same thing, recognizing the extent to which they were unwitting accomplices in Russian involvement. And now Google has said, although it's not official yet, and the Google personnel who have been talking to the press have requested anonymity because the plans are not yet officially public. But Google will be offering what they call the APP for Gmail, the Advanced Protection Program. And the idea is that it is going to be a super secure service that will be an optional feature for Gmail, targeted at corporate executives, politicians, and others with heightened security concerns. And this is probably to keep people from leaving Gmail. Google would like to not have people think, oh, well, it's free, and so it's not very secure. If we really want secure email, we've got to go somewhere else. Instead, Google is saying no, we're going to require two separate physical security keys of some sort. Right now, as we know, they do offer a second-factor technology, for example using Yubico's technology and one of the variants of FIDO as an option. They're going to, as part of this Advanced Protection Program, require two different physical security keys; and no third-party apps will be able to gain access to your Gmail service. So your freedom and your flexibility of what you can do will be dramatically curtailed. But for people who really want security, that's a requirement. You have to silo mail and not allow apps to be able to get access to your account, and then they're going to really crank up the authentication level to create this level of security. Again, no idea when. It's not official yet. And if it happens, apparently it's going to be called Advanced Protection Program. So again, in the wake of what we learned, Google is saying, okay, we're going to provide as much, arguably more security than anybody else, and a lot for a cloud-based service. And I don't know whether it'll be free, or whether it'll be...

Leo: I think it's for the Google Apps owners. It's for G Suite. I don't think it's really for us.

Steve: Ah, okay. That does make sense, yes.

Leo: I think it's for business folk, yeah.

Steve: It does make sense.
There was a bunch of mistaken news, but clickbait headlines, talking about how DKIM had been broken. That's the domain key technology that we've been talking about recently, the idea being that a mail domain - I'll use mine, GRC.com - can publish through DNS its public key. And as it's sending email from its SMTP server, it signs the outgoing mail. That is, it adds a signature using its secret private key to every outbound mail. And then the receiving SMTP server is able to similarly use DNS to get the matching public key and then verify the signature on email claiming to be from GRC.com in order to verify it. This was designed as an antispoofing measure, that is, the idea being that no one could say that email was from Apple.com or Microsoft.com or any major presumably trusted sender. The recipient would be able to verify. And as we said when we were talking about this a few weeks ago, there are some email clients or browser add-ons or email client add-ons that will independently check the DKIM signature. Normally that's done at the SMTP server level, where incoming mail will be rejected if the signature doesn't match.

So what has been claimed in the news recently is that it's been broken. Well, it has not been broken. The crypto is strong and was done right. What was broken is that email itself has always had a problem sort of with its own security. We have this notion of multipart extensions and the concept of a mail envelope, that being the thing, sort of an abstraction of the email content and the headers forms an envelope. Well, that's what the sender's private key is signing. Well, it turns out that it is possible to spoof the signature, that is, to spoof the contents of the envelope so that it's possible to add your own different message, keep the real message from being seen, yet still have the DKIM signature shown as valid despite the fact that what the user is seeing is not the contents of the envelope that was securely signed, but something that a spoofer attached to the email. So the upshot is that the assurance that you believe you're getting from DKIM is bypassed so that, if your email reader is telling you that it's checking the email signature, it could show it being valid, but the contents of what it shows you is not what was signed in the envelope, so it's a spoof attack.

And this is one of the things we're seeing is sort of like, as we keep getting better and better with security, we keep closing loopholes and closing backdoors and getting better, the whole problem of spoofing remains elusive because our clients are still, in this case, still not strong enough to be hardened against that because they're trying to be flexible enough to give us the features that we want in email which were extended over time without thinking about security as closely as they should have been. So anyway, I got a bunch of tweets from people saying, oh, my goodness, DKIM is broken. Well, no, but it is spoofable, unfortunately. And over time I think we'll see that get hardened up. But for the moment, it is the case that someone could send you something where what you see is not what was signed, and therefore it could say anything and cause you to be misled. For example, it could contain a malicious link where you trust the link because you're looking up at your DKIM monitor, and it's saying green. It's saying, yes, this is trusted email. And so you go, oh, fine, and then you click the link, and you could get compromised as a consequence. So, I mean, it's not good, but it is not the case that the DKIM system itself was broken. It was basically just bypassed. Someone ran a bypass.
And, finally, there was another Google researcher sort of got around to taking a look at a very popular small suite of services. It's known as DNSMASQ, D-N-S-M-A-S-Q, DNSMASQ. It's very popular in small networks, in small routers, anything where you have a small footprint server where you want to provide local DNS and DHCP services. So, for example, I mean, it's what we probably have in many of our home WiFi routers or standalone routers. There are lightweight services to provide local DNS caching and lookup and dynamic host configuration protocol, DHCP, which is the obtain IP address automatically service. It's widely used for tethering smartphones and portable hotspots. Many virtual networking virtualization frameworks use DNSMASQ as their virtual machine DNS and DHCP systems. It's supported under Linux, Android, the various BSDs, and Mac OS X. It's included in most Linux distributions, and there are ports for it for FreeBSD, OpenBSD, and NetBSD. So it is widespread and popular. Ubuntu uses it, for example, by default for their services.

So what was found was, I think it was seven or eight remote code execution vulnerabilities, but remote in the sense of remote from the device, not in the sense of Internet facing. These are all local LAN-side attacks so less to be concerned about. It doesn't mean that suddenly there's a new vulnerability for all of our routers that we need to worry about. These are, because these services are LAN-facing for clients on a LAN, clients of a router on a LAN typically, it means that, if you had a malicious device, maybe a malicious IoT device that had been updated with some malicious firmware, it could arrange to execute code on your router. Well, that's not good. That's certainly not good. But it's less bad than if anybody anywhere in the world were able to scan for this vulnerability, which is probably very widespread.

So our takeaway - oh, and this is just yesterday that this came to light. Our takeaway is that, to be looking for firmware updates for our various devices, hopefully people will start pointing fingers at specific vendors. This is just - because this is less than 24 hours old, we don't yet know model numbers and makes and firmware versions and so forth that are vulnerable. I think probably we'll be talking about this next week as more information comes to light. It'd be fun also to find something that can identify whether the routers that we're using are vulnerable. Much as malicious clients could exploit them, we may be able to do that. But they are remote code execution, so what I think we'll need to find is be looking for updates to firmware for the devices we use. And in this case it would be a good thing to apply them because you don't want a single malicious device to be able to take over your router and then potentially have access to both your internal network and open it to the outside world.
And Leo, I heard you talking about the EFI firmware vulnerabilities.

Leo: Yeah. I want to get some clarification from you on that one.

Steve: Yes. So a tech firm has taken a look at the pervasive problem throughout the entire industry. The problem is not just Mac-specific. It's Duo Labs. And these guys took a look at a whole bunch of Mac machines. It was, like, more than - it was tens of thousands of Mac machines. I want to say 43,000.

Leo: Yeah, I think it was something like that.

Steve: Something like that, yeah. And they found, like, an overwhelming number of specific Mac models were vulnerable, meaning that they were running EFI code today with known vulnerabilities. Now, okay. That's not immediately a problem because an EFI vulnerability, first of all, is very difficult to exploit. It's more someone gets physical access to your machine and tinkers with your system in order to get something installed in EFI. So it's difficult to exploit, though very powerful if exploited, but difficult for the average user to deal with because it's sort of - it's preboot. But what it means is that AV software can't really see malware there because it's underneath the OS. And what it enables, what EFI exploits, if they're exploited, enable are virtually undetectable super rootkit-style preboot attacks where power being turned on, before the system boots, EFI is running around setting things up, getting the hardware going, and has full access to the system. It's what then chooses which drive to boot, finds the bootable partition, and loads it into memory and gives it control. So if that's been made evil, that's really bad.

So the problem is that, first of all, there's maybe a lack of focus and attention on this. It's also the case, as you mentioned during MacBreak Weekly, Leo, that attempts to upgrade firmware sometimes fail silently. And once it fails, like it doesn't pass the required checks, there may not be room in available flash memory to install the firmware because a lot of other drivers have been added over time, I mean, there are just many different failure modes. And so it's sort of like, I mean, I have the experience because I have a small iPad where it complains, it was complaining for a while that I couldn't update iOS because there wasn't enough room. Now Apple has solved that by allowing some apps to be removed temporarily to make space for an update, and then they're brought back in, which is kind of a clever workaround. We don't have that capability for EFI.

So as a consequence, what these guys found, what Duo Labs found was that there is a widespread lack of current firmware in Macs, but not only Macs. All they looked at was Macs. But I would argue that, because the general PC market, whether it's running Windows or Linux, has a greater disconnection between the OS and the motherboard. For example, Microsoft doesn't care about EFI because they're providing Windows. Apple cares about EFI because they're selling the hardware and all the software that goes on top. So it's really up to your motherboard manufacturer to deal with EFI, and motherboard manufacturers don't really care that much. I mean, they may have updates, but then it's up to the user to go get them. So we're sort of in a mess with this, which is why it's good that the vulnerabilities, if they exist, are difficult to exploit, and unfortunate that it's difficult for average users to deal with.

The best takeaway I have is that, for the Mac's EFI firmware, there is a free tool that you can use to check what's known about your EFI underneath your Mac. It's called EFIgy as a cute little play on EFI. It's E-F-I-G-Y dot I-O. EFIgy, E-F-I-G-Y dot I-O. That's a shortcut that takes you to a GitHub page where these guys are using an EFIgy API in order to tell users about the state of their firmware. This is still under development, and what we need now is a mature database to connect Mac makes and models to this firmware they should have in order to compare to the firmware they do have. This thing will show you what you do have. It provides a means for gaining some insight into that. And I think over time we'll be seeing this mature. Unfortunately, this is Mac-specific - well, unfortunate for PC users, non-Mac users. It's Mac-specific. All you can really do is take the effort to check in with your motherboard manufacturer and almost, I mean, if you haven't checked for a couple years, and really who does because it's not automatic, check to see. Normally your boot screen will show you what version of EFI you've got while your system is booting. Go to your motherboard manufacturer, see if there's new firmware. The old wisdom I would argue, and this was the wisdom for motherboard firmware, if it's not broken, leave it alone. Well, unfortunately, all EFI firmware is probably broken. It's working, but it's vulnerable now. So we've moved from a world of, if it's not broke, don't fix it, to a, if it's old, it's probably broke, and you don't know it, so it's worth patching it with the latest version. So I think the advice now needs to be specifically - because, as we know, attacks never get weaker, they only get stronger. So it's worth knowing that your motherboard is running the most recent EFI firmware that your motherboard's manufacturer makes. And the good news is...

Leo: You know, the interesting thing on the Mac, I don't think there's any way to manually force an EFI update.

Steve: No.

Leo: It's not like a PC motherboard where you can go to the manufacturer and download the firmware.

Steve: Yes. And that's the perfect segue because I was just going to say that the good news is Apple has responded to the press coverage, and they've said - they're kind of dodging it at the moment because they don't have an answer immediately. But this has shined a bright light on this, and Apple can and probably will take responsibility. So arguably Mac users have a little bit of a spotlight on them at the moment, but Apple can step up and give this better attention. And then you're glad you're a Mac user because Apple can take care of it for you. You'll just get an update, and you won't know why, but things will spin around on the screen for a while and then settle down, and you'll be safe again. So that's good.

Leo: Yeah. They've put that in High Sierra, too. So if you have High Sierra, or you don't have High Sierra, might be another reason to upgrade to the latest version of macOS because there's an EFI checker. They check weekly now.
Steve: Just a real quick little mention of an IE bug. I'm not, you know, IE is sort of, well, I guess those of us who are not yet on 10 are still using IE on everything before - unless we're using Chrome or Firefox or Opera or anything else. It came to light that there is a bug in Internet Explorer's handling of the URL bar. And it's kind of cool and subtle. And again, it's one of those things that everyone is going to jump on until it gets fixed. JavaScript running on any ad or page you're visiting can intercept when you hit the Enter key after entering a new search term or URL as you're leaving that page. Whoops. So it means you're somewhere, and you go, okay, you're done being there. So you type something new into the URL field, either as a URL to go to a website or as a search term. When you hit Enter, before leaving where you are, script on that page can capture what you typed and send it back to the site you were visiting or any of the ad suppliers, which is not behavior that you want. Only IE does this. It's a bug. It'll get fixed. I don't know how soon, probably not by next Tuesday. That's going to be the second Tuesday of the month since today is the first Tuesday of the month. So it seems like that doesn't give Microsoft much time. Maybe they can do it in time. It would be nice. But again, it only affects IE users. But it's the kind of thing that might provide some information the bad guys would want. And if you're using IE, they can get it until Microsoft gets that patched.
I had one little bit of miscellany. Leo, while you were away, two sci-fi shows premiered.

Leo: And I haven't seen either.

Steve: "The Orville" and...

Leo: And "Discovery," yeah.

Steve: ..."Star Trek: Discovery." I was negative about "Discovery" with Father Robert because I'd only seen the first five minutes of it, and it was so painful that I just said, okay, let's switch back to whatever...

Leo: It got a lot of bad reviews, though. It wasn't just you.

Steve: Yeah, I know. And I'm not surprised. I did sit down and watch the whole thing again. I gave it a try. And then I'm remembering how bad the first few episodes of "The Next Generation" were.

Leo: Oh, okay.

Steve: Even with Patrick Stewart and Frakes and the whole, you know, the core crew, it was bad for the first, oh, maybe half a season. They were, like, shouting at each other across the bridge, and Picard was being really annoying. They found their groove, and it was arguably one of the better franchises that we had. So I want to give them the benefit of the doubt. And I also - my plan is to wait for the first season to be finished and then do my CBS All Access and watch, not only all of "Discovery," if I end up hearing that it's worthwhile, but also "The Good Fight," which was the continuation of "The Good Wife" that was on CBS for so many seasons and so worthwhile. And Leo, I didn't make it past 10 minutes of "The Orville."

Leo: Oh, really? Oh, that's the only one I really want to see. But you have to be a fan. If you don't like his humor, Seth MacFarlane's humor...

Steve: Yes. And I recognize I'm very finicky about humor. I like "Seinfeld" and...

Leo: I love "Family Guy," so I think I would like "Orville."

Steve: Give it a try because it certainly is sci-fi setting for that. But it wasn't my kind of humor.

Leo: He's an acquired taste, to say the least.

Steve: Yeah.
I had a really fun story about SpinRite and Drobo from Steven Perry, who's a CISSP, or has his CISSP. He's in Charlotte, North Carolina. And the subject, it was dated email incoming September 28, so just last week, said: "SpinRite Saves a Drobo." And there's an interesting lesson here. He said: "Hi, Steve. Have a SpinRite testimonial for you. You could title this one 'SpinRite Saves a Drobo.' I have a Drobo FS NAS device that is about five years old now. When I set up the Drobo, I made sure that each of the five 2TB WD [Western Digital] Black drives passed SpinRite before they were installed in the Drobo. This past Sunday the first drive bit the dust."

Okay, now, remember, the Drobo is a RAID, so that's okay. You can lose a drive, and it'll say, whoops, we got a problem here, but we can still read all your data. So he says: "I swapped out my spare 2TB drive" - so he had another one standing by, as he should - "that had also passed SpinRite, and during the rebuild process one of the other drives..."

Leo: Oh.

Steve: Yup, "went offline, and Drobo was setting off alerts that too many drives had failed or been removed." That is, the drive just completely died. He says: "I was able to safely shut down the Drobo, remove the drive it thought was missing, run it through a Level 2 pass from SpinRite," he says, "which took 11 hours to complete. The drive was then returned to the Drobo, powered on to find the Drobo was now seeing the drive and was able to successfully rebuild the new drive, and all is good again."

So essentially, as we know, a RAID 5 allows you to lose one drive. Or another way to look at it is any given sector on one drive can be sort of recreated by using the other drives to calculate the lost data in a single sector of one drive. Or you could lose all the sectors of one drive, and then the other drives can be used to calculate the lost drive's contents. That gives you the redundancy of RAID 5. But you cannot lose two. And that's why now we're seeing increased use of RAID 6 because drives have gotten so huge that exactly what happened to Steven Perry is beginning to be seen, and that is the first drive dies, you swap in a good one, and during the rebuild process, where you temporarily have zero tolerance of any failure, another drive dies. And that's why, for example, at GRC I'm running RAID 6. So I've got - it's expensive in terms of you don't get the data now of two drives. On the other hand, you get double redundancy. With RAID 6, I have a four-drive RAID 6, and any two can fail, and I'm still okay. And remember, because we've talked about the Drobo before, although again it's expensive, the Drobo does allow you to use extra redundancy. It'll take away a chunk of your storage; but you can say, no, I need extra, extra safety. Most people don't do that. They figure, as Steve did, hey, I've got RAID 5, and I've got SpinRite. As it happens, thanks to having SpinRite, he was able to recover from that window where there was zero tolerance. He could not afford to lose another drive, and he did. But SpinRite got it back. The Drobo was able to rebuild. Now he's back up to full redundancy.

Leo: And he should turn on the two-drive backup.

Steve: And maybe that would be good.

Leo: I do that on all my Drobos and my Synology, as well. If you have that as [crosstalk]...

Steve: Belt and suspenders. Belt and suspenders and SpinRite.

Leo: Although I suppose three drives could fail. But it gets diminishingly small. We had a funny - go ahead.

Steve: Yeah, go ahead.

Leo: Well, we had a funny thing happen because we had a drive that was a little flaky. We used a Western Digital Gold for rerun playback. And it was flaky. And they pulled it. They were going to get a new one. And then somebody, I think Russell, very sharp-eyed, noticed that the label on the Gold spelled "thailand" with a lowercase "t." It's a made in [lowercase] thailand. And he thought, hmm. We got them on Amazon, but from a reseller on Amazon. And he thought, hmm. So they open it up, and it is a counterfeit Western Digital drive. We bought it on Amazon, but from a third party, not from Amazon directly. And you'd have to look really closely with a magnifying glass to see "Product of thailand." But, wow. I mean, really. So somebody's taking crap drives and just slapping a sticker on them and selling them as enterprise-grade 2TB Western Digital drives.

Steve: Wow.

Leo: So be careful. You know, I've said this - by the way, this is the sticker they put on it so we wouldn't use this, says "Fake News." I mean, you would just assume, well, I got it on Amazon. But really you've got to be careful on Amazon because a lot of times you're not getting it from Amazon, you're getting it from a third party. And it means sometimes getting it on Amazon doesn't mean anything more than getting it on eBay.

Steve: Right.

Leo: And you wouldn't really buy hard drives on eBay, would you?

Steve: No.

Leo: No. It's not that it was made in Thailand CR1, it's that it's a lowercase "t" in "thailand." I had a watch for a long time, a Rolex that said "Made in Jeneva" with a "J." That was how I knew. But it was only $10 in New York. All right, Steve. I think it's time to get to the topic at hand.
Steve: Well, we've got a couple of closing-the-loop bits from our listeners.

Leo: Yes, sir.

Steve: So Mark Havas sent: "Regarding your printing 2FA codes to have them on paper, would you keep the images in a password manager like 1Password? Thanks in advance." And, okay. So it's interesting. I don't understand, and I'm not picking on Mark at all because many people, I mean, he's just asking, but everyone seems so resistant to the idea of printing their QR code for their authenticator. And I don't understand it. It may be that we're all hooked on electronics or automation or cloud or something. But so we just sort of keep seeming to circle around this. I get it that people want a shortcut. They want more ease of use. But offline means offline, not online. If it's offline, it cannot be hacked. If it's online, it can be. So I'm not saying it will be, but it can be. So if you've got all your two-factor authentication QR codes in anywhere online, then Russia has a connection. They may not be able to use it, they may not be able to decrypt it, but online means online. And so I have no problem if people say, oh, well, I want to store them in my password manager. Okay. I'm not storing them in my password manager. While you were talking, Leo, I looked at this question. And I'm not facing them toward the camera, but here's my set of QR codes.

Leo: Where do you stick those, Steve? It worries me that they were that available. Are they just in a pile on your desk?

Steve: Yes, and Russia cannot get them.

Leo: Yeah, but maybe you can't either if you put some more stuff on your desk.

Steve: No, I know exactly where they are. They are offline.

Leo: Yeah. No, that's an excellent point.

Steve: And that's my point. And I'm a little worried about this because SQRL has some of the same imperatives. And it's like, no, write this down once, print this once, because then it's offline. It's like people don't get that anymore. It's like, oh, everything's supposed to be online. It's like, yes, Russia wants that. So okay.
Leo: And I use Authy, which means it's online. But you're absolutely right. I mean, I had a little scare this morning. I got a call from Hover. James, very nice guy from Hover said, "Your account's been compromised, and somebody has changed your email forwarding." I use Hover to forward my email address because they own, they register the domain name. And they added, somebody added another email address. They didn't take the old one out, thank goodness. But I guess the idea was to be surreptitious; right?

Steve: So they were cc'ing themselves on everything.

Leo: They were cc'ing all my email to them. And the idea was that they would then ask for password resets, and they'd get them. And I might notice, gee, there's a lot of password resets, but there always have been. I mean, people are always attacking me. But I have my email address, and they can't get them. So they found it. I guess they had monitoring. I know you were talking last week about monitoring, how important monitoring is. They must have been monitoring, and they discovered the hack. They reversed it and notified me immediately. Hover, God bless you.

Steve: Yup.

Leo: I went and looked, and there was one Twitter reset email an hour before he called. But I have two-factor turned on, so it didn't do them any good. They got my password, but they couldn't get my account because I had two-factor turned on. And it just really underscored for me, not only how important two-factor is but, to your point, how important it is that two-factor be really separate. So if you're compromised in some way - and I'll give you an example. They could have tried to get my Authy login; right?

Steve: Right.

Leo: And then, now, in this case it's fine because Authy uses Trust No One encryption. Only I know the passphrase that unencrypts my Authy database. So even had they, I'd be safe. But if they had - but that's an example. These things cascade. They get your email, and then they can use your email to get something else. And if they were able to figure out what your passwords and your two-factor would be, then there would be no point in having two-factor.

Steve: Well, yes. And as we've been saying, one of the most troublesome things is that email is the typical password recovery system. That is, again, this is one of the tradeoffs that SQRL uses is there's no one to complain to. There's no one to say, oh, I forgot my password. I've lost my identity. I mean, we make it really hard to get yourself in trouble, but not impossible. And there's just - if you want security, then you cannot trust a third party, or they could be subject to a subpoena. So it'll be interesting to see how this plays out. But I've not cut any corners. I've said, no, I'm going to offer the world a truly secure system. We'll see if that's too much for everyone to handle. And it's not like everyone has to. People who are security conscious can choose to do that, and everybody else can continue using their email. But the problem is that, how many times, "I forgot my password." What do they do? They email you a link. Well, if somebody had your email account...

Leo: That's exactly right. That's right.

Steve: ...and they then said they've lost their - they forgot your password, because they're bad people, then you would get a password recovery link which they would grab. They would click on it before you knew any of this was going on and take over your account.

Leo: Yeah. I just - I'm so glad I listen to this show and I have two-factor turned on everywhere.

Steve: Yeah.

Leo: I feel much more secure.
Steve: This is really a quickie. I just got a kick out of this. Jamie, whose handle on Twitter is @LinkLayer, he said: "My CS prof anticipated fuzzing in 1976." We talked last week extensively about fuzzing. And he said: "He said to test input handling with punch cards from the trash and swept up from the floor."

Leo: That's a good idea. Random data.

Steve: It may not be true, or maybe it was. Yes, exactly. Just grab punch cards from wherever you can and feed them into your program and make sure they don't crash it.
Michael Johnson asked, he said: "How about a segment on taking a laptop on a flight out of the USA, working, and returning? What's the best way to do this with no border hassles?" Well, okay. So there are two problems with taking your laptop somewhere. One is the privacy of having its contents somehow exposed. The second is possibly getting it infected and bringing an infection home. So privacy could be obtained using an add-on that we've talked about often, like VeraCrypt, which encrypts the whole hard drive. But the other thing you could do would be to make a copy of the hard drive, if the drive is removable from your laptop. Clone it. And then leave the original drive home, which is the entire state of your laptop before your trip. Then encrypt the one you're traveling with for its safety, then stick it in the laptop and use it. Now you have the benefit of encryption, so only under your control can anyone see into it. And if, while it's decrypted, it were to get malware infected, then the idea is, when you bring it home, you just take it out of the laptop and put it aside. And then, oh, you also want to, depending upon what work you do, put the work up in the cloud before you take the drive out so that you've moved your transient work somewhere safe. Yank out the drive, which is encrypted, which may not be convenient for you normally and might have unknown contents on it. Maybe some foreign government briefly got it at the border and installed some malware on it or something. So the point is you can no longer trust it. Well, you don't have to. So you yank it out of your laptop. You put the drive that stayed home in safety into your laptop. So now you've restored your laptop to exactly the way it was before you ever flew anywhere, or before you traveled. Now, grab the work you did back from the cloud, and you're safe, having essentially removed any possibility, removing the inconvenience of having the drive encrypted if you don't normally want it to be, and any possibility that you brought more back with you than you intended. And, finally...

Leo: Of course, if they put an EFI virus on, you're screwed no matter what.

Steve: Yes.

Leo: In other words, don't let anybody have your laptop.

Steve: Really, if you can avoid it, you don't want to lose control, physical control of your laptop. And I did want to just add, if removing your drive is not possible, then you could use a tool like Image for Windows to take a full drive snapshot to an external drive before your trip. When you get back, and before you hook it to your network - do not hook it to your network - restore the full drive snapshot back to your laptop in order to wipe out anything that may have happened while you were traveling. So that's really the best, I think, you can do. You get encryption to keep anyone who might be curious from poking into the drive; and you're also protected if, while it's unlocked and decrypted, as it has to be in order to use it, from picking up anything malicious.
Many people, naturally, because of the all-time favorite podcast, "The Portable Dog Killer" episode, have been tweeting me and writing to me about the U.S. Embassy in Cuba, I guess it was in Havana, where all of the diplomats are suffering serious hearing loss. And of course they're saying, wow, does somebody there have the equivalent of the portable dog killer technology? And of course, well, no. It's certainly different. Remember that this was high-frequency, but audible to dogs and us, which is why Mr. Archibald heard it when I zapped him with it at the end of the day in the story. Those who don't know what we're talking about may want to look back into and find that episode [SN-248]. But anyway, I just wanted to acknowledge everybody's, I mean, I've gotten so much input from people saying, hey, Steve, looks like they had a version of the PDK. And it's like, well, whatever they're doing is unfortunate and certainly very malicious, to impair someone's hearing by who knows what they're doing. Scary.
James Parsons tweeted: "If SQRL requires a password re-entry every session, it encourages weak passwords, especially on mobile." He says, "Special chars are difficult on phones." Again, I'll just say, because I already did cover this, the long password is only needed once to tell the system you're you, which we have to have to make it hackproof. And then afterwards you do a per-authentication short version. And the good news is everyone will be able to play with this very soon. And as for phones, in the case of Jeff Arthur, who is the author of the iOS client, you do need, again, to authenticate yourself once. But then that enables Touch ID, and no doubt he'll be supporting Face when it comes along. And so then you're able to just authenticate with your fingerprint, just as you would expect. So again, a set of tradeoffs exactly like what Apple has designed is the same thing we're doing for the sake of security and to make it not cumbersome.
I mentioned the payment API a couple weeks ago, and someone tweeted the question, does this mean all adopting online retailers can stop storing our credit cards? Breaches would be far less harmful. No, it doesn't mean that. All the payment API means, which will be coming to all of our browsers, is that rather than us having to redundantly fill out payment forms across the Internet, our browsers can be a secure repository of that information, can contain our billing address, the credit card number, the expiration date and so forth. And the API allows a website to request through an established protocol that information. It'll pop up a standard dialogue which we'll get used to. So the standardization at the user side is very useful, will verify the stuff we're allowing our browser to send, and then just say yes. And that will go then to the remote site in a uniform format to essentially circumvent the whole form fill-out thing. So all it is, is a unification and sort of a standardization of our submission of repetitive similar information to make it secure and uniform to the user and smoother, to smooth the checkout process and the payment process for the website. So it's a good thing. But what the server does, what the remote web server does once it gets the information is still out of our control. For that you need PayPal or some third-party payment processor if you want to keep the sites blinded to that information. But still a very nice thing.
Sonowlet'stalkaboutwhatMoxieMarlinspikeandhisgangwhoaredevelopingSignalhavedone.
Okay.
MatthewGreen,ourfriendandcryptographeratJohnsHopkins,saidofwhatI'mgoingtodiscuss,hesaid:"PrivatecontactdiscoveryforSignal.
Makenomistake,whatMoxieisdoinghereisgoingtorevolutionizemessaging.
"I'vegotalinkforallthedetails,whichI'mnotgoingtogointobecauseit'slots,likepseudocodewherethey'retalkingaboutshowingsamplecodetoimplementthesedifferentthings.
Buthere'swhat'sgoingon.
AsIsaidatthetopoftheshow,werecognizethatit'sonethingtoencryptthecommunications,andadifferentthingtoencryptthemetadata,meaningthatIcouldhaveencryptedemailwhichIsendtosomebody,butthefactthatI'msendingitisnotencryptable.
Theenvelopethatcontainsthemailhastohaveheadersforthedestination.
Andtypicallythesender,inorderforittogofrompointAtopointB,ithastobeaddressed.
Andthisistrueeverywhere.
We'vetalkedabout,forexample,evenhowHTTPS,thestandardencryptedprotocolfortheweb,itencryptsthecontentsandencryptssomeofthemetadata,butnotall.
PeoplestillknowwhatIPyou'regoingtobecauseyourtrafficisgoingthere.
Andinsomecasesthefirstpacketidentifiesthewebsitethatyou'reaskingfor,whichishowtheserverknowswhichcertificatetomatchforyourconnection.
Sothere'sstill-there'salwaysstillsomemetadataleakage.
Thatwasn'tgoodenoughforMoxieandhisgang.
So they said, okay, we need to solve this problem of a new Signal user wanting to find out which people in their own contact list on their phone, for example, are Signal users. How do we do that in a way that leaks nothing, even to the server that is providing the intercommunication? Because, remember, this is all end-to-end encryption, meaning that they've designed a system so that the server is blind to the contents. They also wanted to blind it to this aspect, this social graph metadata.

So one thing they could do, for example, is to hash the phone numbers of everybody in your contacts list. And so what you would be doing is you would be submitting a list of hashes of all the phone numbers. Send them up to the central server, and it then looks through your hashes for the hashes of all the other subscribers of this system for any matches. And if the hashes match, then we know that the phone numbers match. And so that says that you have the phone number in your contacts list that matches another phone number of a subscriber; and so, yay, they're a Signal user, and you could connect to them.

The problem with this is that there isn't enough entropy. There's not enough randomness in a phone number to prevent it from being brute-forced. We know that you cannot go backwards from a hash, from the hash back to the phone number. But you can put in all possible phone numbers and get all hashes that match those phone numbers. And that wouldn't be that hard. There's just not that many phone numbers, and hashing is very fast now, thanks to the cryptocurrency people that have, like, moved all this down to silicon. So it doesn't work to hash a low-entropy item like a phone number and use that for security. It's just not enough security. So Moxie and company understood that.
What they came up with was very clever. Intel has a set of features for everything from Skylake on, which is like three generations ago. Remember, Skylake was the laptop I purchased, my last Lenovo. And the Windows 7 machine that I built a couple years ago when we heard that Microsoft was not going to be supporting the older processors moving forward - or, wait, yeah, was not supporting the - oh, wait, the newer processors on the older OSes. I want to still be using Windows 7 for a long time, but I thought, uh-oh. I've got to get a Skylake processor now, which I did for both my next main machine and my laptop. So Skylake and, what, there's a Haswell and something since.

They all have this, what's called SGX, Software Guard Extensions. And this is very similar to what the ARM guys have built into, known as TrustZone. It's an extension to the Intel architecture which allows the creation of protected software containers. The total size is limited to 128MB, so it's not gigs, but it's still large. And it creates a protected enclave in an Intel chip, much as Apple has done on their iOS devices, where they have a cryptographic enclave where they can store secrets. This is a means, supported since Skylake, for doing the same thing on any of our systems that we have. So it was designed to support DRM, which none of us are big fans of. But the idea was that the actual contents of this region of RAM would be encrypted so that it could not be inspected. If it was inspected from outside the enclave, it would just be gibberish. It would be encrypted. But from code running inside the enclave, inside of this software guard, it would be Intel instructions and data, which could be viewed.

The other part of this is it can be - the technical term is "attested to." It supports attestation so that someone connecting to this from outside, like in the case of DRM, a content provider could be assured that no changes had been made to this software guard extension enclave so that the encrypted data going in is being decrypted and is only going to be played once - not, for example, exported as a torrent and then put on the Internet. So all of this exists and is in place. But this is all client side.
What Moxie and company figured out was that this could also be done on the server side to create a provably trusted, essentially - the term we've used is an HSM, a Hardware Security Module - create a virtual HSM just using Intel chip features to create a container where this hashing could be performed in a secure fashion. That is, a bunch of phone numbers would be hashed, and then that blob would be encrypted to prevent the hashes from being reversed. This encrypted blob would then go in up to the server, up to the Signal centralized server, into the Software Guard Extensions enclave, where it would be decrypted back into a list of hashes.

Now, they worked all this out. The problem is that, even though you cannot decrypt - even though something outside cannot see in, it can detect memory access patterns. So they recognized that that would create, technically, as we know, known as a side channel leak. So just by inferring from the pattern of memory fetches, there's enough information there to leak what's going on inside. So then, and this is where I get into the pseudocode that they show in their coverage of this, they worked out, they carefully worked out a way to sort of design a meta hash matching system that deliberately decouples the work being done to match the hashes with the memory fetches which are used to do the work. And the set of tradeoffs they came up with was one where there's a relatively large setup time, which is required in order to obfuscate where everything is in this scramble. That takes a while. But once that's done you can batch all of the various clients that want to compare their hashes against this master list because it's the master list that needs to be obscured. That can be set up once so it doesn't matter how long it takes. And what they ended up verifying was that they could do - they could essentially scale to over a billion users using this technology, essentially making the algorithm aware of the caching and cache lines, explicitly aware so that it would defeat the ability of anyone outside to observe memory fetch patterns and timing, thus the need to be caching aware, to be able to make sure that cache hit and misses aren't also leaking any information.

And essentially what this means is that Signal users using a Signal server with this technology - oh, and by the way, it's on GitHub. It exists. It's in beta at this point but it is freely published. The idea would be that the Signal server would implement this in the server hardware using Intel software guard extensions, and the client would be able to verify the integrity of this container before encrypting the hashes of its contacts' phone numbers and sending them into the container for decryption and matching and then weeding out. What then happens is what's returned is a subset of the context of the user's contacts, which are a subset of hashes, which are then reencrypted and returned to the client, where it's then able to compare the hashes of all the phone numbers in its contact list to the smaller subset that are Signal users and flag all the contacts, all of the users in the contacts list as Signal users where they are, and then they can connect with them with absolutely zero leakage that any of the user's social graph has been exposed.

So bravo to Moxie, and this is what we want. I'm just thrilled to see this kind of attention being paid to security. Over the course of this podcast we've gone from sort of training wheels security, where it's like, oh, look, it's encrypted, we're done, to oh, no, no, no, it's encrypted and we're just getting started. Because our understanding that encryption is just a small piece of the whole problem has really matured over the last decade plus. Very cool.
Leo: Once again, Moxie Marlinspike to the rescue. Steve, I'm so glad to be back. I missed this show, and I missed the chance to ask you...
Steve: Glad to have you back, Leo.
Leo: ...all the questions about my security woes and share my issues with you. We do this show every, well, actually we're not constrained by time quite as much as we used to, so that's kind of nice. But the theory is we'll do this Tuesdays at 1:30 Pacific. We're a little late, and now you know why we were late. I was busily going through all my accounts to make sure I hadn't been compromised. I didn't want a Mat Honan. I was afraid.
Steve: No.
Leo: Yeah. I tell you, two-factor, baby. If you're not using it, use it. We do this show every Tuesday, 1:30 Pacific, 4:30 Eastern, 20:30 UTC. If you want to tune in live, by all means also join us in the chatroom. They're a great group. MashedPotatoes says nice to have the full moustache back, Steve. Irc.twit.tv for the chatroom. You don't need to have an IRC client; but, by god, if you're listening to this show, you damn well better. I couldn't understand why you wouldn't. You also can get on-demand versions at Steve's site, GRC.com. He has a nice audio version. Plus it's the only place you can get a written transcript of everything Steve says. Does Elaine take out the uhs and the, you know - you don't say "uh."
Steve: I told her to do so, and she balked a little bit 12 years ago because she wanted it to be exactly - I said, "This is not a medical..."
Leo: It's not court. We're not talking court here.
Steve: Right, right, right.
Leo: She's a court reporter. I think that's probably where she gets that.
Steve: And I should mention that her husband is having some medical challenges.
Leo: Oh, no.
Steve: Yeah, Bennett.
Leo: Sorry, Elaine.
Steve: So the transcript, she warned me yesterday, may be not available till the weekend. So I already notified the people in the Security Now! newsgroup at GRC. And it'll probably affect her for the next week or two.
Leo: Oh, I'm sorry, Elaine.
Steve: So it's kind of major, yeah.
Leo: Okay. Well, we're thinking about you.
Steve: Yup.
Leo: She does such a good job. Twelve years she's been doing this. That's kind of amazing.
Steve: Yup.
Leo: She's been doing it almost as long as we have.
Steve: Everyone.
Leo: Just go to GRC.com to find that and all the other great free stuff Steve gives away. And of course his bread and butter, and if you like Steve, support him by buying a copy of SpinRite. You'll be glad you did. GRC.com. It's the world's best hard drive maintenance and recovery utility. Now, we have audio and video. I know I'll never - it baffles me. You didn't understand why we're doing video, I don't understand why we spend all that money on video. But people do like video. And if you want to watch, if you want to see Steve wave and do his "live long and prosper" properly with the thumb out, he does it right, and he does it with the right hand. No, you're doing it with your left hand. Should I do it with my right or my left?

Steve: I don't know.
Leo: Does it matter? I can't do it with my left.
Steve: Unfortunately, yeah, my right hand is behind the...
Leo: Yeah. You could do it with both hands, which shows one thing: a misspent youth. If you want the video go to TWiT.tv/sn for Security Now!. Or I think the best thing to do is subscribe. You could subscribe to audio or video versions in any podcast application: Overcast; Pocket Casts is I think number two after iTunes; Stitcher; Slacker; TuneIn. You can even listen, you know, if you have an Amazon Echo or a Google Home, you can just say, on the Echo, you say "Echo, listen to Security Now! on TuneIn," and you can hear the latest episode. Increasingly, I think that's how people are going to be listening to podcasts at home. It's just asking for it on their Echo or their - it works with Google Home. The syntax is slightly different. I can't remember what it is. Used to be you could watch it if you had an Echo with a screen, but YouTube's turned that feature off. But listening is fine. You could also listen to our live stream if you want to join us live by saying, "Echo, listen to TWiT Live on TuneIn." TWiT Live is the live stream. Does that take care of all of our business? I think it does. I think it's time for me, sadly, to say goodbye, and live long and prosper.
Steve: Well, until next week, my friend.
Leo: What do they say on "The Orville"?

Steve: Luckily, I don't know.
Leo: You have no idea, and you're glad.
Steve: I'm never going to know.
Leo: It's probably profane. Thanks. We'll see you next time on Security Now!, Steve.
Steve: Thanks, buddy.
Copyright (c) 2014 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/