
SN 998: The Endless Journey to IPv6 - AI-Driven Encryption, Session Messenger, IPv6

2024/10/30

Security Now (Video)

People

Leo Laporte
Well-known technology broadcaster and media personality who founded the TWiT network and promotes technology education and security awareness.

Steve Gibson
Cybersecurity expert and entrepreneur who created several influential security tools and podcasts.
Topics
Steve Gibson: This episode discusses Apple's proposal to shorten SSL certificate validity periods and the problems that may follow from it. He also covers the SEC fining four companies for downplaying the severity of the SolarWinds attack, and asks whether AI-driven, local, on-device filtering could permanently resolve the encryption dilemma. He introduces a new messenger app called Session, briefly reviews the EU's software liability initiative and other security news, such as fake North Korean employees found installing backdoor malware, and how to speed up an SSD without SpinRite. Finally, he discusses the internet governance bodies' struggle to migrate the internet to IPv6, and the use of ChatGPT to review code and suggest improvements. Leo Laporte: Leo Laporte mainly discusses the topics above with Steve Gibson and adds some personal views and opinions.

Chapters
Apple proposes reducing maximum web server certificate life to 45 days, citing automation and security benefits. Critics argue this creates new problems and doesn't solve existing issues like certificate revocation.
  • Apple's proposal to reduce certificate life to 45 days
  • Automation as a solution for frequent certificate updates
  • Potential issues with non-web server appliances and legacy systems
  • Revocation challenges and the ineffectiveness of current systems

Transcript

This week on Security Now, Apple wants to shorten the life of your SSL certificate. Steve's up in arms about that.

We'll talk about a very nice new messenger program that Steve says may be better than Signal. And we'll take a look at IPv6. Whatever happened to it? It looks like it's going to be another twenty years. Steve explains why that's okay. It's all coming up next on Security Now.

Podcasts you love from people...

you trust. This is TWiT. This is Security Now with Steve Gibson, episode 998, recorded Tuesday, October 29, 2024: The Endless Journey to IPv6. It's time for Security Now, the show where we cover the latest security and privacy news, keep you up to date on the latest attacks, and we get a little science and health in there as well, because Mr. Steve Gibson is what we call a polymath. He is fascinated by it all.

Hi, Steve. Hello, my friend. Speaking of science fiction, it's not in the show notes, but I am forty percent into Hamilton's Exodus.

And I have to say I'm glad it's long, because it is, it's come together there. There are so many things. I mean, I could talk...

to John Slanina and...

I guess because, oh, wow, he shot through it, and he's reading it again. He said the second time through he knows who the people are. So, because, I mean, Hamilton doesn't write thin sci-fi, but there are so many really interesting concepts, like, and there's no spoilers here, um, faster-than-light travel is never invented. So we never have FTL.

But what we have is, well, okay, also, this is set like fifty thousand years in the future. So we're in an environment where there are the so-called Remnant Wars that have left behind, like, dead planets and derelict, like, hugely up-armored technologies. And we've gone so far into the future that we've lost some of the knowledge that was there during the peak wartime.

So they're, like, finding this stuff that they don't understand, but they kind of, like, you know, give it power and see what it does. And the other thing that's cool is that this one elevated, old, old race created what's known as the Gates of Heaven. And they're, like, gates, which draw on a huge source of energy to bring their ships up to zero point nine nine nine nine light speed.

I mean, like, right up to c, but not quite, because you can't actually, you know, it takes infinite energy to get all the way there. But what that does is it, of course, creates huge relativistic time compression, so that the people who are traveling at point nine of c, you know, it was a one-week trip for them. Meanwhile, four generations are gone.

So, anyway, so I know, but again, it's just, this is a whole nother, he did it again, there's a whole nother rich tapestry of really good hard sci-fi. You know Hamilton's style. And as I said, I'm forty percent in.

I have no idea. You can't even begin to guess what's going to happen. I have no idea what's going to happen, but I do not want it to end, because it's just really solid entertainment.

Books I have pushed my mom. It's like a locomotive, I think, where it starts slow, maybe the first couple of pages that...

we'll spend a little couple, but yeah, you have to hold your breath, and you do want to read the early history, because he, like, summarizes the history...

in a preface. I listened to that, and then I got to the dramatis personae, and I'm listening, yes, well.

on for a while. Oh my god. And people, the problem is you don't have any.

There's no reference point. Everybody is defined in their relationships to each other. So that's like spinning.

But I'm looking forward to it; I just got past that.

So looking forward to it, let me tell you. I mean, since I don't listen, I read, I can't relate to that experience, but where we are is really good. I might get the...

book version of...

it. It is just, I, again, I wasn't gonna start until number two was ready. But John, when John said, "I'm finished and I am reading it again," I thought, okay.

We're talking about, for those just joining us, Peter F. Hamilton, one of our favorite sci-fi...

authors. He...

Archimedes Engine, and it's...

called Exodus; it's a duology. Yeah, and, oh wow, okay. So we've got a great episode. Um, Apple, who's a member of the CA/Browser Forum, has proposed that over time we bring maximum certificate life down to forty five days, at which I say, please, no, don't do it. That's pretty cool.

The SEC has fined four companies for downplaying the severity of the consequences of the SolarWinds attack on them, which is interesting. Google has added five new features, or will be, so a couple are in beta, to a messenger, the Google messenger app, including inappropriate content warnings, which is interesting because, of course, Apple did that a few years ago. Uh, and this brought me to an interesting question, and that is whether AI-driven, local, device-side filtering could be the resolution to the encryption dilemma forever, that is, solve the end-to-end encryption problem.

Anyway, we'll talk about that also. Uh, I tripped over, as a consequence of some news of them relocating, something I've never been aware of before: a very nice-looking messenger app called Session, which is what you get if you were to marry Signal and onion routing from Tor.

That's very interesting. I imagine our listeners are going to be jumping on this. Also, I'll just take a quick look at, uh, the EU software liability moves there.

A couple other people, uh, produced some commentary on what we did. We talked about that last week. We've got fake North Korean employees actually found to have been installing malware in some blockchain stuff.

Also answering a listener's question about whether he needed SpinRite to speed up an SSD. No, you don't. I'll touch on that. Uh, also, uh, using ChatGPT to review and suggest improvements of code. Another thought from a listener. Um, and then I want to spend some time looking at the internet governance that has been trying to move the internet to IPv6 for, yes, lo, the past twenty five years, but the internet just does not want to go. Why not? Will it ever? What's happened?

The guy at APNIC, the Asia Pacific, uh, network registry, has a really interesting take on the way the internet has evolved, such that, well, first of all, from some technology standpoints, we don't actually have the problem anymore that they were worried about needing IPv6 to solve. And why getting to places is no longer about addresses; it's about names. So, oh, and to cap all this off, as I said, we have a great podcast. But this Picture of the Week, OMG, it is, I just gave it the caption "There really are no words," but this is one where you've got to look at it for a minute and just think, oh, what have I...

I haven't looked at it yet. It's on my screen. It's ready to be scrolled up into view. We will do that together in moments, and I can't wait. It's always fun. But we should mention, if you want to get the show notes, the easiest thing to do is go to Steve's site, grc.com, and go to the podcast page. Every podcast has a very nice PDF of show notes, including that image, or go to grc.com/email and sign up for his newsletter. That way you can get it automatically...

ahead of time. I don't know if you looked at the timestamp on the email that you got. It was yesterday afternoon.

So Steve's wife is making him do this, I think. Convinced this, Lorrie said, you've got to get this done, so we can go out to dinner or so.

So by Sunday, late morning, I had finished the project I had been working on, which is the amalgamation of the e-commerce system and the new emailing system. I didn't have them communicating yet, and they had to. So they saw that we didn't have the databases synchronized, right.

And so I thought, okay, I'm going to start working on the podcast. And as it turns out, that went well, that there is lots of material. And by yesterday afternoon, Monday afternoon, I was done. And so I thought, I'm just gonna... Actually, it was eleven thousand seven hundred and seventeen subscribers who got it a day ahead. I've been doing that more...

more lately. So it's worth subscribing.

Yeah, you do really well. And in fact, I'm not going to step on it, but one of our listeners mentioned a benefit of that that hadn't occurred to me before. So anyway, we got a great podcast. Get ready for the Picture of the Week after you tell us who is supporting this fine work, a sponsor...

for this first segment of Security Now. You know, well, we've been with this for many years now, the Thinkst Canary. It's a honeypot. It's kind of appropriate, because one of our very first shows was about honeypots, and we've interviewed Bill Cheswick, who created the first honeypot.

In fact, we did a panel with him in Boston some couple years ago. He wrote the first honeypot. And it was a big, massive effort.

A honeypot is a system that looks like it's valuable, but really is just an attractant to hackers. And when they go to the honeypot, they get trapped, or you get a notification, or something happens. Well, you don't have to be an expert anymore to deploy very, very good honeypots from Thinkst.

Canary. These are honeypots that can be deployed in minutes. They can impersonate anything from an SSH server to a Windows server, to IIS. They can be a SCADA device.

Mine's a Synology NAS. And they really go the extra mile to make these impersonations very realistic.

They look identical to the real thing. My NAS has a Synology MAC address. You know, the first few digits are correct for Synology,

so a wily hacker looking at this isn't going to say, oh, I can tell that's a phony. They don't look vulnerable. They look valuable.

You can also create lure files with the Thinkst Canary, little PDFs or Excels or DOCX files or whatever. And we have some Excel spreadsheets that say things like payroll information, employee addresses. I mean, we're not as blatant as Social Security numbers, but you could be.

The thing is, these aren't real. If a bad guy, somebody accessing inside your network, accesses those lure files, or tries to attack your fake internal SSH server, you're gonna get notifications, and they will tell you immediately you have a problem. Only real, possible alerts, no false alerts, and you get them any way you want: email, text, they support webhooks, there's an API, syslog, whatever works for you.

But it's great because it's a way of knowing that somebody's inside your network. Now, I'm sure you have excellent perimeter defenses. We all do. I do here.

But if somebody penetrates, or maybe you've got a malicious insider in your company looking around, how would you know that they're there? That's the Thinkst Canary. Just choose a profile for your Thinkst Canary device, register it with a hosted console for monitoring and notifications, and then you just sit back and relax.

Attackers who've breached your network, malicious insiders, or other adversaries can't help but make themselves known. They say, oh, I've got to get into that, and immediately you'll get a notification, just a notification that matters.

This is a vital tool for your security. On average, companies don't know that they've been breached for ninety one days. You want to know the minute somebody's in there.

That's why you need this incredible honeypot, the Thinkst Canary. Go to canary.tools/twit. That's C-A-N-A-R-Y dot tools slash...

twit. You know, big companies might have hundreds of them spread out all over the globe. In fact, Canaries are in operation on all seven continents. So that tells you something. A smaller company like ours might just have a handful.

Let's say you need five: seven thousand five hundred dollars a year, you get five Thinkst Canaries, you get your own hosted console, all the upgrades, all the support, all the maintenance is included.

And by the way, if you use the offer code TWIT, T-W-I-T, in the "how did you hear about us" box, that's not a commentary on you, by the way, that's the name of our network, okay, TWiT.

I realize people who listen to Security Now may not know, but put TWiT in there and you'll get ten percent off the price for life. Now here's another thing that'll reassure you if you're going, I don't know, do these things really work as they say they do? And I can vouch for them, but you can always return your Thinkst...

Canaries. They have a two-month, sixty-day money-back guarantee for a full refund, every penny. I have to point out, though, that during all the years TWiT has partnered with Thinkst Canary, all the years we've been doing these ads, that refund guarantee has not been claimed, not once, ever, because once people get this and once they have it, they go, oh, yeah, you have to have this. Visit canary.tools/twit and enter the code TWIT in the "how did you hear about us" box. We thank Thinkst Canary for supporting this show and all their users with an excellent security tool that everybody should have. Now I am going to...

How should I do this? Scroll up first.

Before I show everybody else, I need to scroll up.

Consider what you see.

And the caption is, "There really are no words." I see a fire truck. I see a fire. Oh, dear. Okay, okay, that's good. I'm showing you the picture now, everybody. Steve, you want to describe it for our audio listeners.

So if you, if you were a fire company and you needed to have a hose go across an area where cars would be driving over it, you might... And we've seen this, like with electrical cords that have to go across the floor, you put a protector around it, kind of like a little ramp up and down on either side, so that, you know, you can roll over it, you won't get stuck on it.

Uh, you won't squash it, you know, you'll protect it. So we have that scenario here in today's Picture of the Week for Security Now number nine ninety eight, um, where a firehose is being protected with a similar sort of, uh, little kind of ramps. The problem is they're not being protected from car tires rolling over the hose.

They're being protected from a train. This is crossing a train track. And anybody, you know, who's thought much about the way trains work, you know, they have wheels that have flanges on the inside, which are the things that keep the wheel on the track. And so the last thing you want to do is do anything to force those wheels up out of the grooves.

I think in all likelihood the train would just go right over the top of that and cut it in half.

I don't know.

I...

mean, slice it, right?

Yeah.

Because those wheels are sharp, just cut it. I hope there's a sharp edge, because you would much rather have your hose cut than to have the train derailed, which is the alternative.

Have an emergency to attend to very quickly.

It is unbelievable, unbelievable to me. This looks like maybe, like, England. I don't know why, it has an English feeling to it, but, like, we don't have... It looks like there is a crossing gate, and that the light is over, oh, I know why, it's aimed away from us and it's on the right side; it'd be on the left side if you are driving on the...

left side of the road.

Yeah, so, and it looks like you see white water coming out of the back left.

I see that, yeah. What is that?

We don't know what is going on, but it's not good if any train is going to be coming down the tracks. Good. Holy...

moly. Anyway.

One of our better pictures. I'd just say, with me, what could possibly go wrong? Actually, that would have been a much better caption. That would have been a perfect time for this picture. Okay. So, as our long-time listeners know, many years ago we spent many podcasts looking at the fiasco that was, and sadly still is, certificate revocation, noting that the system we had in place using CRLs, certificate revocation lists, was totally broken, and I put GRC's revoked.grc.com server online specifically for the purpose of vividly demonstrating the lie we were being told, that it did work.

Now, at the time, the OCSP solution, Online Certificate Status Protocol, seemed to be the best idea, where users' browsers would query for OCSP status, like, real-time, you know, and the idea was that you could do it online. The browser could ask the CA, is this certificate I've just received from the web server still good? The problem was it created both performance problems, because of this extra need to do a query, and privacy issues, because the CA...

would know everywhere that users were going, based on their queries back to the CA servers. So the solution to that was OCSP stapling, where the website's own server would make the OCSP query, you know, thus no privacy concern there.

And then, as the term was, staple, meaning, you know, by some means electronically attach these fresh OCSP results to the certificate that it was serving to the web browser, so the web browser wouldn't have to go out and make a second request. Great solution. But it seems that asking every web server in the world to do that was too high a bar to reach, because while some did, mine was, uh, most wouldn't.

So despite its promise and partial success, the CA/Browser Forum, which sets the industry's standards, recently decided, and we covered this a few, I guess, about a month ago, to backtrack and return to the earlier use and formal endorsement of the earlier certificate revocation list system, which would move all of the website certificate checking to the browser. This has the benefit of allowing us, um, to offer a terrific podcast explaining the technology of Bloom filters, which everyone enjoyed.

And that technology very cleverly allows the user's browser to locally and very quickly determine the revocation status of any incoming certificates. Okay. So that's where we are.

Now, when you think about it, for a certificate to be valid, two things must be true. First of all, we must be between the certificate's not-valid-before and not-valid-after dates. And, you know, there must be no other indication that this thus otherwise valid certificate has nevertheless been revoked for some reason, doesn't matter why, and is no longer good.

So the conjunction of these two requirements means that the certificate revocation lists, which are the things that will tell us if there's an exception to the validity period test, only need to cover any certificates that would otherwise be valid, right? This means that expired certificates will be automatically distrusted due to their expiration, and can thereby be safely removed from the next update to the industry's Bloom-filter-based CRL lists.

Okay, so if we want to keep the sizes of our Bloom filter CRLs down, shortening the lives of certificates is the way to do that. Or, you know, if this still doesn't come to pass, because, no, we've been at this for quite a while and we've never got any form of revocation that actually works, so maybe just shortening is a good thing in general.

And this brings us to last week's news of a proposal by Apple, who is, as I mentioned at the top of the show, an active, very active member of the CA/Browser Forum. They're proposing to gradually reduce maximum web server certificate life from its current duration of three hundred and ninety eight days, basically a year plus a month, all the way down to just forty five days. If this proposal were to be adopted, certificates would have their lives reduced in four steps, starting one year from now and ending in April of twenty twenty seven.

It would go this way. We're currently at three hundred ninety eight days. That comfortable three hundred and ninety eight days will be cut nearly in half to two hundred days one year from now, in September of twenty twenty five, then a year, actually a month ago, right, because we're in October here, in a second, anyway. Then a year later, in September twenty twenty six, it would be reduced by half again, from two hundred to one hundred days. And the final reduction would occur seven months later, in April of twenty twenty seven, which would see web server certificate maximum lifespans reduced to just forty five days.

Okay, now, the only reason Let's Encrypt's ninety-day certificate lifetimes are workable is through automation, right? So Apple must be assuming that, by setting a clear schedule on the plan to decrease certificate lifespans, anyone who has not yet fully automated their server's certificate issuance with the ACME protocol, which is the standard that the industry has adopted for allowing a web server to automatically request a new certificate, anyone who hasn't already done that will be motivated to do so, because, you know, the end is coming.

You know, who wants to manually update their certificates every forty five days? Nobody. So the problem is this creates some potential edge-case problems, since it's not only web servers that depend upon TLS certificates. For example, just, I have one of personal interest that comes to mind.

GRC, as we know, signs its outbound email using a mail server that is manually configured to use the same certificate files that are valid for the grc.com domain. That's what you have to do to get DMARC working. And then DKIM and SPF, as we talked about recently, together allow you to obtain DMARC certification.

And then the world believes the email coming from GRC actually did, because it's signed. Well, it's signed with the same certificate that DigiCert created for me for GRC's web server, because it's from the grc.com domain. At the moment, I only need to update the email's copy of those certificates annually. So it's manageable to do that through the email server's UI, which is the mechanism it provides for that.

I don't know what would happen if I were to change the content of the files out from under the email server without it knowing, you know, using ACME-style, uh, updates. For all I know it has private copies of the certificates, which it might be holding open, you know, holding the files open to improve their speed of access, which would prevent them from being changed. There's currently no programmatic way to inform the email server that it needs to change its certs, since this has never been a problem or a necessity until now. Remember, once upon a time there was three years, and way back it was ten years that we had certificate life.

So, you know, it happens that I'm able to write code, so I could see that I might wind up having to add a new custom service to watch for my web server autonomously changing its certificates, then shut down the email server, update its copies of the certs, and restart it. My point is, you know, that's what's known as a royal kludge. And it is no way to run the world.

And make no mistake, my email server is just a trivial example of the much larger problem on the horizon. Think of all the non-ACME-aware or non-ACME-capable, non-web-server appliances we have today that have proliferated in the past decade, and which now also need certificates of their own. What do they do? So perhaps this is the price we pay for progress.

But I question, you know, this brought to mind, I question why this should be imposed upon us. And upon me: it's my certificate. It represents my domain of grc.com. Why is it not also my choice how long that representation should be allowed to endure? Okay, if I'm some big organization like amazon.com, Bank of America, PayPal, where a great deal of damage could be done if a certificate got loose, I can see the problem.

So such organizations ought to be given the option to shorten their certificate lives in the interest of their own security. And in fact, they can do that today. When I'm creating certificates at DigiCert, I'm prompted for the certificate's duration. Three hundred ninety eight days is the current maximum lifetime allowed, but there's no minimum.

And DigiCert supports the ACME protocol, so automation for short-lived certificates is available from them. But why are short-lived certificates going to be imposed upon websites by the CA/Browser Forum and the industry's web browsers? And let's get real here.

As we know, revocation has never worked. Never. It's always been a feel-good fantasy. And the world didn't end when we only needed to reissue certificates once every three years, with no effective ability to revoke them.

Now the industry wants to radically reduce that to every six weeks. How are we not trying to solve a problem that doesn't actually exist, while at the same time creating a whole new range of problems we've never had before? I'll bet there are myriad other instances, such as with my email server, where super-short-lived certificates will not be practical.

This sure seems like a mess being created without full consideration of its implications. Do these folks at the CA/Browser Forum fail to appreciate that web servers are no longer the only things that require TLS connections and the certificates that authenticate them and provide their privacy?

And many of these devices that need certificates for a domain may not be able to run the ACME protocol because, you know, they are DV, domain validation, certs. I dropped my use of EV certificates because that became wasted money once browsers no longer rewarded those websites using EV certificates with any special UI...

treatment. You didn't get the little green glow up there in the UI bar. But I've continued using OV, those are organization validation certificates, since they're one notch up from the lowest form of certificate, the domain validation, DV, certs, which Let's Encrypt uses, because all it's doing is just validating, yes, you're in control of that domain.

But if we're all forced to automate certificate issuance, I can't see any reason then why everyone won't be pushed down to the lowest common denominator of domain validation certificates, the issuance of which Let's Encrypt has successfully automated. At that point, certificates all become free, and today's certificate authorities lose a huge chunk of their recurring business. How's that good for them? And the fact is, simple domain validation provides a lesser level of assurance than organization validation.

So how is forcing everyone down to that lowest common denominator good for the overall security of the world? I suppose that Apple, with their entirely closed ecosystem, may see some advantage to this. So fine, they're welcome to have whatever super-short-lived certificates they want for their own domains. But more than anything, I'm left wondering why the lifetime of the certificates I use to validate the validity of my own domain, in all of its various applications, email and so forth, why that's not my business and why that's not being left up to me.

So if it were Google saying this, I might worry, because Google has the power to force its fait accompli plans all the time. But it's Apple. Who cares? Is there any chance that this is gonna...

come the room yes um remember that apple when we went to three hundred and ninety eight days, they said they would this honor any certificate that had a longer life because well exactly all of their eye devices the certificate has both a not before and are not valid after so if those two dates are further than three hundred ninety eight days apart, apple just says, sorry.

this is not the unilaterally impose a forty five day limit. They would want the brothers, the ca brothers form to agree yes.

And so that's what's happened, is that there's a thread in the other, a thread discussing this, which is suggesting this timeline for bringing IT down to forty five days. And I just I do not see the logic in that. I see huge downside .

currently.

And why is there any of their business? How long I want my certificate to assert G R C. Dot comfort, I will take responsibility for that.

It's in an H S. M. IT is safe. IT. IT cannot be stolen and revocation. You know it's maybe it's gonna coming back with bloom filters. We hope so if the worst happened, we could still revoke. But the idea that that that like I won't be able to purchase A A trust and certificate from A C A longer than forty five days, that's not a good place.

Just what is the rational? What why does apple .

want to make a social IT can only be so that you are constantly having to reserve your your control over the domain and and the certificate.

And so for the health of the internet, then.

Yes, and you see a big problem there. There is no big problem there. When it used to be for three years, everything was just fine. We're still here, and we never had revocation that worked. It wasn't a problem.

So they are solving a problem that doesn't exist with a solution that causes many more problems.

I think they're going to end up... people are just going to say no.

I hope so, because we just...

came down from three years to one year. And at the time, I said the only good thing I could see about this, Leo, is that every three years I'd forgotten how to do it. You know, there was so much time between, I was like, you know, I have to run this through the SSL command line, get a CSR form. And every three years...

and now every year.

Oh, I've got to do this again. But so it has the advantage of, you know, of course, how many times have we seen websites where they're like, whoops, our certificate expired, because, you know, that was three years ago. You know, Paul worked here. Well, Paul's no longer here, and he was the guy who did the certificate, right?

But we still see that. Let's Encrypt has had real success with the scripted... oh my God.

They've taken over the TLS market. It's like three quarters, or two thirds, of all certificates, because who wants to pay? It's like, wait, I can get it for free.

And it's scripted, it's automatic. You don't even have to think about it, and you don't have to worry about Paul anymore, because it just renews every... what...

is it? It's at ninety days. It's ninety days for Let's Encrypt.

I don't see any reason, though, to make it half that. That's crazy.

It is. I don't see it either. And remember, you can still get a certificate, even if you're using Let's Encrypt for your web browsers. You can still buy a one-year cert for other things. And so, like, all the appliances that we have that want to do TLS connections, you can still purchase a longer-lived certificate.

So when I was thinking this through, one possibility would be to allow non-web certs to have a longer life, because in every certificate, yeah, it does state what the uses of the cert are. So automation reissues could have a shorter life. But then it doesn't solve the problem, because if what you're worried about is this certificate being stolen, apparently they are worried about anything with longer than forty-five days being anywhere.

It's like, I just do not understand. I just... and again, why is it their business? We had three years. We had no problems, except, you know, Paul leaving the company.

Did Paul leave...

the company and work half an hour in Leo's...? Let's take a break and talk about the SEC levying fines against four companies who lied.

Oh, shame on them.

You want to do that...

to them? How dare they, those lying liars. Our show today brought to you by Experts Exchange, where the truth reigns. Remember? I did when I met them. I said, I used to use you guys all the time. Well, we're still here, they said.

And we want more people to know about it, especially now, when so much of the information on the internet is crap and so much of it is AI generated. When you have a question about technology, wouldn't it be nice to be in a network of trustworthy, talented tech professionals who can answer your questions, give you advice and industry insights? People actually using the products in your stack, instead of paying for expensive and, honestly, sometimes not so good enterprise-level tech support.

That's what Experts Exchange is all about. It's the tech community for people tired of the AI sellout. Experts Exchange is ready to help carry the fight for the future of human intelligence, because there's a bunch of intelligent humans, experts, if you will, on Experts Exchange. They give you access to professionals in over four hundred different fields.

I'm talking coding, Microsoft, AWS, DevOps, Cisco, on and on and on. And unlike maybe those other sites, you say, well, you know, I can ask questions, you know, on other sites. I won't name names, but... unlike those other sites, there's no snark.

You know, you go to those other sites, you ask a question, half the time they say it's a duplicate of another question. The rest of the time they're saying, well, I wouldn't do it that way. Here's how I would do it.

Or you're a dummy, or they insult you, right? Not at Experts Exchange. Duplicate questions? You are encouraged. There are no dumb questions.

The contributors at Experts Exchange love tech, and they understand that the real reward of their expertise, of knowing deeply, knowing how a Cisco router works, for instance, the reward of that is being able to show your expertise, to pass it on, not to mock somebody, but to say, let me help you, to pay it forward. They love graciously answering your questions. One member said, I never had GPT stop and ask me a question before, but that happens on EE. That's what its friends call it, EE, all the time.

Experts Exchange is proudly committed to fostering a community where human collaboration is fundamental. Humans, they are. I love you, I love you. I mean, really, that's what you want to answer your questions. Their experts directory is full of...

Experts help you find what you need. Steve, you'll be glad to know that Rodney Barnhardt, a regular Security Now listener, is there.

He's a VMware vExpert. Edward van Biljon, who's a Microsoft MVP and an ethical hacker. I was trying to get the pronunciation of Edward's last name, went to his... He's got a lot of really great YouTube videos. And of course he's on Experts Exchange, and he says, this is Ed, or this is Ed. What? He never says his last name.

So Ed is there. Cisco design professionals are there, executive IT directors. That's actually another thing. It's not just technical information. You can get advice on how to run your company.

You can get advice on how to handle employees and motivate them. There are really experts there who love talking about what they do and helping you do it too. And here's something really important.

Other platforms, most of the other platforms, betray their contributors by selling their content to train AI models. Reddit does it. LinkedIn just started doing it. At Experts Exchange,

your privacy is not for sale. They stand against the betrayal of contributors worldwide. They have never and will never sell your data, your content or your...

They block and strictly prohibit AI companies from scraping content from their site for training their AIs. The moderators strictly forbid the direct use of LLM content in their threads.

Experts deserve a place where they can confidently share their knowledge without worrying about a corporation stealing it to increase shareholder value. And humanity deserves a safe haven from AI, and you deserve real answers to your legitimate questions from true experts. That's what you get at Experts Exchange.

Now, they know, you know, there are people like me who have tried it a while ago. They know that maybe you've never even heard of it. So they're going to give you ninety days free.

You don't even need to give a credit card. Three months to try it, to see if it's what you're looking for. I think it is. Ninety days free when you go to e-e.com/twit. That's e-e.com/twit. You know, they've been around for a while. They've got...

a three-

letter dot com domain. Those are rarer than hen's teeth. Visit e-e.com/twit to learn more. Experts Exchange. Thank you, Experts Exchange, for supporting our local expert here, Mr. Steve Gibson, and thanks to you for using that address.

They know you saw it on Security Now. Experts Exchange.

e-e.com/twit. On we go, Mister...

Mister G. So, one of the rules of the road is that companies that are owned by the public through publicly traded stock have a fiduciary duty to tell the truth to their stockholders.

Witness, be nice.

Yes. When something occurs that could meaningfully affect the company's value, yes. For example, on December 14th, 2020, the day after the Washington Post reported that multiple government agencies had been breached through SolarWinds' Orion software, the company itself, SolarWinds, stated in an SEC filing that fewer than 18,000, fewer than 18,000, of its 33,000 Orion customers were affected.

Still, 18,000 customers affected made it a monumental breach, and there was plenty of fault to be found in SolarWinds' previous and subsequent behavior. But they fessed up. They said, okay, this is what happened. But I didn't bring this up to talk about them. I wanted to share some interesting reporting by CyberScoop,

whose headline a week ago was "SEC hits four companies with fines for misleading disclosures about SolarWinds hack," in other words, for misleading the public about the impact their use of SolarWinds' Orion software had on their businesses, and how it might affect, you know, their shareholders' value. CyberScoop's subhead was "Unisys, Avaya, Check Point, and Mimecast will pay fines to settle charges that they downplayed in SEC

filings the extent of the compromise." This is the point that I wanted to make.

The management of companies owned by the public need to tell the truth. So let's take a closer look at this. CyberScoop wrote: The Securities and Exchange Commission, you know, SEC, said it has reached a settlement with four companies for making materially misleading statements about the impact of the 2020 SolarWinds Orion software breach on their businesses.

The regulator charged the four companies, Unisys, Avaya Holdings Corp, Check Point Software Technologies and Mimecast Limited, with, quote, minimizing the compromise or describing the damage to internal systems and data as theoretical, despite knowing that substantial amounts of information had been stolen. In other words, they outright lied to their shareholders. CyberScoop said the acting director of the SEC's Division of Enforcement said in a statement: As today's enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here,

the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of those incidents. As part of the settlement agreement reached, the companies have agreed to pay fines with no admission of wrongdoing. Okay.

So in the first place, they're not having to say we lied. So, okay, so there's that. But then I was unimpressed, frankly, by the amounts. Unisys will pay four million dollars, Avaya one million, Check Point 995 thousand and Mimecast 990 thousand. According to the SEC, by December 2020 Avaya, for example, already knew that at least one cloud server holding customer data and another server for their lab network had both been breached by hackers working for the Russian government. Later that month, a third-party service provider alerted the company that its cloud email and file sharing systems had also been breached,

likely by the same group and through means other than the SolarWinds Orion software. Follow-up investigation identified more than 145 shared files accessed by the threat actor, along with evidence that the Russian group known as APT29, a.k.a. Cozy Bear, monitored the emails of the company's cybersecurity incident responders. So they were deeply penetrated, and they knew it. Despite this, in a February 2021 quarterly report a couple months later, Avaya described the impact in far more muted terms, saying the evidence showed the threat actors accessed only, quote, a limited number of company email messages. Okay, that's a little gray.

And there was, quote, no current evidence of unauthorized access in our other internal systems. Okay. So you could call into question the word "current," right? Um, they knew that those representations were flatly false. Unisys's investigation uncovered that, following the disclosure of a device running Orion, multiple systems, seven network and 34 cloud-based accounts, including some with admin privileges, were accessed over the course of sixteen months.

The threat actors also repeatedly connected to their network and transferred more than 33 gigs of data, but the SEC's cease-and-desist order stated that Unisys had, quote, inaccurately described the existence of successful intrusions and the risk of unauthorized access to data and information in hypothetical terms, despite knowing that intrusions had actually happened and in fact involved unauthorized access and exfiltration of confidential and/or proprietary information, unquote. The company also appeared to have no formal procedures in place for identifying and communicating high-risk breaches to executive leadership for disclosure anyway, and there are similar instances at Check Point and Mimecast. The problem here is I'd like to be able to draw a clear moral to this story, as it sort of started out seeming.

But given the extremely modest size of these settlements relative to each company's revenue, it's not at all clear to me that the moral of our story here is that they should have divulged more during the heat of the moment. The short-term impact upon their stock price may have been more severe than these fines. And coming four years after the event, it's reduced to a shrug.

So I doubt that this outcome will wind up teaching any other companies any important lessons, and any companies that did the right thing at the time and were then punished by their stockholders for telling the truth might actually take away the opposite lesson. Let's just lie, sweep it all under the rug for now. And then if, three or four years later, you know, after we're hit with a modest tax for having done that, you know, the world will have moved on anyway. We'll happily pay it, and we'll have lost less money than if we had told the truth right up front. I mean, that's the takeaway...

from it. It's the cost of doing business. These companies always say, yeah, the cost of lying to our stockholders. Wow.

Okay. So last Tuesday, Google's security blog posted the news of five new protections being added to their Google Messages app. Although Google postings are often a bit, you know, too full of marketing hype for my own taste, I thought this one would be worth sharing, and it's not too long. So Google wrote, and here's the, you know, the marketing intro: Every day, over a billion people use Google Messages to communicate.

That's why we've made security a top priority, building in powerful on-device, AI-powered filters and advanced security that protects users from two billion suspicious messages a month. With end-to-end encrypted RCS conversations, you can communicate privately with other Google Messages RCS users. And we're not stopping there. We're committed to constantly developing new controls and features to make your conversations on Google Messages even more secure and private. As part of Cybersecurity Awareness Month, they're getting in just before Halloween, when it ends,

we're sharing five new protections to help keep you safe when using Google Messages on Android. Okay, so first, we've got: enhanced detection protects you from package delivery and job scams. And I'm going to skip the paragraph describing it, because we all know what it means. You know, they're looking at the messages coming in, and they're going to do some filtering to recognize when this is basically spam, and then flag it, warn you, whatever. Number two: intelligent warnings alert you about potentially dangerous links.

Same thing there. They're getting into your encrypted messaging using, um, device-side AI-powered filters to deal with that. But this was short. They said: In the past year, we've been piloting more protections for Google Messages users when they receive text messages with potentially dangerous links. Again, incoming text messages being examined. They said:

In India, Thailand, Malaysia and Singapore, Google Messages warns users when they get a link from unknown senders and blocks messages with links from suspicious senders. We're in the process of expanding this feature globally later this year. So, there's not much of this year left, so that'll be coming soon to Google Messages for everybody else.

Uh, three: controls to turn off messages from unknown international senders. Another benefit. But it was number four that most caught my attention. Sensitive content warnings give you control over seeing and sending images that may contain nudity. They said: At Google, we aim to provide users with a variety of ways to protect themselves against unwanted content while keeping them in control of their data. This is why we're introducing sensitive content warnings for Google Messages.

Sensitive content warnings is an optional feature that blurs images that may contain nudity before viewing, and then prompts with a "speed bump," is the way they phrased it, that contains help-finding resources and options, including to view the content. When the feature is enabled and an image that may contain nudity is about to be sent or forwarded, it also provides a speed bump to remind users of the risks of sending nude imagery and preventing accidental shares. All of this happens on device to protect your privacy and keep end-to-end encrypted message content private to only sender and recipient. Sensitive content warnings does not allow Google access to the content of your images, nor does Google know that nudity may have been detected.

This feature is opt-in for adults, managed via Android settings, and is opt-out for users under eighteen years of age. In other words, on by default for kids. Sensitive content warnings will be rolled out to Android 9+ devices, including Android Go devices with Google Messages, in the coming months. So I'll get back to that in a second.

The last piece of the five was more information about who you're messaging. Basically, they're allowing an out-of-band, explicit public key verification for messaging, which, you know, other messengers, you know, notably Threema, was a leader in this pack, who were doing, you know, traditional, standard-style cryptography, where we knew what a public key was, and, you know, verifying somebody's shared public key was useful. So that's the fifth thing.

Okay. But I want to get back, as I said, to that fourth new feature, sensitive content warnings. Apple announced their sensitive content warnings in iOS 15, where the smartphone would detect probably sensitive content and warn its user before displaying it.

Despite that potentially privacy-invading feature, which has now been in place for several years, we are all still here, just like we are without certificate revocation. The world did not end. Not only did it not end, you know, when smartphones began looking at what their users were doing, it didn't even slow down. So the idea of device-side image recognition and detection has not proven to be a problem, and Google has clearly decided to follow.

But I believe there may be a larger story here. I suspect that this will be the way the world ultimately resolves that thorny end-to-end encryption dilemma that we've been looking at for several years now. As we know, Apple initially really stepped in it by telling people that their phones would be preloaded with an exhaustive library of the world's most horrible known CSAM, you know, child sexual abuse material.

No one wanted anything to do with having that crap on their phone, and even explaining that it would be fuzzy-matching hashes rather than actual images did nothing to mollify those who said, Apple, thanks anyway. I'll go get an Android phone before I let you put anything like that on my iPhone. Apple received that message loud and clear and quickly dropped the effort.

But then, right in the middle of the various European governments', and especially the UK's, very public struggles over this issue, facing serious pushback from every encrypted messaging vendor saying they would rather leave than compromise their users' security, AI suddenly emerges on the scene and pretty much blows everyone's mind with its capabilities and with what that means for the world's future. If there's been any explicit mention of what AI might mean to highly effective, local, on-device filtering of personal messaging content, I've missed it, but the application seems utterly obvious.

And I think this solves the problem in a way that everyone can feel quite comfortable with. The politicians get to tell their constituents that, quote, next-generation AI will be watching everything their kids' smartphones send and receive, and we'll be able to take whatever actions are necessary without ever needing to interfere with or break any of the protections provided by full, true end-to-end encryption, unquote.

So everyone retains their privacy with full encryption, and the bad guys will soon learn that they're no longer able to use any off-the-shelf smartphones to send or receive that crap. It seems to me this really does put that particular intractable problem to rest, and just in the nick of time. Oh, and one more thing about this. It's foreseeable that the behavior recognition provided by AI-based on-device filtering will eventually and probably, excuse me, inevitably be extended to encompass additional unlawful behavior.

We know that governments and their intelligence agencies have been incredibly arguing that terrorists are using impenetrable encryption to organize their criminal activities, so I would not be surprised if future AI-driven, device-side detection were not further expanded to encompass more than just the protection of children. This, of course, raises the specter of Big Brother, you know, monitoring our behavior and profiling, which is creepy all by itself, and I'm not suggesting that's an entirely good thing, because it does create a slippery slope. But at least there we can apply some calibration and implement whatever policies we choose as a society.

What is an entirely good thing is that those governments and their intelligence agencies who have been insisting that breaking encryption and monitoring their population is the only way to be safe will have had those arguments short-circuited by AI. Those arguments will finally be put to rest, with encryption having survived intact and, arguably, giving the intelligence agencies what they need. So anyway, it just occurred to me, Leo, before now. But it seems to me that that's a powerful thing that AI on the device can do, and it really can and should satisfy everybody. No?

Well, I like Google doing what they're doing, and I think that seems like a sensible plan. Yes. And it, as you noted, is opt-in for adults and opt-out for kids, which is exactly how it should be.

Yeah, yeah. Agree. Yeah. Okay. I stumbled on a surprising app that I was never aware of. So, while we're on the subject of encrypted apps, an app known as Session.

Anybody who is listings live wants to jump ahead, get session. That orgues is the U R, L. An above. As session is a small but increasingly popular encrypted messaging. APP session announced that he would be moving its Operations outside of australia. Get this, leo, after the country's federal law enforcement agency visited and employees, residents and ask them questions about the APP and about a particular user of the APP as a result of that nighttime intrusion, session will henceforth be maintained by a neutral organization based what's are not good. Yes, that's appalling.

IT is IT was like, wow oh you know you know a knock on your door and there's you know australian federal law enforcement saying you work for this sessions company right? So um we need some information about one of your users. Well wait to you here. How impossible IT is for them to answer that question. Four or four media noted that this move signals the increasing pressure on maintainers of encrypted messaging apps, both when IT comes to government seeking more data on APP users as well as targeting messaging APP companies themselves.

They cited the recent arrest telegram CEO in france last August, uh, alex linton, the president of the newly formed session technology foundation, which will publish the session APP from switzerland, told four or four media in a statement quote, ultimately we were given the choice between remaining in australia or relocating to a more privacy friendly jurisdiction such as switzerland. The APP was still function in australia, but we won't. okay.

So I wasn't aware of the session messaging APP at all until I picked up on the news of this departure, but IT looks quite interesting, and I wanted to put her on everyone's radar. IT appears to be what you would get if you were to combine the ultra robust and well proven signal protocol, which session forked on github with the distributed I P hiding tour style union routing, which we briefly discussed again recently. And on top of all, that session is one hundred percent open source.

And as I mentioned, all of IT lives on github. So it's all of this peaked my curiosity. I tracked down a recent White paper describing session from which was written in july of this year.

It's titled session end to end encysted conversations with minimal metadata leakage. And that's the key. The White paper s abstract describes session in a couple sentences. IT says session is an open source public key based secure messaging application, which uses a set of decentralized storage servers and an unending ding protocol to send and and cryptic messages with minimal exposure of user meta data. IT does this while providing the common features expected of mainstream messaging applications such as multiple vice, sinking offline in boxes and voice slash video calling.

Uh, okay, well, I would imagine that the australian feds were probably left quite unsatisfied by the answers anyone knowledgeable of session's design would have provided to them at all. During their visit in the evening, they would have explained that session messaging transport was deliberately designed like chores to hide each n points I P address through a multihull globally distributed server network, and that the entire content of the messages used the triable signal protocol used by signal and WhatsApp to exchange authenticate messages between the parties. And if this did already sound wonderful, listen to the system's mission statement from the White paper 的 introduction。 They said, over the past ten years, there's been a significant increase in the usage of instant messages, with the most widely used messengers each having a mask over one billion users.

The potential privacy and security shortfalls of many popular messaging applications have been widely discussed. Most current methods are protecting user data, are focused on encrypting the contents of messages, an approach which has been relatively successful. The widespread deployment of end to end encryption does increase user privacy.

However, IT largely fails to address the growing use of meta data by corporate and state level actors as a method of tracking user activity in the context of private messaging, meta data can include the I P addresses and phone numbers of the partitions are part participants. Excuse me, the time and quantity of sent messages and the relationship each account has with other accounts increasingly IT is the existence and analysis of this metadata that poses a significant privacy risk to journalists, protesters and human rights activists. Session is in large part a response to this growing risk.

IT provides robust meta data protection on top of existing cypher graphic protocols, which have already been proven to be effective in providing secure communication channels. Session reduces metadata collection in three key ways. First session does not require users to provide a phone number, email address or any other similar identifier when registering a new account, in fact, no identify, i've done instead su danna ious public private key pairs are the basis of an account identity and the old basis.

Secondly, session makes IT difficult to link I P addresses to accounts or messages sent or received by users through the use of an onion routing protocol, same thing toward does. And third session does not rely on central servers, a decentralized network of thousands of economically incentivize nodes performs all core messaging functionality for those services where desent realization is in practical, like storage of large attachments and hosting of large group chat channels. Session allows users to self host infrastructure and rely on build an encryption and meddle a protection to mitigate trust, trust concerns.

And other words, wow, as we know, pull, derail. The telegram guy freed himself by agreeing to were warranted, share I P addresses and whatever other meta data telegram collected with law enforcement. And we know that apple signal and WhatsApp all similarly keep themselves out of hot water with governments and law enforcement by CoOperating to the degree they're able to and they are able to, they're able to provide I P addresses and related party identifiers.

They may not be able to peer into the content of conversations, but the fact of those conversations and the identity of the party's conversing is noble, shared and sharing. And I occurred to me, ah so since I put this down, another perfect example of the power of meta data is crypto currency and the block chain. Much was made of the fact they're oh, it's completely anonymous.

Worry about this. It's just a little. It's just a you you have your, you have your your key in the block chain. All transactions anonymous.

Well, we know how well that worked, right? We're able to to see money moving and perform associations when IT comes out of the crypt to the currency realm. So again, we're not we're not able to see who but there's metadata that's been left behind. Session was created to to as to every degree possible also private meta data leakage.

So I suppose we should not be surprised that the guys who married the signal messaging protocol with tres onion routing to deliberately create a hyper private messaging system saw the clear handwriting on the wall and decided after that visit from their local friends that they would need to move from australia sooner later. So that might well be the messaging APP again, is called a session and is available in several flavors for android and IOS smart phones as well as for windows, mac and linux desktops. From here, IT appears to be a total win.

Establishing an anonymous I did any with a public private key pair is exactly the right way to go, and that's exactly what they do plus much more and will all their source code being openly managed on github? In addition to the thirty four page technical White paper, there's also a highly accessible five page light paper, as they called IT, which Carries their slogan, send messages, not mea data. So the URL once again is get session dog, where you'll find a software download page. It's that get sessions dot org slashed download as well as links to both that five page light paper and the full thirty four page White paper. So IT looks like a complete wind to me.

So I have a couple of questions for you about this prompted by some folks in our youtube chat. We have chat now in eight different platforms. So this i'm trying to monitor IT at all.

They emerged or I have emerged of you. So I can see IT immersion in our youtube set. Chat says, note, the session has removed perfect forward secrecy and deniability from the signal protocol.

And they did that a few years ago. They say you don't need p fs, because that would require full access to your device. And if you had full access, you know really the jackets up no matter what. And deniability is not necessary because they don't keep any metadata about you so that you don't have to worry about that.

Is that seem true to you? I think that's corrected that the concern with perfect forward secrecy y is that the nsa is filling that large server farm.

They say all that.

yes, that massive data, that massive data warehouse. And at some point in the future, if and when we actually do get quantum computing able to break today's current public key technology, then they could retroactively go back and crack that unfortunately or fortunately rather signal has already gone to a post quantum technology.

So the again the the the concern is that you if you're not so perfect forward secrecy, if you're constantly reaching um cuts off somebody who manages to to uh penetrate uh public key technology for the duration of your use of that key that allows them to to get the the symmetric key and developed. That chunk of conversation is not clear at all today whether there's ever gonna be a way to do that, if anywhere, anybody using the signal protocol where you're using both pre post quantum, a public key technology. So so that .

really matter.

They needed to do that in order to add the features that they wanted to do.

right? That makes sense. okay. I think that I mean, the only real disappoint tages that you'll be the only one in your family using IT.

can you? Yes, yes. And so IT would be where you have a situation where where you have some specific people that you want to have A A really guaranteed private conversation with.

You know it's not gonna be like, oh you know what's your signal handle and then you add them to single a to signal. But still for for somebody who really wants you know true uh true private communications. And this goes further now than anything we've seen so far. They've got the state of the art best messaging encryption technology in signal marry to unended ting again and .

no server has the full message. That's the interesting thing.

Right. Yeah, it's completely decentralized.

I think that's so cool. And it always bothered me, Signal wanting my phone number. I just didn't feel like...

Yeah, and I think they announced

they are backing away from that, yeah, with usernames, they're saying.

Yeah, yeah, and it's like, okay. And will it be many-to-many? I know that I was able to have them on one phone and one desktop, but I wasn't able to have it on two phones and multiple desktops. So there are some arbitrary limitations. I downloaded this thing, and it's on all of my phones and desktops, and then they

found it with the same private key. Yes, so you're able to propagate it to other devices.

Yeah, that's cool. Yes, when it's created, it gives you a QR code. It shows it to you in hex and in that word salad form, you know, bunny, go, for, them, on, artistic, areas, and so I copied that and just pasted that into a different device. And it found me, and said here you are, and I got my picture.

Everything worked. I'm going to

install it right now. It's slick. And again, all three desktop platforms, Windows, Mac and Linux, and both phone platforms. Nice. Let's take another break. And then we're going to revisit software liability briefly, and then close the loop and plunge into this question of the future of the Internet. And does anyone even care about IPv6 anymore?

Wow, you know, we used to have Vint Cerf on. He was like, banging the drum. We're going to run out of IP addresses. We're going to run out of IP addresses. It was really interesting

as the chart of US adoption shows, we'll get there.

I can't wait. All right. But right now, a word from our sponsor, the great folks at ThreatLocker.

ThreatLocker is a very, very good way to do endpoint security. And I'll explain how in just a second, but first, let me ask you a rhetorical question, because I already know the answer.

Do zero-day exploits and supply chain attacks keep you up at night? They do, if you are in charge of the network, right? Well, worry no more, because you can harden your security.

I mean, really, with ThreatLocker. Worldwide, companies like JetBlue, for instance, trust ThreatLocker to secure their data and keep their business operations flying high, if you will. The key with ThreatLocker is, this is zero trust, which is such a clever way to handle a very big issue. Imagine taking a proactive, and these are the key words, deny-by-default,

deny-by-default approach to cybersecurity. You block every action, you block every process, you block every user unless authorized by your team. ThreatLocker helps you do that and provides a full audit of every action, which is really great to have for risk management and compliance. Of course, their 24/7 US-

based support team fully supports onboarding and beyond; they'll be with you every step of the way. You can stop the exploitation of trusted applications within your organization and keep your business secure and protected from ransomware, all using a very simple concept, zero trust. And since we were talking about SolarWinds, listen to this, Steve.

Organizations across any industry can benefit from ThreatLocker's ring fencing. Ring fencing isolates critical and trusted applications from unintended uses or weaponization, and limits attackers' lateral movement throughout the network. ThreatLocker's ring fencing was able to foil a number of attacks that were not stopped by traditional EDR.

And specifically, that SolarWinds Orion attack we were talking about, foiled by ring fencing. And if you think about it, that makes sense, because you're blocking that lateral movement without explicit authorization. Oh, and ThreatLocker works for Macs too, so it doesn't matter what you've got on your network.

ThreatLocker can help you keep it safe. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively. ThreatLocker's zero trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. This is such a great solution.

Get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and, at the same time, ensure compliance. Visit threatlocker.com.

Easy to remember: you put everything inside the ThreatLocker, threatlocker.com. We thank them so much for their support. We've talked about zero trust on the show before, and it's clear how this helps.

But now there's an easy way to do it. And by the way, this doesn't have to mean very expensive tools. You should check it out.

It doesn't. It's not just for big companies. You can do it as a small company too, very easily. threatlocker.com. Steve,

you are on. So thank you. The EU's proposed wholesale revision of the software liability issue has, not surprisingly, drawn a huge amount of attention from the tech press. We gave it enough attention here last week, but I was glad to see that I didn't misstate or misinterpret the effect and intent of this new EU directive.

It really is what it appears to be. One reporter wrote about this: the EU and US are taking very different approaches to the introduction of liability for software products. While the US

kicks the can down the road, the EU is rolling a hand grenade down it to see what happens. Under the status quo, the software industry is extensively protected from liability for defects or issues. And this results in, I love this, systemic under-investment in product security.

Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security. And of course, we can only hope. And I also wanted to share part of what another writer wrote, for the record.

He wrote, six years after Congress tasked a group of cybersecurity experts, the U.S. Congress, with reimagining America's approach to digital security, get this, virtually all of that group's proposals have been implemented, but there is one glaring exception that has especially bedeviled policymakers and advocates: a proposal to make software companies legally liable for major failures caused by flawed code.

Software liability, he writes, was a landmark recommendation of the Cyberspace Solarium Commission, a bipartisan team of lawmakers and outside experts that dramatically elevated the government's attention to cyber policy through an influential report that has seen roughly 80 percent of its 82 recommendations adopted. Recent hacks and outages, including those at vendors like Microsoft and CrowdStrike, have demonstrated the urgent need to hold software companies accountable, according to advocates for software liability standards. But despite the Solarium Commission's high-profile backing and the avowed interest of the Biden administration, this long-discussed idea has not borne fruit.

Interviews with legal experts, technologists and tech industry representatives reveal why: software liability is extremely difficult to design, with multiple competing approaches, and the industry warns that it will wreck innovation and even undermine security. Jim Dempsey, senior policy advisor at Stanford University's program on geopolitics, technology and government, said, quote, the Solarium Commission and Congress knew that this was going to be a multiyear effort to get this done. This is a very, very, very hard problem.

A recent spate of massive cyberattacks and global disruptions, including the SolarWinds supply chain attack, the MOVEit ransomware campaign, the Hafnium hacks, the CrowdStrike outage and Microsoft's parade of breaches, has shined a spotlight on the world's vulnerability to widely distributed but sometimes poorly written code, Dempsey added. Quote, there's a widespread recognition that something's got to change. We're way too heavily dependent on software that has way too many vulnerabilities, unquote. The software industry's repeated failures have exasperated experts, who see little urgency to address the roots of the problem, but bringing companies to heel will be extremely difficult.

An associate professor at Fordham University School of Law, who specializes in cybersecurity and platform liability, said, quote, we have literally protected software from almost all forms of liability comprehensively since the inception of the industry decades ago. It's just a golden child industry. Virtually all software licenses contain clauses immunizing vendors from liability.

Policymakers originally accepted this practice as the cost of helping a nascent industry flourish, but now that the industry is mature and its products power all kinds of critical services, it will be an uphill battle to untangle what Dempsey called, quote, the intersecting legal doctrines that have insulated software developers from the consequences of the flaws in their products. So Leo, we on this podcast certainly have not been alone in just observing, over the last 20 years that we've been doing this, that this is wrong.

This has to change, but also, change is hard. In other words, IPv6. No. Okay. One last little point that I thought was interesting. As we know, a recurring event in security news recently has been the industry's inadvertent hiring of fake IT workers.

Generally those purporting to be domestic, but actually, it turns out, working for North Korea, or at least North Korean interests. Hopefully this has not been happening for long undetected, since there really seems to be a lot of it going around. Maybe we're just suddenly shining a light on it.

So we're seeing a lot of it. I shared the hoops that I had to jump through recently during that one-way video conference with a digit agent, following his instructions as I moved my hands around my face, you know, just holding up the government-issued ID card and demonstrating that I was me. As far as I know, the coverage of this has not actually revealed, that is, the coverage of the North Korean identity

spoofing hasn't actually revealed any malfeasance on the part of these North Korean employees before now. It is certainly illegal to hire them, but you know, they were faking their identities. It turns out that changed.

The creator of a blockchain known as Cosmos, the Cosmos blockchain, has admitted that the company inadvertently hired a North Korean IT worker. The company said the FBI notified the project about the North Korean worker, but get this, the individual at the company who received the notification did not report the incident to his managers.

What. And moreover, Cosmos says that the code contributed by the North Korean worker did contain at least one major vulnerability. The company is now performing a security audit to review all the code for other issues. So we can only hope that these now continuing revelations will lead to many more real-time video conferences, such as the one that I had, to prove that I was actually me. You know, just forwarding a file with some headshots, that's not going to do it any longer. Oh, as I mentioned at the top, a listener suggested something I hadn't thought of before. His name is Brian. He said, please add me to your Security Now podcast GRC list.

He said, I'm an occasional listener and appreciate all of the information and tips shared. Regards, Brian. That's all he said, but I wanted to share this because Brian is a type of listener who can obtain value from GRC's weekly podcast summary mailings, one I'd never considered. I often do hear from listeners who have fallen behind in listening, or who aren't always able to find the time to listen. So Brian's note made me realize that the weekly mailings, which, as I said at the top of the show, went out to 11,717 people yesterday afternoon in this case, can come in quite handy when making a determination about how to invest one's time. You look at the list, you go, oh, look, there are a couple of things here that I want to hear about, and then you grab the podcast. So thank you, Brian, for the idea.

And it's good for us to remember there are people who don't listen to every single show. Yes, I think that's an excellent point.

And in this day and age, there is a lot of competition, for sure, for time and attention.

It always worries me, you know, that people would give up on the show if they couldn't listen to every one. You know, I stopped subscribing to the New Yorker because of it being such a big pile of magazines, and there's this guilt, like you have to read every issue instead of just stepping into it. So don't feel guilty, it's okay, and that

listen to every episode, right? And by the way, if you subscribe to the GRC list, you know, just go to grc.com/mail and sign up, add yourself to the Security Now list. We have two: one is only for Security Now listeners, and the other is just general GRC news. I'm sure that I'll be talking about anything I'm doing at GRC. Oh, speaking of which, I forgot to mention that, because I finished the podcast yesterday afternoon,

yesterday evening I updated GRC's technology for four digits of podcast numbering. So when we go from 999 to 1000, everything should work smoothly. So that is now in place.

So, okay, two more pieces. Martin in Denmark said, hi Steve, love the podcast, been with you guys from episode zero. Unfortunately, I do wish we had started at zero. Leo, it just didn't occur to me, you know, we were green

back then, newbies.

I thought, we're never going to get to 999. We're not even going to get to 300. So here we are.

But I just want to point out, as a coder, there's a language that I love in every respect called Julia. My biggest complaint is that its arrays are indexed from one, not zero. And I feel like, I'm sorry, I just can't do that. I just can't do that. In every other respect, a wonderful language. But that's a bridge too far.

Yeah, it's supposed to be an offset, not... is that a number or an offset?

Right, right.

Oh, well, so Martin in Denmark says, I have a question about the stuff SpinRite does when, quote, speeding up an SSD,

unquote. Is that, my computer's due for a reformat and a reinstall of Windows. Windows is slowing down as it does. But it seems worse than usual, he has in quotes. So I think my SSD could use a little help since I'm going to nuke the drive anyway. Is there a way to do the same stuff that SpinRite does without SpinRite? He said, I assumed that using Windows Installer or diskpart to clean the disk just wipes the file system slash partition table and does nothing else.

Am I right that a poor man's solution would be to delete the partitions on the drive and make a new one, and then fill it with random data? I don't own SpinRite, he said, for monetary reasons, and was just wondering if there is another way, as I don't care about the data on the drive. Regards, Martin in Denmark. So here's what I wrote in reply to Martin's email, which was written to me at securitynow@grc.com,

which is the way anybody who is registered with GRC's email system is able to send me email like I just read. I wrote, hi Martin. You don't need SpinRite for that at all.

The only magic SpinRite does, aside from perhaps helping hugely to recover from any trouble encountered in the process, is rewriting the data on an SSD. But it's the writing, not the rewriting, that's the key here.

So if you're going to be reinstalling Windows, that act of reinstallation will inherently be overwriting. And it's the writing which is the goal. And I said, we've discovered that SSDs can grow surprisingly slow, without otherwise complaining, as the years go by without regions of their media ever being rewritten.

SpinRite makes refreshing an SSD with its data in place easy, but if retaining an SSD's current data is not needed, then neither is SpinRite. A standard reinstallation of Windows will entirely do the trick for you. So just a heads up. Anybody else may be in Martin's situation.

You know, I'm happy to share that. We're seeing example after example of people saying, oh my God, I can't believe how much faster my laptop is after I ran SpinRite over it.

So it is certainly easier to do that in a couple of hours than to reinstall Windows. But Martin wants to do that anyway. Oh, I forgot to mention that he got the show notes yesterday afternoon.

He saw my reply in the show notes, and he wrote back and said, just wanted to let you know, I reinstalled Windows and, oh my God, is it faster. He said, it is way more faster than I expected it to be. So indeed.

He's in the YouTube. He's watching on YouTube, right, he's in the chat. He said, that's my question.

What time is it in Denmark

right now? Yes, pretty late, almost midnight.

Okay. And our last bit of feedback, Alan Guyer. Oh, and Leo, he is a fellow ham.

K6ACG is his call sign. He said, hi Steve, I'm really liking the emails versus X. Thank you for switching.

He said, I do lots of Python programming and really like the code creation process, so I don't use ChatGPT to write my initial code, but I use it after I've written a function. I just paste it in and ask ChatGPT to describe what it does. If I like the result, I ask it if there is any way to improve the code I've written.

He said, I do have my ChatGPT customized so that it prefers readability, descriptive function slash variable names, et cetera, over shorter or potentially more cryptic code. This process fits well into my development flow and results in higher quality code. He said, I hope this can help other people.

It's been working well for me. Alan. Okay. One of the things coders are always being told is that there is no better way to improve one's craft than to spend serious time reading other people's code. Successful novelists will have always spent their early lives reading other people's novels, and music composers grew up listening intently to endless compositions that preceded them, so it should be no surprise that reading others' code would be every bit as valuable to coders. It's for this reason that I think Alan's idea is very interesting and useful.

ChatGPT has already been trained by reading vast quantities of other people's code, so I think it absolutely makes sense to ask an AI like ChatGPT whether it can see any way to improve upon code that was just written. And that appeals to me far more than asking it to do the work first. If you're coding for the sheer pleasure of doing so, as certainly Alan has said he is, and as I do, then don't give that up, but then also take the opportunity to learn by testing your creation against the distilled wisdom of everyone who previously posted their code to the Internet and influenced ChatGPT's training model. I think that makes a lot of sense. Yeah, in fact,

what I do, when I do, is coming up, by the way: Advent of Code, December first, our annual 25-day coding challenge, which I've yet to finish. I made it to day 22 last year. I'm hoping to get to 25 this year. But one of the things I often do is, I try to write it first without looking at anybody's code.

But then I look at all the other people who solved it, and look at ways they solved it, and very often get great ideas, great insights. And if I can find some people doing it in Common Lisp, there are a handful, I love looking at how they do it, because really, that's been the best way to improve my Common Lisp, to look at these masters, the graybeards, and the stuff they do.

It's very amazing, not just clever, but really smart. I love it. Yeah. Would you like to take a break before we get to IPv6? IPv6.

Let's do it. So we won't interrupt this like we did last week. And I think everyone's going to find this really interesting. There are some new thoughts in here that are intriguing.

Well, I mean, every device I have now pretty much will handle IPv6, and I can use IPv6 addresses and so forth. But there doesn't seem to be the same pressure to give up

IPv4. There was... less than half of the top 1,000 websites today can be reached by IPv6. Interesting, less than half of the

top 1,000. Yeah, and I've got lots more. As before, Vint and others did not anticipate the success of carrier NAT and ISPs using that at their end.

Yeah. So anyway, we'll get to that in a second. But first, a word from our sponsor for this part of Security

Now, brought to you by those great folks at 1Password. I want everybody to know about 1Password, but 1Password has a new thing that is so cool. It's so smart. Let me ask you a question. This is such a dumb question. I love it every time I ask it: do your end users always work on company-owned devices, right, and use IT-approved apps, right? They never bring their own phone and

laptop into the office, right?

So obviously they don't, right. So how do you keep your company's data safe when it may be sitting on unmanaged apps and unmanaged devices? 1Password has an answer that's really cool.

They call it Extended Access Management, XAM. 1Password Extended Access Management helps you secure every sign-in for every app on every device. It solves the problems traditional IAM and MDM just cannot touch.

If you think of your company's security as the quad of a college campus, there are the nice brick paths between the buildings: the company-owned devices, the IT-approved apps, the managed employee identities. It's all nice and perfect, right? But there are always the paths

people actually use, the shortcuts worn through the grass. They're not dumb; those are actually the straightest line from building A to building B.

People are going to do what people are going to do. This is like one of your pictures, Steve. Those are the unmanaged devices, the shadow IT apps, the non-employee identities like contractors on your network.

And most security tools think we live in this world of happy brick paths, but a lot of security problems take place, let's face it, on the shortcuts. That's why you need 1Password Extended Access Management.

It's the first security solution that brings all these unmanaged devices and apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. It's security for the way we really work today, and it's now generally available

to companies that use Okta or Microsoft Entra for authentication. It kind of adds to it. And in beta for Google Workspace customers. I think you need to check it out. Go to 1password.com/securitynow. That's the number one, P-A-S-S-W-O-R-D, 1password.com/securitynow. 1Password Extended Access Management. It's really an idea whose time has come. Now, speaking of an idea whose

time hasn't come.

Keeps coming, but hasn't arrived. IPv6, Steve. Okay.

So I know the majority of our listeners need no introduction to the difference between IPv4 and IPv6, but I want to share some of a wonderful recent blog posting made by APNIC Labs. And since it assumes complete comfort with IPv4 versus IPv6, I want to first share a very quick orientation.

IP stands for Internet Protocol, and version 4 of the Internet Protocol is the original version that took off and became the worldwide standard by the mid-1990s. The folks who created this first successful Internet were already starting to worry about its growth, because the growth was exponential at that point. So they started working on its successor replacement, which became known as IPv6, or version 6 of the Internet Protocol. Although IPv6 changes a bunch of sort of insignificant things from IPv4,

the most prominent and significant is addressing. Internet addresses are expressed by a set of binary bits, and any set of binary bits can only have so many possible combinations. The original IPv4 protocol uses 32 bits. The original

dotted quad is four 256s, or four

sets of eight bits. Exactly. So back before the Internet happened, when it was still just a what-if experiment, it was believed that these 32 bits, which allowed for 4,294,967,296 individual Internet addresses,

you know, never more.

That no, almost 4.3 billion. Get serious, right? I mean, what we have, we have five mainframe computers

to something. What you can't anticipate is that Leo Laporte would have a hundred IP-

addressed devices in his house. So that's true, right? So, you know, they thought that would be more than ample. Okay. But as we're going to find out today, around 20 billion devices are attached to the Internet, and many people feel that the Internet is in trouble.

If anyone wonders how this is possible, consider the number of Internet-connected devices in the average home, to your point, Leo, and thanks to the miracle of NAT routing, Network Address Translation, NAT, they're all able to comfortably share the household's single ISP-assigned IPv4 address. So the way to think about this is that the IPv4 protocol also set aside 16 bits for port numbers. Thus, at any given 32-bit IPv4 address, an additional 16 bits are then used to specify the port number at that address.

So when you think about this, if you think about the Internet as publicly addressing by port number rather than by host IP, port-based addressing yields an effective 48 bits of total addressing: 32 bits for the IP, plus 16 bits for the port at that IP. Thus, what NAT routing does is borrow bits from IPv4's port numbering and reuse them as additional addressing bits. This works, but it really upsets the Internet purists. These guys hate the idea with a passion, because, no, they just say, that's not the way we designed

it to work. I don't know.

They're not happy. In fact, I've got some quotes from them here. They are not happy about that. So okay, refocusing on today's topic. Everyone agrees that IPv4 is being stretched and stretched, way past its expected end of life.

But why, with IPv6 around since the 1990s? So what's the holdup at this point? Two podcasts away from episode 1000.

Would any of our listeners be surprised to learn that it's nothing more than resistance and inertia, and the fact that port addressing works well enough? Okay. So first of all, who are the people who wrote this blog posting?

What is APNIC? APNIC is the regional Internet address registry for the Asia Pacific region, thus APNIC. It's one of the world's five regional Internet registries, abbreviated RIRs.

So we can think of this as where the IP address assignments come from, because, well, it's where they come from. So here's what the guys in charge of the IP address space have to say as of one week ago, last Tuesday, when this was written. And since Geoff writes in the first person, it only seems right to introduce him by name as Geoff Huston.

He is the chief scientist at APNIC, where he undertakes research on Internet infrastructure, IP technologies and address distribution policies, among other topics. He is widely regarded as the preeminent researcher on IPv4 exhaustion. He is routinely referenced by international agencies and frequently quoted by the media.

So jeff is the guy we want to hear from about this. Here's what he had to say last tuesday. He said, I wrote an article in may twenty twenty two asking, are we there yet about the transition to I P V six at the time? I concluded the article on an optimistic note, observing that we may not be ending the transition just yet, but we are closing in.

I thought of the time that we wouldn't reach the end of this transition to I P V six with a bang, but with a winter a couple of years later. I'd like to revise these conclusions with some different thoughts about where we are heading and why the state of the transition to I P V six within the public internet continues to confound us. Rfc twenty four sixty, the first complete specification of the I P V six protocol, was published in december nineteen ninety eight.

Over twenty five years ago, the entire point of I P V six was to specify a successor protocol to I P V four. Due to the prospect of depleting the ipv for address pool. We depleted the pool of available ipv for addresses more than a decade ago.

Yet the internet is largely sustained through the use of I P V four. The transition to I P V six has been under way for twenty five years. And while the exhaust of IP v for addresses should have created a sense of urgency, we've been living with IT for so long that we've become desensitized to the issue.

It's probably time to ask the question again, how much longer is this transition to I P V six got to take at A P nick labs? We've been measuring the uptake of I P V six for more than a decade now. We use a measurement approach that looks at the network from the perspective of the internet user base.

What we measure is the proportion of users who can reach a published service when the only means to do so is by using I, P, V six, the data is gathered using a measurement script embedded in an online ad and and the ad placements are configured to sample a diverse collection of end users on an ongoing basis. The I P V six adoption report showing our measures of I P V six adoption across the internet users base from twenty fourteen to the present is shown in the figure. And this is the the chart that I have yet at the top of this.

So IT is a very nice looking from twenty fourteen to twenty twenty. Well, through twenty twenty hours are basically a decade. And here we are nearing the end of twenty twenty four. So almost eleven years. And I got a little bit of a sluggers start and then IT picked up a little bit in twenty seventeen and then pretty much a straight upward .

moving mine. That's a good adoption curve. What are the weird Spike though?

I think those are just measured .

outages just like no something .

wasn't working. Ah okay. So he says on the one hand, the figure is one of those classic up and to the right internet curves that show continual growth in the adoption of I P V six.

The problem is in the values in the y access scale. The issue here is that in twenty twenty four we are only at a level we're slightly more than one third a the internet user base can access and I P V six only service. Everyone else is still on an I P V four only internet.

Only a third are able to access. That's good. No.

that's shocking actually. Ah those are looking at machines, routers. What are they looking at?

What is that? So it's it's a it's it's server which is sitting somewhere that only accepts incoming I P V six traffic. So they're .

looking at receivers versus quarriers my not my machine in my browser. They're looking at .

the server and correct. So so so and there are again, you make IT a good point. There are many different ways we could consider what does what does I P, V six adoption mean.

So what there's specifically saying is and and he he said this here, we're going to we're going to chart the the the the percentage of the internet user base who are able to reach a service which is only available over I P V six. And right now, as he says, as one third of of users on the internet can can contact a server that you can only get to over the six. And I don't note that their approaches, I think, very clever.

They've scattered ads around the internet as their means of running a bit of their own script in the user's browser. The script probably queries two servers, one using IPv4 addressing and another using IPv6 addressing. And presumably the visitors whose browsers pull these ads and run the script are widely diverse.

Anyway, Geoff continues. He says this seems to be a completely anomalous situation. It's been over a decade since the supply of new IPv4 addresses has been exhausted. I mean, there just are no more to give out. And the internet, he says, has not only been running on empty, but also been tasked to span an ever-increasing collection of connected devices without collapsing. In late 2024, it is variously estimated that some 20 billion devices use the internet, yet the internet's IPv4 routing table only encompasses some 3.03 billion unique IPv4 addresses.

I'd just note that the reason for the disparity between the total number of addresses in 32 bits, which is nearly 4.3 billion, and the internet's current routing table spanning 3.03 billion is management overhead and the fact that network allocations always leave some headroom. You know, you can have too few hosts in a network; it's just not good if you have too many, you can't do that. So here comes the purist part of the argument.

Geoff writes, the original, and he calls it the end-to-end, the end-to-end architecture of the internet assumed that every device was uniquely addressed with its own IP address. Yet the internet is now sharing each individual IPv4 address across an average of seven devices.

And apparently it all seems to be working. If end-to-end was the sustaining principle of the internet architecture, then, as far as the users of IPv4-based access and services are concerned, it's all over. IPv4, he writes, was meant to address these issues, and the 128-bit wide address fields in the protocol have sufficient address space to allow every connected device to use its own unique address. The design of IPv6 was intentionally very conservative, meaning they went way big.

They weren't going to make the same mistake twice, he says. At a basic level, IPv6 is simply IPv4 with bigger addresses, unquote. There are also some changes to fragmentation controls, changes to the address acquisition protocols, ARP versus neighbor discovery, and changes to the IP options fields, but the upper-level transport protocols, meaning those that run on top of IP, the IP packets, are unchanged.

IPv6 was intended to be a largely invisible change to a single level in the protocol stack, and definitely not intended to be a massive shift to an entirely novel networking paradigm. In the sense of representing a very modest incremental change to IPv4, the IPv6 design achieved its objective, but in doing so it necessarily provided little in the way of any marginal improvement in protocol use and performance. IPv6 was no faster, no more versatile, no more secure than IPv4.

The major benefit of IPv6 was to mitigate the future risk of IPv4 pool depletion. In most markets, including the internet, future risks are often heavily discounted. In other words, no one really cares about the future. The result is that the level of motivation to undertake this transition is highly variable, given that the expenditure to deploy this second protocol does not realize tangible benefits in terms of lower cost, greater revenue or greater market share.

In a networking context where market-based coordination of individual actions is essential, this level of diversity of views on the value of running a dual-stack network leads to reluctance on the part of individual actors and sluggish progress toward the common outcome of the transition. As a result, there is no common sense of urgency. I'll just note that when he refers to a dual stack, he means a machine that's simultaneously running both the IPv4 and IPv6 protocols, which is entirely possible. Everyone running modern desktop machines today is running a dual stack. Yeah, if I open... but yeah.

I mean, that's how my router is, my desktop is. I can choose IPv6, right? I just don't need to.

Even for me, if I open a command prompt on the Windows 7 machine that's in front of me right now and run the command IPCONFIG, ipconfig, I see that my machine has both IPv4 and IPv6 addresses, as well as IPv4 and IPv6 default gateways.

So that means my ISP, Cox Cable, is providing both IPv4 and IPv6 support, which is flowing through my cable modem to my pfSense firewall router, which is distributing both flavors of the internet to all of the machines in my local network, thus dual stack. So Geoff's point here is that the only significant thing IPv6 was intended to provide, aside from minor fixes around the edges, was significantly greater addressing space, and inertia being what it is, that was not sufficient to drive its adoption. My guess is what we're seeing is what I would call adoption by attrition, the same way we're getting Windows 11 when Windows 10 machines die and it's impossible to get another Windows 10 machine. In other words, for reasons other than desire or demand.

Geoff says, to illustrate this, we can look at the time series shown in the figure below and ask the question: if the growth trend of IPv6 adoption continues at its current rate, how long will it take for every device to be IPv6 capable? He says this is the same as looking at a linear trend placed over the data series used in the first figure, basically extrapolating, right? He says, looking for the date when this trend line reaches 100%, using a least-squares best fit for this data set from January 2020 to the present day, and using a linear trend line, we come up with figure two.

And Leo, you've got that on the screen, and it's in the show notes. This exercise predicts that we'll see completion of this transition in late 2045, or some twenty years into the future. And I'll just...

I'll take issue with that, but we'll get to that in a minute. I don't think we will ever be there. He says it must be noted that there is no deep modeling of the actions of various service providers, consumers and network entities behind this prediction. The only assumption that drives this prediction is that the forces that shaped the immediate recent past are unaltered when looking into the future. In other words, this exercise simply assumes that tomorrow is going to be a lot like today.

The projected date in the second figure is less of a concern than the observation that this model predicts a continuation of this transition for a further two decades. If the goal of IPv6 was to restore a unified address system for all internet-connected devices, but this model of unique addressing is delayed for thirty years, from around 2015 to 2045, it raises questions about the relevance and value of such a framework in the first place.

Steve, I want to point out that you and I have some idea of what twenty years means, and it's sooner than you think.

That is true, right?

I mean, we're approaching episode 1,000 too.

I mean, we'll be at 2,000.

Yeah. When we, in twenty years...

In twenty years, when this...

IPv6, finally. And then we can convert the whole thing to a... what is it, colon hex?

But I hate those addresses, Leo. They just make your eyes cross. They're hex.

First of all, they're hex, and they're four hex digits separated by colons.

And there are six of those groups, well, and they're so long that they are weird. Like, abbreviation systems have been created in order...

Oh, I know, I hate that abbreviation, because there's a lot of zeros in many IPv6 addresses, so you just collapse those.

It's not good, not good. So he says, if we can operate a fully functional internet without such a coherent end-device address architecture for three decades, then why would we feel the need to restore address coherence at some point in the future?

What's the point of IPv6 if it's not address coherence? Something, he writes, has gone very wrong with this IPv6 transition, and that's what I'd like to examine in this article. Okay. So he goes on at great length, more than this podcast can handle.

So I'm going to skip some things, but I'm going to share some highlights. Let's look back a bit to see what these internet pioneers saw during the 1990s. He says by 1990 it was clear that IP had a problem.

It was still a tiny internet at the time, but the growth patterns were exponential, doubling in size every twelve months. Now there are two things that have happened that they did not foresee, and those two things solve this problem. That's only one of them.

Not only on the client side. He says we were stressing the pool of class B IPv4 addresses, and in the absence of any corrective measures this address pool would be fully depleted in 1994. Okay.

So they were at 1990 and they were charting the rate of class B network allocation consumption. And I have a picture here that was taken, it was from the proceedings of the IETF in August 1990. And it's so, because they were still drawing things by hand, it's like written out by hand. It's just adorable. Wow.

Like in 1990 we really didn't have laser printers, so we had to do it by hand, like on the back of a napkin. Yeah.

And that was, those are from the official proceedings. It's titled Internet Growth by Frank Solensky, proceedings of the IETF, August 1990.

This Frank used a ruler for the graph.

Yeah, he did. Yeah, but not the title and the headlines, you know, and the other parts, by hand. So Geoff explains that the IETF was panicking in the early 1990s because the internet's original design was destined to collapse, believe it or not. Back then there were only three classes of network allocation, and that was a big problem, he says.

There was a collection of short, medium and longer-term responses that were adopted in the IETF to address the problem. In the short term, the IETF dispensed with the class-based IPv4 address plan and instead adopted a variably sized address prefix model, he said. Routing protocols, including BGP, were quickly modified to support these classless address prefixes. Variably sized address prefixes added additional burdens to the address allocation process.

And in the medium term, the internet community adopted the organizational measure of the regional internet registry structure to allow each region to resource the increasingly detailed operation of address allocation and registry functions. These measures increased the specificity of address allocations and provided the allocation process with a more exact alignment to determine adequate resource allocations, which permitted a more diligent application of relatively conservative address allocation practices. These measures realized a significant increase in address utilization efficiency. The concept of address sharing using network address translation, NATs, also gained some traction in the ISP world. Not only did this dramatically simplify the address administration processes in ISPs, but it also played a major role in reducing the pressures on overall address consumption. The adoption of these measures across the early 1990s pushed a two-year imminent crisis into a more manageable decade-long scenario of depletion. However, they were not considered to be a stable long-term response. It was thought at the time that an effective long-term response really needed to extend the 32-bit address field used in IPv4. At the time, the transition from mainframe to laptop...

From mainframe...

Leo...

Mainframes were...

So the transition from mainframe to laptop was well underway in the computing world. Yeah. And the prospect of further reductions in size and expansion of deployment in smaller embedded devices was clear at the time, and an address space of four billion was just not large enough for what was likely to occur in the coming years in the computing world. And of course, if you absolutely did require every device, yeah, to have its own address, that's what, yeah, absolutely true. We are at 20 billion and growing fast, he says here.

I mean, I can imagine somebody saying, oh my God, they're going to start having their own net address. We've got a problem here.

It's going to be...

It's going to die. I mean, laptops, forget laptops. What about IoT? I mean, this is about to explode. You have light switches...

That have IP addresses. Yes, exactly. Yeah. So, to the point he just made about class A, B and C networks, we should remember that the original internet divided the entire network space, 32 bits, on byte boundaries. IPv4 addresses have, as we said, four 8-bit bytes. So a class A network was numbered by its most significant byte; that most significant byte was the network number, so you couldn't have many of them. And then the remaining 24 bits to the right of that most significant byte were the host machine within that massive network.

You'd have 255 class A networks.

Class B networks used two bytes for the network ID, and then sixteen bits for the individual host machines within each one of those class B networks. And finally, class C networks had three bytes for their network ID, and then just one byte for host machines. So they could only have 254, because you need zero, you know, all zeros and all ones are reserved for broadcast and things.

So anyway, the problem that Geoff is referring to is that this created massive granularity, massively granular network allocations. The adoption of the so-called classless, because you don't have classes A, B and C, classless inter-domain routing, or CIDR, where the division between the network ID on the left and the host machine's number within that network on the right could now fall on any bit boundary, rather than only on byte boundaries, massively increased the load on the internet's routers and on the routing tables.

But in return, it meant that the size of an individual network allocation could much more closely track and better fit the number of host machines within that network. So that was a huge win that bought them a decade, basically. Because, I mean, otherwise they just couldn't have had that many networks, let alone that many machines. But Geoff mentioned the emergence of NAT routing, and a fascination of mine has always been, what's wrong with that?

It works.

Yeah. Geoff, here's what Geoff...

Oh my God, we have to have it.

Here's what Geoff has to say about that. He says at this point there was no choice for the internet and a sustained growth in the IPv4 network.

While we were waiting for IPv6 to gather momentum, we turned to NATs. NATs were a challenging subject for the IETF. The entire concept of coherent end-to-end communications was to eschew active middleware in the network.

They wanted everything to have a unique address, every single thing on the net.

The original concept was point to point, address to address, and they did not want to let that go.

Phone numbers without area codes. It would just be...

You know, they just said that this is wrong. This is not the way it's supposed to be. So he says NATs created a point of disruption in this model, creating a critical dependency upon network elements.

They removed elements of network flexibility from the network and at the same time reduced the set of transport options to TCP and UDP. Huh. And when you think about that, you can't ping arbitrary devices behind a NAT router, and you used to be able to ping any device on the internet.

That really makes you think. If they had adopted IPv6 from the very first, it would be a very different...

Oh, it would be completely different.

And so many other things would be possible.

Yes, many, many other things. That's exactly right.

You could reach every device.

I'm not sure that would work, but you could query devices.

They'd very much all be publicly accessible.

Security would be maybe...

A little more challenging. I mean, that protects us.

Doesn't it, behind... Oh my God, it is a wonderful firewall technology. So the fact that it's a firewall as a side effect is their complaint. Yeah, they don't like that. You could have one, but you shouldn't have to. Like, there's no... Actually, you cannot not have one. Exactly.

Yeah. And as we know, you cannot put a machine on the raw internet today. It's taken over in seconds. Yeah. Okay.

So he says the IETF resisted any efforts to standardize the behavior of NATs, fearing perhaps that standard specifications of NAT behavior would bestow legitimacy on the use of NATs, an outcome that several IETF participants, and you know they have beards, were very keen to avoid. He said this aversion did not reduce the level of impetus behind NAT development. In other words, sorry, we don't care what you guys do, we need them.

Yes. He said we had run out of IPv4 addresses and IPv6 was still a distant prospect. So NATs were the most convenient solution. What this action did achieve was to create a large variance of NAT behaviors in various implementations.

In other words, since they were unwilling to standardize them, what we got was a mess, because everyone just had to invent this stuff for themselves, and everybody did it a little bit differently. He said what this action did achieve was to create a large variance of NAT behaviors in various implementations, particularly concerning UDP behaviors.

This has exacted a cost in software complexity, where an application needs to dynamically discover the type of NAT or NATs in the network path if it wants to perform anything more complex than a simple two-party TCP connection. Despite these issues, NATs were a low-friction response to IPv4 address depletion, where individual deployment could be undertaken without incurring external dependencies. On the other hand, the deployment of IPv6 was dependent on other networks and servers also deploying IPv6.

NATs made highly efficient use of address space for clients. Not only could a NAT use the 16-bit source port field, but by time-sharing the bindings, NATs achieved an even greater level of address efficiency, basically reusing this space. A major reason why we've been able to sustain an internet with tens of billions of connected devices is the widespread use of NATs. Okay.

So that's over on the client side of connections. The solution that the industry has evolved over on the server side is something we've covered previously but never really thought about in this context. Geoff writes, server architectures were evolving as well, with the introduction of TLS, Transport Layer Security, in web servers.

A step was added during TLS session establishment where the client informs the server of the service name it intends to connect to. Not only did this allow TLS to validate the authenticity of the service point, but it also allowed a server platform to host an extremely large collection of services from a single platform and a single platform IP address, and perform individual service selection via this TLS Server Name Indication, SNI. The result is that server platforms perform service selection by name-based, distinguished DNS names in the session handshake, allowing a single server platform to serve large numbers of individual servers.

The implications of the widespread use of NATs for clients and the use of server sharing in service platforms have taken the pressure off the entire IPv4 address environment. And I have a perfect example of this. At GRC, I don't have endless IPs given to me from Level 3. You know, I clutch the set that I have dearly, but through the years the range of services I have wanted to offer has grown. Thanks to Server Name Indication, I have, I just checked, thirteen different web services sharing a single IP address. DNS points thirteen different domains to a single IP, and any web browser that wishes to connect indicates the machine it's looking for during that connection handshake. So that's really something I hadn't focused on.

But it is absolutely true. Both ends of the IPv4 connection: the client side has NAT, that allows, for practical purposes, limitless expansion there on the client side, and on the server side SNI allows hosting providers to have a modest number of IP addresses.

DNS is now redundantly pointing a huge array of DNS names at a subset, at a small number of IPv4 addresses. And all of this ambiguity from domain name to IP address is resolved thanks to the TLS SNI handshake, where the browser says, this is the host I'm looking for, I've been told it's at this IP address. Well, yes, it and hundreds of others are all there. So it's a really cool scheme, and it actually works. Okay. So Geoff goes on in substantially greater detail for anyone who is interested. In the interest of time, as I said, I deliberately skipped over a lot of Geoff's truly interesting discussion, but he eventually gets to examining the question, how much longer? He says, now that we are somewhere in the middle of this transition, the question becomes, how much longer is this transition going to take? He says this seems like a simple question, but it does need a little more explanation.

What is the end point when we can declare this transition to be complete? Is it a time when there is no more IPv4-based traffic on the internet? Is it a time when there is no requirement for IPv4 in public services on the internet? Or do we mean the point when IPv6-only services are viable? Or perhaps we should look at the market for IPv4 addresses and define the end point of this transition as the time when the price of acquiring a new IPv4 address completely collapses.

Perhaps we should take a more pragmatic approach, and instead of defining completion as the total elimination of IPv4, we could consider it complete when IPv4 is no longer necessary. This would imply that when a service provider can operate a viable internet service using only IPv6 and having no supported IPv4 access mechanisms at all, then we would have completed this transition. What does this imply? Certainly the ISP needs to provide IPv6, obviously.

But as well, all the connected edge networks and the hosts in these networks also need to support IPv6. After all, the ISP has no IPv4 services at this point of completion of the transition. It also implies that all the services used by the clients of this ISP must be accessible over IPv6.

Yes, this includes all the popular cloud services and cloud platforms, all the content streamers and all the content distribution platforms. It also includes specialized platforms such as Slack, Xero, Atlassian and similar. The data published on the Internet Society's Pulse reports that only 47% of the top 1,000 websites are reachable over IPv6 today.

And clearly, a lot of service platforms have work to do, and this will take more time. When we look at the IPv6 adoption data for the US, there's another curious anomaly. And Leo, that's the last chart that I talked about. Look at that. I think it's very interesting.

It's flat.

It is flat since... a little better in the...

It stopped growing.

Oh boy. In 2014 it came off the ground at, it looks like a little over 5%, maybe 6%, climbed up to around 55, 60, and then flatlined.

Now, this is websites that...

No, this is their probe, which showed linear growth. The same probe shows for the US it is flat.

Oh, this is US compared to the global graph that we saw previously. I know.

We previously observed that much of the IPv6 growth has been, you know, elsewhere in the world. Developing nations, for example, which are just obtaining internet access, are naturally acquiring IPv6 access, since they have no inertia and IPv6 is certainly available. But where we previously observed a surprisingly straight upward-moving line of total global adoption, the chart showing only US-based adoption is an entirely different animal. For the past six years, since around the start of 2019 and through 2024, United States IPv6 has been flat, showing no growth, none. Geoff draws the really interesting conclusion that the services and the service model of the internet are changing and that, in a very real sense, DNS has evolved into our routing protocol, alluding to what I mentioned before.

He explains, he says it's domain names that operate as service identifiers. It was supposed to be IPs. No, it's domain names that operate as service identifiers, and it's here, this is him, it's domain names that underpin the users' tests of authenticity of the online service.

It's the DNS that increasingly is used to steer users to the best service delivery point for content or service. From this perspective, addresses, IPv4 or IPv6, are not the critical resource for a service and its users. The currency of this form of CDN network is names.

Yeah. So where are we in 2024? Today's public internet is largely a service delivery network using CDNs to push content and services as close to the user edge as possible. The multiplexing of multiple services onto underlying service platforms is an application-level function tied largely to TLS and service selection using the SNI field of the TLS handshake. We use DNS for closest-match service platform selection, aiming for CDNs to connect directly to the access networks where users are located. This results in a CDN routing table with an average path length designed to converge on one.

From this aspect, the DNS has supplemented the role of routing. While we don't route names on today's internet, it functions in a way that is largely equivalent to a named data network. In other words, no longer addresses, but names. There are a few additional implications of this architectural change for the internet. TLS, like it or not, and there is much to criticize about the robustness of TLS, is the sole underpinning of authenticity in the internet. DNSSEC has not gathered much momentum to date. DNSSEC is too complex, too fragile and just too slow to use for most services and their users.

Some value its benefits highly enough that they're prepared to live with its shortcomings, but that's not the case for most name holders and most users. And no amount of passionate exhortations about DNSSEC will change this. It supports the view that it's not the mapping of a name to an IP address that's critical. What is critical is that the named service can demonstrate that it is operated by the owner of the name. In other words, certificates.

Secondly, the routing PKI, the framework for securing information being passed in the BGP routing protocol, is really not all that useful in a network where there is no routing. The implication of these observations is that the transition to IPv6 is progressing very slowly, not because this industry is chronically short-sighted. There is something else going on here.

IPv6 alone is not critical to a large set of end-user service delivery environments. We've been able to take a 1980s address-based architecture and scale it more than a billion-fold by altering the core reliance on distinguished tokens from addresses to names. There was no real lasting benefit in trying to leap across to just another 1980s address-based architecture, meaning IPv6, with only a few annoying, stupid differences apart from longer addresses.

So to give this something of a summary: what's happened is the internet has become the web net. It is mostly all about the World Wide Web, and even where it isn't, most endpoints are still being secured by the web's TLS. What's happened is that both ends of the web have independently solved their IPv4 resource depletion problem.

Over on the client end we have NAT routing, which, as we've noted earlier, effectively borrows excess bits from the 16 bits of port addressing to allow many client-side devices to share a single public 32-bit IPv4 address. And over on the server side we have Server Name Indication, SNI, which allows GRC, for example, to host thirteen different named services from a single IP address.

Name is the key. And this is the point that I think Geoff brilliantly observes. We are now using names rather than addresses to access the services we need. And to see that, on top of that, fewer than half of the top 1,000 websites today are reached at all over IPv6, certainly all of them over IPv4, but IPv6 fewer than half, that suggests that the majority still feel very little pressure to invest in something that will literally make no difference in the services they deliver. And finally, even before seeing that the US adoption of IPv6 has been completely flat and static for the past five years, we know that no straight line continues straight out to the end. That's just not the way the world works.

That line was a percentage of IPv6 adoption. So that rate of adoption is absolutely going to slow down, and probably not long from now. Nothing ever gets to 100%. So my guess is that it will begin flattening out and will asymptotically approach 90% over a great many more decades. And that's fine too, since I think it's clear that IPv4 will never die.

This should be in the title of the show: IPv4 will never die.

Well, you know what? You're right.

I was thinking, is Steve really going to be able to turn this into something interesting? And it is quite interesting, actually. And the way the internet has routed around the problem and solved it, kind of organically and effectively, is very, very interesting. So the real issue is, without the pressure to go to IPv6, nobody's, like, bothered.

Well...

There's no access... The US is a laggard here.

No. And notice that it's in our desktops. We didn't ask for it, right? But it's just there. So is it easy to build it in? I mean, is that the kind of thing where it's, well, we can implement it on the client end easily?

Yeah. I mean, there is open source code. All of the various, you know, IP stacks support it now. So it's just there, and so it'll end up getting used. There is a preferential use of it: when both are available, IPv6 is chosen, so that IPv4 has now become the fallback.

I had heard, it's probably apocryphal, that IPv6 is faster. It's not faster.

There's nothing about it. You could argue it's a little slower because it's got a little more addressing overhead.

Yeah, yeah, yeah.

And at this point, if it was faster, it would have been adopted.

Right. There just was no real... no. Yeah.

All it is, is offering something that turns out we don't need.

So do you think we'll never get there?

Well, I'm still nervous about the client end, because four billion, you know, we still need four billion client... Now carrier NAT, as you said, carrier NAT solves that right now.

I have a public I P addressing cox is like thirty eight does something about something or or seventy not something, something. So I have a public I P for ipv for address. Some people are getting ten dot addresses from their I S.

P. S. So because I are manning them, but the I S. P is doing the net wow. And so it's double net.

I S P is noted and they get one IP and then their their residential net router is nanning. But so again, IT solves the problem. If the I S P has more customers than it's able to get I peas from its upstream supplier, IT just applies Carrier. Great net.

Fascinating. This is, now I know there are people watching. I can tell because I see the TikTok stuff.

Leo, I started watching you when I was sixteen and I'm thirty-five now. I know there are people who, Leo, you're on TikTok, so I know there are people watching who maybe have not seen our podcast. We've been doing this, kids, for twenty years, Steve and I, this and a couple of other shows.

TWiT has passed its one thousandth episode, and we're so glad that you could watch. We only recently figured out how we could stream to eight different platforms. Very cool, which I love.

Let me see, there are six hundred and seventeen people watching on YouTube, Twitch, TikTok, welcome TikTok, that's pretty awesome, X.com, LinkedIn, Facebook, of course our own Kick and our own Club TWiT Discord. That makes eight.

But if you are watching this in the live version, and that's great, that's like getting Steve's email a day early. The real finished, polished product is available for download because it is ultimately a podcast. Steve has his version of it, the sixty-four kilobit audio file, that's kind of the canonical audio version. He also has sixteen kilobit audio, so it's much smaller for quick download.

That's for people on limited bandwidth. And he has, of course, transcripts, which he commissions. Those take a few days, but those are written by humans, not AI. So by a human, not AI.

So they are really good, and they do a great job of capturing the show. All of that is at GRC.com. Now, while you're there, don't forget his bread and butter.

The thing that he does for a living, it's not this, it's SpinRite. Now in 6.1, the current version just came out. 6.1 upgrades for previous owners. But if you're a new owner, go to GRC.com, get yourself a copy of SpinRite.

If you have mass storage, you need it. It is a mass storage maintenance, recovery and, as we talked about earlier, performance enhancing tool that really everybody should have. So get a copy of SpinRite at GRC.com.

Sign up for his email. Actually, he's very clever. He has, well, it's a system that comes as email. And by default, if you go there, it will just register your email so that you can email him, because otherwise he doesn't want to hear from you.

So securitynow@grc.com, right, is not posted anywhere, and no one or all of us.

Right, and I will bounce anything that's not validated through that system ahead of time. GRC.com/email, but you will notice, unchecked, a couple of the newsletters you can subscribe to, but you've got to check the box, because Steve is very much an opt-in kind of guy.

He doesn't want to, you know, sneakily send you the emails. So if you want the newsletter for what the show's about, you can download the show notes at his website, but you can also get them a day early via email. So you'll be very, you could be very know-it-all with your friends.

And say, oh, I know all about carrier NAT. I read the show notes. We have, of course, at our website, copies of the show, twit.tv/sn for Security Now.

Clever. Uh, there is YouTube. Well, before I say anything, there is a video version on our site that Steve does not have.

So if you want to see what he looks like, like the pictures and stuff that we have, we also have the audio version. We have a link there to the YouTube channel, which is video, obviously. But that is a great little thing for you to share with the boss, clients, friends, family.

If you hear Steve say something and you think, oh man, I've got to send this, YouTube makes it easy to clip it and send it. Everybody's got YouTube. So it's a very friction-free way of sharing the show. And when you do that, by the way, that helps us, because that introduces new people to Steve's good works here. We also have, it's a podcast.

So we have a download version you can subscribe to in your favorite podcast player, either audio or video, or keep both. Why not? They're free.

They are ad supported. Support our advertisers. And if you want it without ads, you can get it by going to twit.tv/clubtwit and joining our club. You don't just get ad-free versions of the shows, you get access to the Club TWiT Discord, which is a great hang, lovely people.

They're all just as smart as you are, just as hang. It's a great hang. I'm on the TikTok. So only that

hip or artificial. No.

You know, it's funny. Almost all the other shows, the Discord is laden with animated GIFs. The people in the Security Now channel, very text focused.

Look at that. No pictures, just text. This is a very different group of people. That's kind of interesting. A lot of good conversation. It's a great way to learn more. Kind of, if you're a member of the club, get into that Discord.

And it helps us. Yep.

I spoke too fast, like that. The interactive

podcast, Leo, they're

actually listening. It's wonderful to have all of our club members, all of you watching live, subscribed to the show. You don't want to miss an episode. And guess what, kids? Next episode

is 999. Wow.

For those of you new to us, that would have been the last show for years.

Steve said he was ending it at nine

nine nine. I don't have room for four digits.

Nobody needs more than that.

But we carry on. That was Steve's

brain, and now we get a four digit

show starting in two weeks. So the kind of quasi last show will be next week. That's good. That's good.

Yeah, Steve, what do you do? Dress up for Halloween? Is it normal for you? What do you do for Halloween?

We're in a neighborhood that has no kids, or if there are, they go down to a mall. Kids trick or treat.

No, they don't go.

Yeah, so it's just quiet, and yeah, and then we have a wonderful

week and read some more Peter F. Hamilton, and we will see you back here, as always, Tuesdays right after MacBreak Weekly. That's roughly 2 p.m. Pacific, 5 p.m. Eastern. And because we are finally changing to daylight, to standard time rather, from daylight saving time, it will be 2200 UTC

this coming weekend. Yeah.

I think so. Oh, no, it's not this weekend. It's next weekend.

Wait a minute. No, what is this weekend? I think, oh.

I don't know whenever it happens. You know what? It used to be a big deal, but now all of our devices just do it. Isn't it amazing? It's like all reset. Everything used to forget and you'd have to work. The microwave was wrong for about the first month and a half.

Everything fixes itself now, thanks to net h reversal.

I expect, I think before this time next week, I will be announcing that I'm starting work on a new commercial product. Wow. Not SpinRite 7.

Oh my, yeah. Well, that's a reason to tune in next week.

I think that I will be in a position that, I mean, work should be under way. I am doing something fun. Not on the, no, we never talked about, not Beyond Recall either. I thought

I was, oh, because we have talked about the other, Beyond Recall.

Beyond Recall will have to come after that, and then SpinRite 7. But I'm going to do something first that I think will be interesting.

Interesting. So, well, we have to say Steve's in excellent health, so he may well make two

hundred. It's funny, because as you can tell, the thing he sells,

it's like, well, OK. So, bread and butter, okay, good. Oh, I can't wait till next week. Join us for Security Now

999. Security Now. Now.