SN 723: Encrypting DNS


it's time for security now steve gibson is here he has an update on microsoft's patch tuesday update he also talks about laporte county it was struck by riach and our i._t. professionals prepared for ransomware plus plus we'll talk about in more detail d._n._s. over h._t._t._p._s. it's all coming up next on security now that casts you love from people you trust this is this is security now is steve gibson episode seven hundred twenty three recorded tuesday july sixteenth twenty nineteen encrypting d._n._s. d._n._s. security now is brought to you by net scout once in your network attackers spread quietly and systematically often going undetected with net scouts visibility without borders the attackers can't can't hide detect mitigate and prevent threats before it's too late see what you're missing at net scout dot com and by i._t. pro tv providing effective training with access to virtual apps and practice tests us visit go dot i._t. pro dot tv slash security now take advantage of their lowest prices ever for an additional thirty percent off the lifetime of your active subscription use s. n. thirty at checkout and by helm home take back your e mail files and photos and own your data withheld a secure personal server that enables you to own your own online identity go to the hell dot com slash security now to say fifty dollars off the helm personal server it's time for security now ladies and gentlemen here he is the star of our show steven gibson research corporation king of the hill when it comes to security now hi steve elliott great to be with view again episodes seven hundred and twenty three and in in my era i have a note from elaine because she heard me stumbling over what year this was and so she just said by the way you will be beginning year fifteen while august on august twentieth so we're closing in on the end of our fourteenth year and last week's mention i you know we talked about mozilla adoption of of encrypting d._n._s. for privacy and the u._k.'s pushback the i s i s p._s. whatever that was the association of internet service providers and the villain uh of the years the villain of the year yes one of three not nominated for as villain of the year and my conversation about that generated so as much interest as we've seen in a long longtime so i decided okay let's sort of take a look at where we are because we haven't talked about this since the early days of open d._n._s. and d._n._s. crypt which i mean we've we've touched on it up a little bit here and there but not given it any time so today's topic is encrypting d._n._s. which we will get to <hes> but first we're going to talk about a few bullet points from last tuesday's patch tuesday tuesday which interestingly adobe chose not to synchronize themselves with normally they're doing their patches on the same tuesday as microsoft but not this time i'm also there was a little bit of upset caused for some windows windows seven users i just wanted to mention it in passing because it was interesting that microsoft has has probably deliberately done something they said they would not do <hes> we'll track some interesting ongoing ransomware news and there's even a county with your name leo that has been attacked will get around i'll tell ya they do <hes> we're gonna look at the mixed blessing of finding companies his for self reporting breaches why i i'm not that sanguine about the idea of major fines being levied against one this case it's marriott and it's big and it's the g._d._p. are regulation being used against them which i dunno feels wrong but we'll see <hes> we need oh there was an interesting survey that so foes commissioned an independent survey of the of thirty one hundred i._t. ah about the problems they have which are producing some interesting statistics and graphs that will take a look at also some update on additional mozilla firefox fox news a paper paper being released in two days at the i i don't know eighty fourth could be eighty four maybe not <hes> anyway i i have it in the notes i tripoli conference on something or other about one yet another way of exfiltration data from a p._c. and it's annoyingly obvious but to these guys credit they really russell this thing to the ground i mean so there's like no stone unturned so in dealing with something obvious and i'm thinking that next week hot water have them research the optimal dixie cup size for connecting to paper cups together by string <hes> but we'll see <hes> and also what should the tensile strength be and may be less elastic medium than than cloth string and so forth because i'm sure they could really do that justice <hes> for setting up a simple telephone system anyway we also to have a bit of a radha some miscellany closing the loop feedback with our listeners and then we as i said we'll take a look at where the world stands with encrypting d._n._s. <hes> so i think in other great podcasts listener lots to talk about <hes> i are sponsored today is very apropos do you know about a security solution trusted by ninety percent of the fortune one hundred companies in a hundred and twenty countries a comp a company that protects you <hes> detects mitigates and prevents threats before they bite <hes> these days is really a case of whether you're going to get hacked it's when you'll be hacked and that's why yup i mean who could not agree with your under attack today right now this minute that's why you need net scout net scott's visibility without borders i love this name visibility without borders detects mitigates it's end prevents those threats before it's too late because once a hacker gets pasture defenses the first thing they do they cover their tracks they systematically infiltrate your network they they they snoop around steal information and maybe they shut your business down with ransomware maybe they collect all the passwords and try to do worse more often than not they're going to do it quietly they're going to do it methodically how about exposing the hacker there's one source of truth that can expose that hacker that's the packets on the network the packets outbound packets contain the information necessary to understand where the hacker could be what they're stealing where they're going next how much how much data was exfiltrated phil traded from sony over the six or seven months that the that they were in there was i as i remember terabytes terabytes and no one noticed net scout smart data approach gives you high resolution consistent assistant and continuous monitoring everywhere in the i._t. infrastructure at any workload that's why they call visibility without borders solutions detect the most comprehensive array of threats and provide visibility to any place a hacker might travel even if they're going up to the public cloud with net scott's visibility without borders you get the visibility you need to see across any network any data center in the cloud five g. and more time to rethink the way securities delivered clearly we all need to do this if you're if you're digitally transformed business is not using it scout get a clear view at net scout dot com n._e._t. s._e._o. u._t. net scout dot com it's visibility ability without mortars and i think our audience is exactly the right audience to be thinking about this and right now it's exactly the right time steve our picture of the week <hes> pretty much sums is up what you were just saying yeah we have securities of binary issue that's right yeah we have some giving a presentation to a group with he's got an over he's got a front view who are affront projecting <hes> screen and a little pointer and he's <hes> we have the caption we've narrowed our security risks down to these two groups and we have the first group group everyone who works here the second group everyone who doesn't that's that's it they've narrowed it that oh that much that's the covers the territory so <hes> last tuesday was patched tuesday day and there were you know your typical bunch of things that were two zero days which were in being exploited by russian hackers at the time in addition to fifteen critical flaws that were fixed <hes> a total of seventy seven vulnerabilities which affected windows a range of of ben well and <hes> i e direct x x and the graphical subsystem of those seventy seven vulnerabilities as i mentioned sixteen of those were critical sixty were were claim to be important and one was given moderate severity most of the critical vulnerabilities allow the attackers to execute remote code so those were our c._e.'s remote code execution vulnerabilities on the user system and nineteen of the <music> only important vulnerabilities could be used for local privilege elevation however as we've seen although sort of privilege elevation seems like a less of a big deal than remote code execution they are very valuable and in fact these these two zero days were privilege elevation exploits that were important enough to be inactive use the that one moderate problem which resolved was an authentication bypass for applications using windows communication foundation <hes> and the identity foundation a._p._i. but they're so the of the two that were zero days one was a an elevation of privileges i mentioned in the win thirty two k component <hes> <hes> a null pointer de reference and the other other was in the <hes> the the printer spoiler of all things so <hes> anyway the wha- what what was interesting was the attacker gets <hes> <hes> elevated or they get they were able to get in us for for the purpose of elevating their privilege with any of six browser memory corruption in vulnerabilities or five <hes> chakra engine vulnerabilities so so again the privilege the privilege of elevation was sort of allowed them to gain a foothold after these he's brow <hes> basically eleven different browser vulnerabilities which microsoft fixed <hes> <hes> allow them to get in in the first place so i'm sorry i sound a little bit fragmented i got distracted by something else going on in my environment i'm anyway if an attacker were to cause a victim to visit a malicious website they could execute remote code in the context of the user's browser then gain full control over the machine using either of these two zero days so anyway those patches have been applied and as i said adobe for whatever reason did not synchronize <hes> their updates we saw some significant updates a to to adobe that we talked about a couple of weeks ago so i guess they just weren't ready for another round and i mentioned that there was one thing that happened that upset some stalwart windows seven users who based based on the reporting <hes> got pretty worked up an annoyed <hes> to receive a non security update after specifically asking microsoft only to deliver security updates dates that is microsoft gave them a windows telemetry update on windows seven machines even though it was labeled as a security only monthly patch <hes> recall back in two thousand sixteen when microsoft simplified it's patching of windows versions by offering windows seven and eight point one users two types of updates you could either get the monthly roll up which is what i do because it's you know why not <hes> which is both security and non security patches <hes> so for i e you know like for for for for bugs and for reliability but the second option was to say i don't want any feature changes i don't want anything other than security patches for my system so you could you could ask for security only updates on and and receive a minimal package will turns out that last week on july ninth patch tuesday there was a security only update k b four five oh seven four five six fix which actually contained something called the compatibility appraiser tool which was slipped in and our friend woody leonard writing in his woody on windows column <hes> for computerworld posted under the title new windows seven's quote security only unquote update installs telemetry slash snooping feature and he and the the sub head of his p says three years ago microsoft promised to keep windows seven and eight point one updated with two tracks of patches monthly roll ups that include everything and security only patches that are supposed to be limited to security fixes then he says guess what happened <hes> anyway for anyone who's interested would he's article has a ton of good information for people who want to know more and he's he's sites a security expert <hes> who tweets as vests s. on security dr vesa bond chev- who's who said he tweeted i've officially stopped updating my wind seven machine this guy tweets i no longer trust microsoft's updating process they are protected from any existing and future vulnerabilities with my other defenses as well as i can and he signs off with f._u. and he didn't say f. <hes> microsoft and polite an woody politely left that ending out of his <hes> copying of this guys tweet my feeling is <hes> the all we can be as informed right i mean that's what we do on this podcast that's why we're here i choose to use windows seven which i do with my eyes wide open the job microsoft is doing frankly i think is impossible all i don't want that job no one wants it and given the messy legacy of windows code the fact that it is using a barely windows literate user base i mean i know we techies who listen to this podcast when we're we're trying to help our other windows friends were like okay do you understand what this button does no just that they don't want to know and as we talk about every week we have in there is an incredibly an increasingly hostile environment for which windows attempts to protect its users so i give microsoft a lot of credit for doing you know all things considered i think an amazing job and clearly this whatever this compatibility appraisal tool thing was is something that they felt they needed due to put into for whatever reason some telemetry in preparation for the fact that as we know windows seven will stop receiving any of these things in six months in february very of twenty twenty so <hes> i feel like i should take a moment to talk about windows seven and windows ten and me because security updates will stop flowing to windows seven six months from now in february <hes> that is unless microsoft changes their mind again and pushes that deadline further back which could still happen you know we've seen them do it before it was gonna gonna be cut off earlier but nobody but you know windows seven was still the majority operating system despite all their efforts to push people to windows ten so <hes> we know that at the beginning of this this year only just in january between the the the snapshot in december of two thousand eighteen and january twenty nineteen windows ten finally outpaced windows seven there were finally based on a snapshot of of an installs in the world seven and ten traded places but even today six months later seven months later they're they're still neck and neck windows ten sits at forty point six one percent with windows seven at thirty eight point zero six percent of of market share so so they're still near niller near parody <hes> over time we're going to see windows seven systems disappear but probably only because you can't buy any new hardware aware that runs windows seven that windows seven with you have to go jump through real hoops to install windows seven on a machine that supports u._s._b. three and all i mean in every machine for a long time has so it's it's very difficult to get window seven running on contemporary hardware and the newer chipsets don't support it at all so as as hardware dies dies or gets recycled or replace just because of its age even though windows seven is just fine you won't be you know it's going to have to be running windows ten it won't have any choice and as our long term security now listeners know i won't be moving my main workstations i have to at each of my main residential locations i won't be moving them to windows those ten even after window seven stops being supported <hes> i do have windows ten laptops for testing when i go out to present squirrel to a group that went that laptop is running running windows ten i leo are skyping over a windows ten machine <hes> but i know We'll continue to happily per away for many years. <hes> even without constant nursing constant nursing from Microsoft Windows defender has never found anything on any of my machines other than false positive annoyances from my own code that I've written that it doesn't know about that it protects me from <hes> or old well marked mark viruses in email archives. When I you know sometimes it fires off and I think Oh crap found something and I look I'll know it for some reason it went and sniff some old directory somewhere where I have some some virus repositories that I'm keeping and they're well marked and known besides they don't? I'm not even sure they infect anything like windows seven or ten any longer being there really old <hes> but it will stop being updated in six months and I'll miss it. It's nice to have defender sort of watching my back. Even though it's never found anything but I think I'll be okay <hes> and we just talked about all of the ways bad stuff was getting in which Microsoft just patched last week were browser vulnerabilities in I e an edge <hes> and I won't I will continue not using them in the future so I'll stick with fire Fox and I probably be okay and as I've said before my backups have backups and I I also so keep a rolling off machine incremental file change backup of all the projects I'm working on as well as monthly static off line deep-freeze Snapshot Images so I'm well protected affected on the other hand. I'm not your average user and for what it's worth neither are the listeners of this podcast <hes> also I love so many of the APPS that I have running on windows. I'm just like I'm extraordinarily happy. Happy with them. <hes> there there are APPs that I've been moving forward through the years from machine to machine the move away from X.. P. And the loss of native sixteen bit support was traumatic for me but it finally finally had to be done because even I even fire Fox and chrome finally were refusing to update themselves on X. P. so I thought okay fine. You know I'll do that but I'll continue using windows. Seven and Fire Fox and chrome will continue will continue to keep me being safe but the one thing I want to say because I get the sense that that maybe people are suggesting us that believe I'm suggesting this is okay for everyone and so I'm not saying that I know that there are listeners within our audience that feel the way I do that are going to that. I mean look at half. The world world is I mean literally. Just just half of the window systems. Even today are running windows seven as opposed to ten despite all the pressure that there is is there and there has been to move to ten and of course that's GonNa. That's GonNa Ratchet up through the rest of this year until I imagine the <hes> there will be people who don't feel as I do that it is for whatever ever were for whatever reason safe to continue using windows seven without this constant drip drip drip of of fixes to things that Microsoft finds that are wrong but so I am not suggesting that anyone else follow my example <hes> and one of the reasons is in this before is my use of windows is boring compared to most others <hes> I I don't use use my machine for entertainment or gaming. I don't watch youtube videos or like just follow random link trails to see what's out there on the Internet. I'm really not very interested in most of what is out there. So you know my main win. Seven workstations are while they're not technically air gapped from the Internet they are Steve gapped because I just don't do much with them. I mean oh I- i- i- assemble my own code and and design P._C.. Circuit boards and I use it as a workstation rather than as a toy and so so the my exposure her to danger is I think reduced from the typical windows machine but anyway I just wanted to say that you know here we are six months away from from the from the end of updates for windows seven. I think it is remarkable. Remarkable that windows seven versus ten is at thirty eight percent versus not quite forty one percent. I mean people just don't want windows ten so it'll be fun on detract this as we move forward and we certainly will and Leo Laporte County Michigan Relationship De la Porte in every state of the Union. Is that true yeah look for traders and we go around. I'm going to say about that anyway. <hes> the Porte County <hes> the Michigan City News dispatch reported D- Last Tuesday the ninth quote their headline was malware attack on county computers LaPorte county website government email servers out of operation the smirking the family name <hes> <hes> I got on well and be interesting to see how this goes <hes> the the paraphrasing and trimmed down from this article <hes> the the report was all the Porte County government email female and the county website remained out of commission late Tuesday that is last Tuesday following a malware virus attack that affected the system on Saturday morning <hes> the LaPorte Short County Board of Commissioners President someone by the name Irk me. Aren't you know Gibson Township goes down Dr Vidya Cora said Saturday evening <hes> the system will be inoperable as authorities respond to quote a malicious malware attack that has disabled our computer and email systems then a few days days later last Tuesday county attorney's Shaw Friedman confirmed that county government computers were quote impacted by a sophisticated ransomware virus early Saturday morning sophisticated or we wouldn't have fallen <unk> own pray at that's right. It was a batty he said fortunately our I._T.. Team reacted quickly unplugging quick although although after the fact of course and shut shut down much of the system. I know he's even if they did they unplugging even though it was a weekend so yes our I._T.. Team is on the job even on the on aww weekend he said less than seven percent of our laptops have been infected however it did hit our two domain controllers which means no server can access network services whoops G. at Actually Leo it also got their backups yeah and insurance policy taken out last year <hes> chorus said will help county recover. He said fortunately our county liability agent of record John Jones last year recommended a cybersecurity insurance policy. I bet there's a lot of those recommendations going around you. GotTa Get Insurance Policy which the county commissioners authorized from travelers insurance he said we informed travelers insurance late Saturday while while while we're still busily unplugging machines up north of the malware attack and they immediately referred us to the Wayne Pennsylvania Incident Response Law Firm of Mullen McLoughlin l._l._C. that specializes in response to such cyber attacks and coordinate system repairs and protection of our computers from such virus infections Friedman said quote the forensic investigation firm firm has been retained to determine the nature and scope of the incident including how the county could have been infected actually they'd never did find out but he's as we're developing a game plan to respond to the attacks route. I know you gotTa have a game plan and come up with an approach to repair our system's and protect them from further damage right after the plug them back in the county's I._T.. Department has been working long hours. We're pumping that up long hours to try and get things operation of US getting this in exactly please we. We don't want to follow what what was his name Brian Rice. He's gone but <hes> he's yeah he's looking. I don't hire and goes to pray and he goes to Gibson. Can it says they've been working long hours doors to try and get things operational including Leo spending Sunday oh to even on Sunday. They never get direct those I._T.. People to ensure that the courts and prosecutor's office remained functional because we got to prosecute somebody after we figure out who did this to us so this this particular ransomware variant known as Rieck no kidding. Oh Yeah I heard that name before R Y U K is is especially insidious as it seeks to delete or encrypt system backups whoops how how dare days but but Leo he said we are exhausting all possibilities. We're going to be exhausted as our holler drive in the closet. Somebody forgot to connect said we're even tapping tapping the F._B._i.. Is cybersecurity unit and reviewing all work arounds. We're going to review those work arounds in order to determine how to restore the county to a full operational status status so you know we're glad we voted for this guy because you know even on Sunday so staff from this firm that all the law firm McCullough coughlan arrived in LaPorte at LaPorte in LaPorte on Sunday night night even Leo notion dating no sleeping too they will help prepare documentation to report the attack back to the F._B._i.. And other appropriate law enforcement agencies Cora and Friedman both praised the efforts of the I._T.. Department Chorus said I commend our director Darlene Hail while she she still has her job and her team for shutting for shutting down our systems Saturday afternoon as she came right in as soon as the malware virus was detected unfortunately at least half our servers have been infected because you know that virus that Bauer is quick speed of light speed. Oh that's so that's so unfortunate and it will take some time to fully restore service. I ask for patients from the public as we seek to become fully operational again. They like that phrase Friedman echoed that sentiment saying Darlene Hale and her team have been working working fifteen hour days Leo fifteen hours since this virus hit to try to restore portions okay. We're getting a little more modest now. Portions of our system that can be restored because of course you cannot restore those portions that can't be restored because they can't be restored. We ask for patience from all concerned okay so that was the incident reporting then a week later bleeping computer reports reports a forensic investigation firm and the F._B._i.. Were involved but attempts to recover the data encrypted by the malware without paying the ransom. We're fruitless. The cybercriminals got about one hundred thirty thousand dollars in Bitcoin from this attack boy with one hundred thousand being covered by insurance so the impact may may not be immediate they they right but it does create some ripples in the long run. The decision to pay cybercriminals came after seeing that the decryption keys from the F._B._i.. I guess they must have had some from previous. React site. <hes> has is one of those malware that sometimes could be reversed. I don't think so I don't riot somehow. Somebody sent us an email saying yeah we do this and sometimes I think there were some versions <hes> I may be confusing using it with a different one but anyway according to a local report from W._S._b.. T A local station the county had backup servers but the malware encrypted them so oh you don't want you don't want to you know you don't want your backup servers to be on your network all the time <hes> so we now know that insurance companies are bearing the brunt of the payouts for these attacks so I'll bet that we're not far from the time when the conditions of continued insurance ric require regular training and reviews periodic security audits and more reliable backup cup solutions. I'll bet that we're in other words. We're going to be hearing from insurance. Companies quote something like will ensure your municipality but unless you want the insurance premiums to be really <unk> sky high you need to get much more proactive about protecting yourself from these threats and when you come calling for a payout the first thing we will do is audit to figure out why none of the multiple safeguards you You promised to put in place and maintain or effective in this instance and only if we find that you are not at fault given the terms of this insurance. Are we GONNA pay so. I think we're going to see something happened and then I got a kick out of this also in the news U._S.. Mayors adopted a resolution not to pay any more ransoms to hackers who they have adopted a resolution Leo <hes> it turns out that just just just happened the two that twenty nineteen adopted resolutions of the eighty seventh annual meeting. Oh that's the eighty seven hours probably thinking not the i Tripoli because that'd be a long time to have Tripoli meetings but the eighty seventh annual meeting of the United States Conference of mayors of the Committee for Criminal and Social Justice this included the resolution to quote oppose payment to ransomware attack perpetrators and actually the the the the conference the proposal adopted resolutions stuff is pretty humorous so I put a link in the show notes but what I've and I had to scroll down through AU- like endless adopted things finally got down to opposing payment to ransomware attack doc perpetrators and so they're seven points. They said one whereas targeted ransomware attacks on local U._S.. Government entities are on the rise and to whereas at least one hundred and seventy one seven zero county city or state government systems have experienced a ransomware attack since two thousand thirteen and three whereas twenty two of those attacks have occurred in twenty nineteen alone including the cities of Baltimore and Albany and the counties of Fisher Texas and genesee Michigan and four whereas ransomware attacks ax can cost localities millions of dollars and lead two months of work to repair disrupted technology systems and files and five whereas paying ransomware attackers encourages continued attacks on other government systems as perpetrators financially benefit and six whereas the United States Conference of mayors has a vested interest in D. incentivizing these attacks to prevent further harm yeah seven now therefore be it resolved that the United States conference of mayors stands against unified ride stand united yes united against paying ransoms in the event of an I._T.. Security breach in other words were saying don't do it anymore. We're yeah we we stand united against paying what we're going to be paying. We're not we're not happy so anyway ransomware. I'm again it. It's right electronically air. They're all definitely we're against it unhappy where we're really somebody's Kassim help yeah so we got an email from a guy and I can't vet it so maybe I don't know you can or something named Brett Callo. He works for a company New Zealand Company. <hes> called MC soft his his point was a K.. Reoccupies is hard coded keys that sometimes are reused and those are the keys probably referred to by the F._B._i.. Absolutely it was unclear. He wanted to get the word out that you know they offer a download her that will check it against the keys that are known own. You know this is this is the website. I don't know anything about it. They say it's free of charge but the point being that he said I just wanted to get the word out that sometimes there is there you can get a key to decrypt it used and it may work and certainly should do that before you pay anybody any money. Yeah especially you know lots of bitcoin man. That's a lot of money wow. How long is this sure insurance going to be offered? I mean it's GONNA e E. That's that's exactly right. I I mean it. The premiums are going to start going up and or and it's the fact that the insurance company paid the round number one hundred thousand makes it sound like that was the cap on their payout for in that for this this particular county so you know it in fact the county may have decided well boy you know to get full coverage. It's going to cost the premiums are going to be too high so will will accept a cap of one hundred thousand because does whatever anyway believe it or not. Leo This problem not surprisingly actually has has created well. We already saw that created a law firm that specializes now resting yeah yes and now we have code aware DOT COM ransomeware remediation. They say so it C. O. V. E. W. A. R. E. DOT COM. We are the first responders to your ransomware handsome wear recovery cove where aggregates global ransomware data to minimize your ransomware related costs and downtime let our I._T.. Security professionals manage your ransomware incident. Response they say how do we restore your encrypted data. Well one explore free remediation options identify ransomware type find free decrypt or tools like what you're just talking about free initial assessment risk identified the threat actor group then second Bain Point threat actor negotiations secure and safe negotiations complete a transparent communications determine risks and outcomes so so basically we we now have an industry which is establishing itself as professional ransomware remediation <hes> and like negotiation. They may have experienced with this so I'm sure I'm sure they've got the they have the the threat actors number and know how to contact them and say okay look <hes> Let let's. Let's see what we can do here. Ben Number Three ransomware settlement one hundred percent transparency reimbursed costs transparent documentation compliance checks. I presume dude that means that they get paid out of what they had like. You know I out of insurance or or or settlement and then four restore data and end downtime professional I._T.. Support Insurance Documentation seven so you know so they're able to to have <hes> their costs paid by <hes> by the <unk> municipalities insurance and you know role experts in who are able to to apply the decryption tools and bring the systems backup so so <hes> if your local I._T.. Staff or not up to it now. There's cove wear that you can contact than they've they sign off on their web page saying minimize your ransomware downtime. Let us manage your ransomware recovery unbelievable. It's really a business. It really is a business one more time. I feel like I've asked this many times. Is it not the case that you could probably probably prevent this with good I._T.. I know you might get infected right. I mean that's sometimes they'll sneak through but if you had good cold backups I mean it seems to me. This would be avoidable avoidable but maybe not I've had a lot of feedback from our listeners while we've been talking about this. I mean like from our from our listeners who are on the I._T.. Front line and who say you know you guys as need to stop saying that this is as easy as backing up all the systems there are tr- act. There are real logistical problems to doing that for example. You know there are servers that and so I don't have those jobs. I can't definitively say but what I'm hearing from from our listeners is that there are servers that can't be taken down. There are workstations that that they for whatever reason can't be logged off of the backups cannot be done on the fly. There are like open files that prevent themselves from being backed up and we know that that can happen where you just you can't take a snapshot of a system. That's in use you have to stop it in order to snapshot in some instances and there are systems that just that can't be taken down I for what it's worth. Leo I'm absolutely lutely sure that that it is not an impossible problem to solve but it is it is it's probably takes a lot more than his practical given the resources that these people have and in fact this takes us perfectly into the next topic which is this survey that so folks commissioned from a U._k.. Research based firm <unk> after our second break. We will talk about it yeah. I don't mean to diminish the efforts and the difficulty of this. It seems like it would be doing it man. I signed preventing it right. I really really do think that it is a bit. It's a trade off you know there is how much <hes> how much time and effort and money and staff do you commit to mitigating but you're looking at get some of the gun that's GonNa hit China I know but but I'm sure I'm sure the I._T.. People are saying it every meeting the C._I._O.. We need more money. We need more money and the and the boss says okay okay yeah but you know you gotta do what you can with what you've got because we don't have any more to give. You and I'm sure they're saying look <hes> everything was good yesterday. Everything is good today. Let's we're going to hope that that everything's good tomorrow and of course I so we've not been hit by ransomware. Knock on wood knock on wood and hit by ransomware knock on wood. We're we're in a worst. You have one person opening your email. We have twenty employees opening emails for probably been targeted. I would imagine we have will Lille. I live in fear. I I would love to have servers statically mapped and I'm disconnecting from them all the time because I because I mean this is the problem that we face today and so I mean it is is it is really I mean it's it is the problem is that that something gets in and encrypt the data and also ransomware is more sophisticated than it used to people in the chat room who were saying <hes> web. One await says we had to ransomware more attacks in two thousand seventeen we contain them restored. No loss of timer data Beta Faure says my company's been affected by Crypto where twice we've been wiped we have wiped rebuilt and restored with the loss of a maximum of one day's work so but but it may be the case also ransomware thanks to blue. What is it Blue Heaven Blue <hes> as you know in various tools that are now out there that make it easier to keep Luke Luke warm? Its Way through your network. Maybe it's more virulent than it used to be. It feels like there's things you should do. Maybe you can't prevent it one hundred percent but it feels like it's well understood what you need to do well for example. I as I've said being you know my computer could explode and I'd be up. I have an entirely separate physical redundant machine just sitting here waiting to be commissioned so you don't you're not you're not running a active server. That's doing oh transactions a second or anything like that and I and I said a long time ago. I don't want the job of keeping Sony Safe. I nobody wants that job. I told you we had the guy who who protects does cybersecurity for West Point the Military Terry Academy at West Point and he said it's tough because we only have to make one mistake right. They're attacking all the time. It only takes one mistake now. He's lucky because you are B armies cyber. Defense Command is also there so they help out a little bit but still you're right. I wouldn't want that job. We're not saying you guys are dopes. No <hes> no no no. I mean I mean and I know I._T.. People who in all their lives are you know is like that Mailman Mailman <hes> we talked about last week. He's happy he's delivering the mail life is he's occasional dogs. Yeah well and I won't talk about what we do but we have a fairly I mean we have <hes> a number of barriers to the the outside world. <hes> you know we use g mail which says they google says we filter against known malware attacks <hes>. I don't know I feel like I dunno watch because tomorrow I'll be saying Steve. We can't do the show. All our servers are <hes> encrypted. Do you know any good malware authors it one of those Dixie Cups with strange so we can talk to each other. Yeah our show today brought to you by the guys who protect detect your borders those great I._T.. Professionals out there yeah. It's a tough job but you know what it's a challenge and you do it right. You got a job for Life I._T.. Pro TV is creating being I._T.. Professionals with the best training out there and keeping I._T.. Professionals working with comprehensive training at the click of a mouse. I we are such fans I._T.. Pro TV timid don started about five years ago <hes> and <hes> you know we kind of started doing their ads at the very beginning now they have hundreds of thousands of subscribers. It is a great way to learn the Best I._T.. I._T.. Pro TV is now. Competency is official video training training partner. That's great. They've twelve COMP T. on demand courses come to you of course as eight plus network plus security plus very valuable search when you're getting that first job he got that cert- that employers looking for that it's a way of them knowing even if you have no experience at least have the knowledge they're going to be at the Channel Con in Vegas. The twenty nine hundred channel cons coming up if you've registered for it I._T.. Pro TV and COMP Tia are taking a whole this is cool taking a road trip on the way to channel Con. They could be making a pit stop and your city. They're stopping by offices and saying thank you to those hardworking I._T.. Pros around the country the UNSUNG heroes of every company man I I we get down on our knees to Russell and say thank every single day. You could follow their journey on the I._T.. Pro TV Youtube Channel <hes> or go to the channel Con Online site to get behind the scenes interviews daily wraps and more and of course learn new skills earn C. E.. U.'s you don't WanNa miss out on this I._T.. Pro TV. This is a family these I mean not literally but it's it's a group of people like us who share a common interest in I._T.. Of getting the job done right of of doing doing it with full integrity keeping their knowledge ups is why like this why you should hire people who trained in I._T.. Pro TV because they care and they're learning it constantly with I._T.. Pro TV you can watch on your big screen T._v.. You Can Watch watch on your computer. You're watching your iphone. Your android phone your Roku Fire TV. You can listen in the car. You could be getting ninety training your whole day long and many I._T.. Pro TV subscribers do that become a member of the I._T.. Pro TV family purchased a standard membership membership. That's just all the videos. They're making new videos every day. They've got a bunch of studios any five studios working Monday through Friday nine to five cranking out the best training from Real I._T.. Professionals working in the industry who also happen to be great trainers Rayner's. That's just twenty eight fifty a month that is a great deal upgrade to the premium membership video plus labs so you can actually set up without any risks servers and clients and try stuff out. They also have the practice exams. You could take the exam before you take the exam. That's a great way to prepare. That's just forty two dollars a month and I think goes prices are very fair but I._T.. Pro TV is still honoring the twit offer thirty percent off off for the lifetime of your active membership that means a standard membership is nineteen ninety five a month less than two hundred bucks a year. That's there's no look would you are you willing to spend two hundred bucks a year to get the best I._T.. Training to keep up on your pro in your profession or to get a job in that profession of course you are the premiums less than three hundred bucks a year I go dot I._T.. Pro Dot TV slash security now so remember that offer code S. N.. Thirty that's thirty percent off either standard or premium membership go dot I._T.. Pro Dot TV slash security now use the code S. N. thirty an initial thirty percent off the lifetime of your active subscription I._T.. Pro T. V. build or expand your I._T.. Career and enjoy the journey while you're doing it and don't forget to catch I._T.. Pro on their way to channel Konin Vegas. That sounds like a lot of fun to back to Steve Gibson so so foes <hes> commissioned a an independent survey of thirty one hundred I._T.. Managers <hes> they they use the U._K.. Based Research House Vanson Bourne <hes> and this <music> survey was conducted at the end of last year to the beginning of this year so December twenty eighteen to January twenty nineteen <hes> to provide a representative size split <hes> they chose the same number her of organizations between one hundred thousand people and one thousand and five thousand people so sort of an even mix of smaller and larger organizations and what they found whereas <hes> none of is really very surprising but we have some nice numbers <hes> respondents who had been victims of a cyber attack in the last year were were asked how the most significant cyber attack got into their environment. The results revealed that where respondents knew how the attack got in and they didn't always know not surprisingly email was the number one most common attack vector which was used in one third thirty three percent of the attacks and of course we know that that's conducted with fishing where email is sent that is designed for someone to think that it's authentic in typically and targeted attacks somebody clicks the link and in some cases like somebody else's somebody else's email account could compromise so the email is actually coming from someone you trust but it's malicious malicious and the rest is what we talk about all the time. The web is also a major vector which was used in three out of ten attacks so thirty percent just slightly less than email so again as we've often said the browser is the is today's attack surface. It's why I made the comment when I talked about Serv Kennel continuing to use windows seven in the future I'll be using fire Fox or chrome firefox probably <hes> which is being kept constantly updated even after windows seven stops being updated because well and for that matter of you know <hes> <hes> Thunderbird for e e mail <hes> both that that are being constantly early <hes> maintained even if the underlying O._S. isn't I._T.. Managers however cannot just folk focus on email and the web twenty three percent of attacks got in via a software. We're vulnerable of some kind and fourteen percent through a U._S._B.. Stick or external attached device so those things we don't really talk about those very much but those are still happening. You know back at the beginning of the PODCAST. <hes> windows was infamous for running a program when you stuck a U._S._B.. Device on the machine so it was very easy back into drive-by attacks anyway so thirty three percent email thirty percent through the web twenty three percent through some software vulnerability and fourteen percent through U._S._B.. Or some other device and in one out of five instances no one knew they did not know how something got in they were unable to identify the way something happened and you know in a sufficiently large organization <hes> I can understand where something happens and you just say well. You know we looked everywhere and we were never able to determine how something happened to me. Even I don't know is you know you'd like to know but it's it's hard to know in every case also what was interesting is that these cyber attacks that we're seeing as you said Leo they are becoming increasingly sophisticated which says they may not just us one thing they may be multi-stage the stage at coordinated and blended respondents whose organizations had been victim of a cyberattack revealed that they had suffered a range of attack so for example the second graphic that I have shows fifty three percent fishing forty one percent data breach thirty five percent militias code thirty five percent software are exploit thirty percent ransomware and twenty one percent credential theft well fifty three forty one thirty five thirty five thirty twenty one that adds up to way more than one hundred percent meaning that what what they were seeing was that many of these attacks used multiple means of obtaining their goals not just you know not just one type of vulnerability on it could be phishing email that then leverage the software exploit and of course we see that for example where fishing email leverages scripting and word where there's vulnerability in word where if the if you coax the user to taking it out of protected mode owed it will run the word macro and then leverage a one or two other vulnerabilities that exist somewhere so it's a it's a complex <hes> <hes> you know sort of multipronged attack because you know one thing anymore is sufficient because our systems overall in you know the the the various ways that things can happen are are increasing in their security but by by combining multiple vulnerabilities owner abilities people are still able to get in <hes> <hes> of the twenty one hundred and nine okay so so thirty one hundred organizations were surveyed twenty one hundred and nine of those they were hit by a cyber attack in two thousand eighteen over half fifty three percent were victims of fishing so that is still you know the most lucrative love the most high return attack across across all of this survey and there was some variation <hes> based on country on the the nature of <hes> <hes> software exploits <hes> over a third thirty five percent suffer from an exploit taking advantage of a vulnerability in software they were using thing <hes> in in interestingly in Mexico over half the organizations that fell victim to a cyber attack experience a software exploit which was double the number of those in Brazil Zil at twenty two and South Africa and Japan both at twenty three so there is for whatever reason there was like a statistically significant difference <hes> by country <hes> and end the survey asked the question as I as I mentioned about <hes> technology talent technology talent and time <hes> and concluded that they were in short supply in this report they said as we've seen organizations face a wide range of attacks and need to secure multiple threat vectors. They revealed that on average I._T.. Team spend twenty six percent so one just just a one percent over a quarter twenty six percent of their time managing cybersecurity so think about that twenty six percent of the I._T.. Team time is cybersecurity related and they concluded that for the majority of respondents. This is not the correct ratio meaning that it should be higher <hes> and then again there was some variation by country organizations in India spent the most time at thirty. Two percent and Japanese teams the least at nineteen percent organizations that had been hit by. By a cyber attack I guess not surprisingly spent a little more time now on I._T.. Security twenty-eight percent over those who had never experienced an attack but the yet we're still spending a substantial time twenty three percent so maybe that's accounts for the fact that they had not yet been hit they and the reports that given the variety and complexity of threats. It's not surprising that eighty six six percent eighty six percent of respondents said they need greater cybersecurity skills within their organization those organizations that had experienced an attack have even greater greater need for cybersecurity experience than those that hadn't eighty nine percent versus seventy nine percent but but so still even those who had not been hit seventy nine percent those organizations said we need to be doing more than we are able to <hes> anyway so they said that bringing the expertise to fill these GRA- these gaps is a major challenge challenge eight and ten organizations say they struggle to recruit the right skills so they're they're struggling to find people who have the skill set is that when it comes to recruitment India faces the greatest challenge challenge at eighty nine percent of the organization saying they cannot find people who have the skills they need and Germany the least but still to in three two out of three German I._T.. Managers <music> sixty six percent say they struggle to bring in the right skills <hes> so anyway I just thought that was interesting to to get some sense for the fact that that <hes> I mean this is this given the all the stuff that we cover and the way we cover it. <hes> this fits everything that we believe in terms of the weight of the the major threats that we're seeing the way these threats get in <hes> and how difficult it is in practice <hes> and to to counter act and the fact that I._T.. Organizations <hes> it may just be that there's a little bit of a brain drain to I know that a lot of our listeners sometimes I ask you know is are there jobs in an the insecurity. I think it's very clear that somebody who focuses on security can increasingly find work there in the future and we're seeing that fines are beginning to happen. <hes> where mistakes are starting to cost organizations more than just reputation damage and I'm of two minds about fines we really do want major organizations to act responsibly with the personal and Ab- usable data that they collect about us through their normal course of justifiable business operations but but we also want a need them to self report when despite their best efforts they fail to live up to their and our hopes for their ability to keep our data safe and given that responsible self reporting is inherently voluntary unless a breach is discovered externally which is much less common than internal discovery levying burdensome and abusive abusive fines on those organizations may not actually improve end user security and privacy <hes> which you know the reason I'm I I'm talking about. This is that as I mentioned at the top of the show the U._K.'s <hes> Information Commissioner's office the I._C._A._O.. Has announced that it intends to impose a hefty fine it. It's a ninety nine million two hundred thousand three hundred ninety six euros <hes> or on Oh man I'm sorry pounds <hes> which is in this case <hes> a hundred and twenty three a million seven hundred five thousand eight hundred seventy dollars a one hundred twenty more nearly one hundred twenty four million dollar fine on Marriott the hotel chain over last year's. Here's data breach as we know in reported at the time last November twenty eighteen Marriott self reported that hackers had had access to the starwood guest asked reservation database over a period of four years since twenty fourteen <hes> Starwood was at a different chain of hotels which Marriott it had acquired in two thousand sixteen so the breach occurred two years before Marriott acquired it <hes> Marriott initially reported that hackers had stolen the details of and the and it was a rough estimate Emmett half a ab- sorry half a billion so a big breach five hundred million hotel guests which they subsequently reduced to three hundred and eighty three million after a more thorough investigation and remember that there were also passports involved <hes> there were three hundred eighty three million guest records eighteen point five million encrypted passport numbers five point two five live million unencrypted passport numbers <hes> nine point one million encrypted payment card numbers and three hundred eighty five card numbers that were still valid at the time of the breach each and had not been encrypted so unfortunately in this day and age class action lawsuits began piling up with an hours of Marriott's announced security breach and I suppose not surprisingly now with the G._D._p.. Are The U._K.'s Information Commissioner's office which is in charge of such things has stated that Marriott's security practices are in violation of the E.. U.'S G._D._p.. Are <hes> and it'll be interesting to follow this to see whether that's actually the case <hes> <hes> you know I. I have no opinion one way or the other. We don't <hes> without much more <hes> information. The good news is that Marriott has stated that they are going to oppose this fine. They filed a a note with the U._S.. U._S. Securities Exchange Commission that they're going to <hes> <hes> formerly oppose it the the Marriott international's president and CEO Arne Sorenson said we are disappointed with this. I notice of intent from the I._C._O.. Which we will contest we deeply regret this incident happened? We take the privacy and security of guest information very seriously and continue to work hard to to meet the standard of excellence that our guests expect from Marriott and he did say that the Marriott had retired and we mentioned at the time the starwood guest reservation system earlier this year so it's is no longer in use so I don't know how I I guess. I don't know how to feel about the E._U.. Stomping on Marriott for a violation of G._D._p.. Are which which occurred for over a period of time involved an organization that that they didn't own at the time <hes> that they're now you know slapping them with a big fine over and again. It's you know we want organizations to responsibly disclose breaches rather than to fix them quietly eh and not acknowledged that there was a leak that could affect their customers yet having the G._D._p.. Are abused in this way really seems to put cold water on that so so <hes> it'll be interesting to see. They owe the day before that also by the way <hes> the I._C._A._O.. In the U._K.. Also announced plans to hit British Airways with a two hundred and thirty million dollar fine after they failed British Airways failed to protect their website which was infected with a web based card skimmer <hes> which was collecting payment card details from British Airways customers <hes> for let's see April May and June for three months <hes> back in twenty eighteen. I didn't know there was such a thing as a web based card skimmer. That's awesome yeah so it was it was infected Java script right which got in there and was capturing there you know all of their credit card information while they were putting it in so I don't know <hes> seems you feel like they're being scapegoated because they're big names and yeah and they've got deep pockets and like to add a sinks idea instead of finding him in collecting him in you know blinding your coffers. Make them spend that money on security saying like good now. You'RE GONNA spend ninety nine million dollars to make your system more secure and we want to seats. I think that makes a lot go better yeah. You know I guess if they're not sitting up paying attention to the hacks. Maybe the fine would get companies pay attention but doesn't feel like that no and <hes> did this information commissioner Elizabeth Denim in the U._k.. She she said the G._D._p.. Are makes it clear that organizations must be accountable for the personal data they hold biscuit include carrying out proper due diligence when making a corporate acquisition and an putting in place proper accountability measures to assess that only what personal data has been acquired but also how it is protected personal data she says has a real value so organizations have illegal duty to ensure. I'm sure it security just like they do with any other asset. If that doesn't happen we will not hesitate to take strong action when necessary to protect the rights of the public so you know I guess S. I guess I hope that they can't simply levy a fine. They I hope that that if for example in this case Marriott says no prove that we were negligent then there will be an investigation that the that that I see oh has to like you know <hes> <hes> undertake in order to demonstrate eight Marriott's negligence post acquisition 'cause she saying that they have an obligation even for organizations that they acquire so you know you imagine Marietta did something I mean we talked about at the time there was some you know looking at what it is that they're getting. They missed it clearly but you know everyone makes mistakes anyway. It'll be interesting to see how this how this plays out but I agree with you. Just telling them you you. We're we're going to we're going to force you to spend this money to make yourself stronger like well okay. We didn't want to spend it that way but it's better than you guys having it as you said the alighting the coffers didn't seem right speaking of fines although in this case of it's it's a different different nature because it was a policy decision that they are being hit with remember a few months ago. When we talked about Mark Mark Mark Mark Mark Zuckerberg addressing his shareholders and stating that they had set aside? I think those were his words some billions with a B. of dollars for an expected Federal Trade Commission fine in a settlement of the in the infamous Cambridge at Politica tied Privacy Violations Well The Wall Street Journal just reported that F._t._C. Commissioners have voted and approved a five five billion dollar settlement with facebook so there's a slap and <hes> you know certainly I in this case. No one would argue that <hes> you know these guys. This wasn't mistake. This was facebook. You know selling their information so bill. They're paying the price <hes> Mozilla as we as we actually was you mentioned it while I was talking about the I._S._P._A.. Because it was just happening as this as as we were recording a podcast you mentioned last week that the I._S._p.. Had reversed their position on Mozilla Yeah <hes> Paul Duckling who is a writer for so fo's naked security <hes>. He followed his earlier column about that Nutty I._S._P._A.. Nominate should of Mozilla as Internet villain of the year with a column titled Mozilla Aren't Villains after all at in his piece he nicely summarized is why I'm quoting it. Why Unprotected D._N._S. over U._D._p.? Is a problem in the first place he wrote if I- unlawfully Sniff Your D._N._S. traffic so I know where you went can't I'm violating your privacy merely by knowing where you served without getting any details of what you actually surfed. I can infer an awful lot about you. I can probably piece together your daily routine both at work and at home figure out your likes and fears learn which companies you do business with which bank you use the shops you frequent the clubs you belong to the hobbies you enjoy the the medical surgery you're registered with the sports teams you support and much more so anyway I I like that that brief summary <hes> as we all know there are many other means for blocking <unk> access to unwanted sites. Just SORTA wanted to follow up on this before we'll be talking about encrypting D._N._S. in a minute but you know as I as what we know is that they U._k.. Is Unhappy with Mozilla Mozilla for for making it so easy as the only way I can read this making it so easy to blind eye there I._S._p.'s to the D._N._S. queries that that Mozilla customers are making <hes> since and so. I thought I'd just say for a minute since D._N._S. to I._p.. Mapping some TA sometimes changes an I._S._P.'s content blocking device rather than doing a match on D._N._S.. Queries could periodically make the same D._N._S. queries their customers make retrieve the D._N._S. Look I._P.. A._p. and dynamically manage in I._p.. Filter blocking list in order to keep those connections from being completed after the user's browser tries to make them or redirect them to prohibited content page or whatever or some concerned organization could perform the look ups and communicate I._P.. Address additions and removals too concerned concerned I._S._P.'s or I._S._P.'s could subscribe to a published blocked list in the same way as spam has been thwarted since way back in nineteen ninety seven with rb els real-time blacklists of of the I._p.'s of known spammers so my point is there are a great many ways to solve this problem that are just as robust as filtering turing on D._N._S. and <hes> certainly those organizations being filtered that as the ones that are being blocked no already know that by changing their domain names they they can sidestep the filtering until it again catches up with them so you know yeah enhancing the privacy of all web browsing users at the by by encrypting encrypting D._N._S. at the expense of asking I._S._P.'s to change the details of the way they selectively block access so so that some domains which haven't yet change their names to avoid the blocking <hes> get blocked to me makes a great deal of sense and I'm glad the I._S._P._A.. I Yeah I._S._P._A.. Came to their senses on this and speaking of Mozilla recall that we previously covered that shady organization who chose to name themselves dark matter which was petitioning Mozilla to include glued there route C._a.. Certificate in fire foxes trusted Cert- S- store possibly go wrong. What could possibly go wrong at the time cybersecurity security experts and privacy advocates were strongly cautioning and urging Microsoft Mozilla against doing so stating the dark matter could abuse its position Shen yeah to help its surveillance operations? Remember it is a manufacturer of those middle boxes which are used to intercept <hes> H._T._T._p._S. connections and right now. If it's if it's middle box certificate is not trusted than users would get a warning and or have to trust its certificate but if they are able to get into the into the root store than their middle boxes could be issued certificates which would raise no alarm which we don't want <hes> some of these operations that is of dark matter. These surveillance operations have been previously reported so this not just it could happen. This is what dark matter has done in the past <hes> in reports from Reuters the New York Times and the intercept and other sources have detailed alleged dark doc matter orchestrated hacking operations against human rights activists journalists and foreign governments which dark matter carried out at the behest of the U._A._e.. United arid Arab Emirate government so <hes> these guys don't sound like anybody you want to have in your route store. I mean Hong Kong Post Office. That's benign compared to these guys so in a Latte. Get at this Leo in a just recently in a last ditch effort to have it's to find a way to get it. Sir Certificates Trusted Inside Fire Fox dark matter attempt to create a spinoff off certificate authority business called Digital Trust but much better. I like better my Yuka their digital at trustworthy that's right unfortunately both both dark matter and digital trust were run by the same C._E._o.. These guys seem kind of clueless. You know if you're going to set up. Try to have a different organization. It's it's really really not your name. We don't like your name dark matter but that's not why we said no so creating a spinoff run by the same guy called digital trust okay I trust us know so taking everything into consideration having given plenty of time for contemplation and you know because they really don't want to deny anybody who should have this privilege out of hand. Hand Mozilla has finally announced its decision last week in Google Groups Discussion Wayne Fair Certificate Authority Program Manager at Mozilla said quote are far most responsibility it is to protect individuals who rely on Mozilla products he said I believe this framing strongly supports a decision to revoke trust in dark matters inter existing existing intermediate certificates. He says while there are solid arguments on both sides of this decision it is I guess the argument on the on the pro side as well. Maybe they aren't bad <hes> he's as it. It is reasonable to conclude that continuing to place trust in dark. Matter is a significant risk to our users. He says I will be opening a bug. Requesting the distrust of dark matters. There's subordinate C._A.'s that is the intermediate certificates and will also recommend denial of the pending inclusion request and any new requests from digital trust so anyway that distrust of the supported see as that Wayne was referring to <hes> was something we also talked about before dark matter had been issuing certificates which would be trusted by Fire Fox using an intermediate an intermediate see a certificate which had been signed by quo Vadasz which is trusted so those certificates that intermediate C._A. is going to be killed as well world wants. Mozilla removes the quo vadasz intermediate certificates from Fire Fox in a future update all websites that use T._i.. Certificates acquired from dark matter will show you know up to standard illegal certificate warnings in fire Fox <hes> warning and blocking users from accessing their content so what I'm wondering now because we don't know I haven't seen and is what windows and other route stores are GonNa do recall that in order to prevent problems with third party Av Mozilla stated that they unin some conditions they will be importing the windows. See a route and trusting <hes> asserts signed by those route so if you're in the specific conditions are if you're on windows eight or windows ten with a recent fire Fox and who isn't recent <hes> anything since sixty six and I think we're at sixty eight now <hes> and you have a non windows defender Av registered with the system in that in those cases windows windows eight or not want to nine. There's no nine windows eight or ten and you're using a non windows defender Av then Fire Fox may be and I think is what I can't test it here because I don't have <hes> a non windows defender Av Fire Fox may be turning on the option to trust the windows route store <hes> if twitter if windows is trusting dark matter cert- s- and I don't know whether it is either way and or their previously issued quo vadasz intermediate cert- then your fire your than your fire Fox would to <hes> there is the the the the switch the <hes> the option switch that we talked about before maybe you can inspect it and see if it is set if you if your situation matches that that is you're probably using windows ten and you if you're using a non windows defender Av go to about colon can fig in your address bar and put in security dot enterprise that will bring up one entry security dot enterprise underscore roots dot enabled doubled. I checked it and for me. It was set it was set a default of false but as I understand it fire Fox in in those circumstances because they don't WanNa be causing problems alums with not recognizing search that are installed by these a vis which are wanting to filter H._T._T._p._S. T. L. S. connections they will be bringing the roots which are registered with windows into the Fire Air Fox store and that that's switch will be set to true so it'll be interesting to find out whether other routes file follow Mozilla 's lead and do not trust dark dark matter asserts <hes> Oh and one other lot nice <hes> forthcoming Mozilla feature the next release of Fire Fox sixty nine will add a tracker blocking report <hes> it when when we get sixty nine and I'm not sure when that scheduled <hes> pudding about colon protections into the U._R._l.. Will bring up a graphical display showing how many and of what type of trackers fire Fox has auto blocked during the previous seven days <hes>. We didn't talk about this one at happened since so much was happening that particular week but it it was last month. Mozilla has decided I guess pretty clearly to differentiate itself from the chromium based browsers by focusing upon privacy through proactive anti tracking hacking they released the the full version of their enhanced tracking protection. They Call E. T. P. in fire Fox sixty seven last month it added default blocking for cross site. I tracking which are as we know small bits of Java script embedded in websites by advertisers <hes> those bits of code send back our location to monitor what we're doing across the web for the purposes of generating profiles profiles at the same time <hes> Fire Fox released an updated version of its facebook container which stops facebook from tracking people in the same way so all of those share and like buttons which appear ubiquitously across the web which report back to facebook even if they are never clicked are now also completely blocked by the updated fire Fox container along with all the other connections to facebook's servers the might happen so in May Oh and also in May Fire Fox began blocking crypto mining for us and also is now blocking fingerprinting so so all of those things are now being handled by by default by fire Fox and in Fire Fox sixty nine will get a very nice graphic. I have a picture of the a snapshot from the from the proposed just graphic in the show notes for anyone who's interested and it it breaks out all of the different classify types of blocking and how many of these trackers have been blocked over the course of the last seven days so you know chrome is a great browser and it now as we know has the majority of the Internet <hes> but we also know how Google makes its money <hes> I love their search engine and this show notes document was created using they're very slick online tools but I am more closely aligned with fire foxes philosophy. I love having it's tiny tabs down all along the side Bar. <hes> Hi and Fire Fox works perfectly for me so I expect to be sticking with Fire Fox for the <hes> foreseeable future and now leo in this week's installment of wrestling a simple bill idea to the ground. We have the paper which will be delivered this Thursday. During I was the forty third I couldn't be eighty seventh. It was the i Tripoli forty third annual computer software and IT APPLICATIONS CONFERENCE WHICH IS COMP Sack C._o._M.. P._S._A. See titled Control Alt- L._E._d.. Leaking data from air gapped computers this via keyboard L._e._D.'s at my first thought about hearing this was it should have been named <hes> rather than control all l._e._d.. Control alt- Duh because okay it's obvious to all of us that if software can be if software can blink a keyboards l._e._D.'s you know how keyboards have what caps lock scroll lock and Numb Lock L._e._D.'s so if you can put those under software control and you can and you can install malicious software in a computer and we know that happens and you can arrange to have something watching the L._e._D.'s over time obviously at a time when there's no one sitting there because otherwise they'll let think what the heck's what the hell Mike Computers just gone beserk. My lights are blinking on my keyboard like crazy <hes>. If all of those preconditions can be set up then yeah you could send data you could exfiltration feel trade data from the computer now to their credit and Leo you're scrolling this on the screen right now. I haven't in the show notes. They really did solve the problem as I said I WANNA put them. I'm on the task of figuring out what the best communications medium to us is between the bottoms of to Dixie cups which are stretched so that when so that when we talk we get the most clear your communication and for that matter since since it's really not a really clear communication maybe which language would be best used for <hes> increasing intelligibility of of a Dixie Cup telephone and because of you know these are the guys you WanNa put on that project. They really wrestled this thing to the ground <hes> that they have looked at the the nature of the of the Radiation Radiation Pattern as a function of angle from dead on <hes> the Lampien Earl Lamberton lamberty and radiation pattern <hes> the transmitted power as a function of how far off of the axis you are from the l._e._d.. <hes> if you have a camera lens which is imaging multiple L._e._D.'s <hes> are to what degree are you able to to differentiate between the L._e._D.'s spatially when the L._e._d.. Illumination falls onto the camera sensor they have a wide range of camera types that they have experimented with and what about if you have a non imaging receiver if you have something that could only deter detect the illumination but doesn't have a focusing lens so all you can see all you can detect as a subtle change in brightness in the room for example and they wrestled it all the way down to which keyboards produced the highest bit rate believe it or not <hes> looking get del <hes> with a single l._e._d.. Versus Multiple L._E._d.. <hes> Lenovo the same conditions logitech keyboards or silverline and for anyone who is worried about this the silver line keyboards allowed them the at a at a relatively low bit error rate of three point one zero percent they were able to very cleverly managed an exfiltration of a little more than five k bits per second so that's you know that's not bad. That's way over Morris Code <hes> anyway for anyone who's interested or worried. I guess you could I mean I never really used those lights on my keyboard. You you cannot only stick a post it note over your one more thing to tape up Webcam exactly and these guys are the blinking light experts they. They're the people we've talked about before who worried that hard drive Dr activity lights could be used for for exfiltrated data and remember. We talked about them saying that the lights on routers could be used and I said what you know maybe if the data bits were were exposed on the L._e._d.. But routers don't put the data bits they like sort of aggregate them together and just blink the light slowly. If anything is happening at all so I don't know <hes> they they do ten on the limits Yulia says what about the flash on your camera that could probably be used to yeah on your camera phone right. You know yeah wow anyway so they they really wrestled the problem to the grounds gangs they are and we're going to talk about erratic miscellany and closing the loop after our final break and then we will wrap up with D._N._S.. Encryption indeed we will my friend our show today brought to you by hi and I've talked about it before I hope you maybe you know it's funny because I think everybody listens to this show listens to every episode of the show so they probably already know about the helm personal server but if for some reason you missed it. Let me tell you about this. This is such a great product. I use the helm for email. I haven't put next cloud on it yet. How the whole idea the helm and it's cool looking triangular <hes> file server that goes in your house thus connects up via Wi fi or Ethernet has one hundred twenty eight gigs of storage although helmets working on making it expandable to up to five terabytes of storage? There are two U._S._B.. Ports on the back. There's a U._S._B.. Port Word on the top and I I love the point on the top because it's for one reason only I guess you could use it for other things but it's there so that you can back up your helm recovery keys. Let me tell you what the helmet it's a server that will send and receive receiving mail so you no longer have to store your e Mail on Google or Yahoo or some third party server. You can have it in your house. Yes it will send email does it. It's very very clever because the helm and you can read more about this at the helm dot com. The Helms solves the most important issue of having a home server which is that most is people block port twenty five. That's outbound mail plus even if you could get it through the I._S._p.. Most inbound mail servers will look at a home mm I._S._p.. Address in fact any I._P.. Address within an I._S._P.'s range and say well that's Spam no-one runs a mail server through comcast or or spectrum and they'll block it so what Helms done is very clever so you've got this great server on there but you also have an I._p.. Connection back to the helm servers. Your data is encrypted highly encrypted so it is not visible to helm but it pass your emails pass through helm so that they can make make sure that they have an I._p.. Address for your outbound mail that is working that in fact they carefully groomed the I._p.. Address before they put it on your server so that it actually will get through to all the big email companies and all the smalley mill companies so they've solved that that's the number one problem in running your own email server. They've also made it very simple. They are also security guys so they made it very secure for instance. It uses hardware authentication. You use your smartphone in proximity to your server to set it up to provision it to create accounts in fact if you can have as many accounts as you want. I really love that as many domains one as many accounts as you want and if you setting up a family email server or server for a small small business for instance you bring each person in and you say okay. You're going to put the helm APP on your phone. You're going to authenticate through your phone. Now you have an account on there. It's great you still get an admin account. You still have complete admin access of course helm is awesome awesome because it has uncompromising data privacy and data security and now they've made it even better by adding next cloud cloud file servers a great open source file service. You get file sharing photo backup they can easily upload view and share your files and photos securely not giving them to Google or dropbox or anybody else. This is a great alternative. It's completely private to Google drive to dropbox. They do email right to they use D Mark S._p._F.. Email authentication Haitian. I it's so easy to set up just taking five minutes. It's accessible anywhere in the world. There's a great if you want to read more. There's also a great review of the Helm Server Michael Lee who is an expert privacy security and bought a helm wrote his article April thirtieth of April on the intercept at the hip dot com you can search for the intercept and help talking about how the helm works he can go into he goes into more detail about the technology and stuff. It's just great <hes> it uses T. L. S. encryption <hes> with let's encrypt which is awesome full disk encryption keys are managed by secure enclave. You get recovery keys and you put them on this U._S._B.. which you then bring somewhere put in a safe deposit box of bring the work case you know you have to get a new server for instance and you want to swap <hes> it's secure boot so it is highly secure? I love the two factor authentication. I love the encrypted. Oh yeah your emails and your files are always encrypted and always backed up on the health servers off site so even if your home where to get burned in the flames of of a massive fire you've lost nothing no email no files and this private security key means that you'll be able to get back to it anytime you want. Privacy is a right not a setting protect what matters with helm for limited time you can say fifty dollars on the helm personal server by visiting the helm dot com slash security now. They're catching up. They've been huge demand for this. This is a very successful idea. <hes> Giri do the issue sure. Nevada did a great job of putting this together with his team and they were sold out. They are making them as fast as they can. If you order to in months past you're going to be getting yours any minute now and if you order today you can expect it to get it by at the end of August. I just wanted to give you a heads up about six weeks to get it out to the helm dot com slash security. Now I use it. It is awesome. We actually keep it here. In the studio. <hes> it is just an incredible device at the helm dot COM com slash security now. Take control of your data if your privacy focused it's part. It's been part about you know I moved off g mail moved everything onto the hell <hes> I it's part of my whole data hygiene thing sure I know I still use Google and a lot of different ways but why give the Google anymore than you have to and you don't have to anymore with with actually a fantastic file server and email server from the helm the helm dot com slash security now. What are you smiling? Goo Goo Goo the good the good because your friend why give them more than you need. You know <hes> shoot so I I had the note in a rat of that that I already mentioned. was that a lane hearing US talk about how long we've been doing the show <hes> corrected me and saying no see I think I've maybe I said we were in year thirteen or something. She said no year fifteen will begin hidden next month in August twentieth so we'll be right here. You can listen to number one right at twitter dot TV slash as everyone from then on the veil. They're all there and I try to numeric numeric numbering so n one s and to us in three S S N. What is it seven twenty-three seven twenty-three? Yes my friend and I just I did want to just make mention that I- Laurie and I managed to slug. elgar way through stranger things three <hes> <hes> that's bad yeah it was a disappointment i'm so glad i two it'd be hard you know it's hard to keep yes that quality and and it was really a op annoying was it seemed like such a commercial play you know there were clear product placements throughout the entire thing i mean the fact that it was held in a mall where you were seeing the various stores advertised and a lot of those stores were were eighties vintage stores and no longer exist than they asked somebody rebuild that home all they created it yeah yeah yeah so anyway a couple of beat pieces of closing the loop uh-huh and this is relevant to our topic today chuck posted a g._r._c. security now newsgroup <hes> he said i enjoyed show seven twenty two yesterday last night i checked the fire fox setting to enable d._n._s. over h._t._t._p._s. d._o. h dole though <hes> adult he so he said i chose a location in europe and he says i chose a v._p._n. location in europe and started browsing he he says there was a dramatic improvement in speed with which website started loading on the screen he says i mean really fast he's tonight i'm going to do some une checking and rechecking to confirm the d._o. h is responsible danceable is improving the efficiency of a v._p._n. connection and then he said he followed up exactly twenty four hours later with i disabled d._n._s. over h._t._t._p._s. in fire fox last night web page loading mm performance slowed considerably he's as naturally i turned it back on and the joy of quickly loading webpages returned so that company has a slow d._n._s. server i guess right yes exactly and so so it will it may well be that by by turning the tunneling on your avoiding the slow d._n._s. serve as you were using by default and got a big acceleration so a lot of i._s._p.'s have crapped in a servers yes it's it's sort of of an afterthought you know it's not like the l. way we got the best d._n._s. is like yeah we had to plug one in so as over there in the corner amana just you know it's it's not very glamorous so it is often the case that even though the i._s._p.'s d._n._s. 'services almost by definition the closest server to you in terms of the connection <hes> it may not be the fastest one to deliver a response well that's why you wrote your dentist benchmark yep you can easily tested our topic encrypting d._n._s. there's there's four things we have we have d._n._s. sek d._n._s. crypt technically we have d._n._s. curve but that never ever that's sort of been replaced by crypt d._n._s. over h._t._t._p._s. and d._n._s. over t. l. s. so let's talk about each of those to sort of clarify where they stand what's going on what they do <hes> <hes> d._n._s. sec i because it's not encryption it provides cryptographic lee signed d._n._s. records which allows d._n._s. sek aware oh s.'s to verify that the d._n._s. response which was received <hes> which may have been cashed and forwarded from the it's it's originating authoritative d._n._s. server has not been tampered with or altered in any way so it's just a signature that's all it is since it signed with a private key which no forger can have this essentially essentially means that we're assured that they received d._n._s. reply is authentic it hasn't been tampered with so that's all good but what d._n._s. sec does not do is encrypt it was never intended to provide privacy only authenticity so the records are signed and as i said they cannot be tampered with but anyone watching the traffic will still see the d._n._s. clients queries he's and their replies just as if d._n._s. sec was not in use because all it does is it adds a signature record to the existing d._n._s. reply which allows a d._n._s. sek aware client to check the signature oh but before i go on i'll note that all three of the full encryption options that is the other three things d._n._s. crip d._n._s. over date she'd e._p._s. indiana's over t. l. s. all three of those are now compatible with d._n._a. sec the earliest versions of d._n._s. crypt were not compatible with d._n._s. equitas what you remembered from the from our original coverage of this leo back in the old days but an update to d._n._s. crypt <hes> allowed essentially a full encapsulation d._n._s. so it became d._n._s. set compatible <hes> so that wa that's not been true all the time it is true now so d._n._s. can be used with all of the of the three encryption solutions <hes> so so we i described discussed d._n._s. crypt back in the context of open d._n._s. which was subsequently purchased by cisco <hes> d._n._s. crypt uses the same fast lean and secure crypto that i chose to use with squirrel that's dan bernstein's elliptic curve to five five one nine <hes> it successfully provides encryption for privacy privacy but it is not nearly as attack an att anne hack resistant as we would wish a contemporary protocol to be since it does not use any of the existing public <unk> certificate infrastructure the server's public key is published over d._n._s. and it's implicitly trusted though it can be verified with d._n._a. sec so when so when d._n._s. script added d._n._a. sec than it does it does allow for privacy and protection and you can verify the servers public key in order to to to provide protection but <hes> what it really means is the d._n._s. crypt was simple and lightweight it was you know it was like it was the the progenitor of the these later full tunneling pulling protocols <hes> it could ride atop either to you dp or t._c._p. which was a benefit <hes> unlike the connection oriented protocols <hes> it required much lighter server resources so it was very easy to implement did not require a full t. l. s. stack <hes> and the security troubles that we have as we know that implementing full t. l. s. can bring with it <hes> but it never made it to the i._e._t._f. standards does not have an r f c and and was never taken up by the i._e._t._f.'s river standardization so <hes> it's it's there there are providers for it <hes> it was a pioneer in in encrypting d._n._s. but my sense is that it just it sort of wasn't the right solution <hes> <hes> there is a d._n._s. crypt there is a tool known as d._n._s. crypt proxy which is written by frank dennis <hes> he wrote it in go lang it supports both oth d._n._s. crypt and d._n._s. over h._t._t._p._s. <hes> and and we'll we're going to be referring to that in a minute because it ends up being probably the right solution it provides client services for lennox b._s._d. windows mac o._s. android and others and there are whole bunch of binary distributions ready to run i've got the link to it <hes> the the the get hub link in the show notes again it's d._n._s. crypt hyphen proxy so i'm sure if you just google d._n._s. c. r. y. p. t. hyphen p._r. o x y you'll be able to find it and there is if you're a windows user there is a simple configuration tool for for it called simple d._n._s. crypt which provides a very nice looking front end okay so <hes> so the second to the last is deal d._n._s. over t. l. us <hes> and as we know h. t. t. p. s. runs over t. l. s. which runs on top of t._c._p. so d._n._s. over tia less is as it sounds a protocol for encrypting and wrapping d._n._s. queries and their replies in a tunnel so that means that we get both privacy via tijuana's encryption and authentication via t alexis support for the entire public infrastructure all the routes shirts and and certificates on all so this prevents eavesdropping thanks to encryption at any manipulation of d._n._s. via man in the middle attacks which as we know simple d._n._s. over are you dp is extremely prone to cloudflare i._b._m.'s quad nine google there's an accompany quadrant information security and clean browsing are providing public blick d._n._s. revolver services via d._n._s. over t. l. s. so it's broadly available from from some big well connected services cloudflare quad nine and google back in april twenty eighteen google announced that android pie would include support for d._n._s. over t ls and it does i'll get to that in a second there's d._n._s. dissed dissed from power d._n._s. also announced support for d._n._s. over t ls in its latest version users of the older bind d._n._s. server can forget d._n._s. over tia less by proxy being through s tunnel so that is to say it's just d._n._s. running through a t. n. s. a. t. l. s. tunnel that's all it is and the newer unbound d._n._s. server <hes> which which is in the the various b._s._d.'s now it has supported d._n._s. over t. l._s. natively since early last year so that's definitely something to consider d._n._s. over t. l. s. us is a nice option especially if your client platform like android pie supports it natively there there's a link in the show notes here to a cloudflare <hes> post about doing exactly that they say i go to setting an android pie <hes> and probably subsequent go to settings under network insecurity advanced and you'll find the under advanced private d._n._s. select the private d._n._s. provider host name option enter o. n. e. dot o. n. e. dot o. n. e. dot o. n. e. or one d._o._t. one d._o._t. one d._o._t. d._o._t. one dot cleared flyer cloudflare hyphen d._n._s. dot com and hit save then visit one dot one dot one dot one slash help to verify d._n._s. over t. l. s. is enabled bold and has just that simple so my goodness if you're an android user why would you not turn this on and immediately have your all of your <hes> android smartphone or other android device <hes> d._n._s. <hes> tunneled through d._n._s. over t. alaska cloudflare oh and last week i misspoke about the p._f. sense firewall support i said it was d._n._s. over h._t._t._p._s. e._p._s. that's what we were talking about last week it wasn't it's d._n._s. over t. l. s. but again there's plenty of support for it and so <hes> and essentially provides all of the same services as as d._n._s. s. over h._t._t._p._s. as long as you have a provider on the other end and there are plenty of providers and so finally this brings us to d._n._s. over h._t._t._p._s. <hes> it is a proposed i._e._t._f. standard as i mentioned last week specified under r f c eighty four eighty four it uses h._t._t._p. slash two or h._t._t._p._s. and supports the the on the wire format of d._n._s. responses so <hes> exactly as are returned by existing you dp responses meaning that you just take exactly cle- what a d._n._s. standard d._n._s. server would send back in a u._d. packet you stick that you reply over h._t._t._p._s. the same thing that means that it is extremely simple to bring up on a on a web server two to four to allow a web server to host d._n._s. over its existing protocols <hes> it defines a new h._t._t._p._s. g._p._s. payload type with a mime type of application slash d._n._s. hyphen message so you know how mime types typically are like you know <hes> plane slash taxed or applications vacations slash something excel or word or something this is application slash d._n._s. hyphen message to identify it as d._n._s. content when h._d._d. p. slash two is used just because of the features of h._d._p. slash to the the server can even push d._n._s. answers that haven't been queried yet because remember the h._t._t._p. a._d._p. allows you to do to send ahead <hes> so it's able to push <hes> values that it anticipates the client may find useful in advance so it feels to me like either d._n._s. <unk> over t. l. s. or d._n._s. over h._t._t._p._s. depending upon your platform <hes> is the one you want to use and that the client i mentioned before you even though it still has the name d._n._s. the n._s. crypt d._n._s. crypt supports d._o. h d._n._s. over h._t._t._p._s. so for users who like for window well actually for it's widely supported lennox b._s._d. windows mac android and more you can install d._n._s. crypt hyphen proxy which you can get a binary from making it easy you don't have to go to to build it yourself from get hub you install that and configure it on your o._s. and you will get because it also not only supports d._n._s. descript but full d._n._s. over h._t._t._p._s. and there are plenty of all of those other providers all of the big <hes> d._n._s. providers also support like cloudflare and quad nine and and google support d._n._s. over h._t._t._p._s. and if you're a windows user you can use simple d._n._s. crypt dot org h._t._t._p._s. colon slash slash simple d._n._s. crypt crypt dot org is a front end a very nice configuration front end for the d._n._s. crypt proxy <hes> on windows and so what that essentially means and the reason i wanted to discuss this is that not not only with a fire fox browser can you now flip a switch and have your fire fox d._n._s. protected from snooping but it is entirely practical to to install d._n._s. crypt on any o._s. platform <hes> configure it to use the d._n._s. the big d._n._s. provider of your choice and you go dark to anyone your i._s._p. or anybody else who may be sniffing your traffic and it sure looks like you suffer nothing in terms of performance loss so we'll not not anybody else but anybody else in between you and the d._n._s. server at that point correct you exactly you are are all your queries are emerging and are known to for example google or gook the who knows who knows all especially if you choose them as your d._n._s. over h._t._t._p._s. endpoint right right well he then there's horizon you could choose them they're they're known for their privacy policies <hes> i would use ida quad nine we still don't know who who's running quad nine ibm oh it's i._b._m. they offered offered at they offered it as the service yeah i do too they have as good quad one yep yep for sure yeah and you know i was just <hes> again talking the ilya who's been very font of information in here google pixel phones come with <hes> similar to two one dot one dot one built into the phone so you can turn that on to nice d._n._s. queries but it goes back to quite eight because back to google it's it's basically eight right right you can change it oh i'll have to look in the settings you could change something else if you want quite one instead away from the google google the google knows way too much why give them more that's my philosophy steve great episode i'm gonna run at home and watch the mall episode of stranger things plays you said he said when i'll you can see one brand of cereal you could see clearly in the across the aisle everything's blurred out yes yes i mean it was it was yeah it was all cereal all by one by one manufacturer is running low on money you got to help them out a little bit here yeah yeah <hes> we do this show every tuesday would try to get in here about one thirty pacific usually pretty good but if we're a little late will you'll understand that's four thirty eastern time twenty thirty u._t. see tuesday's you can watch it live at twit dot tv slash live or listen we've got live audio and video streams there you if you're doing that to chat with us at i._r._c. dot twit tv always a good bunch of people in the chatroom during security now smart people also often really great people in the studio audience it was nice to have you here <hes> if you want to be in our studio audience he's waving at u._c. all you have to do is <hes> email tickets at twitter dot tv steve's waving back and we'll be glad to put a chair out for you this is a pretty small studio <hes> so any of the shows like windows weekly security now the tech guy show that i do in here <hes> it's a very good idea they mail ahead because sometimes it can fill up and we don't really have an overflow studio for you the big studio you can always get one more person in there <hes> if you wanna get versions of the show after the fact there's several places you can go start with jesus steve site g._r._c. he dot com effect while you're there pick up <hes> you got transcripts you got audio and you can also pick up a copy spin right the world's best hard-drive recovery and maintenance utility and steve's bread and butter that's the best way to support steve and by the way you get some value out of that some real value out of that squirrels there too a lot of other great stuff g._r._c. dot com steve is at s g g._r._c. on twitter <hes> you can d._m. him there he's open to e._m.'s if you have

Coming up next