Hello folks. We're about to do a special episode because Steve Gibson was nice enough to show up. Thank you, Steve.

Well, you were nice enough to ask, so any time, Tom. My pleasure.

All right. Here we go. Three, two. This is the Daily Tech News Show special edition. I'm Tom Merritt, and joining me today, host of Security Now and security researcher Steve Gibson is with us from grc.com. Steve, thank you for joining us.

Hey, Tom. It's my pleasure. Thanks for asking. I'm happy to spend some time with you and your listeners.

Now, if you don't know, Steve and I occasionally would host Security Now on the TWiT network back in the day when I was there, and I think it was 2013 when Steve started to develop an idea for password replacement, username replacement, and I actually did a couple of shows where you talked about it. And recently I did a show where we talked about why the big companies weren't talking about password authentication at their developer conferences this year, and a bunch of people said, you need to get Steve back on to talk about SQRL. So let's talk about not squirrels, but SQRL. For the uninitiated, for the folks out there who don't know, what is SQRL?

So what happened was, as you said, I think it was like November of 2013. Because of Security Now, I had security on my brain, and I was working on SpinRite, on the next version of SpinRite, but during breakfast this idea just kind of landed, and it sort of took my breath away, and I thought, okay, wait now, that can't work. And so that began the story.

The concept is, you know, everyone is talking about how we need a solution to the login problem, to the problem of identifying ourselves remotely over a network. You know, if you walk into the pharmacy, you wave to the pharmacist and identification is not a problem. Facial recognition works really well in that case.
Yeah, yeah, exactly.

And the problem is when you can't see someone. This anonymity, which can be a huge benefit of remote computing and networking, well, when you want to identify yourself, that's a problem. And so the long-standing solution has been, as we all know, use a username and a secret, so who you are and something that only you know, that you have shared previously with a site where you want to say, see, it's still me. I'm proving to you it's me coming back, when the site can't see you.

So the problem with all of the current solutions, even the second-factor solutions, is, like for example, the newest craze is the time-based one-time token where you get that six-digit code that changes every 30 seconds. The problem is it too is based on a secret. The site knows the key, your authenticator knows the key, and so from knowing what time of day it is they get a synchronized six digits. Again, it's better than not having it, but it still is a problem. And the biggest problem of our current system is the hacking of sites. We keep seeing sites lose their password databases, and then that's how we know how bad people's passwords are.

Yeah, and how badly hashed the company did those bad passwords.

Exactly. So SQRL is based on, it's just standard crypto. I didn't invent any cryptography, but I just kind of came up with a different way of putting it together that no one has done before. And the concept is kind of simple. Rather than sharing a secret with sites that you want to log into, it uses the concept of signatures, where you cryptographically sign something, and we understand in crypto land how to do that. We have an understanding of that. So the idea is a site where you have previously
set up your SQRL identity. In the process of logging in, it generates a never-before-seen blob of noise, a big random number, and it sends it to you and says, here, sign this to prove you're really you. And so all you do is cryptographically sign this blob of randomness and send it back. Well, the fact that that random blob has never occurred before and the site just received a valid signature of that blob proves that the person that signed it had the secret that allowed them to make that signature. But what's key is that in this process you're not giving the site any secret to keep. All it can do is verify the signature. It can't make its own, it can't sign on your behalf, it can't impersonate you, whereas if a site had your password it could impersonate you.

Yeah.

And oh, the other thing too is that this isn't an additional factor. This is all you need. The only reason we need multi-factor is that none of the factors we have are sufficiently strong. They're not strong enough.

Yeah.

And so you figure, well, we've got a bunch of weak factors, let's put them all together and make an AND connection where they all have to be right in order to prove something. With SQRL, this cryptographic signature is so strong it's all you need as your username and your password, and it replaces the whole ecosystem.

Now, if folks out there are a little confused, if you understand public key cryptography then this is all going to make sense to you. If you're a little confused and you don't understand it, we're not going to get into public key cryptography.
Steve has some excellent episodes of Security Now that can explain that for you. But think of it, and tell me, Steve, if this is accurate, think of it as the same thing that happens when you have a secure HTTPS connection. There is a public key and a private key, and your browser is just making sure, hey, is that really the site, and the site now says, yes, I am, and the browser trusts it. It's a similar situation.

Actually, it's almost identical. The idea in your example is that there's a certificate authority that has signed a certificate that the site is presenting to you, and so you know how to verify the signatures of those certificates. So in the same way, the user is dynamically signing something, that random noise that has never been presented before, and only if they have what in public key crypto is called the private key can they do that. And so, for example, if somebody catches that transaction in the network, they can't replay your signature, because a site will never use the same... it's called a cryptographic challenge, where they send you that randomness. They're challenging you to prove your identity by signing that. They will never send the same one again. So somebody snooping on your connection, whereas with a username and password they would catch your username and password and could use it all they wanted to, this is... there's only one opportunity to sign that challenge. So it closes all of these holes...

Oh, and we had a little freeze action happen. It closed all the holes except for that particular moment where Steve is going to explain it closing all the holes.
So hopefully we'll get him back here in a second. But if I could take it up for a second from you, Steve, I'm not sure if you can still hear me or not. One of the keys here is that you just need the master key locally, and it doesn't have to be an application, as I understand it. What Steve is doing is creating an app because people are used to having apps, so you could put the app on your phone, you could put it on your desktop, but you just have to have that key that you guard, and that is just yours, and it's encrypted and used so that you could have it scan a QR code, you could have it click a link, you could tap a link. And then in practice all you need is a SQRL app. It's open source, so it could be from different folks. You want to be careful who you get it from, of course. And then you'd be able to just tap that and log in. It sounds quite a bit like magic when you think of it that way. So hopefully we get Steve back here in a second. It looks like he's playing around with his camera. I don't know if the camera froze or the internet froze or what, but we'll try to get him back here in a second. The other thing, and I'll just go from Steve's notes here,
while we kill some time, is the development of this. So Steve says, even though it has been running for about 18 months... it's been in development longer than that, but they've been running actual versions of it for 18 months. "We have significantly improved it during the past 18 months, and what it has grown into in the lab far exceeds my original concept." He says, "We believe that it is done in terms of how it works and what it does. I'm now adding the install, update, remove wrapper so that it provides the application experience users have become accustomed to." And that's what I was talking about there just a second ago, is that it wouldn't have to be... you could actually have it running locally without a typical app situation, but he is putting an app wrapper on it because it just makes it easier. And that's what you need with passwords, is an easier way for people to adopt it. The reason that passwords are weak is because it's hard to manage and remember and maintain complex long passwords, so they just use one two three four five. So you have to do things that either force people to take the effort to make themselves secure, or you have to make the system easier. And what Steve's attempting to do here would be to make the system easier.

If you want to find out a little more about SQRL, you can go to Gibson Research Corporation, Steve's company, grc.com, and take a look around. It's Secure Quick Reliable Login, if you're wondering what SQRL stands for, S-Q-R-L. And it's a really, really interesting situation, and the fact that they're pretty close to being able to launch it is a very, very good thing. So, sorry, we're not going to be able to get Steve back right away, but for those of you watching the video, hang out and we'll see if we can get him back. And for those of you listening to the audio, you'll either hear me end the show with an apology or we will magically have him return.
So hang on for just a moment.

Roger, you even...

Yes, sorry, I did kick out, but I actually had one question. So I understand how the basics of SQRL work. Who keeps the master key, the user or the website?

That's a great question. I believe the user has it. The master key is never stored on the client. I think Steve will back me up on that. So you don't have to have anything stored at the server you're logging into. They just need to see your public key, same way you don't have to have anything stored for a browser to make a secure connection to a website. It's just a public key from the certificate authority and a public key from the website, and they match them up with their private keys. And again, you'd have to understand more about public key cryptography, but that is a very solid and secure...

Well, I mean, this solves a lot of the current issues, as you and Steve were discussing, with current authentication methods, especially when you come on with two-factor. I mean, Steve hit the nail on the head when he said that it's essentially a failsafe, because we know how easily passwords and logins can be usurped or taken over by other people. I mean, I get that issue right now. For some reason my login to my LogMeIn account is being passed around on some web, because every week someone from Brazil, Ukraine, China, Thailand...

When you say your login, you mean your user ID, right?

My user ID, not the password.

Not the password, just the user ID.

Is passed around, and you know, every week I get logs like, your login attempt failed.

Yeah, because they don't have the password. And I had that happen with email addresses, where the email address starts to get people logging in because they've seen the email address in one of those cracked databases out there. And it's not a person sitting down typing in my email address.
It's a script that's just going through that entire database and trying a combination of those usernames and passwords to see where they can log in.

And I think SQRL actually... it's so weird in that it's very simple. Like, it's not complex. It isn't like some weird Byzantine maze of layered, you know, algorithms and stuff. Conceptually, and this is why I think it's so compelling, conceptually it's very straightforward.

Right. There isn't a lot of stuff that the user needs to do, and there isn't a lot of stuff that the site, the holder or whatever, needs to do. I think it's pretty cool. I'm just... I think, as someone who tends to think of the worst, I'm trying to see where the cut in the chain link fence is.

Yeah, right.

And I think one of them, and this is what was going to be my next question to Steve, is the master key being unchangeable. You know, how do you handle key revocation? And I know he's got some answers to that, so I wanted to ask him about that. But you know, this idea of a single point of failure, right? One of the things about two factors is if your password gets compromised, that second factor is a backup. Now, as Steve said, the reason that that exists is because your password is likely to get compromised. So this is not likely to get compromised, so you don't need the second factor for that reason. But everything in the world that can happen will happen. So if your master key were to leak out, what is the position for that? Or if you just, you know, want to change it up because you want to do some preventative, trust-no-one kind of behavior, how does that work?
Yeah, I'm wondering if there's... I mean, you would still have two-factor, but it would be kind of a reverse system where you call to a higher authority that keeps the master key.

Well, some of that would require, you know... the account itself can ask permission to attach information to your ID. They can say, look, this is your SQRL ID, and yes, it's anonymous and we don't need to know anything about you, but would you like to associate an email address to it so we could give you a recovery option, perhaps, and associate it with a... There he is. Let's see if he comes back, and then I can hide.

Thanks for helping me fill the time.

Well, but I think, I mean, yeah, I'm really curious to know, because the master key resides with the user, not the site, the issue of updating the key at some point. Because I mean, even with that you'd still want to update it. But yeah, how would you handle that?

I mean, you could do it a couple ways. You could say, yes, associate with an email address, and then let me associate a different ID with that email address in certain cases. It's very... I really like this, and I'm not saying that because Steve's on, but I mean, because it makes a lot of sense. Very straightforward.

Yeah, and necessary. I mean, that's the other thing, is whether this is it or some other version of it or something, it's an important thing to do. Hey, Steve.

Well, that's never happened before.

So for the patrons, I've just kept going, and Roger and I were kicking around a few ideas. For the Saturday version that'll go out, I've stopped recording and I'm going to pick back up here.

Funny, because that was my UPS. It crapped out, and I realized it had happened before. When I started the day a couple days ago, my system had rebooted, and I thought, well, that's never happened, because I leave it on 24 hours.
And so the batteries have apparently given up and it's getting a little flaky. So anyway, we'll get this done, then I'll go take care of that problem.

Yeah, sorry about that. That's one of those things I hate too, and it's like, but that's my backup. All right, let me pick it up here in just a second.

Okay, so we've got Steve back. Hooray. He persevered. Thank you, Steve. And where I wanted to go next, and it's something that Roger and I have been talking about, so you have a master key stored locally with you, right? The server doesn't have it, or the places you're trying to log into don't have it.

That's correct. We call it your SQRL identity, and that's the thing that allows you to identify yourself to sites you go to. And the other thing that's cool is that it uses the website's domain as part of the key. So you have one SQRL identity, but you appear as a different pseudo-random string to every site. So there's no trackability, there's no linkability. You know, the technical term is pseudonymous. You have sort of a new identity, and then, as you choose, you can associate your SQRL identity with your existing identity. So for example, if Amazon were to support SQRL, you would say, you know, I want to connect SQRL to Amazon so I can use it to log in in the future. And so once you do that, Amazon knows that this SQRL identity is you.

Now, how do you handle loss of the master key, whether it's compromised or whether it just gets deleted, or, you know, this could be a bad single point of failure. What's the backup to that?

Correct.
So we have a bunch of things that are built into the system to solve the problem. But it is important to appreciate that either you have someone you can go crying to, or you don't. And in all of the systems we have today, there's someone you can go crying to. You can say, you know, get Amazon on the phone, or in fact there was a famous story a couple weeks ago where a bad guy got Verizon on the phone and managed to change the phone of somebody, and then that allowed them to receive their second factors and so forth. So right, this whole account recovery thing is a dilemma. And so the point is, either you are not responsible or you are. And if you are not responsible, that is, if there is some external entity that you can go crying to, well, then you open yourself to bad guys pretending to be you and crying on your behalf.

So what we've done is, with SQRL it is just you and the sites you authenticate to. There is no third party to appeal to. So when you create your identity, we walk you through the process. You're able to print out a sheet of paper which contains that identity and put it in a drawer somewhere. You're able to back up your identity to a file, and these are all encrypted. There's also something that we call the rescue code, which looks like a credit card number, but we needed a little more strength, so it's a credit card number and a half. It's 24 digits. You just write it down once, and that's sort of like your get-out-of-jail-free card. So there is all of this built into the system to help you not hurt yourself. So your identity gets backed up. There's a rescue code. If you forget the password that you use to tell SQRL you are you, then the rescue code will solve that problem.
We even have a solution which allows, if somebody stole your identity, if they did get your SQRL identity, there's a system that allows you to take it back. That is, a SQRL identity is sort of locked on a website, but there's a process for you to rekey your identity and replace it in a secure way. So it's all there, but it is a different system. I mean, everyone says they want more security, and this gives it to them. I mean, this really robustly solves the problem, but with the one caveat that you have to take a few steps in the beginning in order to protect yourself against loss. And I recognize the challenge of that, because of course I've been selling SpinRite for 30 years, and you know, the reason I've had time to develop SQRL is that there are so many people who are not backing up their hard drives. Well, I want them to back up their SQRL identity. And so I think there may be a challenge to get started, because people will initially want to just sort of play with it and then they'll start using it. Well, if in the beginning they play with it and don't take it seriously, they may not have their identity backed up. So we even, believe it or not, have a solution for that. I mean, this is why it's taken a while, to come up with a system where it's like, okay, but what about this? And so we've got a solution, I think, to every one of those questions. But there is the question: do people actually want that responsibility?
And a lot of research has suggested that, well, you know, if you give a person an ice cream cone they'll give you their password. You know, it's like, okay. But this does solve the problem.

Yeah, and I think for a lot of folks in our audience too, knowing that there is a way to take back the ID if it were to get compromised is important, even if the chances of it getting compromised are low. It's that trust-no-one approach. So if you want to learn more about that, go to grc.com and you can find it. Steve does a great job of documenting all of this stuff there. Before we go, one last thing. When do we get it? When can you start using it? When could sites start implementing it? Where are we there?

Okay, so the people in GRC's newsgroup... we have old-school network news forums, you know, the old NNTP, like Usenet, forums. There's a SQRL forum there. I've produced 89 public releases of this over the last couple years. It's been working for more than a year, but I mean, you know me, I'm a measure-12-times, cut-once person, and I recognize I don't want this thing to stumble when it comes out of the gate. So I'm working to get it right. But as far as we know, it's done. You can use it today. But for example, I'm adding the installer, updater, remover stuff, sort of the window dressing that people are used to having. On this, it does require server-side support.
That is, a website would have to decide they want to support this. The good news is all of the work is in the user side, in the so-called client. There's one running for iOS now, and that's been around for a while. I've written the one for Windows that runs also under Wine, so Linux and Mac users who have Wine emulators can use it, and there are some people working on Android clients. There's also a lot of people working on the server-side stuff. A PHP implementation is completely done and ready, and so there will be drop-in code for those sites that want to support it. And of course you don't have to use SQRL. So for example, you might only use it for your important things, where you really care about not having your identity stolen. On the flip side, though, it's so easy to use. The users... I didn't really... we didn't talk about the user experience. When you're going to a site that supports SQRL, you'll see the regular username and password, because not everyone will have it, and then there's a QR code that people are used to seeing. If you're logging in on the system where SQRL is, you just click the QR code with the mouse, and then you do get a password prompt, but that's from SQRL itself, because somebody else could have wandered by and clicked that QR code on your computer. So you want to tell SQRL you're you, and then it's able to log you into the site. The reason we use a visual QR code is if you were at your friend's house and they don't have SQRL, or more importantly, your SQRL identity is not in their computer, but it is in your phone,
you're able to scan the QR code on their monitor, and you're logged in to that site as you, without having touched the keyboard. So this is safe even in kiosk situations, or in airports, or in hotels where there could be a keystroke logger recording everything that you're doing. You're able to log in without touching the computer. So, I mean, the longer I go the more cool things I remember that we've built into this thing. So as to when, I really don't know. We're getting closer. I can only tell you we're moving in the right direction, but you know, kind of like a month or two.

Well, that's amazing. So keep an eye on grc.com, follow Steve on Twitter, and of course keep tuning in to Security Now. It's on Tuesdays at 4:30 Eastern, 1:30 Pacific, at twit.tv/sn. I follow you on Twitter, but remind me what the actual ID is.

Oh, it's @SGgrc. S-G-G-R-C, Steve Gibson, Gibson Research Corporation.

Steve, thank you so much for taking the time to chat with me.

Yeah, this is great, Tom. It's great to see you, and thanks for asking.

Absolutely. Thanks everyone for watching or listening as well, and supporting us on Patreon, patreon.com/dts. The regular show is also Monday through Friday, 4:30 p.m. Eastern, 1:30 Pacific, at dailytechnewsshow.com/live or diamondclub.tv or alphageekradio.com. We will be back again soon. Talk to you then.

Show is part of the Frog Pants network. Get more at frogpants.com.

Club hopes you have enjoyed this brover. Bye, video people.
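The challenge-signing scheme Steve describes, as an added worked example in Go; this is not code from the show or from the SQRL project. It assumes Ed25519 signatures and HMAC-SHA256 per-site key derivation, which the interview never names but the SQRL specification uses, and the `Site` type, function names and sample values are constructed for illustration. It shows the three properties discussed above: the master key never leaves the client, each domain sees an unrelated public key, and a captured signature cannot be replayed because the site consumes each challenge once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// SiteKey derives the per-site keypair from the master identity key and the
// site's domain: seed = HMAC-SHA256(master, domain). Only the public half is
// ever sent to a site, and a different domain yields an unrelated key, so two
// sites cannot link the same user's logins.
func SiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// ClientSign is the client's whole job: derive the site key and sign the
// site's challenge. The master key never leaves the caller.
func ClientSign(master []byte, domain string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKey(master, domain)
	return pub, ed25519.Sign(priv, challenge)
}

// Site holds all a SQRL-supporting server stores: public keys tied to accounts
// and challenges issued but not yet consumed. Nothing here is a secret.
type Site struct {
	Domain  string
	users   map[string]ed25519.PublicKey // hex public key -> key on file
	pending map[string]bool              // hex challenge -> still valid
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, users: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register ties a public key to an account (the "connect SQRL to Amazon" step).
func (s *Site) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// Challenge issues a fresh 32-byte nonce and remembers it so it is honoured
// exactly once.
func (s *Site) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Login consumes the challenge first (so a captured signature is worthless
// whether or not it verifies), then checks the signature against the key on
// file for the claimed identity.
func (s *Site) Login(pub ed25519.PublicKey, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !s.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key)
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return errors.New("identity not registered here")
	}
	if !ed25519.Verify(stored, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

A real client would keep `master` encrypted on disk and unlock it with the local password prompt Steve mentions; this sketch takes it as a plain byte slice.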