Phorm article extracted from www.grc.com/sn/sn-151.htm
Original article is (c) by Steve Gibson and Leo Laporte. All I've done is cut out part of the show that doesn't relate to Phorm and copyright is still retained by and credited to the original author.

------------------------------------

LEO: Let's talk about Phorms. Is it P-h-o-r-m-s?

STEVE: No "s," P-h-o-r-m.

LEO: Phorm, okay.

STEVE: Okay. So this is a company that we began discussing in overview two weeks ago that pays ISPs to have their equipment installed in the ISP's data center for the purpose of monitoring the actions of the ISP's customers and aggregating profiles for the purpose of understanding what kind of websites the customers visit. It's then an advertising networking company much like DoubleClick and so many others, which then places ads - they sell ad space on websites. And the idea is that, for example, using Google ads as we were saying two weeks ago, when you go to a page, the Google ads you see are relevant to the page you're on. What's different about the Phorm system, and there's a whole bunch, a collection of next-generation nightmare companies like this, they track the user, not the page. So they figure out, by profiling what pages you look at, they figure out and divide you into categories. And their marketing brochures talk about how they have, like, a thousand different categories that users get check-marked in. And then when you're on any website which is using ads hosted by this advertising network, you're not getting ads relevant or relative to the page, but to you because they're tracking you separately from where you go. So as I mentioned, a couple years ago Phorm began this work in '06. And they stumbled a bunch because they were trying to inject JavaScript inline into people's web pages so that when you would go to a page, the page you received from the server had actually been altered by this spy technology, for lack of a better term. I don't know, I mean, that's what it is.
They would insert code that your browser would execute. The problem is they weren't very good at it. Maybe it can't be done in a robust fashion, you know, nothing I even want to think about. But as a consequence people would find that this - they were pasting this JavaScript into Web 2.0 blog entries and things. It was like, it was leaking out and being seen. IE would hang and go into an infinite loop and had to be shut down by using Task Manager to lock it down because it would use 100 percent of the machine's resources. I mean, there's, like, all these problems. And what really annoyed people is that this was all being done surreptitiously with, I think it was BT, one of the top three ISPs in the U.K. was, like, allowing Phorm to use their customers unwittingly, causing them all these problems. So and these are also - this Phorm is a renamed company. It used to be Media something, like Media 247 or something...

LEO: I'm thinking of a bad word that I'm just not going to say.

STEVE: Anyway, so these are not good people. And back then they were doing rootkit spyware that was installing itself in people's machines, profiling them and hooking the kernel in order to hide from anyone being able to see the randomly named directories that they created. So there's just a history of badness here. Okay. So come forward to current time. Now we're in today. Phorm somehow has continued to exist and is causing a huge kerfuffle in the U.K. because the main three ISPs have been seduced by the money that they'll be able to make. The idea is, you know, ISPs would like to make some money rather than just selling bandwidth to end-users. And these other companies come along and say, hey, we'll pay you. We're going to anonymize everything we do. We're going to respect your customers' privacy. We're going to put our hardware, insert it into your network flow, and we'll pay you. Doesn't that sound like a win-win-win? And unfortunately ISPs are saying yes.
As you mentioned, Charter here in the U.S. has been made gun shy of this in the case of a partnership with NebuAd because this was really upsetting people. So what I want to talk about, the reason I warned people to bring their propeller hats, beanies, is what it is that Phorm is doing now in order to forcibly track ISP users without any JavaScript injection. JavaScript injection is the easier way to do it. But that can - people are - maybe people who listen to the podcast are disabling JavaScript. Or they've just never found a way to do it safely. Or the idea of modifying the web page that I download from CNET, you know, just really, really crosses the line. The good news is that U.K. apparently has substantially more stringent privacy guidelines than we do in the U.S. And so, I mean, there are all kinds of people getting ready to talk lawsuit here about just the idea that I go to CNET and get a page, and secretly some spy machine in my ISP is injecting code into the page I retrieve for the purpose of tracking me and profiling me over time. So Phorm came up with a solution which is amazing, amazing in how...

LEO: Increasingly awful, yeah.

STEVE: Amazingly awful. Okay, so here's how it works. I'm an ISP. I'm a customer of an ISP that has subcontracted this system with Phorm. So Phorm has installed a bunch of hardware in the ISP's facility. When I go to - and we'll just use CNET as an example. I started with that. We go to www.cnet.com. My request - oh, and let me back up a little bit, give a little quick background on cookies. This is a quick refresher. Cookies, as we know, are little tokens which are offered by servers and are then returned by the browser for subsequent queries to the same server. The server is identified by domain. So, for example, if you go to CNET.com, like with a virgin browser, it's got no cookies in it, it's never seen the Internet before, you put in the URL www.cnet.com.
The CNET server, in responding to you with a page, will include in the headers that you never see, that's not part of the page content, but it's things like the expiration time of the page, how long the page should live, and how many bytes long the page is. And there's a bunch of sort of metadata that is sent out first that helps the browser display the page. One of those things is a cookie header which is offered by the server. The browser will retain the cookie for varying lengths of time, depending upon how the browser and/or the cookie is formatted. And with subsequent requests to CNET.com the browser will - it'll look at all the cookies it has, and it remembers cookies by domain. So as it's making a request for an asset from CNET.com, it'll check to see if it has any CNET.com cookies. And, if so, it adds them to the requests and sends them back. So that's how they work. So all of that is called a "first-party cookie." A third-party cookie...

LEO: And I just might add that I don't think there's anything wrong with first-party cookies. This is really how the web works.

STEVE: I agree. I agree. And in fact it's because of the fact that there's no enduring relationship with your browser from one page to the next...

LEO: We call it "state."

STEVE: A state, right. I put in a URL, and it gives me a page. Well, then, if I put in another URL, it gives me another page. It doesn't know I'm the same person unless I hand back the token it gave me. And then it goes, oh, that's that guy, okay. And in fact that's the way you're able to log into eBay or to PayPal or to, you know, virtually anything that requires you to have some credentials. I went back to the WallStreetJournal.com yesterday to look up an article that was in there, and it said, oh, hi, Steve. And I'm thinking, isn't that nice. I mean, I'm glad it remembers me. If I went there with a different machine, I'd have to give it my username and password again.
But I told it remember me on this machine, and it did so by giving my browser a cookie, which I then send back. So for low security sorts of authentication, like staying logged in at WallStreetJournal.com, that makes a lot of sense. It's a convenience. The thing that originators at Netscape, I don't think they thought about this, I think it just sort of slipped through, is what if a website offered ads by somebody else? That is, the actual ad URL on the web page said www.doubleclick.net? Well, it turns out that the server whose domain you're on, like CNET, that's the first party. We call assets which come from other servers "third parties" because they're not - the server's the first party, I'm the second party, and this random other thing is the third party. Well, it turns out they're able to do cookies, too. In the normal configuration of browsers, third-party cookies are enabled except in the case of Safari.

LEO: I think that's because...

STEVE: [Indiscernible].

LEO: But I think that's because they're kind of seen as owning part of that page. So it's, you know, you've gone to a page, and there's - because these banners are coming from another site. It's almost as if there's a little frame on the page, and that's another site you're looking at there.

STEVE: Correct.

LEO: That's the thinking, anyway.

STEVE: Well, and so here's the problem with that is that the clever marketing guys, I mean, and these marketing guys are nothing if not clever, they realized that if they gave me a cookie, they DoubleClick, for example, gave me a cookie because an ad was displayed when I went to pull up a CNET page, the cookie that I get is for DoubleClick.net. That's the domain that the cookie's for. Well, that means if I then later go over to the WallStreetJournal.com, and The Wall Street Journal is also buying ad space from DoubleClick and displays a DoubleClick ad, my DoubleClick cookie that I received at CNET goes back to DoubleClick while I'm at the WallStreetJournal.com.
And one of the things that is part of the headers in a query, that is, when I'm sending a request to something, like when the ad is being requested from DoubleClick, the URL of the parent page is so-called the "referrer." So DoubleClick knows what I'm looking at. That is, it knows not only who I am anonymously, but from this token it knows that somebody was at CNET who was later at The Wall Street Journal and knows what articles I'm looking at and what pages I'm pulling up. And so you can see that if DoubleClick succeeded significantly so that they had ads spread all over the Internet, over time they would be able to build up a history of all the places I had been that were serving their ads.

LEO: I mean, it's not everywhere you've been. Again, just places that...

STEVE: That were serving their ads.

LEO: ...served those ads, right, right.

STEVE: Yes. But now...

LEO: Of course sites like DoubleClick, now owned by Google, are in so many places, that can be a pretty bleak picture.

STEVE: Okay. So that's the model. Now, notice that, okay, it has to use third-party cookies. Now, people who are privacy aware are turning third-party cookies off. I'm going to be coming out very strong with a facility for allowing people to verify. And I will be autonomously letting people know who come by GRC to, like, run/use ShieldsUP! or for any purpose, I'll just notify them, oh, by the way, you've got third-party cookies turned on. If you're interested in turning them off, click here, and I'll show you how to do that. Because there's just no purpose for them. They should be turned off. They're used for tracking people around the 'Net. The other problem with the profiles generated by DoubleClick is that they only have visibility into me, as you said, Leo, for all the sites who are serving ads. They don't know anything about me for all the sites I go to that are not using DoubleClick ads. Well, except there are variations on that.
For example, as we've seen when you go to PayPal, many PayPal links actually redirect you through DoubleClick. So there's another way that DoubleClick is able to access a user by actually using a redirected link.

LEO: Could you block it in other ways than by turning off third-party cookies? For instance, using a hosts file to say block DoubleClick?

STEVE: Absolutely. That would null any of the ads which were being served because your browser looks in the hosts file first. It would not get the IP address for DoubleClick. The problem is that there are side effects, like none of the PayPal links would work. You couldn't click on a DoubleClick.net PayPal link because...

LEO: And as we know now, some of those links lead to pages you need to get to. They're not just to ads.

STEVE: Right. And so it's a way of...

LEO: I think that's why they do that.

STEVE: ...enforcing that not being done.

LEO: That's why they do that.

STEVE: Okay. So now imagine...

LEO: I bet DoubleClick pays them. Now we understand why that DoubleClick referral is in there.

STEVE: Well, there's even something worse. And that's called "cross-context leakage." But I'm going to leave that for the episode where we really get in and talk about first- and third-party cookies because it's possible for browsers that do not block outbound cookies, but only block inbound - and, by the way, that's IE and Safari - it's possible for them to receive a cookie in the first party and then subsequently leak it out through the third party, even when you've got third-party cookies disabled.

LEO: Sounds like a legal document. The party of the first part just leaving cookies that the party of the third part is going to get.

STEVE: Okay. So now we understand, we've got some background for cookies. Now listen to what Phorm is doing. The only nice thing about DoubleClick is that they're relatively hands-off. They're not involved with the ISP. They have a relationship with the website that you go to.
And they have sort of a forced relationship with your browser because they're putting cookies in there, and you're displaying their ads. But, you know, they're still - they're not nearly as invasive as what we're seeing now with this next new generation of advertisers. So I'm a customer of an ISP using the Phorm system. I go to www.cnet.com. I put that URL into my browser and send a query out to the Internet. Well, my ISP receives it because that's what my ISP is there for. They're the way I get to the Internet. Equipment that has been installed by Phorm in the ISP's facility intercepts this query. And it looks to see whether my browser has a cookie that is in the CNET.com domain for something called WebWise. WebWise.net is the domain owned by Phorm. So WebWise - and if you look WebWise.net up in WhoIs, you'll see Phorm, Inc., in New York, NY, and the names of the technical and administrative contacts for Phorm. So they're intercepting my bringing up a CNET page to see whether I have a CNET cookie that they planted in the CNET domain. Now, let's take this from the beginning. So initially I would not. If there's not, if I don't have a WebWise cookie in the CNET domain, they block my access to CNET. A server steps in and - get this, Leo - pretends to be CNET.

LEO: Oh, see, that should be completely prohibited, banned.

STEVE: It pretends to be www.cnet.com...

LEO: Because it's a proxy, you can do that.

STEVE: Well, it's in the ISP's facility. It answers the connection and this query that I've made.

LEO: If I were CNET I'd be - all right.

STEVE: Oh, wait, we're just getting warmed up here. And so it responds as the CNET server and returns what's called a "307 temporary redirect." A 307 - normally when you bring up a web page you get a 200 response, 200 and, like, an okay, which is like, here's the page you asked for, no problem. A 307 response tells your browser that that URL you have asked for has been temporarily relocated to somewhere else.
It tells it that it has been relocated to WebWise.net. So the CNET request you made comes back to your browser from this intercepting server, and your ISP is saying, oh, CNET is moved. It's now WebWise.net. And then there's a - then it says /bind/ and a question mark, and then some parameters which include the original URL at CNET that you were trying to access because they have to hold onto that since they've just intercepted you and redirected you. So now your browser, not knowing anything the wiser, goes, oh, the page I want is moved. So it now makes a query to WebWise.net with this fancy thing on the end which contains the original CNET URL and parameters that you tried to access. The reason it does that is, if your browser has a WebWise.net cookie, that it will give it up. That is, that WebWise.net cookie that your browser has will then be sent along with this redirected query to WebWise.net. Once again, that's intercepted at the ISP, doesn't actually go to WebWise.net. Their server located at the ISP intercepts it and checks to see whether that redirection query contained a WebWise.net cookie. If so, they now know who you are. That is, there's a WebWise.net domain cookie on your machine if you've ever used this ISP before. So then they know who you are. If there's not a WebWise.net...

LEO: When you say "who you are," you don't just mean, oh, they've seen you in another session before. They know who you are, Steve Gibson, Leo Laporte. They know who you are.

STEVE: Well, your ISP...

LEO: Because you're their customer.

STEVE: Exactly. Your ISP knows everything about you.

LEO: Right. So they know where you live, they know your credit card number, they know who you are.

STEVE: Right. Now, there can be and probably is a hands-on relationship between your ISP and the Phorm people.

LEO: I hope so.

STEVE: But again...

LEO: But who knows?

STEVE: That's the kind of thing that changes in the fine print of the license agreement.
And then, oh, wait, you didn't read the license agreement? Okay. So now if there's not a WebWise cookie, which there would not be if you were just like, you know, Mr. Virgin, never used the Internet before, they would assign you one. That's a 128-bit pseudorandom value. So it's just a random token, but it uniquely identifies you to their system. So they respond to this, your access to WebWise.net, by again giving your browser a 307 temporary redirect response, this time back to CNET, to a special fake page at CNET. But since it's the WebWise.net pseudoserver which is serving you, if you didn't have a WebWise.net cookie, you do now. And notice that it's a first-party cookie because you went directly, your browser went to WebWise.net, requesting a resource from that URL. So it's a first-party, most privileged cookie which your browser has now received.

LEO: So unless you block all cookies, you've got it.

STEVE: Yes. So now your browser receives another redirect, a 307, from WebWise.net, telling it, oh, we were wrong, CNET turns out to be where you want to go after all. Except it's another fake page at CNET. Now your browser re-requests a CNET.com address. Because of the way it's formatted, the technology, the Phorm technology again steps in, pretends to be CNET, fakes it out, and answers the query. In that fancy URL is still hanging on there for dear life the original URL you tried to go to at CNET. And encoded is the unique ID for WebWise in this query. That allows the server, which is again for the second time pretending to be CNET even though it's not, that allows it to obtain from your CNET query the WebWise UID, unique ID, and it sets a - this is where it sets a WebWise cookie in the CNET domain because your browser thinks it's at CNET. And a server has stood in and intercepted the CNET server and is faking it out. So your browser, in getting the response back, back comes a WebWise cookie for the CNET domain containing your unique ID.
And that response is another 307 temporary redirect, finally, to the actual page you wanted to go to on CNET. So your browser receives that along with the WebWise.net cookie, which is now in the CNET domain, and makes the request to CNET. Now every time your browser brings up any CNET assets, it includes, in addition to any cookies, the real CNET cookies which CNET has given it; a WebWise cookie containing your Phorm unique ID. And so all of the work you do on the 'Net, any time your browser is making a query, there's this spy server that checks the query to see if the query contains for that domain, no matter where you're going, Apple.com, CNET, CNN, MSNBC, TWiT.tv, no matter where you go, what's happened is essentially every single site you visit is given an extra cookie. So your browser ends up filled with these WebWise cookies for every single domain you visit. And those are first-party cookies. And any query you make outbound is checked for the presence of one of these WebWise.net cookies. If it's missing, it sends you on that multiple server dance, the triple 307 temporary redirect dance, jumping you around between fake servers in order to get your WebWise cookie, in order that it can essentially migrate that over from the WebWise.net domain into the domain you're attempting to go to.

LEO: So is the whole process, the intent of the whole process just to get these cookies, these WebWise cookies on your system for every site you visit?

STEVE: Yes. That's the whole...

LEO: That's why they're doing this dance.

STEVE: That's what these people have achieved with this horrible...

LEO: And a first-party cookie, to boot.

STEVE: First-party cookie planted in the domain of every domain you visit, and one in the WebWise.net domain which is essentially replicated among all the other domains that your browser ever visits.

LEO: With your unique ID.

STEVE: With your unique ID. Now, imagine a couple things.

LEO: Now, I just - I want to say something because there's some confusion in the chatroom because you used CNET as an example. CNET has nothing to do with this. No site you visit has anything to do with this. This is Phorm doing this.

STEVE: Yes. In fact...

LEO: In fact, I'm sure CNET would hate this.

STEVE: Well, yes, because your relationship with them is being polluted by a cookie that they never set for your browser and that someone else's server is pretending to be them, giving your browser multiple redirection commands, bouncing it around URL space for the purpose of planting cookies across all the domains you visit.

LEO: Now, there are some companies that do want this because there's no value in doing this unless you can sell this information to an advertiser.

STEVE: Well, okay. So notice that what this does - okay. The other thing happening. So now imagine a query to CNET that does contain the WebWise cookie, as it will after this three-redirect dance that your browser is taken on. So now finally the result of that final third redirect is you actually - the browser is allowed to contact CNET. In the process, this system removes the WebWise cookie component from the query. So CNET does not see the WebWise cookie that is essentially - they're trying to corral it so it only stays between you and the ISP in sort of an ISP, you and ISP private dialogue. So they do remove the WebWise cookie if they can. When can't they? Well, if I take my laptop to Starbucks, and I'm on T-Mobile...

LEO: You're not using their ISP.

STEVE: I'm not using my ISP at home that was the source of this infection. So every site I visit cannot have that WebWise cookie stripped out on the fly. It goes out. And so this ID that I've been assigned is visible to every site that I visit. And that's a common ID. Normally sites give you their own ID per site. There's no aggregation.
This aggregates your identity across all the sites that you might visit because your browser has been polluted with a common cookie for every domain you've visited while you were under the influence of this Phorm-based ISP. The other instance where they are unable to strip out their cookie is over secure connection because they're not, at this point in the game - and god help us if our ISPs ever start requiring us to accept an SSL certificate as part of our agreement to use the ISP because that would allow them to intercept our secure socket connections. But at this point the whole system is blind to any secure conversations we have, any secure traffic. So any time I am using HTTPS, I am bypassing, even from my ISP, my Phorm-ridden ISP, I am bypassing that technology, and the WebWise cookie again is leaking out and is visible to any sites I'm visiting over a secure connection because there's no way that the Phorm system can filter SSL connections at this point.

LEO: So again, to underscore this, this isn't CNET doing anything. This isn't TWiT.tv doing anything. This is your ISP in collaboration with Phorm doing something to essentially track what you're doing on the Internet.

STEVE: Yes. A highly comprehensive, cross-Internet tracking.

LEO: It goes far beyond anything third-party cookies ever could do.

STEVE: Oh, yeah. Well, because, now, look what else happens. So finally my request to the real CNN page gets through because it's been - it's had this WebWise cookie embedded in the domain that my browser is carrying. When the page comes back, this system inspects the page. This system reads the page that is being sent back to me and does an analysis of it to determine what I'm interested in. So it's reading - this is where the spying really comes in, beyond identity tagging. Now it's reading everything I'm reading and building a profile of who I am and associating it with this tag which it has built up.
And over time it builds a database of it knows every page that I go to. They say they are not maintaining a record of that. What they're doing is they're scanning the page, doing some sort of semantic analysis, determining within categories, they say they have over a thousand...

LEO: They're looking for keywords.

STEVE: Yeah. Well, they have a thousand categories. And so they, like, put checkmarks in categories for people of, like, oh, this person is interested in the following sorts of things, based on their history of their Internet usage.

LEO: But that's not what this is limited to. They could do more. That just happens to be what they say they're doing.

STEVE: Well, and there again, I mean, this notion of inserting themselves in the pipeline means, well, wouldn't it be more valuable if I could also read this person's email coming and going between the ISP? You know, web, oh, that's, you know, that's really not as specific because these are those pages that have been pre-prepared. Imagine if I could read the email content of the conversations. And oh, don't worry, we're not going to save it. We're not going to keep it. We're just going to scan and analyze it, determine more about who you are. So one of the things that's different about this from DoubleClick is the level of visibility. That is, say that only one, only one company hosted ads from Phorm. Well, that one company has the advantage of all of your surfing. That is, the ad being served is about you, even if only one, only if you go to one place. Whereas DoubleClick needs to - it's only able to build up a profile based on the places you go. This system builds a profile based on everywhere you go and makes that available to any of the people who are using their ad network for advertising revenue.

LEO: Is any Internet Service Provider in the U.S. currently using Phorm?

STEVE: I don't know. The hope is...

LEO: Nobody would admit to it, probably.

STEVE: Well, I mean, this has now become a real hot potato.
Our guest in two weeks is going to give us the inside skinny on what's been going on over in the U.K.

LEO: It's illegal in the U.K., isn't it?

STEVE: Well, I mean, there are people who are really up in arms. And I'm glad. I mean, again, my role is to explain what this thing does, what the technology is. There can certainly be people who say, well, wow, I like the idea of more relevant ads. Or I like the idea of...

LEO: Well, that's the other side of this, which I was going to get into; but we've gone way over, so I don't want to get into it too much. And that's the case that, for instance, Charter was making, is all it does is give you ads about stuff you care about. What's wrong with that?

STEVE: Right.

LEO: I mean, we're not trying to steal your personal information. I guess your point is that the technology could do that.

STEVE: The technology could. And I'm concerned about drift and migration of capability.

LEO: Right.

STEVE: I would have no problem, for example, if this was an opt-in system. If you had to go to your ISP's page or a Phorm page and say hey, I'd like a $3 a month discount on my bandwidth, please. I'm happy to contribute my profiling habits on behalf of this technology in return for a discount on my bandwidth. I mean, if it were an opt-in system, that makes sense. I love that the language I read somewhere said, well, the reason we made it opt-out is that we feel that more people will be able to benefit from it than an opt-in system. What happens, of course, is that people are furious when they find out that this kind of game is being played.

LEO: Yeah, well, I'm furious already, and I'm really glad that you actually raised the issue and talked about this because this is pretty appalling. But as you say, it's not necessarily how it's used. And I think that this is why people like Charter are kind of surprised when we stand up on our hind legs and say, well, wait a minute, we don't want that.

STEVE: Yeah, this is not for us, this is for them.
This is for Charter. Charter is getting [indiscernible]...

LEO: Benefit to them, yes.

STEVE: ...from Phorm in return for letting Phorm profile us.

LEO: But their spin was totally this is to your benefit because you're going to get ads that are more targeted at you.

STEVE: And my feeling is, fine, make it opt-in.

LEO: Yeah. Simple.

STEVE: Intercept the first time I try to go to the 'Net. I mean, they have the capability of intercepting, you know, god himself. So the first time I go to the Internet, my access to CNET.com is blocked, and I get this wacky page, I go what the heck is this. And it says, hey there, we're offering a new service that will allow advertising by selected advertisers on websites to target you and serve you ads that are more specific, blah blah blah. So, I mean...

LEO: I got a big bulls-eye pointed on my forehead, that's what they mean.

STEVE: Entirely possible for them to make it an opt-in where...

LEO: Well, I love the idea they can say we'll cut five bucks off your bill every month. They're going to make a hundred bucks. But, you know, give me some.

STEVE: And I guarantee you a lot of people would say heck, yeah, I don't care about privacy, I care about my wallet. And so I don't mind that.

LEO: And we should really underscore that we are at the mercy of our ISP anyway. I mean, they see everything we do. If they - you know, the FBI put boxes in every Internet Service Provider's center years ago.

STEVE: In order to scan email.

LEO: Yeah. So the Internet Service Provider has all this information; right?

STEVE: Yup.

LEO: All right. I'm not going to get angry, and I'm going to keep my blood pressure down. Steve, thank you so much. What a great show. It was a lot of fun. Fun. I mean fun in the sense that we get to really understand, as usual on this program, a very deep and a difficult topic. You've done a great job of explaining it and of raising our awareness about it, too.

STEVE: I just - it's horrific what these guys have done.

LEO: And, you know, I don't think there's any - there's no mainstream media outlet anywhere that can explain how this works. And this is where we're really, I think, increasingly in a situation where technology has outpaced the general public's ability to understand what's being done to them. And I think we're doing a very important job getting the word out. Now, all the geeks who are listening who understand this, now you need to figure out a way to explain it to your friends and family and to stand up to your Internet Service Providers and let them know this is not something we want.

STEVE: Yeah. The good news is there does seem to be a lot of outrage that this is causing. It's certainly causing the ISPs to back off and, you know, rethink that this is - oh, look, it's free money. No.

LEO: Right. It isn't free money. We're going to get the money out of them in one way or the other. Make them let us have the choice, I guess is the idea. Hey, if you want 16KB versions of this show - I know some people say, oh, the audio quality's good, but it's big, I'm on dialup. We have listeners all over the world, many of whom don't have the high speed that you might want for the large version. We do have a small version. It's available at Steve's site, GRC.com. You can go there and download that. He also has transcripts. And I think on a show like this it's very helpful to be able to read along as Steve's talking. You can find transcripts, the 16KB version, complete show notes, and of course SpinRite, Steve's bread and butter, his ultimate disk recovery and maintenance utility. It's all at GRC.com. And Wizmo, too. How would you find Wizmo? You just go to the front page there, Steve, is that...

STEVE: Yeah, GRC has now a really nice sitewide menu, you may remember, that does not use any scripting. And so under - I'm not even sure where it is now. But it's right there under the top-level menu, under freeware and utilities, is Wizmo. And that'll get you there.
And I'll remind people who are inspired to send in a question or write for next week's Q&A, by all means, please do, GRC.com/feedback. And I will read your stuff, and we'll do 12 questions next week.

LEO: That'll be a lot of fun. And that way we get a little more variety. We've spent a lot of time with Phorm. And we're not done with this topic, I think.

STEVE: Nope. I think, well, clearly people are passionate enough. I think it'll be fun to talk with a Phorm world insider who has been, I mean, who is rapidly anti-Phorm. We're going to do that in two weeks.

LEO: Good. All right, Steve Gibson. Thank you very much. Thank you all for being here. A little side note, you can also watch us do this show live if you're so inclined. We record on Tuesdays at 11:00 a.m. Pacific - that's 2:00 p.m. Eastern time, or 18:00 UTC - at TWiTLive.tv. And everybody was saying, Steve, in the chatroom, as you were talking, they loved watching you because you gesticulate with your hands. They said it's actually easier to understand Steve because you can see his thought process. You can see how he's working. And they really enjoyed it. So I thank you for allowing us to do the video. I think it's really great. They want to know if you're Italian.

STEVE: We figured out - there is some Italian in there, yeah. We figured out a way to do video and audio both over separate Skype channels.

LEO: And the audio quality is great. We're back to our usual audio quality. I think that's really what's most important, yeah, because most people listen to it in audio. But, you know, there are around 3,000 people who are watching and enjoying your performance, your bravissimo performance every Tuesday on TWiTLive.tv. Thank you, Steve. We'll talk to you again next week.

STEVE: Thanks, Leo.

Copyright (c) 2008 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5.
See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/.