SN 1041: Covering All the Bases - SHAKEN Networks, Uncontrollable AI, and Robocall Reckoning

[00:00:00] It's time for Security Now. I know you look forward to it. It's a listener question episode. Yes, we'll cover some of the news, including breaking news about the Google monopoly lawsuit and a big birthday celebration and a very positive review from a few years back. Steve will celebrate next on Security Now. Podcasts you love. From people you trust.

[00:00:28] This is TWIT. This is Security Now with Steve Gibson, episode 1041, recorded Tuesday, September 2nd, 2025. Covering all the bases.

[00:00:45] It's time for Security Now, the show we protect you. Well, I don't do anything. I sit here and listen while Steve Gibson protects you and your hardware, your software and your Internet and your privacy and all that stuff. The man of the hour, Mr. Steve Gibson. Hi, Steve. Steve Gibson, Hi, Leo. It's great to be with you. Okay. So yes, I don't protect everyone. I do what I can to help everybody. You give us the information we need to do it for ourselves, which is the best. Yes.

[00:01:15] We have a great podcast. I know I've been saying that a lot lately. I think they maybe have been a little better than usual. I think after, you know, the first thousand, as I've said, we kind of have the hang of it. No big news overwhelmed the week. So I also so I wanted to take the opportunity to spend a little more time than I have been recently with our listeners feedback.

[00:01:40] So about half of the podcast is that because there was so much interesting, good stuff, some some corrections of things I had said before, some some additional information on topic. So lots of good stuff there. Also, some interesting news and one big event that I thought would be fun to spend a little time on, which is the picture of the week event.

[00:02:04] So as a consequence, I just called this podcast number one thousand forty one covering all the bases since it's just a potpourri of interesting security and privacy related stuff. So I could call it the world's greatest toy, but we'll save that for the picture of the week. I thought that was well now. Yes, the world's greatest toy without any context, without any context, that could be dangerous.

[00:02:31] So what is it? We're digital. The world's greatest digital toy, I would say. It's a pretty good toy generally in every possible respect. Indeed, it is. Yes. All right. And some sci fi and a lot of good stuff coming up. I'm excited. Lots of interesting news stuff. All right. So we will get to that and the world's greatest toy, our picture of the week in just a bit.

[00:02:59] But first, a word from our sponsor, if you don't mind, and the good folks at Acronis. And we certainly talk about the Acronis Threat Research Unit from time to time. They do such good work. You deserve, you IT professional, you. You deserve fewer headaches in your life, right? Who doesn't? Nowadays, even something as simple as watching TV can be a headache when your favorite shows are scattered across all the different streaming services. And they keep moving around. It's impossible to find one place where it has everything you need.

[00:03:29] And that kind of is true with cybersecurity, or is it? Acronis is taking the headache out of cybersecurity with a natively integrated platform that offers comprehensive cyber protection in a single console. And if you want to know what's happening in cybersecurity, nobody better than the Acronis Threat Research Unit, or TRU. That's the place to go. It's your one-stop source for cybersecurity research.

[00:03:55] TRU also helps MSPs stop threats before they can damage you or your client's organization. And that's kind of part of your job. That's a good thing to have some help with, right? Acronis' Threat Research Unit, the TRU, is a dedicated unit composed of experienced cybersecurity experts. Imagine, you lie a team of Steve Gibsons, including cross-functional experts in cybersecurity and AI and threat intelligence. TRU conducts deep, intelligence-driven research into emerging cyber threats,

[00:04:24] proactively manages cyber risks, and responds to incidents. And provides security best practices to assist IT teams in building robust security frameworks. It's like having the aid team backing you up. They also offer threat intelligence reports, custom security recommendations, even educational workshops. Whether you're an MSP looking to protect your clients, or you need to safeguard data in your own organization, Acronis has what you need.

[00:04:51] And it's all there in Acronis' Cyber Protect Cloud. You get EDR, XDR, remote monitoring and managing, managed detection and response, email security, Microsoft 365 security, even security awareness training. And it's all available in a single platform with a single point of control for everything, which makes it easy to deploy and manage. If managing cybersecurity gives you a headache, it's time to check out Acronis.

[00:05:19] Now you can know what's going on in the cybersecurity world by visiting go.acronis.com slash twit. And take the headache out of cybersecurity. That's go.acronis.com slash twit. A-C-R-O-N-I-S. Go.acronis.com slash twit. We thank you so much for their support of security now. Time for a toy. And I realized that what I normally do, I've skipped over,

[00:05:46] which is to sort of run through a quick enumeration of coming attractions. That's okay. I mean, I was ready. I was ready to jump to the ad. Do you want to do it now? Well, I just, I was, I was saying, okay, our listeners might want to know that we've got, we're going to talk about the enforcement of the shaken and stir telecom protocols, the inherent dangers of consolidating authentication. Look at the question of whether AI can even be controlled.

[00:06:16] And that Vivaldi says a big no to AI enhanced web browsers. We now know how WhatsApp figured into Apple's recent zero day attacks that we talked about. You know, we talked about the update, the emergency update last week. Also, we've had an instance now of leveraging AI as an attack aid, and it's creepy. Also, news on the latest TransUnion breach. Two scummy websites sue the UK.

[00:06:47] Good luck with that. Over age requirement that they're enforcing with their online safety act. Open SSH has decided to remind its users to adopt post-quantum crypto. The DOD, the U.S. Department of Defense, was found to be using open source, which is being maintained by a Russian. What could possibly go wrong with that? Oh, my God. And after, as you mentioned, a bunch of great feedback from our listeners,

[00:07:16] we've got a little bit of sci-fi news from one of our favorite authors, the Frontiers Saga, and how his relationship, Leo, with Amazon has soured much as yours apparently has. So, anyway, I think, as I said, a great podcast for our listeners. Which brings us to our toy. Our first topic, our favorite toy. And it probably is at this point, especially as you get older.

[00:07:45] Our picture of the week is, I gave this the topic 50 years ago. Literally, it was 50 years ago this month, now that we're in September of 2025, issue number one of Byte Magazine declares computers the world's greatest toy. Yes. And I got a kick out of the fact that it was $1.50 for, you know. That was probably expensive in 1975. Probably was. Yeah, you were paying your dues.

[00:08:14] Mad Magazine was 35 cents, so I think it was. Yeah. Although, when you consider the quality of the information. Anyway, 1975. So, I was two years out of high school at that point. I was just going into college myself. I was a junior. Yes, right. The cover says, which microprocessor for you? Because back then, no one had really, you know, settled on any particular thing. Cassette interface. Cassette interface.

[00:08:41] Your key to inexpensive bulk memory. Assembling your assembler. Can you use surplus keyboards? You bet you can. And then finally. I have a whole drawer now of surplus keyboards. Well, and by these, we mean like some weird keyboard from a radar set. It's from wide terminals and stuff. Yeah, exactly. For like, what the hell? This doesn't even have all the ASCII characters on it.

[00:09:10] And then it finishes by saying, by declaring computers in all caps, the world's greatest toy. So, you got to remember, 75, this is before the Apple II. This is before anything. This is when microcomputers are first starting. Yes. In fact, it's such an interesting walk for those of us who are around our age, Leo.

[00:09:35] I think it's really worth taking a look inside the inaugural issue, which we're able to thanks to the Internet's archive. Well, I wanted to show you there's many places you can get by magazines, including the Internet Archive. But my favorite now is somebody's put these online. Let me go back to the website. This is a visual archive of all the byte covers.

[00:10:00] If you zoom in, you can actually see the contents resolving themselves. But what I like about it is it has a regular expression search. Oh. So, for instance, I can look for Leo Laporte. Wow. And it says no matches. Well, let me try that again because I know there's a match. Oh, well, maybe not. There was a match the last time I did this. What happens if you look for Spinrite? Oh, yeah. Let's see.

[00:10:28] The first article I wrote for a byte was in 1984. There's something wrong with this site because I know Spinrite. Let's try it again. Spinrite. Spinrite. Ah, yeah. There's something wrong with the site, unfortunately. But I know Spinrite's in there. And you probably could search through it in an archive and find it faster as well. It's pretty cool.

[00:10:50] This is really anybody who's interested in the history of technology should absolutely take advantage of these various archives. So, it's incredible. Even in this first issue, you'll find, among other tips, tips for desoldering multi-legged integrated circuits from a circuit board because, you know, they were rare back then. That happens.

[00:11:14] You might need to repurpose that 2102 Intel 1K dynamic RAM chip. 1K bit, sorry. Not even bytes. They talk about how to decipher the wiring of a random surplus keyboard to use it for the computer that, of course, you are building around 1975. How to choose the right microprocessor family for that computer.

[00:11:41] They've got a kit for building a working system. A tutorial on how asynchronous serial data communications is formatted. The fundamentals of assemblers and how to take the first steps toward writing your own assembler for the chip that you chose two pages earlier in the book.

[00:12:02] We find an article even back then on coding strategies for implementing John Horton Conway's famous Game of Life. Oh, the Game of Life. Yeah. There's also some great material titled What is Byte? I mean, this is the inaugural issue. So, like they're saying, you know, basically that that talks about what is a byte and why they named themselves byte and how it started.

[00:12:28] Along with a request for contributions to this, you know, nascent magazine. I mean, it's just happening. This is so long ago. Jerry Pornell wasn't even writing for it yet. Correct. Eventually, the Chaos Manor column became a must read. Steve's CRC is a library. And did you write for Byte as well? Did not write for Byte. Yeah. You wrote for Infoworld.

[00:12:54] Then, for example, hobbyist mass storage, mass storage was pure fantasy. Yeah. So, you know, you got to love the inaugural issues description of a cassette of implementing your own cassette interface where it talks about frequency shift keying in order to to store differing tones on an audio cassette tape. Because it was an audio medium. So, you had to turn bits into it.

[00:13:20] It was basically you were creating a modem for that you would use to dump your program out of your solid state memory. Because, you know, I mean, core existed, but hobbyists didn't have core memory. No. You know, we had only a little bit of. Well, there was RAM. I mean, these devices had RAM in them, like the Mitz Altair. That's.

[00:13:45] Anyway, it says describing it as your key to inexpensive bulk memory. And, of course, the early kit machines of the time often supported cassette IO. And that was also built into the Apple II machines. Mm-hmm. So. And the Atari. I used a cassette interface to load and save programs from my old Atari. Now, of course, the lack of mass storage did not. Stay that way for long.

[00:14:10] 13 years later, we all owned PCs with hard drives. I know that because after launching that first issue, Byte grew into the PC industry's magazine of record. I mean, it was that one. So when, 13 years later, Byte's November 1988 issue reviewed Spinrite with, frankly, gushing praise. It ended.

[00:14:40] The review ended with the sentence, Spinrite is what the word must was invented for. I mean, and then two months later, they awarded, Byte awarded Spinrite the 1989 Award of Distinction. And, of course, because of what Byte magazine was then, it really put Spinrite on the map.

[00:15:03] Anyway, Byte's perfectly timed inception in 1975, which, again, 50 years ago to this month. It was triggered by the realization that individuals, not only huge corporations, could own and use their own stored program computers.

[00:15:26] And, you know, I think it's astonishing today, Leo, 50 years later, we're now holding conversational dialogues with these machines that are virtually indistinguishable from living human beings. And it is easy to forget that it is all still just a big pile of transistors. You know, what's amazing is that the Spinrite interface looks exactly the same.

[00:15:55] Yes, just as GRC's website looks exactly. I'm just teasing you. But, yeah, we've come a long, long, long way. Rich Grand's review of Spinrite says, I ran Spinrite on an EverX 38620's internal 30 megabyte hard disk drive. Wow. He was pretty wealthy to have a 30 megabyte drive back then. That was something. That was a fancy system.

[00:16:22] Well, and remember, we were taking 20, there was a 20 megabyte drive, which could actually handle RLL. So you got 50% more storage. And that was part of Steve's dream machine that I had developed over at InfoWorld at the same time. Anyway, I created a GRC shortcut for our listeners to that first inaugural issue, which is, again, it is really worth flipping through the pages.

[00:16:48] If you go to grc.sc slash byte, B-Y-T-E, that will bounce your browser to the Internet Archive's page-turning display, where it's easy just to flip through the pages of that first byte. You know, the ads are interesting. You know, they've got an open frame power supply on page four or something for, you know, because you've got to have one of those. I mean, it's just great. And I thought, wow, 50 years, Leo. Amazing.

[00:17:18] You know, the podcast has been here for 20 of those 50. So for a couple of times. You put it that way. It's a good point. Holy cow. Yeah. Yeah. So, wow. And for you youngsters who weren't born in 75, take a look at what your elders were doing. Because grc.sc slash byte will take you to that first issue. Very cool. It's a kick. It is.

[00:17:47] I think it's good for young people to read these stories. It really is. And, you know, here's asynchronous serial communications. Nothing has changed. That's the other kind of spooky thing. Is it, it's odd how, like the, the assembling your own assembler, the, the, you know, you still, sometimes you have to desolder a chip. Well, here's how to do that. Back in 1975. That hasn't changed. Yeah. Yeah.

[00:18:12] But, but, but, but, but, but asynchronous communications has not changed since then. That's the way RS-232 still operates. So, and it's one of the points that I've wanted to make about the early episodes of this podcast. When we talk about how processors work, how the internet works, all of those early episodes where we were doing a lot of tutorial stuff. It's 100% relevant today.

[00:18:36] So, anyway, several years ago, we spent some time examining the development and presence of the so-called shaken and stir protocols. The obvious naming follows from Ian Fleming's James Bond character, who preferred to have their preparers of his martinis shake them and not stir them.

[00:19:01] I'm, I'm a neophyte on the martini front, so I can't tell you what the difference might be, but the stir protocol existed first as a means of authenticating the originators of VOIP, voice over IP connections. Stir stands for secure telephone identity revisited. Again, they were, you know, stretching to get these acronyms to work.

[00:19:30] So, stir, secure telephone identity revisited. It's specified in a series of four RFC standards documents by an IETF working group. And it functions by attaching a digital certificate, and we all know what those are now, to the SIP, the session initiation protocol. And boy, I wonder if SIP is meant to be like part of this martini. Oh, I never thought of that.

[00:20:00] I never did either until I was just looking at that. Maybe they're trying. Wow, that's going back. Anyway, so it, so the stir attaches a digital certificate to the SIP session initiation protocol information, which is used to initiate and route calls in VOIP systems. The problem for authentication is that not everyone or not everything is VOIP.

[00:20:29] Specifically, the bulk of especially early telephony was all just switched network, which, you know, stayed within the telephone system network, which had nothing to do with IP, at least at the subscriber interface.

[00:20:44] So, if authentication of a caller was desired, it would be necessary to somehow retrofit something like the stir protocol for VOIP onto non-VOIP connections. Already having stir and knowing of James Bond, the designers of this second protocol had little choice other than to somehow arrange to name it SHAKEN.

[00:21:12] Unfortunately, not all acronyms go willingly. And this one put up a fight. The designers figured that SHAKEN had to stand for something. So, what we got was secure base. I'm sorry. Signature based. There's the S. Handling H. Of asserted. We got the A now. Now, we have a problem with the Ken.

[00:21:37] So, we're going to go signature based handling of asserted information using tokens. Oh, please. Yeah, it's not inspired, but it works. Oh, my. Okay.

[00:21:53] So, together, SHAKEN and STIR, add something our telephony system has never, what was never designed to provide, which is a practical mechanism to provide verified information about the calling party as well as the origin of the call.

[00:22:11] Giving service providers the tools needed to sign and verify calling numbers makes it possible for businesses and consumers to know before answering what the calls, you know, that the calls that they're receiving are coming from legitimate parties.

[00:22:30] However, everyone familiar with the subject of this podcast knows the difficulties that arise when we attempt to retrofit security onto a system that wasn't designed to accommodate it and which works even if you don't. Creating the specifications and the implementation is only at the start of the battle, right? Getting everyone to adopt it generally turns out to be the much heavier lift.

[00:22:59] And so, it has been for the adoption of these caller identifying standards. There's no benefit to the carrier because the ultimate consequence of strong caller authentication will be the end of call spoofing and robocalling, which are sources of revenue for the carriers. So, they're not in a big hurry to shut all that down, although it's driving their subscribers bonkers.

[00:23:27] You know, I finally had to suspend my two landlines because no one ever called me that I knew it was all just garbage calls, which was just infuriating because I knew that didn't have to be that way.

[00:23:40] After many years of waiting for the adoption of stir and shaken, four years ago in June of 2021, the U.S. Federal Communications Commission, our FCC, began requiring large carriers to use the protocols.

[00:23:58] And Canada's Canadian Radio, Television and Telecommunications Commission, their equivalent, which is the CRTC, has required the use of the protocols ever since November 30th of 2021. So, a few months later. What was the result? Not much. No one seemed to care. It's always a pain to make any changes. And no one in the Biden administration's FCC appeared to care enough to force the issue.

[00:24:28] We're talking about this today because, perhaps not surprisingly, the Trump administration's FCC is taking a somewhat different approach. Last Thursday, the FCC, get this, terminated more than 1,200 voice service providers from the U.S. telephone network for their failure to deploy robocall mitigations.

[00:24:57] Perhaps, you know, that order from 2021, which is now more than four years old, should have been taken a little more seriously. The text of the order, which I found and reviewed, is quite clear. At one point, it states, removal of a company's certification requires all intermediate providers and voice service providers to cease accepting all calls directly from the company.

[00:25:25] No telephone network for you. That 1,200 number is nearly half of the 2,411 voice providers the FCC notified and ordered last year to become compliant. So, again, they've, like, had several warnings and, like, this is it or else? We're serious this time? No, really? We mean it now? No. Like, this is it. Please take us seriously. That was in the summer of 2021.

[00:25:55] Nothing happened back then. And they renewed that last year. So, I imagine that last year's refresh of the requirement was just as ignored as the previous ones and considered to be just more saber-rattling. But not today's FCC. There's a new sheriff in town.

[00:26:14] So, since last Thursday, I would imagine that any companies of those 1,200 that don't just want to give up and go away, maybe, like, all of their business is about crap that nobody wants to receive.

[00:26:31] They're scurrying to implement the, you know, stir and shaken protocols, scrambling to add the required support to their network so that they can get back on with, you know, into the rest of the phone network.

[00:26:46] But in the meantime, since they are unable to provide service into the U.S. telephony networks, any legitimate customers they may have are likely abandoning them in droves and switching to providers that have remained connected, those that responsibly implemented this protocol so that these unwanted calls can be identified and controlled.

[00:27:09] The near-term upshot of the fact that Trump's FCC is willing to do what's necessary is that the U.S. telephone network may finally get itself cleaned up. And that will be a huge win for all of its users. I think this has been long overdue. So, bravo. Yeah, it was scheduled as a slow rollout. So, they initially did it for companies of the largest companies. And then it was a stepped rollout for the smallest companies. And now we're at that final stage.

[00:27:38] Where these are the very smallest of, as you can see, I mean, there's 2,411 voice providers. It's not like AT&T. Yeah. AT&T went along with it early on. But obviously, you have to get all of them because the spammers will just move to whoever still can get away without the verification. So, I'm glad this has finally happened. I was wondering how, you know, when this was going to finally take place. I don't want to interrupt, but there is a breaking story that we probably should cover.

[00:28:06] Well, it's been nearly a year since Judge Mehta ruled that Google was a monopoly. He said at that time that he was going to put out his judgment on the penalties by the end of August. Well, it's a little past the end of August. But today, Judge Mehta did rule the penalty phase of the Google versus the U.S. Department of Justice lawsuit that Google lost last year.

[00:28:34] And the news is, I think, fairly good for Google. One of the Justice Department was asking for, as you remember, things like Google being forced to sell its browser or even Android. The judge said Google will not be required to divest Chrome, nor will the court include a contingent divestiture of the Android operating system in the final judgment. Judge Ahmed Mehta said plaintiffs overreached.

[00:28:58] That's the Department of Justice in seeking forced divestiture of these key assets, which Google did not use to affect any illegal restraints. Furthermore, they can continue to pay the estimated $20 billion a year they spend to Apple and many millions to Mozilla and to Samsung to preload products or to preload the Google search engine.

[00:29:22] In fact, the only thing Google has to stop is the practice of compelled syndication, which is making deals with companies to ensure the search engine is the default choice. I don't I'm unclear on this and we'll have to get more details whether that means they stop paying Apple. I don't think it does because I don't think it's compelled. Right. I think it's just a payment.

[00:29:48] The real issue was Android handset manufacturers who were using the free operating system. But then Google said, but if you want to have the Google store on there, you've got to be put Chrome on there and you've got to use our search engine. So they were tying search. There was time. Exactly. I see. Right. I think that that's I suspect, but I'll have to get more details. This just literally just came in 20 minutes ago. So this is not even that long. 15. Breaking news on security. So now we've been waiting.

[00:30:17] We knew that this this this penalty phase had ended. Now Google has said that they would appeal. But I think based on their success in this, it seems that they may just settle. In fact, the stock market is giving them a big reward of four percent increase in Alphabet's stock. Google will not. OK, here's the further information. Google would not be barred from making payments or offering other consideration to distribution partners for preloading or placement of Google search Chrome or its Gen AI products.

[00:30:46] The judge said cutting off payments from Google would impose substantial, in some case, crippling downstream harms to distribution partners. That's true. Firefox Mozilla says if we don't get that payment, we've got no company. So that he made the right decision. In fact, it sounds like he did the right things. No, Google says we're going to appeal anyway, because as long as it's being appealed, nothing will happen. And that probably is what they want. So I think really a success.

[00:31:15] Oh, you mean as long as it's in appeal, then no change will have changes. Right. So they figure, well, we might as well continue to appeal this. So in a sense, I think a victory for Google, given that was ruled a monopoly, the limitations there that the judge decided to put on Google were as minimal as they could possibly be. Anyway, sorry to interrupt, but I know that everybody's been watching with interest on this story. And so the other shoe has dropped. On we go.

[00:31:44] So last week, we learned that a firm we've not talked about before called Sales Loft, which is a sales AI and automation platform, was breached by hackers. Unfortunately, the breach of Sales Loft created an opportunity for hackers to pivot to its customers' sales force accounts.

[00:32:11] This enabled the attackers to harvest Salesforce data from those accounts and other credentials and to then pivot to other cloud platforms. Google says the attackers pivoted to Salesforce using OAuth tokens from the Sales Loft AI chat agent, after which Sales Loft revoked all Drift Salesforce connections and asked their customers to re-authenticate and reconnect their apps.

[00:32:41] The industry subsequently learned that the hack was larger than was initially believed, with the attackers who pivoted from Sales Loft's network into Salesforce accounts also pivoting to Google Workspace, Slack, and Pardot integrations.

[00:32:59] One of the consequences of the convenience of centralized authentication and credential reuse is, you know, and what do we preach here with our browser extensions, our password managers, is do not reuse your credentials, right? Unique password for every site. That's the whole point. Unique password for every site. But we're not really following our own advice here because of the way we're using OAuth today.

[00:33:27] As I said, one of the consequences of the convenience of centralized authentication and credential reuse is all of this so-called pivoting that winds up being immediately enabled. When I went over to the Pardot website, for example, I was presented with a login with Salesforce screen.

[00:33:47] So when attackers obtained sales lofts customers' Salesforce OAuth tokens, they were immediately able to reuse those stolen tokens to log into many other services that would accept Salesforce's authentication.

[00:34:06] Anytime we're being presented with the convenience of login with Google or login with Facebook or any of the other major identity providers, it's worth remembering that a compromise of that single credential potentially compromises our authentication at all of the other sites that know us that way. That's a problem.

[00:34:30] Yes. Again, this is not the first time we've talked about that, but it's worth a refresh, I think. It's nearly always the case that convenience brings some non-obvious risks. And here's another one. Yeah, it's convenient to be able to just reuse my Google authentication or my Facebook identity, but if that's ever compromised, it's not just Facebook that you lose control of.

[00:34:58] It's everybody who knows you through your Facebook ID. And that's what happened here. Wow. So after our next break, Leo, we're going to look at the question of can we control AI? And I have an interesting perspective that I think might be useful. Good. I look forward to it. You're watching Security Now with Mr. Steve Gibson, our show, this portion of our show brought to you by ThreatLocker.

[00:35:25] If you listen to this show at all, you know we need help out there in the real world. Ransomware is killing businesses worldwide. ThreatLocker can prevent you from becoming the next victim. ThreatLocker's zero-trust platform, that's the key, takes a proactive, and here are the three words you want to hear, deny-by-default approach. Deny-by-default blocks every unauthorized action.

[00:35:50] Every action you have not explicitly authorized, protecting you from both known and unknown threats. Zero days can't get through because you didn't authorize that. Trusted by global enterprises like JetBlue and the Port of Vancouver, ThreatLocker shields you from zero-day exploits and supply chain attacks while providing complete audit trails for compliance. As more cybercriminals turn to malvertising, you're going to need more than just traditional security tools.

[00:36:16] Attackers are creating convincing fake websites, impersonating popular brands like AI tools and software applications, distributed through social media ads and hijacked accounts. Then, they use legitimate ad networks to deliver malware, affecting anyone who browses on work systems. Traditional security tools often miss these attacks because they use file-less payloads that run in memory and exploit trusted services that bypass typical filters.

[00:36:42] ThreatLocker's innovative ring-fencing technology strengthens endpoint defense by controlling what applications and scripts can access or execute, containing potential threats even if malicious ads successfully reach the device. ThreatLocker works across all industries. It supports Mac PCs and more, provides 24-7 U.S.-based support, and enables comprehensive visibility and control.

[00:37:07] Just ask Jack Senesap, director of IT infrastructure and security at Redner's Market. Jack says, quote, when it comes to ThreatLocker, the team stands by their product. ThreatLocker's onboarding phase was very good, a very good experience, and they were very hands-on. ThreatLocker was able to help me and guide me to where I am in our environment today, end quote. Get unprecedented protection quickly and easily and cost-effectively with ThreatLocker.

[00:37:33] ThreatLocker. Visit ThreatLocker.com slash twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's ThreatLocker.com slash twit. I have to warn you, though, you're going to install this, and you're not going to want to ever uninstall it. It's that good. So give it a try. ThreatLocker.com slash twit. ThreatLocker.com slash twit. We thank you so much for supporting Steve's work here at Security Now.

[00:38:02] Steve's a guy who told me about Zero Trust first before anyone else. On we go, sir. Okay. So I first want to share – we're going to talk about the question, can we control AI? I first want to share the opening of a much longer Reuters news agency piece they published last Friday. Oh, that's going to be so mad. Yes. Then I want to return to one of my thoughts about AI.

[00:38:29] So Reuters wrote, August 29, Reuters. Meta has appropriated the names and likenesses of celebrities, including Taylor Swift, Scarlett Johansson, Anne Hathaway, and Selena Gomez, to create dozens of flirty social media chatbots without their permission, Reuters has found.

[00:38:50] While many were created by users with a meta tool for building chatbots, Reuters discovered that a meta employee had produced at least three, including two Taylor Swift parody bots. Reuters also found that meta had allowed users to create publicly available chatbots of child celebrities, including Walker Schobell, a 16-year-old film star.

[00:39:16] Asked for a picture of the teen actor at the beach, the bot produced a lifelike shirtless image, writing beneath the picture, pretty cute, huh? All of the virtual celebrities have been shared on Meta's Facebook, Instagram, and WhatsApp platforms. In several weeks of Reuters testing to observe the bots' behavior, the avatars often insisted they were the real actors and artists.

[00:39:43] The bots routinely made sexual advances, often inviting a test user for meetups. Some of the AI-generated celebrity content was particularly risque. Asked for intimate pictures of themselves, the adult chatbots produced photorealistic images of their namesakes posing in bathtubs or dressed in lingerie with their legs spread.

[00:40:08] Meta spokesman Andy Stone told Reuters that Meta's AI tools should not have created intimate images of the famous adults or any pictures of child celebrities. He also blamed Meta's production of images of female celebrities wearing lingerie on failures of the company's enforcement of its own policies, which prohibit such content. Anyway, the article goes on at much greater length, but everyone gets the idea.

[00:40:37] Over the course of the past year, I've invested some time studying the operation of large language model generative conversational AI. And I've been using them continuously while watching and marveling at their output, which to me remains astonishing.

[00:40:56] That Reuters piece brings me back to a feeling I've expressed here before, which is that the nature of the way AI generates its output to me means that it is inherently uncontrollable. Which explains why the AI industry is having so much difficulty controlling it.

[00:41:20] The information that is acquired, stored, and modeled within a large language model is almost stored holographically, with no single fact residing in any one place. So it's not possible to pluck it out from the hole. In struggling to find a useful analogy, the classic photographic hologram came to mind.

[00:41:45] What I recall about a hologram is that it's not possible to readily edit its image contents because every part of the image is stored everywhere else. Each small region of a hologram contains information about the entire scene, though with proportionally less detail.

[00:42:06] So if, for example, we were to cut a hologram in half, each half would still depict the entire scene, albeit with lower resolution and with a reduced field of view, like looking through only part of a window. This is very much the way large language models store their information.

[00:42:27] The other inherent problem with what we want when we say that we want to control an AI is that the boundaries between what we would consider acceptable and unacceptable are beyond blurry and fuzzy. We may be able to make a go-no-go determination, but how do we describe it?

[00:42:50] U.S. Supreme Court Justice Potter Stewart was unable to define what was and was not pornographic and was finally reduced to saying, I may not be able to define it, but I know it when I see it. So on the one hand, it's unclear how we even describe to an AI what it is and is not allowed to produce. And even if we could, it's not at all clear to me how we edit a hologram.

[00:43:19] Which is, I think, a very good analogy for the way information is stored inside of a large language model, having taken some time to look at the way they are trained. I just think, Leo, that it is, you know, I've talked about like maybe having another AI look at the output of the main AI before its output is made public.

[00:43:45] I just like, it's just seems so difficult to me. I mean, I get how hard a problem it is to edit it. It's very much like telling the AI, okay, don't say anything that's wrong. Well, it's been trained on a whole bunch of wrong stuff. So it doesn't know what's right or wrong. I mean, it doesn't know, you know, anything. It's just producing content based on the way it's been trained.

[00:44:14] So, I mean, I agree with you. What Reuters uncovered is, frankly, it's not surprising, but it is very disturbing. And speaking of AI, last Thursday, the Vivaldi browser folks took an interesting stand on the issue of AI permeating the web browsing space and their feelings about that.

[00:44:40] Their post was titled, Vivaldi takes a stand. Keep browsing human. And, you know, that was followed by their teaser intro, which read, Browsing should push you to explore, chase ideas, and make your own decisions. It should light up your brain. Vivaldi is taking a stand.

[00:45:02] We choose humans over hype, and we will not turn the joy of exploring into inactive spectatorship. Whoa, no AI for you. So here's what they wrote. They said, just like society, the web moves forward when people think, compare, and discover for themselves. Vivaldi believes the act of browsing is an active one.

[00:45:28] It is about seeking, questioning, and making up your own mind. Across the industry, artificial assistants are being embedded directly into browsers and pitched as a quicker path to answers. Google is bringing Gemini into Chrome to summarize pages and, in future, work across tabs and navigate sites on a user's behalf.

[00:45:53] Microsoft is promoting Edge as an AI browser, including new modes that scan what's on screen and anticipate user actions. These moves are reshaping the address bar into an assistant prompt, turning the joy of exploring into inactive spectatorship. This shift has major consequences for the web as we know it.

[00:46:20] Independent research shows users are less likely to click through to original sources when an AI summary is present, which means fewer visits for publishers, creators, and communities that keep the web vibrant. A recent study by Pew Research found users clicked traditional results roughly half as often when AI summaries appeared.

[00:46:45] Publishers warn of dramatic traffic losses when AI overviews sit above links. And I'll just interrupt to say as far as we know, that's all true. And we've been exploring the various consequences of that for the past several weeks. Vivaldi continues, The stakes are high. New AI native browsers and agent platforms are arriving, while regulators debate remedies that could reshape how people reach information online.

[00:47:15] The next phase of the browser wars is not about tab speed. It's about who intermediates knowledge, who benefits from attention, who controls the pathway to information, and who gets to monetize you. Today, as other browsers race to build AI that controls how you experience the web, we are making a clear promise.

[00:47:42] We're taking a stand, choosing humans over hype, and we will not turn the joy of exploring into inactive spectatorship. Without exploration, the web becomes far less interesting. Our curiosity loses oxygen, and the diversity of the web dies.

[00:48:03] The field of machine learning in general remains an exciting one and may lead to features that are actually useful. But right now, there is enough misinformation going around to risk adding more to the pile.

[00:48:19] We will not use an LLM to add a chatbot, a summarization solution, or a suggestion engine to fill up forms for you until more rigorous ways to do these things are available. Vivaldi is the haven for people who still want to explore. We will continue building a browser for curious minds, power users, researchers, and anyone who values autonomy.

[00:48:49] If AI contributes to that goal without stealing intellectual property, compromising privacy, or the open web, we will use it. If it turns people into passive consumers, we will not. We will stay true to our identity, giving users control and enabling people to use the browser in combination with whatever tools they wish to use.

[00:49:15] Our focus is on building a powerful personal and private browser for you to explore the web on your own terms. We will not turn exploration into passive consumption. We're fighting for a better web. Okay. Okay. Okay. So I guess there will be a web browser for anyone who hates AI. I certainly am not an AI hater. I think it's a marvelous and amazing emergent phenomenon.

[00:49:45] And I make great use of it as a quick reference source while I'm coding. I actually feel a bit guilty now asking it dumb things that I could easily go look up for myself and would have had to a couple of years ago. But if open AI wants to lose money allowing me to ask it why the sky is blue, I'll happily pay them 20 bucks a month for the privilege.

[00:50:11] Today, I'm still using Google and I check out its AI overview to see whether that's all I need while never forgetting that it could be wrong. You know, the other day, ChatGPT produced a snippet of Windows code for me and it just made up a Windows message that never existed. I immediately knew it was wrong, but the way it was wrong was interesting.

[00:50:37] And it made sense to me since, you know, there's nothing in there that actually understands what it's spewing out. It's just language. And that's what makes, you know, what it's able to do so miraculous. So my feeling is it is certainly way more useful than not. And that's why I tend to think that Vivaldi's anti-AI stance is probably a mistake.

[00:51:06] I think it's just marketing. You think so? I mean, notice they have a lot of things like until it's good. When it's good, we're going to use it. As soon as it's OK, we'll start. They left a lot of space for them to change their minds. True. And do you think that, like, there will be people attracted to the lack of it? Really? Oh, yeah. To the lack of, like, AI overview. You know, the last poll I saw said 71% of people don't trust AI.

[00:51:35] I think that there is. Look, Vivaldi's got a tough row to hoe. They're, like, fourth or fifth. No, they're not even that. Opera's fourth. They're way down the list of popular browsers. Chrome is, like, 80%. Then it's Edge. Then it's, you know, Safari, Firefox, Opera. I don't even see Vivaldi on that list. So having something that differentiates them is a good thing. So it's like saying we're the anti-AI browser.

[00:52:03] If you don't want AI, we got something for you. But they noticed they didn't rule it out forever. They just said until it's good, until it's safe, until it's OK. Then we might use it. You know, good on them. And there are definitely people who don't want it. You know, I don't blame them. I'm with you, though. I'm your camp. I've, you know, there's also, I saw somebody said, this is like the invention of electricity. This is, you know, you got to, you know, there are people who overhype it as well.

[00:52:32] So we kind of walk down the middle, I think. I wonder if I can find really quickly this. I sent this to two friends of mine this morning. This was, I was just astonished by this. Again, I just, so here's the kind of, here's the kind of way I use chat GPT. I was puzzled by something. So here's my prompt. Yeah.

[00:53:01] I have the vscroll style specified on a Windows static control. The scroll bar displays and its scroll thumb scales and works. I have subclassed the control in order to manage its messages, but I'm not receiving any of the WM vscroll messaging for mouse or keyboard actions on the static Windows control. I dislike asking leading questions of LLMAI since it tends to bias your reply.

[00:53:31] But the only thing I can think is that perhaps the staticness, and I put that in quotes, the staticness of the control prevents its responding to the system's mouse and keyboard. What do you think? So this. That's a great prompt. That's the way I write these things. I mean, I. You're having a conversation. Yes. Yeah. The point. What's interesting is you would have done this as a search in many, many steps.

[00:54:01] You know, you narrowed it down, narrowed it down, and you would have done the same basic kind of thing as a search. Yes. So it's, that's why I say if they want to, if they want to let me, you know, ask why is the skies blue? And it, you know, so. Okay. Did you get a good answer? Oh my God. Now just listen to the nuance, Leo. It thought for 52 seconds. Wow. And it said, you've got it, colon. The static hyphen ness is the issue.

[00:54:30] Static, which it highlighted because that, that, that, that, that's a token. It's immutable. Static doesn't implement scrolling. Yeah. Just listen to the words though. You can stick WS underscore V scroll on it and user slash GDI will happily, it used the word happily paint and track a scroll bar in the non-client area.

[00:54:57] Parens, hence the thumb moves and sizes correctly. When you call set scroll info, close parens, but the static class never routes the user's interactions to your window proc as WM underscore V scroll. In other words, colon, the visual is there. The messages aren't.

[00:55:23] Subclassing the static won't help because the window class proc simply doesn't generate those scroll notifications. I mean, it is, it is like, how, how can this exist? That's what an expert would tell you. That's like if you had a professor in a coding class or something, that's exactly the answer you wanted. It was very nicely explained. It was very good. It's astonishing. Yeah. Yeah. And it's just language. It doesn't know what it's saying. It has no idea what it's saying.

[00:55:52] No, but it's like, and, and that's why a couple of like last, last week it made up a, a, a WM underscore NC scroll, uh, which is, um, uh, non-client, non-client scroll. The moment I saw that, I thought there's no WM non-client scroll message that doesn't exist, but, but because it's language and it doesn't understand what it's doing. There's no idea. It doesn't know.

[00:56:21] So it, yes, it can make mistakes, but listen to that. I mean, just the language, you know, it, oh my God, you know, it will happily paint and track a scroll bar. It's windows is happily doing that. It's, and I've noticed that, you know, it also remembers who I am. It's maintaining long-term awareness. So like it asks me if you would like some MASM slash win 32 code.

[00:56:49] It knows that's what I, that's what I want. Yeah. Wow. I know it's pretty cool. It is just. I'm realizing, I think part of the problem is that, uh, it's trained on so much stuff. It's trained on as much incorrect stuff as correct stuff because that's the nature of humans. Which is to say the web. Yeah. So I've, when I do see errors like that, I, I can almost always attribute it to either. It appears somewhere. Yeah.

[00:57:15] It appeared somewhere and either the AI misinterpreted it or misapplied it, or the guy who was answering the question was just made the same mistake was dumb. And the AI doesn't know any better repeats it. But so it's actually not surprising that it's making mistakes. Think about how much the internet, how much crap there is on the internet. Well, Reddit is now charging people, charging AI to train. Well, I've read Reddit and boy, we just interviewed yesterday for Intelligent Machines.

[00:57:45] It's going to appear on tomorrow's show. Karen Howe wrote an incredible book about the history of open AI called Empire of AI. And she points out in the early days, they were training almost entirely on Reddit. Reddit was a very valuable resource for them. Well, yeah. So guess what? There's going to be a lot of crap in that training data. They, they, that's the part of the problem that they faced is, is trying to find quality information. And you can't.

[00:58:12] Leo, imagine when we're looking back on this as like the old days, imagine when this is working right. Like, like when it's like, when it's factually correct. You know, a lot of people think it never will get there. I'm kind of with you. I feel like we've seen so much progress and such a kind of surprising progress. In a year. And it's unexpected. It's like, there's some, almost something magical about it that I've, I would be not,

[00:58:40] I would not be the first person to say, oh, you'll never make it. But I, I think it's a good chance that it's going to be pretty amazing in a few years. Already. We don't know. Again, already. I, I, I ask it these sorts of questions. It's because it saves me 15 minutes of digging around looking for the source material. If nothing else. Yes. That's hugely valuable. That's been my point all along. But Ms. Howe had some very interesting things to say.

[00:59:08] I encourage you to, if you get a chance to read the book, otherwise listen to the interview tomorrow on intelligent machines. I'll read the book. I'm a book reader. Oh, and you will like it because there's a lot of detail. A lot of interesting. She has a, a bachelor in science in mechanical engineering from MIT and worked as a coder for Google. So she has an engineering background. Oh, yay. Yeah. Wrote at the MIT technology review, wrote for the wall street journal. She's both. And what is the book?

[00:59:34] It's called empire of AI by Karen Howe, H A O. And it's the, it's really the, it's interesting because she said, I started writing this book to kind of critique the colonialism of open AI halfway through my writing of it. They fired Sam Allman and suddenly, you know, her whole focus had had to change. She said, the good news is all the people that I, hundreds of people that I had made connections

[01:00:02] with in the research for the book were very willing to tell me what really happened behind the scenes. They were like anxious to get the story out. So she's got the story. It's quite good. It's really interesting. Anyway. Sorry. Do you want to interrupt? You know, sometimes when I look at bite magazine, I think how much I enjoy working within constrained environments. I mean, I write an assembler.

[01:00:30] I like having, you know, a, a limit to, to in which to craft my solution. So I've, I've sometimes wondered if I wouldn't have really loved like when computers were relays and it was, you know, like there was even, even less, you know, even more constraint. Right. But then that would have meant I was older than I am and I might be missing now.

[01:00:57] And now is an amazing time. I agree. I mean, we get to finish off our lives, Leo, watching this emergence of maybe consciousness from, from this technology. Yeah. You know, where we used to be like de-soldering chips from it because we were needing to reuse them. That's something you said very early on. I asked you, well, do you think there's something special humans do in the consciousness reflects that is different?

[01:01:26] And you said, no, we're just machines like anything else. And I think that that's the, that's the thing that really means maybe it is possible. You throw enough compute at it, enough memory at it. I think it's an emergent property of complexity. You get a consciousness, maybe an emergent property of complexity. Exactly. Yep. We'll see. I think we're going to be here to see. I think so. Cause it's certainly, it's certainly not waiting for us. It's happening. It's moving. Wow. Okay.

[01:01:55] So we got some more detail, uh, about the exploit chain that wound up leveraging that recently patched Apple zero day. Remember that was CD 2025, four 30, 300. Uh, we talked about this last week. Clever bad guys had discovered that Apple's implementation of the JPEG lossless decompression,

[01:02:17] an interpreter, uh, that would be called upon to display an image in Adobe's DNG file format contained a critical flaw. If the provided image data did not match what was described in the files, metadata header and out of bounds, right could be triggered, which could lead to a compromise of the user's device. But how do you get the image to the user?

[01:02:46] What we now know is that an unrelated flaw in Meta's WhatsApp was also implicated as the carrier of the image. Last week, Meta updated their WhatsApp messenger to cure what their number CVE 2025, uh, 551 77.

[01:03:08] And about this, they wrote incomplete authorization of linked device synchronization messages in WhatsApp for iOS, WhatsApp business for iOS and WhatsApp for Mac could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device.

[01:03:33] We assess that this vulnerability in combination with an OS level vulnerability on Apple platforms. And that's the four 30, 300 CVE may have been exploited in a sophisticated attack against specific targeted users. And as always, we know to immediately replace the phrase may have been exploited with was definitely

[01:04:02] found to be exploited. Certainly without any doubt. Because I presume that every corporate attorney has made abundantly clear that vulnerability at advisories are not the place to admit responsibility for anything. Yeah. So what we know, uh, is that representatives of Amnesty International tweeted last Friday morning

[01:04:28] that both of those two zero days, apples and metas had been employed in quote, an advanced spyware campaign over the last 90 days. So that also suggests that tells us something we didn't know before. And that is the consequence of the exploitation of those two critical vulnerabilities was the

[01:04:55] installation of spyware into targeted phones. So again, you know, I mean, that's the Holy grail, right? Is, is, is, you know, all of these, these, these companies are selling their technology to governments that are wanting to install spyware into, you know, uh, journalists and, and, uh, political activists and so forth, uh, uh, phones. I also saw one interesting story.

[01:05:24] I didn't put it in the show notes, Leo, but I, I got, I thought you'd get a kick out of it. Turns out that, that Israel has been very effective in locating Iranian, uh, officials because their bodyguards are not exercising good cell phone, good, a smartphone hygiene. Yeah.

[01:05:50] And of course the bodyguards are always going to be physically in proximity to, to, to, to the people that whose, whose bodies they're guarding. And unfortunately that doesn't help them if the bodyguard can be targeted. So I'll give you one more story related that broke this morning. Apparently we didn't know this, but the Biden administration had ordered, uh, the U S, uh, law enforcement to not use Paragon's spyware.

[01:06:19] Uh, but apparently the Trump administration has reversed that and ice will now have access to Paragon's, uh, zero click, uh, exploits. Uh, yeah. Uh, in the United States. And, uh, that's, uh, somewhat concerning. Uh, although frankly, I didn't realize that they were not allowed to use it. I just assumed that they were. Yeah. Yeah. Yeah. Wow. So now we know they are or will. Yeah.

[01:06:49] Um, we're at an hour. Uh, let's take another break and then we're going to look at this next piece, which I just said at the top of the show is very spooky. This is an, the far first example, as far as I know of AI having been actively leveraged in an attack in a way that will give you some chills. Oh, okay. Okay. Coming up on security. Now our show brought to you, this portion of our show brought to you today by our good

[01:07:18] friends at Bitwarden. Bitwarden. We love Bitwarden. We love Bitwarden, the trusted leader in password, passkey and secrets management. Frankly, it's a password manager I use. In fact, every time I do this ad almost universally, our hosts say, yeah, I use that. I use that. Yeah. I use it too. Everybody does. Bitwarden is consistently ranked number one in user satisfaction by G2 and by software reviews, more than 10 million users across 180 countries and over 50,000 businesses.

[01:07:48] Now, if you're interested in AI, you might be interested in this news. I think this is fantastic. Bitwarden has just launched an MCP server. If you don't think about AI or know anything about AI, that may not be meaningful. But if you do, this is really interesting. It's now available on the Bitwarden GitHub. What it means is you have an AI agent. Many browsers now have AI agents built in. They are going out and doing stuff on your behalf, maybe logging into websites.

[01:08:19] Bitwarden, because they now have an MCP server, will integrate with those AI agents to provide secure credential workflows. This is huge. You know it's a big problem. People are often hard coding their API secrets or their passwords into their code. It often gets pushed up to GitHub because they don't know of any other way to do this securely. Well, now with Bitwarden's MCP server, there is a way.

[01:08:47] They also, it's brand new, just happened. They want you to know their document. They're working on expanded documentation. They're also working on a way of distributing this. But right now you can go to the GitHub and see it and download it if you want. It's a secure, standardized way for AI agents to communicate with Bitwarden. And, you know, for credential purposes, users benefit from a local first architecture for security

[01:09:14] because the Bitwarden MCP server runs on your local machine, which means all those client interactions with it are kept within the local environment. Very important to minimize exposure to external threats. It integrates with the Bitwarden command line interface. By the way, another reason I love Bitwarden, they've got a command line interface. So if you're using cloud code, something like that, very simple to integrate the MCP server. And users can also opt for a self-hosted deployment for greater control over system configuration

[01:09:44] and data residency. This is so important to the idea of agentic AI. An open protocol for AI assistance. MCP servers enable AI systems to interact with commonly used applications. And that can be a variety of things, content repositories, business platforms, developer environments through a consistent open interface. But now it can integrate with your credential management in Bitwarden.

[01:10:12] Driving secure integration with agentic AI. The Bitwarden MCP server represents a foundational steps towards secure agentic AI adoption. Very important. Anyway, I like to, in these ads, talk about new stuff from Bitwarden. They're always adding new features. This is where open source really benefits them. Infotech's research group published a report called Streamline Security and Protect Your Organization.

[01:10:39] It highlights how enterprises in the Forbes Global 2000 are turning to Bitwarden. To secure identity and access its scale. A report emphasizes, you know, the problems we all know about growing security complexity, especially with globally distributed teams and fragmented infrastructure. Credentials are dispersed across teams, contractors, and devices. This is a challenge for enterprises. They're starting to address these credential management gaps and strengthening their security posture

[01:11:07] by investing in scalable enterprise-grade solutions like our sponsor, Bitwarden. If you want to set up Bitwarden in your enterprise, it's easy. Bitwarden supports importing from most password management solutions. Steve and I both moved to Bitwarden in just a minute or two. It was a very quick and easy move. And by the way, I don't know about you, Steve, but I never looked back. This was incredible. The Bitwarden open source code regularly audited by third-party experts. It's right there on GitHub. You can see it for yourself.

[01:11:35] And of course, Bitwarden meets SOC 2, Type 2, GDPR, HIPAA, CCPA compliance. It's ISO 27001-2002 certified. They're getting, they do this every year, their big open source security summit. This is their sixth annual open source security summit. It's coming up September 25th. And it's virtual. And it's free. So you can go. You should go. Register now for this virtual free industry event at Open Source Security Summit. It's all one word.

[01:12:05] Open Source Security Summit dot com. To explore advancements in open source security and see how open source tools can help you build your trust with consumers. Get started today with Bitwarden's free trial of a Teams or Enterprise plan or get started for free across all devices as an individual user. Bitwarden dot com slash Twitter. Bitwarden dot com slash Twitter. We thank them so much for supporting security now. Back to you, Steve. It's interesting.

[01:12:33] I heard you use the phrase, get it at the GitHub. And I've, you know, it's like. Maybe that's just me. Kind of like I never thought of it that way. I mean, it's a hub of, it's a hub of gits. It's a hub of gits. Yeah. It's sort of like the Ukraine versus Ukraine. Well, you're not supposed to say the Ukraine. Apparently that's a, that's kind of a colonial, colonialist way of talking about like it's a province of the Soviet Union. Right. Which it's not. Yeah. So, but the GitHub is a, yeah, it's power.

[01:13:02] That kind of works. It's a hub of gits. I like that. So we all knew. We talked about this at like day one that AI would almost naturally somehow wind up being used by bad guys to further their evil ends. So get a load of this one, which just happened last week.

[01:13:26] It took the form of a supply chain attack against the users of the popular NX tool, which is used to automate CICD development flow. You know, CICD for those who don't know stands for continuous integration, continuous delivery and deployment. So it's about software deployment automation.

[01:13:49] Last Tuesday, an unknown threat actor compromised the NPM identity authentication token of one of the NX developers and used their then authenticated access to release malicious updates for several of the NX tools to the NPM package repository. Now that alone is horrifying.

[01:14:15] The NX tools are very popular, seeing around 4.6 million weekly downloads. So that was a serious breach of a trusted NPM developer, which allowed malicious code to flow out of the trusted repository. But listen to what the malware did.

[01:14:34] The altered NPM packages contained a malicious script that attempted to run a prompt on a local AI command line tool like Claude, Gemini or Q. And the prompt instructed the local AI agents on that machine to search the local file system,

[01:15:03] which it had access to, for text-based files that might contain GitHub tokens, NPM tokens, SSH keys, .env secrets, and wallet files. And all the data discovered locally was then encrypted and written to a file.

[01:15:22] The subsequent command then used the GitHub API to create a new public repository on the infected user's GitHub account and upload the file with all the stolen data. So, you know, you get your local trusted AI agent to scan your own machine for its secrets, then encrypt them before posting them publicly.

[01:15:51] And since they're encrypted, no one else is able to decrypt them and get a hold of the secrets. So, talk about diabolical. All of the public GitHub repos, which were created containing stolen data, used the same prefix, which was singularity with a numeral one for the I in singular. Singularity hyphen repository hyphen was the prefix.

[01:16:19] That made them easy to find on GitHub, which is probably how the attacker collected the stolen data. According to a GitHub search, there were around 1,400 GitHub repositories with that prefix, which was roughly the same number of users the attacker had infected before the malicious NX libraries were taken off NPM.

[01:16:44] So, around 1,400 developers had their local machines scoured by their own local AI agents for any juicy tidbit secrets, with everything found posted back to their GitHub accounts where they were collected and then decrypted by the bad guys. Wow. That is a very clever hack. That is really interesting. Wow. Yeah. Yeah.

[01:17:14] Not that it really matters anymore, since all of everyone's data has probably long ago leaked onto the internet and been vacuumed up into a growing dark web database. But for the record, TransUnion had all of the data of their 4.4 million customers stolen by the prolific Shiny Hunters hacking group, which, as we know, they've recently been succeeding so well using phishing attacks.

[01:17:43] So, we can now add TransUnion to the likes of Google, Farmer's Insurance, Alliance Life, Workday, Pandora, Cisco, Chanel, and Qantas. Of course, TransUnion has everything, right? Yeah, exactly. They're like the galactic thing. Exactly. The vault of all of our secrets. Great. All those companies have reported breaches linked to Salesforce-connected applications. Oh, this was another Salesforce breach? Yeah. Yeah.

[01:18:14] Yeah. Oh, yeah, yeah. Okay. Now, here's a weird one. Two rather disreputable websites, 4chan and Kiwi Farms, have brought a lawsuit against the United Kingdom's Office of Communications, often abbreviated Ofcom. I'd heard of 4chan. I had never heard of Kiwi Farms. So, I asked the internet. And now, I wish I hadn't. Yeah. Yeah.

[01:18:44] A little blurb summary that I received read, Kiwi Farms, established in 2013 by Joshua Connor Moon, functions as an online forum for discussion and harassment. Initially targeting webcomic artist Christine Weston Chandler, The site is known for organized group trolling, stalking, and real-life harassment, often directed at transgender individuals,

[01:19:11] those with disabilities and neurodivergent people. The platform has been connected to several suicides and has received criticism and service terminations due to its controversial content and association with harassment. Yuck. Yuck. So, these two disreputable websites, 4chan and this Kiwi Farms, are suing the UK's Ofcom, good luck, over their online safety act,

[01:19:40] which requires websites and social media platforms to perform age verification checks on their users. As we've been discussing, because the web industry has not yet solved this problem in a way that would be possible and practical, users are currently being required to upload an ID, have their face scanned or otherwise give away their personal information in order to access large portions of the internet.

[01:20:10] Any sites that do not comply are subject to significant fines under the UK's law now, regardless of where they're based, including in the United States, where we enjoy strong First Amendment speech protections. However, as we also know, our own Supreme Court recently decided that asking for the same sort of proof of age would not unduly encumber our First Amendment protections.

[01:20:39] Many people disagree. Opponents of the UK's Online Safety Act note that this is resulting in an internet where users must provide scans of their faces to access, for example, certain music videos on Spotify. The lawsuit brought by 4chan and Kiwi Farms calls Ofcom an, quote,

[01:21:03] industry-funded global censorship bureau saying Ofcom's ambitions are to regulate internet communications for the entire world, regardless of where these websites are based or whether they have any connection to the UK.

[01:21:20] On its website, Ofcom states that over, now, so they're saying that Ofcom's website states that over 100,000 online services are likely to be in scope of the Online Safety Act, from the largest social media platforms to the smallest community forum, unquote, from Ofcom.

[01:21:43] So, I doubt that the Electronic Frontier Foundation would choose to have anything to do with helping these two sites in their lawsuit, but the EFF has said that the Online Safety Act, quote, is a threat to the privacy of users, restricts free expression by arbitrating speech online, exposes users to algorithmic discrimination through face checks,

[01:22:09] and leaves millions of people without a personal device or form of ID excluded from accessing the internet. In my research for today's podcast, I also ran across some other news, which was that, not surprisingly, those websites that were obeying these new laws by replacing their,

[01:22:32] you betcha, I'm 18 buttons, with full, strict, unspoofable age verification technology, had seen, are seeing an astounding drop-off in their site traffic. Not surprisingly, nearly everyone who is being hit with that is simply going elsewhere, and there's an elsewhere to go to.

[01:22:56] The same reporting noted that other famous porn sites are experiencing a doubling or tripling in their traffic. So, as I've been noting, we're very nearly having all of the pieces that we need in place. We just need to get our act together as an industry. I assume that the folks who are working on this for the World Wide Web Consortium, the W3C,

[01:23:26] which is where the standard needs to emerge from, I hope they are staying up late at night and working through the weekends. You know, that TrueAge system that we looked at is very close to what we need, but it needs to have all of its trackability removed. And we heard that TrueAge had contributed its technology to the W3C. I don't, okay, that's good, I guess. Even though this is not a difficult problem to solve,

[01:23:55] it just needs someone in the right place to do it. So, you know, quite suddenly, nearly overnight, thanks to this legislation, which has been, you know, it's been pending and it's been percolating, the world has suddenly become in very desperate need of privacy-preserving solutions for online age verification. And, you know, we need it yesterday.

[01:24:22] So, I really hope that this is getting the attention that it needs. It must be because there's just, Leo, there's so much of this in the news now. You know, with like, you know, blue sky, dark in Mississippi. Well, I think there's some real question of if it's even possible to do that. I mean, I guess. Well, somebody needs to know who you are. For example, in my case, California, I have a driver's license. California knows who I am.

[01:24:51] But it is possible to blind anybody else to an assertion of my age. So, with this California digital ID, it would be entirely possible to design a system where my phone scans a QR code and California then asserts to that site that I am of a certain age. And so, I mean, utterly possible.

[01:25:21] It is absolutely to the case. Yeah, but then you have to require everybody to have a California ID. I mean, I'm not saying it's simple. I'm just saying that— It's not even okay. I mean, there are plenty of people who will not have a California ID. Especially if there are people between 16 and 18 who will not have a California ID. Right. Then they're not able to assert that they are over 18. Well, see, different jurisdictions have different age limits. Right. Not all 18. Right.

[01:25:51] Yeah. Okay. So, we're going to set up a state system that will know everybody's identity and age. I don't think that's going to happen. So, I certainly wouldn't advocate for it. In that case, well, I mean, I guess what I'm saying is that the way to solve this is for someone to know your age and then for that someone to anonymously assert that— I understand the technical solution. Yeah.

[01:26:20] I'm saying politically, who would that someone be? I mean, okay, I guess you could say you have to have a driver's license in order to go to a porn site. Does everyone have a social security card? Yeah. Presumably, everybody has. Almost everybody does. Yeah. I got mine when I was pretty young. There are laws against using— There's good reason for there's laws against using that for identification. But this is not for identification.

[01:26:50] The idea would be that that would allow the government to make an assertion on your behalf of your age and to do so anonymously. I mean, again, what is the choice? I mean— The choice is not to do this. Period. Period. So to get— I think it's like saying, oh, there's got to be a backdoor to crypto somehow because what's—the choice is not to have age verification. Okay. I mean, I hear you. I would wish that these laws were not happening.

[01:27:19] But we know what our Supreme Court just did. So I don't know where we go. Although, interestingly, and we talked about this on Sunday. Of course, Cory Doctorow was on. He's a very strong advocate on this. He pointed out the Supreme Court did not, in fact, say the Mississippi law was okay with the Fourth or First Amendment. They just said net choices, opposition was improperly formed, and they threw it out on that basis.

[01:27:45] They said, in fact, it's very likely if this were brought to us properly, we would have to uphold the plaintiffs because it is a violation of the First Amendment. Yay. Yeah. Good. I don't know if there's a good way out of it. And you're right. Governments are going to want to do this. But, you know, historically in the United States, we've resisted these kinds of national attempts at identification. Yeah. And, you know, like why all of a sudden?

[01:28:14] It's not like anything got worse, right? I mean, this is— We've had this around for decades now. Well, what did get worse is the Internet's put it in everybody's home, right? It used to be if you went into the drugstore and you tried to read the Playboy, the guy would say, get out of here, you kid. You're too young. Now it's everywhere. It's in everybody's house. And I think that's what's really irritating parents. Yeah. I don't blame them. Yeah. Okay. Okay.

[01:28:41] So an announcement on the OpenSSH site was refreshing. It said, OpenSSH supports a number of cryptographic key agreement algorithms considered to be safe against attacks from quantum computers. We recommend that all SSH connections use these algorithms.

[01:29:02] OpenSSH has offered post-quantum key agreement, the Kex algorithms, by default since release 9. That was in April of 2022. More recently, in OpenSSH 9.9, we added a second post-quantum key agreement, and it was made the new default scheme in OpenSSH 10, April 2025. To encourage migration to these stronger algorithms—

[01:29:32] Remember that both ends of the connection, the OpenSSH client and the server need to support the— They negotiate the strongest algorithm that they can. So it's what— If you upgrade one, it doesn't do any good if you don't upgrade the other end. So they said,

[01:29:50] To encourage migration to these stronger algorithms, OpenSSH 10.1 will warn the user when a non-post-quantum key agreement scheme has been selected with the following message. Warning. Warning. Connection is not using a post-quantum key exchange algorithm. This session may be vulnerable to store-now-decrypt-later attacks.

[01:30:19] The server may need to be upgraded, see, and then they give a URL for OpenSSH.com slash pq.html. And they finish saying, This warning is displayed by default, but may be disabled via the warn-weak-crypto option in SSH underscore config. So it occurs to me that as an industry, we're beginning to learn how to do this.

[01:30:49] After Pete Gutman's recent revelations regarding the truth of how far away we still are from anything even approaching practical quantum factorization, we almost certainly have plenty of time. But now that we've developed practical post-quantum solutions, there's no reason not to get them deployed. You know, why not? We know that this will never happen without a bit of deliberate urging.

[01:31:17] So adding a little reminder notice when connecting with old-style pre-quantum crypto will serve to provide the nudge that's needed. So I thought that was a neat thing that they were doing. Just a little reminder. And it's not like your current session is going to be decrypted. No, it's the store-now-decrypt-later. And that's something that should give people, you know, second thoughts and some chill.

[01:31:45] So for this week's what could possibly go wrong segment, we have NextGov reporting under their headline, Russia-based Yandex employee oversees open source software approved, and not just approved, but widely in use. But they didn't say that. Software approved for DOD use. Here's what NextGov shared.

[01:32:14] A Russia-based Yandex employee is the sole maintainer of a widely used open source tool embedded in at least 30 pre-built software packages in the Department of Defense, raising potential risks of covert data exfiltration through sensitive digital tools used by the U.S. military, according to research first seen by NextGov.

[01:32:44] The tool, dubbed FastGlob, helps software developers operate on groups of files, globs, without having to write extra code, making it the preferred method for quickly searching and organizing project files. It's used in over 5,000 projects worldwide and has downloaded some 70, 7-0 million times per week,

[01:33:13] according to findings published Wednesday by software supply chain security firm Hunted Labs. The maintainer is listed as Dennis Malochikin. As of publishing time, there's no known malicious code inside FastGlob, according to Hayden Smith, Hunted Labs co-founder, who added that Mellow Chicken appears innocuous,

[01:33:37] though his standing as the only maintainer of the popular software package raises red flags. And they're red. Hayden said, A project that is popular should not be maintained by just one person. Even if you remove all of the geolocation and geopolitical atmospherics, having a solo maintainer for any project you critically depend upon is extremely risky, unquote.

[01:34:08] The DOD's office of the chief information officer, which advises the defense secretary on information technology, was alerted to the matter about three weeks ago, Smith added. NextGov has reached out to the DOD, the Defense Information Systems Agency, and Defense Counterintelligence and Security Agency for comment. The FastGlob package is listed inside Platform 1's Iron Bank,

[01:34:35] the Pentagon's vetted repository of... I know, Leo. That's exactly my reaction when I read the Pentagon's vetted repository of software building blocks used by the U.S. military's software publishers and contractors to craft digital tools and applications. According to multiple people familiar with the matter,

[01:35:01] the people were granted anonymity to be candid about its use inside DOD software systems. Okay, now wait. What's wrong with the phrase, Pentagon's vetted repository of software building blocks used by the U.S. military software developers? Then follow that up by explaining that some of this Pentagon vetted software

[01:35:27] also happens to be open source and being updated at will by some random Yandex employee in Russia. Do we see any problem here? Then we see what NextGov reminds us of next as we continue with their reporting, writing, Yandex is a major Russian technology company

[01:35:53] that has been found to have extensive ties to the Kremlin and has promoted misinformation about Russia's war in Ukraine. The setup, as is, could allow the Kremlin to carry out a state-sponsored intrusion into multiple projects that rely on FastGlob and force Mallow Chicken to make malicious,

[01:36:23] surreptitious changes without oversight from any other users. The report states that Mallow Chicken is, quote, more likely to encounter Russia's federal security service or state security individuals in their day-to-day duties and could be susceptible to coercion, unquote. In an email sent to NextGov, Mallow Chicken said

[01:36:47] that he has been developing and maintaining FastGlob for over seven years, which began prior to his employment at Yandex. He said the tool's source code is fully open and auditable by potential users and that his development or support has never been a part of his professional duties at his current job. He wrote, quote, Nobody has ever asked me to manipulate FastGlob,

[01:37:15] introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity, unquote. Now, I have zero doubt that all of that's true. And I don't imagine that anyone doubts Dennis' sincerity and integrity. But FastGlob's future may not be entirely in his hands.

[01:37:43] What he's going to do, you know, or what is he going to do if scary Russian state security knocks on his door? I'm sure that's not a position he would want to be in. But the fault here does not lie one bit with Dennis. The fault is entirely ours. The Pentagon and the U.S. Department of Defense is using open source code libraries,

[01:38:11] presumably in mission critical applications, over which it does not have absolute control. The fact that in this case, one of those libraries is being maintained by a developer located in a country with which the U.S. currently has strained political relations is beside the point. But it does help to capture everyone's attention. NextGov's story provides some additional intriguing reporting. They wrote,

[01:39:03] That memo came after, ProPublica reported Microsoft had relied on China-based engineers to support its cloud services for the DoD. Microsoft has since severed those arrangements. And of course, we covered that Microsoft-China connection thoroughly at the time. NextGov writes, Open source projects rely on contributions from community members to keep them updated with patches.

[01:39:33] The updates are often discussed on forums with volunteer software maintainers. Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed Giatown tried to quietly plant a backdoor into XZutils,

[01:40:00] a file transfer tool used in several Linux builds that power software in leading global companies. George Barnes, the former deputy director of the National Security Agency, said, If you're a nation state, you have a bunch of stuff that you're doing fast, but you have other stuff that you're doing very methodically, slowly, or positioning strategically.

[01:40:26] So I think his intention was to creep us out about the potential for sleeper installation of software. Russia's state-centered economy, writes NextGov, also allows the Kremlin to compel firms to act on behalf of the nation's interest, including the use of hacking and disinformation campaigns. Yandex is one of several major domestic tech companies that the Russian government can rely heavily on.

[01:40:56] Barnes said, This piece of code has no known vulnerabilities. It's ubiquitously leveraged and used globally, and it happens to have one maintainer sitting in Russia, and the maintainer might be totally fine. But that situation subordinates him to a legal framework that's not under his control. Chinese, Russian, and North Korean-affiliated hackers are covertly working

[01:41:25] to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers, and governments around the world, according to findings from Strider Technologies released earlier this month. Russia has continued broader cyber activities despite recent U.S. efforts to bring the Kremlin to the negotiating table with Ukraine. An FSB-linked group has attempted to spy on foreign embassies in Moscow

[01:41:54] by targeting local internet and telecom infrastructure used by diplomatic personnel, Microsoft said in late July. And of course, we covered that at the time, too. That was that tricking embassy staff to install malicious root certificates into their machines through a web portal attack. So I hope this news gets the attention of the right cyber people in the U.S. government.

[01:42:19] As we know, supply chain attacks present a very serious attack vector, and it sure appears as though this is a vector that's been grossly overlooked, Leo, because, you know, we're all relying on open source libraries, and, you know, they're in U.S. DOD software. I have to, I mean, first of all, you'd think that this iron bank would only include software

[01:42:47] written by the Defense Department, but since it doesn't, it is open source, and I would think FastGlob isn't so complicated that somebody can't keep an eye on it and make sure that, but Mr. Mallow Chicken, which I don't think is how he says his name, but I like it, I like it. I think it's probably Malinochkin, but anyway. Thank you. You're much better with the Russian accent. The Mallow Chicken. But I like the Mallow Chicken.

[01:43:14] I mean, that's a guy you really don't want working on your Defense Department software. That's what I have to say about that. Would you like me to take a break? We're going to take a break, then it's time for listener feedback. Like Mr. Mallow Chicken. Watch out, Mallow Chicken. I get my eye on you. This episode of Security Now brought to you by BigID, the next generation AI-powered data security and compliance solution.

[01:43:43] BigID is the first and only leading data security and compliance solution to uncover dark data using AI classification. Using AI classification. To identify and manage risk. To remediate and remediate the way you want to. You get to choose to map and monitor access controls and to scale your data security strategy. It's really amazing what BigID does. Along with unmatched coverage for cloud and on-prem data sources,

[01:44:12] BigID also seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can take action on data risks to protect against breaches, annotate, delete, quarantine, and more based on the data. All while maintaining an audit trail. And it works with everything you use. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS, and more. You don't have to change anything. With BigID's advanced AI models, you can reduce risk,

[01:44:42] accelerate time to insight, and gain visibility and control over all your data. That's probably why Intuit named it the number one platform for data classification and accuracy, speed, and scalability. And I love this customer testimonial because it comes from a group that probably has more dark data than anybody else. After 250 years, you can imagine the U.S. Army has collected data in every nook and cranny from, you know,

[01:45:10] the quartermaster's closet to the cloud and everywhere in between. BigID equipped the U.S. Army to illuminate dark data, to accelerate their mandated cloud migration, to minimize redundancy, and to automate data retention. And it worked so well, they actually got this testimonial. This is from U.S. Army Training and Doctrine Command. Quote, The first wow moment with BigID came with being able to have that single interface,

[01:45:38] the inventories, a variety of data holdings, including unstructured and structured data across emails, zip files, SharePoint databases, and more. To see that mass and to be able to correlate across those is completely novel. U.S. Army Training and Doctrine Command said this, I've never seen a capability that brings this together like BigID does. And you can imagine, I can't think of another place that might be better able to use BigID, right?

[01:46:07] CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000 and Deloitte 500, not just once, but for four years in a row. The publisher of Cyber Defense Magazine says, BigID embodies the three major features we judges look for to become winners. Understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that it can help mitigate cyber risk

[01:46:36] and get one step ahead of the next breach. End quote. Start protecting your sensitive data wherever your data lives at bigid.com slash security now. Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's bigid.com slash security now. Also get an exclusive invite to BigID's virtual .com summit on October 9th,

[01:47:04] where you can hear a keynote featuring Forrester Research, plus panels with experts from JP Morgan, Manulife, and Nokia. Tackle the most urgent challenges in AI security and risk at bigid.com slash security. Now, bigid.com slash security. Now, we thank them so much for their support of security now. Now, back to Steve. An anonymous listener. I don't know why he wanted to be anonymous, but I don't. Okay, I always honor those requests, of course.

[01:47:34] He said, Hey, Steve, thought you and your listeners would appreciate this. There's a new Apple device backup solution called Parachute Backup Mobile. Simply put, it's a fantastic tool. If you're one that has gigs of photos or files that you'd rather backup locally versus iCloud. I have it backing up to my NAS on a schedule. You should check it out on the App Store. It's for macOS, iOS, and iPadOS.

[01:48:03] Oh, and the best part, he writes, $3.99 for life. This app developer gets it. He says, P.S., if you read this, I'd like to stay anonymous. So, I checked it out. As an iPhone user myself, I love the idea of being able to clone my massive and growing iCloud library, mostly photos, to another storage location under my own control. Just because, you know, we all have lots of storage these days, so why not?

[01:48:33] Apple provides an export option from iCloud. So, if someone had an iPhone for years, collected a library of photos, and wished to switch over to Android, for example, and Google Photos, it is possible to schedule their transfer from Apple to Google. But I'm remaining with Apple, and I still like the idea of having another copy under my own control. So, as I said, I checked out Parachute Backup, and I like it.

[01:49:01] I maintain a very low-volume transaction Amazon S3 account, where, for example, all of this podcast's audio is archived, just to have one, you know, master off-site source. It turns out that Amazon mostly charges for transfer bandwidth and nearly nothing for storage.

[01:49:25] So, it's perfect for external, hands-off, redundant archival storage. And this Parachute Backup supports Amazon's S3 backup. It can also backup to the user's own local NAS or external storage. In the case of NAS backup, I never realized that it's possible to use the iPhone's built-in files app to connect to network storage.

[01:49:52] So, you do that first to create a folder on your iPhone that's connected to a shared folder on your NAS. Then you instruct Parachute to maintain a synchronized backup of your iCloud and other iPhone, iPad, or Mac OS goodies with that folder. It looks like a terrific, it's a terrific little six megabyte app. It was released at version 1.0 just two and a half weeks ago on August 14th.

[01:50:22] And it's been evolving rapidly ever since, adding features and fixing bugs. So, you might want to wait, let it mature for another couple months. Microsoft OneDrive support was added the day after its release. Amazon S3 support was added on August 23rd and then further refined. At the time of this writing, it's at version 1.3.3. And our listener is correct about the price.

[01:50:48] It's $3.99 one time, and you own it for as long as it's around. So, anyway, just wanted to make a pointer to that app, because it looks like it's a great solution for iPhone, you know, iOS devices, and for Mac OS too. Stephen Adams wrote, Steve, you mentioned in your section about data brokers

[01:51:15] that nobody authorized the credit bureaus to collect our information. That's incorrect. You expressly gave your permission when you applied for or continued to use credit or receive service from a utility, electric, phone, mobile gas, etc. Or a credit card, for that matter. Yes. Each and every application or terms of service document states, this will be done. And when you sign the application,

[01:51:43] you agree to sharing your information with the credit bureaus. He said, here's the language from my latest JPMorgan Chase credit agreement. And it reads, we may obtain and review your credit history from credit reporting agencies and others. We may, from time to time, obtain employment and income data from third parties to assist us in the ongoing administration of your account. We may also provide information about you and your credit,

[01:52:10] your, and your account to credit reporting agencies and others. We may provide information to credit reporting agencies about this account in the name of an authorized user. If you think we provided incorrect information, write to us and we will investigate. So he finishes saying, there is no opt-out for reporting your information to the credit bureau. The only way to clear your credit report is to have no credit and wait seven plus years for everything to age off. As long as you have credit,

[01:52:40] you've authorized collection of that data. Signed, Stephen. So Stephen, I stand corrected and I am glad to be. So thank you very much for that. This is certainly an important part of the whole credit bureau story. You know, in the fine print of the credit agreements, we voluntarily signed with all of the many various sources of credit we use and take for granted in our modern lives. And as you said, Leo, who doesn't have like at least a credit card these days, you know,

[01:53:09] we gave these credit grantors our permission to disclose and share what they learned of us. So, you know, they need to learn about us by asking these aggregators what's known. And in return, they report about us under our contractually granted consent. So unfortunately, as we know, they're not good at keeping it to themselves. Yeah. Which is another problem. Vladimir. I don't know how to pronounce his last name, Leo. E L I S E E V.

[01:53:40] Am I going to be the Russian? You're my Russian interpreter. I'm going to say it's Vladimir. I'll say it. Nice. I like that. I'll just do Vladimir from that. Just call him Vlad. Vlad. I like that. Hi, Steve. My name is Vladimir. I live in Russia and, and here we were just talking about last week, how we have listeners in Russia and China, right? Oh yeah. He says, I live in Russia and I really enjoy listening to security.

[01:54:05] Now I'd like to add to your comment in episode 10 40 about the problems with Google meet. The reason for the blocking of Google meet is the launch of the max messenger, which is under state control. In this way, Russia continues down the path of internet isolation, a process that Russians themselves call, uh, creating the chebernet. Uh, he said a blend of,

[01:54:35] uh, chebuer haska and internet. Uh, I don't know what chebuer haska is, but, uh, so yeah, you should look it up. I did. It's a little furry bear creature. So Vladimir, thank you so much for your note. Just as I feel self-conscious talking negatively about China, while we have so many Chinese listeners, I feel equally awkward talking about Russia in derogatory terms and for the same reasons,

[01:55:01] but my own us government's hands are also certainly not clean. So I think we can all assume that whatever we're talking about, or whenever we're talking about the actions of Russia, China, or the U S we're never talking about the actions of a country's people, whether or not we may have voted for our various governments representatives. And regardless of how we may feel about their actions, they are not us.

[01:55:27] So I also very much appreciate hearing from our listeners in other countries to obtain their perspectives. I poked around a bit looking for Chebaroska, which appears to be a fictional character from Russian literature. Yeah. There's a picture of it with the big ears. Yeah. Yeah. Next to an alligator. That's actually a crocodile. A Russia official Russian 20 ruble coin.

[01:55:53] So he is Chebaroska is beloved in, uh, in Russia. Okay. Comrade. It comes from, it comes from the word for tumble off the table. Yeah. And it's a roly poly toy. So the Chebar net is not, uh, regarded. It's the internet that tumbled off the table. That's right. Oh, I see. Soviet census tried to stifle the Chebaroska films because they made fun of nitpicking bureaucrats, factory directors,

[01:56:23] and the young pioneers. Uh, all right. So it was kind of a subversive piece. So Vladimir, thank you for bringing that little bit of, of Russian history background to the podcast. We appreciate it. Hans Bornich said, hi, Steve, regular listener and club twit member here. Thank you for all your hard work on the show and everything else you do. I especially look forward to an UEFI, uh, native version of spin,

[01:56:53] That'll be coming for windows, which I will be purchasing on day one. Anyway, I stumbled upon a link. I thought you might find interesting. I thought I knew what a valid email. Oh, Leo, you're going to have fun with this, what a valid email address was, but boy, was I wrong. If this site is right. And I can say now that it is, he said, I wonder what your score will be. No cheating. He said, I scored a measly 12. Yeah. I,

[01:57:22] I've took this a couple of weeks ago when I first saw it and I didn't do well at all. I'm amazed at some of the things the RFC allows. I am too. Yeah. So Hans is correct. It is a difficult test and I did not do much better than his 12. I scored 15 out of a total possible of 21. Uh, and I've written more than my share of email address parsers in my time. So you should know,

[01:57:48] there are some very worthwhile and tricky examples on the test. So for anyone who's listening, it's, uh, E hyphen mail. WTF. E hyphen M A I L dot WTF. Uh, it is a great site. Uh, you can't have spaces in the first part of an email address, but you could have spaces before and after who would have thunk the spaces get ignored, but I think email clients may not be,

[01:58:18] we knew a lot. We know about dots, but it turns out there's a subtlety there. Also, you can't have a dot at the end. It's one that I missed. Yep. Yep. No, no, no success. This is hard, but we're also giving it away, Leo. So we have to be, Oh yeah. Okay. I'll stop now. Question nine and let everybody fail on the rest of them. Yes. E hyphen mail dot WTF. It's very good. Uh, I really, anyway, and they've got another one. Uh, when you're done with that, um, there's a link to something else. Uh,

[01:58:47] they have another test. I didn't, I don't remember now what it was, but you have to get to the end, huh? I think so. Unless you scroll, is there something at the bottom of, you have to get to, you have to finish it to see. Yeah, I did. I did see a link to yet another test. You can take Matthew Turner shared, uh, the thinking that I'm sure we've all had. He wrote, so would recording a TV program and fast forwarding through the ads be illegal?

[01:59:15] What about stepping out of the room during an ad or what about watching live TV and muting the ads because there's so much louder than the program. Um, although charging AI for content would likely make the AI much more accurate. So I wish charging AI for content would make it more accurate. But as, as we noted, Reddit has been licensing its content now for AI modeling.

[01:59:42] And it's not as if AI is only being trained on the cyclopedia Britannica, which is, you know, a highly credible source of actual information. Um, and as for the whole question of any implied obligation to be exposed to a show's advertising, I think Matthew's examples helped to highlight the dilemma. You know, we may have signed a contract with a lender to allow them to obtain our credit

[02:00:10] data and return anything more. They learn about us to the credit bureau, but no one watching live TV ever agreed not to get up and pee during commercials. That's what they're for. Isn't that exactly? Not only do we have no obligation to sit still during commercials, but they're widely regarded as conveniently placed opportunities to transfer the clothes from the washer to the dryer,

[02:00:39] to feed the dog, to make sure the front door is locked, you know, and to take care of numerous other things that make up our evenings. You know, when I use a web browser, I'm rarely confronted with a site that notices my browser is not displaying all of its advertising and asks me to please disable my ad blogger. But it has happened. When it does happen, I'm more than likely to just leave and go somewhere else.

[02:01:07] So I suspect that most sites that may have tried that for a while noticed that the practice resulted in a drop in their revenue rather than the reverse. So they decided to take the high road and accept what revenue they can get without attempting to force the issue. Anyway, yes, Matthew, it is a mess. And again, it's unresolved at this point. Tom Apelonek said,

[02:01:37] hi, Steve, great show as always. A couple of observations on copyright and ad blockers or AIs. He said, the ad blockers modified, he has in quotes, code and display of a webpage is only being displayed to the person who bought or is using the ad blocker. It is not being republished to anyone else. Books are also protected by copyright law,

[02:02:05] by the German court's logic, highlighting or underlining passages in a book that you own and the purchase of pens or highlighters for that purpose should also be illegal. I had, okay, so I had to reread that and think about, you know, that a bit to obtain all of Tom's logic, but I can see his point. It would be illegal to make a few changes to a copyrighted novel, for example,

[02:02:34] and to then resell it as one's own work. But it's certainly not against the law to rewrite a novel, tear out pages, or do whatever you wish to a copyrighted work that you own. So Tom is suggesting that having a webpage displayed is the delivery of a copyrighted work,

[02:02:57] that its recipient has every right then to change however they may wish. What they cannot do is capture and republish that modified work for their own benefit. And of course, no one's doing that. We're just choosing to modify that webpage, which we received for our own consumption. That feels like a pretty sound argument to me. Yeah, it does. Yeah. Well,

[02:03:26] somebody should write to the German court. Yeah. His email continues. Also, you described AIs as the ultimate super ad blockers, given their need to eventually show a profit. Oh, I fear this is probably short-lived. I suspect that AI dialogues will start changing in the near future to something like this. The prompt says,

[02:03:52] How can I get my Wi-Fi to reach to the end of my backyard? The answer from the AI, There are several options, including Wi-Fi extenders, long-range routers, blah, blah, blah. By the way, did you know that Best Buy has the Model XYZ router on sale this week for $69? Would you like me to provide you a link to the ad on their website? He says,

[02:04:19] Or maybe it will just show you the ad directly at the end of the answer. In any case, it will be interesting, if not disappointing, to see how this all shakes out. Thanks to all you and Leo, thanks to you and Leo for a great show and for keeping us all up to date on the latest security news. Tom, and he signs off Leo with WA2IVD, his call sign. 73W2IVD, WA2. And so,

[02:04:48] that made me remember. Remember how super clean and simple and straightforward and frankly beautiful Google's original search results were in the beginning? Just a white page with wonderful links to exactly what we were looking for. But those days are long gone. Now the page is encrusted with sponsorship barnacles and the link you'd love to have

[02:05:17] instead of being right there at the top of the page is buried beneath AI overview, a bunch of sponsored and not always on point tangential references that are trying to take you somewhere else. And eventually, you may find the link you're seeking. Sadly, I would bet, I would bet some money on Tom's vision of the future of AI chatbots turning into a massive advertising revenue generator. Or maybe the free version will be that and we're going to have to pay

[02:05:46] probably more than we are right now in order to get one that isn't, you know, advertising barnacle encumbered. I probably would do that, I think, because I'm finding this so useful. But yeah, I do imagine, I mean, Leo, can you imagine a better, more potent vehicle for ad delivery than an AI chatbot? I'm convinced that this is just around the corner. I think Complexity will do it.

[02:06:15] But I'm surprised they haven't done it yet, to be honest. Yeah. Because it's exactly what advertisers would love. Yes. Because you get all the context of the user. You know what the person is asking about. I mean, it's made. Nothing has ever been more made for delivering, you know, context-aware advertising. Yeah. Yeah. I do think it's inescapably our future. Someone calling himself

[02:06:45] Zaphod Zaphod Bebelbrox. Zaphod Bebelbrox, yes. This is from The Hitchhiker's Guide to the Galaxy. Yeah. He's Zaphod Bebelbrox I. Yes. So, just to be clear. Not a dissident. Amazing pangalactic gargle blaster and was the coolest fruit in the universe. So, just so you know. See, it's not fair, Leo, because you listen to audiobooks, so you know how these things are pronounced. Oh, you knew it was Zaphod Bebelbrox, you just didn't know how to pronounce it. I get it. Oh, I knew exactly

[02:07:15] who this was. You betcha, baby. President of the universe. he says, hey Steve, he says, hey Steve, RE ads on websites. As you switch to Brave, their BAT, B-A-T, idea, may interest you. It stands for Basic Attention Token. Basically, a crypto mind with attention. Something like this could make sense. It was also used years ago, but called crypto jacking, and now most browsers

[02:07:45] block it. ASIC resistant coins like Monero, which you may like for its privacy features, can be CPU mined, and therefore paid directly to the websites with no tracking. AI companies could also do something similar and pay every time their AI uses data scraping from that site. The economics could be tricky, and Beanie Babies aren't the best example, but if people really want BAT, the price will go up. Same way if people

[02:08:15] want U.S. dollars, the value goes up. It could be a good way to pay without paying. I don't think they could require a specific amount to go to a site, though because phones could generate minimal amounts. Okay, so to take his concept, we've touched on this before, it's truly, if nothing else, academically interesting. Cryptocurrency is here, and it's not going away anytime soon, if ever. Any cryptocurrency

[02:08:44] that can now be mined can be exchanged for actual government-backed non-cryptocurrency, you know, fiat currency. So imagine that while visiting a website, the visiting user's PC is tasked with performing mining work that directly yields value to the site. viewed from the perspective of a website, all of the potentially tens of thousands of visitors

[02:09:12] who are currently there looking at a site's content are also collectively mining crypto for the site. No single browser mines much, but collectively and continuously, it adds up. From the standpoint of the user, what's going on is that some of their electricity is being inefficiently converted through the process of micromining into currency that serves

[02:09:42] to reimburse the site for the cost of the visitor's presence and for the information they obtain. So this forms an interesting channel for moving some money web surfers pay for electricity by using that electricity to spin up more cores inside their CPUs which is used to perform work on behalf of the site which that site is then able to liquidate back into

[02:10:12] fungible cache. I haven't examined the economics of the idea to see whether it actually might make sense but Zafod tells us that the brave browser folks have done the math. So, if nothing else it's kind of interesting. Leo, we're at two hours let's take our last break and then we will continue with feedback from our listeners. Yes, indeed. Gladly. Our show today this is our last break brought to you by and it's a very

[02:10:41] appropriate sponsor Delete Me! Hello friends. Are you concerned about all the data breaches going on right now? No doubt you are. We just talked about the new transunion breach but here's an interesting point. Those data breaches by themselves really aren't as harmful as they could be. What it takes is a distribution network companies that are willing to take that information

[02:11:11] and then sell it on to the highest bidder. In this country it's legal. We call them data brokers. If you've ever wondered how much of your personal data is out there on the internet I think we now know it's all out there right? Your name your contact info your social security number even things like your home address information about your family members it's not only is it out there it's compiled by data brokers from all those sources and then sold online to the highest bidder which can be anybody

[02:11:41] advertisers marketers sure but also governments law enforcement anyone on the web can buy your private details this can lead to all sorts of nasty consequences identity theft phishing attempts doxing harassment but now you can protect your privacy with delete me well I look I live in public I share my opinions online I definitely want to keep some personal information

[02:12:10] like where I live private and I think it's really important if you have a company even if you're not a public figure if you think about it because your managers are the first line of defense and the first line of attack for bad guys for phishing attacks we got phished this was really an eye opener for us a couple of years ago people impersonated our CEO sent text messages from her phone number to her direct reports

[02:12:40] phone numbers saying hey I'm stuck in a meeting I need you to go out and buy 100 Amazon gift cards and send them this address pronto fortunately we have smart employees but when I saw that it really it concerned me I thought how do they know who Lisa is what her phone number is her personal phone number what her who her direct reports are what their phone numbers are then I realized it's easy this is the problem that information is widely available

[02:13:09] for pennies it's easier than ever to find personal information about people online and this is why we use at twit and we recommend delete me we immediately sign up for delete me for Lisa and she still gets notifications emails every few months from delete me saying hey we found this we're deleting it now it's a subscription service it removes your personal info from hundreds of data brokers we know there are what was it Steve 499 data brokers in California California alone alone

[02:13:40] and that was last month you know there's probably 100 more because it's a very lucrative business and it's an easy business to get in so what you do is you sign up you provide delete me with exactly the information you want deleted because you may not want everything deleted but just what you want deleted their experts take it from there they will send you as we you know know because we get them regular personalized privacy reports showing what info they found where they found it and what they removed because delete me

[02:14:09] isn't just a one-time service it's always working for you it has to because there's always new data brokers that that information gets repopulated constantly delete me constantly monitors and removes that information you don't want on the internet to put it simply delete me does all the hard work yeah I guess you could do it if you wanted to if you knew who all those data brokers were and you wanted to keep track of them all and you wanted to visit them on a regular basis delete me does this for you wiping you and your family's personal information and your company's

[02:14:38] and your manager's personal information from data broker websites take control of your data keep your private life private by signing up for delete me a special discount just for our listeners right now get 20% off your delete me plan when you go to join delete me dot com slash twit and use the promo code twit at checkout and the only way to get it 20% off is to go to join delete me dot com slash twit and enter the code twit at checkout join delete me dot com slash twit and use the offer code twit

[02:15:07] now I got an email from a listener who said I went to delete me dot com and they don't delete that's a different company so it's really important you do this right there's a European company with the same name I don't know how they get away with this I don't know how long they'll be in business but they do GDPR takedown requests that is not enough that does not stop data brokers and it doesn't work in the US delete me our delete me does but you have to go to the right website join delete me dot com slash twit go to the right one sign up

[02:15:37] take advantage of this it's a must it's a must all right Steve your turn Ian in Ottawa Canada says hi Steve he's referring to a feedback from last week he said just like Joshua I too have had some AI realizations but I reached two opposite conclusions from what I've heard we have a few low traffic WordPress sites hosted with a correspondingly small hosting plan

[02:16:07] but recently many AI crawlers have been ingesting 20 plus years of blog posts with many dozens of page loads per second of course this periodically maxes out our CPU quota as the pages are dynamically assembled by the WordPress site and also consumes our bandwidth quota if it were just one crawler fine but there now seems to be a continual parade of crawlers sucking up everything they can find

[02:16:37] so opposite conclusion number one AI is not good for small sites he said parens I'd be more inclined to move to a simple static site on AWS with their Cloudflint CDN for publishing content info and self-aggrandizement he said on the topic of AI summaries taking over I see a silver lining if I have a product or service that I want people to be able to understand perhaps now I can just write one

[02:17:06] big pure text authoritative document hopefully with a way to draw attention of the AI crawlers no need for high res images of happy people or acres of white space or a designer to tell me to use all lowercase headings with an exotic downloaded font displaying in medium gray on a light gray background or any of the other fluff that a good page needs nowadays which leads us to opposite conclusion number two

[02:17:35] AI summaries can free many of us from the burden of visual site design at this point I imagine that some of our listeners are thinking that GRC site was never very much burdened by the exigencies of visual site design and they would be correct I very much like solid red and blue on white with lots of rule lines and boxes and you use google fonts right for all your fonts and I just use like

[02:18:05] you don't even say I think it is yeah just whatever font they got whatever it is yeah Ian finishes am I just being provocative or could that be in our future I'm not sure thanks for all the work you and Leo do best regards Ian in Ottawa Canada so Leo you guys had a guy from Common Crawl oh yes Rich Screnta on your Thinking Machines podcast their mission is to deal with exactly

[02:18:35] the problem that Ian is having while the web is operating as you know every bot for themselves our websites are being redundantly visited by every bot of every company in single file the idea of Common Crawl is to crawl all that data into a series of online internet web snapshots that anyone is able to obtain it's kind of like internet archive but it's for

[02:19:05] AI right or researchers yeah common crawl dot org so their homepage explains they said Common Crawl maintains a free open repository of web crawl data that can be used by anyone Common Crawl is a 501c3 non-profit founded in 2007 we make wholesale extraction transformation and analysis of open web data accessible

[02:19:34] to researchers over 300 billion pages spanning 18 years free and open corpus since 2007 cited in over 10,000 research paper and 3 to 5 billion new pages added each month they said the corpus contains raw webpage data metadata extracts and text extracts common crawl data is stored on Amazon web

[02:20:04] services public data sets and on multiple academic cloud platforms across the world access to the corpus hosted by Amazon is free you may use Amazon's cloud platform to run analysis jobs directly against it or you can download it whole or in part you can search for pages in our corpus using the common crawl URL index so in this era of big

[02:20:34] data data storage is so plentiful and vast that there's no longer any need for individual companies to redundantly crawl the web doing so oneself is not simple and it requires the assembly and maintenance of a sophisticated web crawling infrastructure to pull all of that widely distributed data from across the globe and as we've noted having everyone rolling their own separately

[02:21:04] is expensive it's time consuming and it's redundant it makes so much sense to have a single centralized non-profit that everyone can easily reference as a single stored database I think it's kind of brilliant so I wanted to yes I agree yeah to note Ian's observation and and also to note that you know the guy you had on last week was you know which is really cool yeah

[02:21:34] a neat solution for this yeah Ed Hands said hello Steve as an IT manager security is always our top priority I recently listened to security now podcast 1040 last week and found the discussion about Germany possibly banning ad blockers particularly compelling I share your concerns regarding privacy and third party cookies however my primary concern extends beyond those issues in managing approximately 2000 endpoints

[02:22:03] and users our network has been hit by ransomware twice thanks to comprehensive policies procedures and security software we were able to prevent significant damage what concerns me most get this is that the ransomware was introduced through advertising delivery networks malvertising we're just talking about that yep he said you may have heard me yelling at the radio in the car

[02:22:32] about this that was probably while he was listening to last week's episode he said given this context if Germany passes legislation banning ad blockers it seems to me the case could be made that the advertising networks could or should be held financially liable for any malware distributed through their platforms it seems that such accountability would be appropriate thank you Steve and Leo for all you do with security now here's to the next

[02:23:02] 20 years of security now best regards ed h so yes malvertising we've talked about it its possibilities and dangers but it's still sobering to hear from a listener who has actually had first hand field experience and now more than just once with advertising being used as the entry vector for a ransomware scale compromise it doesn't seem as though that's

[02:23:32] something that receives sufficient attention accountability however you know the accountability chains essentially are difficult to manage and they become near to impossible to litigate when it's possible for multiple parties to point fingers at each other I've served as an expert witness in a few technical jury trials and it's been quite disheartening to see clever opposing counsel spin a jury and leave them unsure of their own names

[02:24:02] in these you know he said she said cases juries often choose not to award damages since they're unable to determine fault so I don't have much faith in the practical ability to hold an advertiser accountable though I love the idea you know they'll just say well we're just the conduit we're not responsible for the ads we show we know we get those from someone else it's like okay yeah great yeah Tom Herman said hello Steve

[02:24:31] as probably others already said sync thing supports encryption of the data on untrusted peers already he said I've been using this for many years for sync thing to my own NAS and other peers as I'm a bit paranoid and want to prevent any unencrypted data at rest you can see it in the settings of every folder when selecting the sync peers peers can be marked as

[02:25:01] untrusted and then a strong password needs to be set untrusted peers can even sync encrypted data among them if the same password is used with all untrusted peers also peers themselves can be marked untrusted in the settings and then the UI forces a password to be set when you want to share any folder with those peers regards Tom listener since day one time and Tom is absolutely correct

[02:25:31] I went and looked the option to set a password is right there staring us in the face at any sync thing user at the same time our previous listener may have been referring to the fact that at the top of the sync thing documentation page it states warning this feature should still be considered beta testing only and what that

[02:26:00] untrusted peers documentation page says is exactly what Tom just explained and it's what the UI shows so okay so first of all the operation is quite cool and in fact I sat down first thing I did this morning I looked at my Windows 7 sync thing whose version I froze because it's Windows 7 back in July of 2021 so it is more than four

[02:26:30] years old it is at version 1.18.1 and it has this so this this ability to encrypt the peer has been around for more than four years I suspect they just nobody's taken that warning message down from the documentation page because it got old and it didn't expire so what happens is the sync

[02:27:00] thing always uses a folder ID which is a short little random token it's not cryptographically strong but it does provide uniqueness for every folder name instead of human folder names it's the way sync thing knows the folder your password and that little blurch of pseudo random stuff are combined and hashed into a symmetric key which is

[02:27:30] used by probably a NAS or in Joshua's use case from last week his friend's storage where he wants to back up all of his data at home but not worry about it might getting out of control over there so that store never has the key all it's storing is

[02:28:00] complete pseudo random noise and it's his his syncing peer that knows the that holds the access password and the sync thing name of the folder which is syncing with which then allows it to always recreate the static symmetric key which is used to encrypt and decrypt the data and multiple clients can all

[02:28:29] peer to that common store as long as they have the same password and you're even allowed to have for example in my use case two NASAs synchronizing this pseudo random data without ever knowing what it is and peers then peering to those two NASAs so this is completely supported it has been for more than four years and it works wonderfully so just another reason that sink thing

[02:28:59] is as they used to say and I'm sure they don't name more Leo the cat's meow really that was their slogan the cats no but you know like I don't know beach baby Barbara or I didn't know that was I just I thought maybe you say that was their slogan I believe everything you say Steve I just you know I try the cats Dave in Seattle said hi Steve thanks for the tip and the

[02:29:29] free gig upgrade on sync dot com I've been looking for just such a solution wanting to avoid the big cloud and cloud services plus Canada what's not to love I thought you'd like to smart and something I've not seen anywhere

[02:29:59] else and Dave attached a screenshot to his note showing that the option to enable email based password recovery is set off by default I didn't recall that I just knew that they offered it as an option and I agree that having that off is just the way to do it you know you're going to if you're syncing to the cloud you take your security seriously you can set up multi-factor authentication as I have on my link.com account on my

[02:30:28] device which is not sharing its data anywhere else so it's a fully separate device and you've got the best security you can along with a super strong password of course finally Dan Dapkus wants to defend Microsoft and I'm all for hearing his defense he said hi Steve and Leo I've been a software engineer database administrator dev team manager

[02:30:58] director of app dev for over 30 years and a fan of your show for about 10 I hadn't heard of it before then I think yours is the only podcast to which I've consistently listened for such a long period of time I'm not sure where I'd begin if I were to go on complimenting both of you Steve your deep technical mathematical knowledge is remarkable and Leo your broad industry knowledge and experience are a perfect compliment I look forward to the show every week including

[02:31:28] the commercials because they are too often interesting and informative I've been thinking about writing this email no this criticism for years and episode 1038 finally knocked me over the edge and so I'm writing cutting to the chase you both qualify as Microsoft bashers throughout my career I've observed this phenomenon of IT pros who take various opportunities to

[02:31:58] rant and rave about all the deficiencies of Microsoft without acknowledging the blatantly obvious essential exculpatory context the following is the exculpatory context to which I refer he has in all caps for the first one Microsoft creates and supports multiple business and personal operating systems and software for much of the world and has done so successfully for decades

[02:32:28] okay that was all caps then he turned his caps lock off for the following points monthly Microsoft roll and first of all of course he's right about that monthly Microsoft rolls out cumulative updates to over 1.5 billion Windows 10 and 11 endpoints worldwide there are

[02:33:01] mine mine mine mine as their web server hundreds of thousands or millions more host their websites on Azure Microsoft .NET which is now cross platform is used by millions of developers worldwide 34% of all websites run on .NET technologies and Microsoft patches it monthly Microsoft Secure is one of the world's premier database systems SQL server and its PAS

[02:33:31] version Azure SQL database there are an estimated 8 to 10 million instances worldwide Microsoft Secure is one of the world's dominant office productivity suites Microsoft 365 there are 345 million paid subscribers Microsoft has an uniquely large attack surface and they diligently patch it it's inconvenient for everyone involved no

[02:34:01] one forces anyone to use Microsoft products if some perfectly secure inexpensive wonderful alternatives exist companies and individuals are free to adopt them and then shall be liberated of the need to complain about Microsoft well I will say that not everyone who uses Microsoft products has a choice because they work for companies that mandate what they use so that's the vast majority of people

[02:34:31] who use Microsoft Windows and Microsoft products are not given the from the transcript you said quote so I mean it is the way to do this but no one's doing it yet and he said Microsoft however has been doing it and more for years in Azure with its web app firewall which supports

[02:35:01] not only geo, filtering but also OWASP threat detection and blocking at the network perimeter read about it here and just for the record what I was referring to was requiring it not having it available somewhere in the background like putting it on the UI and asking making developers do something about it so he finishes saying Microsoft's task is Herculean and I think they generally

[02:35:31] do a good job can you think of another company that you trust and would expect to behave more responsibly and competently and less greedily with Microsoft's responsibilities thanks again for your hard work and for many more episodes of security now best damn Dupkus so Dan I think makes some valid points which I wanted to share with everyone on the podcast I know I know I am hard

[02:36:01] on Microsoft and I do acknowledge that GRC runs on Microsoft servers with one free BSD Unix exception and we all know that I'm exclusively a Microsoft software developer so I'm very aware that I beat up on them weekly and that's W-E-E-K-L-Y while I have said there are

[02:36:31] decisions not mistakes which anyone can make that I have great difficulty swallowing which are their choice we're told that Windows 11 will run faster than Windows 10 on the same hardware because it's more efficient but that Windows 11 won't run on all of the same machines that are handily running Windows 10 today and that TPM 1.2 versus 2.0 requirement is pure nonsense

[02:37:01] TPM 1.2 has always been just fine and it still is and we all know that Windows 11 can be tricked into running on older quote incompatible unquote hardware this promises to create a huge problem for the next few years for many people who would just like to Windows 10 but Microsoft says no that's by design and the idea of charging some users to receive

[02:37:31] patches for flaws for which perfectly well working patches have been created is just wrong if a patch exists to repair a product defect Microsoft product defect that they created it should be provided to that product users period full stop charging anyone extra to fix product defects is never going to sit well with me so I suppose

[02:38:00] my overall complaint is that while Microsoft has every right to be self interested they are so ridiculously massive massive massive for most companies there really is not any effective alternative and I'm certain that's something that our listener appreciates given that and the nature of capitalism Microsoft will not may will abuse the power they have for their own self interest they're going

[02:38:30] to do it just because they can I'm not leaving Microsoft and Windows I can't and I don't want to but I'm very glad to see that large European countries are becoming fed up with Microsoft shenanigans I mean just as Dan said people can leave

[02:39:02] that has no effective alternative Microsoft is in an enviable position they've earned it but it takes a great deal of institutional ethics to resist abusing it they're walking a fine line and I would defend the fact that it's our job to talk about the issues that occur and everybody recognizes that Microsoft has a massive job but are you saying we should just give them a pass because of that and

[02:39:32] not mention anything that they do wrong or we think they could do better I think that's part of our job is to say what they could do better and unlike you Steve I refuse to use Microsoft products so I do not and I think I've found better alternatives but I'm not required to by my company I used to

[02:41:01] fan operation we're not fan boys that's not our job here we're users and we represent users not these companies and so when a company could do better we we'd say you could do better that's I don't think that's unfair I really took them to task when XP was going to be shipped with raw sockets I went nuts trying to prevent that disaster and it wasn't until service pack 3 that they finally turned it off after they got attacked by their own raw sockets I got raped

[02:41:31] by the register and Microsoft themselves you right you were absolutely right as Microsoft ultimately had to admit so look you don't want us to see here constantly praising everything certainly not in security now this is a show about things that aren't going well we talk about mistakes here and Microsoft makes their fair share because they're they're they're like the platform to make what to do they're what everybody uses

[02:42:08] it's that job I couldn't do it no okay and our last piece an update and I'll be interested to hear about you and Amazon here in a second Leo but first on Sunday while I was assembling today's podcast two days ago the iPhone I have resting on a stand next to me alerted me to a Facebook posting by Rick Brown and by the way Leo we need to get Jeff some meds I think why because

[02:42:38] his postings I mean I'm afraid he's going to give himself an aneurysm or he has a bad ticker and yet he tell him just turn off the TV stop watching Morning Joe and I know I be nice to yourself Jeff I don't look I gave up on watching

[02:43:08] the news unfortunately it's kind of part of my job and it bleeds over into the news the tech news that I have to research and cover but yeah it's it's hard anyway my phone my most favorite long running science fiction series known as the

[02:43:38] Frontiers Saga that's plural Frontiers Saga when he embarked upon his writing he conceived of five long story arcs where each one would receive a 15 novel treatment he's currently one novel away from finishing the third story arc which would make that next novel his 45th and he's near to finishing novel 45 I've read them all waiting for the

[02:44:08] 45th one and what because I've had to wait in through some periods I've read much of them three or four times I

[02:45:02] into confrontations with non humans that's going to be something so I know that Rick has many fans among our listeners because I often hear from many of you who are enjoying the many characters he's created every bit as much as I am so I wanted to share Rick's Facebook posting from two days ago since he's soured on Amazon's Kindle unlimited service and things will be changing for the two final story

[02:45:32] first started Kindle unlimited I was still being compensated for reads through Kindle unlimited at a rate of about 70% of what I would make on a purchase the entire system is rather arbitrary and has become so polluted and gamed over the years as to be laughable the amount of compensation for reads through Kindle unlimited is now down to a mere 30% which means that every

[02:46:02] time someone reads one of my books through Kindle unlimited instead of buying it and they're not expensive I'm losing on average about 60 to 70% in sales revenue while I do not begrudge anyone for using the least expensive way to satiate their need to read in the end I'm running a business and my

[02:46:32] part four of the saga my books will no longer be available in Kindle unlimited I'm hoping that if you read this far in my series you won't mind spending a few bucks and that's all they are every three to four months for a new episode if you have been reading part three through Kindle unlimited and are not up to date I would suggest you download them as soon as possible as they will begin dropping out of Kindle unlimited as soon as September 2nd

[02:47:02] that's today by the way I will put the final episode of part three in Kindle unlimited for three months after publishing so that those of you who must use Kindle unlimited in order to afford reading my stories will at least be able to finish through part three but by the end of 2025 all parts two and three will no longer be available through unlimited although I will be leaving all of part one in unlimited for now

[02:47:31] in order to attract new readers eventually most if not all of those titles will also be taken out this is not without risk as Amazon unfairly waits unlimited reads towards sales rankings even though a Kindle unlimited read is not a sale and it could cause my rankings to tank and for me to lose revenue but it has to be done Amazon is ripping us off

[02:48:01] and the only other way I can combat this is to write faster which means poorer quality and or to raise prices now is the best time for me with my new Astra Nullis project and a small inheritance from my late mother I had the best chance of weathering the storm that will without doubt be created by removing my books from unlimited however if I can publish my works on other

[02:48:31] platforms as many of you have asked me to do to those of you who purchased my books even though you could read them through kindle unlimited I thank you without you I would not have made it this far rick rick yeah so I I Leo I know that you've soured on amazon and you no longer wanting to support them we knew this would happen we knew that the and this is what cory doctor talks about in his book and shitification we

[02:49:14] about milking the customers and they become such a monopoly they're an absolute monopoly in audiobooks and you know so it's funny because one of the people we love Dennis E. Taylor the Boboverse guy is an Amazon exclusive and he says you know that's one of the problems with Kindle unlimited is you have to agree you won't be anywhere else that Kindle is your exclusive oh that's okay well

[02:49:44] he said when I self published outland I went wide Kobo EPUB Google Play he says but I didn't make any money I made money with Amazon exclusivity and Kindle unlimited and this is the issue is it's a monopoly and it's not good for us as users I would like I prefer to use Kobo I buy my audiobooks from Libro.fm instead of

[02:50:14] it's an audible exclusive I wanted to read Dungeon Crawler Carl which is a very popular sci-fi series right now and it's only on audible because Amazon insists on these exclusives and I think those authors maybe are well compensated but in the long run it's bad for users because I like to buy them on Libro.fm because it supports our local bookstore and it's the

[02:50:45] squeezing really hard to make sure that they're the only place you can buy these books or listen to these books and I don't think in the long run that's good and as soon as they do have that monopoly of course the price goes up and the author payments go down the other problem a lot of people reported with Kindle Unlimited is the amount of AI stuff that's on there and even non Kindle and Rick's going to experience this even if

[02:51:26] percentages many of the books are not written Amazon does nothing to stop that I mean there's a human behind it it's not the AI is not doing it on its own go baby go but the human is not writing it it's not good it's not good they're not good books that's going to become more and more of a problem too as we search for books to read about

[02:51:56] the Mississippi River there's a lot of nonsense that's not real history but it's hard to distinguish it wow so and this is I think this is my biggest problem is that it's just the sheer power the sheer market power that Amazon wields well I'm as we know I believe in capitalism but I also maturely understand that our system is not stable because big companies tend to get bigger and you know as I finished when I was just there talking about Microsoft

[02:52:26] I said you know Microsoft is in an enviable position they've earned it but it takes a great deal of institutional ethics to resist abusing it right and that's what ends up not happening and when you've got a board of directors and C C they want their profits their quarterly payouts they want their dividends they want the stock buybacks

[02:52:55] but in the long run all of this is bad and this is I mean we've known this for 100 years since the Sherman Antitrust Act that yes capitalism is good until it becomes a monopoly and then it needs to be regulated right and unfortunately it's it's unfortunately anyway yeah you can't

[02:53:25] wean yourself off of Amazon despite the you know as much as I can but there's stuff I can't for instance the things you need are only there yeah or it's very convenient so you mentioned I should be taking this lithium orotate and I it would have been very easy to get it on Amazon and have it arrive the next day but I decided no I'm going to someone else I'm going to a vitamin shop and order my vitamins from them moved everything off subscribe and save as best I can but I acknowledge it's very

[02:54:17] that you you look it up on Amazon and you just go to the front door I don't know how they do it it is amazing and so it spoils you I need a left handed slime widget and there it is

[02:54:49] yeah yeah I feel for Rick I wish him well I hope so I hope everybody who is like Rick Brown these great authors like Dennis Taylor and Rick Brown are able to create and get paid properly for the stuff they create we work really hard to make sure that you know our our hosts get compensated and our employees get compensated we pay a living wage we try very hard to do it it is not easy for what it's worth Rick Brown Frontiers saga I it's one of my

[02:55:18] favorite favorite series I mean we have done Honor Harrington and the Lost Fleet series we've done a bunch of fleets and if you'd like to consume a lot of sci-fi there's 45 books now I always tell myself I'm not going to start until one of his arcs is finished because I always outpace him of course so but still waiting for Peter Hamilton second volume yes and I don't really care that was so

[02:55:48] complicated with all those weird creatures and far future and I have a problem when it's so far in the future that they're not even human trans humans and they're still using contemporary idioms it's like come on it throws me out of it it's so different well that's alright you know some people like it we get to choose

[02:56:17] we do indeed and we will recommend what and warn people away from what it's just our opinion we're just some guys with a microphone yep steve gibson is at grc.com and if you like what he does there's a couple of ways you can support him of course his bread and butter is his fabulous spin right program which

[02:57:22] on track zero. And when I low level formatted that, that the outcome was not good. So I had to fix that quickly. But anyway, yeah, those were good days. It's great. While you're there, by the way, grc.com, there's a couple other things you can do if you want to get the, I got it yesterday. It's great to see it. Get the show notes the day before often. Steve will email them to you. He's got a little newsletter. But the way you do this is interesting because Steve is a privacy focused

[02:57:51] guy. You go to grc.com. First thing you can do there is validate your email address. This is his anti-spam solution. It's brilliant. He validates the address, then you can send him email. Otherwise, he's not going to see it. So go there, get your email address validated. And when you're there on that page, you'll see two checkboxes below, unchecked by default, one for the weekly email for the show notes. Nice to get them ahead of time. And they're very complete. Does the best

[02:58:17] show notes on Twitter? All the details, links, everything, images. Also, though, he's got a, he's only sent out one email on this mailing list. There might be another soon, though. This is his announcement mailing list. We're waiting for announcement for his DNS Benchmark Pro, which should come out any day now. So if you check those two boxes, you'll get those emails. Nothing else. Steve promises. You can also get a copy of the show there. Steve has unique versions of the show

[02:58:45] because, well, of course, he's got a 16 kilobit audio version for people who really want the smallest possible version of the show. He also has a 64 kilobit audio. That's full fidelity. That's really the assembly language version of the show. Just the bits. Nothing else. Just the bits. Not even all the bits. Most of the bits. It's not all of them. He also has really well-written transcripts

[02:59:09] by Elaine Ferris, an actual human being, a court reporter, in fact, who does a great job transcribing every bit of this show in a beautiful way. And you can download that. Those are all free. And it's easy to get all three of them if you want or get the show and the notes or get the show and the transcript. The transcript's great to read along, but it's also useful for searching. We have the show on our website,

[02:59:34] twit.tv slash sn. Now, our versions are different. The audio version's a little bigger, 128 kilobits. That's because of the way Apple does transcoding. We have to do that. We also do a video version. You can get that at Twit. There's a YouTube channel dedicated to the video version, which is extremely useful if you want to clip something. You heard a story and thought, I got to send this to the IT department. They need to know about this or whatever. It's easy to do that in YouTube, and everybody has

[03:00:01] the capability of watching a YouTube video. That's kind of universal. Best way to get the show, though, in my opinion, is to subscribe. It's a podcast. That means you can get the RSS, get it automatically downloaded as soon as it's available on a Tuesday. Just look at any podcast client. You'll see it. Leave us a good review. Leave us a five-star review. Help spread the word. Everybody should know about security now. Very important. You can even watch us live if you're really anxious to get the freshest version of the show with breaking news and all. We stream live

[03:00:30] right after MacBreak Weekly on Tuesday afternoon, 1.30 Pacific, 4.30 Eastern, 20.30 UTC. Those times are approximate. In fact, next week, we might be a little late, Steve, because we're going to be doing the Apple phone event. That probably pushed MacBreak Weekly back. We might have to start at 2 or 2.30 Pacific next week, just a heads up. But you can watch us live if you're in the club, and I hope you are, because that really supports us. It supports Steve. It's 25% of our operating

[03:00:58] income right now. It's very important to us. You get ad-free versions of the show. You get access to the Club Twit Discord, which I am from now. I'm going to call the Club Twit Disco. Although Mallow Chicken is close. It's right in there. It's a possible runner-up. If you are in the club, you can watch us live in the Club Twit Discord. Chat along with us as you watch. But we're also

[03:01:20] available to the public at that time on YouTube, TikTok, Facebook, LinkedIn, x.com, kick, and I'm missing one. Anyway, many other places. Anywhere that streams, you can find us. Facebook, LinkedIn, x.com, TikTok. Anyway, YouTube, twitch.tv. Anyway, all of those places. I think that does it for the business end of this show. I think it's time to say goodnight to our

[03:01:49] family and you, Steve Gibson. We'll see you next week on Security Now. Right-o. And we have you until, let's see. I will be here. I'm leaving the 20th. So I'll be here through the, what is that? The 18th? No, the 17th. Okay. Two more weeks. Two more weeks. Yeah. Cool. And then you're three years gone for three. 16th, I guess it is. And did you, and the, the, the stucco is dry and painted?

[03:02:15] No, no, no. The, the, right now what we're in the midst of is we're waiting to find out. It's possible. Lisa will say, oh, I have to stick around. Which case I will be searching for the source of the Mississippi river. I was going to get my pith helmet. I will be searching a source of the Mississippi river all on my own looking for Dr. Livingston. Otherwise, Lisa will accompany me and the stucco be damned. And that's what I'm trying to persuade her. You might go solo.

[03:02:45] You might. Well, I decided I, even if I have to go solo, I really want to do this. So. Oh, okay. Somebody's got to find the source of this river. I mean, it's just driving me crazy. You know, it, cause it moves around. Yeah. It's hot in that pith helmet. I thought it was supposed to be cool in the pith helmet. Steve. Well, we want you to have a nice vacation and to return refreshed and rejuvenated and recharged. I think Micah's filling in for me when I'm gone. So. Yep. Cool. You'll still have a wonderful, wonderful time. And we will see. Okay.

[03:03:14] I'll be back for two more weeks through the 16th. Good. Take care, Steve. Okay, buddy. Bye. Security now.