SN 1051: Amazon Sues Perplexity - Nevada's Ransomware Comeback
Security Now (Audio), November 12, 2025
1051
2:44:03, 150.37 MB

SN 1051: Amazon Sues Perplexity - Nevada's Ransomware Comeback

Amazon is taking Perplexity AI to court over its agentic browser that shops on your behalf, raising urgent questions about who controls your online buying experience when bots do the heavy lifting.

  • FFmpeg teaching assembly language for performance.
  • The state of Nevada recovers after not paying ransom.
  • A "rounding error" nets a clever attacker $128 million.
  • Why would Chrome decide to start form-filling driver's licenses.
  • The UK's six major telecom providers to block number spoofing.
  • XSLT support being removed from browsers. Will anyone notice.
  • Firefox introduced paid support options for organizations.
  • Russia continues to fight against non-Russian Internet.
  • Google acquires another Internet security company (Wiz).
  • The EU to finally fix their cookie permission mistake.
  • More countries drop Microsoft office for open choices.
  • More countries question and examine Chinese made buses.
  • Microsoft discovers some information leakage from LLMs.
  • What does Amazon's lawsuit against Perplexity's agents mean for next-generation browsers

Show Notes: https://www.grc.com/sn/SN-1051-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:


[00:00:00] It's time for Security Now. Steve Gibson is here. FFmpeg says, you ought to be using assembly language. Steve says, right on. Why would Chrome, the Chrome browser, start to offer to fill in your driver's licenses? Steve has a theory. Microsoft discovers a wild way you can get information out of LLMs. And finally, Steve takes a look at the fact that Amazon is suing Perplexity because they're using their agentic browser to buy things on Amazon.

[00:00:30] What's that all about? That and a whole lot more coming up next on Security Now. Podcasts you love. From people you trust. This is TWIT. This is Security Now with Steve Gibson, Episode 1051, recorded Tuesday, November 11th, 2025. Amazon sues Perplexity.

[00:00:58] Podcasts you have a great day. It's time once again for Security Now, the show you wait, I wait, all week for. Every Tuesday, we get together with this guy right here, Mr. Steve Gibson, to find out what's new in the world of security. More than a hundred thousand people listen every week, Steve. Steve Gibson Gibson, CEO of the United States of America, and I wait for it as much as they do. What is going to happen this week? Well, let me guess. Ransomware, security flaws.

[00:01:27] Actually, you've got a story. Your big story is a little different than the usual, but I'll let you tease what's coming up. It is because it's sort of the, well, if you had three feet, it would be the other shoe. It would be the shoe after the other shoe. Yeah. After you run out of your two feet, you're still holding this shoe and then you dropped it. Because why do I have a third shoe? I only have two feet.

[00:01:57] The third shoe will drop later in the show. Yes, it will. We have not yet looked at the whole different issue of agency as regards what our browsers may do for us. And it turns out that's different than the robots.txt file controversy that we got into with Cloudflare earlier,

[00:02:20] or the AI browser getting confused with text from the internet versus text from its commander in the prompt injection issue. This is different. Today's podcast, I just titled, and actually, Leo, this started out as just the first topic of news for the week. But as I fleshed out all the other news, it stayed big. And I thought, okay, let's just, let's focus on that as our main issue.

[00:02:49] So today's title is Amazon Sues Perplexity, which is, well, first of all, boy, if you Google that, your browser explodes with hits. I mean, the whole internet went nuts over this because everyone recognizes that this is a big issue,

[00:03:12] which we're going to get to for our 11-11-2025 Veterans Day episode of Security Now, 1051. But what? We've got more stuff to talk about. We've got FFmpeg surprising everyone by deciding they need to teach people assembly language in order to get FFmpeg's performance up where it needs to be.

[00:03:38] And they made some claims that some notable industry people said, well, I don't think that's right. We'll talk about that. We've got the state of Nevada bragging, boasting about their recovery after not paying any ransom. Also, oh, a rounding error netted a very clever attacker 128 plus million dollars in some DeFi.

[00:04:08] Who knows what the hell is going on? But we'll talk about that. Also, why would Chrome decide to start auto-filling driver's license numbers? That's an interesting question. Don't want. The UK's six major telecom providers have decided that they're going to block number spoofing within the UK. Why didn't we think of that?

[00:04:37] That XSLT is a feature that is being removed from all the browsers, but not tomorrow, soon. But the question is, will anyone notice? And if it's something that you depend upon, well, you need to stop depending upon it, kind of like Flash was once upon a time. Also, Firefox has decided to introduce paid support options for organizations. What?

[00:05:03] Russia continues to fight against the non-Russian internet. Okay. I'm sad for Russian citizens, I guess. Google has acquired another internet security company. We'll talk about that. Oh, Leo. The EU looks like they're going to fix this whole cookie pop-up banner nonsense. Oh, my God. No. Yes. Be still my heart. I know. It's going to go away.

[00:05:32] You know, it took them a few, what, years, many years to fix it. But it's, yes, it's coming. Yes. Also, more countries are dropping Microsoft Office in favor of open alternatives. We've got more countries worrying about Chinese-made buses phoning home.

[00:05:52] Microsoft has come up with a really interesting, at first it looks like, what, yeah, what, leakage from LLM by looking at encrypted LLM conversation TLS packets. But the darn thing actually works. And then we're going to look at what Amazon's lawsuit against Perplexity's agents means for our next generation browsers. So, lots of good stuff to talk about.

[00:06:22] I've got a little update. I have a nice bit of feedback from one of our listeners about Spinrite. An update on my DNS project at one year. We're done. And there was a third thing. I don't remember, but we'll get to it. And, of course, a great picture of the week. So, I think maybe, you know, a good podcast. Once in a while, you got to, you know, keep making them. Some of them will turn out. I'm just joking. They're always great.

[00:06:50] And we are excited about the security now. Now. Now. Security now. Now. Now it's security. Now. Now. But first, it'll be security in a minute. So, sort of now. But first. Security now. Insecurity in a minute. Insecurity temporarily. Actually, this is a solution you're going to want to know about if you are worried about ransomware.

[00:07:16] I often wonder, how is it that these companies don't have some sort of data resiliency plan? You know, how is it that they are so vulnerable? Maybe they haven't heard about Veeam. Our sponsor for this section of security now. When your data goes dark, Veeam turns the lights back on. Veeam keeps enterprise businesses running when digital disruptions like ransomware strike. How do they do it?

[00:07:45] By giving businesses powerful data recovery options that ensure you have the right tool for any scenario. Even the worst case scenario. Broad, flexible workload coverage from clouds to containers and everything in between. That's, I think, one of the reasons it's challenging these days to have data resiliency. Your data is living in a lot of different places. With Veeam, you get full visibility into the security readiness of every single part of your data ecosystem. It's tested.

[00:08:14] It's documented. And it's proven. In fact, you're going to use Veeam to make provable recovery plans that can be deployed with the click of a button. Verified recovery plans. Plans you know will work. That's why Veeam is the number one global market leader in data resilience. Look, just call them the global leader in helping you stay calm under pressure. With Veeam, it's all good. Keep your business running at Veeam.com.

[00:08:43] That's V-E-E-A-M.com. And if, you know, ransomware has brought your business down and you're looking at paying millions of dollars in ransomware, don't look at me. I told you, Veeam.com. All right, Mr. Gibson, picture of the week time. Picture of the week. So, I gave this one the headline,

[00:09:07] An important consideration when you're able to decide where you should have your emergency. Okay, let's take a look. Emergency phone not installed. That is absurd. Please do not have an emergency at this location. Okay.

[00:09:34] Again, an important consideration when you're able to decide where you should have your emergency. Okay. So, for those who are not seeing the video, we have a partially installed emergency phone kiosk. But only the external framework is there. The phone equipment has, you know, I mean, obviously that mechanical structure has to go in first.

[00:10:01] Then the phone installers come along and put the guts in. So, this has no guts at this point. So, somebody who didn't want the appearance of this bright yellow emergency kiosk, which is probably familiar to those in the area from other similar bright yellow emergency kiosk, didn't want anyone to believe that they could actually rely on this to report their emergency. Don't run over there.

[00:10:56] Noted that there was a strange droid with a lightsaber in the background. It's a fire hydrant, folks. Come on. Yeah. And so, I guess this must be like a heavy snow area. Exactly. Don't you normally have like those things to indicate where the curbs are? And in this case, I guess if there was a fire and there was a lot of snow that was covering up the fire hydrant, which looks kind of stubby, actually. This is not. I'm wondering about this picture.

[00:11:26] It looks too much like a droid with a lightsaber. I'm starting to think. There's a little tongue firmly planted in cheek. I do think that that is a pole, a bright red pole sticking up from a fire hydrant so that the fire equipment, you know, people. I've also known as firemen are able. We'll know. We'll know where the buried, not very tall fire hydrant is.

[00:11:55] If you take about what? Two feet. About two feet of snowfall to cover up that hydrant. And then you'd think, I know there's we know that there's no emergency phone service in this location, but there's got to be a fire hydrant around here somewhere. Fortunately, if there's a red post sticking up out of the snow, you go, ah, that's the fire droid that we could use to hook our hoses up to. So, anyway, at this point, we're exhausted. It's time for another sponsor break. No, just kidding. All right.

[00:12:24] The news is that assembly language lives, which, of course, is a topic near and dear to me. Last Wednesday on the 5th, the official FFmpeg X account tweeted, FFmpeg makes extensive use of handwritten assembly code for huge, and they have in parens 10 to 50X speed increases.

[00:12:52] And so we are providing assembly lessons to teach a new generation of assembly language programmers. Learn more here. And they have a link to a GitHub account and page. And then a big picture in their tweet, FFmpeg asm lessons. And it generated a lot of interest.

[00:13:20] This was November 4th, early in the morning. So, OK. People who posted to that thread, which this FFmpeg posting started, questioned that 10 to 50X speed improvement could possibly arise from coding in assembly versus an efficient high-level language.

[00:13:45] And much as I love assembly and choose it for all of my own work, I agree. What I suspect must be going on is a very unfair comparison.

[00:13:59] All modern processor instruction sets have extremely powerful and fast, special-purpose vector and array handling streaming instructions, which are heavily pipelined and designed to do the kinds of things that FFmpeg needs to do with audio and video.

[00:14:24] And those can be used when the entire solution has been deliberately designed around using them. So, by comparison, any sort of more generic solution that did not use those super special purpose, you really can't do anything else with them but this, instructions, would be massively handicapped by comparison.

[00:14:50] So, any naive implementation, which did accomplish the same function, which was written in a high-level language, but did not also take advantage of those special purposes, you know, like special purpose processor acceleration features, would absolutely not have a chance. But you don't have to not take advantage of those instructions if you're using a high-level language. You could use those.

[00:15:20] You have to sometimes, you know, drop down briefly and manually request that instruction. But the current high-level languages all allow you to drop down and hand code some things because it is recognized that there are some places where assembly language still can be the right way to solve a problem when it isn't explicit.

[00:15:44] And then, like, when there isn't some explicit special casing that was done in the high-level language for a given processor architecture. So, anyway, I wanted to share this X posting from the FFmpeg group because those tutorials posted over on GitHub, both of all available in French, Spanish, and English, might be of interest to anyone who's curious about assembly language.

[00:16:11] Since our listeners know that assembler is my preference, I'm often asked by our listeners how they should get started in pursuing, you know, some, you know, if nothing else, just sort of, you know, dipping their toes into the water of assembly. So, it might be that these FFmpeg asm lessons would be worth looking at.

[00:16:36] And they do offer a Discord server for asking and receiving questions that might arise. So, I have the link there in the show notes on page, at the bottom of page two. And I just wanted to put it on everybody's radar. Last May, an employee with the state of Nevada made the mistake of clicking on a malicious search engine ad,

[00:17:03] which installed a malicious sysadmin tool from a spoofed website. The employee didn't know any better. And this was back in May. Three months later, Nevada received ransomware demands, which it declined to pay. Having finally recovered in full last Wednesday, the state's press release carried the headline,

[00:17:31] Nevada completes 28-day recovery from statewide cyber incident, refuses ransom, and releases after-action report. What they said was the following. Carson City, Nevada, November 5th, 2025.

[00:17:50] The Governor's Technology Office, the GTO, today released the 2025 statewide cyber incident after-action report, detailing Nevada's 28-day recovery from an August ransomware attack. Guided by pre-established incident playbooks and vendor agreements, the state did not pay a ransom. Amate

[00:18:17] controlled statewide services within four weeks. And actually, they initially restored much more quickly. Well, I want to cover this in detail because there's a template here that is useful and actually kind of impressive. And recovered approximately 90 percent of impacted data that the other 20 they're not trusting yet. So they want to be careful with that.

[00:18:39] The remaining items, while still in control of the state, were not required for service restoration and are undergoing risk-based review with continued monitoring. The state will take appropriate notification or remediation actions if new information emerges. They said Governor Joe Lombardo said, quote, Nevada's teams protected core services, paid our employees on time, and recovered quickly without paying criminals.

[00:19:09] This is what disciplined planning, talented public servants, and strong participants deliver for Nevadans. State CIO Timothy D. Galuzzi said, we executed, then communicated. Our staff and agency partners worked around the clock with expert vendors to contain the threat, rebuild securely, and bring services back online in measured phases.

[00:19:36] The numbers are 28 days to full service restoration across affected platforms, around 90% of impacted data recovered, residual items under risk-based review with enhanced monitoring, no ransom paid, response executed under cyber insurance and pre-negotiated vendor agreements,

[00:20:01] 4,212 overtime hours by 50 state employees at $210,600 direct overtime wages, fully loaded estimated at $259,000.

[00:20:28] $1.314 million obligated to specialized partners, forensic recovery, legal engineering, to accelerate containment and rebuild. And they said how Nevada stepped up. Continuity of operations, payroll processed on schedule, high-impact public safety, and citizen-facing systems were restored in phased order. Speed and discipline. Speed and discipline.

[00:20:55] Around the clock, state teams executed 24-7 playbooks alongside partners, enabling a 28-day full restoration faster than many public sector timelines for incidents of similar scope. Fiscal responsibility. Surge work was led by state staff.

[00:21:15] Even using conservative, fully loaded overtime costs, the state avoided hundreds of thousands of dollars versus an all-contractor model, meaning they kept it in-house largely, while retaining institutional knowledge and tighter change control.

[00:21:34] Within hours, Nevada engaged, and I have a timeline I'll go over in a second, but they wrote, engaged prepositioned experts for forensics recovery and legal privacy support, including Mandiant, Microsoft DART, Dell, SHI, Palo Alto, Baker Hostetler, that's their law firm, and local engineering support from Eris. Under cyber insurance, under cyber insurance and statewide contracts.

[00:22:01] The complete after-action report outlines next phase hardening and modernization, including the pursuit of a centrally managed security operations center, an SOC, unified endpoint detection and response, EDR, identity hardening, OS and application control, and expanded workforce training to sustain resilience against evolving threats.

[00:22:25] In other words, as a consequence of their direct hands-on involvement in this, rather than just throwing up their hands and bringing in outside people, they got a bunch of takeaways which are informing them how to do better next time. Acknowledging that these threats are evolving. I cut out a lot of the glad-handing that was in that announcement. They seem rather pleased with themselves over this.

[00:22:56] I was unable to find any indication of the size of the ransom demand they declined. I think it was never made public. But given the reporting of the event at the end of August, I imagine that the demand was hefty because the bad guys did knock the entire state off its knees. I mean, they were down. All of the automated services went offline. I mean, it was a sweeping attack.

[00:23:25] The Associated Press' headline at the time was, Cyber attack shuts down Nevada state offices and websites, governor's office says. And Reuters' headline read at the time, Nevada state offices close after a wide-ranging, quote, network security event. You betcha, unquote. So the most interesting data comes from their complete 30-page after-action report,

[00:23:54] which I'm not going to drag everyone through. But among that, there were a couple of interesting tidbits. We learn on August 24th, 2025, get this, at 1:50 a.m. Pacific Daylight Time, the state of Nevada governor's technology office identified a system outage that resulted in multiple virtual machines going offline.

[00:24:23] Okay, 1:50 a.m. PDT on August 24th. Guess what day of the week August 24th is? If you said Sunday. Friday? Saturday? Yeah, Sunday. Sunday morning, 1:50 a.m., because you want nobody around. You want to surprise as much as possible. You want to get as much dastardly deeds done during as much time as you have

[00:24:52] before anybody is able to wake up to this. So very much like New Year's Eve or Christmas Eve sort of thing. So they wrote, initially locked out of the systems, the GTO team successfully, that's the governor's technology office team, successfully regained access using backup credentials and discovered encrypted files alongside a ransom note. They isolated the affected VMs

[00:25:21] to prevent further spread of the ransomware. Legal counsel from Baker Hostetler, LLP, was engaged and promptly brought in Mandiant, a leading cybersecurity firm under Google Cloud (remember, we talked about Google's purchase of Mandiant a while ago), to conduct a privileged forensic investigation. The investigation revealed that the threat actor had infiltrated the system as early as May 14th of that year,

[00:25:51] of this year, 2025, when a state employee unknowingly downloaded a malware-laced system admin tool from a spoofed website. This tool installed a hidden backdoor, which remained active despite Symantec Endpoint Protection quarantining the tool on June 26th. The attacker escalated their access by installing a commercial remote monitoring software on multiple systems,

[00:26:21] compromising both standard and privileged user accounts. By mid-August, the attacker had established encrypted tunnels and used remote desktop protocol, RDP, to move laterally across critical systems, accessing sensitive directories, including the password vault server. On August 24th, the attacker deleted backup volumes and deployed ransomware, encrypting VMs

[00:26:50] and disrupting critical services. And elsewhere, the report says, between August 16th and August 24th, the threat actor accessed multiple critical servers, including the password vault server, and retrieved credentials from 26 accounts. They meticulously cleared event logs to obscure their activities. On the day of the ransomware deployment, the attacker deleted backup volumes

[00:27:20] and altered security settings to facilitate the execution of unauthorized code. At 1:30 a.m. PDT, ransomware was deployed, encrypting VMs and disrupting critical services. And as I said, not surprisingly, August 24th was a Sunday. So very deliberately, at 1:30 a.m. on a Sunday morning, the attackers uncloaked and attacked.

[00:27:50] They relied upon no one being around and minimal, if any, crew, even later in the morning on a Sunday to enable their active attack to go unnoticed for as long as possible. This report, as I said, pats themselves on the back frequently, and I've removed most of that since it's not informative and it's frankly somewhat nauseating because they're like, okay, we get it, guys. But in all fairness, Nevada's IT response

[00:28:19] was very impressive. On that Sunday morning, at 1:52 a.m., the VMs that run the state were encrypted and went offline, crippling systems statewide. By 7:37 a.m., on that same Sunday morning, the incident had been escalated to the CIO and governor's office. Only a little over two hours later, by 9:51 a.m.,

[00:28:48] the credential lockout was lifted using backup credentials and access to the internal systems was obtained. Encrypted files and that ransom note then were discovered. Two and a half hours after that, by 12:37 in the early Sunday afternoon, the affected VMs had been isolated to prevent further malware spread. Four hours later, by 4:44 p.m., Nevada's legal counsel was added

[00:29:18] and they added Google's Mandiant forensic group to the effort. And 15 minutes after that, at 5:03 p.m., on that same Sunday, recovery protocols were initiated and post-attack recovery had begun. State government employees took an unplanned two-day vacation that following Monday and Tuesday, by which time systems were beginning to come back up

[00:29:48] and online and they were able to return to work on Wednesday. So we're talking about a full rallying response by dinner time of the day it happened. The full recovery did take four weeks. It seems as though that might have been a bit faster. We don't know the details of where that time went, but it does sound like they didn't overpower their response.

[00:30:17] They didn't bring in outside people who actually would need to be brought up to speed. They paid a ton of overtime, $1.3 million in overtime to their own people in order to get this, you know, get back up on an online quickly. But overall, Nevada is saying they spent $1.5 million rather than whatever the ransom was.

[00:30:47] And you can imagine it was, you know, more than that. Yeah. Oh, yeah. Ten. Easily $10 million for a state to be, you know, you know, decrypted and, you know, the decryption keys possessed. Obviously, Nevada had good backups and they were offline and they did not get encrypted because they paid no ransom, which means they never got any keys from any bad guys. Good. So, you know, overall, I would say

[00:31:16] this is quite an impressive response. This is what you would expect. And you have to imagine that they also showed their cyber security insurance firm that they were worth insuring, that, you know, that they were going to be responsible, that they were not going to spend a ton of money. And so, I would say that Nevada taxpayers should be impressed with this. This is the way it, I mean, you'd rather not had that guy click the link, but as we've said before,

[00:31:46] this is now the low-hanging fruit. Um, I, I sent a note out to a bunch of, of my, actually, it's, it's a group I've talked about before, my, my, my group of high school buddies that I'm still in touch with because Ars Technica had a piece this morning about a threat that we've discussed several times already, but it's still so unknown. And that was Ars Technica's point was this, this very little known there, they're calling it

[00:32:15] the ClickFix attack. It's where you are, you believe you're trying to prove that you're human through a new, a new style of captcha. And of course, captchas change from time to time. And so you're instructed to, to, to press the button to copy something from your browser onto your clipboard, then to open the run field down in your, in Windows and paste that command. Well, again, none of our,

[00:32:45] hopefully, no one listening to this podcast would do this, but, but it turns out this is becoming extremely effective because it, you are, and the way I explained it to my group who are non-technical, I said, our contemporary browsers are all about containment. They are, they are doing a very good job of containing all of the horrors and crap and, and malicious intent

[00:33:15] that is out on the internet within the browser, within the browser's boundaries. But, if you copy something out of the browser into Windows, you've violated that content, that containment, and nothing prevents that from happening, unfortunately, at the moment. If, you know, if the, the browser assumes if you, that you, you want to copy something that you've seen online, oh, okay, a URL

[00:33:44] or some text off a page. You know what you're doing. Yeah. It's your machine. Go ahead. So, it's, you know, so what, what we're going to need to have is some sort of, of, um, uh, uh, uh, uh, God, I'm, I'm blanking on the word. Something. We're going to need something. That's for sure. Yeah, that's definitely the case. Uh, you copy something to

[00:34:13] your clipboard. Clipboard is the word I was looking for. We're going to need a, a clipboard source identification. Yes. So that if something is pasted from a browser, it's tagged as, as like, like special caution. And so that, for example, you just can't drop it into the run field of windows and say paste without all kinds of warning sirens and stuff going off to prevent

[00:34:43] this kind of problem. So, you know, the, the, the, the, the, the, the, the clipboard got its contents is going to start need is going to where we're going to need to start tracking rather than, as you said, and Leo, just assuming that the user knows what they're doing because, uh, no, yeah, no, we clearly, that's not going to ask you too much. That's getting way too much. But anyway, you know, props for Nevada. They, uh, they, you don't want to, you don't want to get hit by malware, but if you do, you want to be able

[00:35:12] to recover. You don't want to have to trust bad guys to, uh, to, to give you your, your keys back. And we've seen that even when you get the keys from the bad guys, as they pointed out and they weren't wrong, private sector firms still take months to recover. So look, look at Jaguar, you know, what a disaster. Yeah. So good job. Okay. Now this is really interesting and, and wow.

[00:35:42] Okay. Uh, last week, Check Point Research published an incident report describing an arcane attack on a DeFi, a decentralized finance, platform called Balancer. And it, it occurs to me that saying arcane attack on a DeFi platform is an oxymoron. I mean, is like, or, or, or redundant. I don't,

[00:36:12] I don't know. I mean, cause it's like the, I mean, we have seen dumb, like authentication mistakes being made where, where, uh, a third party system was attached to the API. And so that, that credential got, uh, abused, which allowed them to, to sneak code into the devs of the DeFi platform. You know, we talked about all that. That's not this. I'm not going to expend

[00:36:41] any great amount of effort in either me understanding the details or expecting anyone listening to this to. My strongest advice to everyone listening would be not, don't worry about the details. Uh, and after you hear why I imagine that you'll agree, but what happened here is still so very cool, even if it's borderline incomprehensible that I, I wanted to share it. Okay. So Check Point

[00:37:11] titled their report "How an Attacker Drained," and I would argue earned, but we'll see, "Drained $128 Million from Balancer Through a Rounding Error Exploit." Leo, this is just, this is so cool. Okay. I, again, I don't even understand. I can't begin to understand the details, but I'm going to share them so everyone can not understand them with me.

[00:37:41] Apparently, some attackers did understand this, and they literally leveraged, because this is somehow about leverage. They leveraged the crap out of it. So here's what, that's a technical term, I believe. That's a technical term. Yes. Check Point said, on November 3rd, right? So this just happened, 2025, Check Point Research's blockchain monitoring systems, cool that we even have such things now,

[00:38:11] detected a sophisticated exploit targeting Balancer V2's ComposableStablePool contracts, whatever that is. The attacker exploited arithmetic precision loss in pool invariant calculations. Well, again, okay, you know, when you're going to have some invariant pool leakage,

[00:38:39] that's not good, right, to drain $128.64 million across six blockchain networks in under 30 minutes. They wrote, the attack leveraged a rounding error vulnerability in the _upscaleArray function that, when combined with carefully crafted batch swap

[00:39:09] operations, allowed the attacker to artificially suppress BPT, the Balancer Pool Token, prices and extract value through repeated arbitrage cycles. The exploitation occurred primarily during attacker smart contract deployment, with the constructor executing 65

[00:39:38] micro swaps that compounded precision loss to devastating effect. Yes, I would imagine. That was just the overview, folks. The fact that they even figured this out is amazing, right? That's why I would say, arguably, they earned this money. They earned it. Yeah. Okay. So, they said, balancer V2, just to add insult to injury, I'll give you a little more. Balancer

[00:40:08] V2 uses a centralized vault contract that holds all tokens across all pools, of course, separating token storage from pool logic to reduce gas costs. It's like, what? Is that a typo? It's reducing gas costs. That's the reason. That's right. And enable capital efficiency, which you would want. This shared liquidity design meant a single

[00:40:38] vulnerability in pool math could affect all composable stable pools simultaneously, of course, which is exactly what happened in this attack. Balancer V2's internal balance system allows users to deposit tokens once and use them across multiple operations without repeated ERC-20 transfers. Naturally. This sounds like the

[00:41:07] decompobulator thing. This is crazy. I know, and it's true. This system became critical to the attack. The exploit contract accumulated stolen funds in its internal balance during deployment, then withdrew them to the final recipient address in subsequent transactions. Composable stable pools use Curve's StableSwap invariant formula to maintain

[00:41:37] price stability between similar assets. The invariant D, that's capital D, for those who are following along, represents total pool value, and BPT price is calculated as D divided by total supply. However, the scaling operations that prepare balances for invariant calculations introduce rounding errors, wouldn't you know? The

[00:42:07] mulDown function performs integer division that rounds down. When balances are small, in the 8-9 wei range, that's wei, we'll get to that in a second, this rounding creates significant relative errors, but relative is important here, up to 10% precision loss per operation.

[00:42:37] Okay, now, the term wei, W-E-I, is important. A wei is the smallest possible unit of Ethereum. One, get this, one Ethereum is 10^18 wei. So, one wei is far less than one trillionth of a cent in value. So, some super clever individual

[00:43:06] realized that by using these incredibly small balances, the rounding error, which would normally be utterly insignificant, would result in up to a 10% precision loss per operation down at the 8 to 9 wei range. I'm sure not giving these people any of my money. Check Point

[00:43:36] then finishes their explanation by writing, this precision error propagates to the invariant D calculation, causing abnormal reduction in the calculated value. Since BPT price equals D divided by total supply, the reduced D directly lowers BPT price, creating arbitrage opportunities for the attacker. Individual swaps produce

[00:44:06] negligible precision loss, but within a single batch swap transaction containing 65 operations, these losses compound dramatically, I'll say. The lack of invariant change validation allowed the attacker to systematically suppress BPT price through accumulated precision errors, extracting millions in value per pool. Okay.

[00:44:36] Wow. As I said, I'm not sure that I would call this an attack at all. I mean, technically, maybe. An extremely clever bad guy understood enough of the inner workings of this system. And apparently we're the minority, or maybe not, Leo. I wouldn't call us a minority, but there are others. Obviously, Check Point has some people who understand this gobbledygook. So,

[00:45:06] okay. But this guy understood the inner workings of the system to design an exploit of its inherent rounding error. And doing some other background research, it turns out this is understood. The fact that there's this rounding error down there has been known for quite a while. No one had figured out how to exploit it. He clearly started with a purely theoretical concept and made it work.

[00:45:36] And for his trouble, he's now slightly more than $128 million richer, whoever he is and wherever he is. So, I'm not completely certain that he didn't earn it. What I am certain of is that none of my money, nor any money belonging to anyone I care about and have any influence over, is ever going to get anywhere near any of that wacky arcane technology. It all

[00:46:06] gives me the heebie-jeebies, which is another technical term. So, no thank you. I suppose I'm old-fashioned, but I want to understand where I put my money, even if it's under a mattress. Because, wow, where did it go? We don't know. What do you mean you don't know? Well, it was a rounding error. A rounding error worth $128 million? Where's my money? Well, we don't know.

[00:46:35] It drained out. It's gone. People paid for some monkey icons or something, and now Kevin is a lot richer than he used to be. I don't know. What I do know, Leo, is that we... Oh, I suspect I know, too. I suspect you do. Oh, and stay tuned, because after that, we're going to find out why Chrome thinks it's a good idea to begin auto-filling people's driver's license

[00:47:05] numbers and states where they obtain them. Nuts. Just nuts. And we know why, don't we? Yes, we do. Do we? I don't know. I'm going to find out. I don't know if I don't know find out. I'm sorry, Anthony, but I appreciate it.

[00:47:35] I could have sworn I flipped that switch myself earlier, but anyway. Probably in the other direction. Yeah, probably. You know, they need big buttons to say on and off. Good, bad. Good, bad. For me and the people who work in the fine state of Nevada government offices. Actually, here's an ad for somebody who might be in the IT department in the state of Nevada. There's something you ought to know about. Hoxhunt, our sponsor for this segment of Security Now.

[00:48:04] Hoxhunt. As a security leader, your job, you get paid to protect your company against cyber attacks. I know. And you have our sympathy. I mean, if you listen to the show, we know it's getting harder and harder with more cyber attacks than ever. And here's the real problem. These phishing emails, they're generated with AI now and they are letter perfect. You can't look at one and say, oh, it's a fake, look at the English grammar or whatever. No, they

[00:48:33] duplicate a real email and they fool people. Here's the problem. Legacy, these traditional one size fits all awareness programs you're probably using, they don't stand a chance against today's phishing attacks. At most, they're going to send four kind of generic trainings every year and most employees hate them. I mean, just ask. Ask your team. They ignore them. You know what they really hate when somebody clicks on a

[00:49:02] training email thinking it's, oh, they fall for it? Then they're forced into embarrassing training programs. They feel like punishment and nobody ever learns from punishment. That's why more and more organizations are trying Hoxhunt. H-O-X-H-U-N-T. Hoxhunt goes way beyond traditional security awareness. They actually change behaviors by gamifying it. They reward good clicks. They coach away the bad clicks. When an

[00:49:31] employee suspects an email might be a scam, Hoxhunt will tell them instantly. They highlight it. They practically set off bells and whistles and boom, you get a dopamine rush that gets your people. They're happy. They go, oh, I did it! To learn to click to protect your company. This is the secret, is to make it fun. People learn when they're having fun as an admin. Fun's not the right word, but they learn when they're engaged, right? And they're not going to be engaged and they

[00:50:01] feel like they're being spanked. As an admin, you'll love Hoxhunt too. You're not being spanked either. It makes it easy to automatically deliver phishing simulations. And not just email, but Slack, Teams. You can use the same AI the bad guys are using to mimic the latest real world attacks. You can make perfect phishing emails. And by the way, Hoxhunt lets you personalize the simulations to each employee based on department, location, things you already know.

[00:50:30] So it makes these, by the way, the hackers know all this stuff too, right? It makes these really effective. And then the instant micro trainings, little trainings, little fun things, solidify understanding and drive lasting safe behaviors. You can trigger gamified security awareness training that awards employees with stars and badges, boosting completion rates and ensuring compliance. It may sound silly, but think about it. We are all motivated by that. You feel good when you're protecting your company. You did the right thing.

[00:51:00] You found the bad guy. Getting that reward, that acknowledgement, goes a long way. You'll be able to choose from a huge library of customizable training packages or as I said, you can use their AI to generate your own. Hoxhunt. It has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. But you don't have to take my word for it. There are over 3,000 user reviews on G2, making

[00:51:29] Hoxhunt the top rated security training platform for enterprise. Hoxhunt's number one and easiest to use, best results, also recognized as a customer's choice by Gartner, and it's used by thousands of companies, big ones like Qualcomm, AES, Nokia. They're using it to train millions of employees all over the globe. It really works. Visit hoxhunt.com/securitynow right now to learn why modern, secure companies are making the switch to

[00:51:59] Hoxhunt. hoxhunt.com/securitynow. We thank them so much for supporting the good works Steve does and is doing here at Security Now. All right, Steve. So, a little blurb from Google about a new feature in Chrome caught my eye, and not in a good way. Get a load of this one. Google wrote,

[00:52:28] Chrome now helps you fill in passport, driver's license, vehicle information, and more. No. They said, Chrome already saves you time every day by securely filling in your addresses, passwords, and payment information. Today, we're making it even more helpful. For desktop users with enhanced autofill enabled, Chrome can now also fill in your passport and driver's license number,

[00:52:59] vehicle info, like license plate or VIN, and more. It can also better understand complex forms and varied formatting requirements, improving accuracy across the web. We've designed enhanced autofill to be private and secure. When you enter relevant info into a form, Chrome will save this data only with your permission and protect it through encryption. And before filling in saved info on your behalf, Chrome will also ask you to confirm keeping you in full control of your data.

[00:53:29] Starting today, these updates are available globally in all languages, and we plan to support even more data types over the coming months. Okay, and then their little sample screenshot shows a form being filled in with fields for driver's license number and issuing state. Huh. Gee, you know, we've all gotten along so well until now without that. How often

[00:53:58] do we see websites asking us to provide them with our state-issued identification such as a driver's license number and the issuing state? It does kind of make you wonder why the Chrome devs might all of a sudden be thinking that making government identification data easier to fill out for websites

[00:54:28] might suddenly be useful and convenient when it has never come up before. Anyone around here have any sudden need to prove who they are and how old they are? There's one other thing about this. Recall that Google wrote we've designed enhanced autofill to be private and secure. When you enter relevant info into a form, Chrome will save this data only with your permission and protect it through encryption. And before

[00:54:58] filling in saved info on your behalf, Chrome will ask you to confirm keeping you in full control of your data. Now, there's no doubt that they mean that. Even if the application for this information may be a concern, there's no doubt that Google will do their best to keep that data from leaking. The problem is, leaking is what data does. It leaks. Right? I mean, that's what it does.

[00:55:28] That's what it does. Chrome is a good browser with excellent security, but it's still being constantly exploited and receiving patches to close zero-day vulnerabilities that have been discovered being used in the wild. This is not any criticism of Chrome and its Chromium engine. Firefox and Safari are in the same boat. Today's web browsers have grown so complex and are also never being left alone. They're being constantly updated with the latest

[00:55:57] features that they can never, probably, ever become completely impervious. So, to me, you know, it's a convenience for my password manager to be able to fill out my credit card number and mailing delivery address information. That comes in handy. But I memorized my California driver's license number 54 years ago. Right?

[00:56:26] Aside from having to add a zero in front of its most significant digit when California ran out of numbers, it has never changed. So, I've had no problem entering it the perhaps what, maybe five or six times I've ever needed to provide my identity online, such as when I froze my credit reporting at the various agencies or when I signed up for Social Security. Other than

[00:56:56] that, it doesn't come up very often. But consider this. We're entering a very different universe if the world's most popular web browser designers for some reason believe that in the future we're going to be needing to provide our government identification information with sufficient regularity that enabling our web browser to do that for us will be a benefit.

[00:57:25] And here's the other problem. Even if we trust Google to have done everything right about keeping that personally identifiable information secure and to never leak, how can we possibly trust all of the many individual websites that are presumably all going to be asking for this information often enough for Google to have added this feature to Chrome? We all know that websites cannot keep secrets.

[00:57:56] They don't. Just ask Troy Hunt's Have I Been Pwned site. And don't forget that massive database leak, Leo, that you and I and hundreds of thousands of others all discovered had our searchable credit, our Social Security numbers, searchable online. Further demonstration that websites leak. So this brings to mind that old adage about how to keep a secret: don't tell anyone. I don't plan to

[00:58:25] tell Chrome or Firefox or Safari or even my trusted password manager anything more about me than they really require knowing for my own convenience, and I don't need to give my driver's license number out, like, ever, with a few exceptions. If we get to a place where we're needing to frequently provide our driver's license numbers to random websites, then the Internet

[00:58:55] will have entered an entirely new era and not a good one. No. So I don't know what Google knows, but I hope they're busy implementing identity protecting age assertion technologies rather than storing my driver's license number in an encrypted secure format so it can be given out more easily because I don't ever want to be in a position where that's happening.

[00:59:26] Wow. I didn't think of that until you said it and then I realized. Yeah, why? We haven't needed it until now. No, all of a sudden. What's changed? Well, we know. I turn off all of that stuff, password, autofill, address, even address autofill and credit card autofill. I don't think the browser's the right place for that stuff. Well, as we know, it's not multi-platform. They're not all as focused on

[00:59:55] it as our password managers are. And if it's on, then you end up with a collision of the autofill. Everybody's trying to fill the thing out. It's like, whoa, wait, whoa. Hold on there. No, yeah. I do keep it in Bitwarden and I keep all that other stuff in Bitwarden. I presume that's relatively safe if I need to fill it in. But like you, I never consciously memorize my driver's license number, but you enter it enough, it sticks. I know. I don't know why, but I can run through

[01:00:25] it. It's not that long for one thing. No, exactly. And mine has a little rhyme to it, so it's good. Oh, nice. Okay, so it's not often that I find myself envious of life in the UK. Not that there's anything wrong with the UK. It's just kind of hard to beat Southern California is all I'm saying. But this next bit of news

[01:00:55] would certainly be welcomed by our UK-based listeners, and I wouldn't mind having some of it myself to go along with Southern California's sunshine. Last Wednesday, the official gov.uk website posted this update under the headline, spoofed numbers blocked in crackdown on scammers. The UK government wrote, scammers hiding behind fake numbers will be unmasked

[01:01:25] under a new partnership with Britain's biggest, there are six of them, phone companies to protect the public from fraud. A landmark new agreement between government and industry signed at the BT Tower today will see a raft of new measures to safeguard the UK's mobile network from fraud. It will make it harder than ever for criminals to trick people through scam calls, using cutting-edge technology to expose fraudsters

[01:01:55] and bring them to justice. Scam calls and texts are a daily frustration for many with criminals based abroad often impersonating trusted organizations like banks and government departments to deceive people to steal money or personal information. Britain's six largest mobile networks have committed to upgrade their network within the next year to eliminate the ability for foreign

[01:02:24] call centers to spoof UK numbers, making it clear that calls are originating from abroad, exposing scammers' lies. Data shows that 96% of mobile users decide whether to answer a call based on the number displayed on their screen, with three quarters unlikely to pick up if it's from an unknown international number. Advanced call technology will also

[01:02:53] be rolled out across mobile networks to give police the intelligence to track down scammers operating across the country and dismantle their operations. New commitments to boost data sharing with the police will shine a light on the mobile networks that let scam calls slip through their net empowering customers and making it harder for scams to go undetected. So in this regard I could easily wish that the U.S. would be

[01:03:23] as proactive as the U.K. When you think about it, this is such a simple solution. Simply examine the telephone calls entering the U.K. Just watch your national borders. It's trivial to know when a call coming in from outside the U.K. is carrying a spoofed originating U.K. phone numbers will need to be

[01:03:52] admitted, but the agreement specifically talked about foreign call centers spoofing known U.K. So presumably there's some way to handle them separately, and yay to the U.K. This would be something we could all use. You've said this for years with regard to ISPs, but if the phone companies did the same thing. It's exactly like ISPs who are saying, wait a minute, you know, these packets do not have

[01:04:22] RIP and they're saying that something

[01:04:51] that makes a lot of sense is pruning old and aging technologies from our web browsers. Browser bloat is a very real thing. Not every idea that the Internet community comes up with gains or maintains a solid foothold, but unless, I mean, think Flash, right? But unless proactive measures are taken to deliberately scrape the dead bits out of our

[01:05:21] browsers, they just don't go away on their own, and the last thing anyone wants is having zombie code taking up space and polluting browsers with old, unmaintained and potentially exploitable

[01:06:34] language transformations. XSLT is a declarative, template-based language that's used for transforming convenient-to-code but difficult-to-view XML-formatted data into other forms such as HTML. Here's what Mozilla posted about this just a few months ago, back in August. Mozilla wrote: our position is that it

[01:07:04] would be good for the long-term health of the web platform and good for user security to remove XSLT, and we support Chromium's effort to find out if it would be web compatible to remove support. Which is an interesting way to phrase it, "if it would be web compatible to remove support," meaning, I think, how badly it breaks things. If it turns out that it's not possible to remove support, then we

[01:07:34] think browsers should make an effort to improve the fundamental security properties of XSLT, even at the cost of performance. While it's important to not break existing web content, it's also important to prevent security vulnerabilities. Thank you. XSLT, they wrote, has been in maintenance mode in browsers and has been an ongoing source of security issues. Features and technology are sometimes removed from

[01:08:04] browsers for this reason, even when doing so breaks some existing content. Examples include mutation events, the window.showModalDialog function, keygen and plugins. The usage of XSLT is lower than that of mutation events at the time of their removal, and Flash was very commonly used. If it turns out not to be possible to remove the feature, we'd like to

[01:08:34] replace our current implementation, says Mozilla. The main requirements would be compatibility with existing web content, addressing memory safety security issues, and not regressing performance on non-XSLT content. We've seen some interest in sandboxing libxslt, and if something with that shape satisfied our normal production requirements, we would ship it. Okay, so that was August.

[01:09:03] Wednesday before last, Google's Chrome group posted the headline "Removing XSLT for a more secure browser," and they wrote: Chrome intends to deprecate and remove XSLT from the browser. This document details how you can migrate your code before the removal in late 2026. In other words, we're currently in late 2025,

[01:09:33] so you got a year. Actually, things start getting all dicey in March, as we'll see. They wrote: Chromium has officially deprecated XSLT. Chromium has XSLT, including the XSLTProcessor JavaScript API, and XML, and XML, version 155, that's of Chrome, November 17th,

[01:10:02] 2026. So a year. The Firefox and WebKit projects have also indicated their plans to remove XSLT from their browser engines. This document provides some history context, explains how we're removing XSLT to make Chrome safer, and provides a path for migrating before these features are removed from the browser. Okay, then Google provides a timeline for this removal where,

[01:10:32] starting next March, they cautiously tiptoe forward, disabling, first by default but not fully removing it yet, increasing portions of Chrome's XSLT support. But the more interesting part of this event, since I really hope no one cares about the loss of XSLT itself, is what we learn about the feature and code support evolution of the web through the

[01:11:01] lens of this event. Here's what Google shared about the past and present of XSLT, since we now pretty much know its future. They wrote: XSLT was recommended by the World Wide Web Consortium, or W3C, on November 16th, funny how these November timelines line up, so around the same time, 1999, end of the year

[01:11:30] 1999, so 26 years ago, as a language for transforming XML documents into other formats, most commonly HTML for display in web browsers. In other words, it would be possible for a web browser to retrieve an undisplayable XML

[01:11:59] format document, and for the code in the browser to have XSLT, which is like a declarative, non-procedural, non-explicitly-executed, template-oriented language, kind of like, you know, CSS is, to

[01:12:29] declaratively translate an XML document into HTML, which you would then stick into the DOM, the Document Object Model, and render on the screen for the user. So that's a thing for 26 years. Before the official 1.0 recommendation, Microsoft took an early initiative by shipping a proprietary implementation based on the W3C working draft

[01:12:58] in, get this, Internet Explorer 5. So, yeah, released in March of 1999. Following the official standard, Mozilla shipped XSLT 1.0 support in Netscape 6, before we had Firefox, Netscape 6, in late 2000. Other major browsers, including Safari, Opera and later Chrome, also incorporated native XSLT

[01:13:28] 1.0 processors, making client-side XML-to-HTML transformations a viable web technology in the early 2000s. So the W3C standardized on it, produced a specification, and by the early 2000s all the browser community had it, meaning anybody could reasonably

[01:13:58] use it for presentation of information through a web browser where the source of that was an XML document, which is anything but presentable. Google said: the XSLT language itself continued to evolve with the release of XSLT 2.0 in 2007 and XSLT 3.0 in 2017. These updates introduced powerful

[01:14:27] features like regular expressions, improved data types, and the ability to process JSON, not just XML. Browser support, however, this is interesting, never followed. Today, all major browser engines only provide native support for the original XSLT 1.0 from 1999, 26 years ago. In other words,

[01:14:57] it wasn't important enough for them even to go to 2.0 in '07 or 3.0 in 2017. Stayed at 1.0. Google wrote: this lack of advancement, coupled with the rise of the use of JSON as an on-the-wire format and JavaScript libraries and frameworks like jQuery, React and Vue.js that offer more flexible and powerful Document Object Model manipulation and templating,

[01:15:27] has led to a significant decline in the use of client-side XSLT. Its role within the web browser has been largely superseded by these JavaScript-based technologies. So why does XSLT need to be removed? The continued inclusion of XSLT 1.0 in web browsers presents a significant and unnecessary security risk. The underlying

[01:15:56] libraries that process these transformations, such as libxslt used by Chromium browsers and Firefox, are complex, aging C/C++ code bases. This type of code is notoriously susceptible to memory safety vulnerabilities like buffer overflows, which can lead to arbitrary code execution. For example, security audits and bug trackers have repeatedly identified high

[01:16:26] severity vulnerabilities in these parsers, and they cite two CVEs, CVE-2025-7425 and CVE-2022-22834, both in libxslt. And I just misspoke, by the way, a moment ago. As far as I know, Mozilla does not use libxslt; they implemented their own native code back in the early days, back in Netscape 6. So because client-side XSLT

[01:16:56] is now a niche, rarely used feature, these libraries, this is Google saying, receive far less maintenance and security scrutiny than the core JavaScript engines, yet they represent a direct, potent attack surface for processing untrusted web content. Indeed, XSLT is the source of several recent high-profile security exploits that

[01:17:25] continue to put browser users at risk. The security risks of maintaining this brittle legacy functionality far outweigh its limited modern utility. Furthermore, the original purpose of client-side XSLT, transforming data into renderable HTML, has been superseded by safer, more ergonomic and better maintained JavaScript APIs. Modern

[01:17:55] web development relies on things like the Fetch API to retrieve data, typically JSON, and the DOMParser API to safely parse XML or HTML strings into DOM structure within the browser's secure JavaScript sandbox. Frameworks like React, Vue and Svelte then manage the rendering of this data efficiently and securely. This modern tool chain is actively developed,

[01:18:25] benefits from the massive security investment in JavaScript engines, and is what virtually all web developers use today. Indeed, only about 0.02 percent of web page loads today actually use XSLT at all, with less than 0.001 percent using XSLT processing

[01:18:55] instructions. Okay, so, to me it sure sounds like they're doing an awful lot of apologizing for something that really just needs to die. On the other hand, even the end of the horrific Flash plug-in, remember those nightmares, Leo? I mean, we dined out on Flash so often on this podcast. Oh my lord, I mean, it was just such a problem. And even

[01:19:25] that, it took forever to finally say goodbye, which was painful. And it's true that for those vanishingly rare websites that are built in some fashion around XSLT and who will stop functioning without it, XSLT's complete disappearance from the web could prove to be a significant inconvenience.

[01:19:54] So Google continued apologizing by writing: this is not a Chrome- or Chromium-only action. The other two major browser engines, WebKit and Gecko, also support the removal of XSLT from the web platform. For these reasons, deprecating and removing XSLT reduces the browser's attack surface for all users, simplifies

[01:20:24] the web platform, and allows engineering resources to be focused on securing the technologies that actually power the modern web, with no practical loss of capability for developers. So what I love about this as a lesson is it's a perfect textbook example of the way all this should work. The web ecosystem needs to evolve to meet the evolving uses

[01:20:53] to which our web browsers are being put, but evolution doesn't only mean continually tacking on new feature after new feature without end. It necessarily also means trimming off the dead limbs so that the organism as a whole can remain as healthy as possible. This is never an easy thing to do, because someone somewhere is going to see their website die through no

[01:21:23] fault of theirs. They will have been early adopters of an interesting technology that all browsers at the time built in and have supported ever since. Unfortunately, their use of that technology has left them being such a minuscule minority of the world that the sane decision on the part of the web browsers is to discontinue their support and to say

[01:21:53] they're sincerely sorry, which Google clearly is. If XSLT could be left in there without compromising all Internet users, it would be left in there, it would be left alone. But this old code, which still requires maintenance, sees so little use that it makes much more sense to just remove it than it does to expose everyone to its dangers, which require continual repair to deal with. So

[01:22:23] that's the way the web ecosystem goes, and, you know, it is the way it should go. Yeah. And speaking of the way it should go, Leo, the way I think this podcast should. Coffee doesn't keep you up at night? I don't drink it late in the day, and I drink espresso

[01:22:53] that doesn't keep me up. No. And I do drink espresso, which has a strong flavor, but the caffeine is burned off by the additional roasting. Right. I don't know. I have one cup in the morning, and if I have another one I won't sleep well. And I would love to drink coffee all day. Maybe I'll get some decaf, although that seems like it should be anathema. But anyway, we will get back to the highly caffeinated Steve Gibson. I like the caffeine bite. There is a, yeah,

[01:23:35] I cloud security platform. Potential rewards of AI, I don't know if they outweigh the risks. They're both right. The rewards are probably too good to ignore, but you can't ignore the risks: loss of sensitive data, attacks against enterprise-managed AI, and of course generative AI helps threat actors, helping them to, you know, create, we just were talking about phishing lures, to write malicious code, to

[01:24:05] automate data extraction. AI is a double-edged sword, that's pretty clear. There were 1.3 million instances of Social Security numbers leaked. Well, we know they leaked for a variety of reasons, but 1.3 million instances of them leaked to AI applications, people using AI and giving that information to AI. ChatGPT and Microsoft Copilot alone saw nearly 3.2 million data violations. I think

[01:24:35] it's a variety of reasons. Employees use these SaaS AI apps without thinking. Maybe you're giving it access without your knowledge to data on your system. Maybe it's time to rethink, for all of us, your organization's safe use of public and private AI. Just talk to Jeff Simon. He's senior vice president and chief security officer at T-Mobile. What a job. They use Zscaler. He said, quote, Zscaler's

[01:25:05] fundamental difference in the technologies and SaaS space is it was built from the ground up to be a zero trust network access solution, which is the main outcome we were looking to drive, end quote. With Zscaler, zero trust plus AI

[01:25:35] risks of AI-related data loss, protects against AI attacks, does both to guarantee greater productivity and compliance. Maybe you want to learn more about Zscaler at zscaler.com/security. That's zscaler.com/security. Thank you, Zscaler, for the work you do and for supporting Steve and the work he does. Now fully caffeinated, I give you Steve Gibson. Okay, so

[01:26:05] while we're on the subject of web browsers, which we will be looking at again for today's main topic, I wanted to share Mozilla's posting last Friday, which carried the headline, Introducing Early Access for Firefox Support for Organizations. The pointer to this announcement described it as paid Firefox support for corporate customers, which may be curious. So this is what Mozilla said. They said,

[01:26:35] increasingly, businesses, schools, and government institutions deploy Firefox at scale, for, meaning everywhere, for security, resilience, and data sovereignty. Organizations have fine-grained administrative and orchestration control of the browser's behavior using policies with Firefox and the Extended Support Release. Today we're opening early access to Firefox Support for Organizations,

[01:27:04] that's its official title, a new program that begins operation in January of 2026, so in a month or month and a half. What Firefox Support for Organizations offers, they said: Support for Organizations is a dedicated offering for teams who need private issue triage and escalation, defined response times, custom deployment options, and close collaboration with Mozilla's engineering and product

[01:27:34] teams. So they said: Private support channel. Access a dedicated support system where you can open private help tickets directly with expert support engineers. Issues are triaged by severity level, with defined response times and clear escalation paths to ensure timely resolution. Discounts on custom deployment. Paid support customers get discounts on custom deployment work for integration projects, compatibility testing, or

[01:28:04] environment-specific needs. With custom development as a paid add-on to support plans, Firefox can adapt with your infrastructure and third-party updates. And finally, strategic collaboration. Gain early insight into upcoming development and help shape the Firefox enterprise roadmap through direct collaboration with Mozilla's team. So some opportunity to steer

[01:28:59] role on SQL for business critical and sensitive operations. If these levels of support are interesting for your organization, get in touch using our inquiry form, and we'll get back to you with more information. So that's new and interesting.

[01:29:18] To me, at first blush, this sounded like a bit of the result of a brainstorming meeting whose goal was to cook up new sources of revenue for Mozilla to help support Firefox. But I can also easily imagine that there has probably been some true demand for these services for which Mozilla had no such program.

[01:29:40] So organizations that wish to be able to depend upon Firefox and Mozilla will now have a way of being assured that they can do so while paying for the privilege. I dropped a link to this announcement into the show notes. It's here in the middle of page 12 for anyone who's interested. And that blog posting contains links that allow you to follow up and get your organization listed.

[01:30:05] So, you know, it's Firefox has been just, you know, free and open source and it will continue to be so. But, you know, if there are organizations that have decided that they want to go fully Firefox, I can imagine if the price is right saying, yeah, you know, we'd like to have access to Firefox's developers on a shorter leash so that we're able to get attention where we need it, where and when we need it. So I can see that that makes sense.

[01:30:38] Meanwhile, Russia's policy continues to starve their own citizens of Western services. Now Akamai has reported service disruptions throughout Russia after the Russian government started filtering Akamai's traffic. This has led to disruptions for some Russian Akamai customers.

[01:31:03] Akamai says, yeah, it's aware of the government's actions, but it's unable to do anything about it. Right. I mean, it's, you know, Russian bandwidth on Russian wires. And so if they, you know, Akamai has a known block of IP presence. So if Russia wants to say no Akamai, they can.

[01:31:26] This may just be, you know, Russia issuing a "we're serious about this" warning, because they have not yet implemented a full blanket block. And Russia now requires foreign cloud providers, among which would be Akamai, to open local offices in country and register themselves with the state.

[01:31:52] So that may just be like, you know, a little bit of saber rattling on Russia's part saying, hey, you know, we told you if you want to be bringing bandwidth into Russia, you've got to have a local office. And so far, most organizations are saying we don't think we want to do it that much.

[01:32:11] And in some cases, if the West is sanctioning, then it may not be legally possible for Western corporations to be running offices in Russia. And we know there's been a great exodus of that so far. A number of times in the past year, we've looked at the fine security work being performed by a company called Wiz.

[01:32:36] And I've been forced to say, you know, W.I.Z. as in wizard, just to be clear. Another security firm, Mandiant, was also once independent and we often covered their work. They were then gobbled up by Google to become a division of that ever growing behemoth.

[01:32:57] So it's now time to report that Google's 32 billion dollar acquisition of Wiz security just passed U.S. regulatory approval. Although there are some other jurisdictions in which approval is still pending, it appears certain that Wiz will be joining Mandiant as a new Google property, you know, an Alphabet property.

[01:33:25] And so Google increases their Internet security offering group. And, you know, Mandiant is still doing great work. I imagine Wiz will be, too. It's just, you know, Google has so much money. They're just spending some of it. And Leo. Yes. Believe it or not. Please, please. I know. Tell me it's true. Looks good. Don't tease me.

[01:33:50] A recently obtained leaked copy of proposed changes to the EU's comically horrific GDPR regulation, which forced, among all the things, all websites everywhere to constantly request their visitors' cookie preferences, will finally change the requirements to work. Oh, my God. The way they always should have. It's hard to believe.

[01:34:19] I've read the language. The new regulations allow web browser users to configure their browsers once and for all to subsequently transmit their cookie tracking and direct marketing preferences to every website they visit. OMG.

[01:34:43] This would be a formalized variant of the DNT (Do Not Track) header or the GPC (Global Privacy Control) signal header. But it would be done by GDPR regulations, which, as we know, has a global effect, because I'm in Southern California and I'm still getting cookie banners. Thank you very much.

[01:35:13] The regulations also legally require every website, which is the part that matters, to silently comply with and obey any such preference transmission from a browser's headers.

[01:35:30] Once adopted and following a six-month implementation grace period to give websites a chance to get up to speed, these amended requirements would be backed by the full weight, force, and effect of the EU's GDPR, which, as we know, originally was involved in these cookie pop-ups on the entire world.

[01:35:51] So the constantly annoying cookie request banners would finally disappear, and users who care will be able to set and forget their preference in their browsers once and for all. Of course, I just use uBlock Origin to block them, but still. Yeah. Yeah. It'd be nice.

[01:36:14] This will be, well, I mean, and this will be built into the browser, so much higher traction we could expect over time. Right. Right. You know, and I'll do things like, you know, have GRC display a banner when people don't have these set just to let them know, hey, you know, you've got a browser that supports this. Maybe you want to think about turning it on. You bet.

[01:36:40] Last week, we also saw another pair of migrations away from dependence upon Microsoft's closed proprietary solutions, the International Criminal Court. I got a kick out of this one, Leo. They dropped their use of Microsoft Office in favor of OpenDesk in response to the U.S. sanctioning some of its judges.

[01:37:03] So the U.S. sanctioned some judges over something that we didn't like, that the International Criminal Court did. I saw it go by at the time. I don't remember now what it was. And so the ICC said, OK, we're going to switch over to OpenDesk. Thanks very much.

[01:37:19] Also, oh, yeah, Austria's armed forces abandoned Office for LibreOffice, while the Austrian Ministry of Economy has moved from Microsoft's Azure over to Nextcloud. So, you know, the non-domestic dependence on Microsoft proprietary solutions is really changing.

[01:37:46] And I hope Microsoft, somebody there is paying attention because, you know, they've certainly been enriched by the global dominance they had. And it's still there, but it's waning. You know, there's handwriting on the wall. Speaking of handwriting, recall that last week we noted that officials in Oslo, Norway,

[01:38:08] became worried about the hidden and undocumented cellular radios they found scattered throughout their Chinese-made electric buses. So out of an abundance of caution, they pulled the SIM chips out of all of them to shut those radios down. Because, you know, why not tell us why they're here at least if you're going to have them?

[01:38:30] I just wanted to follow up this week by noting that Norway's discovery has shaken assumptions so that investigations are now underway in several other countries, including Australia, Denmark, the UK, and the Netherlands. All of them are driving their buses into large bus-sized Faraday cages and saying, OK, what's up with you? What's going on here? Yeah. OK, so this is extremely cool, this next piece.

[01:39:02] And at first I'm like, what? Are you, what? Microsoft's claim in the introduction of what they named their Whisper Leak attack brought me up short, because what it was claiming to do seemed far from plausible. They proved otherwise. They wrote, Microsoft has discovered a new type of side channel attack. Oh, and this is for our listeners who have not been listening for long.

[01:39:31] This is probably the best example of a side channel attack on cryptography, on encryption, that we will ever see. I mean, this is so good. So if you've been wondering what side channel is and you haven't gone back to earlier episodes, we know that our truck driving friend is catching up. He's probably, you know, up to episode 100 now. He was on 52 or something when we last checked in with him.

[01:40:01] This is a perfect classic example of a side channel attack. So they wrote, Microsoft has discovered a new type of side channel attack on remote language models. This type of side channel attack could allow a cyber attacker, a position to observe your network traffic to, oh, sorry.

[01:40:25] And actually they, they meant in the position to observe your network traffic to conclude language model conversation topics. Despite being end to end encrypted via transport layer security. We've worked with multiple vendors to get the risk mitigated. In other words, this has been fixed now, as well as made sure Microsoft owned language model frameworks are protected.

[01:40:56] Okay. So now what Microsoft is saying here that they've discovered some sort of side channel attack on a fully encrypted TLS connection, which can reveal large language model conversation topics. They then tell us why we should care writing in the last couple of years,

[01:41:21] AI-powered chatbots have rapidly become an integral part of our daily lives, assisting with everything from answering questions and generating content to coding and personal productivity. As these AI systems continue to evolve, they're increasingly used in sensitive contexts, including healthcare, legal advice, and personal conversations.

[01:41:46] This makes it crucial to ensure that the data exchanged between humans and language models remains anonymous and secure. Without strong privacy protections, users may be targeted or hesitate to share information, limiting the chatbot's usefulness and raising ethical concerns. Implementing robust anonymization techniques,

[01:42:10] encryption and strict data retention policies is essential to trust and safeguarding user privacy in an era where AI powered interactions are becoming the norm. In this blog post, we present a novel side channel attack against streaming mode language models that uses packet network sizes and timings. Okay. Uses packet sizes and timings.

[01:42:38] This puts the privacy of user and enterprise communications with chat bots at risk, despite having end to end encryption. So, okay. It can't, it's not claiming to determine what they're saying, but it appears to be able to determine if the discussion is about a specific topic. Okay. So this is certainly not nothing. I'll let them finish.

[01:43:06] They wrote cyber attackers in a position to observe the encrypted traffic. For example, a nation state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router, could use this cyber attack to infer if the user's prompt is on a specific topic.

[01:43:31] This especially poses real world risks to users by oppressive governments, where they may be targeting topics such as protesting, banned material, election process, or journalism. Finally, we discuss mitigations implemented by cloud providers of language models to reduce the privacy attack risks against their users. Through this process, we have successfully worked with multiple vendors to get these privacy issues addressed.

[01:44:00] Okay. So Microsoft's post then reminds us that packet length depends upon packet content. Less content means smaller packets. And also that the cipher text that's encrypted from plain text will have the same approximate length

[01:44:28] as the plain text it encrypts. Next, we have the fact that users of cloud-based AI prefer watching the AI generating and sending tokens of text as they're generated sequentially. Right? It's in streaming mode, as it's called. You know, as if the AI was busily typing on its computer on its end.

[01:44:55] This means that rather than waiting to receive the entire output all at once, the AI models are deliberately dribbling it out as it's being determined. That also means that the TLS protocol is similarly dribbling out individual encrypted packets one by one as they're being sent to the user containing in many cases,

[01:45:23] individual encrypted words. And finally, the timing of the individual dribbles contains some information about what the model went through in order to produce that next bit of dribble.

[01:45:40] It turns out that Microsoft did indeed discover and implement a successful side channel attack without ever having any access to the decrypted content, only using the individual sizes and timing of the TLS packets, which were seen to be going back and forth.

[01:46:07] This attack does not allow an eavesdropper to broadly determine what's being discussed. But in the example they gave, they pre-trained their system, their cyber attacking system, with 100 examples of LLM prompt transactions regarding money laundering. They asked about money laundering 100 different ways,

[01:46:35] and they trained their recognizer on the LLM's replies only by examining the individual TLS packet timings and lengths that replies about money laundering generated from the LLM. And it worked. Once they had set everything up,

[01:46:57] they allowed their system to monitor the individual packet lengths and timings of 10,000 separate conversations, and 100% of the time it successfully identified the one conversation out of those 10,000 that was about money laundering. Microsoft summed the threat up as follows. For many of the testbed models,

[01:47:27] a cyber attacker, that is, that many of the testbed models that Microsoft implemented, so they saw this happen, a cyber attacker could achieve 100% precision. All conversations it flags as related to the target topic are correct, while still catching 5% to 50% of target conversations. In plain terms, nearly every conversation the cyber attacker flags as suspicious

[01:47:55] would actually be about the sensitive topic. No false alarms. This level of accuracy means a cyber attacker could operate with high confidence, knowing they're not wasting resources on false positives. To put this in perspective, if a government agency, they wrote, or internet service provider were monitoring traffic to a popular AI chatbot,

[01:48:23] they could reliably identify users asking questions about specific sensitive topics, whether that's money laundering, political dissent, or other monitored subjects, even though all the traffic is encrypted. They said, important caveat, these precision estimates are projections based on our test data and are inherently limited by the volume and diversity of our collected data.

[01:48:50] Real world performance would depend on actual traffic patterns, but the results strongly suggest this is a practical threat, not just a theoretical one. So this seems academically interesting, but not something that we would need to worry about. But when we recall Bruce Schneier's reminder, attacks never get weaker, they only ever get stronger. You know,

[01:49:20] it seems like what might be a curiosity today could have the tendency to mature over time. So, how to fix this? They wrote, we've engaged in responsible disclosure with affected vendors and are pleased to report successful collaboration in implementing mitigations. Notably, OpenAI, Mistral, Microsoft, and xAI

[01:49:49] have deployed protections at the time of writing. This industry-wide response demonstrates the commitment to user privacy across the AI ecosystem. OpenAI, and later mirrored by Microsoft Azure, implemented an additional field in the streaming responses under the key obfuscation, where a random sequence of text of variable length is added to each response.

[01:50:18] This notably masks the length of each token, and we observed it mitigates the cyber attack effectiveness substantially. We've directly verified that Microsoft's Azure mitigation successfully reduces attack effectiveness to levels we consider no longer a practical risk. So, as I said, here we have a beautiful example of a surprisingly effective side channel attack,

[01:50:47] and a classic, perfect example of a side channel attack in general, where the data being leaked is never seen, but, you know, never seen directly, but some indirect consequences of the specific data are observable and can allow a sufficiently clever attacker to infer what that data must have been

[01:51:15] for that inference to be true of the data. So, just, you know, nice work on Microsoft's part and, you know, not something we would ever think to protect or that needed protecting, but, indeed, it did. Leo, break time. We're going to talk about a few miscellaneous bits and then we'll tackle our topic.

[01:51:44] Indeed, we will. And I want to tell you about Zapier right now, our sponsor for this segment on Security Now. Zapier is something I use to prepare, not this show, because you do your own thing, but all the other shows. When I make bookmarks, I use a very clever system that I set up many years ago with Zapier to automatically take the bookmark and prepare the rundowns and all that stuff. I don't need to go into the details, but one of the things I'm very excited about, as you know, I'm also a kind of

[01:52:14] dedicated AI user in a variety of places, is being able to use something new from Zapier that'll let me add AI to my existing workflows. We talk about AI a lot on this show, on all our shows over the last few months, everybody's been talking about AI. We even made a show all about it, Intelligent Machines on Wednesdays. But I think that it's pretty clear just talking about a trend doesn't help you use it or be more efficient at work. How many times have you sat down

[01:52:43] with an AI or Claude Code or something and said, now what? To make AI part of your workflow, you need the right tools. And that's where Zapier is such a great partner. I'm so thrilled. Zapier is how you break the hype cycle on AI and put AI to work across your company. You're probably already using Zapier. If you're not, maybe I can explain it to you. Zapier is a way to automate workflows. You don't need to

[01:53:12] be a coder to do it. It's very easy to use. I've been using it for years to do everything from turn on my Hue lights at sunset to send automatic emails, and I can go on and on. Zapier, though, now can help you deliver on your AI strategy, not just talk about it. Zapier is now an AI orchestration platform. So you can do all the things you used to do. Zapier has literally, I think, more than 3,000 connections to apps you already use. But now you can also

[01:53:43] insert some AI into any workflow. So you can get more done. You can be more effective. You can get a little help. And they support all the top AI models, ChatGPT and Claude. You can add them to the tools, those 3,000 other tools your team's already using. So you can actually, you know, sprinkle a little magic, a little AI exactly where you need it, whether it's AI-powered workflows, an autonomous agent, a customer chatbot. There's so many things I've dreamed of doing

[01:54:12] that AI now enables it. And being able to orchestrate it with Zapier makes it so much easier, so much better. Zapier's for everyone. Don't need to be a tech expert. Teams have already automated over 300 million AI tasks using Zapier. Join the millions of businesses transforming how they work with Zapier and AI. Get started for free by visiting zapier.com/securitynow.

[01:54:42] That's Z-A-P-I-E-R dot com slash security now. In my opinion, this is exactly where AI can shine. Not by, you know, letting it take over your job, but by using it to help you in your existing workflows and then creating new workflows. The sky's the limit. zapier.com/securitynow. And now, back to Steve. A word from a listener. David Wright

[01:55:12] wrote, Hi Steve, I've bought numerous copies of Spinrite over the years to support you. Aw. He's moved around from company to company and said, hey, we need a corporate site license for Spinrite. He says, but I loved it. He said, but I've never actually needed to use it in anger. He said, I've had problems over the years, but they all turn out to have other causes. Until last week.

[01:55:42] Now, this is a fresh email, so this just happened. He said, my predecessor set up a NAS for the documentation of our measuring and control department. And he said, installation of the PLCs and associated technology. Their documentation drive, he had drive in quotes, meaning, you know, a NAS drive. It was connected by iSCSI to a server, disappeared. Looking at the NAS, one of the drives

[01:56:11] was blinking red. Checking the NAS UI, the drive was also showing a fault there, but he who shall not be named had set up the NAS, which was the main storage for all the department's documentation, with drives spanning zero redundancy, RAID 0. So, meaning, the entire volume was at risk because of one drive. He said, I grabbed my copy

[01:56:40] of Spinrite, a USB drive adapter, and plugged it in. 24 hours later, the drive was back in its NAS, and we were busily copying their documentation over to our NAS. A new drive has been ordered, and I will be completely rebuilding their NAS with RAID 5 this time. He said, with so much kit, it was one of those pieces that hadn't been checked since I took over, but it being a NAS with four large drives in RAID,

[01:57:11] you assume the person setting it up wasn't so idiotic as to use RAID 0. Needless to say, once the dust has settled and I have time to breathe, I'll be putting in an order for another corporate license. Best regards, David Wright. So first of all, David, thank you. I wanted to share David's story since it's the perfect contemporary example of Spinrite 6.1 still coming to the rescue of those who need it, with RAID

[01:57:40] configured so that any one of its four drives having a problem would endanger the entire storage volume. I'm unsure what someone would do if not for Spinrite. There are many data recovery specialist services and if a drive has failed electrically or mechanically so that it requires a PC board swap or, God help you, a head replacement, then there's no alternative.

[01:58:10] Software is not going to be able to help you there. But that sort of catastrophe is exceedingly rare. Usually they'll have a drive for a week or more, so you're down for that period of time, and then charge several thousand dollars. They take advantage of people's desperation to have their data back, of course. And we've heard many times from ex-employees of these services who learned about Spinrite from their employer or their

[01:58:40] ex-employer that the first thing those companies do is run Spinrite over the drive themselves. So, you know, many days and dollars can usually be saved as Dave here just reported he did by giving Spinrite a try yourself. And, you know, save thousands and save a week and get your data back. So, anyway, thank you, Dave. I appreciate the feedback. While I'm on the topic of GRC software, I'll mention that Saturday evening I dropped

[01:59:09] the 62nd development release of our forthcoming commercial version of the benchmark and I am so pleased with the way it has turned out. As is so often the case, when I begin one of these journeys, I only ever have some rough idea of what the end result will be. And this is one reason I learned long ago, actually it was with Spinrite 3.1, to never guess when that will be. I, you know, people say when, when, when, when? I go,

[01:59:39] I would tell you if I knew, but I don't know because I don't know what it's going to be. In this case, as we know, I mostly set out with the goal of adding the three newer protocols that the freeware benchmark doesn't support, IPv6, DNS over TLS, and DNS over HTTPS. But what we have wound up with after a year of work, because it was, it was November last year, is a far more advanced

[02:00:08] and enhanced result. It now does things like quickly and automatically sidelining resolvers right from the get-go which it determines quickly will be unable to compete. So this allows it to spend its time much more accurately measuring the performance of the DNS resolvers at the head of the pack,

[02:00:38] rather than giving equal time and wasting time on the stragglers at the end. And this behavior can be tuned, since there are also several new expert-level knobs that can be turned on this software. Through statistical analysis of the spread of timing results, we also learned that the original single-pass timing of 150 queries, which are made up of the top

[02:01:08] 50 domains on the internet, which is what the freeware version has always done, turns out that was unable to yield sufficient certainty due to packet timing variations. It's easy to obtain an average, you know, four readings will do that, but it's surprising to see how many queries must be made to obtain 95% statistical certainty of what

[02:01:37] that average value actually is rather than by chance it being higher than it actually would be in practice. So the new version of the benchmark makes five passes by default, though that can be set to any number you want. And if someone, for example, wished to measure, collect, and process timing data over a much larger time span, like, for example, run the benchmark for two days, the benchmark's actual running

[02:02:06] speed can now be set so that a run which would, for example, normally take 30 minutes could be set to take 50 hours with each resolver queried 750 times over a much wider span, which allows you to then get that average. So, and even so, you can still do a benchmark in three minutes. So, anyway, there are many, many more features, and I am so pleased with the outcome of this past year's work.

[02:02:36] The gang in the news group has now had the benchmark for several days. Nobody's found a problem. It's working perfectly for everyone. We're done. So, I'll be working on the documentation to get that ready for the release, which should be a week or two from now. So, I'm very excited. And, while we're on the subject of GRC projects, recall that about a month ago, near the start of October,

[02:03:07] there was a time when all of GRC's weekly Security Now podcast email suddenly went to Gmail's spam folders. Our listeners, I don't know how they even saw them or found them. In fact, Leo, you said that you check your Gmail spam folder once a week to see if anything important has gone there. So, obviously, Gmail makes mistakes. I was horrified because I had done nothing different, but suddenly

[02:03:37] all of the Gmail from our listeners, and we have a huge percentage of listeners who either use Gmail as their domain or have their own personal domain that Google handles for them. It all went into junk. It was all routed that way. So, we soon learned that Gmail had apparently suffered some sort of internal glitch because many other people's email, which was bound for Gmail, which had never

[02:04:07] had any trouble, was also going into its recipients' spam folders. So, it wasn't anything that I did, nor really anything that Google was doing deliberately. I think that there was some internal glitch inside of Google for a few days, and the weekly Security Now mailing happened to hit then. But, since I'm planning GRC's second ever full mass mailing to our more than

[02:04:36] 150,000 subscribers, once the commercial version of GRC's DNS benchmark that I was just talking about is ready, the possibility that Gmail recipients among those 150,000 plus might get routed into spam scared the you-know-what out of me. So, even though I was certain I had originally gotten all of the spam stuff fixed correctly, I

[02:05:05] returned my focus to our SPF, DKIM, and DMARC DNS records. All of the various test sites said that everything I had set up was all working correctly, it was all hunky-dory, that the records restricting the spoofing of email from GRC were all correct. Yet a look at Google's user reported spam history and chart told a very different story. Users

[02:05:35] apparently could be annoyed by email pretending to come from GRC, spoofed GRC. So GRC.com email was being sent by spammers because GRC's been around a long time, I suppose. So what I discovered was that even though my anti-spam DNS records were well locked down, there were two optional parameters missing

[02:06:05] from our DMARC DNS record. The bits that were missing are named or called alignment modes, and those can either be relaxed or strict. And what I discovered was that if they're not specified, they default to being relaxed, as in none, because spam was getting through. So I added two additional values, adkim equals

[02:06:35] s, and aspf equals s, both for strict. And it took a while, it took Google a while for the records to propagate, probably Google is caching them internally because it doesn't want to be constantly checking all of the DNS for incoming email sources. So I was like on pins and needles for a while, but I have in the show notes, and Leo, you were showing it, thank you, the

[02:07:04] recent chart from Google showing that I think that's the last 90 days, September, October, November, yes. So basically through September, October, there were instances of users reporting incoming spam that was pretending to be GRC. It had nothing to do with GRC. I never sent it. No one at GRC ever sent it. It was bad

[02:07:34] guys thinking that maybe if we pretend to be Gibson Research Corporation that has a spotless email reputation, we'll be able to get through. And they were. And I was, as a consequence, Google was saying to me, you know, we're not so sure about GRC email. Well, the good news is adding those last two specifications finally locked it down tight. And as we can see in that chart, it's been flatline at zero ever since

[02:08:04] early October. So there have been periods in the past where it was also a flatline for a while. So I've been holding my breath. But at this point, it looks like we've exceeded the length of time that we've ever not had any spam problem. So anyway, I just wanted to share this if there are listeners and I know there are because I've heard from you who are running your own email servers. It turns out this is important. Those two records,

[02:08:34] which I managed to spend a lot of time a long time ago with SPF and DKIM and getting it all right. And I never discovered those two fields had to be specified in order to get true protection. Apparently, you get some, but not what Google needs. So you have to say strict ADKIM and strict ASPF. Yes. And then you'll get through. Yes. And then

[02:09:04] when an email comes into a provider who has previously probably obtained that record from GRC, they'll see that our instructions, GRC's instructions are, if this doesn't strictly align with SPF, then reject it. Absolutely, it is not valid. And so it was relaxed until I said,

[02:09:34] treat that as strict. And the SPF, I mean, so SPF is Sender Policy Framework. It just says, it's so simple, it says these are the IPs that are allowed, that will ever generate valid email from GRC. And actually it's just one IP, it's something .201, client.grc.com. And I've said, this is the only IP that will ever generate valid email

[02:10:03] from GRC. And I've been saying it for years, but without also saying, and I'm serious about it. Strict, I'm being strict. Yeah, I'm being strict, darn it. Don't, you know, I mean, and to me, it's crazy that if why would I, what value is having an SPF record and a DKIM record if they're being treated in a relaxed fashion? Well, so somebody could use different subdomains probably, right? So it could be

[02:10:33] mail.grc? No, there are mechanisms for having, for like specifying ranges of IPs or subdomains and even so, you know, strict. Yeah, I think, I mean, I actually kind of know. The reason is that you want, before you lock this down, you want it to be in a reporting mode where you can monitor bounces. Yes, to make sure that you got it all right so that you don't get

[02:11:02] email that is rejected when it shouldn't be. Like, valid mail you're sending that gets sent to spam. That wasn't the problem. It was invalid mail that bad guys were sending as GRC were being seen as legitimate. So, you know, false positives instead of false negatives. So, anyway, problem solved, yay. And when we get this, I'm now confident, increasingly confident. Again,

[02:11:32] I've seen weird spells where we've not been spoofed, but I, given that I made this change and after waiting a little bit, it's gone absolutely to zero with not a single exception where before it was like, looked like the Rocky Mountains in the graph. Yeah. It's like, okay, I think maybe, I think maybe we got it. So, the whole point of this is that somebody does not spoof you to send their spam. Correct. And Google was assuming that mail coming from

[02:12:02] you was, in fact, spam. Yes. And the problem is they have a very low tolerance. It's 0.3%. If it's over 0.3% of users saying, I don't want this, you get in trouble with Google. So, 0.3% is three out of a thousand. Right. So, somebody must have done that though, right? They must have clicked. You could do that by accident. It's very easy to click that button

[02:12:31] spam. That's what I was, that's what I was thinking, except that now it's gone to zero. And we've had many of our mass mailings, not a single recipient has said this is spam. So, so what was happening was bad guys spam. I mean, it was spam. It wasn't from you. Yeah. Yeah. How to stay hard longer from grc.com. I haven't gotten that email.

[02:13:01] And it's like, no, we didn't send this. And so people were saying, this is spam. And unfortunately, I was being blamed for other people. It was getting associated with your domain. Yes. And, and again, it was like 20%. Well, the reason it was 20% was I'm not sending any email at all. And so if, you know, so one out of five people were clicking on spam saying this is spam. Makes sense.

[02:13:32] Yeah. Turns out it's a, you know, spam is a problem. It's a little bit of a problem. Yeah. Who knew? Yeah. And I wouldn't mind except that I still get tons of spam in my Gmail account. So Gmail is, it's entertaining actually to look at the spam folder in Gmail. Oh my God. 'Cause I mean, you, you could look in the morning and just since like earlier in the morning, you've got like just a torrent of spam. The good news is that Google has this ability to view across all their subscribers.

[02:14:01] So it's very apparent when all these people are getting the, the same, you know, come on email. Well, that's the theory is this kind of community spam filtering is the best way to do it. But I, maybe because I've had Laporte at Gmail forever, I get so much spam, even not into my spam box. Yeah. Most of it's in French. Maybe that's why. Yeah. Well, so for anyway, so my, my message is it

[02:14:31] really does look like it is possible no matter how popular your domain is to spammers to abuse. If you get this SPF and DKIM and DMARC all set up correctly with everything set for the strictest enforcement possible, then no valid recipient provider will think that spam that is being spoofed as

[02:15:00] coming from you will get through. It'll go into people's spam folder. So, it's positive. Do you want to see? Just to show you how much spam is not being filtered, or this is my Laporte Gmail primary inbox. Let's see, I get a request for something. It's all in French. Just missed your call, says Jen. Here's an invoice for your account from Airtel.

[02:15:30] I mean, I don't know if it's, it's gotta be spam. I don't know what it is. It's why I don't use this address anymore, which is why I'm willing to tell people what it is. And I do think that like some of this is typos. It's people trying to send to a real French person. Yeah. Bonjour. Your personal training account has been updated. Notice Google translated it. Thank you. Join us at the Indigenous Speakers University at Vancouver

[02:16:00] Island University. But see, this is a CC to all of these people whose names are visible in here. I mean, this is crazy. Roof inspections for N Street. I don't live on M Street. OK. I love all the French stuff too. Revention attention ocular. I noticed that Kimberly wrote you. I think she wrote to me too. Yeah, Kimberly, you know, she gets around. She does. Hey, Laporte, it's my email.

[02:16:30] She doesn't know my first name because it's just Laporte at Gmail. All right, I'm sorry. OK, I'm glad you fixed it. We're going to oh, I am too. I feel very relieved. I just wanted to spread the news so that if any of our listeners have any problem like that, it turns out it can be it appears again, I'm couching everything in a so far and I'm crossing my fingers. But boy, I'll know when I send out 150,000 pieces of email. Oh,

[02:17:00] Yeah, it's gonna be good. OK, we are at two hours. Let's take our final break and then we're going to look at the question which is entirely gray. I don't normally have a gray area feeling about things, but in this case, yeah, I don't know that this is an interesting issue. We talked about it on Sunday. I'm very curious what you think about it. It has to do with agentic browsers

[02:17:30] doing your shopping on Amazon. Yeah, we'll talk about it in just a minute. I think I'm gray too. I was not, I understand from both points of view. But anyway, we'll get to that in a moment. But first, let's talk about Vanta, our sponsor. What's your 2 a.m. security worry? What keeps you up at night? Is it, do I have the right controls in place? Or are my vendors secure? Or the really scary one, how do I get out

[02:18:00] from under these old tools and manual processes? Enter Vanta, V-A-N-T-A. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence, filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows using AI to streamline evidence collection, to flag risks,

[02:18:30] and to keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and get back to sleep. Get started at vanta.com slash security now. That's V-A-N-T-A dot com slash security now. Thank you, Vanta, for supporting Security Now and the important work Steve does. Thank you for the important work you do for all of our IT professionals out there.

[02:19:00] Okay, Steve, let's talk about this. I think it's a very interesting story. Yeah. Yeah, yeah. Okay, so some time ago, we examined the robots.txt file, which is sort of where this controversy began. And as we know, they were originally provided by sites as an aid to help keep web search spiders out of trouble. Um, the controversy arose when Cloudflare decided to become much more proactive on behalf of

[02:19:30] their users when they believe robot AI agents, whether scraping for content or browsing on behalf of their users, were being deliberately deceptive and were also deliberately disobeying the clearly expressed wishes of those users. Then last week's podcast was here come the AI browsers, which looked at the vulnerabilities that could arise when AI browsers encountered remote website content, which might confuse, which it

[02:20:00] might confuse for user instructions. Today, we have a third aspect of the AI web browser amalgam, which is AI browsers acting on behalf of their users. The Guardian's headline read, Amazon sues AI startup, I thought that was interesting, they call it a startup, I guess, over browser's automated shopping and buying feature, which it follows with

[02:20:30] the tease, Amazon accuses Perplexity of covertly accessing customer accounts and disguising AI activity as human browsing. Okay, now the idea that Perplexity almost certainly does this is not news. Although questions were raised over Cloudflare's possible misinterpretation of Perplexity's automated agent actions, as a web technology developer, I was left with

[02:20:59] no questions there. It seemed obvious to me that the evidence revealed deliberate shenanigans on Perplexity's part. So let's see what the Guardian's reporting adds to this. They wrote, Amazon sued a prominent artificial intelligence startup Tuesday over a shopping feature in the company's browser, which can automate placing orders for users. Amazon accused Perplexity AI of covertly accessing

[02:21:29] customer accounts and disguising AI activity as human browsing. Okay, so you know, duh, it's the internet, Amazon, and Amazon has done quite well thanks to the internet, right? In fact, they owe their entire existence to the internet. So what's wrong with having a browser working on our behalf? That's the real question, and that's what we're going to examine today. The Guardian continued, writing, Amazon's

[02:21:58] lawyers wrote, quote, Perplexity's misconduct must end. Perplexity is not allowed to go where it has been expressly told it cannot. That Perplexity's trespass involves code rather than a lock pick makes it no less unlawful. Whoa. Okay, so expressly told it cannot certainly sounds as though someone has been caught ignoring and

[02:22:28] bypassing those pesky robots.txt files again. But this time we don't have some bridge tollgate analogy. This time we're talking about the content owner becoming very upset, where the Guardian continues, Perplexity, which has grown rapidly amid the boom in AI assistants, has previously rejected the U.S. shopping company's claims, accusing Amazon of using its market

[02:22:58] dominance to stifle competition. Perplexity wrote in their blog post, bullying is when large corporations use legal threats and intimidation to block innovation and make life worse for people. Unquote. The clash highlights an emerging debate, and it is a debate, over regulation of the growing use of AI agents, autonomous digital secretaries powered by AI, and their interaction with

[02:23:27] websites. In the lawsuit, Amazon accused Perplexity of covertly accessing private Amazon customer accounts through its Comet browser and associated AI agent and of disguising automated activity as human browsing. Perplexity's system posed a security risk to consumer data, Amazon alleged, and the startup had ignored repeated requests to stop. Amazon said, rather than being transparent,

[02:23:57] Perplexity has purposely configured its Comet AI software to not identify the Comet AI agent's activities in the Amazon store. Well, imagine that. In the complaint, Amazon accused Perplexity's Comet AI agent of degrading customers' shopping experience and interfering with its ability to ensure customers who use the agent benefit from the tailored

[02:24:27] shopping experience Amazon curated over decades. Third-party apps making purchases for users should operate openly and respect businesses' decisions on whether to participate, Amazon said in an earlier statement. Perplexity earlier said it had received a legal threat from Amazon demanding that it block the Comet AI agent from shopping on the platform, calling the move a broader threat to user

[02:24:57] choice and the future of AI assistants. Perplexity is among many AI startups seeking to reorient the web browser around artificial intelligence, aiming to make it drafting emails to completing purchases. Amazon is also developing similar tools such as Buy For Me, which lets users shop across brands within

[02:25:26] its app, and Rufus, an AI assistant, to recommend items and manage carts. The AI agent on Perplexity's Comet browser acts as an assistant that can make purchases and comparisons for users. The startup said user credentials remain stored locally, just like they do for us now, and never on its servers. The startup said users had the right to choose their own AI assistants, portraying

[02:25:56] Amazon's move as an attempt to protect its business model. Perplexity added, easier shopping means more transactions and happier customers. But Amazon doesn't care. They're more interested in Alexa. Yes, I just said the A word. Or the Fire

[02:26:26] TV or the Fire tablets or any of the Amazon stuff. It's that they're ads. It's all ads. I was going to do that initially because in researching it looked like it had the best voice recognition technology. I want that. The good news is Apple is really gung-ho on HomeKit and pushing forward into that market in the future. I trust Apple more than any other organization in the world

[02:26:54] to do the right thing. We're an Apple shop except for Windows. Amazon makes more money on advertising than it does on product sales. That's the fact. Yeah. So guess what? Not Google and not Amazon. Thank you very much. So using the Comet AI browser to shop is a much more pleasant experience for its user because they won't be exposed

[02:27:23] to Amazon's constant visual bullying and repeated appeals to purchase stuff. I'm a heavy Amazon user and I'm quite familiar with a need to often decline their multiple come-ons along the way to the final purchase conclusion. I mean, what about this? And how about that? Oh, you left this and you were looking at this before. What about that? It's like, just let me have the am I done yet button please.

[02:27:52] So this question of the agency of AI agents I think is very interesting and it's not at all cut and dried. For example, what if rather than using Perplexity's Comet AI browser we used an AI Chrome browser extension to do the same thing? In that scenario we would be using an

[02:28:22] authentic Chrome browser but an add-on AI agent would be viewing the pages and clicking the links and pressing the buttons on our behalf. So Amazon is attempting to tell the world that we're unable to make our lives better and easier while purchasing stuff from them? You know, they certainly wouldn't like that scenario the Chrome AI add-on because it's going to do the same

[02:28:52] thing that Perplexity's Comet AI has built in. Since the entire internet pretty much blew up over this new battle last week, I mean, it was something to see the coverage of this, and since the rights and roles of AI agents promises to be one of the critically important issues of our near future, I want to spend a bit more time on it today before we move on. TechCrunch weighed in on this with their coverage last week titled

[02:29:22] Amazon sends legal threats to Perplexity over agentic browsing. Here's what TechCrunch reported. They said Amazon has told Perplexity to get its agentic browser out of its online store. The companies both confirmed publicly on Tuesday. After warning Perplexity multiple times that Comet, its AI-powered shopping assistant, was violating Amazon's terms of service by not identifying itself as an agent,

[02:29:51] the e-commerce giant sent the AI search engine startup a sternly worded cease and desist letter, Perplexity wrote in a blog post titled Bullying is not innovation. Perplexity lamented in the blog post, quote, this week Perplexity received an aggressive legal threat from Amazon, demanding we prohibit Comet users from using their AI assistants on Amazon. This is Amazon's first legal salvo against

[02:30:20] an AI company and it is a threat to all internet users. And I, of course, I completely agree. This is important. As I noted above, the AI add-on to Chrome thought experiment demonstrates that this is a question with a very soft border. Where exactly does the AI agency begin and end? Does Amazon refuse to allow us to do anything? TechCrunch continues,

[02:30:50] Perplexity's argument is that since its agent is acting on behalf of a human user's direction, the agent automatically has the same permissions as the human user. The implication is that it doesn't have to identify itself as an agent. Amazon's response points out that other third-party agents working at the behest of human users do identify themselves. Amazon's statement explains,

[02:31:20] quote, it's how others operate, including food delivery apps and the restaurants they take orders for, delivery service apps and the stores they shop from, and online travel agencies and the airlines they book tickets with for customers. If Amazon is to be believed, then Perplexity could simply identify its agent and start shopping. Of course, the risk is that Amazon, which has its own shopping bot called Rufus,

[02:31:49] could block Comet or any other third-party agentic shopper from its site. Amazon suggests as much in its statement which also says, quote, we think it's fairly straightforward that third-party applications that offer to make purchases on behalf of customers from other businesses should operate openly and respect service provider decisions whether or not to participate, unquote. Perplexity claims that Amazon would block the shopping bot,

[02:32:19] and I'm sure they would, because, I mean, they already said cease and desist, Amazon wants to sell advertising and product placements. Unlike human shoppers, a bot tasked with buying a new laundry basket presumably wouldn't find itself buying a more expensive one, or getting lured into buying the latest Brandon Sanderson novel and a new set of earphones on sale. If all this sounds a bit familiar, that's because it is. A few months ago,

[02:32:50] Cloudflare published research accusing Perplexity of scraping websites while specifically defying requests from websites blocking AI bots. Interestingly, many people came to Perplexity's defense that time because this wasn't a clear-cut case of web crawler bad behavior. Cloudflare documented how the AI was accessing a specific public website when its user asked about that specific website. Perplexity fans

[02:33:19] argued that this is exactly what every human-operated web browser does. On the other hand, Perplexity was using some questionable methods to do that accessing when a website opted out of bots, like hiding its identity. As TechCrunch reported at the time, the Cloudflare incident foreshadowed the challenges to come. If the agentic world materializes as Silicon Valley predicts it will, if consumers and companies

[02:33:49] outsource their shopping, travel bookings, and restaurant reservations to bots, will it be in the best interest of websites to block bots entirely? How will they allow and work with them? Perplexity may be right in that Amazon is setting a precedent. As the 800-pound gorilla in e-commerce, Amazon is clearly saying that the way this should work is for an agent to

[02:34:19] identify itself and let the website decide. So, I think that what makes this such an interesting debate is that the issue is anything but black and white. What has evolved is being called the attention economy. But the commandeering of our attention comes at a cost to us, a cost that we often have no control over and might prefer

[02:34:49] not to pay. So, one reading of what is happening is that new AI agency tools are appearing which promise to return to us some of the control that's been deliberately taken away. When we visit a webpage, we're its captive audience. We're subjected to whatever it wishes to do to us. It's true that we could leave. Nothing is forcing us to remain, but there might be something there we want.

[02:35:18] If it would be possible to avoid the nonsense and get only the bits we want, that seems like a clearly pro-user thing. It's no wonder that the agent concept is appealing to people. I believe that this is critically important because the way this shakes out will determine the shape of our future. My feeling is that user rights will

[02:35:47] ultimately prevail and that Amazon and others will be forced to grin and bear it, much as websites have had to tolerate the presence of ad blockers. I mean, should a website be able to say, you can't use this browser to visit me? No. No. I mean, technically they can, they could, but should they be? I mean, it seems unreasonable. And then the next step is should a website be able to say, you can visit us,

[02:36:17] but not with an ad blocker. Websites do that all the time. Yeah. You would think Amazon would want, if I go to Amazon using an agentic browser to buy something, you would think Amazon would want me as a customer, but apparently not. And as you said, if they're actually generating more revenue from advertising than sales and what we want. Yeah, but I, but I, I suspect that that that's, I mean, they made their ad sales went up 24% last quarter. I mean,

[02:36:47] they're, they're making a lot of money in ad sales. And it, it, it's, it's product placement, right? It's like, I'm searching for this and there, there, there's four other things in front of the thing I want. Yeah. It's the Amazon picks. It's the Amazon recommends. to do. Remember when Google's page came up and it was a beautiful white page with 10 links that were actually all good. And that's all that was there. And now it's all sponsored crap. Yeah.

[02:37:17] And so that's why people want, and the other reason people use an agentic browser is I know what I want. Just go get it and look for the best price for me. It's just, it automates something that they could do by themselves, but it's a lot easier. And Amazon's also worried because when I wanted to get that inexpensive Samsung phone, I ended up buying it from Best Buy where I never go. But if I told an agent that I'm looking for this Samsung, whatever it is, get me the best price because

[02:37:46] that's all I care about. Right. My, my default is Amazon and it broke, it would have broken that default. Yeah. Yeah. Isn't that interesting? It's a fascinating story. I'm glad you brought it up and I, yeah, I'm still kind of, it's, we're in a, it's such a different world that we're living in and our rules, our, our value systems don't really extend to this kind of new world we're

[02:38:16] living in and we're not sure. Talking about, you know, automating much of what the user does. There was a beautiful article in Vox this morning. Oh, I don't have it on the tip of my tongue, but it was, it was basically, it was, it was well-written and fun about the probable form of the coming AI apocalypse. And, but they basically, you know, we're going to have

[02:38:46] our experience with computers automated for us. And I'm sorry, Amazon, but you're a target of this. You know, you have been living off of human eyeballs and humans are deciding they want to sub that out. Yeah. And you kind of, you kind of made it that way by making it so unpleasant. Yes, exactly. Exactly. We, yeah, we were a captive audience and now we found out a way, we found a way to get free and you've

[02:39:15] become dependent upon our captivity. Yep. Yep. That's what Cory Doctorow has been writing about. Mr. Gibson, you're amazing. Thank you so much for doing what you do. We really appreciate it. Steve's here every Tuesday. That's when we do Security Now, right after MacBreak Weekly, supposed to be and usually is around 1:30pm Pacific, 4:30 Eastern, 21:30 UTC. We stream live on YouTube, Twitch, X.com, Facebook, LinkedIn, and Kick.

[02:39:45] We also stream live in the Club Twit Discord. So if you're a club member, you get special behind the rope access. Please do become a Club Twit member. That helps us out a lot. It's becoming more and more important. Now one quarter of our operating expenses are paid by the club and I think that number is going to go up a lot in the next year. I'm just guessing, but I think it will. So please, you know, join the club. 10 bucks a month. You get ad free versions of this show and all the other shows we do. You get access to the Discord.

[02:40:15] You get all the special stuff we do like the AI user group. And coming up Friday, it's our photo time segment with Chris Marquardt. Next week, Micah's Crafting Corner. Twit. TV slash Club Twit. After the fact, you can get this show in a variety of places. Go to Steve's site, grc.com. He has three or four unique versions of the show. He has a 16 kilobit audio version. The impoverished audio version. For people with no bandwidth. None at all. He also has

[02:40:44] a 64 kilobit audio version. That's just fine. He has the show notes, which he really crafts beautifully. It's the best show notes I've ever seen. It's how many pages? 18 pages? I don't know what it is. 22 today. 22. So it's a book you get for free every week. And he also has transcripts written by Elaine Farris. That takes a few days after the show. Great way to search. Great way to read along as you listen or just read if sometimes it's easier to understand if you read it. That's fine

[02:41:14] too. GRC.com. Now while you're there, pick up a copy of Spinrite. You never know when somebody's going to set your NAS for RAID zero. You got to have spin. Why? I don't know. Why do we have five discs in there? Oh, that way they're faster. Right? Spinrite, GRC.com. Another thing you can do, we were talking about this whole spam thing, is because Steve has a newsletter. He sends out the show notes every week, so you don't have to go to

[02:41:44] the website to get those. You could just go to GRC.com slash email, provide your email address. The primary reason for that is to whitelist it so you can correspond with Steve, send him your picture of the week, your comments, your suggestions, your questions, that kind of thing. But there are two boxes below it, unchecked, one for the show notes, and one that you're going to want to subscribe to. He's only sent out one email in the entire time this has existed, but he promises he will only use it

[02:42:14] when there is a new product to announce, and I think we're getting close. Sounds like we're getting close to the DNS benchmark. If you've done, what is it, 62 versions? 62 releases over the course of a year. That's a lot of testing. It's going to work. That's Steve's, you know, his motto is it's going to ship without bugs. But if you, and it's going to be soon, I think. So if you want to know, check both those boxes and you'll get those emails. I'm a little annoyed too. It's a little over 200k now.

[02:42:44] How will we ever survive? I haven't made a picture that's less than 200 megabytes. I don't know what you're talking about. That is the one gift of assembler. It astonishes me how compact. You can't get smaller than that. You can't. No. That's literally the smallest way you could make a program. What else? Oh, you can go to our website and get the show. Twit.tv slash sn. We have our

[02:43:14] own unique versions. 128 kilobit audio. Don't ask. We also have video there. There's a YouTube channel dedicated to Security Now. You'll find a link at twit.tv slash sn. There's also, of course, your favorite podcast client. If you subscribe in that, you can get it automatically the minute it's available, audio or video or both. I encourage you to do that. That's the best way to keep up on what's going on with Security Now. Happy Veterans Day, Steve. And a thank you to all the veterans in our audience. There are quite a few.

[02:43:44] We appreciate your service to our country. We'll see everyone back here on the 18th. The 18th. Thanks, Steve. Take care. Bye.
