SN 1055: React's Perfect 10 - RAM Is the New Lobster
Security Now (Audio), December 10, 2025
Episode 1055
2:45:50, 152.04 MB


A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security.

  • France's Vanity Fair faces a stiff fine over cookies.
  • GrapheneOS pulls out of France over coercion worries.
  • The EU adds to the pile-on over underage social media.
  • India mandates the tracking of all smartphones.
  • Apple says no.
  • India abandons its smartphone tracking mandate.
  • India requires all encrypted messaging to be SIM-tied.
  • Scattered Lapsus$ Hunters --becomes--> SLH.
  • AI demand has driven RAM pricing sky high.
  • GRC's DNS Benchmark is finished and available.
  • Cisco may talk a good game, but they're still Cisco.
  • Browsers to ask users for local network access permission.
  • React: The worst remote code exploit in a LONG time.

Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

[00:00:00] It's time for Security Now. Steve Gibson is here with lots of security news. Apple says no, India says yes. Scattered Lapsus$ Hunters has a new name. RAM prices going through the roof. And Steve's announcing a new product, finally available for sale as of today. All of that and the worst code exploit in a long time. Next on Security Now.

[00:00:31] Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1055. Recorded Tuesday, December 9th, 2025: React's Perfect 10. It's time for Security Now, the show where we cover your security, your privacy, and all the exciting attacks that are happening on the internet today.


[00:01:31] ...which is titled "React's Perfect 10" because, oh yeah, we'll get into what React is, and "perfect 10" was actually a quote from one of the security people who said, oh, this is really... the bad guys are going to be feeding off this one for quite a while. But we're going to talk about

[00:01:55] of course, a bunch of other stuff first. France's Vanity Fair facing a stiff fine over what they did with cookies, and they didn't eat them. GrapheneOS, speaking of France, is pulling out of France over, like, bad behavior of French authorities thinking that they can, I guess, bully these guys because they're not Apple or they're not Google. So let's, you know, let's pound on the small

[00:02:23] open source guys. So they're saying, no thanks, we're leaving. The EU is adding to the pile-on over underage social media, and I thought you guys over on MacBreak had a great conversation about all this, Leo. That was, you know, I mean, we're all pretty much on the same page with all of this, right? I mean, why wouldn't we be, because it's kind of... there is a right answer. Also, boy,

[00:02:50] India was busy, and I think you guys talked about that a little bit too. I don't know what has happened in India, but they mandated the tracking of all smartphones. I heard you guys talking about GPS, which I didn't pick up on. Then Apple said no, then India changed their mind. It's just, what's the rule today over there? But apparently, and they haven't backed down, they're

[00:03:16] also going to require all encrypted messaging to be SIM-tied. So there's another thing; we'll talk about that. Scattered Lapsus$ Hunters, the infamous and unfortunately quite well known and quite successful bad guy group, they've got an initial now, instead of having to say Scattered Lapsus$ Hunters and

[00:03:38] not remembering who they are. Also, non-security related topic: AI demand driving RAM pricing through the roof, to the point where there's no fixed pricing. It's like, well, what does the lobster cost today? So, okay. I'm going to talk a little bit about the DNS Benchmark, which went on sale

[00:04:01] on Friday after it was, like, done. And I'm so proud of what it ended up being. Also, we've got a couple pieces of feedback, one about Cisco talking a good game, but they're still Cisco. Also browsers, this is from Chrome, going to be asking users for access to their local networks, and why that's

[00:04:28] just not gonna be... I mean, it's better than nothing, which is what we've had so far, but oh boy. And then finally we're going to do a deep dig into what is with React, and what happened, and what does this mean. So I think, maybe, you know, it's going to be okay. We're working on it. We're getting better with age. 20 years we've been doing this show, getting the hang of it. All right, we will get to

[00:04:57] You forgot the Picture of the Week. Coming up. Oh no, I haven't seen it. This one had an unfortunate caption. This one, I struggled for the caption on this one. I had to show it because it's such a fantastic picture, but I thought, how can I, like, give it some context? I tried. Well, all right, we'll let our listeners judge how I did, and maybe they'll come up with something. You never know. Maybe. Of course we

[00:05:21] got... Of course they will. You bet you. Our show today brought to you by, oh, you know this name, 1Password. It's easy to assume that being small means flying under the radar. The reality is small businesses are being targeted more and more by bad actors. You thought you were immune, right? Cybercriminals know that lean teams often lack the resources to prevent or respond to a breach.

[00:05:46] In short, the bad news is teams of any size can be a target. The good news is even the smallest teams can foil cybercrime. 1Password provides simple security to help small teams manage the number one risk that bad actors exploit: weak passwords. 1Password provides centralized management to make sure your company's logins are secure. It's a simple turnkey solution that can be rolled out in hours,

[00:06:12] whether you have a dedicated IT staff or not. And however complex your security needs may get, 1Password will stay with you every step of the way. A password manager should be the first security purchase you make for your team. I really believe that. Small businesses need to plan for the worst case scenario and guard against cyber attacks right from the start. For small teams, responsibility for security often defaults to a single employee, often one who's already juggling other business functions.

[00:06:42] Yeah, yeah, Sally down the hall, she's the one in charge. The most effective security solutions have to be intuitive. They also have to be user friendly, because, you know, if it's not easy to use, people won't use it. You want everyone at your company to use 1Password. 1Password's Enterprise Password Manager helps your company eliminate security headaches and improve security by identifying weak and compromised passwords and replacing them with strong, unique credentials. And don't let 1Password's

[00:07:11] name fool you. They're not just a password manager. 1Password EPM, extended password management, lets you securely store and share developer secrets and other sensitive data, and helps streamline the transition to passwordless authentication by transitioning to passkeys. Love that. With 1Password's simple automated workflows, your team can enforce security compliance and prevent breaches, and potentially

[00:07:38] preventing millions of dollars in losses. It's the single most impactful investment you can make in your company's security. Unfortunately, it's not expensive and it's easy to implement. Take the first step to better security by securing your team's credentials. Find out more: 1password.com/securitynow, and start

[00:07:59] securing every login now. That's 1password.com/securitynow. Thank you so much for supporting Steve and Security Now. And Picture of the Week time, Steve. Okay, so I gave this pair of pictures the caption: "Each year we jump through more hoops to increase our security. It's become a lot. How much does all that really help?" Okay, so

[00:08:29] that's the caption for two frames. The frame on the left shows an opening with a, you know, a red rope line, and the caption "Google when hackers try to hack my account." In other words,

[00:08:51] okay, not that difficult, right? And then the right one shows... it is titled "Google when I log into a new device," and this one, I didn't see the guard dog with its teeth out down in the lower right initially. So this one looks like something that Maxwell Smart would have confronted back in

[00:09:17] the day. It's got chains and locks and slide bars and triple hinges and a keypad and a thumbprint reader on there, meaning God help you if you have to get through this door. It's going to take you an hour to unlock and deal with everything. And of course the gist of this is something that we do feel,

[00:09:45] which is, you know, accounts are still being hacked, passwords are being obtained, people are still getting hacked, yet we're doing all this more stuff. I mean, I have to say, Leo, I love the one-time password idea, but it gets a little tiresome after... it's like, okay,

[00:10:14] hey, you know, again. Yeah, fine, three two six two nine four. It's like, okay, you know, and then again, again. So it's like, so I look for those check marks: yes, I trust this device, leave me logged in, please remember that I've been here so that you'll believe me next time with less rigmarole. Which is not to say, I believe me, I like one-time passwords. All of this is good. One of

[00:10:43] the strongest measures... one of the strongest improvements is they should... you be remembered at this browser, because no bad guy can be remembered as you if they've never logged in as you before from, you know, some foreign country. So it's really good protection, but yes, it is annoying.

[00:11:11] "Google when I log into a new device." Google's doing the right thing. You know, we've never seen you logging in through this device before, so we need a blood sample. That's going to be good. But you know, you're going to end up being drained if you do it too often. So, okay. We've

[00:11:34] noted before that regulations that are not enforced will often simply be ignored. In fact, I could probably more strongly say will be ignored until they're enforced, because it's like, yeah, you know, it's the equivalent of that annoying high school tough guy whose favorite retort was, "Oh yeah? Make me." It's like,

[00:11:56] yeah, fine. And in the news is that the French edition of the Vanity Fair website, at vanityfair.fr, had their bluff called, to the tune... and it's an expensive call for a cookie: 750,000 euros. So that'll get your attention. And you think, wow, isn't that a pretty stiff penalty for

[00:12:22] just, like, some problem with cookies? The company Les Publications Condé Nast publishes printed and online magazines, including the Vanity Fair magazine. Six years ago, okay, six years ago, way back in December of 2019, the CNIL, which is the abbreviation, you know, it's in French, for France's data protection agency,

[00:12:49] received a public complaint. So the agency received a complaint from the association noyb, which is Europe's center for digital rights, and it doesn't actually stand for "none of your business," but it's a great abbreviation for noyb. So noyb, which does not stand for "none of your business," but it's too bad it

[00:13:16] doesn't, complained to CNIL, France's data protection agency, about cookies being placed on the devices of users visiting vanityfair.fr. This was happening without any user notification or permission. After several investigations and discussions with CNIL, Condé Nast, the parent, received an order to comply

[00:13:42] in September of 2021. So first of all, almost, you know, almost two years, right? December '19 this began, December 2019 this began, September '21, nearly two years later: finally, fine, you've got to remove your cookies, fix your cookies, because your cookies are not working right. And then the proceedings were closed

[00:14:08] in July of 2022. Now, it's not clear whether the proceedings were closed the next summer after verification that Condé Nast and their vanityfair.fr site was doing the right thing or not. Would have closed a year later in July. And also in November of 2023, then again in February of '25,

[00:14:33] the CNIL carried out further online investigation. So it sounds like they just assumed Condé Nast would take care of this, get it done, following the order, after all these two years of negotiations. I don't know what you have to negotiate over a cookie, but okay. So CNIL went back and looked, and what do you think they found? Based on their findings, the restricted committee, as it's known,

[00:15:03] which is the CNIL body responsible for issuing sanctions, considered that the company Les Publications Condé Nast had failed to comply with the obligations of Article 82 of the French Data Protection Act and imposed that fine of, I mean, 750,000 euros. The amount of the fine is intended to

[00:15:29] take into account the fact that the company had already been issued with an order to comply. It couldn't have come as a surprise after nearly two years of discussion about whether we're going to receive an order or not, and after which they did, but apparently just blew it off. As well as, the other thing factored into this 750,000 fine is the number of people likely to have been affected by

[00:15:58] this misbehavior of their cookie policy and the various breaches of the rules protecting users with regard to said cookies. So, you know, no one's going to shed a tear here except some accountant at Vanity Fair. If it wasn't... you know, and again, it wasn't as if the fine could have shocked anybody.

[00:16:22] They were very clearly told what they needed to do, and they apparently just blew off CNIL, saying, yeah, you know, everybody else does it. So, you know, I would imagine that someone's going to lose their job, or maybe a team, whoever is in charge of cookies over at vanityfair.fr. Three quarters of a million euros, which could have been easily prevented. I mean, what everybody else does is bring up a little cookie

[00:16:51] banner and say, hey, we want to store some stuff on your computer, just tell us it's okay, click here. But apparently either they didn't do that, or they did and they didn't honor it. Who knows. Anyway, so I hope everybody else sees this, that when CNIL says you're in breach of our regulations... Of course, this is against the backdrop of this whole wacky model of cookie management getting ready to change

[00:17:20] because the GDPR is being updated. And so we have California now and the EU both saying browsers need to accept a setting from their users, transmit that setting to everywhere they go, and everywhere they go needs to honor what the user has said they want. So, but you know, that was 10 years ago, right, that all

[00:17:46] that came into place, and so it's going to take a while for all this to catch up and change. Meanwhile, the very nice Android alternative, and I think you were just talking about it last week or the week before, Leo, GrapheneOS, which is an Android-compatible, API-compatible, or, yeah, right, Android alternative,

[00:18:10] API-compatible. They recently posted on X that they're leaving France due to a new French law that would mandate breaking their encryption. Obviously, no. So they posted: "We no longer have any active servers in France and are continuing the process of leaving OVH." OVH is a French cloud hosting company which they've

[00:18:40] been using. They said: "France is no longer a safe country for open source privacy projects. They expect backdoors in encryption and for devices too. Secure devices and services are not going to be allowed in France. We don't feel safe using OVH for even a static website, with servers in Canada and the US via their Canada

[00:19:09] / US subsidiaries. We were likely going to release an experimental Pixel 10 support very soon, but that's getting disrupted, so that'll be delayed." They're saying: "The attacks on our team with ongoing libel and harassment," and they're talking from the French authorities, from French law enforcement, they're being harassed, "have escalated. Raids on our chat rooms have escalated, and more. It's rough right now, and support

[00:19:39] is appreciated." So it appears that GrapheneOS believes that they may have already been compromised, because they also posted: "We'll be rotating our TLS keys and Let's Encrypt account keys pinned via account URI. DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now." So

[00:20:08] that, you know, the reason you rotate keys is you worry that they could have been compromised, that your keys could be in somebody else's hands, meaning that TLS and your Let's Encrypt domains and your DNSSEC security, you know, is not as sure as you'd like it to be. So they're going to change all their keys after completely

[00:20:33] excommunicating themselves from any dependence on France-based servers. Now, in the thread that followed, a more lengthy... which was a much more lengthy posting on X, which I won't bother everybody with, where they go into all the details of what's going on and the way they're going to

[00:20:55] be moving, someone named Lars posted: "I'm a lead developer for a hosting company in Denmark. We do not have any back doors or political influence. Company will never have any back doors or anything that's not illegal for normal fax. We definitely do not ask questions."

[00:21:24] Which, and this was posted, you know, offering the option of some assistance or an alternative to the GrapheneOS guys, in the reply thread to their posting. Whereupon the GrapheneOS guys said: "We appreciate it, but unfortunately we'll likely have issues in Denmark too due to their push to outlaw encryption without back doors. We'll hopefully still be able to operate in the EU in

[00:21:54] general, but we want to avoid Chat Control supporting countries due to this experience. GrapheneOS is not based in the US and is a non-profit open source project. We're leaving France because we don't trust that French law enforcement won't coerce OVH to do something after a judge signs off based on falsehoods.

[00:22:20] We've been subject to attacks by law enforcement on GrapheneOS, including many false claims and also direct threats." Jeez. So, reading between the lines, it sounds as though authorities with French law enforcement have demanded that GrapheneOS unlock some suspected criminals' handsets, and GrapheneOS

[00:22:46] has tried to explain that they do not have that capability. They wrote: "It's not possible for GrapheneOS to produce an update for French law enforcement to bypass brute force protection since it's implemented via the secure element." So, you know, again, that sounds like French law enforcement is saying, you need to help

[00:23:11] us brute force open these locked smartphones that are running your OS. GrapheneOS said: "The secure element also only accepts correctly signed firmware with a greater version after the owner user unlocks successfully." So someone may have been suggesting a downgrade attack, where you deliberately

[00:23:35] load older GrapheneOS software onto the device in order to bypass some of the later protections, and they're saying, sorry, that's been accounted for in the design of this. Can't do it. They wrote: "We would have no legal obligation to do it even if we could, but it's not even possible. We have a list

[00:23:59] of our official hardware requirements, including secure element throttling for disk encryption key derivation." Okay, meaning that the secure element throttles brute force attacks, making them impractical, and that's in the hardware, and there's nothing they can do to get around it.

[00:24:20] "Secure element throttling for disk encryption key derivation, combined with insider attack resistance," and they wrote, "and they aren't blaming Google for this design." Meaning they're saying that GrapheneOS is at fault for making it brute force impossible, but it's actually Google,

[00:24:42] a lot of people whose engineering did this properly, because users don't want their smartphones to be hacked. And they finish saying: "In Canada and the US, refusing to provide a PIN and password is protected as part of the right to avoiding incriminating yourself. In France, they've criminalized this part of the

[00:25:06] right to remain silent. Since France has criminalized the refusal to provide a PIN, why do they need anything from us?" Which, that's some good logic. And of course we don't know anything about what the French authorities believe might be on a criminal's confiscated GrapheneOS-based smartphone, but we certainly know why a suspect

[00:25:31] might choose not to share their password with the authorities, right? We talked about that trade-off ages ago, back in the context of TrueCrypt's early whole disk encryption, which was designed by cryptographers who knew how to completely and correctly protect a hard drive's data. It was effectively and

[00:25:57] practically not brute force crackable, because it was done right. The bad guys might very well have horribly incriminating material stored on a TrueCrypt'd drive, so they would much rather face some charges, whatever they may be, for not providing their password than provide the password and have authorities learn firsthand just how criminal they were.

[00:26:28] So I doubt that law enforcement authorities will ever accept, you know, ever in the future of humanity, accept the truth of being unable to unlock an encrypted device or spy on encrypted communications. They just, you know, they know the data is there. They want it. So, you know, I'm sure they believe that they should have the right to see

[00:26:56] inside anything they choose, under the logic of, after all, they're the good guys, right? Of course, we know that the EFF would beg to differ. So there's that. But it's also happening in the EU, and Leo, I know you talked about this over on MacBreak. Here we are, it is December 9th.

[00:27:19] We are on the literal eve of the Australian law to ban the use of social media, all social media, by anyone younger than 16. As we know, this effectively requires anyone who does wish to continue using any social media to arrange to prove that they are at least 16 years old. If that wasn't the requirement, then somebody who

[00:27:48] was 14 could say, yeah, I'm an adult. Okay, so, you know, the onus has been placed, unfortunately, on the social media providers to prevent the use of their systems by anyone younger than 16. So we're recording this on December 9th, and tomorrow, of course... sorry, it's already December 10th in Australia. So, right, it's going on now, I guess. Right. Which is always weird. Why does it turn

[00:28:16] next year in New York before it turns... I don't get that, Leo. But, you know, we're not a flat Earth. We are a spinning globe, and, you know, it would be weird if it was midnight in the middle of the day. Yeah, yeah. So that wouldn't work either. So what's different here? What's happening now in

[00:28:41] Australia is countrywide, and that's the difference. To, you know, and actually saying that the whole world is watching is not an exaggeration. On Sunday, today's Tuesday, so two days ago, on Sunday, the New York Times piece was titled "A Grand Social Media Experiment Begins in Australia," with the tag

[00:29:07] "The country is trying to wean children under 16 off the likes of TikTok, Snapchat, YouTube and Instagram with a new law. The teenagers are skeptical," the New York Times said. Saturday, the BBC's headline was "Can You Ban Kids From Social Media? Australia Is About To, But Some Teens Are a Step Ahead."

[00:29:32] I read the BBC piece. Kids are still using... or, I'm sorry, are using still photos of their parents, or VPNs. Surprise. UNICEF in Australia just has a piece titled "Social Media Ban," that was their title, and they summarize their position by writing, and this is UNICEF writing: "From 10 December 2025,

[00:30:00] anyone under 16 in Australia won't be able to keep or make accounts on social media apps like TikTok, Instagram, YouTube, Snapchat, X, Facebook and more." There's 10 total. "The rule doesn't punish young people or their families. Instead, social media companies have to stop under-16s from having accounts

[00:30:25] or risk serious fines." And the fines are up to 50 million Australian dollars, about 35 million US. They said: "The new law is meant to make things safer online, but UNICEF Australia believes the real fix should be improving social media safety, not just delaying access." And then, for their part, the Guardian

[00:30:52] headlined their piece "Everyone Will Miss the Socializing, But It's Also a Relief." They said: "Five young teens on Australia's social media ban." And it was an interesting article. They said: "Australia's world-first social media ban for under-16s will begin in just a few days." This is written on

[00:31:15] the weekend. "Malaysia, Denmark and Norway are to follow suit, and the European Union last week passed a resolution to adopt similar restrictions. As the world watches on, millions of Australian adolescents and their parents are wondering just what will actually change come 10 December." And NPR had

[00:31:41] a piece as well. As I said, everybody's like, okay, these guys are going first. What's going to happen? So it's going to be interesting to see, right, how all this pans out. As I said, the economic fine for repeated failure to enforce is 50 million Australian dollars, 35 million US. So that's not nothing. But there's also, of course, reputational damage. Anybody who screws this up is going to be in

[00:32:09] the news because everybody's watching. So it's clear that the 10 affected social media platforms can't ignore this and do nothing. And we know that, you know, the claim of being old enough, that no longer washes. We were all happily using that for the last 20 years, but no more. So, you know, they're going to need to adopt what, some lame measure that allows them to avoid penalties

[00:32:38] while kids gleefully work around and, you know, spoof the proof of age, which is what's going to be happening a lot. And, you know, I mean, classrooms will be buzzing. Everyone will be talking about how they did it. There was, in the BBC piece that interviewed five teens, one 13-year-old said she just took a picture of her mom and showed it that, and it said, okay, go ahead. So, you know, my feeling is that

[00:33:06] there was probably no way to avoid the present mess that the world is about to endure. And a mess it's going to be. As we know, change is difficult even when everyone is pulling in the same direction and wants it. But change when the platforms and their users all want to leave things the way they are, and only some

[00:33:29] unseen government legislators and their regulators want to force change, it's just bound to be a mess. I, of course, hope that some good technology will eventually step into the gap to provide privacy-respecting age verification, but we don't have that yet, and we don't even appear to be close, since the handset makers are very much strongly in the "we don't want this to be our problem" camp,

[00:33:59] although I think that's exactly wrong. I think, you know, that's the point of contact between the user and the technology, is the handset. And I get it that Apple doesn't want to do this, but they're inching towards it. As you know, we've covered various of those measures, as is Google. So I think they probably know that ultimately they're going to need to be the place where this decision gets made. It is

[00:34:25] the right place. It's the logical place for it to be. And on the eve of this first countrywide event, I wanted to also note that the EU is now making much the same noise, which one of those articles talked about. And also, whereas Australia's human, which is to say non-kangaroo, population is about 27 and a half

[00:34:48] million, the total population of the EU's current 27 member states is around 450.5 million. So a huge population. The European Parliament News recently posted a piece with the headline "Children Should Be at Least 16 to Access Social Media, Say Members of the European Parliament." Those are members of the

[00:35:17] European Parliament. MEP is an acronym: MEPs. However, things may be better in the EU from a privacy and accuracy standpoint. At least we can hope. A vote was held two weeks ago, two weeks ago Wednesday, where the members of the European Parliament, these MEPs, voted to adopt a non-legislative report

[00:35:42] by 483 votes in favor, 92 against, and 86 abstentions. The report and their votes expressed deep concern over the physical and mental health risks minors face online and called for stronger protection against the manipulative strategies that can increase addiction and that are detrimental to children's

[00:36:05] ability to concentrate and engage healthily with online content. So here's the part that caught my eye in that EU's adopted reporting. They wrote, just, it's a short paragraph: "Expressing support for the Commission's work to develop an EU age verification app and the European Digital Wallet," the eID wallet,

[00:36:30] "MEPs insist that age assurance systems must be accurate and preserve minors' privacy," which is to say everyone's privacy, right, because again, you need to assert that you're not a minor and you'd like your privacy protected. It's funny how... no one really latches onto that in any of this reporting. "Such systems do not relieve platforms of their responsibility to ensure their products are safe and

[00:36:59] age appropriate by design," they add. But, you know, so these guys may be moving forward in the right way, and with 450 million users and steena over there in the EU, and it just not being a hard problem to solve if you want to solve it, I'm hopeful. So, you know, the idea that that Commission would be pressing

[00:37:24] for an EU age verification app, that's really good news. Given some means for establishing an individual's date of birth, which we know that may be the European digital identity, that date can easily be protected inside the device, while simple assertions of "older than X" are then trivial to generate with

[00:37:52] total security and anonymity. As I said, crypto can do this without breaking a sweat. So my takeaway here is that, yes, we're about to descend into some extremely messy, chaotic times, but, you know, given the kicking and screaming by the platforms and their users, this was inevitable, given that the legislators are just barreling ahead without any solution, to the "well, we'll let other people solve

[00:38:19] the problem" approach. So the right people understand the concepts of accurate privacy-preserving solutions, and they know this is possible. So I doubt that the world's gonna have to wait that long, and that we're eventually going to finally obtain a good solution. And I know, Leo, you guys were talking about it over

[00:38:39] MacBreak Weekly. The loss of absolute unaccountability is going to be mourned by some, but, you know, Jason was talking about the loss of privacy. That's just interim. We can do this without any loss of privacy. Yes, you will

[00:39:03] have to identify yourself in order to securely embed your date of birth in the device, but once that's done, all the people using it... that's the real difference here. We do not want to have to be showing a driver's license individually to every website we visit. You're going to have to show it

[00:39:27] once to your device and then be biometrically locked to that, so that it knows you, that you didn't use your license for a friend's phone in some fashion. So, you know, it needs to be done right, but it can be. And once that's done, then that strongly constrains any further dissemination of privacy loss. That's where we're going to end up being. So it'd be fun to watch

[00:39:57] it here on this podcast as it happens, and it'll be fun for me to take a sip of coffee, Leo. Well, that we can arrange. I don't know if we can help with the other one, but I think we can arrange, we can at least be here cheering. Yes. Our show today brought to you by Veeam. Oh, you need to know about Veeam. When your data goes dark, Veeam turns the lights back on. Veeam keeps enterprise businesses running when digital

[00:40:24] disruptions like ransomware strike, and you know ransomware is just out there waiting to strike. How? Well, by giving businesses powerful data recovery options that ensure you have the right tool for any scenario: broad, flexible workload coverage from clouds to containers and everything in between. With Veeam you get full visibility into the security readiness of every part of your data

[00:40:51] ecosystem; tested, documented and provable recovery plans that you can deploy with the click of a button. How's your recovery plan looking? That's why you need Veeam. If you're out there in the world and you're not prepared, you need Veeam. Veeam is the number one global market leader in data resilience; that's the term. Just call them the global leader in helping you stay calm under pressure. That's the

[00:41:16] offer with Veeam. It's all good. Keep your businesses running at veeam.com, V-E-E-A-M dot com. All right, back to Steve. So this is such a weird path. Staying with the topic of government legislators seemingly all simultaneously losing their

[00:41:42] multi-decade shyness toward legislating our use of personal technology, which sort of seems to have happened globally all at once, we have the news that the government of India intends to verify and record every smartphone in use by their citizens.

[00:42:09] That was essentially TechCrunch's headline last week, under which they wrote: The Indian government is widening the scope of its anti-theft and cybersecurity initiative to cover both new and used smartphones, an effort aimed at curbing device theft and online fraud, but a move that's also raising fresh privacy concerns. Yeah, no kidding. They wrote: As part of the expansion, the Indian

[00:42:38] telecom ministry is requiring companies that buy or trade used phones to verify every device through a central database of IMEI numbers. This comes in addition to a recent directive, get this, ordering smartphone manufacturers to pre-install the government's Sanchar Saathi app on all new handsets and push it

[00:43:06] onto existing devices through a software update. Ordering smartphone manufacturers to do that. Uh-huh. Good luck with that. Yeah. In other words, India is now requiring all handset makers both to pre-install a state-mandated app and also to retro-install the app into all existing devices.

[00:43:34] TechCrunch continues, writing: Reuters first reported the news on Monday, which was later confirmed by the ministry in a public statement. So the ministry said, yep, that's right, got to do that. Launched in 2023, the Sanchar Saathi portal allows users to block or trace lost and stolen phones. The system has blocked,

[00:43:59] I was a little surprised by these numbers, Leo, the system has blocked more than 4.2 million devices and traced 2.6 million more devices, per government data. India is a big country, and there's hundreds of millions of cell phones in use, so, yeah. Yeah. The system expanded earlier this year with the release of a

[00:44:23] dedicated Sanchar Saathi app in January, which the government says helped recover more than 700,000 phones, including 50,000 in October alone. Wow. So I guess they've got a smartphone theft and reuse problem, and they're taking steps. TechCrunch said the Sanchar Saathi app has since gained broad adoption.

[00:44:53] The app has been downloaded nearly 15 million times and saw more than 3 million monthly active users in November, up more than 600 percent from its launch month, which would have been 2023, according to marketing intelligence firm Sensor Tower. Web traffic to Sanchar Saathi

[00:45:14] has also surged, with monthly unique visitors rising more than 49 percent year over year, per Sensor Tower data shared with TechCrunch. So, okay, up to this point it appears that the choice to have one's smartphone protected with this tracing and recovery app has been the user's.

[00:45:37] But TechCrunch explains what's changed. They wrote: The government's order to pre-install Sanchar Saathi has already drawn significant backlash from privacy advocates, civil society groups and opposition parties. Critics argue the move expands state visibility into personal devices without adequate safeguards.

[00:46:01] The Indian government, however, says the mandate is intended to address rising cases of cybercrime, such as IMEI duplication, device cloning, fraud in the second-hand smartphone market and identity theft scams. Responding to the controversy, the Indian telecommunications minister said Tuesday that Sanchar Saathi is, quote, "a completely voluntary

[00:46:28] and democratic system," unquote, and that users can delete the app if they do not wish to use it, which again sort of flies in the face of the other things that were previously said. The directive, reviewed by TechCrunch and circulating on social media on Monday, instructs manufacturers to ensure the pre-installed app is, quote, "readily visible and accessible to end users at the

[00:46:58] time of first use or device setup," and that its functionalities "are not disabled or restricted," unquote, raising questions about whether the app is truly optional in practice. India's deputy telecom minister said in media interviews that most major manufacturers were included in the government's working group on the initiative.

[00:47:22] The move would mark a significant step toward creating

[00:47:52] a nationwide record of smartphones in circulation. India's used smartphone segment is expanding rapidly as rising prices of new devices and longer replacement cycles push more customers toward cheaper alternatives. India became the world's third largest market for secondhand smartphones last year, in 2024,

[00:48:16] but as much as 85 percent of the secondhand phone sector remains unorganized, meaning most transactions occur through informal channels and through brick-and-mortar stores. 85 percent! So only 15 percent are being, you know, formalized and tracked. The government's move covers only formal re-commerce and trade-in platforms, leaving much of the broader used device market outside the scope of

[00:48:46] the current measures. Well, unless manufacturers are going to be back-installing this thing in any software updates, which may still be happening on remarketed phones anyway. TechCrunch said: While announcing the pre-installation of its app, the Indian government said the move would

[00:49:08] help enable, quote, "easy reporting of suspected misuse of telecom resources," unquote. Privacy advocates say that the growing data flows could give authorities unprecedented visibility into device ownership, raising concerns over how the information could be used or misused.

[00:49:29] The head of programs and partnerships of the Toronto-based non-profit policy lab Tech Global Institute told TechCrunch, quote: "It's a troubling move to begin with. You're essentially looking at the potential for every single device being databased in some form, and then what uses can that database be put to at a later date? We don't know."

[00:49:57] The Indian government has not yet detailed how the collected data will be stored, who will have access to it, or what safeguards will apply as the system expands. Digital rights groups say the sheer scale of India's smartphone base, estimated, to your point, Leo, at some 700 million devices, yeah, means even administrative changes can have outsized consequences, potentially setting precedents that other governments

[00:50:26] may study or replicate. Quote: "While the intent behind a unified platform may be protection, mandating a single government-controlled application risks stifling innovation, particularly from private players and startups who have historically driven secure, scalable digital solutions," said the director of the New Delhi-based technology think tank Esya Centre.

[00:50:55] "If the government intends to build such systems, they must be backed by independent audits, strong data governance safeguards and transparent accountability measures. Otherwise the model not only puts user privacy at stake but also removes fair competition for the ecosystem to contribute and innovate." Right. If the government's already got that locked up, then third parties need not apply. How can they compete?

[00:51:24] The Indian telecom ministry did not respond to TechCrunch's requests for comment. While the Sanchar Saathi app is visible on a user's phone, the broader system it connects to operates largely out of sight. The permissions, its data flows and back-end changes, including the planned API integration, may be buried in long terms-and-conditions documents that most people never read

[00:51:54] or even see, he said. As a result, users may have little practical understanding of what information is being collected, how it is shared, with whom it's shared, or the extent of the system's reach. Quote: "You can't go about restricting cybercrimes and device thefts in such a disproportionate and heavy-handed way," boy, is that a common theme, he said. "The government is basically saying that, look,

[00:52:20] you need to put my app on every device that's sold, on every existing device you have to install it, and on anything that's being resold as well," unquote. So, wow. I think they felt the pressure, because this is a press release from the Department of Telecommunications in India. Yes, they gave up. Yes, and in fact I've got that after I tell you what Apple said. Yeah, I wasn't too happy about it. I know that.

[00:52:50] So on a practical side, we know about the tyranny of the default, right? If the app is pre- and post-installed, a great many more people will end up using it, way more than 15 million recent downloads. There's 700 million phones in circulation. Most people will not remove it. They'll just assume, oh, whatever that is,

[00:53:14] it's, you know, it's good for me. And it's not completely clear whether removal will even be an option, since the Indian government's intention looks to be more aimed at assuring that all smartphones participate. And of course one wonders what Apple, right, would think about such a mandate. On the other hand, India is now producing Apple smartphones, so who knows. Well, it turns out Apple does indeed say no.

[00:53:42] I dug around some more and discovered, to no one's surprise, Apple does not plan to abide by India's order. The India Times headline was, quote, "Apple to resist DoT order," that's India's Department of Telecom,

[00:54:03] "to preload state-run Sanchar Saathi app as political outcry builds." And then we get a little bit more interesting information about disabling or removing that makes somewhat more sense. The India Times wrote: Apple does not plan to comply with a mandate to

[00:54:26] preload its smartphones with a state-owned cyber safety app and will convey its concerns to New Delhi, three sources familiar with the matter said, after the government's move sparked surveillance concerns. The Indian government has confidentially ordered, although it didn't stay secret, of course; you can't with those sorts of things, confidentially ordered companies including Apple, Samsung and Xiaomi

[00:54:53] to preload their phones with an app called Sanchar Saathi, which in English means Communication Partner, within 90 days. The app is intended to track stolen phones, block them and prevent them from being misused. So that was news. "Will block them," meaning that the government

[00:55:19] can prevent a phone from operating. I didn't pick up any of that in the previous reporting, so, you know, you would call that a biggie. That suggests that this Communication Partner app would have the ability to shut down a phone, and if that's the case, it's no wonder that Apple is saying, uh, no thanks. The reporting continues from the India Times, writing: Reuters was the first to report on Monday

[00:55:46] that the government also wants manufacturers to ensure that the app is not disabled. Also, for any devices already in the supply chain, manufacturers should push the app to phones via software updates. The telecom ministry confirmed the move later, describing it as a security measure to combat serious endangerment of cybersecurity, but Minister Modi's political opponents and privacy advocates criticized the move,

[00:56:14] saying it is a way for the government to gain access to India's 730 million smartphones. So anyway, I'm going to skip the balance of this. Basically a bunch of opinions were polled by Reuters talking about it, you know, being more than a sledgehammer; it's more like a double-barrel shotgun,

[00:56:39] and someone saying that there's no way Apple would ever agree to do this, and in fact we know that that's the case. So following on the heels of that, as you said, Leo, India decided, okay, I guess that's not going to fly. They backpedaled on their requirement. Their official press release from

[00:57:03] the Ministry of Communications, which you had on the screen, proclaims across its top: "Government removes mandatory pre-installation of the Sanchar Saathi app." So it turns out that the government changed its mind two days after the announcement, following extensive public criticism of what everyone was concerned was veiled surveillance. And I decided to keep that original reporting in place for the podcast

[00:57:32] because it's still useful to understand what's in the air, and this is in the air. You know, India may not be done meddling with communications, because the India Times also had a headline: "Why your WhatsApp Web may now log

[00:57:54] out every six hours." India's Department of Telecommunications said, all right, I'm sorry, the India Times is quoting them, saying in their story: Due to a new directive from the Department of Telecommunications, WhatsApp Web will automatically log out its users every six hours. Under the new rule,

[00:58:22] the Department of Telecommunications requires messaging apps, including WhatsApp, Telegram and Signal, to implement SIM binding, in other words, linking of the users of services to the SIM card used for registration via its IMSI identifier. If the original SIM is not present, access to these apps will be blocked

[00:58:50] 90 days from the directive's issuance. So there's a 90-day, you know, get-up-to-speed period from the publication of the directive. Within 90 days this technology has to be in place for all text messaging apps. And, you know, whereupon I think, well, good luck telling Signal's Meredith Whittaker

[00:59:15] that you're requiring Signal to bind to specific SIM cards. As we know, Signal has historically been bound to a user's phone, but there's no way that Signal would be modifying their app if it meant the slightest reduction in the privacy of their users. And if this move, you know, did not represent some enhanced form of

[00:59:38] government control, then why would India be mandating this change at all? Okay, but there's more. The India Times explains: Under the same directive, web versions of these applications will log their users out periodically, no later than every six hours, and force a re-authentication via a QR code scan.

[01:00:05] A user logs into WhatsApp Web through a browser by scanning the QR code through the phone application. According to the authorities, this is to curb cyber fraud by preventing misuse of apps without active SIMs, often by scammers operating from abroad. Platforms are required to comply within 90 days and submit reports

[01:00:30] within four months, potentially by around February of next year. The rules will apply to WhatsApp, Telegram, Signal, Snapchat and other OTT, you know, over-the-top, messaging platforms operating in India. Users are likely to face workflow disruptions, especially multi-device professionals and travelers, and small businesses

[01:00:53] that rely on shared devices. WhatsApp has 500 million Indian users, and a major chunk of its business users are also in the country. One user wrote on X: "SIM binding rule shall be a major disruption for professionals and businesses using web accounts of WhatsApp etc. It won't eliminate the fraud completely,

[01:01:17] as SIM cloning and SIM spoofing will still work." While a section of the tech industry believes that the DoT might have breached its regulatory mandate, officials clarified that the directions issued to the apps are within the purview of telecom cybersecurity rules. An official told the India Times, quote, "It's only for the

[01:01:39] entities that use telecommunication identifiers like a mobile number for their services. If they don't want to do the SIM binding, they should not use the mobile number as an identifier," unquote. Industry representatives also question the effectiveness of SIM binding in curbing fraud originating outside India, noting that

[01:02:03] scam operators can still obtain Indian SIMs through mules or remote devices, while a significant volume of fraud originates within the country. So, you know, we really appear to be entering a period where government legislators are feeling increasingly empowered, Leo, to dictate the operation of the personal communications

[01:02:27] devices operating within their jurisdictions. And I found no indication yet that India will be backing down from this latest, you know, SIM binding deal on messaging platform apps. Yeah. Wow. So what do you think that's about? I mean, that's just like

[01:02:51] tying... like, no, WhatsApp, honest, WhatsApp is based on your phone number, right? Because we have a story... Not anymore. It used to be, but it no longer has to be. Okay. Because we had that story that we talked about last week where there was no rate limiting on brute forcing WhatsApp Web to look up people's identities, right, just by trying every possible phone number. Right. I guess you do have to

[01:03:19] submit a phone number. Your ID can just be like, my ID on WhatsApp is leolaporte.24. So that was a change that they implemented last... a couple of years, maybe last year; I guess that's why it's 24. But so you can look up by ID or by phone. Okay. Yeah, but I don't know if you can look up by phone anymore; that's an interesting question. And of course I think you need a phone number to register it. So, yeah, they have your data. That's right. Yeah. And I guess the idea also was that WhatsApp

[01:03:49] could... you'd give it access to your contacts, and it would go through your contacts, take all the phone numbers out of your contacts, and cross-reference that with WhatsApp users in order to populate your WhatsApp contacts. Right. Oh, I was thinking of Signal. You're right, WhatsApp, I don't know. I don't use WhatsApp. I think it is tied to your phone number. You're right. Yeah, yeah. And of course every Facebook app asks for access to your contacts, and I always say no,

[01:04:17] yeah, because I'm not gonna... what good could come of that? I'm not giving out Steve Gibson's phone number and home address and email. What could possibly come of that? If you want me to know you're on WhatsApp, you'll let me know. I'm... you're on WhatsApp, right? Yeah. You know, you had a sentence in here that I think you could shorten, where you say that countries

[01:04:42] are increasingly feeling... legislators are feeling increasingly empowered to dictate the operation of the, etc. Just say legislators are feeling increasingly empowered, period. And I think that's really what's happening, is that governments worldwide are becoming more and more authoritarian and more and more interested in enforcing their world view on their constituents. And I don't think

[01:05:07] that's a good trend at all. No, and unfortunately the technology allows that, right? I mean... Well, technology is stimulating it, because they feel like they've lost control of us. Right. But the technology also is a control mechanism. It is a control mechanism, exactly. So they've discovered that and they're trying to use it. And yeah, I don't have high hopes for this. You know, I think what

[01:05:34] happens is you give people power, they want more power. Yeah. And you can do everything you can... John Adams said that. I was watching the great Ken Burns documentary on the Revolutionary War, and John Adams said, you know, we can make a democracy, but I feel like people's greed for money and power is so great that it's unlikely we can sustain it. Right. And Washington, you

[01:06:00] know, responds famously to that woman who asks after the signing of the Declaration of Independence... Frank... what did you just... oh, Franklin. "Keep it." Yeah, yeah. Yes, a democracy if... or no, a republic, if you can keep it. Keep it, yeah. I think even in the beginning they knew that this was going to be a lot of difficult... Well, and you know, we all grew up, all of us who are of a certain age, yes, the pigmentation

[01:06:27] has left our hair, it's always been the way it is and it's always going to be the way it is. But that's not the history of democracies, right? They have a period. And if it's at all encouraging, we've been through bad times in the U.S. before. There have been many anti-democratic eras, yes, states, and we've survived and we have swung back. Yeah, yeah. So let's hope. Let's

[01:06:55] take a break. We're at an hour in. We're going to talk about the abbreviation of Scattered Lapsus$ Hunters. It's not an inspired abbreviation, but it helps. And then a bit about RAM pricing; it's gone nuts. Unbelievable what's going on around pricing. You know, I'm glad I'm well equipped with computers, but I'm worried about the future. I don't know. In fact, that thing I had to

[01:07:18] sign for, I just purchased a machine, probably my final computer for my new office that I'll be setting up in a month or two. And I did it... Laptop? It's a small, what do they call it, small form factor, like a NUC. Yeah, that kind of thing. Yeah, yeah. I think I'm thinking maybe... I was gonna wait till next year. Apple has OLED screens coming, and I really love

[01:07:47] OLED screens. Maybe I'll just get a PC instead. They have plenty of OLED PCs, and just put Linux... Well, and of course I will do... what this thing has is three DisplayPorts on the back, because I am a three-screen person; that works for me. And I made the mistake on the system I have in my place with Lorrie of having that curved high-resolution screen. No. No, I don't like it,

[01:08:15] because I have lower resolution on the sides, and when you drag something across the boundary it's all screwed up. It's like your peripheral vision on the screen; that's not good. Yeah, so I'm gonna go three flat screens, all the same resolution. And then you organize it in... I'm sorry, parenthetically, we'll get back to the show in a moment, folks. But yes, you organize it like you have code in one window, and... Yes, yes, I generally have static things in different locations.

[01:08:43] So like I always have Windows Explorer open on the right, the right half of the right side, and that's just where it lives. It's always there. Yes, it's always there. So that's smart. Yeah, yeah. And you always know to go there. And it's interesting, because Lorrie and I have very different organizational approaches, and she wants... like, she's an organizer, but she likes to put things in bins,

[01:09:09] and I'm a position-based organizer. I know where something is, like, in location, and so I go right to it. But if she organized it, it's gone. It's gone. So it's like, honey, what happened to the... She says, oh, I organized that. Oh, okay, where is it now? We have that problem in the kitchen. I now

[01:09:34] know where everything is in the kitchen, but if we reorganize, I'm in deep trouble. In deep trouble. All right, let's take a break. I know where the ad breaks are on this show; that's one thing I do know, and it's time for one. We'll have more with Steve in just a bit, but first a word from our sponsor, BigID. They're the next-generation AI-powered data security and compliance solution. BigID is the

[01:09:58] first and only leading data security and compliance solution that can uncover dark data through AI classification, that can identify and manage risk, that can remediate the way you want, you get to choose, that can map and monitor access controls and scale your data security strategy, along with unmatched coverage for cloud and on-prem data sources. And by the way, that's huge. BigID also

[01:10:24] seamlessly integrates with your existing tech stack, which means you can coordinate security and remediation workflows. You can take action on data risks to protect against breaches. You can annotate, delete and quarantine and more based on the data, all while maintaining an audit trail for compliance. And as I said, it works with your existing tech stack. Everybody. Like, I'll give you examples: ServiceNow,

[01:10:48] Palo Alto Networks, Microsoft of course, Google of course, AWS, and on and on and on. That's nice. You don't have to adjust how you work to work with BigID. BigID's advanced AI models let you reduce risk, accelerate time to insight, and gain visibility and control over all your data. This is where I really think AI shines: when it's got a specific, focused task, it can be so useful and so good. Intuit named it

[01:11:18] the number one platform for data classification in accuracy, speed and scalability. It really works. And some of the customers, well, people love BigID so much they're happy to give it a testimonial, like for instance the U.S. Army. Yes, the U.S. Army. BigID equipped the Army to illuminate dark data, I can imagine that after 250 years they probably have quite a bit, to accelerate their cloud migration,

[01:11:42] which is a big priority for the services, to minimize redundancy, and to automate data retention, something they have to do for a variety of legal reasons as well. U.S. Army Training and Doctrine Command gave them such a great testimony, let me read it to you. This is a direct quote: "The first wow moment with BigID," they said, "came with being able to have that single interface that inventories a variety of

[01:12:06] data holdings, including structured and unstructured data across emails, zip files, SharePoint, databases and more. To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings this together like BigID does," end quote. That's pretty good. See, CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000

[01:12:35] and Deloitte 500, not just once but four years in a row. The publisher of Cyber Defense Magazine says, quote, "BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach." Start protecting your sensitive data

[01:13:02] wherever your data lives at bigid.com/securitynow. Get a free demo and see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI safely. Again, that's bigid.com/securitynow. Oh, and while you're there, there's a free white paper that provides valuable

[01:13:27] insights for a new framework that's just coming down the pike. It's called AI TRiSM, T-R-I-S-M; that's AI Trust, Risk and Security Management. It'll help you harness the full potential of AI responsibly, and that paper is free at bigid.com/securitynow. Thank you so much for supporting Steve and Security

[01:13:50] now back to you steve so a random observation uh that i'm beginning to see the infamous scattered lapses hunters uh being referred to by the abbreviation slh i i said no biggie but slh uh i don't know if it'll catch on but they have been so much in the news that the security industry appears to feel that they've

[01:14:13] become abbreviation worthy so uh the news blurb that caught my eye referred to slh uh it was a note saying that the the security firm believed that they have seen slh's focus shifting from salesforce

[01:14:33] over to zendesk um so slh appeared to be enamored of the you know saas model the software as a service exploitation like of customers of that um there was a at this point a lack of razor sharp attribution for some of the very recent zendesk related attacks but there have been some and the suspicion is it is slh so

[01:15:03] we now have slh as a as an as a abbreviation for scattered lapses hunters not quite as fun as scattered lapses hunters but what the hell um and i just completely off topic i suppose we should have seen this coming i this next bit of news is not security related but it's tangentially ai related and i thought that our computer-centric listeners would find it interesting

[01:15:30] The short blurb that first caught my attention, and I'd seen something about it pass by but hadn't paused, was "Micron exits consumer RAM market." And the little blurb said: American hardware vendor Micron will leave the consumer RAM market and discontinue its Crucial brand. And of course Crucial has been

[01:15:54] a well-known consumer RAM memory brand for years. They wrote: The move comes as the AI boom has led to an explosion in prices in RAM and SSDs, as AI companies build data-guzzling data centers and have swallowed almost the entire market output for the next few years. So

[01:16:23] okay, that, you know, I guess we should have seen this coming. That led me to look for some additional detail which I thought that our listeners would appreciate. I found a nice piece over on The Verge whose headline was "RAM prices are so out of control that stores are selling it like lobster." They wrote: Michael Crider's headline at PCWorld today perfectly captures how ridiculous the PC memory

[01:16:52] shortage has become. Stores like the San Francisco Bay Area's Central Computers are beginning to sell RAM at market prices, like you'd pay for the catch of the day at a seafood restaurant. A message posted in the store's display case reads, quote, costs are fluctuating daily as manufacturers and distributors adjust to

[01:17:17] limited supply and high demand. Because of this, we cannot display fixed prices at this time, unquote. Micro Center is apparently doing the same: quote, due to market volatility, we ask that you please see a sales associate for pricing, unquote. They wrote: It's hard to overstate just how quickly the RAM crunch is

[01:17:42] changing the affordability of computers, and it might soon impact other realms as well, as everything from game consoles to smartphones require RAM to function. Three months ago yesterday, the author said, I bought 32 GB of memory for my gaming PC, and the price of that exact kit

[01:18:08] has more than tripled since then. Three months ago, he says, it now costs $300 more: now $440 versus $130, in case you're curious, he said, for 32 GB. He said a more common version of the same kit went from $105 to $400. Some prices have doubled, doubled, doubled since October, and while you can still find some 32 GB kits for as low as $230,

[01:18:37] a 64 GB DDR5 kit can easily run you $700, $800, even $900. Some high-profile product launches might be impacted by the price of memory. Valve pointed to the RAM crunch as one of the reasons it could not promise a specific price for its Steam Machine just yet. Just as out of control... you say, oh, the author said, just as

[01:19:05] out of control GPU prices from earlier this year have finally settled down, runaway memory prices might make them shoot back up again. Every graphics card requires gobs of VRAM, more is better, and word is that Nvidia and AMD are preparing to raise prices to compensate for the crunch. Digital Foundry is recommending you buy a GPU at or below MSRP

[01:19:35] while you still can, one with 10 GB or more of VRAM. Microsoft may also have to raise Xbox prices yet again to compensate, but Sony has stockpiled enough RAM for the PS5 to last some number of months. Epic CEO Tim Sweeney says it may take years for high-end gaming to recover from the RAM crunch

[01:19:58] because of AI. He says factories are diverting leading-edge DRAM capacity to meet AI needs, where data centers are bidding far higher than consumer device makers. Wow. So I noted another piece in the news yesterday that said 200 environmental groups,

[01:20:25] you know, first of all, I didn't realize there were 200 environmental groups. 200 environmental groups are demanding, I love that choice of words, a halt to the construction of new U.S. data centers. You know, I guess just on principle. First of all, you know, good luck with that. That might have stood some chance of happening, you know, if we had a bleeding-heart Democrat

[01:20:54] running the country at the moment, but you know, our President Trump recently again declared that global warming was a hoax and that wind turbines cause cancer. So I would be highly skeptical that any number of environmental groups, doesn't matter how many you gather together, are going to get much traction in the Washington climate at the moment. But what's interesting to me from a technology standpoint is that it does appear

[01:21:22] that the desire to concentrate an unprecedented amount of computational capacity within a comparatively small physical area is truly causing trouble, right? If nothing else, we know that just getting that much electrical power service to a single location is not something that the existing power grid was originally set up to deliver,

[01:21:50] nor does it accommodate much variation without a lot of lead time. And when you step back to think about it, the only reason to want, or to arguably, you know, make a case for needing that much computation in such a small physical space has to be economies of scale. What I mean by that is, what's being built is not a single

[01:22:19] humongous brain. It's a very large number of individual small brains, and they don't actually all need to be under the same roof, or even in the same state for that matter. It's just more convenient and more cost effective if they're all grouped together in one place. That way they can all share staff and utilities and walls

[01:22:47] and security and cooling and a parking lot and so on. You know, and this sort of suggests that a reasonable compromise might be to limit the total size of individual AI data centers, have more of them, and spread them around more. You know, and that said, I certainly get the coolness factor of having a

[01:23:11] massive AI data center. I mean, I understand that, you know, appeals to the tech bros. And, you know, if AI actually made money and could pay for itself, then you'd have a potentially viable business model. So I guess you have to save as much money as you can on facilities, hoping that, you know, you're saving money

[01:23:35] everywhere you can, because none of this yet makes economic sense. You know, Leo, what does make economic sense... Is it that time again? No. Oh, what makes economic sense, what makes economic sense is GRC's new DNS Benchmark. Oh, I can't wait. This is... Oh, we've been waiting. How long? How long have you been... Well, first of all, you

[01:23:58] wrote it once before. Yes, I actually had, and somebody found in a directory of theirs the beginnings of a DNS speed test in 2002. So yeah, long time ago. And I distinctly remember in '08, in

[01:24:23] 2008, writing the first version, version one of the DNS Benchmark, at Starbucks. I had a little road show, where, you know, because I have to have a clanky keyboard, right? And so I had a... Who's that guy with that clanky keyboard again? Well, and of course the Starbucks I was going to was across from UCI, so it's all students. Irvine, yeah. And they all have,

[01:24:51] you know, spongy quiet Apple keyboards, right? And I'm over in the corner going clankity clank clank clank clank, you know. And I would get there... they opened at 4:30, so I would get there, because I had to have my... Yeah, 4:30 a.m.? Yeah. Okay. And so I had to have my corner, right? So I would be the first person there. I would unlock the door, because they hired university

[01:25:21] students who were short and they couldn't reach the door's upper lock. Along comes the guy with the clanky keyboard. He's gonna have me... having me there. They wouldn't have to... You still get up at 4:30 a.m.? No, Lord, no. Oh, this is a long time ago. This was in... I happen to know that it was 2008 when I wrote the benchmark. Okay, yeah. And so I just sat there

[01:25:45] and then, you know, I was part of a group of regulars, and so around 6:30 some of the regulars would start showing up, and so I'd pause and, you know, talk to them, and then they'd wander off and I'd go back to work. Now I understand why you go to Starbucks, because I wouldn't want to be in a crowded coffee shop trying to focus, but at 4:30 a.m. you got the place to yourself.

[01:26:10] Yeah, lots of coffee to boot, so that's good. I could see. Yeah, and I had solid work there. Yeah, yes. And I would leave at a little after four, so I would spend about a full 12 hours in a single stint, and then I'd go find some dinner. So that was my routine. And I also perfected putting the sponge ear foam things deep into my ear canal and then putting these Bose

[01:26:40] sound blockers on top of that. So, you know, I would just see people's mouths moving, but I'd just be in my zone for about 12 hours a day writing the benchmark. And you did this at Starbucks why? Because it was better than being home alone. Okay, okay. I mean, you know, a little socializing, people around. Yeah, yeah. And I didn't have to walk far to get more coffee, so it was good. Anyway, so I did not...

[01:27:08] I've known you for so long, I had no idea that's what you were doing. Wow. Yeah. Okay, so you're on a sprint to write this. This would have been... oh wait, this was during the podcast? Yeah, yeah. Like I said, I had no idea. Okay, anyway, so I put this on GRC, made it available, and as I've mentioned before, for

[01:27:36] many, many, many years it was seeing more than a thousand downloads a day. I used it all the time. I still do. Yeah, we have more than 9.7, I think it is, or maybe 8 million total downloads. And it had gotten to be 16 years old, and so it was a year ago, it was in December of 2024, that I

[01:28:00] I'd finished with SpinRite 6.1. That was finished, put it to bed. It's like, okay, I've made my commitment to give everybody a free update to SpinRite even after 20 years. And I thought, okay, I want to see what I can do with, like, bringing the DNS Benchmark back up to speed. Anyway, so I spent

[01:28:25] a year working with a bunch of neat guys, and Leila, who may be the one female, in the GRC dns.dev group. Oh, you know, our newsgroup, old school NNTP servers. And for a while, I remember I talked on the podcast about imagining having... well, so the idea was to

[01:28:53] to do something GRC has never done before, which is to have an inexpensive commercial product. You know, the only thing I ever had was SpinRite at $89, and I wanted to try doing a, you know, under $10, well, a little bit under 10 dollars, $9.95, fill it with features, bring it up to

[01:29:21] date, and offer something that I thought was a good value for a good price. So what happened on Friday was that we had a couple almost-finished things that needed to get fixed and changed. As everybody knows, the original benchmark was only able to

[01:29:46] benchmark IPv4 servers, which is almost all there was back at the time. So the big change was I needed to add IPv6 support. But then of course none of the UDP resolution is encrypted, so it's not authenticated, it's not encrypted. So we have DoH and DoT. Android devices support DoT natively. All of

[01:30:14] our browsers support DoH natively. So, and in fact in the picture there, Leo, you can see the IPv6 addresses being lots of little digits in two rows. They're huge. And fourth from the bottom is a DNS-over-TLS server that's also in the list. Anyway, essentially what's happened is

[01:30:41] over the course of these 16 years the internet has changed a lot. Oh yeah. And the big problem I had was that I had a bunch of false starts trying to figure out how to get this thing to do IPv6 and

[01:31:02] TLS connections, because IPv4 addresses fit in 32 bits and I was working in a 32-bit architecture. So resolver addresses were like, they fit in registers. Well, not in the future

[01:31:23] they didn't, so that all had to get changed. But the biggest thing that has really changed is that version one prioritized cached lookups over all else, and that's changed. When, you know, we've been talking about things like uBlock Origin and other content control utilities,

[01:31:51] we've noted that the content of today's websites is now being pulled from scores of different places, you know, from all over the internet: libraries and ads and trackers and, like, chat add-ons and AI pop-ups and all this junk that are now on web pages. Well, those all require DNS lookups.

[01:32:18] So what's changed is that whereas a server's caching performance was probably most important back in 2008 when I wrote version one, that's no longer true. So what the original DNS Benchmark has always done, and still does at version one, is it first sorts

[01:32:46] the resolver performance by their cached performance. That completely dominated, by design, all of its resolver ranking. Cached performance, you know, as we know, would be the amount of time the resolver would need to reply to a query for a domain's IP that it already knew, that it had already

[01:33:12] cached locally from someone, maybe you or someone, previously asking for it, and it not having yet expired, because IPs, you know, all of the records that DNS caching resolvers cache have an expiration time, which allows the internet to update itself for changing IPs. It turns out that internet transit times completely dominate

[01:33:43] that measure. Whatever it is we're measuring when we measure cached performance, all of that time is the time it takes the query to get to and back from the resolver. So it is essentially equal to just pinging the resolver. We've tested that; it's about the same. And while

[01:34:08] it may not seem very useful to know what a resolver's, essentially, its ping time is, it turns out that DNS performance is all about connectivity: how well are you connected to the resolver that you are asking for IP addresses from. So as I said, the problem was that's all that version one of the benchmark took

[01:34:34] into consideration. If a resolver close by you could beat out other resolvers, then version one of the benchmark gave it the highest rating. It was at the top of the list. But, oh, and it was only in the case of a tie in cached performance, within its one millisecond resolution, that the uncached lookup performance would be

[01:35:00] considered as the second sort key. Essentially it was like a multi-key sort, where the first key, you know, does the gross arrangement and the second sort key does the finer-grain arrangement within the grossly arranged first key. So the problem with that was that a resolver might reply to cached

[01:35:25] queries in five milliseconds but then take 10 times as long, like 50 milliseconds, to perform a lookup for something it didn't already have in its cache, whereas another resolver might take only one millisecond more, six milliseconds, to reply to a cached query, but be much faster for looking up uncached data, like 10

[01:35:50] milliseconds. So you'd much rather be using that second resolver. Unfortunately, you know, as well, again, in '08 cached performance dominated because most of the material was coming from the domain you were browsing to. Most servers were providing you all of the content. Now that's no longer the case. So

[01:36:18] the other little confounding thing is that 16 years ago, in 2008, no one had local border NAT routers that were also serving as caching resolvers. You know, we had NAT back then, but those early NAT routers were not doing DNS lookups for their NAT clients as they are now. So that matters, because the original version of the benchmark would be

[01:36:45] seriously over-impressed by the performance of that local caching DNS router or resolver sitting right there on our LAN. How could any remote DNS resolver, no matter how fast it might be, possibly compete with a caching resolver that was sitting right next to the user on their own LAN? So, you know, just try pinging your LAN's gateway and you'll see how quickly it responds.

[01:37:13] No other DNS resolver out on the internet can compete. And again, version one of the benchmark was only looking at cached performance. So what does the new version two do? It takes the average of all three types of DNS queries: cached, uncached, and dot-com resolution. It's got four sorting options. The original

[01:37:39] cached-first sort is still there for anyone who might want it for some reason, but the new default is best performance, which averages all three types. So anyway, I've spoken before about all the features that are in there. We learned that we were not getting much benchmark-to-benchmark

[01:38:04] consistency. It turns out that even asking 50 different domains for their IPs for each of your resolvers, there's enough jitter in the internet, because the internet's gotten busier and it's gotten bigger than it used to be, it turns out that we need to do more asking in order to get

[01:38:27] statistical significance from the data that we're collecting. So this thing allows you by default to run essentially five rounds of the benchmark and aggregate all the data, but you can also go for 10, 20, 50 and 100, if you don't mind waiting, like, four hours for a 100x benchmark. And what's interesting is that you see all of the sorting stabilizing after a while, because initially

[01:38:57] the ranking is jumping around because of internet jitter, and it actually takes a lot more looking. Anyway, short version is I'm done with the benchmark. Anyone can have it for nine dollars and 95 cents. I appreciated what Andy was saying, or what... not Andy,

[01:39:21] Alex. Jason? Alex, yes, thank you. Although Andy did chime in. Alex has all of our sentiments about how much he hates subscription stuff. Yes, yes. And I hate it as much as everybody. So the deal here: you buy this one time. I will never ask you, no matter what happens, for anything for the DNS

[01:39:46] Benchmark again. All updates and versions, no matter how big or small they are, are included in the one-time purchase price. So you get to own it for life, and you are also purchasing its entire future, when I cycle back around to it and continue to update and improve it. So anyway, I'm done with that. I'm gonna get

[01:40:09] moved into my new home with my wife, and then I will be starting in on ValiDrive 2, which is my next project. Okay. To work on a major improvement to ValiDrive, which is now GRC's most often downloaded freeware. This is the app that lets you determine if you're getting the proper amount of storage on your

[01:40:34] USB thumb drive. Yes. Or it's just bogus, which many are. It turns out, even for me, it turns out many are. More than a thousand copies are downloaded every day. Now I think we're up to about 1100 copies a day. Wow. And I'm gonna do a lot more for version two. So the gang who worked with me for a year on testing and came up with lots of good ideas for the benchmark, I mean, Leo, this is

[01:41:02] like things like, it looks at the resolvers, and I do something called sidelining, because if a resolver very clearly doesn't have any chance of even being in the running, it just gets sidelined by version two of the benchmark, so that we don't waste time asking it a lot of questions, because it's just too far away. Physical distance on the internet is what really ends up

[01:41:32] making the difference. And so anyway, this thing has got a whole bunch of pop-up dialogs, and anyway, I'm very proud of this last year of work, and before long we'll be on to the next one. Yes, congratulations, that's fantastic. All written in assembly language? All in assembler. Version one, I think, was 163K. I think this one's 200K. Holy cow. So Christmas...

[01:42:02] I couldn't make it any... It does run under Wine, and Leo, it's very cool, it runs on ARM Macs. Really? Under emulation. Yes, so the Mac is emulating Intel, and Wine knows how to run

[01:42:24] on a Mac, and uses the Intel emulation. So we've got guys in our newsgroup who are running it on ARM, on maybe it's Windows ARM, we know that, but I'm sure someone is running it on an ARM-based Mac using Wine and the Intel instruction emulator. Because this is about network

[01:42:50] performance, not processor performance, running in emulation is harmless. That's not... right, nothing wrong with that. Yeah, right. Nice, very nice. Congratulations. GRC.com for more, and the top of every page says click here for GRC's new DNS Benchmark version two. Nice. Oh, and I got rid of all the Plus and Pro. I did talk for a while about having a Plus version and a Pro version. Right. I just ended up putting everything into the

[01:43:20] one version. That makes sense. That was just the right thing to do. Yeah, that makes sense. And 10 bucks, come on, that's nothing. Spend more than that on an ice cream sundae. Well, you may spend more than that on our next advertiser. I hope you do. I'm gonna take a sip of coffee, then we're gonna look at some feedback. I'm praying that you will. Absolutely. Our next advertiser today, let me

[01:43:46] make myself big and that small, is Zero Trust Zscaler. Zscaler is the world's largest cloud security platform. Wow. Potential rewards of AI, we all know, are too great to ignore, especially in business, but as we've often talked about, so are the risks, through exfiltration of sensitive data, attacks

[01:44:14] against enterprise-managed AI. Generative AI also helps threat actors become much more efficient, helping them to rapidly create phishing lures that are impeccable, right, malicious code. We've seen evidence they're even using AI to automate data extraction, because nowadays it's not enough just for ransomware to encrypt your computer. First they steal all your data so they

[01:44:39] can blackmail you as well as ask for money. Ransomware... There were 1.3 million instances... this is actually the topic of AI leaking private information into the public domain. There were 1.3 million instances of Social Security numbers leaked to AI applications. ChatGPT and Microsoft Copilot

[01:45:04] saw nearly 3.2 million data violations. It's not hard, it's easy: you're using AI, all of a sudden you're sending it data from your company, and it's very easy to accidentally exfiltrate something you really don't want the outside world to have. Maybe it's time to rethink your organization's safe use of public and private AI. Chad Pallet, who is the CSO at BioIVT, loves Zscaler. He says Zscaler helped them reduce their cyber premiums

[01:45:35] by 50 percent. They said, oh, you got Zscaler? We're gonna cut your rates, while doubling their coverage. Cut your rates and double your coverage, and improve their controls. Take a look, we got a video from Chad. Watch. "With Zscaler, as long as you've got internet, you're good to go. A big part of the reason that we moved to a consolidated solution away from SD-WAN and VPN is to eliminate that lateral opportunity that people

[01:46:03] had, and that opportunity for misdirection or open access to the network. It also was an opportunity for us to maintain and provide our remote users with a cafe-style environment." With Zscaler Zero Trust plus AI, you can safely adopt generative AI and private AI to boost productivity across your business and not have to worry about accidentally sending out private information. Zscaler Zero Trust architecture plus AI

[01:46:33] helps you reduce the risks of AI-related data loss and protects against AI-driven attacks, to guarantee greater productivity and compliance. Find out more, that's the best thing to do. Go to zscaler.com/security. That's zscaler.com/security. Thanks, Zscaler, for their support of Security Now. 4:30 a.m., huh? I had no idea.

[01:46:58] Yeah, yeah. Somebody in the YouTube chat says that you said that before, but I must have missed it. I knew you went to the Starbucks for that quad venti latte, but I know you stayed all day. Not anymore. Yeah, I think I was drinking Americanos back then, which was the, you know, stronger shots of espresso in hot water, so sort of... That's right, so it's espresso. Yeah, so it's... No, but it was the right thing at the time.

[01:47:28] So yeah, that's what you need. And I mean, you know, we had a great group of people who became, I would say, lifelong friends, except COVID extinguished it. But it really was a social thing for you as much as anything else. That's interesting. Yeah, yeah, it was fun. Yeah. Okay, so Stefano from sunny Italy, as he put it, he said: Hi Steve, I feel there's a specific aspect which has been left out

[01:47:51] in this whole Cisco improvement-of-resilience, see-the-light moment. He says: As a long-time network engineer, I always found infuriating the hoops that I have to jump through in order to download a patched firmware image from any of the biggest vendors, especially Cisco. Them crying about the fact that

[01:48:15] there's so many unpatched devices still exposed is peak irony, and it is partially on them. If I buy some piece of hardware, I expect you, the vendor, to support it and patch it for a reasonable amount of time. I would argue, you know, the device's useful life. But okay, he says, but within that reasonable time frame

[01:48:40] I must be able to easily access updates without them being locked out behind support contracts or similar, immoral in my eyes, double dipping. Device life cycle management is perhaps the hardest part of this job. The strings of the purse are never in our hands, so it's not our call; only the consequences are on us. Oh,

[01:49:08] meaning that he's on the IT end, not on the management budget pay-for-it end. So, you know, he literally, if he doesn't have the support contract or the paid-for access or whatever, he can't update his hardware. He finishes, writing: I'm sure many, many more fellow engineers have been in my same situation,

[01:49:33] perhaps after changing jobs and ending up in a barely maintained infrastructure, or simply having to wait for the next round of funding in order to swap out some old lemon. Quoting Cisco's Anthony Grieco, quote: This is further amplified by the fact that many organizations have not updated and maintained their network infrastructure, missing opportunities to fix known vulnerabilities... end quote. He said:

[01:50:02] Then stop preventing me from doing so, Anthony. Signed, Stefano from sunny Italy. So his note reminded me, back when I was running a bonded pair of T1 trunks, remember those old days, Leo, when we were doing this over those, to my home here, I was using a Cisco router to do the work. It's one of the

[01:50:28] reasons I know it intimately, and Cisco was not wonderful to deal with back then. I had assumed that they were better now, but sounds like it's really still the same Cisco, based on what Stefano has indicated. So let's hope that Anthony, now in charge, apparently having seen the light, does something with it. That'd be really good.

[01:50:51] Blair Learn wrote: Hi Steve, ironic I ran across an item I don't believe you've covered yet. Google recently rolled out in Chrome 142 something they're calling Local Network Access. The gist of it is that if you have a public website, such as example.com, it has the potential to host malicious JavaScript code which

[01:51:20] attempts to access resources on your local network, for example the router admin interface on 192.168.0.1. He says: Friends, the techniques seem similar to the issue you described a month or two back with adware setting up a server on a phone's localhost address to be used by the adware vendor's

[01:51:43] ad code for tracking purposes. He said: Local Network Access is a new permission in the browser. The user is... it's not quite that, but I'm going to explain exactly what it is. The user is prompted to allow access to devices on the local network, and if permission is denied, he's right about this, then code on example.com is prohibited from contacting resources in the myriad local networks. Now you might ask why would you ever

[01:52:13] want to allow such a thing in the first place. He says: My use case was a development website hosted by an external vendor with a JavaScript application contacting a test version of an API that was hosted on a server which is only accessible via VPN. He said: Probably not something most home users are going to encounter, but I have to imagine our enterprise developers would. He said: Google has a

[01:52:41] blog post about it, and then there's the link in the show notes, and the spec can be found at, and he has the W3C's, you know, the World Wide Web Consortium's URL. He says: I always look forward to the next episode of Security Now. SpinRite licensee, Club TWiT member, and general purpose geek,

[01:53:03] Blair. Okay, so this issue that Blair mentions Google finally addressing has been a significant and growing problem forever, and I'm surprised actually that it hasn't been causing more havoc. There was a point, I think it might have been during the pre-release of IE 11, which was surprisingly long ago, time flies, Leo,

[01:53:31] where Microsoft, and I've mentioned this before, flirted with flatly denying their IE 11 browser access to the localhost address, 127.0.0.1, and/or the local LAN. This came up at the time because I was working on

[01:53:55] SQRL. Microsoft's plans of blocking localhost access came up at the time because I was working on SQRL, and one of the ways SQRL robustly prevented interception of any secrets was by allowing the user's local browser to connect to a little web server

[01:54:21] running in SQRL on their machine. This gave the browser a private connection to the SQRL authenticator, which they could use to cut out any possible man in the middle. Now passkeys, as we've discussed, implement the same form of protection with user smartphones over a Bluetooth link, to create a local link

[01:54:48] between the web browser and the smartphone passkeys authenticator that no remote attacker can possibly intercept. Now in the case of Microsoft and IE 11 and the localhost IP, they fortunately came to their senses and realized that there were far too many valid use cases where a web developer, for example, might be running a

[01:55:14] local web server or web services on their local machine and need to be able to access it with their browser during the development and testing. Now, until now this has remained an unsolved problem which was really in need of a comprehensive solution. Our browsers, as we know, are no longer just passive content displays. Technologies such as JavaScript and WebAssembly have turned them into effective application platforms.

[01:55:44] so just to be completely clear about the nature of the problem from the perspective of any web browser device you know web client web browsing client sitting on a private local area network that web browser has network visibility into two completely different networks it can obviously see and access the global public

[01:56:14] internet because it's able to access and obtain remote content but that browser can also just as easily see its own local area network we know this because for example lan routers are managed by aiming a browser at the lan routers gateway ip which is typically 192.168.0.1 or dot 1.1 or something like that you know

[01:56:42] our web browsers can see everything on our own lands so the problem is that a user might visit a malicious remote website which causes their web browser to download and run some malicious javascript or web assembly or whatever code now that the code is running inside the user's browser essentially the trojan horse has been

[01:57:07] invited into the house so unless something is done that malicious code that's now running in the user's browser

[01:57:17] has the same access to their lan as they do it can reach out and log into their lan router scan their network for other juicy targets you know find printers transfer code upload firmware you know get up to whatever mischief it might wish to when you stop to think about it

[01:57:40] and then you know get up to what you know get up to what that's now you know get up to that so the good news is it's finally going to happen the w3c's specification for this new feature explains its entire purpose and scope

[01:57:58] They write, although RFC 1918, that's the thing that set aside our LANs, 192.168.x.x, the whole 10-dot network, the 172.16 through, you know, a bunch of other successive IPs, those were all set aside

[01:58:22] by the specification of RFC 1916 long ago. So they said, although RFC 1916, 1918, has specified a distinction between private and public Internet addresses for over two decades, user agents have not made much progress in segregating one from the other. This is the W3C writing this. Websites on the public Internet

[01:58:50] can make requests to local devices and servers, which enable a number of malicious behaviors, including attacks on users' routers. Then they list a whole bunch of examples. They said, Local Network Access, that's the formal name for this, Local Network Access aims to prevent these undesired requests to insecure devices on

[01:59:15] the local network. This is achieved by deprecating direct access to local IP addresses from public websites and requiring that the user grants permission to the initiating website to make connections to their local network. The overarching goal is to prevent the user agent, the browser, from inadvertently enabling attacks on devices running on a user's local intranet

[01:59:45] or services running on the user's machine directly. For example, we wish to mitigate attacks on users' routers or on software running a web interface on a user's loopback address, 127.0.0.1. For better or worse, this is becoming a common deployment mechanism for all manner of applications

[02:00:07] and often assumes protections that simply do not exist. There should be a well-lit path, is the way they described it, to allow these requests when the user is both expecting and explicitly allowing the local network address requests to occur. For example, a user logged in to plex.tv may want to allow the site to connect to their local media

[02:00:36] server to download media content over the local network instead of routing through remote servers. The specification then clarifies the intent of this with a couple of quick examples. They said, Alice is at home on her laptop browsing the Internet. She has a printer on her local network built by Acme Printing Company that's running a simple HTTP server.

[02:01:03] Alice is having a problem with the printer not functioning properly, so Alice goes to Acme Printing Company's website to help diagnose the problem. Acme Printing Company's website tells Alice that it can connect to the printer

[02:01:20] to examine its diagnostic output. Alice's website, to allow support.acmeprintingcompany.com to connect to local devices on her network. Since this is something Alice wants and is expecting, she grants explicit permission for that website to connect to local devices on her network.

[02:01:43] Acme Printing Company then connects to the local printer's diagnostic output through Alice's web browser. And I'll just note that it may be a little bit unnerving for people to realize this is possible. That is, it is possible for Acme Printing Company to connect to Alice's printer through her web browser.

[02:02:06] These browsers have become incredibly powerful now. They can act as proxy gateways into our LAN. So Acme Printing Company then connects to her local printer's diagnostic output through Alice's web browser and tells Alice that a part is malfunctioning on the printer. It needs to be replaced.

[02:02:35] Then W3C also provides an alternative sample. Alice continues browsing online to find the best price for the replacement part on her printer. While looking at a general tech support forum, she suddenly gets a permission request in her browser for

[02:02:58] https://printersupport.evil.com to connect to local devices on her local network. Being suspicious of why printersupport.evil.com would need to connect to local devices, she denies the permission request.

[02:03:20] And I'll just say, we hope. Okay, which is to say, all of this of course presents us with a new problem, because while yes, it's 100% true that, for the first time ever, the user sitting in front of their web browser

[02:03:43] will be required to proactively allow some remote website to access their network, and that definitely represents a nice step forward in security capability, the trouble is it's still just a capability, because we've also just saddled users with the new responsibility

[02:04:07] of determining what's benign and what's malicious. How is anyone really gonna know? If we've learned anything, it's that many users are unable to reliably tell the difference, and it's not their fault, since we've also seen bad guys who are highly motivated and very inventive cooking up all kinds of tricky schemes to trick people. We know that the so very human user

[02:04:36] remains the weakest link in the security chain. So now Chrome, as of Chrome 142, and presumably other browsers to follow, since this is a W3C official specification, all the browsers will be popping up notifications when something you're doing requires a remote site to have access to your local network. Allowing that to happen without any notification,

[02:05:04] as we have been doing until now, is certainly not safe. But no one should imagine that if any really juicy targets should appear on user networks, you know, the bad guys aren't going to wait, right? They're gonna cook up some very reasonable-appearing reason why users should give their remote web domains, that will not be called

[02:05:33] evil.com, they're going to be called heavensent.com, you know, access to the users' local network devices. It's going to happen. So I'm sure that the Google Chrome guys, who were the driving force behind this W3C spec, you know, they know this is an imperfect solution, but they also know it's the best that they could come up with.

[02:05:58] They needed to put up some roadblock so that browsers could not do this behind users' backs. They know that they really can't count on users to be judicious about what to and to not allow.

[02:06:11] I saw a sample Google pop-up, and it just says, example.com wants access to your local network. Hopefully people know that should be no unless there's like a specific reason for it to happen, because I go to localhost all the time. Well, and see, I'm glad you said that, Leo, because that's a good point. Thanks to the security

[02:06:36] work that's been done so far, there is a clear binding between any script or WebAssembly and the domain from which it came. So essentially you are temporarily whitelisting

[02:06:56] that domain to have access to your local network, which is to say, you know, a browser will have multiple tabs open, and there will be scripts running from advertisers and from all of the different domains you're visiting. They will not have a whitelist for access to your LAN. It's only the script that you've whitelisted from

[02:07:25] that domain that will. And the point is, you'll be able to still put 192.168.0.1 directly into your URL and go there, because you are the source of that access to the local domain, you at your browser, not indirectly through some remote domain.

[02:07:51] Yeah. So unless something remote wants to do this, most users, even power users who are logging into their local routers or going to their printer's HTTP server, you know, their browser will just allow that without any trouble. You won't get challenged when you're initiating that to your own LAN yourself,

[02:08:13] only when some remote domain wants permission to do that, and then you get a pop-up which will only temporarily whitelist any script running from that one domain. And here we are, two hours. It's time to talk about the, oh boy, the latest disaster,

[02:08:38] CVE in history. Yeah, it's really nothing worse. Nope, you can't get better than 10. It's too bad they didn't give it an 11. That would have been fun. A remote access to React sounds pretty, about as bad as you can get. It's the definition. In fact, we're going to start off by defining what would be, because our listeners all know now enough about this, what would be the characteristics

[02:09:07] of the worst possible exploit available. Okay, think, this is a little thought exercise. Think about that for a moment while I tell you about our sponsor, Hoxhunt. As a security leader, you get paid to protect your company against cyber attacks, and you know what, kudos for you for listening to this show, but I know your job's getting harder. There are more cyber attacks than ever, and these phishing emails generated with AI, they couldn't be

[02:09:34] more perfect. They're indistinguishable from the real thing. Here's the problem: those legacy one-size-fits-all awareness programs you'd be using, they don't stand a chance against today's threats. They send, at most, four generic trainings, what is it, four a year, right? And they're generic, right? Most employees ignore them. They laugh, they hate them, they think they're stupid.

[02:09:59] And then somebody, you know, you send out a test, you know, and somebody actually clicks on it. Then what happens? You embarrass them. They're forced into an embarrassing training program that feels like punishment, that nobody learns from. That's why more and more organizations are doing better. They're trying Hoxhunt. Hoxhunt goes beyond security awareness and actually changes

[02:10:22] behaviors by gamifying the process, rewarding good clicks, coaching away the bad. Your users will never feel embarrassed. They'll be engaged, they'll be having fun, they'll be learning. I'll give you an example. When an employee sees an email and suspects it might be a scam, Hoxhunt will tell them immediately, and if it is, you know, your test email,

[02:10:46] they're going to get that dopamine rush. You got it. That gets them to click, learn, and protect your company. And as an admin, for you, Hoxhunt makes it really easy to automatically deliver phishing simulations, and not just email, Slack, Teams, using AI to mimic the latest real-world attacks. The simulations are also personalized, if you want, to each employee. You can have information about department,

[02:11:13] location, and more. And then instead of these big generic quarterly trainings, you get instant micro-trainings to solidify understanding and drive lasting safe behaviors. You can trigger gamified security awareness training that awards employees stars and badges. I know that sounds dumb, but they love it. It's like you would love it. It's like, yeah, I did good. Boosting completion rates, ensuring compliance,

[02:11:39] and really the bottom line is helping them learn how to protect your company. You could choose from a huge library of customizable training packages, or they have AI, you could generate your own, make them really, you know, effective, these simulations. Hoxhunt is everything you need to run effective security training, all in one platform. It's easy to measurably reduce your human cyber risk at scale. And you don't

[02:12:05] have to take my word for it. There are over 3,000 user reviews on G2, which make Hoxhunt the top-rated security training platform for the enterprise, including easiest to use and best results. This is easy for you, best results for your company. It's also recognized as Customers' Choice by Gartner, and it's used by thousands of companies worldwide, companies like Qualcomm, AES, Nokia. They use it to train millions of

[02:12:34] employees all over the globe. Visit hoxhunt.com/securitynow right now. Modern, secure companies are making the switch to Hoxhunt. That's hoxhunt.com/securitynow. We thank them so much for supporting Steve and Security Now and doing a great job. And as an employee, I'm both an employee and a boss, as an employee I really appreciate it when it's fun, fun to learn, you know, not to click on phishing

[02:13:02] attacks. I look forward to them. All right, Steve, now on we go. So as I said, by this time, from everything we've seen and shared on this podcast through the years, we can probably all define what a worst-case vulnerability looks like. It would affect any popular, widely present, Internet-facing server.

[02:13:29] It would not require the remote attacker to be in any way authenticated on that server. It would allow said attacker to remotely supply whatever code they would wish any such server to execute on their behalf. And the attack would have a low complexity, so that no rocket science is needed. Taken together,

[02:13:55] in the parlance of the day, we would term this as a critical, unauthenticated, low-complexity remote code execution vulnerability. A shorter, though less descriptive, summary might also be CVSS 10.0. Yeah, because, you know, most of what we see is they're trying to get there. They're a 9.8, but they're not really completely

[02:14:22] just unbelievably bad. Underachievers, obviously. Yeah, this is a 10.0. The headline given to Dan Goodin's reporting of just such a vulnerability last Wednesday, so not even a week ago, in Ars Technica was Admins and defenders gird themselves against maximum-severity server vuln. In the subhead

[02:14:50] it says, open source React executes malicious code with malformed HTML, no authentication needed. So there's a lot to cover here. Let's begin with Dan's description in Ars Technica. He says, security defenders are girding themselves in response to the disclosure of a maximum-severity vulnerability disclosed Wednesday in React Server, an open source package that's widely used

[02:15:20] by websites and in cloud environments. The vulnerability is easy to exploit and allows hackers to execute malicious code on servers that run it. Exploit code is now publicly available. React is embedded into web apps running on servers so that remote devices render JavaScript and content more quickly with fewer resources

[02:15:46] required. React is used by an estimated 6% of all websites and 39% of cloud environments. When end users reload a page, React allows servers to re-render only parts that have changed, a feature that drastically speeds up performance

[02:16:07] and lowers the computing resources required by the server. Security firm Wiz said exploitation requires only a single HTTP request and had near 100 percent reliability in its testing. Multiple software frameworks and libraries embed React implementations by default. As a result, even when apps don't explicitly make use of React functionality,

[02:16:37] they can still be vulnerable, since the integration layer itself invokes the buggy code. And that sounds a little bit like Log4j, right, which we recall, although that wasn't bad as it turned out. This has already turned out to be bad. The combination of the widespread use of React, particularly in cloud environments, the ease of exploitation, and the ability to execute code that gives

[02:17:05] attackers control of servers has earned the vulnerability a severity rating of 10, the highest score possible, writes Dan. On social media, security defenders and software engineers urged anyone responsible for React-related apps to immediately install an update released Wednesday. One researcher wrote, I usually don't say this, but patch right

[02:17:34] freaking now. The React CVE listing, and that's CVE-2025-55182, is a perfect 10. React versions 19.0.1, 19.1.2, or 19.2.1 contain the vulnerable code. So that's worth noting, it's only this year's Reacts. So this happens this year. I hope you're not running an older one, because that would be

[02:18:04] worse. But, you know, so update. Again, the third-party components, writes Dan, known to be affected, so these are third-party things that have React in them, include Vite RSC plugin, Parcel RSC plugin, React Router RSC Preview, RedwoodSDK, Waku, and Next.js,

[02:18:30] that being a biggie, of course. According to Wiz and fellow security firm Aikido, the vulnerability, tracked as I said as 2025-55182, resides in Flight, a protocol found in the React Server Components. Next.js has assigned the designation, yeah, they have a different CVE,

[02:18:53] CVE-2025-66478, to track the vulnerability in its package. And then Dan hits us with the nature of the vulnerability, which will also come as no surprise to our long-time listeners, since this podcast long ago identified interpreters as a particularly

[02:19:15] Dan writes, the vulnerability stems from unsafe deserialization, the coding process of converting strings, byte streams, and other serialized formats back into objects or data structures in code. Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server.

[02:19:43] Patched React versions include stricter validation and hardened deserialization behavior. In other words, they fixed a bug in the deserializing interpreter which interprets the serialized stream and makes a mistake. Wiz explained, quote, when a server receives

[02:20:04] a specially crafted malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code. They added, in our experimentation, exploitation of this vulnerability had high fidelity with a near 100% success rate and can be leveraged into a full remote code execution.

[02:20:33] The attack vector is unauthenticated and remote, requiring only a single specially crafted HTTP request to the target server. It affects the default configuration of many popular frameworks. Both companies, writes Dan, are advising admins and developers, meaning React and Next.js,

[02:20:57] both companies are advising admins and developers to upgrade React and any dependencies that rely on it. Users of any of the remote-enabled frameworks and plugins mentioned above should check with their maintainers for guidance. Aikido also suggests admins and developers scan their code bases and repositories for any use of React, meaning you might have included it as a dependency in some build structure and not even know it's in there,

[02:21:27] but React is still accepting that stream when it comes to it and could then trip over its own feet and execute bad code in your system. Dan's article quickly generated 79 comments, from which the Ars staff chose one, which reads,

[02:21:47] just ask Grok for a proof of concept. Basically, the deserializer can be made to execute any arbitrary code by encoding a nested object with an eval expression into base64 bytes. Shockingly easy to do, he wrote.

[02:22:08] Okay, so now let's step back a bit to answer the question, what is it? Wikipedia sums it up nicely, writing, React, also known as React.js or ReactJS, is a free and open source front-end JavaScript library

[02:22:27] that aims to make building user interfaces based on components more seamless. It's maintained by Meta and a community of individual developers and companies. According to the Stack Overflow developer survey, React is one of the most commonly used web technologies today. React can be used to develop single-page, mobile, or server-rendered applications with frameworks like Next.js

[02:22:55] and React Router. Because React is only concerned with the user interface and rendering components to the DOM, React applications often rely on libraries for routing and other client-side functionality. A key advantage of React is that it only re-renders those parts of the page that have changed, avoiding unnecessary re-rendering of unchanged DOM elements.

[02:23:20] React is used by an estimated 6% of all websites. Okay, so now we have some sense for what React is. How widespread is its use? The platform security company OX titled their reporting of this Wednesday, Millions of servers vulnerable to RCE in React components. They wrote, a critical vulnerability in React and Next.js allows attackers to execute code

[02:23:50] on vulnerable servers without any authentication, potentially exposing millions of applications to immediate risk. React is one of the most popular JavaScript libraries for building user interfaces, created by Facebook/Meta, with over 1.97 billion total downloads.

[02:24:13] One point, almost 2 billion downloads. That's a lot of downloads. Discovered today, Wednesday, this vulnerability affects the React and Next.js ecosystems, which power over 10 million active websites globally, including major platforms built with React, such as Instagram, Netflix, Airbnb, that serve billions of users daily.

[02:24:41] With React downloaded over 20 million times weekly, new vulnerable applications are being deployed continuously. The potential exposure is massive, spanning e-commerce platforms, financial services, healthcare applications, and enterprise systems worldwide. Okay, so you know the bad guys are going to be just salivating. They wrote,

[02:25:48] Who's affected? Any server running an unpatched version of React or Next.js or any package based on a vulnerable React component.

[02:26:59] Millions of servers around the world, causing information leakage, secret extraction, and more. All right, so it's not good. Did anyone notice? Ha, you betcha. Two days later, Friday, December 5th, OX followed up with their report of active exploitation under their headline, React's CVE-2025-55182 is now actively exploitable.

[02:27:27] Verified PoC. They wrote, hacker maple3142 published a working proof of concept for 55182, which we successfully verified. Just two days after we published our initial analysis of the React Next.js server-side RCE vulnerability, a fully functional exploit has been released publicly.

[02:27:52] The proof of concept works exactly as expected and results in unauthenticated remote code execution on vulnerable servers. The exploit abuses React, blah, blah, blah. We all know about that. So then they get into details of the attack and congratulate the exploit's author, this maple3142, calling it great work. They also provide a link to maple3142's exploit demo on GitHub. And I have a link at the bottom of page 20 in the show notes for anyone who's interested.

[02:28:23] To no one's surprise, the industry has jumped to get this resolved. This is an emergency. And there were apparently a few hiccups along the way. Cloudflare notably suffered a 25-minute oopsie outage while working to protect all of the servers behind them from the abuse of the vulnerability. Network World reported under their headline,

[02:28:49] Cloudflare firewall reacts, you know, pun there, badly to React exploit mitigation. With the subhead, in attempting to fix one problem, Cloudflare caused another. They wrote, Cloudflare's network suffered a brief but widespread outage Friday after an update to its web application firewall, you know, a WAF,

[02:29:15] to mitigate a vulnerability in React server components went wrong. At 9:09 a.m. UTC, the company reported that it was investigating issues with the Cloudflare dashboard and related APIs, warning that customers might see requests fail or errors displayed. Just 10 minutes later, they had deployed a fix. And actually, it looks more like it was a 25-minute outage.

[02:29:41] So maybe it was 15 minutes into it, then 10 minutes after that, they had a fix. So a total of 25. They wrote, But not before a flood of reports of problems with Cloudflare and its customers poured into uptime tracking sites such as downdetector.com. During the same window, Downdetector saw a spike in problem reports for enterprise services, including Shopify, Zoom, Cloud AI, and Amazon Web Services,

[02:30:11] and a host of consumer services from games to dating apps. Cloudflare explained the outage on its service status page, writing, A change made to how Cloudflare's web application firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning. This was not an attack.

[02:30:31] The change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React server components, unquote. So the OX report said, Cloudflare was no doubt attempting to protect those of its customers who have not yet had an opportunity to patch the vulnerability in the two days since it was revealed.

[02:30:54] The wobble in Cloudflare's services comes just two weeks after a much bigger one rendered its customers' websites inaccessible and so forth, blah, blah, blah. So anyway, I appreciated how these guys at Network World concluded their posting. They wrote,

[02:31:47] So I think that's what I'm going to do. This is what I'm going to do. This noted that their logs did not capture any evidence of successful exploitation of this vulnerability against any of their free or commercial customers. And by the way, both were protected by this. Cloudflare's WAF, their web application firewall update, also protected anybody on the free plan.

[02:32:15] They never said explicitly that their apparently WAF change service outage was a mistake, but it certainly seems like it had to be. You know, they're continually updating their web application firewall patterns with new detections and blocks, and their customers are not experiencing system-wide outages on an ongoing basis. So I think they, you know, fumble-fingered at something somewhere.

[02:32:44] Of course, AWS and Fastly and other CDNs also quickly deployed their own network protections for their customers, so everybody pretty quickly got protected. I should also mention that two China-based threat actors were seen to immediately jump onto this exploit with attacks beginning within hours of the vulnerability's public disclosure.

[02:33:08] Well, remember, that was Wednesday, and the CDN protections didn't snap into place for a full 48 hours. So there was likely some serious damage done during this window from disclosure to fix, which sort of suggests that this could have been done better.

[02:33:27] There's no reason, for example, that the major CDNs at least could not have been brought into a loop, you know, on the DL and allowed to have their application firewalls updated so they would have been protected before the disclosure. No reason for that not to happen. So maybe somebody will be thinking about that.

[02:33:56] The AWS security team linked the attacks that they saw to two groups tracked as Earth Lamia and Jackpot Panda. The AWS wrote, Earth Lamia is a China-Nexus cyber threat actor known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia.

[02:34:23] The group has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. And Jackpot Panda, they wrote, is a China-Nexus cyber threat actor primarily targeting entities in East and Southeast Asia. The activity likely aligns to collection priorities pertaining to domestic security and corruption concerns. Whatever that means.

[02:34:52] So Amazon says the attackers used anonymizing proxies to hide their infrastructure. So requests were being bounced through other systems and also deployed exploits for other vulnerabilities using these as the backdoors to get in. Interestingly, both groups used their own homegrown exploit implementations.

[02:35:21] Remember the proof of concept, even that took two days before it went public. But this thing was so dead simple to do that no one waited. You didn't have to wait two days. These things, the attack started within hours of the disclosure that there was a problem. And they rolled their own exploits because it was so easy to do.

[02:35:44] So then later, multiple public proof of concept exploits were released, including one from Lachlan Davidson, a security researcher we've talked about before. He was the guy who initially found and reported this devastating vulnerability.

[02:36:01] So it's likely not an exaggeration to say that this vulnerability is probably going to haunt the developer ecosystem for some time due to its ease of exploitation, widely available proofs of concept, its low complexity versus its power, as well as React's popularity. Next.js is currently considered to be the best web technology available for producing very SEO friendly content.

[02:36:30] If a technology was, you know, ever expected to replace WordPress, those, you know, people in the know argued that it would be Next.js that would be the replacement for WordPress. Palo Alto Networks wrote, ultimately, this incident underscores the inherent friction between performance and security in modern architecture.

[02:36:56] While React server components optimize data fetching and search engine optimization by moving logic closer to the source, they simultaneously move the attack surface closer to organizations most sensitive and valuable data. So which I think that's a terrific perspective. So anyway, I wouldn't say we dodged a bullet. I would say that a bunch of people probably got hit.

[02:37:25] And over time, we may get some more news like by next week of, you know, what organizations are in trouble as a result of this. We could see that those who weren't immediately reactive, so to speak, are going to be in trouble.

[02:37:42] And we'll start getting, you know, extortion notices and data exfiltration and all of the follow on, you know, badness that comes after a network is penetrated. Yeah. Wow. And so it's been patched. Yes. And does React work to automatically update itself or do you have to explicitly?

[02:38:09] No, there's no, you need to get the updated stuff. Yes. And I should mention that the benchmark that is now available does have automatically check for updates enabled. Oh, good. And it will alert its user every time they use it. All I do is send a short DNS query to GRC. I'm using DNS in order to send back the most recent release number.

[02:38:37] And so it checks that against its own release and it lets you know if there's something better. And also gives you the link to update and puts your transaction code from your purchase into Notepad, I mean, into the clipboard so you can paste it directly into the form and get the download link for the new one. We had, thanks to a year of development, we had lots of time to polish the whole update delivery system. Feedback's great.

[02:39:07] That's really great. Well, good. Everybody should go to GRC.com and get your copy of the DNS Benchmark Pro. You're not calling it Pro. You're calling it version 2. Just V2. Version 2. Buy it once, own it forever, and own its entire future. Nice. That was it. Now, did you send out the email to the list? No. I want to do a walkthrough video. I need to get the documentation. The documentation pages need to be updated.

[02:39:37] They're still all talking about version 1. Okay. I'm not ready to do that, but I still have no spam being reported by Google, so all of those changes I made to my email system have taken hold, and it'll probably be a couple weeks, and then I will notify that that main mailing list is now up to 153,000 subscribers. Wow. That'll be fun to let them know. Well, I'll tell you what.

[02:40:02] You can kill two birds with one stone if you go to GRC.com slash email. The idea here is you enter your email address, and then Steve will know that you're you and not some spammer, and that means you can email him from then on. And you'll also see the two additional subscriber lists. I always say there's a checkmark, but I don't see a checkmark. You just- You get one when- Oh, it's in the email. Ah. Yeah.

[02:40:31] Well, you fill that out. Then I send you a link for managing your account. When you click that, that brings up your own page where you can subscribe and unsubscribe from whatever. Right. So, yeah. And there isn't a banner on this page to upgrade. There it is. It's on this page, though. It's just not on the email page. So, Steve, you might want to add that to the email.

[02:40:59] Like I said, I mean, the site has only- The only thing I've ever had for sale was Spinrite. So, the site is Spinrite sales oriented. Yeah. And for example, Spinrite is there in the top level menu, but there's no mention of the benchmark in the menu. I do have it under freeware utilities, but it's not really a freeware utility. Although, for what it's worth, version one is still available.

[02:41:25] If, for whatever reason, somebody can't spend $9.95, I understand. I still want them to have what I have available, which is version one. And so, you're still welcome to that. Good. GRC.com. Although, it does misrank your resolvers, unfortunately. I did the best job I could back then, but I know how to do it now. Because the world's changed in 16 years. And it's changed a lot. It absolutely has. If you go to GRC.com, you can also get the show there.

[02:41:54] There are a lot of places to get the show, but that's one of the places. There are some unique versions there, though. I want to tell you about it. There's a 16-kilobit audio version for the bandwidth-impaired. There's a 64-kilobit audio version. That's full fidelity. There are the transcripts written by an actual human being, not AI-generated, but Elaine Farris does those. Those take, as a result, a couple of days to get up on the site. And there's the show notes. By the way, the show notes are one of the mailing lists Steve offers.

[02:42:23] So if you sign up for those mailing lists, there is one for show notes. So you'll get that automatically. Otherwise, you can go to GRC.com and download it. Get yourself a copy of the DNS benchmark, Spinrite, give me your email, sign up for the newsletters. And then anything, that's your assignment. Anything else is on you. There's a lot of other fun things you can do at GRC.com. One of them is his whole vitamin D story under, I think it's under research.

[02:42:51] It might be interesting for you to know that we are going to repeat that very famous, yeah, under health, that very famous vitamin D episode from, I think, 2009. It's that old. And that will be our New Year's Eve show. New Year's Eve, Eve show. The penultimate day of 2025 show. We're going to update it a little bit also. Yeah, we'll have to update it.

[02:43:17] But the other thing is, because it was audio back in those days, there was no video, Anthony Nielsen has created a very nice kind of Yule Log-y thing you can run in the background. You'll see when you're listening to the show, there is a little bit of video associated with it that Anthony did a nice job with that. So GRC.com to get all of that stuff.

[02:43:37] You can also, of course, get the podcast, I almost called it a radio show, get the podcast at our website, twit.tv/sn. There's audio there and video, 128 kilobit audio and video. There's video at the YouTube channel dedicated to you, to Security Now. In fact, you'll find that YouTube link on our website, twit.tv/sn, as well as a link to a number of podcast clients. Or you can use your favorite.

[02:44:07] If you subscribe in the podcast client, then you get it automatically. You don't have to think about it. And yes, you have the choice between audio and video versions of the show. We'd also like to invite you to join the club. This is the time of year where I am being very grateful for all of our wonderful club members who make all of this possible. You pay for a quarter of all of our costs now. It makes a big difference to us. And I'd like to get that even more to 50% because ad sales are pretty slow for next year.

[02:44:35] And I think that this might be a time that you could help us help you. Go to GRC. That's in my head now. Go to twit.tv/clubtwit. $10 a month, $120 a year. There's a 10% off coupon for the yearly subscription that is available only now through December 25th. So get that for yourself or as a gift for somebody. You'll get ad-free versions of all the shows. You'll get access to our Club TWiT Discord. All the special programming we do.

[02:45:05] There's a lot of great stuff as a thank you, really, for your support of TWiT. Well, I think that is every... Oh, yeah, one more thing. We do record the show on Tuesdays right after MacBreak Weekly. That's roundabout 1:30 Pacific, 4:30 Eastern, 21:30 UTC. And you can watch that live if you're in the club, in the Discord. But there's also YouTube, Twitch, X.com, Facebook, LinkedIn, and Kick. So there's other places you can watch live. Chat with us live as you're watching. Now I am finished.

[02:45:35] Steve, we'll see you next week on Security Now. Bye.
