SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Security Now (Audio), January 21, 2026
Episode 1061, 2:44:10, 150.54 MB

Soaring RAM prices are about to hit your security gear where it hurts, and the fallout could change what's protecting your network. Find out who's about to pay and why the AI gold rush is reshaping more than just your server specs.

  • RAM pricing to affect enterprise firewall equipment.
  • Anthropic provides sizeable support to Python Foundation.
  • The FTC clamps down on GM's secret sale of driving data.
  • "ANCHOR" replaces "CIPAC" for industry-government sharing.
  • Germany planning to legislate total access to global data.
  • Grubhub becomes the latest ShinyHunters extortion victim.
  • Let's Encrypt's 6-Day certs are available to everyone.
  • Iran planning to permanently take itself off the Internet.
  • HD Tune before and after a SpinRite Level 3 refresh.
  • Some great listener feedback, and
  • More trouble from GhostPoster malicious browser extensions

Show Notes - https://www.grc.com/sn/SN-1061-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit


[00:00:00] It's time for Security Now! Steve Gibson is here. We're going to talk about RAM pricing. We're going to talk about Claude Code and vibe coding. The six-day certificates are now out from Let's Encrypt. And yes, it's the return of GhostPoster malicious browser extensions you need to watch out for. All that coming up next on Security Now.

[00:00:25] Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1061, recorded Tuesday, January 20th, 2026. More GhostPosting.

[00:00:44] It's time for Security Now! The show where we cover your security, your privacy, how computers work, the best sci-fi, vitamins, magnesium and more with this man right here, Mr. Steven. Steven Gibson. Hello, Steve. Am I bored or what, Leo?

[00:01:00] No, you're right. What you are is a polymath. That's the word. You have many diverse interests and you are a very quick learner and you like sharing what you've learned with us and that's, we're grateful. I have to say, I like that probably, that sure fits. I'll go with that.

[00:01:20] I was always an enthusiast. I would like get really excited about something for six months and then lose interest and move on to the next thing. You're a little bit more, thank goodness, devoted. A little less, what is that? Is that ADHD or ADD or what is it? Do they have some initials for that? There's probably some diagnosis, I'm sure. I'm sure there is. We're all on the spectrum somewhere. Yeah.

[00:01:45] Okay. So, we're going to talk about ghost posting again after more worrisome information surfaced following our first discussion of it four podcasts ago.

[00:02:00] It was our last podcast of 2025. I thought we were done with it, but no, but more interesting stuff and some good takeaways, I think, for this Security Now number 1061 for what is happening with January. It's almost gone. It's the 20th. I guess our last podcast of January will be next month, I mean, next week. So, wow. Okay.

[00:02:28] But we're going to look at other things first, of course. It turns out that not only are PCs going to be affected by what's happening with RAM, but there have been some recent studies and surveys that demonstrate that enterprise, high-end enterprise networking, like firewall equipment, is similarly going to be hit. And it's got to go. Oh, I'm sorry.

[00:02:54] Yeah. Yeah. Yeah. Because the high-end equipment is using a lot of RAM in order to do what it's doing. And so, we're going to see that going up too. Anthropic has provided sizable support to the Python Foundation, which is good and interesting in a couple ways. The FTC has clamped down on General Motors' secret sale of driving data.

[00:03:21] A new – it's not an organization. A new – I don't know what it is. It's a government thing. No, I know why you don't know what it is. Yeah. Yeah. It's abbreviated ANCHOR, A-N-C-H-O-R, which replaces – Agency, maybe. Agency. I like that. That's an agency, which replaces – I don't know how you pronounce this except CPAC, although it's not the CPAC we're all familiar with, C-I-P-A-C.

[00:03:51] That was that agency that was terminated when Trump – shortly after Trump became president for the second time, which is that private public information sharing where the industry was relying upon their ability to disclose their own mistakes without fear of retribution from the government.

[00:04:18] So anyway, we're going to catch up on where that is. Germany, it turns out, is planning to legislate themselves total access to the internet's global data. And Leo, we were talking about the inability to pronounce things before we began the podcast.

[00:04:37] I've got a German word that – I mean, it looks like the Scrabble set fell on the ground and they just assembled the letters in an arbitrary sequence. Luckily, it's got a three-letter abbreviation. But anyway, we'll talk about this legislation from this organization in Germany.

[00:04:58] Grubhub has not completely confessed, but we now know that they are ShinyHunters' most recent extortion victim. Oh, jeez. Uh-huh. So ShinyHunters, the shine has not been lost yet. Let's Encrypt's six-day certs are now available to anyone who wants them, which is the way it should stay. Not mandatory, but yeah, okay.

[00:05:27] I'm really nervous about my inability to protect my certificate, you know, despite the fact that I'm running a web server that has to have one. You know, okay, so I want six days. Anyway, we'll get there.

[00:05:39] Iran has said – well, actually not said publicly, but there are internal reports and internal machinations which force people to draw the conclusion that they plan to permanently remain off the internet as they have been since January 8th. Not coming back. We'll talk about what that means.

[00:06:04] Also, oh, I got two so cool graphs. An HD Tune before and after – HD Tune is a utility, you know, HD as in hard disk. It was run on an SSD by one of our listeners and SpinRite owners before and after. And it's my favorite chart.

[00:06:29] Also, we've got some great listener feedback and then we're going to get around to talking about the fact that GhostPoster turned out to have been – I hope we can use the past tense. It's not clear. Much worse than was believed and than what we knew four weeks ago when we talked about it for – I think it was 1057 was our last podcast of last year.

[00:06:53] And, of course, we've got a picture of the week that many of our listeners have written back saying – because I sent this all out last – yesterday afternoon, early afternoon. They said, oh, yeah, I remember that. Okay. Well, I can't wait to remember what that is. But we'll find out in just a little bit. It is – yes. It's the follow-on to the famous Be Kind Rewind sticker. Oh, yes. Oh, yeah.

[00:07:22] Which Blockbuster put on all of their VHS tapes, you know. It was also the name of a movie about a guy who works in a video store. I can't wait. We have lots to talk about and, of course, this is the place to talk about it if you're interested in security. We will get underway with our picture of the week. Again, I have sealed myself in a soundproof booth for the last seven days. I have no idea what the picture of the week is.

[00:07:52] We will look at it for the first time together. Although, as you have pointed out, people who subscribe to your newsletter get it a day before. And they've been probably already talking about it and everything. So I'm probably the last to know. Yes. Before we get to that, though, let me talk about our sponsor for this segment on security now, our great friends at Bitwarden. And I know you know about Bitwarden, Steve. We talked a lot about it a few years ago.

[00:08:20] We decided that the password manager we were using might not be the best one in the business, even though they were at the time a sponsor. We were driven off. We were driven off. It's true. But we found, I think, a very, very good replacement. I don't know about you, but I am super happy with Bitwarden. Now, one of the reasons I was happy to move to Bitwarden is because it's open source.

[00:08:42] And I'm a firm believer that if you're going to trust something that has crypto in it, it has to be open source crypto so that you know they're using the best algorithms. They didn't roll their own. They didn't make it up, and there are no backdoors. It does what it says it does. You can look at it. It can be audited. In a nutshell, that's Bitwarden. GPL license. The code's on GitHub. There's no surprise. They have become the trusted leader in not just passwords, by the way. Passkeys. Secrets management.

[00:09:10] Frankly, I put everything that I want to keep secret in Bitwarden. Bitwarden is consistently ranked number one in user satisfaction by G2 and by software reviews. 10 million users now. Across 180 countries, more than 50,000 businesses. Steve and I are not alone. And when I say business, that's really important. I mean, it's one thing for your passwords. Anybody who watches this show is using a password manager. You know about good password hygiene. You know how important that is.

[00:09:38] But if you have a business, can you say the same thing about your employees? We know, you know, your employees are probably doing all the things everybody else does that's wrong, like reusing passwords, using bad, weak passwords that are easy to remember, putting their passwords in a... Actually, we had to fire an employee who was putting all of the company's networking passwords and everything in a spreadsheet that he posted publicly.

[00:10:06] So he said, I have easy access to it. No! That's why... I know. I know. That's why you need Bitwarden for your business. It keeps you secure all year long. One of the things Bitwarden has just added, they always had nice new features. Another advantage of being open source, I think. With the new Bitwarden access intelligence, organizations can detect weak, reused, or exposed credentials. And then, with the employee, immediately guide remediation.

[00:10:35] So the employee understands why this was bad, what happened, and helps them replace those risky passwords with strong, unique passwords. Passwords done right. And that closes a huge security gap. We've talked about it many times. Credentials are perhaps the top cause of breaches. Access intelligence from Bitwarden makes those bad passwords, those reused passwords visible, prioritizes remediation, and corrects them before exploitation can occur.

[00:11:05] But it's not just business. Bitwarden's for everybody. They love the individual. They've just introduced something I think is so cool called Bitwarden Lite, L-I-T-E. It's a special, lightweight, self-hosted password manager. So this is perfect for a lot of our audience. It's built for a home lab or personal project. Any environment where you want quick setup, minimal overhead, and TNO. Trust no one because you're hosting it. Bitwarden's now enhanced with real-time...

[00:11:35] You don't have to use this, obviously. This is just one feature. One of many features there. Enhanced all the time, they're improving Bitwarden. Real-time vault health alerts. As I mentioned, they've got those password coaching features that help users identify weak, reused, or exposed credentials. This is not just for business. It's for everybody using Bitwarden. Helps you take immediate action. I do it all the time because I have thousands of passwords over the last, what is it, 20 years. And they're all in my Bitwarden vault. And every once in a while I use one and Bitwarden says, we want to change that right now.

[00:12:04] Here, let me help you. That's fantastic. Makes it easy. Bitwarden also makes it easy to move from the browser password manager, which so many people use. It's probably what your mom uses. Probably what Uncle Vinny uses. Whether it's Chrome, Edge, Brave, Opera, Vivaldi. Direct import means they don't have to... This is what Steve and I did when we moved. We had to export our passwords.

[00:12:29] And then you're in that scary point where everything's in clear text on your hard drive. Import them in and you've got to remember to delete it. Not anymore. Bitwarden supports direct import. Direct import copies or imports credentials from the browser into the encrypted vault. In fact, when you install Bitwarden, it'll offer to do that without requiring that separate plain text export. That makes migrations fast, easy, and eliminates the exposure that's associated with the manual export and deletion steps. I love that.

[00:12:59] They're always thinking. They're always improving. G2 winner 2025, the most recent G2 report, says that Bitwarden continues to hold strong as number one in every enterprise category. That's the sixth straight quarter. Congratulations, Bitwarden. The setup is easy. It'll import from most password management solutions. It's a quick move and it's painless. And you're going to be so glad you moved to Bitwarden. Bitwarden's open source code is regularly audited by third-party experts.

[00:13:27] They meet SOC 2 Type 2 GDPR, HIPAA, CCPA standards. They're ISO 27001-2002 certified. Get started today with Bitwarden's free trial for your business of a Teams or Enterprise plan or get started for free as an individual user. Bitwarden.com slash twit. That's Bitwarden.com slash twit. Thank you, Bitwarden, for supporting Steve and the work he does here. Okay.

[00:13:58] Okay. So I found the sales pitch for this device, Leo. Okay. It reads, never pay another DVD rewind fee again. It's a DVD rewinder. It is a DVD rewinder. Well, wait a minute. I know. Hold on. No. It's compatible. Wait a minute. With all disc formats.

[00:14:26] With DVD+R, DVD+RW, DVD-R, DVD-RW, CD-R, CD-RW, audio CD. In fact, you can see down there the little switch. It says either DVD or MP3. Oh, my goodness. It'll rewind your audio discs as well. Wow. So, and then in the marketing material that came along with it, they explained.

[00:14:54] They said, we've tested the DVD rewinder with the next generation disc media, including Blu-ray and HD. The DVD rewinder also works with Sony PlayStations, Xbox, and other disc-based console system media. The DVD rewinder works with all disc-based digital media to provide optimized digital experience.

[00:15:20] Visual indicators blink and audible sounds are played while your digital media is reversed. The DVD rewinder also has, get this, Leo. This is so clever. A USB port for MP3 players and USB media. So, it will even rewind your USB media when it hits the end. Even iPods, ladies and gentlemen. Everything.

[00:15:49] It'll rewind your iPod. Wow. That's fantastic. It's an amazing device. I can't understand why it's no longer available. Sometimes you can find one, a stray one on eBay. But, yeah. Oh, my. You know, sometimes the obvious things, you just miss them. I want this for the next white elephant party. Because that would be a great giveaway. Someone comes along and they go, ah, nobody did a rewinder for DVDs.

[00:16:19] It's like the missing link. Be kind. Rewind. Rewind that DVD. That's right. That's right. And the truth is, Leo, that when Blockbuster switched from tapes to DVDs, the employees still put the please, you know, be kind, please rewind sticker on the DVD boxes. Well, that probably stimulated the demand for this DVD. They were well. What are you going to do? You don't want one of those fees.

[00:16:48] Sometimes in some places would charge you a fee if you did not rewind your media. So you could probably hold this up and show them, hey, I have a DVD rewinder. These are all the DVDs I'm returning are fully rewound. Steve, you understand there's an entire group of our members of our audience that have no idea what we're talking about. Fortunately, the bulk of our audience are old.

[00:17:18] Or probably where we are. But seriously, there's a whole generation that's never seen a VHS cassette. That's true. That's amazing. And soon there'll be a generation that's never seen a CD or DVD. Well, and I was saying to Lori the other day, imagine kids now growing up, never being in a world that never had AI that you could talk to and would answer.

[00:17:43] I mean, here all of us oldies are like, oh my God, have you seen what it can do? It's amazing. It is. And now the next round, they're going to be like, eh, yeah, I just crocked it. I just crocked it. Let's hope that does not become the verb. I'm just saying. Yeah. Yeah. Yeah. Okay.

[00:18:10] So any of our listeners who provide purchase planning guidance for high-end network security products may wish to consider advising those who have, you know, make the final decisions that maybe they should be purchasing sooner rather than later. If they already know what they were going to do, but just haven't pulled the trigger.

[00:18:32] Some recent commentary about the effect of the rising cost of RAM will also likely have on the security equipment sector suggested that prices could be expected to rise there as well shortly. The commentary said, the current price hikes and supply shortage of DRAM memory chips are expected to also impact firewall makers and the cybersecurity market.

[00:19:01] DRAM is a crucial component for the manufacturing of modern next-gen firewalls, a staple in the cybersecurity defense of any major enterprise. Investment advisory firm, Wedbush says firewall companies will see thinner margins this year due to the rising DRAM costs. This will impact their bills of materials with the extra costs being passed on to consumers as product price increases.

[00:19:28] This will likely lead to lower sales, smaller profit margins, and weaker investor yields. Companies like Fortinet, Palo Alto Networks, and Check Point are expected to see the biggest headwinds on the stock market this year as a result of DRAM hikes. Firewall makers join laptop, PC, and smartphone vendors, all of which are expected to see big headwinds this year due to collapsing sales.

[00:19:54] DRAM prices have been up between 60% and 70% since last year and are expected to grow another 50% in the first quarter of the year alone. The production of most of this year's DRAM supply has already been purchased by AI companies for use in their future data centers.

[00:20:17] DRAM maker Micron has exited the consumer market and focused strictly on supplying AI and data center makers. South Korean company SK Hynix is also pondering a similar decision from both the DRAM and NAND slash SSD markets.

[00:20:38] So, I mentioned previously that I purchased my next small form factor desktop PC from Lenovo a couple of months ago before I planned to deploy it. Probably March, another two months still. And I did that due to the expectation that PC vendors will soon have no choice other than to raise the prices for their systems.

[00:21:07] And since it will be done across the board by the industry, it's not like they're going to lose out of the competition. The competition is going to have to do the same thing as well. And I also had mentioned previously several months before that, that I was, I had become similarly glad to have recently purchased replacement servers for GRC after the second of the five that I currently had had died.

[00:21:36] That used up, two dying out of five, you know, used up my margin. I know I no longer had any spares. So, I wanted to be ready with replacement servers standing by in case I were to lose another. At the time, those server replacements were for that just in case instance. But now I'm glad since I always prefer to stuff my servers with as much RAM as they can handle. You know, that's a good thing for their health.

[00:22:06] And last summer, RAM was still amazingly inexpensive. Not so any longer. So, I think that the takeaway here is that if, as I said, if somebody already had plans to purchase high-end RAM intensive network security equipment like sometime soon, it might make sense to cut the purchase order like very soon. Because prices are expected to rise. Again, not surprisingly.

[00:22:34] Unfortunately, the little form factor PC that I purchased, I was unable to max out its RAM. And I went looking for the balance. And I decided, okay, I'm going to wait. Because, you know, this crazy RAM pricing is not expected to last forever. I hope it doesn't.

[00:22:57] But at the current RAM prices, I'm not willing to buy another 64 gig to bring this thing up to 128. I'll stay where I am. Which should be fine. Maybe it was 32 and it can take 64. I don't quite remember. But I looked at current prices and it's like, ow. Yeah. I don't need it that badly. Just hope you're, you know, you're where you need to be for now. Right? Yeah.

[00:23:27] Oh, yeah. I've got, I had, I had at least 32 gig, which may be 64. I'm not sure. But it could take twice what I had. And I thought, well, I want to give it all I can because I expect to be more in a virtual machine environment also, you know, moving forward. So last week, the Python Software Foundation announced some very welcome financial support from Anthropic.

[00:23:54] Under their headline, Anthropic invests $1.5 million in the Python Software Foundation and open source security. They wrote, we are thrilled to announce that Anthropic has entered into a two-year partnership with the Python Software Foundation to contribute a landmark total of $1.5 million to support the foundation's work with an emphasis on Python ecosystem security.

[00:24:24] This investment will enable the PSF, that's Python Software Foundation, the PSF, to make crucial security advances to CPython, which is the, that's the Python written in a hybrid of C and Python itself. And the Python package. Actually, it's a Python that compiles, that's written in C and compiles to C, but you write in Python. CPython. Oh. Yeah. So it's, well, but written in C. Well, I think Python in general is written in C. Some of the libraries are written in Python, but CPython. Right.

[00:24:54] Instead of, so Python's normally an interpreter. Right. CPython writes C code, which is then compiled. I see. I got you, got you. So it outputs C code that is then compiled. Yeah. Got it. That's my understanding. I may be wrong. Correct me if I'm wrong, Chowron. So CPython and also PyPI, which we're talking about all the time for not good reasons, the Python Package Index, will also be receiving the benefit of this. This is great.

[00:25:23] So, yeah, it's really good. And so they said it will also sustain the foundation's core work supporting the Python language ecosystem and global community. This is because Python is really the language of AI. Of AI. Exactly. And they said Anthropic's funds will enable the PSF to, well, exactly. It's a strategic investment, right? On, on Anthropic's part. Yeah.

[00:25:46] Anthropic's funds, they said, will enable the PSF to make progress on our security roadmap, including work designed to protect millions of PyPI users from attempted supply chain attacks. And get this, planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review.

[00:26:16] We intend to create a new dataset of known malware that will allow us to design these novel tools relying on capability analysis. One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories.

[00:26:35] As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem. This work will build on PSF Security Developer in Residence Seth Larson's security roadmap, with contributions from PyPI Safety and Security Engineer Mike Fiedler. Both roles generously funded by Alpha-Omega.

[00:27:04] Anthropic's support will also go towards the PSF's core work, including the Developer in Residence program driving contributions to CPython, community support through grants and other programs, running core infrastructure such as PyPI and more. We could not be more grateful for Anthropic's remarkable support, and we hope you will join us in thanking them for their investment in the PSF and the Python community.

[00:27:30] So, as you said, Leo, this is great and welcome news. One and a half million likely makes a big difference to the Python project as it would to any volunteer-driven open source effort. And given the insane flows of cash the AI sector is seeing, one and a half million doesn't even qualify as a drop in the bucket.

[00:27:55] It's more like some vapor for the likes of any mainstream commercial AI vendor. At the same time, much as this will be welcome support on the receiving end, you know, and we should also acknowledge, right, that it's likely a clever investment on Anthropic's part.

[00:28:12] You know, the line from the announcement, as I said, that caught my eye, planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process. So, yes, automated proactive review. In other words, deploying AI to examine all newly submitted Python package code.

[00:28:39] And whose AI do you imagine the Python Software Foundation will choose to deploy? You know, even if it weren't Anthropic, given Claude's current code analysis strength. You'd use Claude anyway. That's right. Yes. Anthropic's solution would probably be the one to choose. You're not going to use Grok for that. And they're certainly not going to use a competitor's AI with the $1.5 million.

[00:29:05] I was kind of wondering if some of that might have been in AI token credit, but they said cash. So, anyway. I think every company now uses open source software a lot. In fact. And ought to really be supporting. Everybody should be doing this. If you're using open source, fund those projects because they're underfunded and they need help. And you're making money off of them. So, put some of it back in.

[00:29:34] I talk a little bit later again about my plans to switch to Let's Encrypt TLS certs when I'm forced to. And that much as I do for Wikipedia that, you know, sends me a little email every month thanking me for my, you know, drip of contribution. I'm going to do the same thing for Let's Encrypt because I'll be using their certificate services for free. And that's a hell of an infrastructure that needs to keep, you know, running and going.

[00:30:03] So, yeah, I agree with you, Leo. I think that's it's the right model.

[00:30:09] One of the more egregious privacy-invading behaviors that has come to light is the idea that car makers might be generating additional revenue for themselves behind their car owners' backs by selling data about their individual drivers' driving to insurance companies.

[00:30:36] The question has been whether or not individual drivers may have consented to this. I would argue strongly that it is not possible to actually consent to something that's never explicitly described and explained and which probably appears in a purchase agreement's legalese fine print. I've been driving for about 55 years now, and I purchased a few cars during that time.

[00:31:04] I've never attempted to read any of the fine print. I presume that as a U.S. consumer, my rights will be protected by my government's agencies, whose job it is to be a check on corporate greed and to make sure that consumers who don't read the fine print get a fair shake. Nevertheless, to that end, last Wednesday, the FTC posted an announcement under their headline.

[00:31:32] FTC finalizes order settling allegations that GM and OnStar collected and sold geolocation data without consumers' informed consent.

[00:31:45] They wrote, the Federal Trade Commission finalized an order with General Motors and OnStar settling allegations that they collected, used, and sold consumers' precise geolocation data and driving behavior data, you know, like acceleration and braking. We know that the cars are tracking, we know that the cars are tracking that, from millions of vehicles without adequately notifying consumers and obtaining their affirmed consent.

[00:32:14] Under the order finalized by the commission, General Motors LLC, General Motors Holdings LLC, and OnStar LLC, collectively GM, which are owned by General Motors Company, are prohibited from sharing certain consumer data with consumer reporting agencies.

[00:32:33] They also are required to take steps to provide greater transparency, which I would argue is any transparency, and choice to consumers over the collection, use, and disclosure of their connected vehicle data.

[00:32:49] In a complaint first announced in January 2025, so this took a year, the FTC alleged that GM used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and OnStar smart driver feature.

[00:33:09] The FTC also alleged that GM failed to clearly disclose that it collected consumers' precise geolocation and driving behavior data via the smart driver feature and sold it to third parties without consumers' consent. The final order, approved by the commission, imposes a five-year ban on GM disclosing consumers' geolocation and driver behavior data to consumer reporting agencies.

[00:33:37] This fencing-in relief is appropriate given GM's egregious betrayal of consumers' trust. And for the entire 20-year life of the order, GM will be required to, and we have four bullet points, obtain affirmative express consent from consumers prior to collecting, using, or sharing connected vehicle data, including sharing data with consumer reporting agencies,

[00:34:05] with some exceptions, such as for providing location data to emergency first responders. Second, create a way for all U.S. consumers to request a copy of their data and seek its deletion. Third, give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology.

[00:34:32] And finally, provide a way for consumers to opt out of the collection of geolocation and driver behavior data with some limited exceptions, again, like emergency conditions. The commission, I got a kick out of this, the commission, they said, voted two to zero. So, Leo, both of the commissioners said, okay, we like this. Steve and I vote two to zero that we agree. Thank God it wasn't a tie.

[00:35:02] That would have happened. So, in addition to General Motors, we know that Hyundai has been found to be sharing its drivers' data with a company called Verisk. That's one of the major brokers of such information. Both Honda and Toyota are believed to be doing the same.

[00:35:21] And, you know, this nauseating spying on the part of automakers feels so similar to the idea of consumer ISPs, like all of the companies that we use to connect us to the Internet, surreptitiously monitoring and tracking their own subscribers' Internet usage and behavior without knowledge or permission, technically, right?

[00:35:44] Maybe it's in, you know, they'll say something down in there about, you know, for business purposes without ever, you know, being expressed about what it is. Just, you know, their attorneys have, like, give them an out legally. And remember, Leo, you used to introduce me on this podcast as the person who coined the term spyware and who created the world's first spyware removal tool. Both of those things are true.

[00:36:13] I named that first anti-spyware utility OptOut. And I, oh, I will never forget the raw fury that was expressed in the email end users were sending to that spyware's parent company, at the time named Aureate. They shared some of the email with me. I mean, oh, it was way over the top.

[00:36:43] I mean, it's like get higher security guards to protect your family. The people were so upset. But that's how people reacted to the affirmative discovery of secretly installed spyware residing inside their machines. It was never my intention to put Aureate out of business.

[00:37:09] But it turned out that their entire business model was only viable while they remained unknown and secretive. Once people learned about them, no one wanted anything to do with them. My creation and publication of OptOut generated so much antipathy toward them that I spoke, as I mentioned, to their leadership on several occasions.

[00:37:35] I came to understand that individually they were not bad people. The Aureate system was a revenue generation library that shareware and freeware authors could embed into their software to display advertisements on the app's UI surface.

[00:37:58] So the Aureate system was supposed to advertising-enable shareware to generate some revenue from the shareware's use. The big mistake Aureate made was in relying upon the freeware and shareware authors to notify their users. It was all about notification. Notify their users that this was taking place.

[00:38:27] None of their authors did that. Or if they did, again, buried down in the software's license agreement that no one ever bothered to read or understand. I explained to the Aureate management that they needed to take independent responsibility for their operation of their system by displaying their own permission dialog to get the end user's permission.

[00:38:56] Most of the anger and, oh, it was palpable, was over the fact that this was going on behind people's backs, users' backs. And it just engendered fear. Right. I mean, they were afraid of the idea that something was watching them. So today, the names have changed, but the behavior has not.

[00:39:17] GM knows that if their users were clearly asked whether they would like to have detailed data about their driving habits sold for GM's profit to third parties, who would then resell it to their insurance providers to justify increases in their own insurance rates, who would say, you betcha, sign me up for some of that? Nobody, right?

[00:39:46] Similarly, ISPs know that no one would want to have their detailed use of the internet resold to data brokers. But ex-ISP employees have said they know firsthand that's happening. So we know that the opinions and votes of our politicians can deeply influence or can be, their votes can be deeply influenced by commercial interests through lobbying.

[00:40:16] No. So thank goodness we have independent consumer watchdog agencies such as the FTC to watch our backs for us. A lot of insurance companies will give you a, this is how they get around this, a reduced rate. You think it works? It works both ways? Yeah. Well, what they do is they offer you as their insuree a reduced rate if you agree to be tracked. Right. And then they have an app that you can install. So that way- Directly with the company. Right.

[00:40:45] It's not, and no car company is making money on that, selling your information without your knowledge. You're agreeing with the insurance company. I think that's okay. Yeah. Yeah, yeah, yeah. Right. In that case- That's actually good because that reduces our expense if, you know, because insurance companies don't want to insure bad drivers, right? They only want to insure people working on the planes.

[00:41:09] The other day, I showed Lori my 20-plus-year-old beloved BMW sedan died two years ago. Oh, man. Oh, man. Oh, man. And I replaced it. And since then, my aggregated driving shows an average of 26 miles per hour. Now, I-

[00:41:37] You should see what my aggravated driving is. No, that's good, Steve. You follow the speed limit. So I- Well, not because I want to. It's just because there's cars in my way. You live in LA area. You can't go any faster, even on the freeway. Hey, I want to correct myself. C-Python, I did not know this, actually, is the official name of real Python.

[00:42:05] It is called CPython because it was written in C. C-Y-T-H-O-N, Cython is the one I was thinking of, which is compiled C, and that is not a Python Software Foundation project, so they don't get any of the money. CPython is Python. It's the same thing. They just, I don't know, they call it Python. Okay. Before we figure out what ANCHOR and C-I-P-A-C are, let's take a break.

[00:42:34] Okay. And then we're going to figure out what the Department of Homeland Security is up to and whether the replacement ANCHOR Council is going to make anybody happy. Yes. Security Now brought to you this week by Thinkst Canary. This is not an external USB drive, nor is it 64 gigs of RAM. Nor does it need to be rewound. You do not rewind that. No, and it doesn't have to be rewound.

[00:43:04] No. This is the best darn honeypot ever made. This is the Thinkst Canary, and you're going to love it. You need it as part of your overall security strategy. I have a question for you. If, you know, it's not going to happen, but let's say you were breached. Your company's network was breached by a bad guy. How would you know? This is a question that a lot of bosses don't want you to ask. How would you know if somebody were in your network?

[00:43:34] You can assume the bad guys are clever. They're covering their tracks. They're not going to say, hey, I'm in here. I'm working here. They're going to sneak around. And what are they going to do? They're going to look for places they can hide time bombs, little ransomware time bombs. They're going to look for proprietary information, your secrets, maybe customer information. They're going to exfiltrate that stuff so they can blackmail you before they set off the time bombs and ransomware you. You need a way of knowing that somebody's in your network.

[00:44:03] On average, companies do not know they have been breached for 91 days. That's three months for the bad guys to wander around unimpeded. Again, you need this. It's a honeypot. Now, writing your own honeypot is not an easy thing to do. Our sponsor, Thinkst Canary, has done it for you. This is a Thinkst Canary. It looks just like an external USB drive. A little difference here, though. It has an Ethernet port and a USB connection for power. You plug this in.

[00:44:32] You put it in your closet anywhere you want. You're going to want one for every LAN segment, for sure. You might want more. Just sprinkle them all around. And if you have remote offices, et cetera, every one of them should have one. The idea is you want to sprinkle these around because they don't look like honeypots. They don't say, hey, I'm a Thinkst Canary, hacker. They say, I'm a SharePoint server. I'm an IIS server. I'm Microsoft Windows 9 or whatever.

[00:45:02] They could be anything. They could be a SCADA device. This one turns out to be a Synology NAS. It's a fake one, though. I mean, you can't tell. The bad guy can't tell. It's got the MAC addresses right. They have the company MAC addresses. They have the full login pages. Anything that a bad guy would use to say, is this the real thing? They've done. It's a perfect impersonation. The other thing these Thinkst Canaries can do, which is so cool, is they can create files, lure files that can be a whole variety of things.

[00:45:29] Anything from a WireGuard configuration file to an Excel spreadsheet. You can name them with provocative names like employee payroll information. And you can put them anywhere, even on your cloud. I have some on Google Drive. You have them on local on-prem hardware. You can spread them around. These are like tripwires, right? So you've got the Thinkst Canary honeypots. You've got these tripwires. They can be deployed in minutes. Literally, you could set these up in just a few minutes. You get this great console. It's got a dropdown menu.

[00:45:59] You choose what it is. You can even, if it's a server, if it's a Windows NT server, you can say, turn on every service. Make it a Christmas tree. Or you could say, no, no, just a few special services like, I don't know, RDP. Make that public. You can do whatever you want, right? Once you set this up, but then you let it sit there. You relax. You wait. The minute somebody accesses one of those lure files, and they can't resist.

[00:46:28] What, a WireGuard configuration? I can't wait to get in there. Those spreadsheets with social security numbers? That's for me. Or if they try to brute force your server, your fake SSH server or NT server, you're going to get from your Thinkst Canary an alert. No false alerts. Just if you get an alert from your Thinkst Canary, something you need to pay attention to, and you're going to want that alert. It's very simple. By the way, the alerts can come any way you like, or all of them.

[00:46:54] Email, SMS, Slack messages, webhooks. They support webhooks. There's an API. Syslog, of course. You just choose a profile for your Thinkst Canary device. So easy, you might change it every few days. I sometimes, just for fun, change it every day. Then you register with the hosted console. You'll get your monitoring, your notifications, and then you wait. Attackers who breach your network, malicious insiders, other adversaries cannot help but make themselves known by accessing your Thinkst Canary.

[00:47:26] Now, if you're a big bank, you might have hundreds of these, as I said, spread out all over. A small operation like ours might just have a handful, but let's give you an idea. Visit canary.tools/twit. $7,500 a year will get you five Thinkst Canaries. You also get your own hosted console. You get upgrades. You get support. You get maintenance. If you use the code TWIT, when you sign up in the How Did You Hear About Us box, say TWIT, you'll get 10% off the price. And not just for the first year, but for life.

[00:47:55] You can always return those Thinkst Canaries. They've got a great two-month, 60-day money-back guarantee for a full refund. No questions asked. I do have to tell you, though, we've been doing ads for Thinkst Canary. It'll be 10 years this summer. 10 years. In all that time, in that entire decade, that refund guarantee has never once, not once, been claimed. Visit canary.tools/twit. Don't forget, enter the offer code TWIT in the How Did You Hear About Us box.

[00:48:25] That's canary.tools. It's awesome. Now, speaking of awesome, back to Mr. Wonder. No rewinding necessary. No rewinding necessary. You couldn't rewind it if you tried. There's nowhere to stick it in. All right. Okay. So last year, we touched upon the crucial need for industry executives to be able to disclose

[00:48:53] known security incidents, that is, you know, their own known security incidents. And these are like, you know, infrastructure agencies, you know, major power companies and so forth. To government officials without fear of reprisals from the government. This was the critical role that CIPAC had. I guess CPAC.

[00:49:18] CIPAC stood for the Critical Infrastructure Partnership Advisory Council. Last Wednesday, the publication CyberScoop published a very nice piece about the pending replacement agency.

[00:49:35] CyberScoop wrote, the Department of Homeland Security is finalizing plans for a new body that would replace the functions of the Critical Infrastructure Partnership Advisory Council, CIPAC, and serve as a communications hub between industry and government to discuss ongoing threats to U.S. critical infrastructure, including from cyber attacks.

[00:49:59] Under previous administrations, CIPAC served as a nerve center for federal agencies, industry, and other stakeholders. While industry widely praised its utility, the council was one of many DHS advisory bodies that were shuttered last year by Secretary of Homeland Security, Kristi Noem, after President Donald Trump returned to office.

[00:50:25] Now, according to multiple sources, a proposed regulation for a new replacement council is in the final stages of review and approval from Noem's office. The new body will be called the Alliance of National Councils for Homeland Operational Resilience, which has the initials ANCHOR, A-N-C-H-O-R, Alliance of National Councils for Homeland Operational Resilience.

[00:50:55] And will also serve as an umbrella organization for other federal sector risk management agencies. Its goal is to restart conversations and planning, conversations and planning around infrastructure security that took place under the previous CIPAC, according to a former DHS official.

[00:51:20] The official, who requested anonymity to discuss the administration's plans, said all 15 federal sector coordinating councils have been briefed on ANCHOR. One of the primary differences between CIPAC and ANCHOR will be in structural authorities and liability protections. And now the liability protections is the key issue, right?

[00:51:46] I mean, that's what industry executives explained that they have desperately needed. The article says CIPAC was essentially, quote,

[00:52:11] He said this created a waterfall effect of bureaucracy that made CIPAC a poor vehicle for holding broad conversations between not just DHS and industry, but all other federal sector risk management agencies and sector coordinating councils. So it kind of sounds like it may have been the way it was implemented before, a little bit of a bureaucratic nightmare. The official said, quote,

[00:52:39] What DHS has strived to do is create a new framework for engaging on threat conversations and pre-deliberative policy conversations impacting security outcomes with sectors and the private sector without having to create all these waterfall advisory councils or new charters and all that stuff, unquote. So, okay, so far that all sounds good, right?

[00:53:08] Any reduction in needless bureaucracy sounds like a good thing. CyberScoop's reporting continues saying, Under CIPAC, the original organization, conversations between government and industry were also closed by default, which is in double quotes, so that was a term of art, closed by default to the public,

[00:53:31] with mandatory liability protections for every conversation and setting. Often, the most the government could do was issue a press release or cite comments under Chatham House rule. Under ANCHOR, there is expected to be wider latitude for DHS or other councils to open certain meetings to the public or provide transcripts of conversations they hold with stakeholders.

[00:54:01] And, of course, that could put a chill on the conversations, right? Because previously, the government was essentially gagged. CyberScoop says, however, the official emphasized that liability protections remain one of the last unresolved issues. The administration is still determining when those protections would or would not apply to ANCHOR-related discussions between government and industry

[00:54:29] and further changes could be made to assuage the industry. Other federal laws, such as the Cybersecurity and Information Sharing Act of 2015, only provide liability coverage for one-to-one conversations between a company and the government. The previous entity, CIPAC, by contrast, provided a liability shield for one-to-many engagements,

[00:54:56] where a company may engage with federal, state, and local agencies, as well as other companies and entities. The official said, quote, That created a well-understood and important liability shield, which allowed senior officials all the way up to the CEO of private sector companies to openly communicate with each other. Following the initial publication of this reporting,

[00:55:25] a DHS spokesperson in a statement did not dispute the description of ANCHOR provided by CyberScoop, but called discussions of an imminent regulation release premature. The spokesperson said, quote, We look forward to sharing more details once we have something to announce, unquote. This week, Adrienne Lotto of the American Public Power Association told Congress

[00:55:52] that liability protections in CIPAC were critical to fostering open dialogue between industry and government around cybersecurity and infrastructure protection. She also signaled that a new advisory council was forthcoming, saying industry, quote, was apprised by DHS that the administration's proposed CIPAC replacement is ready for publication in the Federal Register, unquote,

[00:56:20] while encouraging the administration to finalize the plans quickly. Even with some uncertainty around ANCHOR's structure and liability protections, many industry executives are likely to embrace the return of information-sharing partnerships that they believe were vital to understanding the digital and physical threat landscape facing their industry sectors. Last year, industry groups lamented the disbanding of CIPAC to members of Congress,

[00:56:49] prompting Representative Andrew Garbarino, now chair of the Homeland Security Committee, to pledge he would look into this and hopefully speak to the administration to try to fix this, unquote. The former DHS official said they expected ANCHOR to be largely welcomed by many industries who have called for the restoration of CIPAC, even as they look to grapple with the Trump administration's new approach. The official said, quote,

[00:57:16] everybody who wants to talk in groups is going to be excited to have it back. At the same time, those who are concerned about the amount of risk it opens up will need to see the details. So I clearly recall us reporting on the industry's concern over the disbanding of that original CIPAC.

[00:57:42] Since there were clearly things, there are clearly things that the government alone can do, which private industry may need their help with. If nothing else, setting laws and regulations that allow the industry to do what it needs to do. But if a fear of the consequences of divulging serious incidents and problems keeps industries silent,

[00:58:08] which CIPAC didn't because of its blanket liability protection, then that would not be good for ANCHOR. I like the sound of an improved structure that sidesteps the need to design and spawn endless subcommittees and create charters for them. And it sounds as though the need for liability protections at least is clearly understood now.

[00:58:35] So let's hope that ANCHOR happens and that it provides the protections that the executives need in order to openly speak with the government at all levels and among themselves. Okay, so, okay, Leo, the word is German.

[00:58:56] It's B-U-N-D-E-S-N-A-C-H-R-I-C-H-T-E-N-D-I-E-N-S-T. The Dienst. Bundesnachrichtendienst. Perfect. And there you have it.

[00:59:21] So I have some reporting that was obtained from translations from German. And at this point, since it describes Germany's new legislation as pending, as opposed to enacted, I didn't want to spend any more time digging into the source material, which would all have needed translation. And also, my assumption is that if or when this does occur, it will have plenty of multi-sourced coverage translated for us in English.

[00:59:50] So today, I'm just going to share the reporting that I have, and everyone will quickly see why it was worth sharing, you know, as is for now. So the reporting read, German lawmakers are working on a new law that will grant the country's intelligence agency new and extensive hacking and surveillance powers.

[01:00:15] The primary intent of the new law is to free up the bun, bun, bun, bunness, not rictendinist. Yes. The BND from relying on the U.S. National Security Agency, our NSA. Oh, yes. Uh-huh. Which apparently- I think everybody's looking at ways to get around that. Yes. Yeah. Well, because you can't count on it now, right? Yeah.

[01:00:43] For threat information and bring Germany's interception capabilities on par with other European countries, such as France, Italy, the Netherlands, and the U.K. According to a draft of the new law obtained by German media, the BND, everyone knows who they are, will have- I guess it's the equivalent of the NSA, right? The Germans' NSA is the BND. Yes. So, done.

[01:01:12] Will have the power to intercept full internet communications and not just metadata as it is allowed today. The agency will also be allowed to store the data for up to six months, which will allow it to better index and search it for threat intelligence. The BND will also have its offensive hacking mandate extended.

[01:01:38] The law will allow the agency to hack foreign internet service providers and retrieve information about its targets if the companies do not cooperate or provide the requested data. What? According to reports, this provision will apply to major U.S. companies, meaning the hackies.

[01:02:01] This provision, the ability to be hacked by the BND, will apply to major U.S. companies and infrastructure providers like Google, Twitter, and Meta, which have been known to be prickly, imagine that, about surrendering such information in the past. The agency could previously intercept the communications of individuals abroad, but now the BND will also

[01:02:29] be allowed to put any foreigner in Germany under surveillance. The same goes for journalists working for foreign state-run media organizations, which German lawmakers say are acting more like agents of a foreign state than independent reporters. Wow.

[01:02:50] Finally, BND agents will also be allowed to enter apartments and deploy their federal Trojan on a target's device. Great. What could possibly go wrong? The federal Trojan has... You've been federally Trojanized. According to reports, the new law's draft is 139 pages long because all the words are as long as the BND is.

[01:03:18] So you need more pages, right? And that almost doubles the BND's previous capabilities. So I think the short version of what this means is, thank goodness for state-of-the-art encryption. Yes. Which we have every reason to believe is utterly unbreakable by anyone. The math is your friend.

[01:03:44] And while Germany's legislation might at first seem, you know, like egregious overreach, we know that the U.S. National Security Agency, our beloved NSA, has already built a massive data center of over 1 million square feet, about 20 miles south of Salt Lake City, Utah. And while the details are kept close, it's well known to be a massive data storage facility.

[01:04:13] We've often noted that there may be value in storing massive quantities of encrypted data, and probably selectively, that cannot be deciphered today, but may be decipherable using tomorrow's technology.

[01:04:31] So it's easy to imagine that the internal encrypted communications of the U.S.'s global adversaries may be tapped and tagged and sent to Utah for long-term archiving. And then, once the NSA's quantum computing technologies come online in the future,

[01:04:55] the public key crypto handshakes that established the ephemeral secret symmetric keys might be broken. And those communications, even though by then no longer current, still might be important to obtain.

[01:05:13] So I feel, you know, I sometimes feel that the EFF's, you know, the Electronic Freedom Foundation's absolutism about privacy rights and encryption goes a little overboard. You know, like, boy, did their knees jerk quickly.

[01:05:31] But when we see examples like this of how aggressively foreign governments and our own are pursuing information that, for the most part, they probably have no need for. They're just sucking it up because they can. I appreciate that the EFF is working to always provide some counterpressure against these tendencies. Because, you know, there does just seem to be an increase in this going on, Leo. Yeah.

[01:06:01] Perfect forward secrecy protects us against this ultimately, though, right? That's. No. No. It doesn't. No. Because all that's happening there is the perfect forward secrecy means that the key is changing. So, but the key is changing because you're continually renegotiating during the communication.

[01:06:30] But all of those renegotiations are similarly interceptable. So they have to. Yeah. So if it were a very static key, then that would be worse because you just break it all at once and you get the entire conversation here. You do need to be doing successive rekeying. Right.

[01:06:56] And, you know, but the NSA presumably is able to do that. The new key is arranged using the old key. So once you get the old key, you can find the new key and then you continue to do that as a chain. All right. Yeah. That's why they're saving everything. They can have my old messages.

[01:07:15] And yes, you know, and again, I, we know law enforcement bitches and moans more than they ever have, but they have also never had a greater wealth of data. All of us went online rather than, you know, walking around doing things. And all of this data is being tapped. So.

[01:07:43] It's not that there's any great dearth of information available. No. Okay. So we appreciate. That it could happen to anyone. You shared your story with us last week, Leo. I shared that. I almost. I know. I got it. Yes. I got it. I got a little text that initially had me like, oh, that looks like that. Whoops.

[01:08:10] Anyway, now appears that someone inside Grubhub clicked a link they should not have, which permitted the infamous ShinyHunters gang to obtain authentication credentials. BleepingComputer, which reported on this exclusively last Thursday, headlined their reporting, "Grubhub confirms hackers stole data in recent security breach." BleepingComputer wrote, food delivery platform

[01:08:38] Grubhub has confirmed a recent data breach after hackers accessed its systems, which sources tell BleepingComputer. The company is now facing extortion demands. I'm sorry. With sources telling BleepingComputer. The company is now facing extortion demands. Grubhub told BleepingComputer, quote, we're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems.

[01:09:06] We quickly investigated, stopped the activity and are taking steps to further increase our security posture. Sensitive information such as financial information or order history was not affected, unquote. Now, they wrote Grubhub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved or if they were being extorted.

[01:09:35] However, the company confirmed that it is working with a third party cybersecurity firm and has notified law enforcement. Last month, in other words, clearly something happened. Last month, BleepingComputer wrote, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.

[01:10:02] Grubhub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident. It's unclear whether the two incidents are connected. While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cyber crime group is extorting the company.

[01:10:28] BleepingComputer attempted to verify these claims with the threat actors, meaning the ShinyHunters guys, but they too refused to comment. Now, I'll just interject here that the threat actors' silence at this juncture would be expected since part of their promise in return for receiving an extortion payment would be their silence.

[01:10:54] Since they presumably still hope that the returns from their data breach will result in a payday, much as they have shown a willingness to brag in the past, they're certainly not going to talk to the press until it's clear that doing so would not compromise their negotiations and their extortion payout, if any.

[01:11:17] BleepingComputer continues, according to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and the newer Zendesk data that was stolen in the recent breach.

[01:11:38] And, of course, that all tracks the reporting that we've been doing here, where we noted that a month or two ago, the ShinyHunters gang had switched to attacking Zendesk users after they had apparently fully played out their multiple earlier Salesforce breaches.

[01:11:57] BleepingComputer concludes, writing Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues and billing. While it's unclear when the breach occurred, BleepingComputer was told that it was through secrets and credentials stolen in the recent Salesloft Drift data theft attacks. So the attacks that keep on giving.

[01:12:25] In August, they wrote, threat actors used stolen OAuth tokens for Salesloft's Salesforce integration to conduct a data theft campaign between August 8th and August 18th of 2025. According to a report by Google's threat intelligence team, Mandiant, the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.

[01:12:54] Google reported, by their TIG, their threat intelligence group, that UNC6395, that's their formal nomenclature for ShinyHunters, targeting sensitive credentials such as Amazon Web Services access keys, passwords and Snowflake-related access tokens.

[01:13:17] ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the account, contact, case, opportunity and user Salesforce object tables for 760 companies. So that was a major, somewhat downplayed event and attack.

[01:13:49] And Leo, we're at an hour. Let's take a break. And then we're going to talk about the availability of Let's Encrypt's six-day certs now available, fortunately, only if you want them. Six days. Wow. I might vibe code an ACME cert downloader so that I don't have to think about this anymore. What could possibly go wrong? Our show this week brought to you by ThreatLocker.

[01:14:18] We are getting ready for a trip to Orlando. It is ThreatLocker's Zero Trust World. Let me tell you about Zero Trust and ThreatLocker first, and I'll tell you about Zero Trust World and how you can save if you plan to visit us in Orlando. ThreatLocker is Zero Trust, which takes basically, you could say it in three words, a proactive deny-by-default approach. That's the key. Deny-by-default.

[01:14:47] Every unauthorized action is blocked. Unless you explicitly say, yes, this person can do this with this tool, this tool can do this. It can't. Now, that protects you. It's kind of amazing from so much, from both known and unknown threats. You don't need to know what the threat is. You just say, hey, I don't know what this threat is. It can't do that. Modern attacks hide inside endpoints. You know this.

[01:15:15] Attacker-controlled virtual machines, sandboxed environments, or VM-based malware. And why do they do that? Because it basically evades traditional antivirus software. It's inside the sandbox, right? Well, it doesn't work. ThreatLocker's Zero Trust prevents VM-based attacks before they can launch. Yes, it even works with VM-based attacks. Critical vulnerabilities in your everyday tools that your employees use. Even seemingly harmless apps.

[01:15:45] Those can be a gateway for attackers. ThreatLocker stops those, too. ThreatLocker recently detailed how 7-Zip used 7-Zip. We talked about this on the show, I think. 7-Zip's symbolic link extraction bug enabled arbitrary code execution when administrators or service accounts tried to extract a maliciously crafted zip. 7-Zip. That's all they're using 7-Zip. They said, there's a zip file. Let's extract it.

[01:16:12] Well, you should take note that ThreatLocker's application control denies unapproved binaries. And ThreatLocker's ring fencing limits what even allowed apps can access. So even if 7-Zip is allowed, you could say, but they can't work on that. But with ThreatLocker, even approved tools can't become attack vectors. This is such a powerful concept and it's so effective. ThreatLocker works across all industries.

[01:16:41] They've got amazing US-based support. It's there for you 24-7, so you're never on your own. Works with Windows, but it also works with Macs. It enables comprehensive visibility and control. In fact, that's one of the real benefits of ThreatLocker's ring fencing. You get compliance built in because you have a record of every action. ThreatLocker is trusted by those companies that cannot afford to be down for one minute. They say, we just can't afford to be hit by ransomware.

[01:17:09] Companies like JetBlue, Heathrow Airport, the Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker. ThreatLocker consistently receives high honors and industry recognition, a G2 High Performer and Best Support for Enterprise, Summer 2025. PeerSpot ranked ThreatLocker number one in application control. GetApp's Best Functionality and Features award in 2025. I can go on and on.

[01:17:35] Get unprecedented protection quickly, easily, and cost-effectively with ThreatLocker. Visit ThreatLocker.com/twit to get a free 30-day trial. You'll also learn more about how ThreatLocker can mitigate unknown threats and ensure compliance. That's ThreatLocker.com/twit. But for a limited time, we've got a code for you to Zero Trust World in Orlando. Use the code ZTWTwit26. ZTW for Zero Trust World. TWiT for This Week in Tech.

[01:18:04] 26 for the year. ZTWTwit26, all one word, to save 200 bucks off registration for Zero Trust World 2026. And this is the full package. You get access to all sessions. You get hands-on hacking labs. You get meals. There's that fabulous after party. The most interactive hands-on cybersecurity learning event of the year. It's coming up March 4th through 6th in Orlando, Florida. And don't forget, if you registered, save 200 bucks.

[01:18:35] ZTWTwit26. We're really looking forward to this. It's going to be a very fun event. And I can't wait to see you out there. We already have heard from a number of people who are coming out just to see you, Steve. So get ready. It's going to be fun. It's going to be great. I will not be in costume, but I will be there. You know, when I tell you what the theme is, which is secret still, you might want to be in costume. You might say, oh, I can do that. It's not the Grinch. It's not the Grinch. Don't get in sight. Okay. Okay.

[01:19:06] Last Thursday, January 15th, Let's Encrypt announced under their headline, six-day and IP address certificates are generally available. They wrote, short-lived and IP address certificates are now generally available from Let's Encrypt. These certificates are valid, get this, Leo, for 160 hours. Oh, wow. Just over six days. That's forever. Yeah.

[01:19:34] Now, in order to get a short-lived certificate, subscribers simply need to select the short-lived certificate profile in their ACME client. Short-lived certificates improve security by requiring more frequent validation and reducing reliance on unreliable revocation mechanisms.

[01:20:01] If a certificate's private key is exposed or compromised, revocation has historically been a way to mitigate damage prior to the certificate's expiration. Unfortunately, revocation is an unreliable system, so many relying parties continue to be vulnerable until the certificate expires, a period as long as 90 days. Well, yeah, 90 for them. With short-lived certificates, that vulnerability window is greatly reduced.

[01:20:27] Short-lived certificates are opt-in, and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish. But we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime.

[01:20:50] We hope that over time, everyone moves to automated solutions and we can demonstrate that short-lived certificates work well. Our default certificate lifetimes will be going from 90 days down to 45 days over the next few years, as previously announced.

[01:21:11] IP address certificates allow server operators to authenticate TLS connections to IP addresses rather than domain names. Let's Encrypt supports both IPv4 and IPv6. IP address certificates must be short-lived certificates, a decision we made because IP addresses are more transient than domain names.

[01:21:38] So validating more frequently is important. You can learn more about our IP address certificates and the use cases for them from our post announcing our first IP certificate. We'd like to thank the Open Technology Fund and Sovereign Tech Agency, along with our sponsors and donors, for supporting the development of this work.

[01:21:58] And as I said before, the shortening of the maximum lifetime of web server DV domain validation certificates will eventually drive GRC, my company, to use Let's Encrypt's free certificates.

[01:22:17] Once I switch to their solutions, I will definitely establish a periodic voluntary payment to them, much as I have with Wikipedia, as I mentioned at the top of the show, since I feel that it's important to support the infrastructure that makes that possible, even if the entire necessity of any of this is something I could not disagree with more. So be it.

[01:23:12] That in any way allows them to impersonate the target site. They must still somehow arrange to cause their victims' internet traffic to believe that it's going to the real domain's IP address, while it is instead being rerouted to a spoofed server where the stolen certificate resides.

[01:23:35] So you need either a DNS compromise also, or some physical interception and rerouting of the actual packet traffic must be achieved, none of which is easy to do either. So if this was ever happening, it would be big news. We would know about it. Instead, crickets.

[01:24:05] And I get it that the Let's Encrypt guys need to say that revocation is broken. I understand that, but that is no longer true. I have a picture of going to revoked.grc.com on the screen. Anyone's invited to go to revoked.grc.com.

[01:24:27] It says error code SEC_ERROR_REVOKED_CERTIFICATE. No browsers are fooled any longer. And any of our long-term listeners know that I was on to all of this, pointing this out and drawing attention to this as loudly as I could before anybody else was doing so.

[01:24:54] I looked a little foolish at the time, like I was tilting at windmills saying that this was a problem. You know, what's the big deal? I created that revoked.grc.com site to clearly demonstrate that none of this was working at the time. It is now everywhere.

[01:25:12] And it's even been, you know, solved quickly on the client side with no privacy compromise, thanks to Bloom filters, which we talked about in detail for this specific application.

[01:25:26] And just so that I'm clear, I think it is truly great that Let's Encrypt is now offering six-day TLS, DV, and IP-validated certificates for those who feel they need them. I don't know why anyone would, but okay, great.

[01:25:46] It's the being forced to use shorter life certificates, whether for the web or for code signing, that feels so wrong and regressive to me. I don't need a nanny. Few of us do. And as I've said, if anyone did, like, if this was actually a problem, it would be making news.

[01:26:09] The only news it's making is that it's, you know, discomforting everybody who's having to use these increasingly short-lived certificates for no apparent reason. Okay. Several news outlets are reporting, have reported on something that caught my attention, mostly because it's so sad and, in my opinion, wrong-minded.

[01:26:38] The news is that the country of Iran plans to extend its current disconnection from the internet, which began in the evening of January 8th, their time, permanently. Which is hard to even believe.

[01:26:59] But yes, technical reports have indicated that efforts are being made to restrict the use of messaging apps for internal use only. All satellite dish antennas of all ilk are being gathered up and technology is being finalized to identify network traffic that transits across Starlink and other space-based providers. Iran's ruling theocracy, you know, it is what it is.

[01:27:28] It's been clear that the influence of the West, largely through, you know, although I guess I would say largely, though not exclusively, brought to Iran by the internet. It's been a challenge to the nature of its historical theocratic rule. But Iran's population today is not old.

[01:27:49] Its median age is somewhere between 33 and 34, meaning that half of Iran's population is younger than 33 to 34, somewhere in that range. And currently about a quarter of the population are children under the age of 15. So cutting that population off from all external internet access certainly seems, you know, destined to fail in the long run.

[01:28:20] I, okay, I just wanted to report on that. I imagine we'll be looking at that in the future if, in fact, that continues. I have, as I mentioned at the top of the show, I've received from one of our listeners and a SpinRite user a pair of charts that I had never seen before. And I got a big kick out of them. I wanted to share them. The listener's name is Donn, with two N's, Donn Edwards.

[01:28:48] He wrote, Dear Steve, you've often mentioned how SpinRite improves SSD performance, and we've seen the results of its benchmark tests. But here's a different view. My friend panicked when his computer would not boot. It has a Crucial 480 gigabyte SSD boot disk and a Seagate 1 terabyte hard drive data disk.

[01:29:14] Not knowing whether the problem was hardware related or not, I rescued the drives. He meant, you know, removed the drives and connected the SSD to my own desktop PC to see if the data was intact. All appeared fine. So I ran HD Tune to look at the SMART data and run its benchmark.

[01:29:40] And he included the chart for the before SpinRite alongside the chart for the after. He said the drop in performance shown in the HD Tune Pro chart on the left, particularly at the start of the drive, actually it's about the first two thirds, he said was troubling. So I ran SpinRite 6.1 on Level 3, and it took around three hours.

[01:30:07] I could see it having trouble writing to the drive, but in the end, no data was lost. Afterward, and he says, see the post-SpinRite chart on the right, it's clearly fixed. I backed up all the data files from his hard drive and put both drives back in the PC. When we plugged in all the cables and screens, his PC worked.

[01:30:32] So whether it was the SSD or a bad cable connection or something else, I don't know. But what I do know for sure is that his SSD is working much better than before. The graphs show it. And he is very relieved. Keep up the good work. Donn Edwards, Johannesburg, South Africa. And Leo, you can see there on the left, many people are familiar with HD Tune.

[01:30:59] This is showing the drive's speed across its mass storage surface, essentially. So from zero gigabytes to 480 gigabytes. And the top of the chart is 450 megabytes per second. You would expect a solid state drive being solid state, right, would just be a straight line.

[01:31:27] People who have run HD Tune on spinning drives see a characteristic downward stepping in performance, typically going to about half speed by the time they get to the inner cylinders of the drive, because those cylinders, having a shorter circumference, have many fewer sectors, so the data transfer rate is much lower. Here, instead, on this well-used SSD,

[01:31:57] we see deep downward spikes coming almost down to 50 megabytes per second from the normal of around, well, looks like about 425. And it's really bad for past the halfway point. And then it goes up high. And in fact, what's interesting then is if you look at the chart on the right,

[01:32:23] you'll see, first of all, it's all gone from, it's got completely fixed from running a SpinRite Level 3 on the drive. You do see a little bit of reduction in an area that used to be, that used to look full speed. The reason is, and this surprised us when we began working with SpinRite,

[01:32:51] those areas on the chart on the left were not actually being read. That's not actually 425 gigabytes per second. Those areas had been trimmed. So the drive knew they had never been written to. And so it was just giving back zeros. It was sending zeros back. After running SpinRite across the drive, those areas were written to by SpinRite.

[01:33:21] As soon as the operating system retrims the drive, which happens, you're able to do it on demand by command if you wish. Just running the little Optimize command in Windows does a retrim on the drive. Then it'll run right back up to flatline at maximum speed. But what really matters here is that a drive that was running like, what, one eighth as fast as it should.

[01:33:50] And it wasn't booting because there were some errors which didn't show up in Donn's just quick mounting of the drive where it looked like he saw all the files. SpinRite fixed those problems and also restored the drive to its original performance. Anyway, just a very cool set of charts using a third-party utility that many of our listeners are used to. Okay. Jeff Ekstrand wrote,

[01:34:18] You can find, oh, this is so cool. You can find the advertising ID on Roku via some secret menus. On the remote, you can do some convoluted button pushes to access these menus. One of them contains the advertising ID. I do not remember which one. Then he provided a cheat sheet. So, and it happens that, I played with it.

[01:34:46] It's secret screen number two where the advertising ID is found. This all relates to us talking about the California legislation where you're able to give CalPrivacy this information, and then they provide it to the data brokers using that information to help find you in order to force them to scrub your data and to no longer offer it for sale.

[01:35:16] So, if you have a Roku, you press the home button five times, then up, right, down, left, up. So, you sort of go around the arrow pad clockwise, home button five times, then up, right, down, left, up. And sure enough, that suddenly switches the screen, and there was my advertising ID, which was a GUID-formatted identifier.

[01:35:46] You know, four sets of hyphens with hex code, hexadecimal code of various sizes. So, there's a developer setting screen, a wireless secrets screen, a secret screen, secret screen number two. That's where the advertising ID was. An HDMI secret screen, a platform secret screen, channel info menu, and a reboot shortcut. Although I'm not sure how much of a shortcut that is.

[01:36:16] You have to hit the home button five times, then up, then the rewind button twice, and the fast forward button twice. It's pretty much easier just to use the normal menus. Anyway, I've got a link to the YouTube video that this guy found for us. And, you know, there's a bunch of other information, as is generally the case. I'm sure you've seen this too, Leo.

[01:36:40] These sorts of hidden Easter eggs are initially, they initially look like, oh, you found some massive treasure trove. But it's kind of internal counters and stuff that doesn't, don't really have much value. This is cool that you can get there. Like, what's your MAC address? It's like, okay. I mean, yeah, the MAC address is there for Bluetooth and Wi-Fi and so forth. So, if you want that, you can find it. Anyway, thank you very much, Jeff. I appreciate that.

[01:37:09] And it's an 11-minute YouTube. It was posted two months ago on November 19th. It has had 1.2 million views. So, this seems to be of interest to some people. Anyway, I got a kick out of it. Thank you, Jeff. Michael Wright said, hello, Steve.

[01:37:30] I'm a first-time emailer to you who's been listening to your show for a couple of years now and find it a great resource to keep up with developments in the world of cybersecurity. Thanks so much for the podcasts. I'm a week behind with the podcast and today finished last week's podcast. You made a good point about how there should be no legitimate reason for anyone to have their MongoDB server accessible over the Internet.

[01:37:58] That got me wondering if people are deploying MongoDB servers without even realizing they are publicly accessible. I'm referring to cloud deployments where, for many flavors of deployment, a public IP address is automatically created. With traditional on-prem, making a server accessible over the Internet required work to be done.

[01:38:27] Right, you got to poke a hole through, typically through a NAT or a firewall or something. I mean, you had to work in order to create a public presence. I think he's right there. He said, for example, oh, yeah, he's making my point, creating a NAT rule on a firewall to translate a public IP address to a private IP address. However, with public cloud, this is often done automatically.

[01:38:51] If people are deploying systems to the cloud without having an understanding of cloud deployment and how this differs from on-prem, I could certainly see how it could be possible to deploy a system without realizing you just made it accessible to anyone, anywhere on the Internet.

[01:39:13] It would be interesting to know how many of the 86,000 exposed servers are using IP addresses reserved for public cloud. Keep up the great work. P.S. On the topic of British time travel series, he said, I found Bodies to be a pretty good effort. Certainly a different take on the subject. Not sure if you've seen that one. Regards, Michael.

[01:39:38] So, I suspect Michael is right and that many of those MongoDB server instances are spun up in the cloud. And although this may be an explanation, it certainly isn't an excuse. What's happening is very wrong. So, the question is how? How did this happen?

[01:40:03] It's likely a case of the user assuming that those in charge are doing the right thing. Whereas, those in charge wrongly assume that their users are aware of the implications of spinning up random server instances in the cloud. And they assume that those users will prevent public exposure if they don't want it.

[01:40:31] In other words, one hand doesn't know what the other one is doing. And then they each assume that the other one is taking responsibility for the expected and needed network security. The problem is that those who designed these system services heavily promote their super ease of use. You know, one-click server activation.

[01:40:58] So, they're offering their inherently insecure solutions to a level of user who has very little comprehension, if any, of the full implications of clicking on that, yes, please create a MongoDB server instance for me button.

[01:41:20] I wanted to focus on this specific instance because I suspect that this lack of communication with its assumption that the other party is taking care of securing things has long been a major source of network insecurity for the entire industry.

[01:41:39] Several months ago, I noted that the early Cisco routers, which had no built-in notion of public-facing WAN interfaces versus private-facing network LAN interfaces, they treated all of their network interfaces identically. There was no concept of LAN and WAN.

[01:42:03] Those early routers also had their various network services enabled out of the box. Back then, for example, you had to manually add a no HTTP command to the router's startup configuration script if you did not want the router's built-in HTTP server to be running by default.

[01:42:29] I very clearly recall needing to deliberately turn off a handful of services that I knew I had no need for, and I certainly didn't want to have running every time that the router booted, and I had to do that every time I set up a Cisco router.

[01:42:47] The engineers who designed these early routers must have assumed that their devices would only and always be used by other expert network engineers. And since Cisco was always selling the security of their products as one of its benefits, non-expert purchasers reasonably assumed that Cisco would have their back, and that the router's operation would be secure out of the box when it was anything but.

[01:43:18] Instead, as we know, it was bristling with enabled and insecure gee whiz features that were entirely peripheral to the router's core operation. So the lesson here is that each side's assumptions about the other were wildly incorrect and serious vulnerabilities resulted.

[01:43:40] This is why a couple months ago when I read that piece from the guy at Cisco who made it clear that if this actually came to pass, they really did finally understand what was going on. So, you know, thank goodness. Still, we just need more communication. And as we've said, these devices absolutely have to be secure out of the box,

[01:44:07] and you have to take serious deliberate action to damage their security, to do things which are insecure. And maybe you have to be asked, are you sure? And maybe you need to be asked, are you really sure? Okay. So I got an email from someone named Bob, whose note was titled "Cyber attack: was my experience unique?"

[01:44:37] He wrote, hello, GRC team. I've been a big fan and SpinRite customer since learning about your SpinRite product on The Tech Guy. Remember that, Leo? Oh, I heard of that show. Yeah. He said, recently, I experienced a type of cyber attack I had not heard of. I can go into more detail, but basically a program, ScreenConnect,

[01:45:03] was remotely installed on my PC and launched with no interaction by the client, me. He said, I became aware of the attack when I was at my mom's house and my phone started notifying me of money transfers that I did not initiate. I freaked out, as you might imagine. I rushed home. And when I got there, I found that my machine had been hijacked.

[01:45:32] My screens were blacked out with ScreenConnect in large white letters. I was unable to do anything other than shutting down the machine. Yikes. Needless to say, I've been dealing with the aftermath. Unfortunately, I'm not out too much money. But I found out who my friends and foes are in terms of how they did or did not help me cancel the transactions. In short, PayPal's response was abominable.

[01:46:01] I assume the criminal used a sniffer to find my IP address. And since my machine was idle, they were able to install and launch ScreenConnect without detection. He said, (No client interaction to install and launch the software is considered a feature of the product.) He said, in my opinion, the software is like a gun.

[01:46:28] Misuse can lead to devastating results. They offer a free 15-day trial, but I didn't check to see if it is full featured. What do you think about this? Short of keeping my machine powered off, what could I have done to block this type of attack? Any insight would be appreciated. Regards, Bob. Okay, so this is the nightmare scenario for any individual.

[01:46:55] I have omitted Bob's last name to protect his identity. No one wants to be required to authenticate with every service we use, every time we use them, right? So being persistently logged into many services is the choice most of us make.

[01:47:19] But with that convenience, that persistent logged on convenience comes the consequence that anyone and anything that's able to use our persistently logged in computer can act on our behalf. The abuse of persistent logon is what bit Bob.

[01:47:45] Bob doesn't know, so we don't know exactly how someone managed to crawl into his PC. Through the years of this podcast, we've seen many different ways this could have happened. But by far the most likely is that Bob or someone using Bob's computer clicked on a malicious link. Last week, as we mentioned, Leo, you shared your own incident, which forced you to cancel and have two credit cards reissued.

[01:48:14] And I mentioned that I'd received a text message that I briefly considered to be valid because by pure chance, it fit into the context of my life and it made sense to me.

[01:48:27] So it's certainly not the least bit far-fetched to imagine that Bob or someone who uses Bob's PC might have made the mistake of clicking on a malicious link in email or maybe on a web page. Who knows? That's all that's needed.

[01:48:47] That could have established an outgoing connection to an attacker who was then able to install the client-free ScreenConnect remote control software. The attacker could then have waited until that PC had been left running and unattended, showed, you know, and it could determine that through no use of its keyboard or mouse for some period of time.

[01:49:13] Then they took the opportunity to begin sending the owner's money to remote accounts. For example, PayPal allows zero authentication transfers of cash from the bank accounts and credit cards associated with the person's PayPal account if they remain logged into PayPal statically. It just brings up a dialogue on screen.

[01:49:39] You click, you know, complete the transfer and the money is gone. So when Leo and I speak to the attendees of the ThreatLocker Zero Trust World conference in Florida this coming Wednesday, March 4th, our discussion will be titled The Call is Coming from Inside the House. We're going to be talking about the growing need for enterprises to actively protect themselves from anything their own employees might do.

[01:50:08] Whether it's deliberate or inadvertent doesn't matter since the result for the enterprise is the same either way. Doing this effectively means imposing significant limitations upon everyone who has access to the enterprise's internal network. I'll be arguing that while it will not be at all easy, there is no longer any other way to further increase security from where we are today.

[01:50:37] Given everything we've seen in the past year, it's clear that the spoofing of employees, of enterprise employees, is the next big growth threat vector. But for the individual PC user at home, no one wants to impose severe restrictions upon themselves when they're working within their own safe enclave in their residence. I certainly wouldn't.

[01:51:06] In this case, this happened to Bob because his PC was able to act without his physical presence to send his money out. The practical solution to this would be the inclusion of a simple biometric authentication for anything that requires Bob's presence.

[01:51:28] Having a fingerprint reader integrated into our keyboards or mice to confirm the identity of anyone who is requesting a protected action would prevent these sorts of unattended or other attended attacks. And for example, a sponsor of this podcast, Bitwarden's password manager, fully supports unlocking with biometric authentication on Windows, macOS, and Linux.

[01:51:58] And also using all Chromium-based browsers, Firefox, and Safari. So setting this up would certainly be possible. Of course, it means incurring this overhead all the time because there's no way to know if and when someone might get a hold of your computer behind your back.

[01:52:20] Um, and even so, this still leaves user spoofing as a problem since something happened to compromise Bob's PC to start with.

[01:52:32] The most reasonable explanation of how ScreenConnect remote control software found its way onto Bob's machine is that something he did deliberately, maybe downloaded and installed some piece of software that incorporated this malicious functionality as a backdoor without ever realizing it.

[01:52:55] So even biometric authentication would not have prevented that initial event because it was done by him. But requiring authentication for every single high risk transaction might. We're not there yet, but I wouldn't be surprised if in the future, you know, that's the shape of things.

[01:53:17] There are available keyboards and mice both that have fingerprint readers built in and Windows Hello can be engaged to require them for specific actions. So it kind of feels like where we're going to go.

[01:53:33] It's unfortunate, but if someone wants to really protect their machine against their own or somebody else's who shares their machines, um, misuse, something like that's going to be necessary. And Leo, we're an hour and a half in. Let's take a break and we're going to continue with feedback. Indeed, indeed. Yeah, I think Bob doesn't really know how he got hacked. It's very well, yeah.

[01:54:02] And behind a NAT, I'm sure he's behind a NAT router. Everybody is. And so you just can't, you know, just getting his IP doesn't allow somebody in. Yeah, I just wanted to say that so that people don't go, well, wait a minute, my computer's always on. We used to have people say, no, you have to turn your computer off when you're not at it, which as a security precaution, no, I don't. I mean, I guess it would work. I turn none of mine off.

[01:54:29] When I, when I, when I talked about the, the, the solution I've come up with after Lori and I move in a couple of months that I've got the dumbest laptop with the biggest screen I could find because I'm going to connect to my computer. It's a terminal. You know, it's a terminal. And that, and my machine is never turned off. It's like, you know, it's just 24/7. Yeah. I know people who not only turn off their machines, but disconnect the ethernet cable. Just in case.

[01:54:57] And it's like GRC servers. I've got, I've got servers. They're publicly exposed. They're servers. They have to be publicly exposed. You just, you don't turn them off. Right. But you know, I used to get calls all the time on The Tech Guy show. I'm not surprised Bob listens to The Tech Guy show. Cause that was, I'd always get people say, they hacked me just by, you know, I didn't do anything. The problem is when you click on that link, you don't know that that malicious link did anything. Life goes on. It's right. And then it's later they exploit you.

[01:55:27] And if you download some software that is going to be like to sort your spreadsheets or something, you know, say, Oh, look, it sorted my spreadsheets. Yes. And it also ran ScreenConnect persistently in the background waiting for you to go visit your mom. Yeah. Yeah. Let me talk about our sponsor and we will get back to work with Mr. Steve Gibson. You're watching Security Now. Our show today brought to you by a brand new sponsor, Meter.

[01:55:56] I think maybe I talked about them last week. This is the company building better networks. Remember Meter. If you're a network engineer, oh, you know the headaches. Meter was founded by two network engineers who knew the headaches: legacy providers with inflexible pricing, IT resource constraints stretching you thin. That's never changed, has it? Complex deployments across fragmented tools. You are mission... You, yes, you, you're mission critical to the business.

[01:56:26] But you're being forced to work with infrastructure that wasn't built for today's demands. That's why so many businesses are switching to Meter, much to the relief of their network engineers. Meter delivers full stack networking infrastructure. These guys said, you know what? The only way we can do this right is if we cover it all from the ground up. And when I say all, I mean wired, I mean wireless, I even mean cellular.

[01:56:54] And it's all built for performance and scalability. I had not heard of these guys. When I talked to them, I was so blown away. Meter designs the hardware. That's how much they care. They know if you're going to control the stack, you actually have to design the hardware. You've got to write your own firmware. You've got to build the software. You've got to manage the deployments. You got to do the support. And they offer everything, including ISP procurement.

[01:57:20] When they do that survey, and you can have them at any level you want, but when they do the survey, if you say, no, no, fix it all, they will do it from the ground up. ISP procurement, security, routing, switching, wireless, firewall, cellular, even electrical power, even DNS security. They'll set up VPNs and SD-WANs for you. They can help you with multi-site workflows, and all in a single solution.

[01:57:49] In fact, this is one of their biggest sweet spots. One of the biggest customer bases comes from people who've acquired, you know, their business is humming. It's going fine. They acquire a warehouse and it's completely different, right? The wiring's different. It's old. It doesn't work, whatever. They've got to integrate it into their existing system. Oh, Meter can do this. Meter's single integrated networking stack scales. They use it in major hospitals.

[01:58:18] And if you know, hospitals are really a challenging environment. Just the last time you were in the hospital, did your cell phone work? No, because they have all this stuff, this electrical stuff, the MRI machines, the CAT scans. It's hard. This is a tough environment. Meter works there. They love that kind of challenge. Branch offices, warehouses, large campuses, data centers, even. Even Reddit uses Meter.

[01:58:46] That's actually a pretty good testimonial. If it works for Reddit, it's going to work for you. The assistant director of technology for the Webb School of Knoxville is a fan. He said, quote, we had more than 20 games on campus between our two facilities. Each game was being streamed via wired and wireless connections. The event went off without a hitch. We could never have done this before Meter redesigned our network. With Meter, you get a single partner for all your connectivity needs.

[01:59:14] From that first site survey to ongoing support without the complexity of managing multiple providers or tools. There's a real benefit to having an integrated stack like this. Meter's stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. And these days, that's basically, it's table stakes. It's fundamental. You've got to get and stay online, don't you?

[01:59:44] Meter, built for the bandwidth demands of today and tomorrow. We are so thrilled to have Meter as a sponsor. We thank Meter so much for sponsoring. Go to meter.com/securitynow. Book a demo. That's all I ask. M-E-T-E-R dot com slash security now to book a demo. I was so impressed with what these guys do. Like I said, I'd never heard of them. When I found out, when I dug deep, it blew me away. You should do this. Go to meter.com/securitynow.

[02:00:14] You owe it to yourself to see what Meter can do for you. M-E-T-E-R dot com slash security now. Thank you, Meter. Welcome to the Security Now family. Okay, Rob. If they hang around for a while, I might have them come here and fix me up. Go ahead. Rob Sherman. His subject was "Feedback on Claude AI." He said, hi, Steve. I just finished listening to last week's SN episode.

[02:00:43] And as someone who's been using it constantly since the update came out, I wanted to give you some feedback. In short, it is absolutely insane. How good it is. I'm a product manager and not a programmer. So when my CTO told me that I needed to try it, I wasn't sure why. I am now.

[02:01:09] He said, I had an internal project that I had been waiting to get programmer resources for over six months. Once I got Visual Studio set up with Copilot, I gave it my product brief. And after answering a few simple questions that Claude had, it began coding. An hour later, I had a fully functioning alpha.

[02:01:32] It did all the coding, designed and built a UI, and implemented a scanner to get all the data out. Since then, when I have a few hours, I'll just go in and tweak it. That dark mode I've been asking for last year is in there. The toggle for it is labeled, I finally got my dark mode. That's the beauty of having hyper-personalized software. That can be the name of the switch. I love it.

[02:02:02] The build reporting and error checking I was told we wouldn't be able to do, it's done. Oh, wow. I have also completed three other projects that we weren't supposed to get to until Q3. It's amazing. I am so sold on it that I got myself a personal license and this weekend did a write-up on the eDrum application I've been waiting for someone to build.

[02:02:29] I gave it to Claude, and now I have my very own alpha version. This is so addictive. I completely know how this guy feels. He said, this is not to say that it has been 100% smooth sailing. There's a learning curve to Claude especially, and I have blown through my 200% of my monthly request at work in 14 days.

[02:02:55] He said a few tips for anyone looking to get started with this. First, your individual chats, he has in quotes, with Claude, have a size limit. Once you hit that limit, you have to start a new chat. If you're just asking it a simple question, you'll be fine. But any larger projects, you will run out of room. I recommend starting any project by having Claude write up a programming plan and tracking document.

[02:03:25] Then have it keep those files updated. That way, if you have to start a new chat, you can tell it to go read those docs to get up to speed. That's sort of like chaining these chats together, he said. Second, Claude in Visual Studio Copilot won't let you upload PDF or other docs, but you can add MD files.

[02:03:52] I've taken to having ChatGPT summarize any files and turn them into MD format, which I can then put into my project repo. Once in there, Claude is all set. Third, Claude will lie to you. It is always a good idea to have it double-check its own work. I had it write a bunch of new code. When it was done, I told it,

[02:04:20] Hey, would you take a look at this new code and check it for errors? It found four items that needed fixing. Thanks for everything you do, Rob. And he said, P.S., started taking magnesium last week. So, Leo, on the subject of Claude? It is very addictive. He is just starting to get into it. So there's a few things I would say about his tips. One is, yeah, he's talking about token context.

[02:04:49] And when the context starts to fill up, it starts to hallucinate. That's when it starts to hallucinate. Oh, okay. Interesting. There are a lot of tools out there for compacting tokens, for handling this. What you probably should do is start going to YouTube and looking at some best practices. Anthropic has a bunch of videos, but there are other people who have put together a bunch of videos on best practices with Claude. And then you want to start looking at Claude's skills and plugins, because there are a lot of plugins.

[02:05:19] For instance, the double-check its own work. There are some really good plugins that Claude will use to find flaws, to double-check itself. There's plugins for security assays. I have Claude do regular security assays, not just on the stuff it writes, but on everything in my system, because it's very good at finding flaws.

[02:05:43] As you start to use it, you will see more and more of stuff that you can do and get it really refined. It's revolutionary. I don't think I've ever seen anything. It reminds me of first discovering the internet. It's amazing. And the things you're explaining sound like the early days. Like, you know, in three years. Oh, it's the Wild West.

[02:06:13] This will all be automatic. It'll be built in. I mean, it feels like, you know, we're in the learning curve stage. The fact that these things have to kind of be learned and figured out and added and done afterwards and so forth. Well, it's funny. Even Anthropic, the creators of Claude, don't know all of the ins and outs. There was a guy. I told you about Ralph Wiggum. The Ralph Wiggum tool, right?

[02:06:40] That was created by just somebody else who said, you know, if you told Claude to keep going, to keep looping over and over again until it got to a state that you submitted, like no more errors, it will. And in fact, Anthropic said, oh, that was a really good idea. And they've now added Ralph Wiggum as part of their official plug-in. So there's more, what we're seeing, there's one called Superpower, Harper Reed, who, that's the other thing.

[02:07:08] If you can find a guru, somebody who's been using Claude and really knows how to use it, that helps too. Harper Reed is my personal guru on this. He was on Twitter on Sunday and he uses something called Superpower, which adds a bunch of very good plug-ins. I would check. He says, you use Superpower, of course, Leo. I said, what's that? And I went and found it. Most of the stuff's on GitHub. It's amazing. And it's easy to blow through your credits.

[02:07:37] That's why I ended up getting the Claude Max subscription, which, by the way, has been sufficient. So that's good. We want them to stay in business. And if people are getting, you know, I mean, it sounds like it would be easy to get $200 a month worth of value out of it. I feel really using it. That was the question. I thought, is this worth it? And then I thought, you know, if I were going to buy software to do these things, I'd spend a lot more than that.

[02:08:05] And it would never be, it wouldn't be customized. It wouldn't be exactly what you wanted. Yeah. Look what Rob's done. He's just getting started. Look at all the things he's done already. Yeah. Your trust in Claude will improve as you understand it better and understand where the pitfalls are and things like that. It actually can be pretty, I think, very, very reliable. And again, we have pitfalls because this is the, you know, baby steps. It's the Wild West. We're figuring it out. We're just learning to crawl. Yeah. Yeah.

[02:08:33] And that was my other thought is I don't want to add too many of these third-party features and other things because I feel like they're, Anthropic is basically building this in over time. So Claude's getting better and better and better. So you don't need to do as much extending it. I hope as time goes by, it'll probably be able to do everything you want it to do automatically. Yeah. Compact your context.

[02:08:56] And where do you, we were talking before we began recording because I was talking about a conversation that I listened to you having on MacBreak Weekly about how, you know, from my standpoint, having been programming for about 55 years now.

[02:09:14] What I recognize is that for me, the maturity that I have acquired over these decades is about how to solve the problems. Not the syntax of the language. I could use any language. Exactly. It's the structure, the like, it's a refinement of the understanding of how this kind of problem should be solved. I agree. How does that fit into Claude?

[02:09:45] I mean, it is using other output in order to produce. So is it getting that or I guess I wonder from that approach to maturity of coding or is it just kind of like solving the problem brute force? Like you, I want to believe that we are adding something of value. And our many years of experience matter.

[02:10:14] But I have to say there are people like Rob who've never programmed who are writing pure English prompts. And it's working. And we're getting the job done and it's working. I think, I mean, I like you, I am not as good as you or as experienced as you, but I think like a programmer, I think. So I tend to approach Claude in a more modular way. I don't write single prompts and say, just write it and get back to me when you're done.

[02:10:43] It's still an iterative process for me. And I feel like I get better results by iterating with Claude. So in that case, your history of really what humans are great is pattern recognition, right? In your history, what's that happens in chess too? I think that's intuition. It's intuition. We think of it as kind of flash of intuition, but really it's pattern recognition.

[02:11:05] And you get good at playing chess by playing hundreds of thousands of games and seeing hundreds of thousands of positions and internalizing that. And then it's not even a conscious process. You go, oh yeah, well, I know what you're, that's. And it's the same thing with coding. I think it's pattern recognition. In fact, they talk about design patterns in coding. And so I think it's a higher level. You're not writing login code, but you understand that, well, I'm going to need some login code here.

[02:11:34] I'm going to want to encrypt my secrets here so I don't accidentally commit them to GitHub. And so all of that experience is, I think, still valuable. Obviously Rob, who doesn't have that experience, still can get what he wants done. I love that he named it. "I finally got my dark mode" is hysterical. But that's the level you're working at now: you're writing your own stuff for yourself. I think it's just super empowering.

[02:12:04] Yeah. It does sound also like it's not instant because he like started it going and went off and had dinner and then, you know, came back and it had done it. This is one of the big breakthroughs that's just happened in the last few months is this ability for this to run continuously for many hours. That's brand new. And I'm a little uncomfortable with it, to be honest. That's why I like to do it more modular.

[02:12:31] 'Cause it could just completely hallucinate Skynet. It makes me nervous, but that's where you use things like Ralph Wiggum. You use some of these plugins to control it. So lots of people are running multiple Claudes at the same time, threads at the same time. This seems to be more and more of the best practice for these big things. And then have the. How much does he provide in financing to Anthropic? It could get expensive. Oh, it can get expensive.

[02:13:01] But what happens is you can actually have, I want you, this thread, you Claude number one, check on Claude number two, make sure he's not doing anything weird. So you can, they call it a mixture of experts now. And you can even do that or have other, you could have ChatGPT look at the Claude Code. I mean, it's inception. It's a very interesting world. And you're right. This is why it's fun to get into. 'Cause it's Wild West now.

[02:13:29] And there, even the expert, Andrej Karpathy, the man who created the term vibe coding, tweeted on Christmas day. He says, I can't keep up. It's too fast. I can't follow it anymore. There's too much going on. It is an explosion right now of interesting ideas. And I think we are very, very close to some big, uh, AI. It feels like it's going to change the world. I think it's happening.

[02:13:58] You know, here for the last 20 years, we've been lamenting, you know, security errors in code. In five years, they may be gone. I can't imagine that Claude Code would write a buffer overflow. It's just not gonna use strcpy. It's just not gonna, it knows better than that. Now there will be subtler things.

[02:14:23] One of the things people point out with, uh, AI is if it can't, if it's, this is a coding hallucination. I got a divide-by-zero error. Instead of making sure you don't divide by zero, you just hide the error. That's the equivalent of a Claude Code hallucination. Hide the error. The error doesn't go away. So you got to watch for things like that.

[02:14:53] That's the level it's hallucinating at. But I think you can say pretty surely that this will all be ironed out. Yep. I think there's no reason. It all feels like first steps sorts of things. Yeah. Just intuitively. Yeah. Yeah. Wow. And you can teach Claude Code not to make any of those fundamental security errors. Just don't, you know, that's bad. Don't do that. Bad. No more strcpy.

[02:15:23] Okay. Last sponsor. And then we're going to talk about, unfortunately, the return or the persistence or the previous existence, the previously unknown existence of GhostPosting. I got to find out what that is. That's a good name for it. That's, by the way, at least 50% of the battle if you're doing malware detection, is having a good name. Oh, gotta have that. Yeah. Yeah. I mean, the reason we all know Heartbleed is it was such a great name. It had a great logo. Dripping blood.

[02:15:53] Exactly. All right. We're going to get back to Security Now and GhostPosting. Ooh. Ooh. As Paris Martineau would say. But first, a word from our sponsor, Delete Me. You know, technology is so fun, so exciting, so interesting and challenging, but it also has

[02:16:17] brought us some pretty nasty things like data brokers, data brokers. These are the companies and there are more than 500 of them now that collect your personal information online and sell it off to the highest bidder. You, if you've ever searched for your name, you do not want to know how much of your personal data is on the internet. This is just, it's just, it's more than you think, not just your name and contact info.

[02:16:45] Literally, your social, Steve and I found our social security numbers in a data breach. Your home address, information about your family members. All of this is being, and it's completely legal, unfortunately. We don't have a comprehensive privacy law in this country. All of this is being compiled by data brokers and then sold online to anybody who wants it. Marketers? Yeah. But that's the least of your worries. Law enforcement? Foreign governments?

[02:17:14] Anyone can buy your private details. And of course, hackers, which can lead to identity theft, phishing attempts, doxing, harassment. You need to do something about it. Now, you probably know you can go one by one to every data broker. There's 500 of them, remember, and delete your data. And then start over because it's like painting the Golden Gate Bridge. You'll never be done. And there's new data brokers all the time. Or you can join Delete Me.

[02:17:44] Delete Me does it, and they do it right. Anybody who listens to this show is very much aware of how this is going on, how our privacy is being compromised. But I have a solution for you. It's why we use, in fact, as a company, I think it's really important for your company to use this middle managers, management targeted by these bad guys. They use the information they gain to craft very effective phishing, text messages, and emails that happen to us.

[02:18:16] And there's very little defense because it seems so real, it seems so authentic. That's why we went to Delete Me to solve the problem. Delete Me removes your personal info from hundreds of data brokers. What you do, you sign up. You're going to give Delete Me the information you want deleted. They need to know what it is that you don't want online. That way you control it, right? And their experts take it from there. They know everywhere to go. They have all the tools to remove that stuff, to demand the takedowns.

[02:18:44] They will send you regular personalized privacy reports showing what they found, where they found it, what was removed. And the most important thing, it's not just a one-time service. They're always doing it. They're always working for you, constantly monitoring and removing the personal information you don't want on the internet. Because as I said, it's a full-time job. You can take it down, but it's going to come back. You need Delete Me to do this.

[02:19:09] To put it simply, Delete Me does the hard work of wiping you and your family and your company's personal information from data broker websites. Take control of your data. Keep your private life private. Sign up for Delete Me. We've got a special discount for our listeners, 20% off individual plans when you go to joindeleteme.com/twit and use the promo code twit at checkout. Now, that's the only way to get 20% off is to visit joindeleteme.com/twit and enter

[02:19:38] the code twit at checkout. And again, and it's really important, get the right address because there's other Delete... joindeleteme.com/twit. That's all one word. joindeleteme.com/twit and it'll help a lot. If you use the offer code twit, you'll get 20% off and we'll get the credit. joindeleteme.com/twit. Thank you, Delete Me, for the great work you do for our audience. Let's get to ghost peppers. Ghost peppers. No, not ghost peppers.

[02:20:08] GhostPosting. GhostPosting. Okay. So our final podcast of 2025 was titled GhostPoster. For the short summary at the top of the show notes, I summed it up by writing how a PNG icon was used to infect 50,000 Firefox users. Oh, man.

[02:20:31] The discoverer of 17 different malicious Firefox add-ons was Koi Security, KOI. They discovered that PNG icon files were being used to contain and infiltrate obscured JavaScript into user PCs through Firefox extensions.

[02:20:55] Some of the extensions were free VPNs and others were junk extensions that, you know, someone who just wanted to collect free browser add-ons might add to their browsers. Nevertheless, more than 50,000 Firefox users had this malicious code running inside their browsers. So one of our takeaways was to avoid collecting crap from obscure sources that you don't really need.

[02:21:22] And by the way, the phrase free VPN is an oxymoron. Yes, do not. No. There's something wrong. There's something wrong with a free VPN, folks, because, you know, it goes along with free lunch. Okay. So that was episode 1057. Why are we back here four weeks later for episode 1061?

[02:21:48] One, it's because following Koi Security's discovery, a different firm, LayerX, has reported their discovery of an additional 17 of the same. But this time they're not just attacking Firefox. Users of Edge and Chrome turn out to have been even earlier targets.

[02:22:10] And get this, with more than 840,000 downloads and installations. So 840,000 downloads and installations. Unfortunately, these attacks are incredibly effective, lucrative. And we know what that means, right? They're going to continue. LayerX's disclosure headline was "Browser Extensions Gone Rogue."

[02:22:39] "The Full Scope of the GhostPoster Campaign." So here's what we now learn from LayerX's follow-on research. They wrote, last month, researchers from Koi Security published a detailed analysis of a malicious Firefox extension. Actually, an extension family. They dubbed it GhostPoster.

[02:23:01] A browser-based malware leveraging an uncommon and stealthy payload delivery method, steganography, within a PNG icon file. This innovative approach allowed the malware to evade traditional extension security reviews and static analysis tools. Right? Because nobody expected an icon to contain any malicious code.

[02:23:31] But nor did they expect it to be intelligible. It's a compressed image. So it's just going to be noise. Not so much. They said, following their publication, meaning Koi's publication, our investigation identified 17 additional extensions associated with the same infrastructure and tactics, techniques, and procedures, so-called TTPs, tactics, techniques, and procedures.

[02:24:01] Collectively, these extensions were downloaded over 840,000 times, with some remaining active in the wild for up to five years. The GhostPoster malware employs a multi-stage infection chain designed for stealth and persistence. Payload encoding. The initial loader is embedded within the binary data of an extension's PNG file.

[02:24:30] Runtime extraction. Upon installation, the extension parses the icon to extract the hidden data, a behavior that deviates from typical extension logic. Delayed activation. The malware delays execution by 48 hours or more and only initiates command and control server communication under specific conditions. And finally, payload retrieval.

[02:24:58] The extracted loader contacts a remote command and control server to download additional JavaScript-based payloads. After activation, the malware is capable of stripping and injecting HTTP headers to weaken web security policies, for example, HSTS and CSP. Hijacking affiliate traffic monetization.

[02:25:25] Injecting iframes and scripts for click fraud and user tracking. Programmatic CAPTCHA solving and injection of additional malicious scripts for extended control. These features indicate that the campaign is not only financially motivated, but also technically mature, emphasizing operational stealth and longevity. Right.

[02:25:53] I mean, these things were there in the extension stores for Edge, Firefox and Chrome for five years in some cases. The infrastructure, they wrote, uncovered by Koi Security was linked to 17 Firefox extensions, all sharing similar obfuscation patterns, command and control behavior and delayed execution strategies.

[02:26:17] Our automated extension malware lab feature confirmed the same threat actor infrastructure and was also able to distribute extensions on the Google Chrome and Microsoft Edge add-ons store. Our analysis shows the campaign originated on the Microsoft Edge browser with later expansion into Chrome and Firefox.

[02:26:46] So I have in the show notes a timeline for anyone who's interested. It provides a chart which shows that the first known extension infected Edge browser users back in February of 2020. And none of this was known until just last month. So from 2020, it's been there. About six weeks later, at the end of March of 2020, Firefox was first hit.

[02:27:15] It was hit again at the beginning of May. Then a run of eight more malicious Edge extensions were released over the course of two years, from the end of August 2020 through the end of September 2022. A month later, at the start of October 2022, the first Chrome extension was created. Then things were quiet for nearly two years until another, because these extensions existed and they were just sitting there doing their business.

[02:27:43] Two years later, another Edge extension appeared in August of 2024. But then after that, it was all Firefox from the end of October 2024 to today. So it's interesting that throughout all this time, only two known malicious extensions were seen to affect Chrome.

[02:28:07] It would be interesting to know why, since that's clearly Chrome is clearly the largest potential source of user installations. But in any event, 840,000 is a lot of malware out there.

[02:28:23] The LayerX people expanded upon Koi's earlier findings and they reported 17 additional confirmed extensions with infrastructure overlap and common loader patterns, meaning certainly from the same people. More than an additional 840,000.

[02:28:43] So that's on top of the 50 that Koi found, bringing us, what, to 890, almost 900,000 cumulative installs across Firefox, Chrome and Edge. Malicious presence dating back to 2020, indicating long-term operational successes, bypassing all major browser stores' security checks.

[02:29:07] So these bad guys, now six years ago, found a way to slip malware past all the stores' security checks by encoding them in the back end of a PNG icon.

[02:29:23] And they said malware variants using alternative delivery mechanisms, which suggests that there is still ongoing experimentation and adaptation.

[02:29:37] Now, beyond the previously identified extensions, we observe a more sophisticated and evasive variant associated with the campaign, which by itself accounted for 3,822 installs. I have a picture of it in the show notes only because anybody would install this. It shows Firefox Browser Add-ons.

[02:30:05] It's got a nice-looking icon. It's called Instagram Downloader, and it's by Instagram Download, available on Firefox for Android. It's got 28 reviews at a 4.4, seems reasonable, and currently 3,822 users. And there's a nice button, download Firefox and get the extension. Who wouldn't do this?

[02:30:35] I mean, this is the problem. This looks like a legitimate, useful thing. So in this iteration, which the LayerX people found, the malicious logic is embedded within the background script and leverages an image file bundled inside the extension as a covert payload container.

[02:30:59] At runtime, the background script fetches the image and scans its raw byte sequence for the delimiter in decimal. It's 6262626262, which corresponds to the ASCII string of a sequence of four less than symbols.

[02:31:19] All data following that marker is decoded as text and stored persistently in chrome.storage.local under the key instlogo (I-N-S-T-L-O-G-O). The stored data is later retrieved, base64 decoded, and dynamically executed as an additional JavaScript payload.

[02:31:42] This secondary script introduces further evasion by deliberately sleeping for approximately five days before initiating any network activity. This, of course, is to thwart security analysis. You know, security researchers will load up a browser with stuff, set it to running, and watch to see what it does. They generally won't wait for five days. Users do.

[02:32:11] Five days afterwards, upon activation, it fetches content from a remote server, extracts server-supplied data stored as base64 encoded keys, and executes the decoded content, enabling ongoing payload updates and extended control.

[02:32:28] The staged execution flow demonstrates clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms. They said while Mozilla and Microsoft have removed the known malicious extensions from their respective stores, extensions already installed on systems remain active unless explicitly removed by the user.

[02:32:58] This persistence underscores the limitations of store takedowns as a containment strategy, particularly for malware employing delayed activation and modular payload delivery. Okay. Now, they listed a bunch of their 17. Something called page screenshot clipper only had 86 downloads.

[02:33:25] The full page screenshot had 2,000 downloads. The convert everything, whatever that is, had 17,171. But the translate selected text with Google had a just shy of 160,000 downloads.

[02:33:46] And among them, the biggest was by all time, the number one was translate selected text with right click had 522,000 downloads. So this translation hook seems to be offering something that people want. Unfortunately, these things were malicious. They're not going to say something you don't want.

[02:34:16] No. They're going to say something you want, right? Right. And what this is teaching them is that by offering these bogus translation apps, they're able to get a lot of downloads. So that's clearly a hook that interests people. They've figured out what it is people are going to download for free. It can't be too valuable or you wouldn't think it was free. So it's got to be something like kind of simple and cool.

[02:34:44] Well, like that Instagram downloader, right? You know, while we all might determine that something seems fishy about an offer of a free VPN, that screenshot that we showed of the Instagram downloader looks entirely legitimate. And I could imagine downloading it without ever being the wiser. So this is really a... Well, get ready because it's easy for bad guys to write this stuff now. I mean, the vibe coding that makes it easy for us to write what we want...

[02:35:14] Yep. Yep. Makes it easy for them too. Really true. One thing that puzzles me is LayerX's suggestion that the removal of extensions from the web store leaves any already downloaded and installed extensions in place and dangerous. We know that all the browser vendors have the ability to remotely disable any browser extensions that are found to be malicious.

[02:35:42] I suppose it might be the case that a malicious extension that its malicious publisher withdraws from the store might slip under the radar since it's no longer being offered. If it's removed from the store, maybe it just doesn't raise a beacon.

[02:35:58] And it might also be that the post-installation mechanisms, which these extensions use, by moving their later downloaded code into the browser's permanent store, affords them some post-removal protection. I don't know. But the convincing appearance of that Instagram download extension is, as I said, that seems unnerving to me.

[02:36:21] It's important to note that Koi was aware of around 50,000 downloads and installs because, for whatever reason, they apparently were not looking back far enough. The instrumentation that the LayerX people had gave them five years of history, and they found 840 or they found 17 more extensions whose downloads totaled more than 840,000.

[02:36:45] So I think one of the important takeaways here is that we must always remember that we can never know what we don't know. There's no point in getting overly worked up over things that we cannot control nor excessively worrying over what we don't know. I would just say, be skeptical.

[02:37:11] Don't install extensions just because you've got room on your toolbar for more of them. It seems like a good, useful tool. Keep to the things you need. And it seems that they come from real, known, legitimate enterprises. I mean, obviously, I've got BitLocker. What am I trying to say? BitLocker? No, not BitLocker. Bitwarden?

[02:37:40] Bitwarden. Thank you. I'm just drawing a blank. I'm sitting here looking at it. I've got Bitwarden sitting on my toolbar and a few other things that I trust that I've been using for years. You know, the vertical tabs extension for Firefox and a few other things. But I just avoid more. And that would be the advice to everybody. But this is the rule of thumb for all software. Install as little software as possible, right? It's not just browser extensions.

[02:38:10] It's, you know, it's like the browser download helper. Who needs help downloading a file? We used to. We used to. That was a very common category. I know. That's still in some people's heads. Probably the boomers amongst us. But yeah, this was always, I started saying this on a regular basis on the Tech Guy Show. It's like, really, the real rule is install as little as possible.

[02:38:39] You know, if you just got your iPhone and left it with just the stuff it came with, you'd be far better off with performance, with battery life, and for safety. Yep. As I mentioned, I'm very much a living off the land guy. You know, I don't want to install something else if I've already got functionality there. It's just, I'd rather not. That's why I install Emacs everywhere. And that's it. That's all you ever need, really. Yes. Yes.

[02:39:08] Plus, as easy as it would be to write a malicious plugin for Emacs, I don't think anybody's going to do that. The pickings are slim. Let's put it that way. Steve, what a great show. Always, always look forward to Tuesdays. And I hope you do too, everybody. Make sure you're here. We do the show Tuesday afternoon, right after Mac Break Weekly. That is, for us, 1330 Pacific Time, 1630 East Coast Time, 2130 UTC.

[02:39:38] We stream it live. That's why I mentioned those times. That's when we record the show. But as we're recording, we stream. We stream it to the Club Twit Discord. This is one of the benefits our fabulous Club Twit members get. Thank you, Club Twit members. But we also stream it for everybody's delectation on YouTube, Twitch, x.com, Facebook, LinkedIn, and Kik. You don't have to watch live, of course, because it's a podcast you can watch after the fact anytime you want.

[02:40:05] The website has it, twit.tv/sn. There's a YouTube channel dedicated to it. Steve also has it on his website. In fact, there's a number of reasons you might want to go there, not just to get the podcast. Steve's got the very small 16-kilobit audio version. No one else has that. No one else has the 64-kilobit audio version even. Steve's got that. He makes two nice and small versions. He's got transcripts written by a human. Elaine Farris does a great job.

[02:40:33] And that is all at grc.com. Show notes are there as well, although you can get those emailed to you if you go to grc.com/email. That is a form that Steve initially set up to whitelist email addresses so that you can email him with suggestions, comments, questions. But it just happens that at the bottom there are two boxes, unchecked, and one is for the weekly show notes email.

[02:40:59] One is for an email list that I don't think he's used in any living memory anyway, where he will send out an email when he's got a new product. Now, you are going to eventually use that for DNS Benchmark Pro, right? Yep. I'm in the process of updating the way the benchmark is purchased. And since that will affect the product, so I haven't done the walkthrough video because I have to have that in place first.

[02:41:29] And as soon as that's done, then I'll do the mailing to announce it. This is how conscientious Steve is. He wants to do it right. And this is why we love him. That is the other reason to go to his website, by the way. Spinrite, the world's best mass storage, maintenance, recovery, and performance enhancing utility. You saw that graph. That was kind of mind-boggling. But also the brand new DNS Benchmark Pro to make sure you're using the fastest DNS provider available to you.

[02:41:58] That's different for everybody, right? Because it's where you're located. So you've got to run it yourself. You can. Really nice little program. Not expensive. Lifetime as usual with Steve. You get a lifetime subscription to it. You could charge monthly, but he doesn't. He doesn't do that. All of that at GRC.com. Everybody hates it. I'm not doing it. Nope. He's also got forums if you want. That's another great place to give him feedback or talk with other Security Now fans. We have our forums for everybody.

[02:42:26] They're open to all at twit.community. There's also a Mastodon instance, which I love. It's kind of my favorite way to hang out. I'm better than X. That is at twit.social. In both cases, just mention you heard it on Security Now. I'll put you right in. And let's see what else. Oh, most important. You can subscribe to this show. Wow. What a concept. It's free. All you have to do is go to your favorite podcast client and search for Security Now. Leave us a good review.

[02:42:55] And then you'll get it automatically after you press the follow button or the subscribe button or whatever they call it. It doesn't cost anything. I don't like subscribe because that implies you have to pay for it. Follow maybe. It's also confusing. So there is no good button. But press the button. Get it automatically every Tuesday after we're done. Well, just in the nick of time that I decided to drill something outside. So I think this might be a good time to say thank you, everybody, for joining us. And we'll see you next time on Security Now.

[02:43:25] A week from now, the last podcast of January. Oh, my. See you, Steve. Bye. Hey, everybody. It's Leo Laporte asking you, begging you, pleading with you. There are only a few days left to take our annual TWiT survey. This is the best way we have of knowing more about our audience. Help us out. Let us know what you like, what you don't like, who you are. Just fill out the survey. It's on our website. It should only take a few minutes. twit.tv/survey26.

[02:43:53] Survey closes January 31st. So don't delay. And thank you very much. We really appreciate it. Security now.
