SN 1063: Mongo's Too Easy - AI Bug Bounties Gone Wild

[00:00:00] It's time for Security Now! Steve Gibson is here. He's going to talk about an antivirus that infects its own users. Hmm, that's not good. Curl discontinues bug bounties. That's not good either. They say they have to do it. And MongoDB has lowered the hacking skill level bar to the floor. It's too easy to hack! All of that and more coming up next on Security Now.

[00:00:29] Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1063. Recorded Tuesday, February 3rd, 2026. Mongo's Too Easy. It's time for Security Now! Oh, goody, goody, goody! I don't think all those CISOs and CIOs and security professionals listening are going, oh, goody, goody, goody, but in their heart of hearts,

[00:01:01] They're thinking, yay, it's Tuesday! Steve's here, yay! What are they going to talk about today? Steve Gibson, our hero, the man of the hour. Every Tuesday we get together, talk about the latest security news. And, you know, interestingly enough, there's never been a lack of security news to talk about. Oh boy. And in fact, I, I, Lori's been pushing me to start working on the podcast earlier in the week.

[00:01:28] Well, and it makes sense because she knows how stressed I get. You know, I'm, when I commit to doing something and doing a good job, that's going to happen. So, uh, I was reminiscing with her that there was a time, maybe a couple years ago, when I would come, I would, uh, you know, cause I'm, I, I'm working in my separate location during the day.

[00:01:51] And then, so I would come home at four and I would say on a Monday and I would say, I have all my topics. Like I've gone through the news and I've got a list of topics. And then Monday night and all day, Tuesday morning, up until we started recording, I'd be fleshing everything out, doing the research, pursuing the leads to, you know, basically creating the show notes that we now see.

[00:02:18] And she'd been pushing me to like, start sooner, start earlier. And, and so then the other thing that's happening is we're in the process of, of working on this, finishing up this remodel, which is now 18 months in. I mean, it's, it's, we bought the house. Oh, I know all about that.

[00:02:36] Year and a half ago. Um, and so, so then there's the problem that I'm needed on site for like decision-making and there, for example, this morning, this way, no, no. Yes. The, the, the, this morning it was supposed to be, I told them I I'm available until one. Well, then it was going to be noon. Then they switched it to nine 30.

[00:02:58] And these were people coming out to measure the stairs for this, the hand, the, the, the, the, the, the main staircase railing. And I needed to be there. Well, I couldn't be there if I was up against a podcast deadline.

[00:03:14] So I started this week on Saturday morning. Normally I tried to, I tried to do coding and GRC stuff all day, Saturday. And then she had me starting. She, I mean, you know, well, I am married. So a little woman or as Richard Campbell calls her, she who must be obeyed.

[00:03:35] Anyway. Yes. Uh, and I've heard that actually, that that's a common phrase now. And the other one is happy wife, happy life. So yeah. Anyway. So the point is that as a consequence of the fact that I'm starting earlier and I have to say it's, it is nice to like, have it done. Yeah. Know that I've got my commitment met and then I'm free to write code. Otherwise I'm sort of preoccupied by, Oh, you know, I got to get to, I got to get to it.

[00:04:04] So as a consequence, the show notes this week went out like Sunday early afternoon and someone wrote back and said, Oh, I love this. This is the earliest I've ever received them. Unfortunately, a super important piece of news dropped. That's what came to my mind. Yes. Yes. Yes. And I have been flooded with our listeners because I actually warned.

[00:04:35] About this event for several years. I was saying, this is going to be a problem or it could be not, I didn't say it was going to be, but this is a danger. And as a consequence of the fact that I'd been, I won't say predicting it, but recognizing that this is a problem. Oh my God. The, you know, all of our listeners said, Steve, it happened.

[00:04:59] It's like, uh, yeah. Anyway. So that was about Notepad++ that we'll be talking about. What a story. Yeah. Yes. And, uh, but all Leo, there's been a breakthrough.

[00:05:13] Our picture of the week. There is a breakthrough in age verification that does not require it's, it's verifier. You, the person being asked to verify their age. You can't look, don't look. It's not, you can't look yet. I save it. I save it. I, I just see the, I see your headline.

[00:05:37] It says finally an age verification solution that does not require its user to provide any additional information. It's fantastic. It's the kind of thing where it's like, once you see it, it's like, Oh, how did we like, everybody's like, get all tangled up in crypto. And everything is like, no, no, it's much simpler than that folks. Anyway, I think maybe this is going to be a good podcast.

[00:06:05] Okay. Yeah. I'm going to tell you, Steve, we're going to get you vibe coding here. You really got to get, I know you you're a coder and you probably think, Oh no code has to be written by humans. But there are certain things like for instance, I've over the last couple of weeks vibe coded a series of tools that I use to prepare the shows now that they go out.

[00:06:27] I have a newsreader that's custom built just for the kind of news reading that I want to do. You know, you would point it to all the security sources and, and it, it, it, not only does it let me bookmark them, but it summarizes them. It pulls quotes and stuff you could have, and I have a workflow. So I do that. And then I have a, that's called beat check.

[00:06:47] And then there's a tool after beat check that I run every day called collect stories. It goes out, collect stories for each of the shows, puts them in a format that you can read on the web. Uh, and that I can open with Emacs so I can organize it. And then there's a final stage called prepare briefing that prepares a, uh, a webpage for it. You could easily vibe and all of this is vibe. I didn't write a line of code. All of it's just said, well, could you do this? Could you do that? Could you upload it? Could you do this?

[00:07:15] Could you do this? And, and, and by the time it's done now, it's not only saved me a lot of time, but it's given me a whole, uh, you know, way of doing this that takes a lot of the stress out of it. I think we should talk because I, I would like for you to try these tools. You will be blown away. The difference that I see is that, and I've heard you talking about this on your other podcast that you've got like too many topics.

[00:07:40] You've got too many things to talk about what our listeners have told me they value is, is my analysis. Yes. Well, and that, that step is not gone. This isn't so automated that I'm out of the loop, but it just gets the stuff ready for me. And then I go, and I can do that. Oh, that one's good. That one's good. That one's good. And the AI summaries help with assessing that. Uh, I don't have any dearth of, uh, of topics as you said, no security, nor do I right.

[00:08:10] Yeah. No, a lot of what we do is, uh, boil it down. That's our job, right? Is to take this flood of information and make it usable for our listeners. You do a great job of that. I'm just thinking it's a, well, I'm not going to talk you into it if you want, but I think you, I would be very interested in your reaction just to see.

[00:08:31] As this thing writes its code, how competent it's gotten over the last two weeks, three weeks, November 24th was the breakthrough day of last year. Wow. Wow. It's, it's, uh, if we're not at AGI, then I think we need to define AGI better than this. It's, it's very human, very competent, uh, very responsive.

[00:08:53] One of our topic we have, we have two main topics for today. I titled this Mongo's too easy coming back, which made me think of blazing saddles, but I don't think that's that Mongo. Uh, cause it was the first podcast of the year was talking about the Mongo breach or Mongo bleed rather Mongo DB. Right. There's more information about that, but there's another piece of information that was vying.

[00:09:20] It actually, it was the topic. It was my working topic until there were two things that I want to talk about. The other is the, the, the breakthrough in bug finding. It's another thing that we thought was going to happen, but what we're, one of the trends I would say is safe to make. And it's, it's, it, it echoes what you're saying is this is happening faster than anyone expected.

[00:09:49] Right. I mean, it, it was, we knew it would, we knew it would happen. You know, I had said AI should be able to code because code has a rigor that, you know, it's their native language. Psychotherapy doesn't. It's like, well, sorry, you're not feeling well today, honey. You know, it's funny though. It's one of the things that's come up and I, I don't know if you cover it today, but a lot of the people, things people are doing now with things like OpenClaw

[00:10:19] is completely violating all of everything we know about security. You know, it's gotten to the point now where curling to bash, no big deal. Not going to, I'm not going to. And in order to use these personal assistants, you basically have to say, well, I'm just going to throw caution to the wind. In fact, that the new phrase is, is YOLO everything. You only live once, just YOLO it all. And it's very tempting because when you do it, you know, that balance between security and,

[00:10:47] and, and privacy or security and convenience functionality, functionality, or ease of use, the scale is vastly tipped. If you're willing, a perfect example is what the shuttles computer programming cost because it could not have a single bug. You can't fix it. It was insanely expensive to, to program that pokey little computer. Right.

[00:11:11] So at this point, the temptation to give this AI agent, this claw bot, it's called open claw. Now they keep changing the name of OpenClaw, your, a credit card number, your, your phone number, access to your Google docs, your Gmail, everything. The benefit you get out of that is so great that it's, it's very tempting. I'm, I'm sitting here. It's half installed. My fingers. It's like,

[00:11:38] I just can't bring myself to do it. I really, what I'm going to do is give it a credit card with a hard limit of like $5 a day, but you want to give it all these tools because it's amazing. There was a guy, uh, I was watching, uh, looking at a guy on Twitter who said, this is weird, but I, I told my claw bot to surprise me, you know, work on something overnight and surprise me.

[00:12:05] It called him. It made a phone call. It had overnight gotten a phone number, created a computer generated voice and called him in the morning and said, Hey, surprise. I figured out how to make phone calls, Steve. It's weird. It's getting weird out there. Anyway, we're going to talk about security and our picture of the week and we've solved the age verification problem. Leo, it is the most brilliant solution.

[00:12:35] Fantastic. We will talk about that in just a moment with Steve gives it. I'm going to shut up now because it's a Steve show and it's all about Steve. This portion of the show brought to you by ThreatLocker. Steve and I are actually headed out to Orlando for zero trust world. And we're very excited. It's coming up in March sponsored by ThreatLocker. ThreatLocker is the solution you've been looking for. You know that ransomware is harming business worldwide, but now ThreatLocker can

[00:13:02] stop it before it starts. Recent analysis from ThreatLocker shows how one single, one of many, but one ransomware operation, Qi Lin, surged from 45 incidents in 2022, just 45, less than, fewer than one a week to 800 last year. ThreatLocker's zero trust platform takes a proactive, and this is the key here with zero trust, deny by default approach. It blocks every unauthorized action.

[00:13:32] If you don't say it can happen, it can't happen. That protects you, not just from known threats, but from zero days, from unknown threats, threats nobody even thought of before. ThreatLocker's innovative ring fencing constrains tools and remote management utilities. So attackers cannot weaponize them for lateral movement or, you know, mass encryption or mass exfiltration of your information. ThreatLocker works in every industry. It supports, the support is fantastic, 24 seven,

[00:13:59] it's US-based. It will work on Windows, it will work on Mac environments, it works everywhere and gives you comprehensive visibility and control, which is great for compliance. Ask Emirates Flight Catering. The global leader in the food industry, 13,000 employees. ThreatLocker gave Emirates Flight Catering full control of apps and endpoints, improved compliance and delivered seamless security with strong IT support. The CISO of Emirates Flight Catering said this, a direct quote, quote,

[00:14:28] the capabilities, the support, and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO, end quote. ThreatLocker's trusted by some of the best and biggest in the world, companies that can't afford to be down, that can't afford ransomware. Companies like JetBlue, they use ThreatLocker.

[00:14:54] Heathrow Airport uses ThreatLocker. The Indianapolis Colts, the port of Vancouver, they all use ThreatLocker. ThreatLocker consistently receives high honors and industry recognition as a G2 high performer and best support for enterprise summer 2025. Peer spot ranked number one in application control. GetApp's best functionality and features award in 2025 and on and on. Visit threatlocker.com slash twit. You can get a free 30-day trial. Learn more about how ThreatLocker

[00:15:22] can help you mitigate known and unknown threats and ensure compliance. That's threatlocker.com slash twit. Now, if you want to come out and see me and Steve for a limited time, we've got a code for you. ZTWTwit26. Zero Trust World is ZTW. ZTWTwit26, all one word. That's 200 bucks off registration for Zero Trust World 2026. You get access to all sessions. You get hands-on hacking labs,

[00:15:50] meals. There's an incredible after party. Lisa and I have some sweet costumes for that. I know, Steve, you can't make it to that, but I will be there. The most interactive hands-on cybersecurity learning event of the year. It's March 4th through the 6th in Orlando, Florida. Steve and I are going to do a presentation at the end of the day on March 4th. We'd love to see you at that. And don't

[00:16:11] forget the offer code, 200 bucks off ZTWTwit26. All right. Are you being facetious when you say this solves everything? Oh, I have to interrupt. I have to preempt. We don't normally do breaking news here, but while you were talking, I got a little blurb on my phone, a little piece of news.

[00:16:35] The Wall Street Journal just posted AI disruption fears, royal software industry, and the stock market. And it says, from LegalZoom.com and Expedia to Aries and Apollo, shares of companies that sell or invest in software fell sharply on Tuesday. Investors fears that new developments in artificial

[00:16:59] intelligence will supplant software reverberated through the stock market Tuesday, dragging down the shares of companies that develop, license, and even invest in code and systems. Traders have questioned. Oh boy. Traders have questioned. I just lost a house worth of money. Traders have questioned whether AI will chip away at the competitive moat built by software makers like

[00:17:27] Adobe and Salesforce. Ever since generative AI models hit the market several years ago, recent advancements in tools such as those from AI developer Anthropic are now prompting more scrutiny. On Tuesday morning, investors honed in on Anthropic's announcement that it was adding new legal tools to its co-work assistant meant to help automate a number of legal drafting and research

[00:17:53] tasks. Shares of Thompson Reuters, LegalZoom.com, and London Stock Exchange, which all provide some form of legal tools or research databases, fell more than 10%. Yep. And I think that's true, but it's disruptive. There will be opportunities. For instance, I think a huge opportunity is enterprise-grade security around these AI tools. The stuff I want to do with OpenClaw is so risky, you would never let

[00:18:22] somebody do that in a company ever. But there will be companies that will come up with ways to do this in a secure and safe fashion. Those guys are going to make a lot of money. So it's- What it means is expanding the security boundary, expanding the moat to encompass much more than it did before. Absolutely. We had lots of small security boundaries that were all individualized. What we want to do then

[00:18:48] is to expand that so that there's much more content within a much larger boundary. In that case, then all of that is able to interact within its own enclave. And there has to be AI firewalls. There have to be ways of letting AI go out and look at the world without exfiltrating your private company documents or your credit card numbers. There's going to be

[00:19:14] ways to do this, I'm convinced. I would argue that that's probably the challenge. We've talked a lot about how adding an equal sign to the end of a prompt breaks through all of the protections. It's like, what? So this doesn't work in any normal way that we've known before, but it's also not surprising that that's where the answer was. And no one thought to look there before. Anyway, I never

[00:19:43] mentioned that we're going to talk about an antivirus system, which is infecting its own users. Yeah. Not what you look for in AI or in AV. Apple's next iOS release, a point release, will be fuzzing cellular locations. We talked about that. Yeah. Curl has discontinued its bug bounty

[00:20:08] program due to a flood of bogus AI generated bug reports. They just said, okay, we can't, we would know no more payout anymore. Um, we have, uh, the, the other main topic I'm going to talk about is AI discovering and fixing, get this 18 CVE worthy zero days in open SSL. Holy cow.

[00:20:34] This is the breakthrough on that side that we need to talk about. It turns out that Ireland, contrary to what I said last week, did not already pass their spying legislation. We have a listener in Ireland who is involved in performing, uh, Irish English translations and explained to me why this was confusing. I will share that. Uh, an AI irreversibly deleted someone's project files and apologized.

[00:21:04] Yeah. Uh, at least it was very polite about it. The AI is very polite, Leo. Oh, I'm sorry. Uh, uh, you're dead. Oh, it's too bad. Uh, we're, we're, we're, we're, we're, my bad. I am so sorry. We're going to look at windows, serious global clipboard security problem. Uh, another listener came up with something I hadn't thought of before about a way for ISPs to monetize their subscribers

[00:21:32] identities. And then we're going to look at MongoDB having lowered the hacking skill level bar to the floor. So lots of good stuff to talk about, but now Leo, it is time to share with our listeners a stunning breakthrough in age verification. I'm very nervous about this. Let's see. I'll let you read it and react. And then I will explain it. I'm going to scroll up. We need to

[00:21:58] verify your age, please. Choose a verification method below. You only need to do one method. Take a selfie. Okay. Search for my IDs in existing breaches. Is this real? So you have a multiple choice here. This is for age verification. The headline says we need to verify

[00:22:21] your age. Please choose a verification method below. You got two choices here and it does give you a little padlock and shows your details are used for verification purposes only and is not stored. And so the first choice is take a selfie. Confirm your age with a quick selfie, which is processed directly on your device for privacy. Or you could choose the second option, which is search for my

[00:22:49] ID in existing breaches. And it explains, we'll search for your ID in our database of breached personal information. If your ID is found, we can verify your age automatically. It's quick and easy. And odds are you're already in there. Oh, Lord. That's true. Now, is this a joke or is this serious? No, it was, it was, it could be serious. I mean, that's true, right?

[00:23:19] It's one of those things where you have to do a double take because you're thinking, uh, wait a minute. And it's powered by kid ID. That's the logo at the bottom. And one of our listeners who, who received this Sunday afternoon wrote and said, wait a minute, kid ID.com is a real thing. It's real. Yeah. It's like, yes. Um, the, they are in fact, the service that, um, God, I'm now, I don't know. One of the people that we've talked about, one, one of the, uh, age, age clamped

[00:23:48] services was using kid ID in order to perform this verification. And I think maybe they're the ones that were not deleting people's selfie pictures and got caught doing that. But I, I could be wrong about that, but good. Now they have my ID in their breach and, um, I'm set. Yeah. So basically, wow. Security breaches. So, so I'm sure this was a, a, a fake. It's gotta be tongue in cheek, but it's, you know, great humor. And it just suggests that like, well, you know,

[00:24:17] breaches are so rampant that why are we even being asked to identify ourselves? Everybody knows how old you are. That's right. Wow. That's exactly right. Okay. So, um, uh, I I I'm going to do this out of order because I want to address this, this big piece of news that, that really lit up our listeners. Uh, Don Ho, the author of the immensely popular windows note

[00:24:42] pad replacement, which is notepad plus plus, which I, along with many of our listeners have chosen to use for, you know, as a, like our, our, our primary note, you know, simple text editor. And I mean, plus plus is no exaggeration. This thing, it recognizes the language of the, of what it is. You're, you're dropping into it based on file extension. It's got every bell and whistle you

[00:25:11] can imagine. Um, so, I mean, and I've, over time, I've really come to like it. Well, Don notified the world Sunday after the podcast notes went out that, uh, for around six months or so the second through, through the second half of last year, June, through the start of December, 2025, unbeknownst to him,

[00:25:36] of course, highly sophisticated state level actors believed to be Chinese had arranged to compromise hit and did compromise his notepad plus plus software update mechanism. Uh, they used it

[00:25:56] to launch targeted malware attacks against specific notepad plus plus users. So a, you know, a serious supply chain attack. Now our listeners know that I have complained on multiple times about the high rate of notepad plus plus updates. Bless his heart. Don seems unable to just leave this thing alone.

[00:26:25] It's like, it's never done. So, uh, you know, I specifically cited the possibility of exactly this sort of supply chain attack being facilitated due to the, you know, to notepad plus pluses, seemingly endless code changes every time, you know, it downloads another copy into your computer.

[00:26:51] That's another opportunity. I'm not saying that it's going to happen, but it could, you know, and the more frequently it's done, of course, what happened is these Chinese state level, uh, bad guys, they're not dumb. They see the notepad plus plus is updating itself like not hourly, but like all the time. And they're thinking, Hey, that's a target, but, you know, we want to get

[00:27:18] that because it's abused all of its users into accepting constant updates. And every update is another opportunity for us to get our, our malicious code into someone's computer. And that's what happened. So, uh, anyway, I wanted to acknowledge to everybody that I got everyone's email. Thank you. I I'm glad, you know, everyone says, I'm sure you already know about this, but,

[00:27:44] and the first time I get one of those, that's not true, but all subsequent ones, of course it is true. Still, I do appreciate them. And I appreciate letting, having everyone make sure that I knew about this and also Don acknowledges. And if I, if it was important and it, you know, and it's not because the problem has been solved already, but he also had a, uh, a lack of security in his own

[00:28:12] update mechanism, which a, which his compromised hosting provider, this is, this was not a, a compromise at his end. It was the system, which was hosting his updates is what got compromised, but they targeted him and his notepad plus plus. So it's now at 8.9.1. He recommends that you go to

[00:28:39] the site, download it yourself and perform a manual installation just to be absolutely sure. And I would say then turn off this whole automatic update nonsense. Um, we have one listener who is proudly strutting around saying I'm at 8.2 or something from three years ago. And I'm sure glad

[00:29:04] I turned it off back then. So again, I mean, these, these things are like, Oh, the accent on the Swedish umlaut is backwards. It's like, Oh, so let's update the world with a new copy. It's like, no, I just, come on. Yes. You know, it works. Um, and you know, Leo, one of the things I've always appreciated about firmware updates is the manufacturer recognizes that a firmware update is,

[00:29:30] is, you know, it's a little bit fraught, right? If, if you trip over the power cord in the middle of a motherboard firmware update, right? You don't have a motherboard anymore. So their, their advice is always, if everything is working, don't update your firmware because guess what? Everything is working. It's only if you've got some known problem that a firmware update is known to

[00:29:55] fix that. It makes sense for you to, you know, make sure the plug is tightly in the socket, in the wall and then, and keep the dog, you know, in the other room and then start your updates. So again, notepad plus plus has been fine for like the last decade. Uh, they think it's Chinese, as you said, the Chinese hackers, what do you think they were after? It's just to get on as many machines as they possibly. No, no, no. These, uh, it, I want to

[00:30:25] believe everything that we're being told. So it's a huge relief that these were apparently very targeted. They were, they, they were looking to get into specific machines and they did using notepad plus plus as their Trojan to get them onto the machine. But no, so none of us, none of our, I mean,

[00:30:50] So it wasn't a crypto stealer or something like that. It was really aimed at probably Chinese dissidents or overseas Chinese. Yes. And yes. And I did see that the attacks that were known were over. They were targeted at other Asians over there. Uh, not, uh, not aimed at the West. And I'll just note though. I mean, I've downloaded notepad plus plus updates sometime between last

[00:31:18] June and the beginning of December. Although had this been a widespread attack, it would have come to light much quicker. So, so certainly the, the reason we believe these were high level Chinese state actors is they didn't want this to get found. They wanted to keep this facility of being able to,

[00:31:40] to selectively infect specific notepad plus plus users alive and working for them available to them as long as they could. So, um, so, uh, so, you know, it's a good thing that it wasn't a widespread attack because anybody updating during that window of the time the attack starts and, and then it is

[00:32:02] found and ended would have had malware installed in their computer. And, you know, many of us are updating notepad plus plus a lot. I, I also stopped back when I said, I'm sick and tired of this. And I turned that off. So, but I don't know that that, that I haven't done it since last June. So anyway, I really, if it's, you know, we're like all addicted to this update, update, update, we got to

[00:32:32] have the latest and greatest because maybe it's going to fix something problem that we don't know we have. Well, if you don't know, you have it, you're probably okay. So, uh, last week two security companies, Morphosec and Kaspersky both detected and reported that the

[00:32:55] e-scan antivirus product published by a company based in India had attacked its own users after one of its get this update servers was breached and infected with malware. So this perfectly reflects what we were just talking about with notepad plus plus, you know, we are seeing an increasing

[00:33:17] incidence of supply chain attacks and attacking people's insecure update servers. Because as I said, we would, the world's become addicted to updates. Uh, everything we got is updating itself all the time. Um, so here again is another instance of that. The event was covered by bleeping computer

[00:33:41] which shared e-scans defensive annoyance over the bad press this generated. And I'm here to give them some more bad press because oopsie, um, bleeping computer also reminded us that back in April of 2024. So coming up on two years ago, e-scans update facility was breached by North Korean hackers and

[00:34:07] used to spread malware into corporate networks. So, you know, I've often said that anyone can make a mistake. You know, it's true. And that mis and sometimes mistakes make us stronger, but an antivirus solution has a very, a highly privileged position in our machines. It's got to be running in the kernel.

[00:34:32] Uh, and a second similar incident occurring fewer than two years after the first one. I think that should be a concern to any e-scan customer. That's a reason to look elsewhere for an antiviral solution if you want to look anywhere at all. So of all the coverage. No, what you don't, I mean, I guess a business might, but. I I'm, I'm going to get there. I'm going to get us there here in a second. Okay. Cause I completely

[00:35:01] agree with you. Yeah. Uh, of all the coverage this received, I thought that Kaspersky summarized the technical details best. They explained on January 20th. So right. A couple of weeks ago, a supply chain attack has occurred with the infected software being the e-scan antivirus developed by an Indian

[00:35:23] company, micro world technologies. The previously unknown malware was distributed through the e-scan update server. The same day, our security solutions detected and prevented cyber attacks involving this malware on January 21st, meaning the day later, having been informed by Morphosec, the developers of

[00:35:47] e-scan contained the security incident related to the attack. Users of the e-scan security product received a malicious reload.exe file, which initiated a multi-stage infection chain. According to colleagues at Morphosec, who were the first to investigate the attack, reload.exe prevented further antivirus

[00:36:12] product updates. Of course it would by modifying the hosts file, thereby blocking the ability of security solution developers to automatically fix the problem, which among other things led to an update service error. Okay. Now I want to take a moment here just to remind everyone how very powerful

[00:36:35] the hosts file remains. And to share a little bit of internet historical trivia, the presence of a hosts file predates the internet. As we know, ARPA stands for the Advanced Research Projects Agency, and the internet grew out of the earlier work on something that was known as ARPANET. I recall that

[00:37:00] when I was working at SAIL, you know, Stanford University's Artificial Intelligence Lab in 1992, a big refrigerator-like thing was white and looked like it came from a battleship. I mean, it was really overbuilt. It was just then while I was there being installed. It was an IMP, an interface message processor, which was a node on the still very young ARPANET.

[00:37:31] Back before the creation of DNS, there was a need to map familiar host names to ARPANET addresses or nodes. And as we know, that's the role that DNS serves us today. But ARPANET had no DNS. It barely even had ARPANET. So every machine on the ARPANET had a copy of the ARPANET's master hosts

[00:38:00] file. That file was maintained on a single machine at SRI, Stanford Research Institute, and all hosts on ARPANET would periodically pull that file from SRI's one designated master copy to maintain an updated and synchronized listing, you know, a view of all other available machines on ARPANET.

[00:38:29] We have in our Discord right now, a guy who worked at Barrett Bolt, Baranek & Newman, BBN. BBN, yep. Who says, I actually drew the ARPANET apps when I worked at BBN before there was anything called DNS. And before we had CAD. So he was drawing them with- By hand. Yeah, with a protractor. A stencil and then, you know, and a straight edge. Yeah.

[00:38:58] Yeah. Pretty amazing, Craig. Wow. So in a classic example of old computer stuff sticking around from generation to generation, the original hosts file never went away. Today, it sits somewhere inside every internet-connected machine.

[00:39:19] Windows users can find it at c colon backslash windows backslash system32 backslash drivers backslash etc. So, I mean, it's like really an afterthought, right? Drivers backslash etc. Etc. I just looked at mine on my Windows 10 machine. Its first line of that file contains a Microsoft copyright notice dated 1993.

[00:39:47] So, like when the TCP IP stack was first added to Windows 95, because the file was dated 93, right? Or maybe Windows 3.1. I don't remember what the first Windows was that got on the internet.

[00:40:06] Anyway, the thing that makes the hosts file so powerful is that by convention, it is the first place any internet-connected machine will look for a host name to IP address mapping. In other words, it takes priority over everything else. And you don't even have to restart or reboot.

[00:40:31] I've used this sometimes myself when I've needed to locally test some client-server code that will eventually run at www.grc.com. If I add the line 127.0.0.1 space or tab, you know, some form of white space, then www.grc.com,

[00:40:56] then immediately and without waiting, restarting, rebooting, or anything, any attempt to access www.grc.com will be intercepted and be handled by a server on my own local machine. And that allows me to use a TLS www.grc.com certificate on my local machine.

[00:41:20] I mean, it's exactly as if it were at grc.com, because the browser thinks that's the domain that it's accessing, and so the certificate works. So, anyway, modification to the host's file can also obviously have malicious consequences.

[00:41:42] If, as in this case, somebody wished to prevent future updates to eScan's antivirus system after they'd infected the machine, placing the domain names of those update services into the user's local host file would immediately and completely prevent the compromised antivirus from being updated again to eliminate the malware.

[00:42:12] Kasprowski continues writing, The malware also ensured its persistence in the system, communicated with control servers, and downloaded additional malicious payloads. In other words, you do not want this thing getting into your system. Reload.exe, you know, reload the gun. Persistence was achieved, they wrote, by creating scheduled tasks. One example of such a malicious task is named CorelDefrag.

[00:42:41] Oh, sounds simple, you know, harmless. CorelDefrag. Doesn't make any sense, really, but okay. Additionally, the CONSCTLX.exe malicious file was written to the disk during the infection. Okay. At the request of the bleeping computer information portal, eScan developers explained, that the attackers managed, oh, so this is Kaspersky,

[00:43:10] it's why they referred to bleeping computers so oddly. Kaspersky is writing this, saying at the request of the bleeping computer information portal, eScan developers explained, that the attackers managed to gain access to one of the regional update servers and deploy a malicious file, which was automatically delivered to customers. They emphasize that this is not a vulnerability,

[00:43:35] the incident is classified as unauthorized access to infrastructure. Right. We're not going to call it a vulnerability. Right. Even though all of our customers got infected. The malicious file was distributed with a fake, invalid digital signature. Now, that's interesting. Somebody was asleep with a switch and didn't notice that the signature, the digital signature was invalid or didn't stop this thing from executing.

[00:44:04] According to the developers, the infrastructure affected by the incident was quickly isolated, thanks to other people finding it and telling them. And all access credentials were reset. Having checked our telemetry, writes Kaspersky, we identified, get this, hundreds of machines belonging to both individuals and organizations, which encountered infection attempts

[00:44:31] with payloads related to the eScan supply chain attack. These machines have been mostly located in South Asia, primarily in India, Bangladesh, Sri Lanka, and the Philippines. Okay. Now I'll take a moment here to note that these are only the hundreds of machines that also happen to be under the observation of Kaspersky's telemetry. This must reflect only a tiny microcosm

[00:45:01] of the entire internet. One of the things that annoyed me was seeing the micro world technologies people, because there were other things that I pursued in getting to the bottom of this. They were dramatically pushing back and downplaying the severity of this problem for their customers, which was pretty severe. The one thing that we don't want to see is an irresponsible provider

[00:45:29] of highly privileged antivirus software. You need to trust your AV company. Kaspersky says, having examined them, we identified that to orchestrate the infection, attackers have been able to replace a legitimate component of the eScan antivirus located under the path c colon backslash program files x86 slash eScan slash reload.exe

[00:45:58] with a malicious executable. So that reload.exe in the eScan subdirectory is the problem. They said this reload.exe file is launched at runtime by components of the eScan antivirus. It has a fake, invalid digital signature. We found this implant to be heavily obfuscated with constant unfolding and indirect branching, which made its analysis quite tedious.

[00:46:27] What Kaspersky means when they refer to constant unfolding and indirect branching is that typical straightforward code simply contains jump instructions, which cause the program's execution to jump to another location. So someone examining a disassembly of the code can see for themselves where the CPU's execution will jump to.

[00:46:56] By comparison, an indirect jump refers to another location in the program or to the contents of a CPU register. And it will be the current contents of that location or register that specifies the location to which the CPU's execution will jump. Since there's no way to know what that location or register might contain

[00:47:24] at the moment the indirect jump is executed, a static disassembly and an examination of the deliberately obfuscated malicious code will not reveal its execution paths. You won't be able to tell by looking at the code itself where anything is going to jump to because you don't know until you actually run the program that those addresses get resolved.

[00:47:53] So as Kaspersky noted, this makes an analysis of the code far more tedious. And that's, of course, exactly what its malicious creators intended. Kaspersky continues saying, when started, this reload.exe file checks whether it's launched from the program files folder and exits if not. It further initializes the common language runtime environment inside its process,

[00:48:22] which it uses to load a small .NET executable in memory. This executable is based on the unmanaged PowerShell tool, which allows it to execute PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it and used it to execute a malicious PowerShell script inside the reload.exe process.

[00:48:52] Okay, now, AMSI is Microsoft anti-malware scan interface. So this malware has arranged to bypass that. I wish my own code did that. Maybe I wouldn't have so much problem with Microsoft's annoying anti-malware scan. Which is, you know, false-positiving on me. Anyway, Kaspersky's teardown goes on to take the malware apart and describe its operation in great detail,

[00:49:21] but we all have a good sense now for what happened. And the point you were going to make, Leo, I have in the show notes, I wrote, neither Leo nor I use any third-party anti-malware add-on. And whenever I'm asked, I recommend against it. It's true. There was once a time when I strongly recommended the addition of a third-party firewall to Windows. Then Microsoft added one into XP

[00:49:51] and finally set it running by default with XP's Service Pack 3. The same thing happened with add-on antivirus. The various third-party AV solutions had their day, but that day has passed. Windows now brings its own along. I see no benefit and only downside risk associated with gratuitously adding another to Windows. This recent misadventure

[00:50:20] with eScan shows how much trust any third-party must be given to obtain such an honored place in our PCs. As I said, AV is in the kernel, which means if it goes bad, you're in deep trouble. It goes bad. Yeah. It's just not worth it. Yeah. What is worth it, Leo, is hearing from our next sponsor. Oh, I always like that. One of my favorite things.

[00:50:51] Yeah, actually, this is a good one, too. I'm happy to talk about it. We'll continue with security now in a moment, but first a word from Meter, the company building better networks. Meter was founded by two network engineers who thought there's got to be a better way. And if you're a network engineer, I bet you've thought that, too, once or twice. You know the headaches. Legacy providers with inflexible pricing, IT resource constraints. We all have that, right? Stretching you thin.

[00:51:20] Complex deployments. Fragmented tools. You know, you're mission critical to the business, right? But you're working with infrastructure that just wasn't built for today's demands. I mean, it's not quite as bad as an imp, but it could be. That's why businesses are switching to Meter. Oh, look at their website. This is the sweetest stuff. Meter delivers full stack, and I mean full stack networking infrastructure for wired, for wireless, even for cellular,

[00:51:51] and they build it for performance, they build it for scalability, they build it for security. Meter knows that in order to make that work, you've got to do it all. You've got to, the whole stack, they design the hardware, they write the firmware, they build the software, they manage the deployments, and then they provide aftermarket support. Meter offers everything. I mean, even down to ISP procurement, they can help you get the right ISP with the capabilities you need. The security, they'll help you

[00:52:21] with routing, switching, wireless, firewall, cellular power, DNS security, VPNs, SD-WANs, multi-site workflows. It's all in one solution from a single vendor. You know why that's great? Because if you have multiple vendors, you know that one vendor is going to blame the other one, the other one's going to blame them. And you get the vendor run around. Well, it's not our problem. Ask your ISP. Meter handles it all. Meter's single, integrated networking stack scales. I mean,

[00:52:51] they're in major hospitals. If you've ever been to the hospital, you know how challenging that wireless environment can be. They help with branch offices. It's not unusual that a company will acquire a branch office or worse, a warehouse in another area. You know, you're expanding. Business is going great. Now you've got to get there, whatever wonky stuff they add into your system. Well, Meter can come in and fix the whole thing. They do large campuses. They do data centers. They do Reddit's

[00:53:20] data center. Okay, so that's a pretty good testimonial. The assistant director of technology for Webb School of Knoxville had a great quote. They were in an interesting situation. He said, quote, we had more than 20 games on campus going on between our two facilities. Each game was being streamed via wired and wireless connections simultaneously. The event went off without a hitch. We could never have done this before Meter redesigned our networks.

[00:53:50] That's pretty good. With Meter, you get a single partner for all your connectivity needs from that first site survey to ongoing support without the complexity of managing multiple providers or multiple tools. Meter's integrated networking stack is designed to work together and to take the burden off you and your IT team to give you deep control and visibility, reimagining what it means for businesses to get and stay

[00:54:19] online. Meter is built by network engineers for network engineers for the bandwidth demands of today and tomorrow. People who know exactly what's going on in your life right now and are here to help. We thank Meter so much for sponsoring. I had a great conversation with them a couple of weeks ago. So impressed with what they're doing. Go to meter.com slash security now to book a demo. Okay? That's meter M-E-T-E-R dot com

[00:54:49] slash security now. Book a demo. Look around. Take a look at the equipment that what they can do. I think you'll be really impressed. I certainly was. Meter dot com slash security now. Now. More security now with Steve Gibson. So the Apple iOS world has been moving through a number of point and point point releases. Seems like we've had a lot of updates after 26. Yeah.

[00:55:19] And of course some of that has been good. They've toned down liquid glass making a little less liquidy. Yeah. Whew. Every so often even with all my settings set to mute it and suppress it like I'll get a little weird liquidy squiggle under something. It's just terrible. Why do these companies do this? I don't get it. Yeah. Yeah. Okay. So we're currently hovering at 26.2.1

[00:55:48] but there's some welcome news about 26.3 for cellular connected devices. Last week Apple announced that it would be adding optional deliberate imprecision to cellular surface to cellular services ability to geolocate cellular devices. devices. So here's what we learned from Apple under their headline Limit Precise Location from Cellular Networks. They said with the

[00:56:17] Limit Precise Location setting you can limit some information that cellular networks may use to determine your location available on compatible iPhone and iPad models with supported carriers. Obviously cellular models. Cellular networks can determine your location based on which cell towers your device connects to. And of course we know also relative signal strength factors in. And I learned just recently they can also request GPS coordinates.

[00:56:48] Did you know that? Wow. Yeah. I had no idea. Over the cell network. Yes. Does make sense. I have our signal our I'm Lori and I are both Verizon subscribers and in our area it's like this well-known Verizon dead zone. Yeah. So one of the first things we did when we set up shop there was we got a femtocell as they

[00:57:18] used to be called. Yeah. And you know you just connected into your LAN and now we have five bars where we used to not even have one sometimes. Irks me a little bit because you're using your internet for their connectivity but it's the only first there's no way to lock it to your phones. You're providing cell service to your neighbors. I didn't know that. Yeah. We used to have to have a femtocell at the old twit studios

[00:57:47] because it was a dead zone for T-Mobile. Anyway, so the point of information for whatever location is building the almanac in three space so it knows where it is. So I guess I'm not surprised

[00:58:17] that they're able to ping your phone and say give me your current GPS location. And it is a privacy concern because they sell that they don't even sell it. They sell it for cheap if they sell it to law enforcement. It's exact too. It's exact. So Apple said cellular networks can determine your location based on which cell towers your device connects to. The limit precise location setting enhances your location privacy by reducing the precision of location data available to

[00:58:47] cellular networks. With the setting turned on, some information made available to cellular networks is limited. As a result, they might be able to determine only a less precise location, for example, the neighborhood where your device is located rather than a more precise location. Oh, look, he's in the bathroom right now, such as a street address. The setting doesn't impact signal quality or user experience, they said. And they

[00:59:16] finished saying the limit precise location setting does not impact, and this is important, the precision of the location data that is shared with emergency responders during an emergency call. So again, they also took the time to think this through. This setting affects only the location data available to cellular networks. It does not impact the location data you share with apps through location services. So, you know, within the

[00:59:46] family and within your community of devices and where you've said, yes, I'm, you know, let Google Maps know where I am when I'm using them, that still remains high precision. location. So they said, for example, it has no impact on sharing location with friends and family with Find My and so forth. So, okay, at the moment, iOS 26.3 is in its third beta pre-release,

[01:00:15] so it's expected shortly. Once it's available, the setting can be found under the phone's cellular data options, which I thought was not where I would have looked, but okay, cellular data options, and they said that a device reboot may be required in order to change that setting. So it's probably, you know, down in the baseband system that that's part of the core infrastructure of their cellular technology. And, you know, I'm, as I've said

[01:00:44] before, and I know you are too, Leo, we're annoyed by Apple's constant commercial upselling of their services. It just feels to me like they don't need to do that. But the flip side is there is no company that I trust more to have my back. Apple has demonstrated their steadfast commitment to their users' privacy over and over through the years. Now, I fully realize that it might really amount to not that

[01:01:14] much, right? Because tracking and privacy invasions are happening well outside of Apple's sphere of control. But, you know, so there's not a lot they can do overall. But knowing that my handset is arguably doing everything it can to have my back is better than nothing. You know, and it's what I would choose, you know, even while like Leo, you know, neither of us spend that much time worrying about privacy in the abstract.

[01:01:44] It feels like, you know, good luck. There are a couple of footnotes to this. One is, at least according to some sources, this is because Apple now designs its own modem. So they have that C1X, they can do that. The other thing, though, is, and you read it, but maybe you kind of skimmed over, it says participating cellular carriers. Yes. The carrier has to agree to it. And currently in the United States, the only carrier that has agreed to it in the United States so far is Boost Mobile.

[01:02:14] And there's even some speculation that carriers might actually sue Apple over this, just as some companies have sued over app tracking, transparency, because they make money on selling your location. And they're going to say, you know, their excuse will be, oh, no, no, it's how we improve our service. We need to know. We need to know exactly where the phone is in order to map the signal strength reception and blah, blah, blah. Exactly. It's for your benefit.

[01:02:44] Wow. So it remains to be seen how many companies will allow this. I'd be very curious. On the other hand, it may be consumer demand just says, you know, tell Steam Mobile and Verizon and AT&T, you know, you better do this. Yeah. I see. Yeah. Okay. I hate to do another break, except this is going to be a long piece. This is the other big story is another breakthrough in AI. So we're at the top of the hour. Let's take a break. Let's do it.

[01:03:14] And then we won't have to break in the middle of this. I don't hate when you take a break. I just want you to know. I like it. I like it that you have to take breaks, to be honest. Our show today brought to you, and you know this company, so I don't think you're mine so much. Bitwarden. We love Bitwarden. The trusted leader in passwords, pass keys, and secrets management. You know, this is another company where their commitment to the customer is genuine. They're an open source company, so they kind of have to,

[01:03:44] right? Bitwarden is consistently ranked number one in user satisfaction by G2 and software reviews with over 10 million users in over 180 countries, more than 50,000 businesses. Bitwarden is the one to use, whether you're protecting a single account your own or thousands at a business. Bitwarden keeps you secure all year long and consistent updates. They're always adding new features. I think that part of that is because it's open source. They've just

[01:04:14] added something for enterprise called Bitwarden Access Intelligence. With this, organizations can actually detect weak, reused, or exposed credentials and then immediately guide remediation with the user, replacing risky passwords with strong, unique ones. And as we all know, that's a major security gap. Credentials are one of the top causes of breaches. Access Intelligence helps you get ahead of that. Those weak passwords become visible, prioritized,

[01:04:43] and most importantly, corrected before exploitation can occur. They've also added something for us, small users, Bitwarden Lite. It's Lite. Actually, it is a lightweight, and I love this, self-hosted password manager. See, when you're open source, you can do stuff like that. It's built for home labs, for personal projects, environments that want quick setup with minimal overhead. Bitwarden understands that there's no one size fits all when it comes to a password manager,

[01:05:13] and they want to make sure that every single person uses a password manager. It's the only way you've got to do it. Bitwarden's now enhanced with real-time vault health alerts for everyone, incidentally. It's not just enterprises. They have those password coaching features that'll help users identify weak, reused, or exposed credentials and take immediate action to strengthen their security. Maybe, I know, you listen to this show, you know how important a password manager is, but there are people you know, maybe your family members who,

[01:05:42] or maybe your employees who are not so aware. So this is a nice feature because it explains, you know, hey, this password's been seen in a breach, let me help you fix it. Bitwarden now supports direct import. Oh, this is great too. So many people's first experience with a password manager is in the browser, right? The browser says, I'll save those passwords, but we know that's not the ideal way to do it for convenience, for security. So Bitwarden now supports direct import right from the browser's password manager into Bitwarden.

[01:06:12] Currently works on Chrome, Edge, Brave, Opera, and Vivaldi. So those are all Chromium based, and I'm sure Bitwarden is going to enhance it with more browsers soon. This eliminates that step Steve and I went through when we moved to Bitwarden of exporting your passwords from the old password manager. Now they're on your hard drive in the clear, right? Unencrypted. Import them and remember, you've got to remember to thoroughly delete that clear text version. Well, you don't have to do that because this direct import copies credentials right from the browser into the

[01:06:42] encrypted vault without requiring that separate plain text export. So that's easier, simplifies migration, helps reduce exposure associated with manual export and deletion steps, and makes it really easier for people to do the right thing to stop using the browser password manager and use something better. G2 winner 2025 reports Bitwarden continues to hold strong as number one in every enterprise category. This is in G2. for six straight quarters. Bitwarden's setup is easy, it supports

[01:07:11] importing from most password management solutions, and it is GPL-licensed open source. You can see it on GitHub. Plus, it's regularly audited by third-party experts and they publish the results of those audits so everybody can see. Bitwarden meets SOC 2 type 2 GDPR HIPAA CCPA compliance. It's ISO 27001 2002 certified. I mean, they do it right. So here's my pitch. Get started in your business. Get started today with Bitwarden's free trial of a Teams or Enterprise plan, or as an

[01:07:41] individual, get started for free, free forever across all devices. That includes unlimited passwords, unlimited pass keys, hardware key support. Bitwarden.com slash twit. That's Bitwarden.com slash twit. We thank them so much for their support of security now. And I thank them personally for making a password manager I don't mind using. Okay, back to you, Steve. So I first encountered this next piece of

[01:08:11] news thanks to a listener, Elardis Erasmus. He wrote, hi, Steve. You may have seen this already. I work for a company that makes use of OpenSSL for cryptographic primitives. I evaluate the vulnerabilities as and when they're disclosed to determine the impact, if any, on our products. Just this Tuesday, OpenSSL released new

[01:08:40] versions fixing 12 previously unknown security vulnerabilities. This is way more than the usual one or two fixes found in a typical OpenSSL security release. Okay, I want to pause to note that the idea that Elardis works for a company that uses and relies upon OpenSSL's cryptographic primitives and therefore carefully follows, tracks, and

[01:09:10] examines the consequences of any newly disclosed vulnerabilities which might have, you know, an effect upon their use, that just does my heart good. It is so smart and it's a perfect demonstration of the responsible way to use any sort of third-party library. You know, most organizations would and do simply link to the library and never give it another thought. We don't know who he works for, but

[01:09:40] whoever it is, they understand what I call non-finger-pointing security. You know, deflecting responsibility after a breach occurs due to the use of somebody else's vulnerable library might feel good. You know, you get to say, well, it's not our fault, you know, but the breach still occurred and it occurred on to your systems as a consequence of using a library that, you know, you weren't being responsible for its use of.

[01:10:10] You know what I mean? So, anyway, I just wanted to take a moment and say that that is just the right way to do this. In any event, he explains his reason for writing, saying, to my astonishment, all 12 of the newly discovered OpenSSL zero-day vulnerabilities were found by an AI based cybersecurity company called Aisle. And I don't know what, if it's an acronym,

[01:10:37] but it's A-I-S-L-E, right? So that's where their name came from. Aisle, A-I-S-L-E. He says, here's a link to a blog post from one of their researchers in case you're interested. What was also interesting from that blog was to learn that AI slop led to the cancellation of the curl bug bounty program. He finishes, thanks for all you do, best, Elardis Erasmus. Okay, so, the AI-driven

[01:11:06] security company we learn of here, as I said, is called Aisle, A-I-S-L-E. And the contents of this blog posting that he linked to by one of their AI security researchers, as I said at the top of the show, it was runner-up for today's topic, and you'll quickly see why. The researcher begins his posting with a TLDR, which reads, OpenSSL is among the most scrutinized

[01:11:35] and audited cryptographic libraries on the planet. It underpins the encryption for most of the internet. They just announced 12 new zero-day vulnerabilities, meaning previously unknown to the maintainers at time of disclosure. We at Aisle discovered all 12 using our AI system. This is a historically unusual count

[01:12:05] and the first real-world demonstration of AI-based cybersecurity at this scale. Meanwhile, Curl just canceled its bug bounty program due to a flood of AI-generated spam, even as we reported five new genuine CVEs to them. AI is simultaneously collapsing the median, and he has

[01:12:34] in double quotes, slop, and raising the ceiling, meaning real zero days in critical infrastructure. Okay, so let's pause here and first take a look at the problem that the Curl project has had. The project's bug bounty page, which is at curl.se slash docs slash bug bounty.html, it was updated with a

[01:13:04] very short notice, which just says, up until the end of January 2026, which, okay, here's, we're on February 3rd today, right? So, three days ago, up until the end of January 2026, there was a Curl bug bounty. It is no more. The Curl project does not offer any rewards for reported bugs or vulnerabilities, period. They said, we also do not aid

[01:13:33] security researchers to get such rewards for Curl problems from other sources either, meaning, you know, you can't go to Hacker One or one of the other bug bounty programs and say, hey, I found a bug. They're out of that game now. A bug bounty gives people, they wrote, too strong incentives, as in incentives which are too strong, T-O-O, strong incentives, to find and make up problems in bad faith

[01:14:03] that cause overload and abuse. We still appreciate and value valid vulnerability reports. Okay, so now to give this page, that's all they said on the new bug bounty page is basically ain't none, we're done because we were, you know, offering to pay people incentivizes them to just make stuff up and apparently AI is the cause. Okay, so to give it a little more context, I used

[01:14:32] the Wayback machine to capture the same page six weeks ago on December 18th. Before the closure of all curl bug bounties, the page said, same page, the curl project runs a bug bounty program in association with HackerOne and the internet bug bounty. How does it work? Start out by posting your suspected security vulnerability directly to curl's HackerOne program.

[01:15:02] After you've reported a security issue, it has been deemed credible and a patch and advisory has been made public, you may be eligible for a bounty from this program. See the security process document for how we work with security issues. What are the reward amounts? The curl project offers monetary compensation for reported and published security vulnerabilities. The amount of money that is rewarded depends on how serious the flaw is determined

[01:15:31] to be. Since 2021, the bug bounty is managed in association with the internet bug bounty who set the reward amounts. If they set amounts that are way lower than we can accept, the curl project intends to top up awards. In 2025, typical medium rated vulnerabilities are being rewarded $2,500 US each.

[01:16:02] So finally, they finish who is eligible for a reward. Everyone and anyone who reports a security problem in a released curl version that has not already been reported can ask for a bounty. And those days are over. So, you know, when crimes are being investigated, the classic three requirements are means, motive, and opportunity. You know, could they do it? Why would

[01:16:31] they do it? And were they in a position to do it? One of this podcast's foundational observations, which followed the explosion and endurance in high-end advanced intrusions, you know, with ransomware and extortion has been that the thing the bad guys want, the only thing the bad guys want is our money. They, I mean, much as our personal details are important to us,

[01:17:01] they could not possibly care any less about the health records, the dating habits, the sexual proclivities or social security numbers of anyone else. They just don't care. The only value any of that has is for extorting those who somehow allowed that data to escape or to become encrypted and thus unavailable to them under an unknown encryption key. I'm reminding everyone of this fundamental

[01:17:31] observation because the presence of a vital and vibrant bug bounty system which rewards with money those who discover and responsibly report security vulnerabilities represents another source of revenue which can be readily abused. We know how crucial Curl's security is. You know, Leo is just making a joke about, you know, using Curl to bash and,

[01:18:00] well, who cares? Hope for the best. Hope for the best. That's right. We've covered the discovery and remediation of previous critical vulnerabilities in Curl. We also know the importance, the necessity of motivating security researchers to go looking for problems. Independent researchers need to eat too, so they're far more likely to look for, discover, and report security vulnerabilities

[01:18:29] in open source projects that will reward their time and trouble than those that do not. Curl's announced withdrawal from their historical and important bug bounty programs means that independent research into Curl's security has effectively ended. You know, sure, you can find one by mistake and report it to them, but sorry, you're just gonna, you know, you're a good citizen. They're not paying anymore.

[01:18:59] So I dug around a bit for some additional background and I found some over at the It's FOSS site. The posting titled, Curl gets rid of its bug bounty program over AI slop overrun provides some additional background. The guy there wrote, last year in May, the Curl project's bug bounty program was inundated with AI slop, where many bogus reports were opened

[01:19:28] on Hacker One, leaving the Curl maintainers to go through garbage. The problem didn't stop even after Daniel Stenberg, the creator of Curl, threatened to ban anyone whose bug report was found to be AI slop. He said, we're now in 2026 and the situation has reached a tipping point. For context, Curl is an open source command line tool used by billions

[01:19:57] of devices worldwide. Daniel has submitted a pull request on GitHub that removes all mentions of a bug bounty program from Curl's documentation and website. Coinciding with that, the project's security.txt file has been updated with some blunt language that makes the new policy crystal clear. We've talked about these types of

[01:20:27] files previously. They're a semi-formal collection of files that can be found under the forward slash dot well hyphen known slash directory in the root of websites that have them. So I checked out the Curl projects security.txt file which reads project Curl. The Curl open source project accepts security reports

[01:20:56] for problems found in products made by the Curl project. We offer no, that's in caps, zero, in parens, rewards, or other kinds of compensation for reported problems. But we offer gratitude and acknowledgements clearly stated in documentation around confirmed issues. we will ban you and ridicule you in public if you waste our time

[01:21:26] on crap reports. So it does appear that the Curl project is pretty fed up with the nonsense they've been subjected to for the past eight months or so. The posting over on the FOSS continues saying, the Curl team intends to make a proper announcement in the coming days, though many outlets have already covered the news of this happening, so I would say they ought to get on it ASAP. The program

[01:21:55] officially ends in a few days on January 31st, 2026. After that, security researchers can still report issues through GitHub or the project's mailing list, but there won't be any cash involved. What pushed them over the edge, you ask? Well, just weeks into 2026. Seven Hacker One reports came in within a 16-hour period in just one week. Some were actual bugs, but none of them were

[01:22:25] security vulnerabilities. By the time Daniel posted his recent weekly report, they'd already dealt with 20 submissions in 2026. The main goal here is said to be stopping the flood of garbage reports. By eliminating the monetary incentive, they are hoping people or bots will stop wasting the security team's time with half-baked unresearched submissions.

[01:22:54] He also gives a stern warning to wannabe AI sloppers, saying that, quote, this is a balance, of course, but I also continue to believe that exposing, discussing, and ridiculing the ones who waste our time is one of the better ways to get the message through. You should never, all caps, report a bug or a vulnerability unless you actually understand it and can

[01:23:23] reproduce it. If you report anyway, I believe I am in the right to make fun of and be angry at the person doing it, unquote. So, yeah, he says, that's that. If people still don't understand that AI slop is harmful, to such sensitive pieces of software, then sure, they can go ahead and make a fool of themselves. Okay, so that's the bad news.

[01:23:53] It appears to be a new problem created by AI that will be the automation of the generation of low quality, often bogus security bug reports on the hope that they may score one and get some money. This has the potential to significantly spam the industry's critical bug bounty system. We know that the bounty

[01:24:23] programs whose importance has been well established won't go down without a fight. So, what's likely to happen will be much more focused upon the establishment of any would-be bug bounty recipient's reputation. The result would be that reports coming in from unknown presumably AI bots hoping to score a bounty would somehow be treated differently. The problem is,

[01:24:53] then, it's unclear how an unknown human researcher would go about establishing a reputation as a non-bot, maybe just submit one high-quality report and wait for it to be seen to be such and, you know, get a gold star and you got to get a couple until your reports are less filtered. So, anyway, this will be something for us to all keep an eye on. I have kind of a little different take on it. Good. First of all,

[01:25:23] I don't know this guy, but open source maintainers for very good well, without compensation, without much credit, one of the most used programs in the world for years and is, you know, a little sensitive. I get at least two or three bug reports on our website every day, not AI generated, just by people who are hoping to get

[01:25:53] some money out of us. We don't have a bug bounty even. This is a problem, a people problem, not an AI problem. There are lots of people out there who, you know, are hoping to get some money from somebody by saying, I found, you don't get any of these because we get them all the time, you know, trust and safety or at twit.tv or that kind of thing, saying you got a bug and I'll reveal it if you give me some money. That's just a people problem.

[01:26:23] Maybe AI has enabled some of these people, but I think that that's not exactly really the target. And I think there's a huge risk at stopping his bug bounty. Because there's a lot of people who do make money at this who legitimately report bugs who will not be incented to do so. And I think Curl's a pretty important thing. I think the solution to this is not to turn the bug bounty off, but to get some help, to get some more people working on this project and maybe some more eyes on the reports.

[01:26:53] The final thing is I don't think ridicule is going to do anything because the people who do this are not susceptible to ridicule. You'll never hear me ridicule anybody ever. It's just not. Well, they're anonymous for the most part. These aren't real security researchers. I think it's fairly easy to filter out these bad reports. I certainly pay no attention to the emails I get every day saying there's a bug on your website. I think

[01:27:23] that for me, establishing a reputation system. We know we need a bug bounty program. We know that bounties are good. We shouldn't throw the baby out with the bathwater here. We need that bug bounty. And sadly, curl, as you said, it is on the front lines. We've covered some serious curl problems. There have been a lot of bugs. That's maybe the other reason he's a little prickly. If you look at his CVEs, it's not the most

[01:27:53] secure software ever. I think he might be a little sensitive at this point to people finding bugs. I don't know. I love curl. I'm grateful to it. I would contribute to curl. Absolutely. Stepping back further too, we know that there is a fundamental problem with the open source model. That's really the problem. Major corporations are taking advantage of open source.

[01:28:23] That fantastic cartoon of the whole internet resting on a little peg that's supported by someone in Nebraska. It is a weird system that we've evolved where one unpaid volunteer is expected to maintain a command line tool used by billions of systems. Right. Right. So I'm very sympathetic.

[01:28:53] More people should support him. The work is very important. Get some help. But I don't think turning off the bug bounty is really and ridicule is absolutely useless. Yeah. Okay. So that's it's not time for good news, Leo. Yeah. Because there's another side of this story, isn't there? Yes. That was the bad news. It also appears to be the case that code digesting and understanding AI, when in the hands of actual

[01:29:22] security researchers, can create newfound leverage, enabling the high-fidelity discovery of true security vulnerabilities. The first line of the posting by Isles security researcher, said Open SSL is among the most scrutinized and audited cryptographic libraries on the planet. We know that is not hyperbole. It's absolutely

[01:29:52] true. I mean, it is really rare to find a bad problem in Open SSL because the entire industry is being so careful with it, unlike Daniel with Curl. So here's what this guy went on to explain. He said, we at Isle have been building an automated AI system for deep cybersecurity discovery and remediation, sometimes operating in bug bounties

[01:30:22] under the pseudonym Giant Anteater. Our goal was to turn what used to be an elite artisanal hacker craft into a repeatable industrial process. We do this to secure the software infrastructure of human civilization before strong AI systems become ubiquitous. Prosaically, we want to make sure we don't get hacked into oblivion the moment

[01:30:52] they come online. No reliable cybersecurity benchmark reaching the desired performance level exists yet. We therefore decided to test the performance of our AI system against live targets. The clear benefit of this is that for a new zero-day security vulnerability to be accepted as meriting a CVE, it has to pass an extremely

[01:31:22] stringent judgment by the long-term maintainers and security team of the project, who are working under many incentives not to do so. Beyond just finding bugs, the issue must fit within the project's security posture, i.e. what they consider important enough to warrant a CVE. OpenSSL is famously conservative

[01:31:52] here. Many reported issues are fixed quietly or rejected entirely. Therefore, our benchmark was completely external to us, and in some cases, intellectually adversarial. We chose to focus on some of the most well-audited, secure, and heavily tested pillars of the world's software ecosystem. Among them,

[01:32:21] OpenSSL stands out. Industry estimates suggest that at least two-thirds of the world's internet traffic is encrypted using OpenSSL, and a single zero-day vulnerability discovered in it can define a security researcher's career. It is a very hard target in which to find real, valuable security issues. In late summer 2025,

[01:32:51] six months into starting our research, we tested our AI system against OpenSSL and found a number of real, previously unknown security issues. The fall 2025 OpenSSL security release contained a total of four CVEs. Three of those four were discovered, responsibly disclosed, and in

[01:33:20] some cases even fixed by us, or more precisely, by our AI system. And two were rated as moderate severity issues, and the third as low severity. For context on our approach, our system handles the full loop scanning, analysis, triage, exploit construction, if needed and possible, patch generation, and patch verification.

[01:33:50] I hope you're listening to this, Leo, because this is astonishing. I mean, it has happened. Humans choose targets and act as high level pilots overseeing and improving the system, but don't perform the vulnerability discovery. On high profile targets, we additionally review the resulting fixes and disclosures manually to ensure quality, although this only rarely changes anything. Today, January 27th,

[01:34:20] 2026, meaning just last week, OpenSSL announced a new security patch release publishing 12 new zero day vulnerabilities, including a very rare high severity one. of the 12 announced, we at IEL discovered every single one of them using our AI system. Adding these new 12 to the

[01:34:50] three out of four CVEs we already had in 2025 previously, this means that IEL, and by extension, AI in general, is responsible for discovering 13 out of the 14 zero-day vulnerabilities in OpenSSL in 2025. Both the count and the relative proportion have been increasing as a function of time and are overall historically

[01:35:18] very atypical, with the most recent 12 vulnerabilities spanning a significant breadth of OpenSSL's code base. Even a low-severity CVE is a higher bar than might be obvious. The vast majority of reported issues don't qualify as security vulnerabilities at all. Most are bugs that get fixed without CVEs as standard patch releases.

[01:35:47] To receive a CVE from OpenSSL, an issue must pass their conservative security posture and be deemed important enough to track formally. Low severity in OpenSSL still means a real externally validated security vulnerability in well-audited critical infrastructure. In five cases, AISL's AI system directly proposed

[01:36:17] the patches that were accepted into the official release following a human review from both AISL and OpenSSL. Matt Caswell, executive director of the OpenSSL Foundation, said this about the findings, quote, keeping widely deployed cryptography secure requires tight coordination between maintainers and researchers. We appreciate IEL's responsible

[01:36:47] disclosures and the quality of their engagement across these issues, unquote. Tomas Mraz, the CTO of OpenSSL, said about the newest security release, the following, quote, one of the most important sources of the security of the OpenSSL library and open source projects overall is independent research. This release is fixing 12 security issues, all disclosed to us by IEL.

[01:37:16] We appreciate the high quality of the reports and their constructive collaboration with us throughout the remediation, unquote. The researcher at IEL continues, the assigned CVEs still don't represent the full picture here. Some of the most valuable security work happens when vulnerabilities are caught before they ever ship, which is, writes the researcher, my ultimate goal. Throughout 2025, IEL's system

[01:37:46] identified several issues in OpenSSL's development branches and pull requests that were fixed before reaching any release. Our AI discovered a double free in the OCSP implementation. It was caught and fixed before the vulnerable code ever appeared in a release. Our AI also found a use after free and a double free in RSA's

[01:38:16] OAEP label handling. It found a crash in bio underscore send message receive message with legacy callbacks. And our AI discovered a location where important private key file permissions were not being set by the OpenSSL REQ command. This is the outcome we're eventually working towards. Vulnerabilities prevented proactively, not only patched after deployment

[01:38:45] retroactively. The concentration of findings from a single research team spanning this breadth of subsystems and vulnerability types is historically unusual for OpenSSL and is in my view in large part due to our heavy use of AI. So, okay, I wanted to put Aisle onto everyone's radar. They are at Aisle.com

[01:39:16] and they're going to be worth keeping an eye on. What became clear to me in looking around their site is that their work on OpenSSL, you know, they also found a handful of true vulnerabilities, five of them, that resulted in CVEs and curl, was just for the sake of working to perfect their process. Their actual business is not the improvement of open source software. That was just a happy

[01:39:44] proof of concept development side effect. For them, OpenSSL served as a perfect test bed allowing them to further test their AI assistant code analysis system and capability. They're going to be offering this capability for hire to the likes of Apple, Google, Microsoft, and others as well, until they're acquired by some big fish, as a means of enabling their customers

[01:40:14] to similarly find and fix previously undiscovered bugs. Their about page says of them, we're not chasing trends. We're solving the toughest problem in cybersecurity. Aisle was built by security leaders and AI scientists who've seen both the scale of the threat and the limits of today's tools firsthand. Our goal is not to improve vulnerability management. It's to

[01:40:43] end the backlog, to close the loop. We believe in something bold but measurable, zero exploitable vulnerabilities, not as a slogan, but as an achievable outcome. And explaining their mission, they wrote, we started Aisle after seeing the same pattern again and again. Attackers move faster and defenders are forced to catch up with too many tools, too much

[01:41:13] manual work and a backlog that never disappears. Think Microsoft. We built Aisle to break that pattern, not by adding another dashboard, but by creating something fundamentally different, an end-to-end autonomous cyber reasoning system that finds, fixes, and verifies vulnerabilities at machine superhuman speed and scale. Aisle cuts

[01:41:42] remediation time from months or weeks to minutes and seconds, bringing us closer to a future where software defends itself. Built by engineers, accelerated by AI, and designed for reality. So, among Aisle's angel investors is a chief scientist at Google, the CPO for AI experiences at Microsoft, the co-founder

[01:42:12] and chief scientist at Hugging Face, and a research scientist at DeepMind. So they have the backing of industry professionals who have understood that this had to happen, that it was going to happen. You know, our listeners have heard me assert over and over that code should be totally understandable by a sufficiently capable AI. It really means something that AI managed to

[01:42:41] find 15 out of a total of 16 CVEs in a system of code as carefully composed, maintained, and scrutinized as OpenSSL. It's truly a big deal. And as they said, the OpenSSL project does not hand out CVEs readily. They don't want to. It's also found five new CVEs, as I mentioned, in Curl, and they don't care they didn't get a bounty. They didn't do

[01:43:11] it for that. They did it to test their AI against open source software. We've recently seen that AI has made surprising strides in the generation of code, and now it appears we're on the brink of being able to leverage the same power, the power of AI to dramatically improve the quality of both the world's existing and its newly written code.

[01:43:41] My final observation is that every step along the way of this AI revolution, what we've seen has occurred much faster than certainly I and many observers expected. And each new hurdle is easily being surmounted. You know, oh, one AI is insufficient because the problem requires a context window that's too large, causing the

[01:44:10] AI to start becoming confused? No problem. Just divide the too large a task into separate individual smaller tasks and deploy a team of AIs, giving them, you know, each of them a specific subset of the puzzle. What's happening is truly incredible. Having seen and understood the significance of what ILE has already accomplished,

[01:44:40] coupled with the speed at which all of this AI is evolving, I now believe that there's a very real possibility that many or most of us will live to see the day when software bugs are eliminated. That no longer seems like a far-fetched, far-away goal. I think that's the thing that AI is going to do, and it's going to change the world.

[01:45:10] I completely couldn't agree more. And every day I see the evidence of that. One of the things that makes this really interesting with AILE, they mention it, but I want to underscore it, is this stuff is incredibly fast, and it works all day, all night, tirelessly. So, I mean, yeah, okay, maybe it's slower to find a bug than a human would be. I don't think it is. But let's say it is. It doesn't matter. You can

[01:45:40] assign 20 of them to do it, and they'll work all night for you and solve this problem. Tomorrow, we're going to interview a guy who's written some really interesting software called Gastown that's designed to be used with these AI coders like Claude Code. And what Gastown does is it creates, for every project, it creates roles. So you've got a refinery, you've got a crew, you've got something called pole cats, you've got a witness, you have a

[01:46:10] mayor who runs the whole thing, you have a deacon. So we're talking a collection, right? It's a collection. That seems to be the next step. And they work in concert, and they check each other. So if somebody kind of goes off the rails, the mayor steps in and says, wait a minute. Until you see it at work, it's hard to believe. I have a switch in my cloud code that I

[01:46:40] turn on called test-driven development. I said, no, no, write a test for everything. And I don't want to hear from you until every test passes, right? And it writes much more complete tests than I do, because it doesn't have the biases that I do. It just says, well, I've got to test everything. There's also an overseer, that's the human. And it's just really, it's happening so fast and

[01:47:09] so much creativity is being put into it. And there's a lot of risk, I acknowledge. And I just shared with everybody that story in the Wall Street Journal, saying that the software heavy tech companies had just crashed. There's a good reason. Because people are realizing that, you know, hey, I don't need to pay Adobe, I just need to ask my AI to give me one. Right. And honestly, I've talked about this before, we're in the age of hyper

[01:47:39] personalized software. People can say, instead of saying, and I have a photo editing program and I'm going to kind of interact with it to get to do what I want, you just say what you want. And the computer writes a photo editing program to do that for you. And it does it so fast. The other I love Harper, he kind of lives in the future, is this stuff is so cheap in terms of not dollars, but just generation. If something doesn't work, you throw it out and you start over. You just go, oh, that's fine.

[01:48:09] It's disposable software. I wrote a tool that I only ran once that converted my Obsidian posts to the day one journal posts. And I wrote it, I will never use it again, but I did it once and it worked. And it's a beautiful job. And that's power of software. I'm sort of thinking about the brilliance of the way the Unix developers created Unix to be a whole thing. Yes. And so, for instance, my

[01:48:38] workflow with story processing is three different agents doing different things that pipe one to the other. That's exactly right. This is why you were asking a few weeks ago if it's helpful to be a programmer or not. I think it is helpful to be able to think in that way in terms of processes and flow. But the job is changing. But the way you do it, you don't write the code anymore. You write the prompt. But you still have to think in that kind of fashion, I think. Yeah, it's changing dramatically.

[01:49:08] I really want you to try it just for fun. Get it to write assembly. I'm not kidding. It'll write assembly perfectly well. In fact, okay, here's it. Here would be fun. Tell it, hey, this spin right program, it's an assembler. Here's the code. Can you make a Mac version? And just let it go. See what happens. I know. It's kind of, I know, it's a little weird and scary, isn't it? For somebody who spent his life hand coding software.

[01:49:39] Very much. Hand. Who loves, who loves. It's not like labor. You know, like I've always felt guilty when I said I'm going to go to work. It's like, it's not work. It's like talking to a guy who carefully chisels a piece of furniture and then saying, see this thing called a lathe? Here's a laser printer that can pick that wood. And you know what? Here's the good news. I love to code too, and I will always code. I know you

[01:50:09] will always code, but now it's love it. Not for any other reason. Not because we have to. Okay, break time and then a piece of errata and then some feedback. Yes, indeed. Yes, indeed. You're watching Security Now. We're glad you hear our show today brought to you by Material, the cloud workspace security platform built for lean security teams. You can be a lean security team with Material. And it solves a problem that

[01:50:39] if you're in security, if you're an IT guy, you understand this is a problem. Managing security in a cloud workspace like Google Cloud, Microsoft 365, that's challenging. It's hard. Phishing, of course, is a problem, but it's far from the only way in. Unfortunately, today's email security stops at the perimeter, and new attacks are hard to detect. You've got siloed email data and identity security tools, and they don't talk to one another. Material protects

[01:51:08] the email, but it also protects the files, and it protects the accounts that live in Google workspace or Microsoft 365, because effective email security today needs to do much more than just block phishing and other inbound attacks. It needs to provide visibility and defense across the workspace threat surface. As I think about it, this is exactly the kind of thing I was talking about when we were talking about this kind of fuzzy security perimeter

[01:51:38] now that we're doing these AI tools. You need something that can see across the whole workspace, that can see into everything. And that's what Material does. It ingests your settings, your contents, and your logs. It gives you holistic visibility into threats and risk across the workspace, because what you don't know can really hurt you, right? Along with the tools to automatically remediate them. Material delivers comprehensive workspace security by correlating

[01:52:07] signals and driving automated remediations across the environment. This is the new world. Phishing protection, email security, yes. Combining AI advanced AI detections with threat research and user report automation, detection and protection of sensitive data across inboxes and shared files, account threat detection and response with comprehensive control over access and authentication of people and third

[01:52:36] party apps. You probably don't want to think about it, but if your company's living in the cloud, do you have that kind of visibility or are you just kind of hoping everything comes out all right? Material empowers organizations to rapidly mature their ability to detect and stop breaches with step-up authentication for sensitive content, so you can say, yeah, this stuff really protect this, blast radius visualization for accounts so you know what the risks are and how far they can spread, the ability to detect and respond to threats and risk across the

[01:53:06] entire cloud workspace. Material enables organizations to scale their security without scaling their team. Material drives operational efficiency with its simple API-based implementation and flexible automated and one-click remediations for email, file, and account issues, including an AI agent that automates user report triaging and response. It takes your small team and turns them into superheroes, right? With all the power, Material protects the

[01:53:35] entire workspace for the cost of simple email security with a simple and transparent pricing model, too. Secure your inbox in your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See material.security to learn more, to book a demo, check this out. This is the new way of doing things. Material.security. And we thank you so much for supporting Steve Gibson, who likes doing things the

[01:54:05] old-fashioned way. No, that's what I love about you, Steve, because you're very wide open to this. There's a lot of people who are saying, oh, no, it's slop, it's slop, it's not. And you understand this is transformational stuff that's happening. I think we're going to see the end. We're going to be alive. You and I are, you know, I'm 70, you're almost. I'll be there in a minute. I think five years from now, we're going to, I mean, I think

[01:54:34] this aisle company is going to get snapped up by one of the big fish in a heartbeat. I'm sure that's the way they profiled themselves. And we're going to, this is going to change software. The bugs are going to be over, which doesn't mean the podcast is over because we still have the humans in the loop. And, you know, the title of our talk, our presentation next month at ThreatLocker is the call is coming from inside the house.

[01:55:04] I can't wait. There's going to be so much fun. All right. So I have an important correction to share. Thanks to one of our Irish listeners who took the time to explain an important nuance of Ireland's law passing process. Our listener is James Pello, who said, hi, Steve and Leo, longtime listener and happy club twit member. He said, I wanted to flag something from episode 1062 regarding Ireland's communications, interception,

[01:55:33] and lawful access bill. He said, by way of background, I work as an Irish translator specializing in, amongst other things, Irish and EU legislation translating to and from Irish, our national and first official language. I encounter these government press releases regularly, and I've translated a fair few of them myself down through the years, so I have some familiarity with how it all works. In this case, the bill has

[01:56:03] not actually been passed. In fact, it hasn't even been drafted yet. What the press release announces is that the cabinet has approved the minister's proposal to begin developing the legislation. Officials are now tasked with preparing a general scheme, which explains that term that we saw when I talked about essentially a detailed policy outline, which

[01:56:33] the minister says he hopes to publish sometime in 2026. Only after that would the actual legal text be drafted, subjected to public consultation, scrutinized by parliamentary committee, introduced to the, whatever that word is, O-I-R-E-A-C-H-T-A-S. I'm sure if you said that with an Irish accent, it would sound good. Yeah, it makes more sense.

[01:57:03] Anyway, he says, parens, our parliament, debated in both the Dale, whatever that is, lower house, and Synod, sorry, James, the upper house, and signed into law by the president, assuming she has no concerns about it being unconstitutional. In other words, boy, is it not a law. It has a long way to go. It's a general scheme is what it is.

[01:57:32] Yeah, it's an ambition, probably better than anything else. So he said, to clarify the terminology, in Irish law, a bill is proposed legislation still going through parliament, while an act is legislation that has been passed and is in force. So the 1993 act is current law. This proposed bill isn't even a bill yet. It's an announcement

[01:58:01] of intent to draft one. I'm personally of the view that this proposed legislation would actually be a significant improvement on the current regime. Under the 1993 act, interception warrants are authorized by the minister for justice alone. No court order is required. Oversight is purely retrospective. A designated high court judge

[01:58:31] reviews the operation of the act and reports annually to the whatever that word is, prime minister, but doesn't approve individual. James, if you can translate Irish into English, more power to you, because this doesn't look like anything. I could play the pronunciation for you if you want. I think I have it here. Let me see.

[01:58:59] T-A-O-I. So we got three vowels in a row, and then S-E-A-C-H. You know what? None of the dictionaries which normally have recorded pronunciations next to these words. Oh, here we go. Here's one. None of them are playing it. I don't blame them. You have to imagine. T-Shook. T-Shook. T-Shook.

[01:59:29] Yeah, that's the prime minister. Yeah. Anyway. T-Shook. Yeah, you know that. The proposed bill would introduce a requirement for proper judicial authorization for the first time along with an independent examiner and a formal complaints process covering all the powers. He says, but to get a proper read on it, we'll have to wait for the actual text. And then he said something that I'm sure is thank you or goodbye or good luck or something signed off.

[01:59:59] James. Yes. Yeah, I love Irish. I mean, I love it when they speak it. I couldn't pronounce it for the life of me. Yeah. That's wild. Okay, so we don't have to worry about it yet. No, we do not have anything to worry about. you know, there. It sounds like from what James explained, they're going to be whatever they do will have way more formal controls on it than were in place in 1993. But it's they're still I mean, it did say

[02:00:29] what we shared. It's not a law, but it's an intent for like it's a wish for one where they get to have access to anything. That's what they're saying. And remember, that was the one where they're saying we're going to give ourselves the right to install spyware on people's phones if we think that's what we need to do. So I can't say coming soon too, but you know, it's the intent. And we know that Germany expressed the same intent,

[02:00:59] which is what we also talked about last time. Okay. Ronnie Morgan said, I thought you'd be interested to know that Gemini recommended using your DNS benchmark. I've been working on changing DNS resolvers at work and was using Gemini to complete the task, mostly for fun. Before I flipped the switch, I asked Gemini, what would be a good way to test the performance of the old resolvers the new ones. And its number one suggestion was

[02:01:29] your tool, which I honestly didn't even think about until it suggested it. And the result, new servers are performing very well. He signed off saying, thanks for a great tool. I'm looking forward to the surprise you have in store for the paid version of it. He says, parens, which I've already purchased and I'm looking forward to Spinrite 7.0. So thanks, Ronnie, for sharing that. I'm at work implementing some rather deep changes to GRC's e-commerce system, which I originally

[02:01:58] created and wrote in assembly language with no help from AI in 2003. And I haven't touched it since in 23 years, and I'm excited about the system's forthcoming new features, but I'm going to continue to keep quiet about them until they're implemented, tested, ready, because people are going to immediately rush to it and want them, and I won't be ready. So, speaking of Gemini, I recently heard from Panos, the author and publisher

[02:02:27] of Nuevo Mailer, that marvelous e-mailing system I chose as the back-end database and mail management platform for GRC's email list system, which all of our listeners are using. Nuevo Mailer is what mails nearly, I think it was 19,906 pieces of email on Sunday afternoon. None of them bounced back this time. This time Outlook and Hotmail had

[02:02:57] no complaints, whereas last week they bounced 1,500 plus, which I then later remailed with no complaints. So, again, as you said, Leo, you know, anti-spam, false positive. Anyway, Panos has become a listener of this podcast, and he dropped me a note to share a chilling Gemini AI-related event that he suffered last week. He wrote, Hi, Steve, listening to the latest podcast and speaking of AI, here's what happened to me last

[02:03:27] week. The Gemini extension in Visual Studio code while in agent mode wiped out all files and folders from my project. He said, I noticed it got into a loop, doing, undoing the same changes in two files, so I stopped it. I switched to the file explorer to pick something else, and it was empty, not even in the recycle bin. The response from Gemini,

[02:03:57] I just love this, Leo, that sounds incredibly frustrating. Oh, I'm sorry, Dave. I'm sorry, Dave. I didn't mean to do that. We're going to leave the airlocks closed and you're going to suffocate. So Gemini says, that sounds incredibly frustrating. And definitely not the kind of assistance it has in quotes, God, not the kind of assistance anyone wants from an AI.

[02:04:26] I'm sorry you're dealing with data loss. Recent reports, including documented issues in late 2025 and early 2026, have highlighted a bug where the Gemini ICLI and VS code extension can occasionally misinterpret conversational context as destructive terminal commands like RM space hyphen RF, meaning, you know, recursively delete, you know, remove,

[02:04:56] or fail during file moving operations, causing files to vanish. Since these deletions often happen via the extension host, they might bypass your OS recycle bin. But VS code has a hidden safety net that can often save you. So then, Panos continues, the safety net did not help much. It's only backups of recently edited files. Files that you've never

[02:05:26] opened with VS code are not there. Fortunately, I had another IDE which kept backups. Now I have a task running, a BAT file twice a day, making backups of important projects to a different drive. Yeah. So, you know, we've been exploring and promoting the idea of AI-driven software development and we've seen instances where AI is aimed at an existing GitHub project and then

[02:05:56] takes over. You know, so I just wanted to share Panos' hair-raising adventure and suggest that anyone who might be similarly vulnerable running, you know, maybe run a separate entirely disconnected project backup system, you know, something that the AI is not involved with in any way because, you know, belt and suspenders. The way I handle this and Panos, you should consider it too, is everything's on GitHub

[02:06:25] and you commit after every change. So there's always a way to pedal back. To rewind. Yeah, that's the beauty of a source repository like Git is you can always rewind. In fact, you frequently do want to rewind. Like, oh, that really screwed things up. Let's go back to the previous version. I often, I will make what I call a checkpoint and then I'll go do something and if I end up really tangled up, you know, like the first, the first, the DNS

[02:06:55] benchmark from 2008, because IP addresses fit in a 32-bit register, I mean, it was so difficult to switch it to 128-bit IPv6 and then strings, URLs. And so I kept going forward. I go, oh, and I rewind. I go back. I start again. And each time I learned something that I hadn't anticipated until finally I got it to work.

[02:07:25] It's like a video game. You save regularly so that if you run into something, you can come back. resurrected. It's actually really handy. Almost all these tools use GitHub and it's trivial to say to your agent, every time we finish something, commit, I always say, in fact, it does it automatically now, commit, push, and build. That's the other thing. I never used to use GitHub's CICL process where it would build software.

[02:07:55] It builds it now. And it builds it for multi-platforms. It builds it for three different platforms. So it's cross-platform. I just say, you know, commit, okay, good, good job, commit and build. And then I go do something. We live in, I just. So it changes us from coders to project managers. Or bosses, yeah. Yeah. Or the mayor in this case. So also being a listener,

[02:08:24] Panos also shared, he said, P.S., I attached something that happened to me today. Of course, I did not press win plus R. So he attached an example of one of the most terrifying social engineering hacks floating around today. This would get a lot of people, I think. It would. And that's my concern. You know, we've all encountered CAPTCHAs that we're asked to solve. That's a thing now. And more recently,

[02:08:55] when we're attempting to visit a site that's hosted by Cloudflare, we'll encounter an intercept screen that asks us to wait a moment while it verifies that we're human. Sometimes that intercept will self-resolve, and other times we're asked to click on a checkbox to affirm our humanity. Presumably, some fancy JavaScript has been profiling our connection in some way, but it also wants to watch us as we servo the mouse over to the checkbox and

[02:09:25] click it. So in a deviously brilliant social engineering hack that's obvious only in retrospect, bad guys realized that they could spoof the increasingly familiar Cloudflare intercept event and get people to follow additional innocuous looking instructions. I know that a great many of us serve as the computer experts for our friends and neighbors and family

[02:09:54] members and fellow employees. So we've developed an appreciation for how little anyone really and truly understands the computers they're sitting in front of and using. You know, that's what makes this particular social engineering attack so devastating. It will obviously have a high success rate. A week or two ago, we shared the experience of another listener of ours who,

[02:10:24] while visiting at his mom's house, began receiving money transfer acknowledgments on his phone. He ran home to discover that something called Screen Connect had activated and somebody was controlling his machine remotely and using it to transfer his money elsewhere without his knowledge or permission. Naturally, he wondered how such malware might have landed inside his machine. In this case, being a savvy security now listener, it's unlikely

[02:10:54] that he would have fallen for this particular hack, just as Panos did not. But unless somebody really understood what they were doing, this would look like an entirely reasonable request. the solution is for Microsoft to get proactive here. Just as Cisco has needed to with their own networking gear, Microsoft needs to soberly recognize

[02:11:23] that Windows users are not expert users anymore. Less so every day. Over time, you know, they're becoming less expert. You know, clipboard? What's a clipboard? We see this recognition in many other areas of annoying, you know, preemptive hand-holding by Microsoft in Windows. I have two Windows machines that I don't care much about, which are logged in with a Microsoft account. What a

[02:11:53] mistake and lesson that has turned out to be. Microsoft is pushing everyone to log in with a Microsoft account when they repeatedly brutalize anyone who does not. It's, you know, becoming annoying listening to Microsoft over and over and over again, you know, telling me that I need to turn on backups on my PC. It's like, no, I don't. Leave me alone. But I do a major update and it's back to

[02:12:22] setting up Windows screen, you know, making me tell them like four times in a row, no, I am really sure I do not want you to do backups for me. But in this case, of what amounts to system clipboard abuse, which seems like a very serious problem that promises to wreak havoc, it would be trivial for Microsoft to track the source of any data

[02:12:51] that's placed onto the clipboard and take special measures when any clipboard data attempts to cross a security boundary. We know that today's web browsers are inherently high-risk containers and that a huge amount of effort has gone into browser containment. A shared clipboard completely breaches browser containment, right? Because it allows you to copy something

[02:13:21] from in the browser and paste it outside the browser. A shared clipboard is a fundamental weakness which just kind of crept up on us without anyone thinking about it. So the idea that it's possible for some malicious browser JavaScript, which originated from Lord only knows where, to place malicious content onto the shared system clipboard and then instruct its user to execute

[02:13:51] content by copying it into the Windows run dialog without having Windows raise a huge fuss with flashing lights and sirens and are you sure? I mean, I'm sure I don't want backup. I am sure that I would like to have Windows warn me if something that I didn't manually put on the clipboard somehow got there and is about to be pasted

[02:14:20] into a run dialog. It seems to me it is the height of non-proactive irresponsibility on Microsoft's part. So, Microsoft, if anyone there is listening, get this fixed because this problem is not going away. Baring your head in the sand is not going to fix this. You know, this is a problem. Nick Mapsey said, Hi, Steve, I just got to the part in last week's podcast where you

[02:14:50] break down how your ISP can snoop on you. You point out that once we're all using TLS 1.3, the most they can do is track what IP addresses you visit. But I want to point out that even then, there's a much bigger privacy threat they can pose. As you said, ISPs know who you are and where you live. Third-party cookies can track where you've been

[02:15:19] on the internet, but they don't inherently know who you are. ISPs can solve that problem for tracking companies. They could set up a marketplace where a company can ask who currently is at this IP address. And the ISP would, for a price, tell them who you are, where you live, what's your email address, what's your phone number, etc. We already

[02:15:49] know that cell carriers have been selling real-time location data, so this is not a big leap at all. I haven't seen confirmation yet that this is being done, but I'm paranoid enough that this led me to finally start using a 24-7 VPN. I thought it might be worth pointing out on the podcast. And yikes. I have to agree with Nick's horrifying observation. Again, no one has any evidence or proof or belief that this is happening,

[02:16:19] but every ISP is aware of their subscribers' current public IP address. And it must be that law enforcement has been able to ask an ISP exactly who was using which of the ISPs block of public IPs at any given time. That would seem logical. So I agree with Nick that imagining ISPs might monetize that knowledge

[02:16:48] in real time is not a big leap. I suppose it would be beneficial or it would be one benefit of an ISP using carrier-grade NAT, which we've talked about before, where users don't get public IPs, they get a block of private IPs because the ISP themselves, just as users are behind NAT router at home, the ISP is behind a carrier grade

[02:17:18] NAT router and is issuing private IPs to its subscribers, in which case they're anonymized by that. So that would be one benefit of that. But, you know, ISPs do know who we are and they're, you know, who knows what the fine print says, whether they are actually able to disclose our real-time IP to anybody who asks, even not law enforcement but for commercial purposes. I don't know.

[02:17:49] And, Leo, what I do know is that we have one final sponsor to introduce. Steve, you can count. That's so impressive. We are good. I miscounted one week. I don't always count. Yeah, let's take a break, final break, and then we will finish up with our story of the week. Mongo is too easy. Again, it has nothing to do with Blazing Saddles. You remember Mongo from

[02:18:19] Blazing Saddles? Do you remember that? He was played by an ex-football player, what was his name? Alex Karras. He's a big guy. Mongo. Anyway, I wonder if MongoDB could have been named after Mongo from White Blazing Saddle. I could see that. Python is named after Monty Python, right? Our show today brought to you by GuardSquare. This is a brand new sponsor. We want to welcome to security now. Something you need to know about if you do mobile

[02:18:48] app development. Mobile apps today are obviously an inescapable part of life. If you've got anything, a mattress to a camera, you need to have a mobile app, right? Financial services, healthcare, retail, entertainment. Users are trusting mobile apps, really trusting them with all their sensitive personal data. A recent survey showed that 72% of organizations had experienced a mobile app security incident last

[02:19:18] year. Almost three quarters. 92% of respondents reported threat levels rising over the last two years. And attackers know this. Attackers who want your personal data, who want your users, your customers' personal data, are constantly finding new ways to attack your mobile app, just like they attacked Don Ho. They reverse engineer it, repackage it, and distribute the modified app via phishing campaigns. It looks like the real thing. Side-loading,

[02:19:48] third-party app stores, there's all sorts of ways to get users to install that bogus app. But who gets the blame? You. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users. That's where GuardSquare comes in. I did not know this existed until I talked to them. This is super cool. GuardSquare delivers mobile app security without compromise, providing advanced protections for both

[02:20:17] Android and iOS apps combined with automated mobile application security testing that helps find vulnerabilities and real-time threat monitoring to gain insights into attacks so you know what's going on. Discover more about how GuardSquare provides industry-leading security for your mobile apps. You'll find them at GuardSquare.com. GuardSquare.com. That's GuardSquare.com. G-U-A-R-D-S-Q-U-A-R-E. GuardSquare.com.

[02:20:47] Don't be another Don Ho. I bet he wishes he had this for Notepad++. GuardSquare.com for your mobile app. Okay. Okay, Steve. So even though we kicked off this year with a podcast titled Mongo Bleed and I resisted talking about it again so soon. The security research I just found was just too much fun and too interesting to pass up. The competition for today's main topic

[02:21:16] as I said was that one I already shared about AI finding flaws in OpenSSL which I agree with you Leo. I mean this is a game changer for the software industry. And you know on the creation side we just saw the stock market you know punish companies that produce software because oh I can make my own now. Okay, so get a load of this one. The following posting was made

[02:21:45] by the Darknet Army posted to the dark web at 2 a.m. last year on October 1st. So this is you know a dark web posting by the Darknet Army. What's up hustlers? I've been using this secret method since 2019. What's up hustlers? What's up hustlers? What's up? To pull in steady cash every day

[02:22:15] but it's starting to get crowded now. Before this method gets completely burned out I'm sharing it here so you can jump on it and make some serious money for yourself. This isn't some complicated tech heavy process. You don't need to know coding hacking or anything technical. If you can copy paste and click you're good to go. I'll guide you through every single step. So what are we actually doing? Here's the deal.

[02:22:45] There are websites out there where businesses store their important information. Think customer records, orders, employee details, etc. in a digital storage system. The storage system is called a database. But here's the crazy part. Some businesses leave their databases completely unprotected, wide open on the internet. They don't set up passwords or any security which means anyone, all caps,

[02:23:14] like you, can access them with just a browser. Once you're in, you can delete their data, wipe it all clean, then leave a ransom note telling them to pay Bitcoin if they want their data back. Sounds wild, right? Stick with me and I'll show you how easy it is to do this. Why are these databases exposed? Most businesses use a type of database called MongoDB because it's fast and

[02:23:44] easy to set up. They use a tool called Mongo Express to manage it, basically a control panel for their database. The problem? Many businesses are careless and leave their Mongo Express control panels exposed online with no passwords. This makes them perfect targets. You don't even need hacking tools to get in. Need help? If you're stuck or have questions, hit me up. DM me on the forum. Message me on

[02:24:14] Telegram. He provides addresses for all that. And final words, he says, this method is stupidly easy and works like magic, but it won't last forever. Businesses are slowly waking up and fixing their Mongo Express setups. So use this while you still can. Follow the steps outlined below to take action and you can start earning $600 a day. So that was actually

[02:24:43] posted to the dark web for the hustlers. I titled today's podcast Mongo's Too Easy because Mongo DB's continuing exploitation is now in the hands of the script kitties. It turns out there's another market out there, such as it is, where there are no sophisticated intrusions with multi-terabyte exfiltrations of data,

[02:25:14] fancy command and control servers with dynamically rotating and changing time-based DNS domain lookups, encryptions and keys and all that. Nope. All of the data contained within exposed Mongo DB instances are simply being deleted. In its place is a ransom note explaining that the data can be returned once payment of $500

[02:25:43] or $600 in Bitcoin has been received. Just to be clear, that's not true. They don't know how to do any of that. They're script kitties. Instead, all of the database's data was permanently deleted and a bogus ransom note is being left behind. It's a bogus ransom note because payment of the ransom has no effect. None. No data is ever returned

[02:26:13] because it was irreversibly deleted from the database. These are not the traditional serious attackers who hack, exfiltrate, encrypt, and extort. No. This is the bottom of the market. These attackers are trading on the reputation, such as it is, that the high-end attackers carefully established long ago for honoring the payment

[02:26:43] of their extortion demands. those guys are serious. These guys are not. The high-end attackers realize that if they want their demands, which often run into the many millions of dollars, to be taken seriously and paid, they need their victims to really believe that payment will result in the return of the stolen data and its subsequent deletion so that it never

[02:27:12] leaks publicly. If the high-end attackers do not honor their agreement upon the payment of ransoms, the high-end of this market will fail. A Canadian cybersecurity firm known as Flare Systems posted a great piece from which I excerpted that earlier posting. The title of their posting last Monday was, MongoDB Ransom Isn't Back, It Never Left. They wrote,

[02:27:42] Between 2017 and 2021, there was a series of research publications about MongoDB ransomware exploitation campaigns. These blogs described the same pattern. Someone in an organization made a mistake, which left MongoDB exposed to the world. The problem was that this MongoDB didn't require any special authorization or password, so anyone over the internet could have accessed and controlled that database.

[02:28:13] Here's the sequence of events for attackers who abused these exposures. Threat actor finds a MongoDB database. They copy everything to their own device. They delete everything on the victim's computer. In place of the database, they leave a ransom note. The ransom note claims, pay hundreds of dollars in the next 48 hours, or the database would be permanently deleted. That was five years ago. But since then, there

[02:28:43] have only been a few stories about ransom against MongoDB. However, a couple of months ago, we conducted a pen testing exercise for a small to medium-sized business. The organization had 12 MongoDB instances, and two of them were exposed to the internet with a ransom note inside. reminded us of the MongoDB ransom campaigns, we decided to create and run a honeypot

[02:29:13] exposing MongoDB secrets. And Leo, if the fixed canary can support a MongoDB, that might be a fun thing for people to play with. Oh, that's a good idea. I have to check and see if I can do that. I bet it can. It's great. So they many similar stories. One story reflects the threat from a victim's perspective, talking about a rising star tech

[02:29:43] startup that heavily relied on MongoDB as a database being hacked and extorted for $25,000. In this blog, we analyze the current MongoDB ransomware threat. MongoDB ransom attacks are not driven by advanced exploits or novel malware. They are the predictable outcome of internet-exposed, unauthenticated databases. As long as

[02:30:13] insecure deployment patterns continue to propagate through tutorials, container images, and copy-paste infrastructure, these attacks will remain cheap, scalable, and profitable for threat actors and costly for organizations without proper controls. The MongoDB ransom ecosystem demonstrates that real risk often emerges from the intersection of deployment patterns, configuration

[02:30:42] shortcuts, and attacker monetization models rather than from advanced exploits alone. The attacks exploit MongoDB databases that are exposed to the internet with default, unsecured configurations, no password, open ports, and so on. Automated scripts. Oh yeah, here I can turn on MongoDB. Let me just tell you it's on port 27017 in case anybody wants to get in. That is the default MongoDB

[02:31:12] port. Yeah, no problem. So I got a Windows server running with MongoDB on it. Just come on in, hack away, you're more than welcome. I'll know immediately though. Isn't that great that I can make that things canary be that? That's fantastic. Sorry, go ahead. So they said automated scripts, bots, scan for vulnerable instances. Once an open database is found, the data is typically exported

[02:31:41] or simply deleted. The collections are dropped and a new collection containing a ransom note is inserted. Threat actors demand payment in Bitcoin, often around 0.005 BTC, equivalent today to between $500 and $600. Actually, that depends about when you look. Bitcoin's been having a little rough time of it lately. They said to a specified

[02:32:10] wallet address promising to restore the data. However, there's no guarantee the attackers have the data or will provide a working decryption key if paid. These incidents sometimes referred to as the MongoDB apocalypse affected tens of thousands of servers. Victims who have paid the ransom often reported receiving nothing in return or finding the provided

[02:32:40] data and data slash keys were useless, leading to permanent data loss. Thus, security experts strongly advise against paying the ransoms. On the other hand, five or six hundred bucks. Part of the key to this working at all is that the bad guys put no effort into this, a bot found it, a bot dealt with it, and they're not asking for millions of dollars, they're asking for five or six hundred bucks. They said, we set up a MongoDB honeypot,

[02:33:09] and so has Leo, on a container infrastructure connected to the world without authentication. We deployed the container in various geolocations. It didn't take long. A few days after we set up the containers, we saw the ransom note in all the servers. They then show the MongoDB shell running and the command show DBS, you know, DBs, databases, which results in the

[02:33:38] listing of a file titled read underscore me underscore to recover your data. After using the MongoDB shell to switch to that file, it is dumped to the console, and it reads, all your data is backed up. You must pay 0.0054 BTC to, and then a Bitcoin address, in 48 hours, your data will be

[02:34:08] publicly disclosed and deleted. For more information, go to, and then they have a website address, the numeral 2 info.win forward slash MDB. They said, after paying, after paying, send mail to us, and then they have an email address, Rambler, and then a plus sign, and then a six-character token, 1Y08BU

[02:34:38] at onionmail.org, they said, and we will provide a link for you to download your data. Your DB code is, and then the same token, 1Y08BU. So they said, we observed this attack, we started collecting threat intelligence to better assess this threat and associated risks. we found hundreds of relevant results, including this MongoDB ransom tutorial,

[02:35:07] the one that I showed you guys above. That's the note that I showed before. Then, under the heading, why and how does the MongoDB attack actually happen? They said, MongoDB is a widely used NoSQL document database designed for flexibility, scalability, and speed. Instead of rigid tables and schemas, MongoDB

[02:35:37] stores data as JSON-like documents, making it a natural fit for modern applications that evolve quickly and handle diverse data types. It is commonly used in web and mobile applications, SaaS platforms, IoT backends, real-time analytics, content management systems, and microservices architectures. Its ability to scale horizontally, replicate data across nodes, and support high-throughput workloads has

[02:36:07] made MongoDB a popular choice among startups and enterprises alike, and particularly in cloud-native environments where agility and rapid deployment are key. With this understanding, we leveraged Flare, which is a tool that they use, their own in-house tool, to identify publicly shared code snippets that explicitly configure MongoDB servers to be exposed to the internet without authentication. This approach is based on the

[02:36:36] assumption, validated repeatedly in real-world incidents, that organizations and individuals often rely on ready-made Docker images and copy-paste configurations from Docker Hub and GitHub when deploying infrastructure. Using Flare, we searched for code artifacts containing the command pattern that would bind MongoDB to all network

[02:37:05] interfaces and enable unauthenticated access by default, and they give a sample of such a string in their posting. They said, this configuration results in a MongoDB instance running inside a container that accepts connections from any IP address. When the container port is bound to the host and exposed externally, any internet originating traffic can connect directly to the database. In their default configuration,

[02:37:35] these MongoDB deployments do not enforce authentication. Again, in their default configuration, these MongoDB deployments do not enforce authentication or require credentials, allowing unrestricted access to any party that can reach the surface. As a result, this code pattern leads to publicly exposed MongoDB instances.

[02:38:04] Over a three-month analysis period in our query, we identified 763, okay, so 90 days, three months, analysis. They said, we identified 763 container images uploaded to Docker Hub containing exactly this insecure configuration. These 763 container images spanned 30

[02:38:34] distinct namespaces. Most of these images appear to be intended for personal or experimental use and have only a few hundred pulls. However, we also identified two widely used projects with more than 15,000 pulls each that included the same insecure setup. Okay, so there's, so Docker Hub is hosting two specific images

[02:39:04] for which 30,000 deployments have been made insecurely. They said, while these numbers alone do not appear significant, this represents only one of the many common ways MongoDB is inadvertently exposed. We highlight this pattern to illustrate how easily insecure configurations propagate and how widespread such exposure can become. Out of curiosity,

[02:39:33] they said, we also searched for some exposed credentials. credentials. We found 17,909 potential results for a specific user password exposure, one of many potential search terms. Out of those, we found at least half of them as valid credentials that can be abused by attackers. The diversity of sources illustrate the low level of password hygiene in the wild and how

[02:40:03] easy it is for attackers to obtain credentials in the wild. We found exposed credentials in coding repositories and registries such as GitHub and Docker Hub, dark web forums, paste sites, and Shai Hulud victims. We used Shodan to identify internet-connected MongoDB services. Our analysis revealed more than 200,000 servers

[02:40:32] running MongoDB that were publicly discoverable. Again, remember, there are very few instances where you actually need public exposure from MongoDB database. It is meant for internal infrastructure, not remote access. 200,000 servers they found running MongoDB that were publicly discoverable. Of these, they said, slightly over 100,000

[02:41:02] instances disclosed operational information, and 3,100 were fully exposed to the internet without access restrictions. Among the 3,100 fully exposed servers, 1,416, that is to say 1,416 instances, had already been compromised with their databases wiped and replaced and replaced with a ransom note.

[02:41:31] In nearly all cases, the ransom demand was approximately $500 US in Bitcoin. Notably, only five distinct Bitcoin wallets were observed across all incidents, with the wallet associated with the ransom notes left on our servers appearing in over 98% of cases. In other words, one attacker is out there. Basically,

[02:42:01] their business model is just scanning the internet for morons who put data on a MongoDB and they delete it and put a ransom note up and hope to get paid. 98% of all of the ransom notes they've seen pointed to the same Bitcoin wallet. They said this strongly suggests the activity is attributable to a single dominant actor, likely the same attacker documented in our previous dark web research.

[02:42:30] The data reveals an interesting discrepancy. They said while Shodan identified 3100 servers as fully exposed to the internet, our analysis shows that only slightly less than half of these instances were actually found to be compromised and wiped. Based on the Shodan data we found, a little more than 95,000 of the more than 200,000 exposed servers had at least

[02:43:00] one vulnerability. So there are also these servers are vulnerable in addition. So under their prevention and mitigation section, they enumerate all of the expected steps and measures. Avoid exposing MongoDB directly to the internet, enable authentication authorization, restrict network access. I'm a big fan of IP address filtering. Why let the world have it? Why expose

[02:43:29] it to Asia, for example? If you have to have it exposed in the US, then do some geolocating. That's no longer difficult to do. They say harden container and cloud deployments, implement continuous exposure monitoring, isolate the database, audit access logs, assess data integrity, and patch and upgrade. Right. So all of that amounts to standard and expected best practices.

[02:43:59] Don't expose the darn thing to the internet, period. Why? Exercise any sort of security hygiene. So anyway, my two final points are, the first is, one of my primary, we wake up and smell the coffee. It's not that it's impossible for authentication to work. It's that it

[02:44:29] absolutely must not be relied upon to work. It should never be the only thing standing between attackers and disaster. It should only ever be one of multiple lines of defense. One of my favorite things that I hit upon last year, thanks to this podcast, is the observation that the only servers that should ever be exposed to the internet are those that are

[02:44:58] meant to be accessed anonymously anonymously by everyone. In other words, no authentication on purpose, no authentication by design. Things like web servers and email servers and DNS servers that everyone is expected to access. Their job is to provide anyone who comes knocking a connection and access. this means that nothing that requires

[02:45:28] a logon before its services can be used from the public internet should ever be widely exposed. I know it sounds nutty and impractical, but almost all systems and services could be set up that way if their IT people cared to do so. Pointing fingers at Microsoft, Cisco, or whomever after the fact and blaming them for their authentication failures may shift the

[02:45:57] blame, but a more robust overall network design could have prevented their failure from also highlighting yours. And I said I had two points to make. The second point flows from this line of Flair's systems conclusion. They write attackers did not rely on sophisticated exploits or zero days. Instead, they abused insecure defaults.

[02:46:28] This further supports the pessimistic contention I ended with last week. AI may help us find flaws in our software. Now we know that's almost certain to happen. Yay, team. That's great. But unfortunately, while AI may be getting smarter, it also shows no signs nor hope of being able to make us humans any less dumb. AI won't

[02:46:57] fix what amounts to laziness and lack of attention to critically important details, configuration mistakes, and default setups. That's on us. There's just no excuse for MongoDB, for example, to still, as we enter 2026, be in the sad state it is. It's truly unconscionable. Well, maybe they'll listen to this show and figure it all out, Steve.

[02:47:27] Certainly I have. Now I have to go open all the ports on my router so that my AI assistant can do everything. give it your credit card number, give it your family history. You only live once, Steve. YOLO, baby. It's so tempting. I'm sitting here looking at, I'm giving it OAuth credentials to my Gmail and my Google Drive. Well,

[02:47:57] how else is it supposed to triage my email and upload files? And know what you're thinking from moment to And know what I'm thinking. Yeah. I already kind of gave it a brain dump. I'm going to also give it my Obsidian and Day One journals, and it can know everything deep down in my inner secrets. But I'm not giving it my GitHub keys. No way. Steve Gibson is at GRC.com, the Gibson Research Corporation.

[02:48:26] That is where, well, there's so many reasons to go there. Of course, Spinrite, the world's best mass storage maintenance performance enhancing and recovery utility. If you have mass storage, you need Spinrite. He's also got the incredible, brand new, just for you, a DNS Benchmark Pro, for a mere $999. lifetime license. Go on in there and get it. While you're at GRC.com, you can also give him your email address.

[02:48:56] He's not going to send you anything unless you ask for it, but the idea is that you can send him stuff because he's got a clever system. He's got a whitelisting system. Once you put the address in, he does some voodoo and then all of a sudden, you can send him emails with pictures of the week or questions or suggestions. GRC.com slash email. There are two little checkboxes below the email address, one for the weekly newsletter. Now it goes out on Sunday. Soon it'll be Saturday. If Lori has anything to do with it, it'll be by Wednesday.

[02:49:28] I take it she does that so she has more time with you and I think that's a good thing. She just knows that I get stressed out because I take this responsibility so seriously and so the sooner it's over then I'm not worrying about getting it done. Doesn't she understand it's never over? It's like painting the Golden Gate Bridge. As soon as you finish one, you gotta start the next. Anyway, check that box. You get that weekly mailing of the show notes. Really, really great stuff. 22 pages this week of fantastic stuff. Links,

[02:49:58] images, all the text. Now you can actually see the real text, the transcript. He's got when you go to the podcast site, not only does he have some unique versions of the show, but he has really nice transcripts written by a human, not AI. Lane Ferris does a great job. So the transcripts for every show are there. It takes a few days. 1063 will be there, you know, maybe by Friday. You also can get, of course, the show. He's got the 16 kilobit audio version.

[02:50:28] Does anybody download that? Ever? I haven't seen the counts. Somebody, somebody must. There are people who absolutely rely on it and they tell me when, you know, it's like I forgot to post it or because I have to manually select the bit rate, sometimes I forget and leave it at set to 64 and they'll say, hey, this thing's too big. I know it's probably people on dial up in, you know, Western Australia,

[02:50:58] stuff like that. You know, people are really out in the boonies, but they love the show. If you know who you are, the 16 kilobit versions at grc.com. He also makes a 64 kilobit version, which is still smaller than what we offer. So that's good. And that sounds fantastic. That one's fine. And let's see, show notes, the two different versions, the transcript, I think that's everything, right, that you offer for that. Go there, there's lots of other stuff. It's one of those

[02:51:28] websites you fall into and three hours later you go, what happened to the time? Lots of great information there. We have copies of the show at our website too, of course, twit.tv slash sn, but ours are heftier. We have 128 kilobit audio for people with four ears. We also have a video version of it. If you like to see Steve's mustache, it's very animated. It's getting wider. It's a life of its own.

[02:51:58] If you keep drinking coffee, it might not get wider. That's twit.tv slash sn. There's a YouTube channel dedicated to this. Actually, that's really useful because I know all the time, you know, you say, God, I got to send this to my boss or whatever. Easy to clip. Everybody can watch it, even your boss. That's the dedicated to Security Now YouTube channel. I can't remember the exact address, something like youtube.com slash security now, something like that. Search for security now, you'll find it. The easiest way to get it,

[02:52:28] subscribe in your favorite podcast client because it's everywhere. Leave us a nice review if you do that, we'd appreciate it. Of course, it's free, there's audio and video. We do do the show live. We stream it live if you want to watch while we're doing it. It's funny, we've been doing that for years. This is like 2009 or something. But now all the cool kids say, hey, you know, you really ought to stream video of your podcast. It's like, oh, really? I should think about that. There's a new podcast company just

[02:52:58] started up Kaleidoscope. and we're going to do video. And we're So if you want to watch us do it live, we stream the video as we're doing it every Tuesday right after Mac break weekly about 1330 Pacific time, 1630 Eastern, that would be 2130 UTC. The live streams are on the Discord for club members, but there's also YouTube, Twitch, X.com, LinkedIn, Facebook, and kick. So lots of ways to watch us live. And if you're

[02:53:28] watching live, I watch the chat and I see all the chats, so you can also chat with us as well. Appreciate it. I think that's all the business I need to take care of except to say, Steve, you did it again. Thank you so much and we'll see you next week on Security Now. Thanks, buddy. Till then. And who knows when the show notes will come, but I'll be working on next weekend. It's always a surprise. Hey, there, it's Leo Laporte, host of so many shows on

[02:53:58] the Twit Network. Thinking about advertising in 2026, we host a network of the most trusted shows in tech, each featuring authentic post-read ads delivered by Micah Sargent, my co-host, and of course me. Our listeners don't just hear our ads, they really believe in them because we've established a relationship with them. They trust us. According to Twit fans, they've purchased several items advertised on the Twit Network because they trust our team's expertise in the

[02:54:27] latest technology. If Twit supports it, they know they can trust it. In fact, 88% of our audience has made a purchase because of a Twit ad. Over 90% help make IT and tech buying decisions at their companies. These are the people you want to talk to. Ask David Coover. He's the senior strategist at ThreatLock. David said, Twit's hosts are some of the most respected voices in technology and cybersecurity and their audience reflects that same level of expertise and engagement. It's the

[02:54:56] engagement that really makes a difference to us. With every campaign, you're going to get measurable results. You get presence on our show episode pages. In fact, we even have links right there in the RSS feed descriptions. Plus, our team will support you every step of the way. So, if you're ready to reach the most influential audience in tech, email us partner at twit.tv or head to twit.tv slash advertise. I'm looking forward to telling our qualified audience about your great product.

[02:55:34] Okay, Nicola, Quizfrage. Homeoffice-Bastade oder Fahrtkosten? Was bringt uns mehr? Moment, ich check das kurz. Oha, Homeoffice gewinnt. Bringt uns 150 Euro mehr im Jahr. Ja, richtig. Aber wieso weißt du sowas? Weil, wieso Scheuer die Erstattung live anzeigt. Das ist einfach die Steuer-App für alle Fälle. Ja, und Fragen beantwortet sie auch. 24-7 und ohne Beamten-Deutsch. Das ist einfach die App, die uns versteht. Steuern erledigt. Safe. Mit wieso Steuer. Jetzt kostenlos ausprobieren.

[02:56:07] Hörst du das? So klingen Füchse, wenn sie Schmetterlinge im Bauch haben. Und die habe ich auch. Der Sparfuchs von Sparsim. Denn zum Valentinstag habe ich was zum Verlieben für dich. 60 Gigabyte im Vodafone-Netz für 9,99 Euro monatlich. Und dank 50 Euro Wechselbonus hat es Surfen verwöhnt. Mach Schluss mit deinem alten Tarif. Sicher dir bis 17. Februar deinen Deal auf Sparsim.de