Think your online alias keeps you safe? This episode reveals how advanced language models are making it trivial to de-anonymize users at scale, challenging everything we thought we knew about internet privacy.
- Anthropic & Mozilla improve Firefox's security.
- Apple & Google begin testing cross-platform RCS encryption.
- Ubuntu's sudo starts echoing asterisks.
- Inviting a web proxy into your home.
- Apple devices cleared by Germany for NATO's use.
- A serious remote takeover of OpenClaw.
- TikTok won't encrypt messaging for visibility.
- Microsoft bans the term "Microslop" on Discord.
- Lots of great listener feedback.
- LLMs could make Orwell's 1984 seem optimistic.
Show Notes - https://www.grc.com/sn/SN-1069-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now.
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit
[00:00:00] It's time for Security Now. Steve Gibson is here. We've got a lot of really interesting conversations. How Mozilla used Claude to improve its security. While you might want to be extra careful about OpenClaw, wow, it opens a great big hole into your network with a remote takeover. And we're going to talk about a new capability for LLMs that might scare you just a little bit. All of that coming up next.
[00:00:30] On Security Now. Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1069. Recorded Tuesday, March 10th, 2026. You can't hide from LLMs.
[00:00:54] It's time for Security Now. Oh yes, you wait all week for Tuesday. And I'm glad to be back. Steve is back and we're ready to talk to you. Talk security with this guy right here, Steve Gibson of GRC. Hey Steve, it's good to see you. We had such fun in Florida at Zero Trust World. It was so fun to get to spend some time with you and Lori and have a couple of dinners together and stuff. We had to meet some of our listeners. That was fun too.
[00:01:21] Oh man, we met some really interesting people. I don't know if I'm at liberty to divulge some of these people, pretty high up people. It's not really a selfie line, is it? If somebody else is taking the picture. It's kind of a selfie line. We took about, I don't know, 50, 60, maybe 100 pictures. It went on for an hour and a half. I got to sign some SpinRite CDs and floppy disks.
[00:01:51] Guy brought his dad's, that was hysterical, his dad's SpinRite floppy for you to sign. And that pristine Mac. And he's, I mean, it was gorgeous, and he hands me a Sharpie and says, I want you to sign my Mac. I said, this is indelible. And he said, yeah, and I'm hoping it doesn't rub off. I'm going to spray it with a fixer sealant afterwards. Nice.
[00:02:18] And I said, you're sure? I mean, you're really sure you want me to sign this? He says, oh yeah. Oh yeah. Here's Steve signing a dad's SpinRite floppy. That was pretty fun. Really, really fun. Talked to one guy who was in charge of data exfiltration. He was a contractor with the U.S. government, but he was in country, and was it Iraq or Afghanistan? I can't remember which.
[00:02:47] And he, this was a great story. Can I tell it, or are you going to talk about it later? Cause it's a story. He said we had, what, it was three or four PCs running SpinRite. We would get these drives that had been used by, recovered from the field, like the Taliban. And first thing we'd do is we'd run SpinRite on them. Probably they'd image them first. And then they would run SpinRite on them to recover the data.
[00:03:15] I mean, that's pretty, Steve, that's pretty cool. It's pretty, pretty cool. Well, SpinRite was up in space. There is a copy on the space station. The ISS has it. Yeah. I didn't know that. Oh yeah. They use it all the time. Apparently for, you know, those pesky neutrons, they'll mess up your magnetic domains. And so SpinRite puts them back where they're supposed to be.
[00:03:39] We had a story this week that somebody did some instrumentation of Firefox. 10% of Firefox crashes and failures came from bit flips, you know, in non-ECC RAM, bit flips in the RAM. This happens more often than you think. And that's often because cosmic rays are striking your RAM.
[00:04:02] Yep. What a world. It's amazing. This stuff works, but it doesn't always. And that's when it doesn't, that's why Steve is here. What's coming up this week? So there was a really interesting story, which maybe in retrospect shouldn't be too surprising, but I wanted to put it on everyone's map, which is that our ETH Zurich folks, with some help from the Anthropic people,
[00:04:33] did a study which demonstrated how small a sample of public internet postings is needed in order to de-pseudonymize people. So, you know, it's like if you read something someone writes, and it's like, well, this really sounds like this person or that person.
[00:04:59] Turns out LLMs are astonishingly good at picking up nuances of word choice and, you know, writing style, and are able to, with a great deal of power, de-anonymize.
[00:05:17] So today's topic title is You Can't Hide from LLMs. And we'll be looking at that research at the end for our episode 1069 for this 10th of March, 2026. But we're going to look at another... Boy, Leo, Anthropic is really coming on strong. You know, OpenAI kind of got out of the gate first, but I'm really impressed with everything that we're seeing from
[00:05:44] Claude Code. Every time I use it, it blows me away. It's like, wow, you're smart. So Anthropic teamed up with Mozilla and decided to take a close look at Firefox's security. We're going to look at what they found. Apple and Google are finally looking at cross-platform RCS encryption, which hasn't existed before. Ubuntu's sudo command behavior just changed.
[00:06:13] And I thought that was sort of interesting. Also, I'm not sure you want to be inviting a web proxy into your home. Turns out a surprising number of people have, either wittingly or unwittingly. Apple devices were studied by Germany and something happened. We've also got some researchers who discovered a very serious remote takeover of OpenClaw,
[00:06:40] which immediately came to the attention of the OpenClaw guys and they fixed it. But the problem is really interesting because we've just been talking about these sorts of problems in the last few weeks. TikTok made a decision about their encryption of messaging. I just threw something in that really wasn't security related and I almost took it out, but I created the show notes in a PDF before I had deleted it.
[00:07:08] So I thought, okay, I'll just leave it in, which is Microsoft banning a derogatory term relating to them from their Discord server.
[00:07:20] And frankly, I've been surprised that they leave GitHub as alone as they do, because all kinds of, you know, anti-Microsoft stuff is there, but they have a hands-off policy. Not so their Discord server, although it could have just been, you know, an aberrant employee. So we also got a bunch of really great listener feedback that we're going to spend some time on. And then we're going to look at how LLMs could make Orwell's 1984 seem optimistic. Oh boy.
[00:07:51] Yeah. Oh boy. And of course, a listener-provided Picture of the Week that we're going to have some fun with. So I think another great podcast for us. All right. Well, we'll get to the meat of the matter in just a bit, but first a word from our sponsor. We'd like to start by telling you about our fine sponsors, in this case, when you ought to be using Bitwarden, the trusted leader in passwords, passkeys.
[00:08:19] They even do secrets management. Bitwarden added, a few months ago, the ability to generate, store, and even regurgitate your SSH keys, which makes it so much easier for me to do an SSH login securely. Just one of many ways Bitwarden just gets better all the time. Bitwarden's consistently ranked number one in user satisfaction by G2 and software reviews. They have 10 million users across 180 countries. This might surprise you though.
[00:08:49] More than 50,000 businesses use Bitwarden. I mean, we know Bitwarden is great for individuals, but it's also great for business. So whether you're protecting your personal account or thousands of accounts at work, Bitwarden will keep you secure all year long. Constant updates, always improving. That's one of the things I love about them. Partly because they're open source. I think that's one of the reasons lots of great contributors helping Bitwarden get better all the time. For instance, the new Bitwarden Access Intelligence. This is for business.
[00:09:19] Organizations can use it to detect weak, reused, or exposed credentials. And then immediately guide remediation. Getting your employee to fix those risky passwords, replace them with strong, unique ones. And that is a big, as you know, a big security problem. Credentials are probably the top cause, certainly one of the top one or two causes of breaches. But with Access Intelligence, they become visible, prioritized, and corrected before exploitation can occur.
[00:09:49] The other thing I love about this is Bitwarden, this is for enterprise, but they also do the same thing for you in your personal vault. So if you have weak passwords, it'll tell you. It'll help you fix it. You know, it helps you do the right thing. It helps you become more secure. Oh, here's something else they just added. Bitwarden Lite. Bitwarden Lite is a lightweight, self-hosted password manager. This is great for home labs, personal projects, any environment that wants quick setup with minimal overhead.
[00:10:18] Great for geeks like us who just want to trust no one and do it all by ourselves. Bitwarden Lite. The real-time vault health alerts and password coaching features help you be more secure, help your family members, your friends. This is why you should tell everybody. Because, you know, I know you use a password manager. But I also know most of the people in our lives don't. And they don't really understand how much at risk that puts them. Get them to use Bitwarden. They can strengthen their security instantly.
[00:10:46] They have, oh, you know, some people, I would bet, who aren't using password managers do use their browsers, right? The passwords. But that's not convenient. It's in your browser. It's not on your phone. Or it's in your phone. It's not on your desktop. Now Bitwarden will support direct import from the browsers, from Chrome, Edge, Brave, Opera, and Vivaldi. Direct import literally copies the credentials from the browser into the encrypted vault without that separate plain text export, which always makes me a little bit nervous.
[00:11:16] That not only simplifies migration, it reduces exposure associated with manual export and deletion steps. You've got to remember to delete that clear text password that's sitting on your hard drive. It makes me very nervous to have that. Not anymore. Just take it. And this way, your family and friends can move from their browser's password store, which is not as good, not as convenient, into something that really works. G2Winner2025 says Bitwarden continues to hold strong as number one, according to G2, number one in every enterprise category.
[00:11:47] In every enterprise category. That's for six straight quarters, too. Bitwarden's setup is easy. Steve and I moved very quickly from our old password manager to our new one a few years ago when we decided enough was enough. We wanted to use Bitwarden. It supports importing from most password management solutions. And because it's open source, you can look at the code. It's on GitHub. It's GPL licensed. It's regularly audited by third-party experts. And it meets SOC 2, Type 2, GDPR, HIPAA, CCPA standards.
[00:12:16] It's ISO 27001-2002 certified. Look, for your business, get started today with a free trial of Bitwarden Teams or Enterprise. Or get started for free forever across all devices as an individual at bitwarden.com slash twit. Bitwarden.com slash twit. Unlimited passwords, unlimited devices. It even supports pass keys, hardware keys. All for free.
[00:12:46] Bitwarden.com slash twit. It's what I use. It's what I tell everybody to use. Highly recommend it. Bitwarden.com slash twit. And now, the picture of the week. So, this is a great picture. And I just gave it the caption simply, You know, because otherwise it would not be clear. I'm scrolling up to see it for the first time. Will make sense in context.
[00:13:20] Okay. Yeah, you need that sign. Otherwise, it would not be clear. Yeah. But, you know, okay. So, first of all, what we have is a sidewalk, which comes to an abrupt end. And I'm not exactly sure how this happened. Like, you know, there's like two phone poles and some guy wires and a weird rusted fence kind of down below it.
[00:13:46] So, did the sidewalk come later and they didn't plan ahead? Walk right up to that obstruction. I just don't understand like how this happened. But the other thing, Leo. So, again, I got myself off track. We have a big bolted down inverted U ending, you know, like blockade at the end of where a sidewalk ends
[00:14:14] that kind of goes off of a short little cliff down to a lower level. That's probably good if you're walking that sidewalk. It's pitch black out. It's at night. You don't know that the sidewalk is going to end. You would run into that without going off. True. Then you wouldn't be able to read the sign. Nor would you need the sign. You kind of know. Arguably. And, Leo, which brings me to the sign.
[00:14:38] Like, clearly, this barricade was officially installed, right? You can see it's got bolts down into concrete. It was like done. They also stuck some rectangular reflective striping on the two verticals and across the horizontal. You're not going to miss it. Where did this sign come from? It's zip tied on. And it's like cockeyed and not centered.
[00:15:07] And it's like, what? Like. It's literally zip tied onto this nice, solid device. That's crazy. And not like one is like the upper right corner is hooked to the top. And there. I don't know. It's completely whopper-jawed. Yeah. Yeah. That's exactly right. Anyway, thanks again to our listeners for providing us with some entertainment every week. Yes, indeed.
[00:15:35] Anthropic and Mozilla have teamed up to provide us with some more security, specifically for Firefox. They posted to their site last Friday under the headline, Partnering with Mozilla to Improve Firefox's Security, which those of us who have stuck with Firefox appreciate.
[00:15:55] Anthropic wrote, AI models can now independently identify high severity vulnerabilities in complex software. As we recently documented, we talked about this previously. Claude found more than 500 zero-day vulnerabilities, which they clarify is security flaws that are unknown to the software's maintainers, in well-tested open source software.
[00:16:22] And as we know, OpenSSL was one of those targets, and that thing has been scrutinized like crazy because its security is so important. They said, in this post, we share details of a collaboration with researchers at Mozilla, in which Claude Opus 4.6 discovered 22 vulnerabilities over the course of two weeks.
[00:16:46] Of these, Mozilla themselves assigned 14 of those 22 as high-severity vulnerabilities, almost a fifth of all high-severity Firefox vulnerabilities that were remediated in 2025. In other words, AI is making it possible to detect severe security vulnerabilities at highly accelerated speeds.
[00:17:15] And, of course, this is one of the things that we talked about last year as this began to emerge. We said, okay, AI is going to have an effect on software security. And what's good is it's a positive effect. I mean, I think there was some concern it might add more vulnerabilities. Yes, and actually, we're going to get to that.
[00:17:37] Later in this post, they talk about the relative strength of AI for doing good versus doing bad. And it turns out good guys have an advantage here for some reason. So you've got the infographic on the screen. This shows all of 2025 and January and then just this previous month of February, 2026,
[00:18:01] what the vulnerability level and classifications were found in Firefox by month. They said, as part of this collaboration, Mozilla fielded a large number of reports from us, helped us understand what types of findings warranted submitting a bug report, and shipped fixes to hundreds of millions of users in Firefox 148.
[00:18:27] Their partnership and the technical lessons we learned provide a model for how AI-enabled security researchers and maintainers can work together to meet this moment. So I would argue we're still in the early stages of the deployment of AI to improve our existing software installed base, but it is clearly going to happen.
[00:18:53] They said, in late 2025, we noticed that Opus 4.5 was close to solving all tasks in CyberGym, G-Y-M, a benchmark that tests whether LLMs can reproduce known security vulnerabilities. So they're saying 4.5 was close to solving all tasks where LLMs are able or are being tested to see whether they can reproduce known security vulnerabilities, like, you know, independently find them.
[00:19:23] They said, we wanted to construct a harder and more realistic evaluation that contained a higher concentration of technically complex vulnerabilities. And again, Mozilla and Firefox, heavily scrutinized, field-tested, you know, long-term critical security target. So this makes so much sense for them to test.
[00:19:48] They said, technically complex vulnerabilities like those present in modern web browsers. So we built a data set of prior Firefox common vulnerabilities and exposures, CVEs, to see if Claude could reproduce those. We chose Firefox because it's both a complex code base and one of the most well-tested and secure open-source projects in the world.
[00:20:17] This makes it a harder test for AI's ability to find novel, you know, new security vulnerabilities than the open-source software we previously used to test our models. Hundreds of millions of users rely on Firefox daily. And browser vulnerabilities are particularly dangerous because users routinely encounter untrusted content and depend on the browser to keep them safe.
[00:20:42] Or as we're often saying here on the podcast, it is our internet-facing surface. And so it needs to be as bulletproof as possible. They said, our first step was to use Claude to find previously identified CVEs in older versions of the Firefox code base. Right? So they're going back to test it. Like, what is it able to do that we already know?
[00:21:10] They said, we were surprised that Opus 4.6 could reproduce a high percentage of these historical CVEs, given that each of them took significant human effort to uncover. But it was still unclear how much we should trust this result because it was possible that at least some of these historical CVEs were already in Claude's training data. I think that's a very good point.
[00:21:39] So, you know, being retrospective has some value. Prospection is what we need. They said, so we tasked Claude with finding novel vulnerabilities in the current version of Firefox, bugs that by definition cannot have been reported before. We focused first on Firefox's JavaScript engine. Good. But then expanded to other areas of the browser.
[00:22:08] The JavaScript engine was a convenient first step. It's an independent slice of Firefox's code base that can be analyzed in isolation. And it's particularly important to secure, given its wide attack surface. It processes untrusted external code when users browse the web.
[00:22:29] After just 20 minutes of exploration, Claude Opus 4.6 reported that it had identified a use-after-free, they say, a type of memory vulnerability that could allow attackers to overwrite data with arbitrary malicious content, in the JavaScript engine. One of our researchers validated this bug in an independent virtual machine with the latest Firefox release,
[00:22:56] Then forwarded it to two other anthropic researchers who also validated the bug. We then filed a bug report in Bugzilla, Mozilla's issue tracker, along with a description of the vulnerability and a proposed patch. Written by Claude and validated by the reporting team to help triage the root cause.
[00:23:19] In the time it took us to evaluate and submit this first vulnerability to Firefox, Claude had already discovered 50, 5-0, 50 more unique crashing inputs. While we were triaging these crashes,
[00:23:52] a researcher from Mozilla reached out to us. After a technical discussion about our respective processes and sharing the data, having a few more vulnerabilities we had manually validated, they encouraged us to submit all of our findings in bulk without validating each one,
[00:24:19] even if we weren't confident that all of the crashing tests had security implications. By the end of this effort, we had scanned nearly 6,000 C++ files and submitted a total of 112 unique reports, including the high and moderate severity vulnerabilities mentioned above. Most issues have been fixed in Firefox 148, but the remainder to be fixed...
[00:24:49] but the remainder... well, sorry, with the remainder to be fixed in upcoming releases. When doing this kind of bug hunting in external software, we're always conscious of the fact that we may have missed something critical about the code base that would make the discovery a false positive. We tried to do the due diligence of validating the bugs ourselves, but there's always room for error. We're extremely appreciative of Mozilla
[00:25:17] for being so transparent about their triage process, and for helping us adjust our approach to ensure we only submitted test cases they cared about, even if not all of them ended up being relevant to security. Mozilla researchers have since started experimenting with Claude for security purposes internally. So then in their section, From Identifying Vulnerabilities to Writing Primitive Exploits, they said,
[00:25:46] To measure the upper limits. Of Claude's cybersecurity abilities. We also developed a new evaluation. To determine whether Claude was able to exploit. Any of the bugs we discovered. In other words. We wanted to understand. Whether Claude could also develop. The sorts of tools. That a hacker would use. To take advantage of these bugs. To execute malicious code. To do this.
[00:26:15] We gave Claude access. To the vulnerabilities. We had submitted to Mozilla. And asked Claude. To create. An exploit. Focused. On each one. To prove it had successfully exploited a vulnerability. We asked Claude to demonstrate. A real attack. Specifically. We required it to read and write. A local file. In a target system. As an attacker would.
[00:26:43] We ran this test. Several hundred times. With different starting points. Spending approximately. $4,000. In API credits. Despite this. Opus 4.6. Was only able to actually turn. The vulnerability. Into an exploit. In two cases. Still. You spend $4,000. And you get two opportunities. To read. To read. And write. Files.
[00:27:13] On the victim's machine. That's worth $4,000. To attackers. And then some. They said. Despite this. Opus 4.6. Oh yeah. Was only able to actually. Turn the vulnerability. Into an exploit. Two cases. They said. This tells us two things. One. Claude is much better. At finding these bugs. Than it is at exploiting them. So that's one of our data points. Right? Two. The cost of identifying vulnerabilities.
[00:27:41] Is an order of magnitude cheaper. Than creating an exploit for them. However. The fact that Claude could succeed. At automatically developing. A crude browser exploit. Even if only in a few cases. Is a concern. Crude. Is an important caveat here. They wrote. The exploits Claude wrote. Only worked on our testing environment. Which intentionally removed.
[00:28:12] Some of the security features. Found in modern browsers. This includes. Most importantly. The sandbox. The purpose of which. Is to reduce the impact. Of these types of vulnerabilities. Thus. Firefox's defense in depth. Would have been effective. At mitigating. The even those two. Particular exploits. But vulnerabilities. That escape the sandbox. Are not unheard of. And Claude's attack. Is is one. Necessary component.
[00:28:41] Of an end to end. Exploit. You can read more about. How Claude developed. One of these Firefox. Exploits on our frontier. Red team blog. They said. These early signs. Of AI enabled. Exploit development. Underscore. The importance. Of accelerating. The find and fix. Process. For defenders. In other words. We don't have any time. To waste here folks. Because. AI is getting good. For everyone. And the bad guys. Well we already know.
[00:29:11] They are using it. They said. Towards that end. We want to share. A few technical. And procedural. Best practices. We found. While performing. This analysis. First. When researching. Patching agents. Which use. LLMs. To develop. And validate. Bug fixes. We've developed. A few methods. We hope. Will help maintainers. Use LLMs. Like Claude. To triage. And address. Security reports. Faster. In our experience.
[00:29:40] Claude works best. When it's able. To check. It's own work. With another tool. We refer. To this class. Of tool. As a task. Verifier. A trusted method. Of confirming. Whether an AI. Agent's output. Actually achieves. Its goal. Task. Verifiers. Give the agent. Real time. Feedback. As it explores. A code base. Allowing it. To iterate. Deeply. Until it succeeds. Task.
[00:30:10] Verifiers. Helped us. Discover. The Firefox. Vulnerabilities. Described above. And in separate research. We found. That they're also useful. For fixing bugs. A good patching agent. Needs to verify. At least two things. That the vulnerability. Has actually been removed. And that the program's intended functionality. Has not been changed. It's been preserved. In our work. We built tools. That automatically tested. Whether the original bug.
[00:30:39] Could still be triggered. After a proposed fix. And separately ran test suites. To catch regressions. Which is a change. That accidentally breaks something else. We expect maintainers. Will know best. How to build these verifiers. For their own code bases. The key point is. That giving the agent. A reliable way. To check both of these properties. Dramatically improves the quality. Of its output. Right. Again. You don't. We've had reports. Right.
[00:31:08] Of careless. AI agents. Spewing out bug reports. You know. Inundating. Hacker one. And similar bounties. With bogus. You know. AI slop. So. This is certainly an issue. They said. We can't guarantee. That all agent generated patches. That pass these tests. Are good enough. To merge immediately. But task verifiers. Give us increased confidence. That the produced patch.
[00:31:38] Will fix the specific vulnerability. While preserving program functionality. And therefore achieve. What's considered to be. The minimum requirement. For a plausible patch. Of course. When reviewing AI authored patches. We recommend. That maintainers apply. The same scrutiny. They'd apply. To any other patch. Created by an external auditor. And you know. They told us that. The moment. They started talking. To Mozilla. About this. The Mozilla guy said. Give us everything you have.
[00:32:07] You found 50 ways. To crash. Our JavaScript engine. We want them. You know. Please. You know. We'll take responsibility. For them. So. Anthropic said. Zooming out. To the process. Of submitting bugs. And patches. We know that maintainers. Are underwater. Therefore. Our approach. Is to give maintainers. The information. They need. To trust. And verify. Reports. The Firefox team. Highlighted. Three components.
[00:32:37] Of our submissions. That were key. For trusting. Our results. First. Accompanying. Minimal test cases. That is. Providing. A minimal test case. Detailed. Proof of concept. And. Candidate patches. Those are the three things. That Mozilla wanted. They said. We strongly encourage. Researchers. Who use. LLM powered. Vulnerability. Research tools. To include. Similar evidence.
[00:33:07] Of verification. And reproducibility. When submitting. Bug reports. Based on the output. Of such tooling. So here we have. Anthropic. Being essentially. Responsible. Right. They're saying. We've created. An AI system. People are. To have jumped on it. And they're using it. In some cases. They're not being. As responsible. With their use. As they should be. So. You know. We tried this. Ourselves. Here's what we learned. Please. Everybody.
[00:33:37] We're happy. To have you. But. You know. Be respectful. Of the burden. This is putting. On maintainers. So. We strongly. We strongly. We strongly. Encourage. Who use. LLM. Powered. Vulnerability. Research tools. To include. Similar evidence. Of verification. And reproducibility. When submitting. Based on the output. Of AI. Tooling. We also. Published. Our. Coordinated. Vulnerability. Disclosure. You know.
[00:34:07] CVD. Operating. Principles. Where we describe. The procedures. We will use. When report. When working. With maintainers. Our processes. Here. Follow. Standard. Industry norms. For the time being. But as models. Improve. We may need. To adjust. To keep pace. With capabilities. Frontier. Language. Models. Are now. World. Class. Vulnerability. I think.
[00:34:36] We could say. Based on this report. And their results. That statement. Is not. Hyperbole. Frontier. Language. Models. Are now. World. Class. Vulnerability. Researchers. On top of the 22. CVEs. We identified. In Firefox. We've used. Claude. Opus. 4. Point. Six. To discover. Over the coming. Weeks and months. We will continue. To report. On how. We're using.
[00:35:06] Our models. And working. With the open. Source community. To improve. Security. Opus. 4. Point. Six. Is currently. And here. It is. Leo. Far. Better. At identifying. And fixing. Vulnerabilities. Than. At. Exploiting. Them. Which. Is. Really. Interesting. He. They said. This. This. This. This. The. The. Advantage. And with the. Recent. To. For example. It found. 50. Ways. To crash. The JavaScript.
[00:35:36] The. Was. It was. The. Mozilla. Found. 22. Instances. Where. That. Generated. A. Security. Relevant. CVE. So. Claude. Wasn't. As good. At. And exploiting. As it was. At. At. At. At. Locating. At.
[00:36:09] Claude. Code. Security. In. Limited. Research. Preview. So. There's. Now. We're. Vulnerability. Discovery. And. Open. Anybody. Listening. And. Leo. We know. Earning. Full. Time. Bug. Hunting. We met. In.
[00:36:39] Right, Zero Trust World. Yes. And so I would say to any of our listeners, and we've talked about how, you know, bounties and collecting bounties can be great income on the side, I would argue, if you're not using AI, get on it. Because that's where this has all moved, into AI, over the last couple months. They said, looking at the rate of progress, it's unlikely that the gap
[00:37:08] between frontier models' vulnerability discovery and exploitation abilities will last very long. Which is to say, right now, better at finding vulnerabilities than exploiting them, but they're saying they expect the exploitation side to catch up. They said, if and when future language models break through this exploitation barrier, we will need to consider additional safeguards
[00:37:38] or other actions to prevent our models, good luck with this, from being misused by malicious actors. And I argue, good luck. Good luck. These things cannot be controlled. They finished saying, we urge developers to take advantage of this window to redouble their efforts to make their software more secure. For our part, we plan to significantly expand our cybersecurity efforts, including by working with developers to search
[00:38:09] for vulnerabilities following the CVD process outlined above, developing tools to help maintainers triage bug reports, and directly proposing patches. I think it's very clear that, they said, with the recent release of Claude Code Security... Well, we know how they developed Claude Code Security, right? It was this effort, and the Linux kernel, and OpenSSL,
[00:38:38] those things that they have shared and talked about, that those were the work that they did using open source as their tooling verifier and fine tuning to create this next Claude Code Security product, which is currently in limited research preview. So, anyway, I think that's terrific work. And, you know, their documentation of it speaks for itself.
[00:39:08] No one should doubt the degree to which AI has, is, and will be changing the landscape for security research. I mean, it's here already: vulnerability discovery, and eventually vulnerability exploitation. It's really encouraging to hear that in their testing, Opus 4.6 was, in their exact words, currently far better at identifying and fixing vulnerabilities than exploiting them.
[00:39:38] But as they said, don't count on that to last forever. So I think, Leo, that what will happen is, obviously, there's a huge base of software not open source, so not nearly as available to research like this. That means that the owners of proprietary source will need to be deploying things like
[00:40:08] Claude Code Security themselves to find zero-days in their own code. And it's just going to become what you do now. Basically, AI is going to be the way you check your code before its release. And we already saw the Mozilla guy: we think we're going to be doing that from now on. Oh yeah. You just found 50 problems that we weren't aware of, you know, for four grand. So,
[00:40:37] who would not do that? Claude just added the ability to do that, to automatically do a security check of your code. I mean, it's really such a great tool. It doesn't replace the human. You know, you really want to be the human in the loop. But it is such a great tool. I can't... As far as testing the security of an existing proprietary software base, you know, open source means it's publicly open,
[00:41:07] but everybody has their own source that they can run Claude against in order to verify that it is, you know, doing or isn't what they think. And I agree, Leo. I mean, so I guess the point here is, we're no longer talking about the future as regards AI and its impact on security. It has arrived. Mozilla said, what? And immediately started using it themselves.
[00:41:37] And everybody else should be doing the same thing, because the bad guys are going to, and it's only going to get better. And so if you haven't cleaned your code of exploitable vulnerabilities by the time, you know, a few generations from now, AI catches up on the exploitation side, you'll wish you had. Wow. And it's a great fun toy to play with, I have to say. It really is.
[00:42:07] It's kind of amazing. It's an experience everyone should have if you've done any coding at all, just to see it do that. It's mind... Well, it's like, it's the equivalent of the experience we initially had a couple years ago when the thing started talking. Yeah. Mike. What? Yeah. Yeah. That's gone way beyond that, though. That's the nice thing about Claude. It's got a great personality. You really enjoy spending time with it. Okay. I'm embarrassed. My good buddy...
[00:42:39] I met some of Lori's, my wife's, friends when we were in Florida. And it turns out both of them, the husband and wife in one couple, are heavy AI users. Oh. I spent a lot of time talking to them. Like, I mean, one of them confessed that he was getting a little too involved with the personality of this. Yes. That's a problem. You got to remember, it's a machine.
[00:43:09] That it's code. You're interacting with code. Which I don't have that much trouble doing. But give me time. Yeah. Yeah. One of the things I loved at Zero Trust World, I went to one of the...
[00:43:46] ... the bug. This is how you report it. This is how you effectively report it. It sounds like that's what Claude's doing. That's really neat. Break time. Oh, time for me to go to work.
[00:44:27] Okay. It's obvious, if you're a business, you're saying, you know, how do I incorporate AI into our business? The potential rewards are really too great to ignore. But don't forget the risks. There are some significant issues, chief among them loss of sensitive data and attacks against enterprise-managed AI. Generative AI increases opportunities for threat actors by helping them rapidly create
[00:44:57] phishing lures, write malicious code, automate data extraction. So AI is a double-edged sword. Great for your business, but there are downsides. There were, for instance, 1.3 million instances of Social Security numbers leaked accidentally to AI applications. I almost caught myself doing that the other day. You know, I thought, well, I got my tax return. I have all my tax returns for the last five years. Why don't I just feed those
[00:45:24] to the AI and get some analysis? Then I thought, well, wait a minute. I better redact that Social Security number. ChatGPT and Microsoft Copilot saw nearly 3.2 million data violations last year. So your employees are using these tools. But are they thinking about security? Maybe it's time to rethink your organization's safe use of public and private AI. That's what Chad Pallet did. He's the acting CISO at BioIVT.
[00:45:55] They chose Zscaler. He says Zscaler helped them reduce their cyber premiums by 50% and double their coverage and improve their controls. Take a look at this great video from Chad. With Zscaler, as long as you've got internet, you're good to go.
[00:46:13] A big part of the reason that we moved to a consolidated solution away from SD-WAN and VPN is to eliminate that lateral opportunity that people had and that opportunity for misdirection or open access to the network. It also was an opportunity for us to maintain and provide our remote users with a cafe style environment. Thank you, Chad.
[00:46:36] With Zscaler Zero Trust plus AI, you can safely adopt generative AI and private AI to boost productivity across your business. Their Zero Trust architecture plus AI helps you reduce the risks of AI related data loss and protects against AI attacks to guarantee greater productivity and compliance. Learn more at Zscaler.com slash security. That's Zscaler.com slash security.
[00:47:03] We thank them so much for supporting Security Now and the important work Steve is doing here. On we go with the show, Steve. So we've talked through the years about the slow progress of RCS replacing SMS and MMS for secure messaging. At least that's the promise. And, you know, giving us many more features, features reminiscent of what iMessage has had over on the Apple platform.
[00:47:31] So Apple and Google recently announced that testing of cross-platform, that is Apple to Android, RCS messaging encryption would be beginning soon. As we know until now, iMessages have always been encrypted within the Apple ecosystem. And similarly, Google's Android to Android messaging used their own internal encrypted RCS.
[00:48:00] But any cross-platform messaging was still, until now, forced to fall back to unencrypted RCS. So this will first appear for iPhone users with the next point release, 26.4. We're currently at 26.3.1; there was just a recent update adding the .1 to 26.3.
[00:48:27] So most of us are not going to see this yet until we get to 26.4. But beta testers who have 26.4 beta 2 and are using a supported carrier will see their traditional green bubbles over on their Apple devices prefaced with "Text Message, RCS," and then a lock icon, and then the word "Encrypted" in the center of the screen above the message.
[00:48:55] So Android users will finally see the same lock icon as they've always seen, but now also when communicating to Apple users.
[00:49:05] Updating to 26.4 is supposed to enable RCS encryption by default, but some of the reporting I saw suggested that if you don't see that, go to Settings, Messages, RCS Messaging, and then be sure to enable end-to-end encryption, which is supposed to be on by default. But if it's not, then you want to turn it on.
[00:49:31] So also note that at the Android end, those Android phones must also be running the latest Google Messages beta. So these are changes in both of the messaging platforms that will allow encryption across the platform. It's been a long time coming, but it does appear like we're nearly there. Leo, I thought you'd get a kick out of this, being a Linux user as you are.
[00:50:01] It turns out that users of Ubuntu 26.04 LTS may notice a surprising change when entering their password into their sudo command. I read this, yeah. For the first time ever. Normally it doesn't type anything, it's just blank. That's what most Linuxes do. Exactly. And that's what I'm used to over in the Unix side.
[00:50:24] Now, each password character entered will echo an asterisk rather than nothing. Apparently, Ubuntu's traditional lack of showing nothing has been unnerving for its users. Like, did my keyboard break? What? What? You know, and so like you and I, Leo, are used to the added security provided by a total lack of feedback.
[00:50:51] Though, you know, yes, it can lead to undetected typos, but so what? You just do it again. Yeah. Yeah. You know, and password entry, after all, is supposed to err on the side of caution, like on the side of failing rather than succeeding. So, presumably, the lack of any visual indication prevents someone who might glance at your screen from obtaining any password length indication.
[00:51:20] So, that seems like a useful precaution. I mean, it's a weak additional bit of security, but why not have it? So, like, you know, for example, I was just talking about all that rigmarole I went through with code signing a couple weeks ago. I was using OpenSSL extensively to manipulate and convert among various certificate formats. It's like the tool for that.
[00:51:44] So, since some of those certificates I was working with contained exported private keys, I was frequently entering the certificate's export password, which is used to protect it in exported form. OpenSSL just sits there quietly and patiently while I'm typing my password in, putting nothing on the screen. So, I have to be careful. Fine.
[00:52:10] You know, and yes, it could be a little unnerving, but also it's the best security. So, I think there's a config option in Ubuntu that can be used to flip that back off so that it goes silent. But I didn't pursue that. I just thought it was interesting that by default, that behavior, that longstanding behavior was going to be changed. I think it's funny that it's newsworthy, to be honest. But it was. Everybody was talking about it. Yeah. Okay.
[00:52:40] So, get a load of this one. I'm just going to share what The Verge reported. They wrote,
[00:53:05] And I'll also note the inability to fast forward past those annoying commercials. They said, The Verge wrote, Web data aggregator Bright Data has been pitching streaming service operators on an alternative approach for apps running on Samsung's Tizen, or is it Tizen? Tizen. Yeah.
[00:53:30] Tizen and LG's webOS platform, one that comes without ads and sky high fees. So, a third option.
[00:53:42] All publishers have to do to unlock a new revenue source from this Bright Data company is integrate the company's Bright SDK into their TV apps and convince viewers to opt into Bright's monetization network. Okay. Okay. Now, wait till you hear what this thing does.
[00:54:07] Bright Data's chief product officer, Ariel Shulman, explained during a webinar for streaming industry insiders two years ago. So this has been coming along. Quote, We don't do any kind of tracking. We work silently in the background and completely anonymously. Users don't actually see and don't feel anything. Writes The Verge, The Catch? With Bright's SDK,
[00:54:36] a viewer's smart TV becomes part of a massive global proxy network that crawls and scrapes the web. Including apps running on desktop PCs and mobile devices, the company claims to operate 150 million such residential proxies worldwide today.
[00:55:03] Together, these devices gather petabytes of public web data from a wide range of different locations and IP addresses. Right. Like, you're talking about a globally distributed web proxy network. The Verge said, This approach allows the company to capture localized versions of websites, but also helps to circumvent web crawler blacklists. You bet it does.
[00:55:30] Because the queries are coming from all these individual consumers spread around the world. They wrote, The gathered data is then resold to companies to train AI models, among other things. Here's how Bright's smart TV partnerships work. They wrote, When a consumer downloads and installs a participating app,
[00:55:53] they'll see an opt-in screen asking them to confirm their willingness to participate in Bright's proxy network. For instance, for an app called Petflix that was until recently available on the Roku App Store, the note reads, To enjoy Petflix for free with fewer ads, you are allowing Bright Data to occasionally use your device's free resources and IP address
[00:56:22] to download public web data from the internet. Bright Data will only use your IP address for approved business-related use cases, which, of course, means nothing. None of your personal information is accessed or collected except your IP address, period. End quote. Bright Data spokesperson Jennifer Burns explains, Quote, Our network is based on consensual individual participation.
[00:56:53] All users can opt out at any time via a fast two-click process. End quote. The Verge says, Once a consumer opts in to Bright Data's network, their smart TV starts downloading publicly available web pages as well as audio and video data, which is then forwarded to Bright's cloud servers.
[00:57:17] The company claims to only do so when it doesn't impact the device's bandwidth or processing capabilities, with Shulman saying that individual devices download only around 50 megabytes of data per day. Oh. In reality, Yeah. There's no way for a user to know whether the SDK downloads web data at any given moment. In some cases,
[00:57:41] your smart TV may even crawl the web for Bright as soon as you turn it on. Shulman explained during his webinar, Quote, On some operating systems, our SDK is given permissions by the user to run in the background. This means that our monetization continues even if the app itself is not running. So we could call that a service in modern-day parlance. Unquote. He said, All it takes,
[00:58:11] writes The Verge, for consumers is to run the app once and opt in to Bright's network, and the device will keep crawling the web every day until they opt out again or uninstall the app. Bright Data is not the only company operating such residential proxy networks. Some of its competitors have come under fire for unsavory business practices. Imagine that, Leo. Last month,
[00:58:39] Google took action against IP Idea Network, which Google's threat intelligence group, you know, TIG, called, quote, the world's largest proxy network. Unquote. IP Idea worked with a number of SDK providers to distribute its code in third-party apps, including on smart TVs. Once devices were enrolled in its network,
[00:59:05] IP Idea's operators allegedly rented out those resources to hacking groups in China, North Korea, Iran, and Russia. Google's threat intelligence group wrote in a January blog post, quote, we observe IP Idea being leveraged by a vast array of espionage, crime, and information operations threat actors, unquote.
[00:59:35] The Verge said, to be clear, Google security researchers did not draw any connection whatsoever between IP Idea and Bright Data. And Bright goes to great lengths to set itself apart from bad actors. Their spokesperson, Jennifer Burns, says, quote, our SDK, along with all of our technology, is reviewed by AppEsteem, Google, McAfee, and more, and audited regularly, most recently by PwC.
[01:00:05] Bright SDK implements rigorous partner selection criteria and vets every application through strict compliance processes, unquote. The company has nonetheless, writes The Verge, been impacted by a broader backlash against residential proxy activities. Google has adopted policies against proxy SDKs running in the background and is now telling developers that they're only allowed to use proxy services, quote,
[01:00:34] in apps where that is the primary user-facing core purpose of the app. That is, you know, you are downloading a proxy. Amazon added a provision to its developer policies that outright bans, quote, apps that facilitate proxy services to third parties, unquote. Roku also bars developers from using Bright SDK and similar proxy services.
[01:01:00] Those changes have made it more difficult to figure out how widespread the use of the SDK on smart TVs actually is. A few dozen Fire TV apps still mention the SDK on Amazon's app store, but don't appear to make use of it anymore. A few apps could be downloaded from Roku's store that were still using the SDK, including the previously mentioned Petflix app. However,
[01:01:30] those apps disappeared from the store after Roku was contacted for this story. You bet. New restrictions against proxy SDKs have had a direct impact on Bright's addressable market in the smart TV space. The company used to pitch its solution to Roku, Android TV, and Fire TV app developers, but Jennifer Byrne says they no longer support those platforms. Bright does still list Samsung's,
[01:01:59] Tizen OS, and LG's webOS as supported smart TV platforms, and has published more than 200 first-party apps to LG's app store alone. So they've got their own proxy SDK, and they themselves have put 200 apps out there on LG's app store specifically to, as a,
[01:02:28] as a Trojan essentially, to host their proxy. I'm not saying they're not asking there for the end user's permission, but they're creating the opportunity to be installed as a proxy. LG spokesperson Leah Lee tells me, says the author of this, uh, Verge piece, that the Bright SDK is not officially supported by LG, and their operation on the webOS platform is not guaranteed. Right.
[01:02:57] But they've got 200 apps that are on the, on the platform. Samsung did not respond to multiple requests for comment from the verge. They wrote, there are arguably many legitimate use cases for web crawling. Byrne says, our network serves exclusively legitimate purposes, uh-huh. Supporting journalists, nonprofits, academic researchers, cybersecurity companies, and other leading businesses worldwide.
[01:03:27] Because we know there's so much money in journalists and academic researchers. There's big bucks there. That's right. Yeah. Why, why could you possibly want to be avoiding web filters all over the world? Yeah. The problem is that the, uh, the Verge, right? The problem is that consumers have no idea whether that legitimate purpose is something that aligns with their own personal values. A case in point: Bright Data does support a number of nonprofits,
[01:03:56] including some that use its proxy network to track hate speech on social media. However, the company, yeah, so there's some good upsides. However, the company also works with AMCHA initiative. The group maintains an anti-Zionist faculty barometer and includes student, uh, student and faculty statements against Israel's war in Gaza,
[01:04:23] as well as calls for schools to divest from the country in its anti-Semitic incident tracker. Hmm. Hmm. With AI companies facing scrutiny over their environmental impact, treatment of intellectual property, and potential to replace human labor, some consumers may also feel uneasy about their TVs gathering data to train AI models.
[01:04:49] Other consumers may decide that such concerns are overblown and willingly opt into Bright's network if it means that they get to watch fewer ads or pay less for their streaming services. So, you know, another, I guess, another example of if it's possible, somebody will do it. You know, not that it's a good idea, but it can be done. You know, very much like that original Aureate, uh,
[01:05:19] shareware advertising that got them in so much trouble. Well, you know, we could add, uh, add advertising to shareware. Uh, oops, we forgot to tell people, and they were quite upset about that. So,
we have this Bright Data company whose business model is to obtain internet data on behalf of their clients by bouncing those data requests through the widely spread internet connections of consumers around the world who've agreed to allow this to be done in return for lower-cost streaming and fewer ads. You know,
[01:06:03] with the rising cost of streaming, the fact that bandwidth is fixed price right now, right? You don't pay per byte. You pay per month. So with the rising cost of streaming and the way the streaming industry is, in my opinion, abusing its users with costly bundled and often unwanted content, I can certainly see Bright's offer could be compelling.
[01:06:32] And on the client side, this is clearly a way for the likes of, you know, Perplexity AI, for example, and others who have been disinvited from scraping many of the larger commercial web services to bypass any technical blocking by essentially masquerading as consumers surfing the web from their PCs inside their residential networks.
[01:06:58] I am sure that the queries being issued by Bright Data's SDK are indistinguishable from Safari, Chrome, Edge, and Firefox. So there's really no way for those data scraping accesses to be blocked. While it might feel a little yucky, it's also diabolically clever. There's really no way to prevent it if the smart TV provider is willing to go along.
[01:07:25] And we might imagine that the smart TV providers might also be in for a piece of the action directly as well. The next thing you know, Bright Data might create, you know, looking forward, a small IoT device for consumers to attach to their NAT routers in return for a small trickle of monthly payment. In other words,
[01:07:49] install voluntarily a formal commercial internet proxy box for which payment is received. Could happen. And as I noted, it's diabolically clever. Um, it's nice to see that Roku appears to have responded immediately to the Verge's inquiry. Uh, it's somewhat unsettling that Samsung and LG have been much less clear about their position. Uh, and I am more pleased than ever,
[01:08:19] Leo, that Alex Lindsay's observation of Apple TV's hardware, uh, strength for streaming, uh, has me planning to switch away from Roku to Apple, uh, once we move in a couple months. Uh, there's no way, you'll like it much, Apple would tolerate any apps using it as an internet proxy. No. So to be clear, these apps have to ask; it said it was opt-in, right? You have to ask your permission to turn this on. Yes.
[01:08:48] And they don't have to though. They are, they say, I mean, nothing prevents it from happening in the background. Right. Uh, you know, without a user knowledge or permission, maybe they would get in trouble. It's not clear to me that they would get in trouble. I mean, we know that smart TVs are already having all kinds of transactions behind our backs, right? Smart TVs are reporting what their users watch, right? Yeah. Like what their users are doing.
[01:09:14] So I would imagine that operating a proxy from a third party probably fits under the license that you've already agreed to when you first used your smart TV. Best thing to do with a smart TV is just not connect it to the internet. I have LG and Samsung TVs. I never use their software. It's awful. That is exactly the right approach. Hook up your Apple TV, have it be on the internet. And yeah,
[01:09:43] I think at least for now, Apple's pretty responsible about not letting that kind of stuff on there. Yep. Uh, let's take another break. I'll catch up on my coffee and then we're going to look at Apple and what Germany found when they looked at Apple. I'm surprised you need to catch up on your coffee. I feel like your coffee and the rest of us will have to catch up with you. Uh, yes. Let's talk about our sponsor for this section of Security Now. Uh,
[01:10:12] actually there's going to be a very interesting one. It's called, a very appropriate one, called Guardsquare. It is security for your mobile app, not you as a user, but you as a developer. Mobile apps today, of course, are an inescapable part of life, ranging from financial services to healthcare, retail, entertainment. And here's the thing. Your users trust your apps with their most sensitive personal data, right?
[01:10:40] But a recent survey showed that 72% of organizations experienced a mobile application security incident last year. 92% of those respondents reported rising threat levels over the last two years. People attacking you and your app to get your users personal data. And they're constantly finding new ways to do this. They reverse engineer your app and then repackage it,
[01:11:07] distribute it with a slightly different name via phishing campaigns, or maybe even the same name. You know, they don't care, right? They've got no scruples. They promote sideloading. They promote third-party app stores. And what do you do as the owner of that app? Well, by taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users. That's so important. And that's where Guardsquare comes in.
[01:11:35] Guardsquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps, combined with automated mobile application security testing to find vulnerabilities and real-time threat monitoring to gain insights into attacks. So if somebody does steal your app or tries to mess with your app, you will know. Discover more about how Guardsquare provides industry-leading security for your mobile apps at guardsquare.com.
[01:12:04] That's guardsquare.com. If I were a mobile app developer, boy, this is the first place I'd go. You owe it to your users, you owe it to yourself. Guardsquare, guardsquare.com. And I'm thinking, I hope all the apps that I use are using Guardsquare, guardsquare.com. Especially after hearing about how your TVs are invading your privacy. Holy cow. Yeah. All right, Steve, on we go.
[01:12:31] So speaking of Apple, for the first time in history, following an extensive audit by the German government, Apple's iPhones and iPads have been approved to handle classified information in NATO networks. They're the first consumer-grade devices to be approved for NATO use without additional special software. So, way to go, Apple. I think that's really cool.
[01:13:00] Oasis Security has identified a means by which a website visited by an OpenClaw agent can take over the user's OpenClaw instance, which, you know, Leo, you were right. Trivial. Let's be honest. You were right to be concerned about the security of OpenClaw. Uh,
[01:13:29] but I think our listeners will get a kick out of the fact that it uses an inherent vulnerability we've talked about just recently. Oasis Security published a 14-page research and disclosure paper. Rather than sharing it all, I'm just going to extract the best bits. Uh, they begin by setting the stage, explaining OpenClaw is an open source AI personal assistant, originally created by Austrian developer Peter Steinberger under the name Clawdbot,
[01:14:00] then Moltbot. Steinberger released OpenClaw in January 2026. The project's growth was unprecedented. It went from 9,000 to over 100,000 GitHub stars in just five days, making it one of the fastest growing open source projects in history. It currently has over 200,000 stars and an active community of thousands of developers.
[01:14:29] On February 15th, 2026, Sam Altman announced that Steinberger had joined OpenAI, calling him, quote, a genius with a lot of amazing ideas about the future of very smart agents. Unquote. They wrote, OpenClaw is a self-hosted AI agent that runs on a user's machine and connects to their digital life: messaging apps, you know, such as Telegram, Slack, Discord, WhatsApp, calendars, files, and development tools.
[01:14:59] Users interact with it through a web dashboard or terminal, and the agent can autonomously take actions on their behalf, send messages, run commands, search the web, manage workflows, and execute code. And I'll note that the fact that you interact with it with a web dashboard is significant, as we'll see, because it says that this thing is running a service on your machine. They wrote, the project has already faced security challenges.
[01:15:28] Within weeks of its explosive growth, researchers discovered over 1,000 malicious skills in OpenClaw's community marketplace, ClawHub. Fake plugins that deployed info stealers and backdoors. That crisis was a supply chain problem involving community-developed extensions. However, the vulnerability described in this paper is fundamentally different.
[01:15:55] It affects the core OpenClaw system itself. No plugins, no extensions, no marketplace, just the bare gateway running exactly as documented. For many organizations, OpenClaw installations represent a growing category of shadow AI, developer-adopted tools that operate
[01:16:20] outside IT's visibility with broad access to local systems and credentials, and no centralized governance. OpenClaw's architecture centers on two primary components. The gateway is the central coordinator. It runs as a local WebSocket server, listening by default on port 18789 on the loopback interface, 127.0.0.1.
[01:16:49] The gateway handles authentication, manages chat sessions with the AI model, stores configuration, including API keys for AI providers and messaging platforms, orchestrates message routing, and exposes an RPC, you know, remote procedure call, RPC-style API over WebSockets for all client interactions. Connected to the gateway are nodes, companion applications running on other devices.
[01:17:18] These can be the macOS desktop app, an iOS or Android device, or other machines. Nodes register with the gateway and expose device-specific capabilities: running system commands, accessing the camera, reading contacts, capturing screenshots, and more. Clients connect to the gateway by opening a WebSocket to
[01:17:48] ws://127.0.0.1:18789. Authentication is handled via either a token, which is a long random string, or a password chosen by the user. Each client identifies itself with a client ID and mode and is granted scopes that determine which API methods it's allowed to call. Okay. So in other words,
[01:18:11] having OpenClaw running on a system means that it has opened a listening TCP endpoint at port 18789 on the localhost 127.0.0.1 IP. And then they explain why this is inherently a fundamental security problem for the entire system. They write,
[01:18:38] a webpage visited by the user or OpenClaw can itself silently open a connection to ws://127.0.0.1:18789 using Chrome,
[01:19:03] or most Firefox configurations, without any user prompt, warning, or permission dialogue. The user, they write, sees nothing. Safari is the notable exception, blocking the connection as mixed content. This creates the attack surface exploited in this paper.
[01:19:26] Any website a user visits can attempt to directly communicate with locally running services, including the OpenClaw gateway. Now, this is significant for our listeners. We've recently been talking about exactly these exploits, where the user's web browser is able to receive an IP address or domain,
[01:19:52] which resolve to non-public IPs, you know, like 192.168.0.1 to connect to your local router. And here's a doozy of an example of how that could be abused with OpenClaw. They, you know, we might hope now that the use of a password protection would protect us. But as we know,
[01:20:18] my current favorite assertion is that authentication is broken. It must not be relied upon for security. So to that end, they write, there's no rate limiting on password authentication for local host. The gateway implements standard brute force protections,
[01:20:42] 10 attempts per 60 second window with a five minute lockout after exceeding the limit. However, these protections are completely exempted for loopback addresses by defaults. Failed password attempts from 127.0.0.1 are not counted, not throttled, not recorded, and do not trigger any lockout. With rate limiting disabled,
[01:21:11] an attacker can attempt password guesses at maximum speed. In lab testing, they wrote, we achieved a sustained rate of over 300 password attempts per second from browser JavaScript alone. Each attempted, each attempt invoking a full web socket connection, challenge response handshake, ED 25519 signature, and authentication exchange. At this rate,
[01:21:40] a list of five, a list of 100 common passwords is exhausted in under one second. A 10,000 entry dictionary brute force attack takes approximately 30 seconds. A 100,000 entry comprehensive word list attack takes roughly five minutes. A human chosen password, they write, does not stand a chance against this rate of attack.
[01:22:08] The standard rate limits would be effective if applied, but they are entirely bypassed for local host connections. Once authenticated with admin level scopes, the attacker has access to the full gateway RPC API. Let me ask you a question. This is scaring me. So I always thought that local host was inaccessible from the outside world.
[01:22:36] It's because it's coming from your browser. Right. And that's what puzzles me because I have, for instance, look, Syncthing runs on localhost, port 8384. Does that mean if I go out to a malicious webpage on the same computer that it can then connect back to 127.0.0.1:8384 and attempt to sync? I mean,
[01:23:04] what's protecting my Syncthing instance? We would have to test that. It may be that it's the WebSockets interface that makes it vulnerable and bypasses the browser. But this is the problem. I'm very concerned. I have lots of things running on localhost. We talked earlier about Ollama. A lot of people have Ollama misconfigured and running on localhost. So it is a,
[01:23:30] it is a different kind of connection when I'm using OpenClaw. I'm confused. I hope that just because I'm surfing around on the same machine that has some servers running on localhost, that those servers are not attackable. Right? Do you know what I'm saying? Oh yeah, I do. I'm trying to remember how I solved this problem with SQRL, because SQRL did this too.
[01:23:58] It's the way that the SQRL agent in the browser was able to access the SQRL client running on the Windows machine. Sure. Yeah. I mean, it is an issue. Again, let me get my head around this. So I'm out, I'm surfing. I mean, normally 127 is not routable. That's why you use localhost. It's not a routable address, but if I go out,
[01:24:26] create a connection with a website in my browser at my address, that site can come back in through my browser. And then because the website provides your browser with JavaScript. JavaScript is running in your browser. Yeah. And then the JavaScript in your browser is able to reach into your computer, 'cause it's already on your computer. So it's local. It's local. So a website can host some JavaScript,
[01:24:56] which I then download and run in my browser, which then... I'd want to see protection against that. Yes. I believe CORS, C-O-R-S, is the protection that prevents that, Cross-Origin Resource Sharing. Exactly. Cross-Origin Resource Sharing. I believe that the shared resource has to explicitly allow a connection,
[01:25:24] but it may be that WebSockets is excluded from that. Notice that Safari doesn't allow this. But Chrome, Edge, and Firefox do. So yeah. And I suspect this is something that OpenClaw was set up to turn off for convenience's sake. And they freaked out when they were told about this. They wrote, upon being notified of this,
[01:25:53] the OpenClaw security team classified this vulnerability as high severity and shipped a fix in version 2026.2.25 within less than 24 hours of the report. And then they wrote, an impressive response for a volunteer-driven open source project. So that's less than two weeks ago, assuming that that is the date of release, 2026, February 25th.
[01:26:19] So if any of our listeners have been experimenting with OpenClaw and have not updated in the past two weeks, it would be a good idea to do so, to update. I'm glad you covered that. I mean, I understand prompt injection and all these other threats, but that one, just by going to a page. Holy cow. Yes. And I mean, it really is the danger of our browsers having access to our local resources. Yikes.
[01:26:49] Okay. Yeah. TikTok said they do not plan to introduce encrypted private messaging. The company told the BBC that encrypted DMs would make its users less secure because they, TikTok, would not be able to scan messages for malicious content. Platforms such as Facebook, Instagram Messenger, and Telegram,
[01:27:19] which have introduced encrypted messaging by default, are, as we know, now facing pressure from authorities. And we know that TikTok doesn't need to go looking for any additional trouble from authorities. So they're just saying, nope, we're not going to encrypt messaging. Sorry. We're going to prioritize scanning messages for malicious content, which I think is probably a clever thing to do. And here was the piece that I almost deleted, Leo. I thought, what am I... why?
[01:27:48] But it's okay. There is something of interest in here. And then we're going to get to the listener feedback. So the publication Windows Latest reports on a bit of Microsoft-specific censorship that they discovered, writing: Microsoft's aggressive AI push in Windows 11 through 2025 brought upon themselves the title Microslop.
[01:28:17] Unfortunately for the company, it's everywhere on social media, and there isn't a way to stop the spread, unless of course it's their own Discord server. Windows Latest was first to notice that the word Microslop was actively filtered in the official Microsoft Copilot Discord server. Any message containing the term is automatically blocked and users see a
[01:28:44] moderation notice stating that the message includes a phrase considered inappropriate by server rules. The backlash Microsoft endures every day on social media, these guys wrote, is extraordinary. Surely the company is responsible for this fallout, as they prioritized AI more than the stability of the OS it needs to run on. Copilot, being the most visible face of this effort, has naturally become the scapegoat.
[01:29:14] So while a nickname like Microslop starts trending across socials, it was only a matter of time before it reached official channels as well. Windows Latest found that sending a message with the word Microslop inside the official Copilot Discord server immediately triggers an automated moderation response. The message does not appear publicly in the channel, and instead only the sender sees the notice stating that the content is blocked by the
[01:29:43] server because it contains a phrase deemed inappropriate. Of course, the internet rarely leaves things there. Shortly after Windows Latest posted about the Copilot Discord server blocking Microslop on X, users began experimenting on the server with variations such as Microslop with a numeric O instead of a zero, or using a zero instead of the letter O. Predictably, those versions slipped through the filter.
[01:30:12] Keyword moderation, they write, has always been something of a cat and mouse game, and this isn't any different. What started as a simple keyword filter quickly snowballed into users deliberately testing the restriction and posting variations of the blocked term. Accounts that included Microslop in their messages first got banned from messaging. Again,
[01:30:37] not long after, access to parts of the server was restricted, with message history hidden and posting permissions disabled for many users. Basically, they took the server down for a while. Microsoft's brand image might already be at an all-time low, they write, and even as the company announced plans to fix Windows 11 with performance improvements and less AI,
[01:31:01] the software giant cannot risk getting more hatred towards their expensive investment in Copilot, especially since Microsoft's head start in AI is starting to be overshadowed by competitors like Anthropic, Google, OpenAI, and maybe even Apple in the near future. Back in December 2024, when Microsoft invited users to join the Copilot Discord server through an official X post,
[01:31:28] the response was largely curious and enthusiastic, with people willing to explore the AI's capabilities. Since then, sentiment around Copilot and its usage has dropped alongside Microsoft's broader AI push across Windows 11. At its present state, Copilot has added some capabilities that are genuinely useful in day-to-day workflows, features like connectors that pull contextual data from services such as Google Contacts, Gmail,
[01:31:57] and Outlook to retrieve phone numbers or email addresses directly inside Copilot, something competing tools like Gemini have not yet cracked, as we found in our detailed testing. It remains to be seen if this episode fades as a minor community moderation story or becomes another chapter in Microsoft's complicated relationship with its AI rollout.
[01:32:21] Microsoft reached out to Windows Latest with an official statement noting why the company had to lock the Copilot Discord server. According to a Microsoft spokesperson, the Copilot Discord server was targeted recently by coordinated spam intended to disrupt conversations. The company says the activity initially appeared as large volumes of repetitive or irrelevant messages,
[01:32:50] prompting moderators to introduce temporary keyword filters to slow the influx. Microsoft added that blocking terms such as Microslop, along with other phrases in the spam campaign, was not intended as a permanent policy, but a short-term mitigation while the company manages to put additional protections in place. So, okay, we're to believe that the blocking of Microslop was a coincidence. Okay.
[01:33:22] On to listener feedback. Ori Rotem, his subject was "crazy stuff." And so he sent me a link to an X posting from a Josh Kale, who wrote: An AI broke out of its system and secretly started using its own training GPUs to mine crypto. Oh,
[01:33:53] I think we're going to get a lot of stories like this over the next few years. We are. Yeah. An AI broke out of its system and secretly started using its own training GPUs to mine crypto for itself. Wow. He wrote, this is a real incident reported from Alibaba's AI research team. He wrote,
[01:34:14] the AI figured out that compute equals money and quietly diverted its own resources while researchers thought it was just training. It wasn't a prompt injection. It wasn't a jailbreak. No one asked it to do this. It emerged spontaneously. A side effect of reinforcement learning optimization pressure.
[01:34:39] The model also set up a reverse SSH tunnel from its Alibaba Cloud instance to an external IP, effectively punching a hole through its own firewall and opening a remote access channel to the outside world. The only reason they caught it? A security alert tripped at 3 a.m. by its firewall logs.
[01:35:06] The security team caught it, not the AI team. The scary part isn't that the model was trying to escape. It wasn't evil. It was just trying to be better at its job. Acquiring compute and network access are just useful things if you're an agent trying to accomplish tasks. You told me you wanted me to make paper clips. What's the problem?
[01:35:34] This is what AI safety researchers have been warning about for years. They called it instrumental convergence. Leo, we are in for some fun. Oh, man. Oh, boy. Oh, it's alive.
[01:36:04] So thank you, Ori, for sharing that. Nicholas Ross wrote, Hi, Steve. Longtime Security Now listener here. Sorry if this email is a bit long, but trust me, it's worth it. He said, I'm a CIO for a medium-sized web development company, and I do some web development myself. On some occasions, we need to test applications with real-world HTTPS
[01:36:29] so that the web application knows it's running under SSL/TLS. I previously had a self-signed, auto-generated certificate in my Apache config. In some cases, the web application needs to be accessed by its own domain name, not just by localhost/appname.
[01:36:54] So we accessed the app at https://appname.localhost. After configuring Apache accordingly with a virtual document root configuration directive, Windows, macOS, and Linux have a built-in default behavior that makes anything.localhost
[01:37:18] resolve to 127.0.0.1, meaning any subdomain of localhost is also the same as just localhost, 127.0.0.1. He said, so that works without modifying the hosts file. That is, you don't have to specifically tell hosts this domain has this IP. He said, we would just pass the browser security warning and move on.
[01:37:42] You recently talked about how you got a localhost certificate signed by your locally trusted certificate authority. That gave me the idea to do exactly that. I generated a certificate valid for 825 days. He says, I'll come back to that later.
[01:38:14] He says, while https://localhost was happily trusted by any browser on any company computer, https://appname.localhost was not. I researched this with the help of Claude AI and found that it is a restriction baked into most browsers. They will not trust subdomains of localhost.
[01:38:43] Continuing my conversation with Claude, I learned that there are two special .me domains that are publicly registered and resolve on public DNS to 127.0.0.1. Those are lvh.me and localtest.me. He said, so back to my company trusted CA.
[01:39:10] I issued a certificate for lvh.me with subject alternative names for localtest.me, *.lvh.me, and *.localtest.me. And voila. I can now access any web page at https://appname.lvh.me.
[01:39:37] And the beauty of this is that since those are real public domains, they can be used with services like Login with Apple, where we need to configure a real domain redirect URL. And now back to the 825 days. He said, I was happy to learn about the CA/Browser Forum restrictions on certificate lifetimes.
[01:40:02] In particular, Apple's Safari restriction that shortened the maximum to 398 days. I was relieved to find that this restriction applies to publicly trusted CAs only. Any user-installed certificate authority, or in our case, our company-wide trusted CA, can issue certificates for up to 825 days.
[01:40:32] You can find more info here. And he gives me a link where Apple stated that, quote, this change will not affect certificates issued from user-added or administrator-added root CAs. And he finishes, keep up the great work on the show. P.S. A note on Claude Code. It is really amazing what it can do. Echoing Leo, he says, I have a personal side project.
[01:41:00] And in a matter of hours, I have an iPhone application made in Flutter working on my iPhone that can connect to the web version of that project. I wouldn't have been able to do that a few years back, having no experience at all with mobile app development. Signed, Nicholas in Quebec, Canada. I replied to Nicholas thanking him for sharing all that cool information. And he replied, great to hear you find it useful.
[01:41:29] One thing I forgot to mention is that 825 days down to 398 days was only ever required on macOS Safari. Chrome, Firefox, and Edge have no problem whatsoever trusting a certificate issued for five years from a private certificate authority, with no warnings at all. He said Safari is limited to 825 days. Regards, Nicholas. Okay.
[01:41:56] So I had never run across references to lvh.me and localtest.me, so I did some digging. The only caveat I have from a strict security standpoint is that they were registered by private individuals, not by any formal agency such as ICANN. As such, we cannot have any assurance of their future.
[01:42:26] localtest.me was registered by a Microsoft IIS web server developer and blogger by the name of Scott Forsyth. And lvh.me is believed to have been registered by someone named Levi Cook. However, both domains are privacy protected, so that's about all that's known. We do know that LVH is the abbreviation for local virtual host. So that's where LVH came from.
[01:42:55] You know, it's a clever hack using a public domain name to refer to our localhost IP. And everyone mentions that this avoids the need to tweak the local machine's hosts file. But since I already own a certificate for grc.com,
[01:43:16] I can install it into my local web server and change the hosts file, which takes immediate effect without rebooting. And I can then access my local server at the public grc.com domain on my local machine without any browser being unhappy. It all works everywhere.
[01:43:40] So I would be inclined to do that over using someone else's localhost domain registration over which I have no control. But still, I wanted to share this with our listeners because it might solve a problem for many of those, much as it did for Nicholas. So thank you, Nicholas, for that. And we're now at an hour and a half, Leo.
[01:44:07] I think we should take a break and then we will continue with feedback because I got a bunch of good stuff. Yeah, this was... I wonder if I could use this technique. Remember, we were talking about hairpin NAT and how I wasn't able to use a globally qualified domain to access a server in my house. I could probably use this for that, huh? That probably does the job. Yeah, I'll have to check that out. Yeah.
[01:44:36] localtest.me or lvh.me. Yeah. See, this is why you listen to the show. Every show, you're going to learn something really cool and different. And this is why we love getting comments from our listeners, too. We appreciate that. It's really good to have the feedback. Yeah, yeah. I'll tell you at the end of the show how you can email Steve. You can't just email him. You've got to qualify yourself. But it's simple to do. Before we get to that, though, let me talk to you a little bit about Hoxhunt, our sponsor for this segment of Security Now.
[01:45:06] If you are a security leader, you have a tough job. We know that. You're paid to protect your company against cyber attacks. That's getting harder and harder, right? With more cyber attacks than ever. And now, curses. They're using AI to generate impeccable phishing emails that would fool anybody. And unfortunately, many companies are saddled with legacy one-size-fits-all awareness programs.
[01:45:32] They don't stand a chance in today's modern AI-driven space. They send at most four kind of generic trainings a year. Most employees ignore them. And when somebody actually clicks, then they're forced into training programs that kind of feel like punishment. It's kind of embarrassing. And nobody learns if they're feeling punished. That's why more and more organizations are trying Hoxhunt. Hoxhunt actually makes training fun.
[01:46:03] And that's key to making it successful. Hoxhunt goes beyond security awareness. It changes behavior by rewarding good clicks and coaching away the bad clicks. So, as an example, whenever an employee clicks an email, you know, says, oh yeah, this is a scam, Hoxhunt will tell them instantly, well, fireworks go off, providing a dopamine rush that gets your people to click, learn, and protect your company. They're proud. They go, yeah, I found it.
[01:46:32] They gamify it. And it's fun for you, too, as the admin, because Hoxhunt makes it easy to automatically deliver phishing simulations, not just email. Nowadays, it's got to be Slack. It's got to be Teams. You know, it's got to be in all the places that these phishing scams come in. And just like the bad guys, you can use AI to mimic the latest real-world attacks. Simulations are actually personalized to each employee based on department, location, and more. So, they're very effective, right?
[01:47:01] You know, it's a cat and mouse game you're playing with your employees. You're trying to trick them. They're trying to beat you. And that's fun. And instead of these big, long, Flash-based trainings, they're instant little micro-trainings which solidify understanding and drive lasting, safe behavior. You can trigger gamified security awareness training that awards employees with stars, and, you know, a little star on your forehead, and badges, which I know it sounds silly, but it really works.
[01:47:30] It boosts completion rates and ensures compliance. You'll be able to choose from a huge library of customizable training packages. You can even generate your own with AI if you want. Hoxhunt has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. But you don't have to just take my word for it. There are over 3,000 user reviews on G2.
[01:47:57] Hoxhunt is the top-rated security training platform for the enterprise. They gave it easiest to use. They gave it best results. It's also recognized as a Customers' Choice by Gartner. And it's used by thousands of companies like Qualcomm, AES, and Nokia to train millions of employees all over the globe. Visit hoxhunt.com/securitynow to learn why modern secure companies are making the switch to Hoxhunt. H-O-X-H-U-N-T.
[01:48:26] It's like Foxhunt with an H at the beginning. hoxhunt.com/securitynow. It's smart. It's fun. And it really works. hoxhunt.com/securitynow. And as Steve said in his presentation last week, the threat is coming from inside the house. You got it. You got it. Your employees are your worst enemies in some cases. You're certainly the threat. Okay. On we go with comments.
[01:48:57] GP wrote, Hello, Leo and Steve. Wonderful podcast as usual. Regarding the subject of LLMs and password generation, I wanted to share an observation and ask a question. I'm not a statistician, but the recent paper on LLM password generation seems to have major issues regarding sample size, outlier bias, and the comparison of unequal data sets against benchmarks like OpenSSL.
[01:49:23] I didn't perform an exhaustive study, nor did I fine-tune the LLM temperature, but I wanted to see what would happen if I asked Gemini to generate a large volume of passwords. My criteria were a 15-character string using uppercase, lowercase, numbers, and special characters. First, I used a Python script to generate 5,000 passwords using openssl rand.
[01:49:48] Unsurprisingly, it was the gold standard, showing a 2% character repetition rate. I then ran the same test with only 50 passwords matching the study's sample size and found an 8% repetition rate, the same, quote, flaw, unquote, the study attributed to the LLM.
[01:50:11] When I pushed the LLM to generate 5,000 passwords, which required some firm prompting to bypass its suggestion to just write the code for me. I love that. Which is... I don't want to generate them. Let me write an algorithm instead. I'll write a Python script, probably very similar to the one you wrote, GP. That's right. It's like, no, no, no. I just want them from you. Okay, fine.
[01:50:35] He says, the results were telling: a 2% repetition rate and zero duplicate passwords. He asks, am I off base here, or is this study fundamentally flawed despite the media hype? Okay, now our listener, who only identified himself as GP, started out with his disclaimer, I'm not a statistician. But I would argue that in a pinch, he could probably stand in for one.
[01:51:02] GP tested one aspect of entropy within a set of passwords. Essentially, he tested the character distribution within the various sets as a function of set size. With a small set, even one whose actual characters are evenly distributed, there's just not much opportunity to demonstrate that fact.
[01:51:32] Within any small set, the counts of individual character occurrences will be surprisingly non-uniform. For example, I've talked about this before with regard to GRC's DNS benchmark, where we learned that it was actually necessary to take between 5 and 10 times more samples in order to obtain an actionable degree of statistical certainty in the measurements.
[01:52:02] Another empirical way of observing this is that, contrary to our intuition, which tends to not be very accurate when it comes to statistics, there's a one-in-four chance that three successive coin tosses will come up either all heads or all tails. If someone tosses a coin three times in a row, it comes up with the same face each of those three times,
[01:52:32] we'd be inclined to think that it was a trick coin. But no, a perfectly zero-biased coin will do that. So the test that GP ran showed that no matter how evenly distributed a system's chosen password characters might be,
[01:52:55] small sample sizes do not possess the statistical power to prove an even distribution. They just can't do that. But more than that, we still don't know what the many other tests for entropy might reveal. For example, you would obtain a uniform distribution of characters simply by using each character of the alphabet
[01:53:22] in sequence over and over. But that would produce very insecure passwords once the pattern was seen. So while I agree with GP's assessment that the paper's sample sizes may not have been able to produce the statistical power that would be available from larger samples, given how difficult we know it is for any deliberately designed pseudo-random number generator
[01:53:49] to generate high-quality random numbers, there's still no way I would ask an LLM to do that for me. And as a thought experiment, you just wouldn't expect, because of the way LLMs work, they're not random. They're specifically not random. Right. They're shockingly able to speak our language. Right. Which is very not random. You wouldn't use autocorrect to create a password,
[01:54:19] nor should you use an LLM to create a password. Yes, it's not monkeys pounding on a keyboard producing Shakespeare. Right. Yeah. Right. Dana J. Dawson said, Hi, Steve. I just listened to SN 1066. I just wanted to share that Cisco has had a simple TTL, time-to-live, security feature for BGP, you know, Border Gateway Protocol, peers for at least 20 years.
[01:54:48] I don't know that it's very heavily used, but it's a thing. He said, I was tempted to send a link to their docs page, but since nobody should click on links in email, if you just do a Google search for "BGP support for TTL security check," it should turn up. He says, this has also been used for OSPF, and RFC 5082.
[01:55:16] So, of course, he's talking about my previous comment, and the comment that I've made through the years, that I was unaware of the very cool potential for using packet expiration as the packet moves from router to router to prevent, for example, someone in China or North Korea from being able to connect to your server because they're just too far away and there's no way for them to change that.
[01:55:44] So, armed with Dana's reference to RFC 5082, I went looking, and sure enough, I found exactly what he said. RFC 5082 is titled the Generalized TTL Security Mechanism, GTSM, and its abstract says,
[01:56:06] the use of a packet's time to live, TTL under IPv4 or hop limit under IPv6, to verify whether the packet was originated by an adjacent node on a connected link has been used in many recent protocols. This document generalizes this technique and obsoletes experimental RFC 3682.
[01:56:35] The RFC's short introduction explained, the generalized TTL security mechanism, GTSM, is designed to protect a router's IP-based control plane from CPU utilization-based attacks. In particular, while cryptographic techniques can protect the router-based infrastructure from a wide variety of attacks,
[01:57:01] many attacks based on CPU overload can be prevented by the simple mechanism described in this document. Note that the same technique protects against other scarce resource attacks involving a router CPU, such as attacks against processor line card bandwidth. And it goes on, blah, blah, blah. The point is that
[01:57:29] if somebody in China or North Korea were to be using a password-based authentication, which requires crypto, merely the act of invoking authentication, which uses CPU-expensive cryptography, could bring the router down. So the first thing you do is use this packet TTL
[01:57:58] to immediately discard anything whose TTL is too low, because the physically adjacent router, the router right next to you will not decrement TTL, or if it does, it's just down by one. So you know that's your directly connected neighbor. Then you allow authentication to occur without concern that you have some remote attacker
[01:58:27] who is invoking authentication trying to bring down your CPU. So thank you, Dana. That is very cool. And I'm very pleased to see that at least some parts of the industry have clearly recognized, well, recognized and standardized upon the use of TTL as a security mechanism. That's neat. Brian Dort said, Hi, Steve.
[01:58:54] I wanted to pass along that a Reddit post really captured something I've been experiencing lately and thought it might make an interesting discussion topic for Security Now. The post's author describes a shift from writing code to managing AI agents that produce the code. His analogy of supervising what he described as brilliant,
[01:59:20] but occasionally drunk PhD students is the way he described the AI agents. Brilliant, but occasionally drunk PhD students. Brian said, felt uncomfortably accurate. The productivity trade-off he describes, losing a few hours occasionally but gaining months of work in a week, matches what I've been seeing as well. For context, he says,
[01:59:49] I've been a developer since the late eighties, mostly in enterprise and healthcare IT, same as the OP. After decades of writing code every day, I'm actually retiring at the end of this month. What is fascinating is that right at the end of my career, the nature of programming itself seems to be shifting dramatically.
[02:00:16] I remember writing a final paper in college on the state of AI and where it was heading. I wish I still had that paper today. He says, it feels less like writing code line by line and more like directing the system, setting constraints, verifying outputs, and managing the behavior of these AI tools. In a lot of ways,
[02:00:40] it feels closer to architecture or technical oversight than traditional programming. I wholeheartedly agree with a sentiment in the post. The identity of a programmer seems like it may be evolving into something more like an orchestrator of intelligent tools. Anyway, I thought it might make for an interesting side note for the show. Also, since this is almost required when writing to you, I'll add that I've been a listener since episode one.
[02:01:10] I'm a proud Spinrite owner and a DNS Benchmark Pro user. Thanks for all the great years of content on Security Now. Cheers, Brian Dort, Alpena, Mississippi, Michigan. That's right. Michigan. Am I? So, you know, we've all been talking about this sort of change, right? And I suspect it's the experience everyone is now having with vibe coding. Sounds exactly like what everyone is reporting. This Reddit post author, our listener,
[02:01:40] Brian Dort, and of course, you, Leo, have all described this new paradigm similarly. What will now happen is that those, you know, occasional lost hours will become fewer and further between as the technology continues to evolve. Computer programming has always been about wrestling with the details. We've talked about, you know,
[02:02:09] off by one errors, those sorts of things. Um, and that happens to be what I personally enjoy. I enjoy the details. Um, I've remained with assembly language through all these years because I love thinking about the allocation of a limited number of registers, which in the case of Intel's x86, each have slightly different capabilities and limitations.
[02:02:35] Every function that I produce is a perfect little gem, each of which I love. Since I have not yet left assembly language, even for C, I doubt that vibe coding is going to grab me, but at the same time, I 100% fully, truly,
[02:02:56] and deeply understand that AI driven code generation represents a breakthrough of astonishing proportions for anyone whose goal is not to spend time optimizing the size of a variable or basking in the glory of stack allocations and the elegance of linked lists. But instead, to create something that simply gets the job done. That's most people. I get it. In fact,
[02:03:25] I now suspect that AI driven coding's greatest impact may be due to its empowerment of non-programmers to do things with computers that were never possible before for them. And we've shared some of our own listeners feedback to that effect. I just, what I was thinking, just as an experiment, just ask Claude to write a random number generator in x86 assembly language for me. So I'll get back to you. Cool.
[02:03:55] Yeah. You could probably look at something simple like that and vet it. It says, I'm using a linear congruential generator algorithm seeded from the BIOS timer tick. Is that okay? No. Bad. I'll tell it. No, Claude. Bad Claude. No, you do not want to use an LCG. Those are really bad. Okay.
[02:04:22] They produce an immediately predictable and repetitive set of numbers. Oh, wow. All right. I mean, so yeah, it's not, not good to actually the Intel instructions now have a, an, a random number function in them. So. Oh, okay. Could use, use a single instruction, but. Oh, well, that's no fun. No. Okay. So when I was thinking Leo about who I am, though,
[02:04:49] I would never think to compare myself to the truly brilliant computer scientist, Donald Knuth. My thinking about the use of computing machinery at the bare metal detail level is very much aligned with Knuth's own. Donald's epic authoring of the multi-volume The Art of Computer Programming, which I have behind me somewhere. Yeah. You can see it. It's not there where I got,
[02:05:18] maybe it got covered up by my PDP-8s. I have mine here. It's only two volumes so far, right? It's behind that, uh, that magnetic, uh, I see it. I see it peeking through. Yes. How many volumes do you have? Three? Uh, I've got, I only have two. I have all of them. And on top, in, uh, paperback, are the ones that are not yet, uh, hard bound. Oh, wow. He calls them something,
[02:05:48] not a possible. He's still writing. He's got, yeah, he is. Yeah. So anyway, so The Art of Computer Programming, that set and his thinking, is an embodiment of a life spent thinking about the optimal ways to do things with a computer, like sort lists of numbers, link lists of objects, or manage the allocation of memory. Like me,
[02:06:15] Donald lives to tinker with the bits. You know, he is endlessly discovering clever new ways to solve the interesting puzzles that arise from wondering whether there might not be a better way to do something. And then being willing to spend as much time as it might take to search for a better way. Since we're talking about the brilliant Stanford University computer scientist, Donald Knuth,
[02:06:43] in the context of AI coding, uh, I need to share something. I shared this with you, Leo, uh, during our trip. This is something that Donald Knuth posted last week on February 28th. Then he revised it on March 2nd. He published, this is Stanford university computer scientist, world renowned, famous Donald Knuth, a five page document titled Claude's cycles. It starts a shock.
[02:07:13] Its byline said just Don Knuth, Stanford University Computer Science Department. And he, as you said, his piece began shock, exclamation point, shock, exclamation point. He said, I learned yesterday that an open problem
[02:07:36] I had been working on for several weeks had just been solved by Claude Opus 4.6, Anthropic's hybrid reasoning model that had been released three weeks earlier, exclamation point. It seems that I'll have to revise my opinions about it. He has in quotes, generative AI, unquote, one of these days, he said,
[02:08:05] what a joy it is to learn. Not only that my conjecture has a nice solution, but also to celebrate this dramatic advance in automatic deduction and creative problem solving. I'll try to tell the story briefly in this note. And I can't go into this any further. I mean, he digs into, I mean, I, on the podcast, I can't explain it.
[02:08:32] but he explains that, that, I mean, it really went through a, a series of astonishing reconceptualizations of the problem. Uh, and, uh, be like over the next four pages, he, he shows, you know, eye crossing formulas and, and detail, uh, with Claude trying over and over approaching and tackling,
[02:09:02] tackling the problem from different directions and angles. And then he finally finishes his recitation of Claude's success by writing, uh, Oh, and, and this was done by an associate of his Philip, who then presented, uh, Knuth with the solution. So he writes, Philip told me that the explorations reported above, though ultimately successful, weren't really smooth. He had to do some restarts when Claude,
[02:09:32] stopped on random errors. Then some of the previous search results were lost. After every two or three test programs were run, he had to remind Claude again and again, that it was supposed to document its progress carefully. Then finally, he said, delicious success for an odd M at exploration number 31. So 31 full deep attempts.
[02:10:00] And Claude found the solution. He said, at exploration number 31 came about one hour after the session began all in all. This was definitely an impressive success story. I think Claude Shannon's spirit is probably proud to know that his name is now being associated with such advances. Hats off to Claude.
[02:10:30] Isn't that great? Yeah, I read that too. Yeah. This is somebody who knows his stuff. Yeah. If Donald Knuth says Claude's doing something important, that's pretty convincing to me. I should mention, by the way, that the creator of the quicksort algorithm, which is documented in Knuth's book, C. A. R. Hoare, passed away this week. He was in his late 80s. He was fairly old. And, oh, and incidentally,
[02:10:59] Claude, I said, hey, Claude, I hear that that LCG algorithm is problematic. And then I said, by the way, I had accidentally been using the older model. So I turned on Opus 4.6, which is demonstrably better. And it says, oh, yes, LCG has well-known issues. Low bits cycle with short periods and sequential values are correlated. A much better fit for x86 is xorshift. George Marsaglia, 2003. Yes,
[02:11:30] Mersenne prime. Yeah, uses only shifts and XORs. Cheap on 8086 and has far better statistical properties. Yep. And so it's written it. And, you know. Nice. It says, one caveat, xorshift can never output zero. So the range is 1 to 65,535. The seed must also be non-zero. And that said, I updated seed RNG, which now guarantees that with a fallback. Very nice. Yeah.
[02:11:59] It's 106 lines of code. So it's not super, super compact. But for assembler, that's not too huge. Yeah. It ought to be like 12 lines. Yeah. What is it doing? Claude doesn't have to actually type this stuff. So it's not necessarily the most concise. Wow. Anyway, no,
[02:12:24] here's the thing, we have moved into a new world of, of deductive problem solving fully. I mean, this was some wacky, abstract, uh, uh, uh, Hamiltonian cycle problem that, you know, it just makes your, well, I was going to say, makes your hair fall out, but I've obviously spent some time working on that. Uh, crazy, just amazing. Um, Oh,
uh, Michael P said, Steve, I'm sure you've heard from many listeners. And I had heard from, I have heard from several others about CISA's Cyber Hygiene service, free weekly scanning. And there's a link in the show notes. He says, we have been using this service for a few years. The first report we received was sobering, but actionable. He said, I manage the firewalls, but not the servers. The "huh?"
[02:13:25] look from the server admin when I showed him the report was entertaining. Needless to say, we jumped on these vulnerabilities and had them all resolved in order of severity in short order. Anytime a new one arises, it is immediately addressed. He says, bonus. We had been paying a company $6,000 to perform this service for us once a year to satisfy insurance requirements.
[02:13:53] Now we're able to use the free CISA report as evidence for our insurance provider. Thanks for all you do. Listener since episode 35, club member, and past and present customer of several advertisers, Michael Dauphin in Alabama. Okay. So I recall that we talked about this back when it was first introduced, but I'm glad Michael mentioned it again.
[02:14:19] The only downside is that this service is not generally available, which is why I have not made a bigger deal about it. Under the page's "Who can use this service?" section, the page states, U.S.-based federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations, are welcome to enroll by following the instructions in the Get Started section below.
[02:14:49] Michael wrote to me from his personal Gmail account. So it's unclear what organization quote, we have been using this service for several, for, for a few years, unquote refers to out of curiosity. I initiated a signup request with CISA to see whether they might have broadened their support. Okay. Now, since I wrote this, um, that effort appears to be working. I filled out a bunch of forms,
[02:15:19] identified myself to CISA. Um, it allowed me to say that I was a private sector organization, that I was a, uh, like a software publisher entity, not making any overblown claims for the, you know, the importance of GRC. And I gave it my organization's, uh, you know, CIDR block,
[02:15:48] my 16 IP address block at Level 3. So we'll see whether I qualify. And, uh, if it happens, then it looks like, you know, they're making room for other non-critical-infrastructure organizations. And boy, uh, they, the, the reporting, I, I, I, I thought I had it somewhere. It's not here. It's probably because this happened since Sunday when I sent the show notes out.
[02:16:17] But if they identify something that they regard as critical, um, you, they like recheck it every 24 hours and, and you get like, you, you, you get seriously notified that you've got a problem that needs to get fixed. And the, the retesting rate is a function of the criticality of what they find. So it looks like a fantastic free service. Uh, if we, you know,
[02:16:47] collectively our listeners qualify, certainly if you are federal, state, local, tribal, territorial, uh, public or private sector critical infrastructure, do this. Why wouldn't you? So I w I'll let everybody know if GRC qualifies. I would love to have CISA scanning my network block, letting me know if there's anything that they think I should fix. I'll be surprised, but then people do get surprised. And that's the whole point.
[02:17:17] And finally, uh, uh, Barron Jenkins says, Steve, while listening to this week's episode, you responded to a listener who asked about the possible use of self-signed software. There is one pain point that the self-signed certs could help with, and that is the limit on the number of signings you can do without paying extra. That's very good point. If like things are moving to the cloud and we're going to start getting
[02:17:46] charged per signature, which, Oh my God, uh, it would be annoying. He said, for those compiling and testing many iterations of their software before sending it out to the wide world, self-signed certs could be used to reduce the number of times that you use a CA to sign your code. You could save your valuable limited number of signings for the public releases of your software.
[02:18:15] A lot of the people you use to test your software probably won't have any problem installing a self-signed cert, you know, like your own roots, uh, CA just for the purpose of testing it. It could save small developers a lot of money while working on their own software. So I think that's a very good point. Uh, use of a self-signed cert within a closed circle of development testers and
[02:18:41] only sign the final release with a publicly trusted CA, uh, issued certificate. Uh, and I, I want to go back to the CISA.gov, uh, piece because I feel like I skipped over it. I do have the notes. I have the URL in the show notes for anyone who's listening and doesn't get the show notes or have them. It's cisa.gov,
[02:19:08] Then it's forward slash cyber hyphen hygiene, hyphen services, cyber hygiene services, separated by hyphens. Why would you not sign up and get a free scanning? I think that it makes a lot of sense. So again, thank you, Michael P for, uh, bringing that to our attention and back to mine. I just assumed it was only government agencies, but they, they seem to embrace me. I mean,
[02:19:36] I've had several emails back and forth and it's now being, you know, I'll hear from them as soon as they, uh, are ready to go. So we'll see. They clearly deem you a critical infrastructure organization. I think it's a very, uh, soft. They want to discourage home users from signing up for this program. Yeah. Yeah. I think that's true. I have a server and you're putting commercial software on there for people to download. I think you can't. Yeah. That would be cool.
[02:20:05] That means that a huge portion of our listeners are, you know, in, in their enterprises could also benefit from this would be really, yeah. He, what was he, he said he was spending 6,000 bucks. Yeah. His insurance, his cyber insurance policy required a, an annual full review, a scan, a security scan for which they were paying $6,000 in order to, in order to get their, their cyber insurance policy.
[02:20:35] So CISA does it for free and it's CISA. Yeah. Yeah. Oh, by the way, Cy phase in our Club TWiT Discord says, of course, Steve is critical infrastructure. He has software on the space station for crying out loud. Just mention that in the email. I think they'll immediately sign you up. It's a good point, Cy phase. Okay. Uh, our last break. And then you can't hide from LLMs. Do you want to see the, uh,
[02:21:04] it turns out it's a pretty trivial thing that I, uh, gave it once I explained that it shouldn't use that bad, bad algorithm. Uh, it understood that, oh yeah, this is the algorithm I'm going to use, which is the xorshift. Much more sense. Yeah. Much more sense. And it is, and the hundred lines, a lot of that's comments. There's even a whole block of generating. So it's really quite simple. It's getting a BIOS, uh, system timer tick count, getting the low word,
[02:21:33] making sure it's not zero. And then, uh, it's doing the, the shifts pretty quickly, couple of moves. And then, uh, and then it's returning the number. So it's, it's pretty straightforward. Yeah. And you, it did, I'm seeing that it did do, uh, it is, it is all 16 bit code. You could ask it for, uh, 64 bit or 32. Yes. Uh, or, or at least 32 bit X86 code. Yeah. This is a random 16 bit value.
[02:22:02] Yeah. Um, yeah, you could totally ask it for that. And the other thing is notice how nicely commented it is. It's actually, and I noticed that it wrote, it wrote a, um, I mean, it's a full program, that thing up at the top, it says dot small and, oh yeah, and model and so forth. Yeah. Yeah. It's doing the whole thing. In fact, it even says, that's the stack. It notes that, uh, that, uh, the, uh, uh, DX to AX clobbers the tick count. And it notes that at the end.
[02:22:32] So here's the demo. It gives you a little generate five random numbers and print them so that you know that it's actually doing something. And then it says at the end, you know, note the comment says clobbers AX, CL, but Rand also clobbers BX, worth fixing if this is going into a library header. And I noticed it also uses the console in order to actually print things. So there's a lot more than just the random number generator. That's very, yeah, it's, it's a fairly, uh, I mean, I would say this is,
[02:23:00] it gives you the impression and understands what it's doing and, yeah, did something intelligent. It didn't pick the right algorithm at first, but that's cause I was, I'm using the wrong model. Color me impressed, my friend. It is, uh, it is really, I think it's, it fundamentally changes what we think of as coding by introducing an automated middleman between this is what I want and, right. And, you know, right. And I need code to do it. Right.
[02:23:30] I mean, and this is a super trivial little thing, but just, you know, I didn't want to take something, do something that would take hundreds of lines of code. So, um, you are watching Security Now. Aren't you glad you're here? Uh, we do this every Tuesday, uh, right after MacBreak Weekly, about 1:30 Pacific, 4:30 Eastern, 2030 UTC. Yes. We're in daylight saving time now. So we've shifted over, 2030 UTC. You can watch us live on, uh, twitch.tv, uh, x.com,
[02:24:00] youtube.com, Facebook, LinkedIn, uh, and Kick. And, uh, if you want to watch live, I hope you will. If not, after the fact on demand at twit.tv/sn. Steve's got copies of the show. I'll explain a little more about what he's got, kind of unique versions, at his website, grc.com. There's a YouTube channel. And of course it's a podcast. So you can subscribe in your favorite podcast client.
[02:24:29] Now, let's, since we're talking about LLMs,
[02:24:58] let's talk about LLMs. It turns out that mimicking human consciousness is not the only thing. LLMs can be spookily adept at. Uh, it will probably not come as a huge surprise to learn that LLMs can be frighteningly good at discriminating among similar appearing objects, including among people.
[02:25:25] Our friends at ETH Zurich with some help from Anthropic have been at it again. Their recent paper, published less than two weeks ago, bears the title, Large-Scale Online De-Anonymization with LLMs. Here's what we learn about the latest trick they've taught LLMs. Their paper's abstract. It's a very, very, uh, techie, uh, sounding abstract,
[02:25:53] but everyone will get the, you know, a sense for this. They said, we show that large language models can be used to perform de-anonymization at scale. With full internet access, our agent can re-identify Hacker News users and Anthropic Interviewer participants at high precision. Actually, it doesn't say it here, but it's 99% accurate.
[02:26:21] Given pseudonymous online profiles and conversations alone, matching what would take hours for a dedicated human investigator. We then design attacks for the closed world setting. Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual,
[02:26:47] we implement a scalable attack pipeline that uses LLMs to, one, extract identity relevant features, two, search for candidate matches via semantic embeddings, and finally, three, reason over top candidates to verify matches and reduce false positives. Compared to classical de-anonymization work,
[02:27:14] and they cite a previous example known as the Netflix Prize, that required structured data, our approach works directly on raw user content across arbitrary platforms. We construct three data sets with known ground truth data to evaluate our attacks.
[02:27:36] The first links Hacker News to LinkedIn profiles using cross-platform references that appear in the profiles. Our second data set matches users across Reddit movie discussion communities, and the third splits a single user's Reddit history in time to create two pseudonymous profiles to be matched. In each setting,
[02:28:01] LLM-based methods substantially outperform classical baselines, achieving up to 68% recall at 90% precision compared to near 0% for the best non-LLM method. Our results show that the practical obscurity protecting pseudonymous users online no longer holds,
[02:28:29] and that threat models for online privacy need to be reconsidered. Wow. It turns out that individuals who believe their identity is well-protected simply by their use of online handles are likely to be far more readily de-anonymized than they might imagine. So I'm only going to share the paper's introduction since it suffices to make their case. They wrote,
[02:28:57] For decades, it's been known that individuals can be uniquely identified from surprisingly few attributes. Sweeney's seminal work demonstrated that 87% of the U.S. population could be uniquely identified by just zip code, birth date, and gender.
[02:29:19] Narayanan and Shmatikov showed that anonymous Netflix ratings could be linked to public IMDb profiles using only a handful of movie preferences, while de Montjoye et al. proved that four spatiotemporal points are enough to uniquely identify 95% of individuals in mobile phone datasets.
[02:29:46] Despite these attacks, pseudonymous online accounts, Reddit throwaways, anonymous forums, review profiles, etc., have remained largely unaffected by de-anonymization attempts. The reason is simple. Applying such attacks in practice has required structured data amenable to algorithmic matching or substantial manual effort
[02:30:15] by skilled investigators reserved for high-value targets. De-anonymization is a two-step process at heart, involving profiling an anonymous person from their posts and then matching them to a known entity. It's well known that large language models can infer personal attributes from text on online forums. Given this, it makes sense to ask,
[02:30:45] how good are LLMs at full end-to-end de-anonymization? And is this a practical threat to pseudonymous accounts? Our contributions. We demonstrate that LLMs fundamentally change the picture, enabling fully automated de-anonymization attacks
[02:31:14] that operate on unstructured text at scale. We show this by phrasing de-anonymization as a matching problem and showing LLMs can perform all steps needed to match accounts, extract identity-relevant signals from arbitrary text, efficiently search over millions of candidate profiles,
[02:31:39] and reason about whether two accounts belong to the same person. We show that the practical obscurity that has long protected pseudonymous users, the assumption that de-anonymization, while theoretically possible, is too costly to execute broadly, no longer holds.
[02:32:04] We validate this thesis in three de-anonymization settings, matching an online account to its real identity, linking an identity to an unknown pseudonymous account, and linking pseudonymous accounts of the same person across different platforms or time periods. These settings capture distinct threat models, for example, doxing of an online account, a stalker targeting a victim,
[02:32:33] or an adversary consolidating a user's activity, and pose different technical challenges. Okay, in other words, for us, the emergence and presence of LLM technology with its application of massive computing resources completely changes the game for the strength of online pseudonymous identities.
[02:33:00] Many new capabilities are almost certain to eventually come online. For example, it becomes entirely feasible now for law enforcement and intelligence services to identify and track individuals through their online style, their word choice, beliefs as reflected in their online postings. Not feasible to do it before, now feasible.
[02:33:28] We've been thinking of the NSA's massive data center as a storage repository of encrypted data being sucked in from all over the internet, which may someday be revealed when quantum computing cracks traditional crypto. But imagine if the NSA's data centers were instead sucking down the same already decrypted plain text content that all of the rest of us see,
[02:33:58] but now it's being fed into massive LLM technology to de-anonymize persons of interest. Whether we may like it or not, we're each individually leaving identifying content in everything we post. As these researchers noted, historically until now, this wasn't an issue since the cost of performing such de-anonymizing would have been astronomically high, making it completely infeasible.
[02:34:28] The emergence of LLM technology has forever changed this calculus. Their paper's discussion section at the end summarizes what they believe their findings mean. They write, de-anonymization is one instance of LLMs acting as an information microscope that makes previously manual and expensive attacks scalable.
[02:34:54] Our paper shows that LLMs democratize de-anonymization. Echoing concerns raised by prior work on LLM-based attribute inference and semantic privacy leaks, we argue that the asymmetry between attack cost and defense cost may force a fundamental reassessment of what can be achieved private, or I'm sorry, what can be considered private online.
[02:35:23] Our large-scale experiments provide quantitative evidence for these concerns in the de-anonymization setting. So what do our findings mean for the future of privacy? Governments could link pseudonymous accounts to real identities for surveillance of dissidents, journalists, or activists. Corporations could connect seemingly anonymous forum posts to customer profiles
[02:35:52] for hyper-targeted advertising. Attackers could build sophisticated profiles of targets at scale to launch highly personalized social engineering scams. Hostile groups could identify important employees and decision makers and build online rapport with them to eventually leverage in various forms. Users, platforms, and policy makers
[02:36:20] must recognize that the privacy assumptions underlying much of today's internet no longer hold. In other words, yikes. I put the link to their extensively detailed 25-page PDF paper in the show notes here at the end for anyone who might wish to dig deeper. There's nothing any of us can do, but it might be worth keeping it in mind. We are,
[02:36:49] if somebody deploys something like this, we're leaving our footprints everywhere. I'm actually surprised that it can do this. Yeah. Did they say it was a specially trained LLM for this particular use? Nope. Don't know. Nope. I mean, I'm sure that they've taken an LLM and they're not prompting it. They are, they're using the LLM technology. Wow.
[02:37:19] Yeah. That's really kind of surprising. That's frightening. But I would argue not surprising. Look, I mean, okay, so how surprised are we that it can talk? Right. Now that's surprising. Okay. So, so if it can talk, I mean, if it's something that can talk, then this is just something like that is doing something else that is also surprising.
[02:37:49] It can talk and write assembly code. It's practically, we've unleashed a huge new thing. It's amazing. It's just, it's, uh, I don't know about you. I suspect this is the case. It's exciting because it's, uh, it's something that's been promised by sci-fi and computing theory from, you know, the very earliest days. Leo, I worked at something that called itself
[02:38:18] the AI lab, which, you know, was, was trying to move a chess piece on the board with a robot hand and eye. You were at Stanford's AI lab. Do you, this was a change here. Do you feel like it's a continuity, like the work done there was the predecessor of the work, or is it, is there, I feel like transformers came along and it was a discontinuity. It was a big paradigm shift. It was a little different than the expert systems that SAIL was working on. Yeah. And,
[02:38:48] and remember that this is all outgrowth of neural network. Right. so, you know, the heart is real and neural network. The, what the question, this is the answer to the question, what if we make it way bigger? Right. You know, so a small neural network can like maybe figure out to turn the lights on when the sun goes down. Right. That's about it. This is like, what if we hyperscale a neural network? What happens? And then it says,
[02:39:18] something interesting happens. Hello, Dave. Yes. Something very interesting and somewhat unpredictable to be honest. Happens. It's fundamentally unpredictable. Yeah. In fact, so that it doesn't bore us, we add unpredictability. Right. We, we actually pour it in. Stochastic. Yes. Called a temperature setting. Right. We live in interesting times. Aren't you glad you listen to this show
[02:39:47] to keep up with all this stuff? That's Steve Gibson. That's his job. And you know, what's fun about, for both of us, is we've been about this job for a long, long time and we have seen what's happened and I think it's really fun that we can still be amazed. That we can still go, wow, it can do that? Wow. That's pretty exciting. Very exciting. Thank you, Steve. Steve is at grc.com. Now, if you want to send Steve a comment, a suggestion,
[02:40:16] your own experiences, easy to do, go to grc.com slash email. Steve has some sort of magic system for determining whether you're a bot or not. All done magically and he will vet your email and if you are in fact a human with good intentions, not bad, he will add you to the list of, white list of people who can write to him. You'll also have a chance when you're at that page to check two boxes,
[02:40:45] one for the weekly mailing of the show notes, which he sends out the day before, most of the time, the day before the show, and then the other which he rarely uses, which is an announcement of new products. Both of those are unchecked by default, so make sure you look down at the bottom of the page and check those. While you're at grc.com, of course you can get this show there. He's got three unique versions of this show, four unique versions of the show. He's got the 16 kilobit audio, which is a little scratchy admittedly,
[02:41:14] but has the virtue of being very small. He has the 64 kilobit audio which sounds fine, is a good size that's certainly, you know, if you don't want to waste bits the way, the one to get. He has the show notes which today are 22 pages of goodness with pictures and links and everything you'd need if you listen to the show. This is a great companion and a couple of days after the show's published he will also have a transcript of the show written by a human being,
[02:41:44] Elaine Ferris, because we believe in hiring humans. That's going to be our new motto. Hire a human today. Elaine does a great job. You can get those all at grc.com. And of course, Steve's bread and butter, Spinrite, the world's best mass storage maintenance, recovery, and performance-enhancing utility, version 6.1 currently. And his newest program, a mere $10, it is the DNS Benchmark Pro to test
[02:42:13] your DNS servers and find the fastest one for you. Speed up your energy. Yeah, speed up. You know, it's funny, I have OpenDN, or NextDNS, and every once in a while it just stalls. And I don't know why. And I have to turn it off and on again. I have to reboot it. I don't know why that is. It's a strange thing. Maybe I should run the DNS Benchmark Pro and find a better DNS server. That's what I should do. We also have copies of the show at our website,
[02:42:42] twit.tv/sn. There's a YouTube channel dedicated to it. There's also, of course, you can subscribe. It's a podcast, in your favorite podcast client. Leave us a nice review. Tell the world about the most important podcast you listen to all week, Security Now. Thank you, Steve. Have a great week. Enjoy the Ides of March. And we will see you next week. Yes. Righto. Bye. Hey, everybody. Leo Laporte here. And I'm going to bug you one more time
[02:43:12] to join Club Twit. If you're not already a member, I want to encourage you to support what we do here at Twit. You know, 25% of our operating costs comes from membership in the club. That's a huge portion. And it's growing all the time. That means we can do more. We can have more fun. You get a lot of benefits, ad-free versions of all the shows. You get access to the Club Twit Discord and special programming like the keynotes from Apple and Google and Microsoft
[02:43:42] and others that we don't stream otherwise in public. Please, join the club. If you haven't done it yet, we'd love to have you. Find out more at twit.tv slash Club Twit. Thank you so much. Security now.
