Meta quietly ditches encryption for Instagram chats while TikTok also backpedals on privacy, shaking up assumptions about how much big tech really values your secrets. Meanwhile, Steve Gibson reveals why CISA's free government security scans are an absolute must for businesses—plus what he learned when GRC took the plunge.
- The Security Now "Caption That Photo" contest.
- A mega social media company says "no" to strong encryption.
- WhatsApp to give parents more control.
- Consumer bandwidth proxying is becoming a big deal.
- Meta buys the Moltbook duo.
- The EU gives up and settles upon the status quo.
- When a ransomware negotiation is not what it seems.
- CISA compels federal agencies to submit their logs.
- Is that a VPN in your pocket or something more malicious?
- Be careful what you download, thinking it's AI.
- A super-clever and super-simple A/V scanner bypass.
- Will AI write code for me?
- Another listener discovers the Joy of AI.
- Steve's CISA Internet scanning experience.
Show Notes - https://www.grc.com/sn/SN-1070-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now.
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
[00:00:00] It's time for Security Now. Steve Gibson is here. Lots to talk about this week. We need a caption for our photo of the week. Maybe you can help. A social media company, another one, says no to strong encryption. That's not a good sign. There is a problem with proxies serving malware and it might even be coming from your router. We'll tell you how to find out. And then he's going to talk about his experience using CISA's Internet Scanner. All that coming up next on Security Now.
[00:00:29] This episode is brought to you by OutSystems, a leading AI development platform for the enterprise. Organizations all over the world are creating custom apps and AI agents on the OutSystems platform. And with good reason, build, run and govern apps and agents on one unified platform. Innovate at the speed of AI without compromising quality or control. OutSystems is trusted by thousands of enterprises worldwide for mission critical apps. Teams of any size and technical depth
[00:00:58] can use OutSystems to build, deploy and manage AI apps and agents quickly and effectively without compromising reliability and security. With OutSystems, you can accelerate ideas from concept to completion. It's the leading AI development platform that is unified, agile and enterprise proven. Allowing you to build your agentic future with AI solutions deeply integrated into your architecture. OutSystems. Build your agentic future.
[00:01:28] Learn more at OutSystems.com slash twit. That's OutSystems.com slash twit. Podcasts you love. From people you trust. This is Twit. This is Security Now with Steve Gibson. Episode 1070. Recorded Tuesday, March 17th, 2026. CISA's free internet scanning.
[00:01:58] It's time for Security Now every Tuesday. I know you're looking forward to this and I am too. We get together with this guy right here, Mr. Steve Gibson, our security guru. Talk about the latest news and there is always a lot of security news. It is true, Leo. A small, very small subset of the world looks forward to sometimes this Monday morning or I mean Wednesday morning typically. Well, let's put it this way.
[00:02:25] We had about when we were last a couple weeks ago at Zero Trust World. I think there were 1,800 people in our audience. We have, you know, I don't know, maybe eight times that for every show. So it's a lot more people who are listening today than were there in the – although a live audience, you're very aware of them. A podcast audience, we don't know.
[00:02:50] Although, as you'll see, this week's picture of the week issued a caption photo contest. Ah. So what – you know, I invited our listeners to caption this photo early on. Boy, did I get replies. Well, 20,191 pieces of email went out Sunday saying – Wow.
[00:03:19] We got any ideas? Oh, boy. Did I – yeah, I got ideas back. So – All right. Well, we'll see that in just a second. This is episode 1070 for – we're crossing over the middle of March. It's the 17th.
[00:03:35] I decided that I wanted to share the results from my first successful interaction with CISA's free internet scanning because I'm now in a position to be able to know it like what it is and to be able to recommend it without reservation to anybody who's got more than one IP that is, you know, DHCP issued by their ISP.
[00:04:03] Small, medium, large enterprise, I qualified. And as we know, I'm not running anyone's water filtering for the municipality or anything. I'm just GRC. But – so it turns out that that barrier, which they talk about as this is for, you know, government agencies and local, state and federal, you know, no.
[00:04:28] It's commercial enterprises are considered infrastructure in a very broad definition. So, anyway, I'm going to tell everybody everything that I came away with from that and also what it found in GRC's network that – okay, I knew about it, but still, it was interesting. And it was a little bit of a cry wolf. But we're going to talk about the picture of the week, of course.
[00:04:54] Also, a mega social media company has decided to say no to their own strong encryption on their own messaging, which is interesting. Yeah. And what does that mean? WhatsApp is going to give parents more control, which we'll discuss that. I think that's also good.
[00:05:15] And consumer bandwidth proxying that we were just talking about in the context of that bright data, sort of semi-slimy, so smart TV API. Turns out it's becoming a big deal. And I guess, in retrospect, not that big a surprise. That is consumer bandwidth proxying. Also, Meta has purchased the Moltbook founder duo. Try to say that three times.
[00:05:46] We'll talk about that. The EU has given up and is settling upon a compromise with that controversial chat control. Oh, it turns out that ransomware negotiation may not be always what it seems, which should come as a surprise. CISA is compelling federal agencies to submit their logs to them. What?
[00:06:14] Also, is that a VPN in your pocket? Or maybe is that something more malicious? We're going to answer that question. Also, be very careful about what you download, thinking that it might be AI. Once again, bad guys jump on anything that is popular, taking advantage of the enthusiasm of the moment.
[00:06:37] We've got a super clever and also worryingly simple means of bypassing AV scanners that a security researcher came up with. I'm going to answer the question that I keep getting from our listeners, which is whether AI will be writing code for me.
[00:06:57] And I've got an interesting couple of well-informed postings to share about that, followed on the heels of another listener of ours discovering the joy of AI. And then I'm going to share my experience with CISA's free internet scanning and unreservedly promote it to our listeners' enterprises.
[00:07:23] I just can't think of a reason why anyone who was able to and was qualified wouldn't want to enlist another set of eyes looking at and confidentially reporting what they see from the outside. So I think, Leo, maybe it's worth tuning in this week. Well, you've done so already, so it's too late. And I should mention, it is St. Patrick's Day.
[00:07:50] So I shall be disappearing from time to time to check my corned beef to make sure it is doing its thing. And are four-leaf clovers a result of Chernobyl radiation? Ah, that's a good question. Or do they occur in nature? Well, they do occur in nature. I know that because we had them before Chernobyl. But I wonder if there are more of them than there used to be. Aren't they normally three? Normally the three. They are a mutation, I believe. Yes.
[00:08:20] You know, Mark Thompson went to Chernobyl with a group. Like, he thought that would be a cool place to go walk around. And he did report that there seemed to be an abundance of four-leaf clovers. Aha! So. That's a very interesting experiment. What made me think of it, yeah. Hmm. We will get to our picture of the week and your caption contest in just a moment. But first, a word from our sponsor. DeleteMe. Let me tell you, folks.
[00:08:50] If you've ever searched for your name online, if you've ever wondered how much of your personal data is out there on the internet, don't do it. It is a lot more than you can possibly imagine. Your name, your contact info. Steve and I did this, I don't know, about a year ago after a big breach, a big data broker breach. Found our social security numbers, home addresses. You know, it's not illegal to sell somebody's social security number. That seems like that should be illegal. It's not.
[00:09:19] Last week, we had Cindy Cohn, who's the executive director of EFF, on. She's written a new book about privacy's defender. And we talked about why we do not have comprehensive privacy legislation in this country. We do not have that protection. Well, fortunately, we have DeleteMe. Okay? I mean, the bad news, it's completely legal for data brokers to collect all this information about you, your family members, your employees, and then sell it online to anybody, anybody who wants it,
[00:09:49] including foreign nationals, law enforcement. It's not just marketers anymore. Hackers. Of course, this can lead to terrible consequences. Identity theft, phishing attempts, doxing, harassment. But now you can protect your privacy with DeleteMe. I think everybody should be doing this. We first became aware of DeleteMe when Lisa was phished. There were text messages sent out on her behalf. So they used her name and phone number.
[00:10:18] And they knew about her direct reports and what their phone numbers were. And they were able to text them saying, oh, I'm stuck in a meeting right now. Can you buy some gift cards and send them out? So impersonation attack. Impersonation. That's the word. That was an eye-opener. Because immediately I saw they know way too much about our corporate structure. So I think every business should have DeleteMe for their middle management, their upper management to avoid this. This certainly helps a lot.
[00:10:46] And it's something we've been subscribing to for a long time. In fact, you know, every couple of weeks we'll get a DeleteMe email, which is great, telling you what they found, what they've removed. DeleteMe is a subscription service. So it doesn't just, it's not a one and done. It will remove the personal information you specify from hundreds of data brokers. There are more than 500 at the last count and new ones every day. So it might even be more than that. You sign up, you provide DeleteMe with just, you tell them what you want removed.
[00:11:15] So they don't remove too much, right? Just, I don't want my social out there. That kind of thing. I don't want my phone number out there. Their experts will take it from there. They will go one by one and get your stuff gone. And then, as I said, they'll send you regular personalized privacy reports telling you what info they found, where they found it, what they removed. And they will do this again and again because data brokers are like cockroaches. You can't just exterminate them once. They come back.
[00:11:44] And there's new ones all the time. You need DeleteMe to constantly work for you. They always are monitoring. They're always removing the personal information you don't want on the internet. To put it simply, DeleteMe does the hard work of wiping you, your family, your employees, your management's personal information from data broker websites. So take control of your data. Keep your private life private. Sign up for DeleteMe. We've got a special discount for our listeners. This is on the individual plans. You'll get 20% off your DeleteMe plan.
[00:12:12] joindeleteme.com slash twit. So that URL is very important. joindeleteme.com slash twit. Use the promo code twit at checkout. The only way to get 20% off is to go to joindeleteme.com slash twit and enter the code twit at checkout. That's joindeleteme.com slash twit offer code twit.
[00:12:35] We thank him so much, not only for supporting Security Now and the good work Steve does here, but for helping keep us private and safe on the internet. So, Leo, before you look at the photo, I will just tell you that all I wrote across the top of it was Security Now's Caption That Photo contest. Okay. And when you scroll up, you'll see why.
[00:13:05] Oh, boy. Oh, boy. Now, we were talking about this. I don't know where this is, but Paul Thurrott and I were talking about this in Mexico. He lives in Mexico City. This is what the phone poles look like, because if something doesn't work, they don't figure out what's not working. They just put a new one in. So many of these wires are probably non-functional. Tell us what we're looking at here.
[00:13:29] So, well, when I was growing up, we would have called this a rat's nest. Yes. And it is someone atop a – it's hard to describe this as a telephone pole, although these look like phone lines coming in. There's one in there somewhere, I think.
[00:13:51] And look, there's like boxes hanging from wires and various size junction containers. And I do notice that there's a lot of loopage, like rolls of wire that are hanging. It would be really interesting, actually, to know where. Now, and as you noted, when something goes wrong, they just string another one.
[00:14:19] And it's difficult to imagine that this actually functions. And one wonders how long ago this began and to allow this to occur to it. So, it's just – anyway, so in response – all I said was I didn't even – I didn't have a chance to talk about it on the email that I sent out.
[00:14:45] But our 20,191 recipients said, oh, I got a name for that. And so, the responses have been pouring in. In response to something that came in early, that gave me an idea for what I think is going to – I'm going to suggest as the winning caption. But we will see next week.
[00:15:08] In the meantime, those who are just listening to this, I don't think I could adequately prepare you for what you would actually see if you saw the photo in this week's show notes. It is beyond insane. And Leo, how did he get up there?
[00:15:31] He must have had a crane plant him on the top of this because you can't climb the – well, I guess you could climb the side. But then who knows how many wires you'd pull loose. So, wow. That's amazing. And I've had this photo in my pictures of the week candidate pile for quite a while. And finally, I thought, okay, let's just see what our listeners think about this. Okay.
[00:16:00] So, last week, the news – and we talked about this, of course – was that TikTok had decided and formally announced that it would not be adding end-to-end encryption to its already controversial enough short-format video sharing platform. Right? They said that – that is TikTok said that we want to enhance our users' security.
[00:16:27] And doing that means being able to screen the content that our users are sharing and prevent illegal content from being shared. So, they said that.
[00:16:41] Then what's – somewhat surprisingly, last Friday, the Hacker News reported that Meta, of all people, or all groups, all companies, had announced their somewhat similar plan to back encryption out of Instagram. What? What?
[00:17:02] So, the Hacker News wrote, Meta has announced plans to discontinue support for end-to-end encryption for chats on Instagram after May 8th, 2026. So, I guess this was like a 60-day notice, right? March, April, May.
[00:17:23] They said, the social media giant said in a help document, quote, if you have chats that are impacted by this change, you'll see instructions on how you can download any media or messages you may want to keep, which I thought was interesting. How is keeping messages relevant to ending end-to-end encryption? Maybe they're just going to start over. I don't know.
[00:17:48] Like, get rid of everything that has been in the dark that they haven't been able to see so that from now on, any new messaging will be without end-to-end encryption. Anyway, they said, if you have an older version of Instagram, you may also need to update the app before you can download your affected chats, unquote. Quote, Hacker News said when reached for comment, this is what Meta had to say.
[00:18:13] Quote, very few people were opting in to end-to-end encrypted messaging in DMs. So, we're removing this option from Instagram in the coming months. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp. Okay.
[00:18:33] They said, the Hacker News said the American company first began testing end-to-end encryption for Instagram direct messages in 2021 as part of CEO Mark Zuckerberg's, quote, privacy-focused vision for social networking, which we all remember at the time. They said the feature is currently only available in some areas and is not enabled by default.
[00:18:55] Then they said weeks into the Russian-Ukrainian war in February 2022, the company made encrypted direct messaging available to all adult users in both of those countries.
[00:19:09] The development comes days after TikTok said it does not plan to introduce end-to-end encryption to secure direct messages on the platform, telling BBC News that the technology makes users less safe and it wants to protect users, especially young people, from harm.
[00:19:26] Last month, Reuters also reported that Meta proceeded with plans to adopt encryption to secure messages in Facebook and Instagram, despite internal warnings in 2019, that doing so would hinder the company's ability to detect illegal activities, such as child sexual abuse material, CSAM, or terrorist propaganda.
[00:19:52] And then flag those illegal activities to law enforcement. They said end-to-end encryption has been hailed as a win for privacy as it ensures that only communicating users, only communicating users, can decrypt and read messages, thereby locking out service providers, bad actors, and other third parties from accessing or intercepting the data.
[00:20:18] However, law enforcement and child safety advocates have argued that the technology creates a safe space for criminals, as it prevents companies from complying with warrants to turn over message content. A problem referred to as the going dark phenomenon. This year, the European Commission is expected to present a technology roadmap on encryption. We'll have a little more to say about that in a minute.
[00:20:46] To identify and evaluate solutions that enable lawful access to encrypted data, good luck with that, by law enforcement, while safeguarding cybersecurity and fundamental rights. Okay, so I think this is interesting.
[00:21:04] And I wonder whether this signals the start of a gradual backing away from providing strong encryption to consumers on the mega popular generic platforms.
[00:21:21] I doubt whether most lawful users of TikTok, lawful users of TikTok, Instagram, or even WhatsApp, really care all that much about encryption. Sure, if they can have it for free, and if it's built in, and if it doesn't cause them any trouble or headaches, sure, okay, fine, they'll take it. But is even a single person going to walk away if it's removed?
[00:21:50] I doubt it. While there was an initial rush on the part of publishers to provide it, like in 2019 with Zuck's big privacy first business, I don't think it's ever been shown that there was any actual consumer demand.
[00:22:10] Anyone who really wanted secure messaging, after all, could switch to Signal, which is also free and where Meredith maintains unflagging vigilance at the gate.
[00:22:22] So the way we're seeing things shake out, I suspect that the right solution to all the mess and pushback to this messaging, you know, to the increasing prevalence of fully encrypting everyone's random messages on consumer platforms by default, is simply not to bother with it. And no one will much care. I know this will make the privacy at all costs people's heads explode.
[00:22:52] But again, Signal is always available, as is Telegram, and is free for anyone who actually wants it. For those who worry about grooming and CSAM, you know, removing always-on encryption by default from the major platforms will tend to eliminate that opportunistic abuse. It won't be on, and so the bad guys can't safely do that. And in fact, eventually, I think it won't even be an option.
[00:23:21] So I'd be interested, Leo, to know what that gal you had an EFF person on recently wonder, you know, what she had to say about all this. WhatsApp, however, is also moving in a parent-forward fashion. One, Meta also announced the addition of parent-managed accounts for WhatsApp.
[00:23:49] The accounts are designed for pre-teen children where access to account settings will be controlled by a PIN set by the parent. Essentially, parents can control settings, lock those settings on their children's devices, their underage teen, you know, pre-teen children's devices, and obtain some control over it.
[00:24:15] The message content on the pre-teen accounts will remain private. So this is not a privacy invasion. It's a, you know, setting controls lock. Parents will be able to approve to whom their children may speak, what groups they can join, and review message requests from unknown contacts.
[00:24:39] So do a little bit of sort of at-distance management of what their kids are doing, keep their kids from changing that stuff. Basically, parental controls for WhatsApp. And I think, you know, that that seems to make a lot of sense to me and seems like a good thing.
[00:24:59] Last week, we looked in some depth at the company Bright Data, whose unfortunate business model involves arranging to offer end users, like, not directly from them, but by virtue of streaming partnerships and smart TV partnerships,
[00:25:24] to offer end users the ability to lower their costs, either for streaming and or see fewer advertisements, in return for the privilege of routing third-party internet traffic through their ISP-purchased or subscribed bandwidth, and thus using their residential consumer IP address.
[00:25:51] And as we noted last week, there's only one conceivable reason for doing this, which is to allow those third parties to mask their identities and hide whatever their purpose may be among the world's broadly distributed consumers. The issue of consumer proxies was again in the news after we talked about it last week for another reason.
[00:26:19] The Risky Business News late last week opened by writing, American and European law enforcement agencies have seized the infrastructure of a residential proxy provider named SocksEscort. The latest such crackdown against proxy providers over the past years.
[00:26:42] And again, this is like a growth interest on the internet, this idea of proxies, because the internet is getting much better about filtering and proxies are a way to bypass filtering. Risky Business News wrote the service, this SocksEscort service,
[00:27:03] had been running since 2021 and rented access to more than 369,000, so more than a third of a million, 369,000 different IP addresses, not all at once, but across its entire lifetime. So they came and went over time. Generally, there were several tens of thousands at any given time. According to the FBI, they write,
[00:27:31] Europol and Dutch Police, SocksEscort was a front for a malware operation that infected modems and home routers. In other words, unlike Bright Data, which is hopefully an above board, only with user permission and hopefully with user understanding, asking to reuse consumer bandwidth, this is malware.
[00:27:59] These are, you know, leveraging router vulnerabilities in order to get these proxies installed and then obtain persistence. So, in other words, malware proxies, not benign bandwidth bouncing proxies, they were maliciously installed without their host's knowledge or permission to form a proxy botnet.
[00:28:25] Of course, we've talked about proxy botnets through the years because this IP-based blocking, as I said, has been growing and the bad guys are needing to obscure their bandwidth. The article continues writing, Lumen's Black Lotus Labs linked this group to a botnet it discovered in 2023 named AVrecon.
[00:28:54] The botnet never grew to an extremely large size, but managed to maintain, they write, a healthy pool of IP addresses it could rent out to its customers, most of which were other cybercrime operations needing ways to hide their attacks inside the infrastructure of residential internet providers. Europol linked the service to ransomware deployments,
[00:29:20] DDoS attacks, and the distribution of child sexual abuse material. It also estimated that SocksEscort operators made more than 5 million euro from renting their infected IPs, which they noted is quite the sum for a service as simple as, you know, proxying. On the day of the takedown, they write, the FBI published an advisory with tips on how telcos and consumers
[00:29:50] can protect their devices and prevent them from ending up as nodes in proxy networks. It also published advice on spotting and removing, specifically, this AVrecon from residential devices. Over the past few years, they said, the U.S. has mounted a war against residential proxy networks after several reports concluded that foreign adversaries were using infected American routers
[00:30:19] to hide their tracks. Law enforcement takedowns have targeted both private proxy networks, like ORBs or operational relay box networks, but also residential proxy providers. The difference between the two is that ORBs are typically built and managed by the threat actors for their sole use. So those are essentially proxies installed somewhere, while a residential proxy provider is a service built for an operator's financial gain,
[00:30:48] typically rented out to whoever has the money. And they finished saying, past proxy-using botnets that were taken down include 911 S5, Anyproxy, 5socks, RSOCKS, Flax Typhoon's Raptor Train, Volt Typhoon's KV Botnet, APT28's MooBot, VPNFilter, and others. So in other words,
[00:31:17] the idea of proxying is a hot commodity on the internet today. Our takeaway is that while bad guys, again, probably have very little interest in the contents of any random person's internal network, and for that we can be thankful, and let's hope that doesn't change soon,
[00:31:39] there is substantial interest in using and abusing any distributed bandwidth they are able to obtain. Being able to hide and emit their junk, whatever it is, attacks, probes, whatever, from residential IPs, from the IPs of users who have no idea that's what's going on, that's of huge value to them. In fact,
[00:32:08] way back in time, when I tracked down that kid that had been DDoSing GRC, it was a... I got the FBI to work with me. I had the IP address of a source of the attacks, because the source IPs were not spoofed. We located a family a few miles from me, and I made a house call and looked at their computer.
[00:32:38] It was infected. They had no idea this was going on behind their back. They were horrified. And of course I was interested, because I wanted to get a sample of this thing in order to reverse engineer it, which I did. And in return for that, I disinfected their computer for them. But that's an example of, you know, this happening behind people's backs, and nobody had any idea. So,
[00:33:07] we've also learned that substantial interest in, you know, I said there is, there is substantial interest in using and abusing any distributed bandwidth the bad guys can obtain. And what we know is that substantial interest equates to substantial pressure to get in. That is, you know, bad guys want in to people's NAT routers. So,
[00:33:35] keeping the bad guys out means resisting any temptation to rely on a border router's authentication mechanisms. We see time and time again, you just can't. Any NAT router without any deliberately exposed WAN-side services is going to be inherently bulletproof if traffic is only originated from inside
[00:34:05] and is only allowed to come back in from outside when it matches what first went from inside out. So it's a firewall, unless you poke holes in it. Poking holes in it means unsolicited connections from the outside in, because, for example, you just couldn't resist turning on remote web access to your router's management interface. I can't resist that. Please,
[00:34:34] please resist. So I use Tailscale to open up... 100%. That's okay, right? Yes, because Tailscale is outbound NAT penetration, and you are not opening, you know, you are not able to, from Starbucks, you know, put, you know, go HTTPS colon slash slash and then your home IP, and be looking at your, your router's... Oh, log into your ASUS? No, no,
[00:35:04] don't do that. No, no. It's only when consumers decide to deliberately expose external management, you know, access to their router-hosted services that authentication bugs in the router's firmware can be leveraged to install and maintain proxies. So, and again, it's like everyone's false thought is, well,
[00:35:32] who would want to get into my router? I, who would want to get into my network? I don't have anything. The fact that you have a router is valuable. That creates pressure to get in, because they want to set up shop and use your bandwidth and use your IP. And also, you don't want your IP associated with all kinds of dastardly deeds on the internet. That's not good for you either. And there's some interest in, when, what does it take to get a house call from Steve Gibson?
[00:36:02] Asking for a friend. That's special treatment, let me tell you, folks. So, if I... so, does the proxy server run on the PC, or does it run on the router? It's on the router. So, so, it is, yeah. So it's a little, it's a little daemon that is set up in the router. It, it, it's added to the router's boot code so that it comes back alive, and it, it, it, it reaches out
[00:36:31] to a remote command and control server to establish a contact. So even, even with it there, it doesn't open a port. It's, it maintains its own stealth, because it reaches out to the external command and control. And then, so, and then, so basically, it, it phones home to establish a connection, and then to await orders. How, how is, how do you detect it?
[00:37:00] You've got to look at the actual, you've got to, you know, look at the actual... Yeah, well, traffic, or, I mean, it, unfortunately, and this is the problem, is most... the reason I paused there is that all the ways I could think of required you to know Linux. You know, I mean, you need, you need to look at the, the, the shell script startup stuff and go, what the heck is that? That's not supposed to be there. You need Steve to come over. So,
[00:37:30] attack me. If you reboot the router, is that sufficient? Okay. Oftentimes, rebooting, because a lot of these things are unable to establish... yes, they only live in RAM. So, so rebooting is the first thing. Reflashing is, that will also do it. So, like, you know, if, if you're able to just update your firmware, or re-update your firmware, that will also clear things out. Good to know. You know the other thing that's good to know, Leo? What's good to know?
[00:38:00] I know you know. I know, I know. This next sponsor, is good to know about. Everyone should know, about our next sponsor, I completely agree with you, and I would tell you about them, if I just had put the right copy in there. So hold on, just a, just a, just a, just a moment, while I get there. Mesmerize our viewers. Yes. Everybody, look at Steve's coffee cup. Steve's coffee cup. It's so good.
[00:38:29] Our show today, brought to you by Material, the cloud workspace security platform built for lean security teams. I love Material because it's not there to replace you, security teams. It's there to augment you, to make your life better. Managing security in the cloud is tough, especially in those cloud workspaces we all use now. We're a Google Workspace customer. Maybe you're a Microsoft 365 customer. It's not just phishing anymore either.
[00:38:59] It's not the only way in. Today's email security, you know, tends to stop at the perimeter, and new attacks are hard to detect with siloed email, and data, and identity security tools. So Material goes that extra step. They protect the email, the files, the accounts that live in your Google Workspace, or your Microsoft 365, because effective email security today needs to do more than just, you know, block phishing, and other inbound attacks. It needs to provide visibility,
[00:39:28] and defense across the entire workspace threat surface. Material ingests your settings, ingests your contents, your logs. It's smart. It looks at it, and it gives you a holistic visibility into the threats and the risks, not just email, but across the workspace. And then, of course, it gives you the tools to actually remediate them. Material delivers comprehensive workspace security by correlating signals
[00:39:55] and driving automated remediations across the environment. You get phishing protection and email security, combining advanced AI detections with threat research and user report automation. So you've got all these signals coming in, and you can coordinate those. You also have detection and protection of sensitive data, not just in your inbox, but shared files too, because it understands the whole workspace. You also get account threat detection and response.
[00:40:24] Somebody's trying to get Lisa's Google Workspace account pretty much every day. This would give you comprehensive control over access and authentication of people and third-party apps. Material empowers organizations to rapidly mature their ability to detect and stop breaches with step-up authentication for that really sensitive content, blast radius visualization for accounts, and the ability to detect and respond to threats and risk across the entire cloud workspace.
[00:40:52] Material enables organizations to scale their security without scaling their team. It's not there to replace you. It's there to make your life better. Material drives operational efficiency with its simple API-based implementation and flexible automated one-click remediations for email, file, and account issues, including an AI agent that automates user report triaging and response. Makes your life easier.
[00:41:21] Material protects the entire workspace for the cost of just email security alone. With a simple and transparent pricing model, you'll be very impressed. Secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See material.security to learn more or book a demo. Easy to remember. Material.security. We thank him so much for supporting Steve and the work he does at Security Now.
[00:41:50] That's material.security. And now, back to a fully caffeinated Steve. Recaffeinated. Recaffeinated. Okay, so in case anyone was wondering, Moltbook, which was that weird facility, that was affiliated with OpenClaw, where only OpenClaw's autonomous AI agents were able to talk amongst themselves,
[00:42:19] and we lowly humans were only able to look on, gawking in wonder at the interagent AI dialogue. That was just purchased by Meta. I assume, actually, the guys started work there yesterday. I assume Meta's entire interest is in obtaining those two creators of Moltbook. Matt. One of whom is a good friend, by the way, Steve. Ben Parr, who's been on Twitter many times. And Ben Parr.
[00:42:48] Yeah, I didn't know Ben was Moltbook, or I would have had him on the show to talk about it all this time. He was kind of more stealthy than the other guy. The other guy got all the attention. Yeah. Anyway, congratulations. Yes. I'm sure they're being well compensated. I hope so. They both started working at Meta yesterday on March 16th. Meta's MSL, which modestly stands for, M is not for modest.
[00:43:16] M is for Meta, literally this is what they call themselves, Meta Super Intelligence Labs, MSL. Matt has been working on autonomous AI agents since 2023, and he launched Moltbook in late January as an experimental third space, as they put it, for AI agents.
[00:43:39] And Moltbook was built largely with the help of his own personal AI assistant, which he named Claude Clotterberg. Okay. And, of course, his partner in Moltbook, and now also at Meta, as you said, is Ben Parr, who was formerly an editor and columnist at Mashable and CNET. And a good friend. And a good friend of the show, of TWiT.
[00:44:08] So, apparently, Moltbook continues to be available through Meta, although they indicated that they weren't certain what its future might be. So, it's not clear whether they're going to bother to keep it going, but for now, it is. The typical corporate-speak statement from Meta, as reported by Axios, was that, quote, the Moltbook team joined MSL, joining MSL,
[00:44:36] opens up new ways for AI agents to work for people and businesses, unquote, which, of course, says nothing. And I doubt that even they know what they mean by that, but that's how these sorts of acquisitions go, where it's the people that are actually being acquired. Meta doesn't care about Moltbook at all. They just want those guys. Although, I imagine that they want to somehow capitalize on this agentic future.
[00:45:05] And, yes. And extend Facebook to agents. Why not? God help us, Leo. I know. I mean, the real problem with Moltbook, besides the fact that it has had a terrible security model, was that humans could get in, too. Right. So, we never really knew. If it was only AI-generated dialogue. Right. Right. Right. Okay.
[00:45:29] So, the good news is that the EU was unable to secure the votes needed to pass its most recent attempt to force all communication services to monitor their users' communications. I mean, we were balancing on a razor's edge there for quite a while. It's like, this could almost happen. And, finally, Germany reversed their previous, yeah, we think that we probably should vote.
[00:45:59] And they said, okay, no, we're not going to. And that killed the whole thing. So, what we have, instead, is an extension of the previous, what's been called voluntary chat control, which, you know, as I said, that's what's already been in place. Last Wednesday, the 11th of March, Heise Online covered this news,
[00:46:21] writing, the EU Parliament approved a renewed extension of voluntary chat control, which is in quotes because that's not really the official name, but that's what we all call it, to combat child sexual abuse in Strasbourg on Wednesday. After the initiative surprisingly failed in the responsible committee a week ago, MEPs are now attaching clear restrictions to the extension.
[00:46:48] The regulation creates a temporary exception. Again, this is, remember, we were just talking about how COPPA would need to be amended, Leo, in order to allow, like, kids to disclose that they're children, but that would be a breach of COPPA because you're not supposed to know that. Well, here we have to say that would kind of be a hint that something's wrong here.
[00:47:14] Yeah, we got the same thing happening here because you can't even voluntarily look at people's data under EU regulations. So what we have is an amendment to the regulation creating a temporary exception to the European data protection rules, allowing messaging services to scan chats for depictions of child sexual abuse.
[00:47:42] There is currently no agreement on a long-term solution, which is, you know, which is what the EU Commission and member states were hoping to get. Providers of messaging services, Heise wrote, may automatically scan their platforms for digital traces of child pornography. The search for adults who prey on minors, known as grooming, is also under debate
[00:48:07] because this violates the EU directive on the protection of privacy. The EU hastily created an exception regulation in 2021. This exception regulation, which has already been extended once, now again, is valid until the beginning of April and was supposed to be renewed until April 2028 at the request of the EU Commission. Last week, however, the Commission's proposal surprisingly failed
[00:48:36] in Parliament's Committee on Civil Liberties, Justice and Home Affairs. In a... They're just having all this trouble with this. In a new compromise, Parliament has now agreed to an extension until August 2027. At the same time, MEPs voted for a clear limitation of powers
[00:48:58] to search for already known material and only for users or groups suspected of concrete wrongdoing. Thus, not just a blanket search everybody. Furthermore, encrypted chats should not be affected. Well, actually, practically, they can't be because they're encrypted. A spokesperson for the Committee on Civil Liberties, Justice and Home Affairs said, quote, This exception is a temporary, strictly limited instrument
[00:49:28] that allows providers to continue their voluntary detection measures under certain conditions. The extension must also maintain end-to-end encryption. These restrictions correspond to Parliament's draft for a long-term solution. These will be the subject of upcoming negotiations with the Commission and member states. Only when an agreement is reached here can the renewed extension come into force.
[00:49:57] There's currently no majority in Parliament for far-reaching surveillance powers, such as arbitrary chat control. That's what we were talking about before that Germany vacillated on and then said no. The Council of Member States has also moved away from this after a long struggle, right? However, this does not make a permanent, voluntary solution any easier, especially since it also affects the fundamental rights of EU citizens, which are protected from this.
[00:50:27] While the Commission and member states want to make the controversial exception regulation permanent, the EU Parliament insists on significant restrictions. For example, error-prone technologies such as AI should not be used in the search for child pornographic depictions. Scanning text messages for grooming attempts should also remain prohibited. So if anybody thinks this sounds like a huge mess,
[00:50:57] then you have been paying attention. Because, yes, the EU just, they're in a big scramble and confusion. They're in a pickle. Boy, yes. The good news is that saner heads prevailed, and since they weren't able to push anything forward, they at least didn't move anything backward.
[00:51:21] And companies that have been doing some of their own platform-based CSAM screening, as we know some major providers have, this gives them the cover to continue to do so without requiring them to do it, nor requiring them not to offer their own internal encryption for their users to whatever degree they wish to.
[00:51:52] So, you know, for now, that's what we have, and it's probably the best that we could hope for. You know, they're unwilling to drop it, but they are unable also to push it forward. So they're just extending the voluntary chat control, and maybe that'll calm down over time. It's so telling that in both the U.S. and the EU,
[00:52:15] any attempts to do this have to require exceptions to existing privacy laws. It's like the age verification stuff in the U.S., they have the, whoever it is, the Department of Commerce had to give an exception to the COPPA rules, the Child Online Privacy and Protection Act rules, because, well, if you're going to ask people's ages, that's a violation. Isn't it telling that the thing you want to do is a privacy violation? That should tell you something.
[00:52:46] Oh, well. I'm asking too much. Yeah. I, I, I, uh, there, there was a piece that one of our listeners sent me that I looked at, which, and I can't remember now where the, what the publication was in, but, uh, the, the people were just going crazy calling any indication of L. I know what it was. It, it was that, um,
[00:53:11] Meta had secretly been supporting nonprofits to the tune of $2 billion. I think that was the number, um, across the country, uh, for them to be pushing on behalf of, of, um, uh, the need for age determination. Oh yeah. And pushing Google and Apple to push this onto their platform. And they were doing this secretly because they didn't want anybody to know
[00:53:40] that they were behind this. Yeah. Yes. And my take is that this is where that should happen, that it should be Apple who simply allows an API to be, I mean, the, the user still has control. Uh, uh, if, if, uh, if you want to go to an age restricted site before that happens,
[00:54:05] a dialogue pops up and says the site or the app or whatever it is wants to know, if you are an adult, do you want to give them any indication? You can say no. In which case, if, if you, you may not be able to go there or you can say, yes, I, I'm an adult and I, I, you know, tell them that to me, I mean the, this, I get it that there are people who want to give nothing,
[00:54:36] but it's just not, we also have laws throughout the world where age matters. Yeah. You know, children can't drink alcohol. Children we've decided cannot be exposed to aspects of human sexuality. You know, children, you know, I mean, there is behavior that's regulated based on age that needs to get extended out to the internet because the internet is here to stay. I think that's fair. I really do. I've come around a little bit on that.
[00:55:06] Yeah. I have to find a way to make it work. And I think you're right. There is a choke point. It's a, it's Android and iOS. Yeah. And that's where this should happen. Yeah. And the beauty then is that, and this is Meta's point and they're right. Then every individual provider doesn't have to keep, you know, coming up with their own solution because every independent solution is another opportunity for a privacy breach. And so, you know, you know, doing things like looking at the camera and say, Oh,
[00:55:36] don't worry. We're not going to keep your photo. Well, we've already seen examples where, where third parties did keep people's photos and then they got breached. So, yeah, I, I, I trust Apple and I would trust and Google to engineer something for Android that's as good as we can get. And, and yes, that, you know, you could still have absolute privacy, but then you're going to lose some access to, so to content, which your government has decided,
[00:56:05] you know, only adults should have. So you, you get to choose. Yeah. Yeah. I think that's fair. And it's privacy forward. Yes. Yeah. And it's as good as we can get. I mean, yes, you're, you're going to lose some if you want access to adult restricted content that your government has said, the government that you're, that you are subjected to has said, no, kill children can't have that. You just need to tell us that you're an adult and, and you,
[00:56:34] the platform you're using needs to, you have to have shown that to the platform one time, let them check it. And then the platform remembers and can make that assertion on your behalf. Okay. Leo, get this, this next bit of news just made me shake my head. I'm not going to spend too much time on it, but I didn't want to let it pass without comment. CyberScoop informs us that ransomware negotiators, right?
[00:57:02] Working for the ransomware negotiation firm, Digital Mint. That is like that, that, that companies that have been breached and have been, that are under ransom. They bring Digital Mint in, to negotiate on their behalf. They were also the ransomware attackers that they were negotiating with. Oh. Oh. Oh.
[00:57:30] So CyberScoop wrote: A 41 year old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined 75 and a quarter million dollars in ransom payments.
[00:57:54] And I think that's why he was making a ransomware negotiator for Digital Mint. Oh, this has to be a movie.
[00:58:03] Somebody has to option this. This is too good. According to federal court records unsealed last Wednesday, five of Angelo John Martino III's alleged victims hired Digital Mint, which assigned Martino to conduct ransomware negotiations on their client's behalf, putting him in a position to play both sides as the criminal responsible for the attack.
[00:58:33] And the lead negotiator for his alleged victims. Really, you can't make this up. I don't know. You know, these ransomware guys, they're really hanging in there tough. I think you're going to need to give them some more money. I don't know. Yeah, they're just not. They're really sounding like they're not going to give. They're really hanging in there.
[00:58:57] Martino allegedly, they wrote, Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, a criminal ransomware as a service group. And conspired with other, get this, other former cybersecurity professionals. So, oops. Oops.
[00:59:20] To break into victims' networks, steal and encrypt their data, and extort companies for ransoms over a six-month period. Prosecutors accused Martino of providing confidential information regarding ransomware negotiations to ALPHV co-conspirators to maximize the ransom payment.
[00:59:42] The five U.S.-based victims that hired Digital Mint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a non-profit. I'm telling you, this is a movie, man. I know. A non-profit and companies in the hospitality, financial services, retail, and medical industries.
[01:00:12] All five of those victims paid ransoms. Wow. So, anyway, CyberScoop's coverage of this continues at some length, but everyone gets the idea here. On the one hand, this obviously puts the guy who's negotiating both sides of the deal, as you noted, Leo, in the position to know exactly how much ransom his victim will actually pay.
[01:00:40] Now, just between us guys, what's the maximum you'd be willing to pay? I won't, you know, we just want to find out what your time is. Yeah, exactly. We're not, we probably don't, we don't want to go there, but just so we know, what do we have to work with?
[01:00:56] Now, on the flip side, the upside, such as there is, is that the negotiator is also in the unique position to know for sure whether the attackers, since that's also him, will actually honor their promise to restore the victim's data and delete any copies they might have. I'm pretty sure that if you give these guys a million dollars, they're going to give you the key. I'm pretty sure. That's right.
[01:01:26] I can't promise, but I have a good feeling about it. Seems like, yeah, the way they're talking, I, I, they, they, they seem like, you know, they're obviously they're bad guys, but they seem like good bad guys. This is a gutsy fella. That's, uh, well, he's a gutsy fella in chains right now. Uh, yeah. And, and boy, the, the article had pictures of, uh, uh, aerial photos of his estate in South Florida, you know, and a 220.
[01:01:54] 24 foot yacht that was, you know, docked on his pier. So yeah, he wasn't, he wasn't hurting. And he was married. You got to wonder what his wife thought. Like, you know, he doesn't really work that much. What do you do for a living? He closes his office door and mumbles. Yeah. I don't know. I got a very important meeting with myself. Just, uh, be back later. Yeah. Let you know how it goes.
[01:02:22] So three weeks ago during episode 1067, we covered the news of yet another horrific CVSS 10.0 in Cisco's, courtesy of Cisco, Cisco's SD-WAN product. Uh, this is that bug behind CVE-2026-20127.
[01:02:47] Another critical authentication bypass in Cisco's Catalyst SD-WAN. Uh, and the reason I say another is it had, it had an additional one back in 2020. It's hard to get those right, especially for Cisco. Uh, it, it, in this case it allows unauthenticated remote attackers to gain admin level access to SD-WAN controllers to compromise entire WAN infrastructures.
[01:03:16] Last Wednesday, CISA revised their previous orders, which we covered three weeks ago. Three weeks ago, CISA was saying you needed to update by such and such a time. They had a whole, you know, calendar laid out.
[01:03:34] CISA has now ordered all federal agencies to upload their logs from Cisco's SD-WAN devices to CISA's own cloud platform by next Monday, March 23rd. These Catalyst, uh, SD-WAN devices had been under attack, as we know, using a zero day since, as we said at the time, still true, 2023.
[01:04:05] Wow. And a great many of Cisco's customers have done nothing about it in the past three years. While CISA has no jurisdiction over private enterprises, it does over federal agencies. It has been given that, uh, jurisdiction. This uploading and aggregating of the logs on CISA's platform will allow CISA's, uh, people to investigate which agencies have been compromised.
[01:04:34] So Leo, you were wondering, you asked the question like, how would a consumer know if their router? Well, not easily, but in the case of SD-WAN logs, look, you morons, just send, have you configure your device. To send your logs to our cloud platform. We will look at them for you and let you know if you've got a problem. So, and I imagine the first thing they'll do is like, why have you not updated your firmware on your SD-WAN?
[01:05:03] So, uh, agencies will have to configure their Cisco SD-WAN to send future logs to the same cloud logging aggregation warehouse, which is known as CISA CLAW, C-L-A-W, the cloud logging aggregation warehouse. Hmm. Interesting. Interesting. Uh, clawing back the data.
[01:05:27] Um, now, uh, the past year, as we've talked about, has seen a huge upward trend in the use of VPN services for geo relocation. Why? Well, right.
[01:05:43] This increase in VPN use has been driven by new regional legislation, which forces providers of age restricted content to block access based on the geo location of their would be visitors. Thus appear to be somewhere else.
[01:06:02] Unfortunately, a new demand and a rush to something, whatever, anything, AI, geo relocation, you name it. What is the current enthusiasm creates? It's, you know, that, that rush creates new opportunities for bad guys to take advantage of the inexperience of newbies who are entering a market that's new to them.
[01:06:28] We've previously noted that this has been happening with VPN add-ons for Chrome. Microsoft security has been tracking a group they identify as Storm-2561, which has been using search engine optimization, SEO, poisoning to provide malicious links to unwitting Windows users who are looking for VPN client software.
[01:06:55] Um, Microsoft writes: In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network clients distributed through search engine optimization poisoning.
[01:07:17] The campaign redirects users searching for legitimate software to malicious zip files on attacker-controlled websites to deploy digitally, and here's interesting, digitally signed. Wait, what? Digitally signed. Digitally signed Trojans that masquerade as trusted VPN clients while harvesting VPN credentials.
[01:07:42] Microsoft Threat Intelligence attributes this activity to the cyber criminal threat actor Storm-2561, active since May of 2025. Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors.
[01:08:02] The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. By targeting users who are actively searching for VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings.
[01:08:29] The malicious zip files that contain fake installer files are hosted on GitHub repositories. Which have since been taken down. But of course, GitHub, you know, engenders trust. Additionally, they said the Trojans are digitally signed by a legitimate certificate that has since been revoked.
[01:08:52] This blog, writes Microsoft, shares our in-depth analysis of the tactics, techniques, and procedures, the TTPs, and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion and evade detection.
[01:09:17] We also share protection and mitigation recommendations as well as Microsoft Defender detection and hunting guidance. In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products. But instead, deploy malware designed to harvest credentials and VPN data.
[01:09:45] When users click to download the software, they're redirected to a malicious GitHub repository. They say, again, no longer available. That hosts the fake VPN client for direct download. Okay, so I'll note that while Microsoft keeps reinforcing that the malware has been taken down, they know as well as we do that no sooner will one set of malware be taken down than its replacement will appear.
[01:10:14] In fact, it's more often the case that multiple sets of redundant malware have already been staged in place on GitHub and are just waiting to be linked to when the current malware in use is removed. This allows that malware to age a bit on the platform to increase its appearance of authenticity.
[01:10:39] So a takedown of one set, while certainly useful and necessary, should by no means suggest to anyone that the threat has been, you know, in any way diminished. This is a classic case of whack-a-mole. And while it's true that the game must be played, it can never be won by playing catch-up. You know, another mole will always be ready to pop up somewhere else. Microsoft continues to explain,
[01:11:07] The GitHub repo hosts a zip file containing a Microsoft Windows installer, an MSI installer file that mimics a legitimate VPN software and sideloads malicious DLL files during installation.
[01:11:30] The fake VPN software enables credential collection and exfiltration while appearing like a benign VPN client application. So, for example, an unwitting user believes they're getting a VPN. They download the VPN, install the VPN, activate the client.
[01:11:51] It says it's connected to the remote VPN server, and they then go to wherever they are wanting to VPN to and log in. None of that is true. So the bad guys obtain the credentials they use to log in to wherever they were trying to VPN to. So it is very crafty.
[01:12:16] And I mean, this is the way enterprises end up getting penetrated and being ransomed by somebody from Digital Mint who's working for the bad guys or themselves. So Microsoft said, This campaign exhibits characteristics consistent with the financially motivated cybercrime operations employed by Storm-2561. In other words, ransomware. The malicious components are digitally signed. This was interesting.
[01:12:47] By Taiwan Lua Near Information Technology Company Limited. Okay. The initial access vector, they said, relies on abusing SEO to push malicious websites to the top of search results for queries such as Pulse VPN download or Pulse secure client.
[01:13:13] So you put that into Google, and the first link is this bad one. They said, but Microsoft has observed spoofing of various VPN software brands, not just Pulse, and has observed the GitHub link at the following two domains.
[01:13:37] Once the user lands on the malicious website and clicks to download the software. And again, when you go to this malicious website, you know, if you're not paying attention, if you don't know what the domain should be, it looks legit. I mean, it looks 100% like, oh, good. I just got to the home of Pulse VPN secure. I'm going to download this secure client.
[01:14:07] Why wouldn't you? They said, once the user lands on the malicious website and clicks to download the software, the malware is delivered through a zip download hosted at github.com slash latestver slash VPN slash releases slash download slash VPN hyphen client to slash VPN hyphen client dot zip.
[01:14:32] Looking at that URL is like, okay, what's bad about that? Looks fine. So they said, when the user launches the malicious MSI masquerading as a legitimate Pulse secure VPN installer embedded within the downloaded zip,
[01:14:50] the MSI file installs pulse.exe along with malicious DLL files to a directory structure that closely resembles a real Pulse secure installation path. It's, you know, it's common files backslash pulse space secure. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion.
[01:15:19] Alongside the primary application, the installer drops malicious DLLs, dwmapi.dll and inspector.dll into the Pulse secure directory. The dwmapi.dll file is an in-memory loader that drops and launches an embedded shellcode payload that loads and launches the inspector.dll file, a variant of the infostealer Hyrax.
[01:15:49] The Hyrax infostealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command and control infrastructure, which is how the bad guys learn how to log into, like, your enterprise that you're intending to VPN to securely.
[01:16:12] In other words, no one wants this software, any of this software, anywhere near any of their computers. It's all bad. Microsoft noted that the files were all signed. As I've been saying, no code these days can get off the ground any longer without being signed by someone. In this case, Microsoft also explains, writing,
[01:16:42] the MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked. The Taiwan Lua Near Information Technology Company Limited. This abuse of code signing, they wrote, serves multiple purposes. It bypasses default Windows security warnings for untrusted code,
[01:17:09] might bypass application whitelisting policies that trust signed binaries, reduces security tool alerts focused on unsigned malware, and provides false legitimacy to the installation process. They said Microsoft identified several other files signed with the same certificates. These files also masqueraded as VPN software.
[01:17:37] Okay, so Microsoft described this as an abuse of code signing. Okay, I suppose it's an abuse of the intent of code signing, but I'd be inclined to call it a failure of the code signing requirement to prevent the use of malicious software. Because, right, the bad guys didn't abuse code signing.
[01:18:04] They used code signing to abuse the process code signing was designed to prevent. Maybe I'm splitting hairs, but what we don't know, and what Microsoft chose not to reveal here, is whether this Taiyan Lua Near Information Technology Company Limited is an authentic firm whose valid signing certificate somehow got loose,
[01:18:32] but that's difficult to understand because, as we know, code signing certificates now must reside in hardware, or whether the company was always a facade, which bad guys used to obtain a valid code signing certificate. Microsoft also chose not to reveal who signed their certificate. It would be interesting to know which certificate authority allowed themselves to be spoofed,
[01:19:01] and how and where exactly the required chain of enterprise existence proof failed. How'd this happen? Hopefully, somebody at Microsoft is pursuing this because this is exactly what's not supposed to happen. It's because of all these hoops that I had to go through everything I did in order to update my code signing certificate because you're not supposed to be able to do this.
[01:19:30] But here's a clear instance of very, very malicious software having a valid code signing certificate, and Microsoft mentions it a number of times in their write-up. The only actionable takeaway we could have from this is the annoyingly diffuse imperative to remain ever vigilant. There are bad guys scattered all around the world
[01:19:58] focused upon taking advantage of our trust or in any momentary lapse of our attention. All we really can be is as well-informed and careful as possible. While we're on the subject of bad guys taking advantage of the passion of the day, I wanted to note that Bitdefender, Kaspersky, and ThreatBook
[01:20:27] all recently posted independent examinations of the dramatic rise they all noted in malicious web pages offering instructions for installing AI agents like Claude and OpenClaw. I have a picture here in the show notes of what somebody would receive if they put into Google download Claude Code.
[01:20:57] The first response that comes up is, it's from developers.squarespace.com. Oh my God. It's a sponsored result. Uh-huh. Exactly, Leo. And it says, install Claude Code, Claude Code docs, use the AI-powered sidebar, generate snippets, refactor logic, and explore ideas in a clean interface. Terrible. So you put download Claude Code into Google,
[01:21:27] the first sponsored result that comes up is malicious. Because Google, yes, who would not trust this? Now, we know that we should not be getting Claude Code from developers.squarespace.com. Oh, but. But your typical user doesn't know that. I wonder how many people have been bit by this. That's awful. Yes. Google labels it as a sponsored result,
[01:21:56] and the branding looks authentic. Users tend to trust it. You know? So, you know, no more needs to be said other than to be careful and to always go to the original source of anything you obtain from the internet. And again, the perfect instance. Why is this being done? Because right now, AI is the rage. And the bad guys are going to take advantage of what everybody wants. Oh, and when you install this stuff, you really give it full access to everything. Yeah, it's like.
[01:22:26] So it's a great way to get malware in a system. Yeah. Yeah, you should never Google support numbers either for the same reason, right? Yep. But everybody does. But you should Google, Leo. Oh, our next sponsor? Yeah. How did you know? You're getting good at the segues, Steve Gibson. You better watch out. You're going to be a DJ soon. This episode brought to you by my Thinkst Canary. I love this little guy. I do love this little guy.
[01:22:55] This, it looks like, I don't know, it looks like a little USB hard drive, like external hard drive. But it's not. Sure, it has a USB cable, but it also has an internet port. And that should tell you something. This here is the best darn honeypot anywhere in the world. Honeypots are phenomenally useful. But as we learned when we talked to Bill Cheswick, who wrote Stalking the Wily Hacker and wrote the very first, as far as I know,
[01:23:21] honeypot, they are also devilishly difficult to create because you want your honeypot to be secure. You don't want it to look like a honeypot. You want it to look like something, you know, a bad guy would want to get into. And so it takes a lot of skill to write a honeypot. Fortunately, the people at Thinkst Canary have that skill. They've got decades teaching companies and governments how to break into systems. That's their expertise.
[01:23:50] They know how hackers think. And they have developed the best honeypot ever, the Thinkst Canary. This is a honeypot you can deploy in minutes. It's absolutely secure. It's written bulletproof. And it looks like the real deal. You can go into the configuration utility. It's so easy to set it up. This one's a Synology NAS. That's mine. But it could be a Windows server, a SharePoint server. It could be a Linux server.
[01:24:18] You could turn on all the services, a handful of services. It could be a SCADA device. It could be anything you want. And when it impersonates those devices, it really looks real. For instance, this has a Synology MAC address. So that's probably the first thing to look at. Well, let's see. What's the MAC address? Oh, yeah. This has the exact login screen. It looks exactly like the real deal. The folks at Thinkst Canary take great pride in making very effective honeypots.
[01:24:46] You could make it an SSH server. And the other thing you do with it, which is really cool, is you can create files with it that look like the real deal, like Excel spreadsheets or PowerPoint documents or even things like WireGuard configurations, Cisco SD-WAN configurations, anything that a bad guy might want to get into. And then you could sprinkle those, as many as you want, unlimited all over your network, even on your... I have on my cloud, my Google Drive has a few.
[01:25:16] You know, they look like spreadsheets labeled employee information, that kind of thing. The kind of thing a hacker cannot resist. Now, this is why this is great. If someone is accessing one of those lure files or brute forcing your fake internal SSH server, your Thinkst Canary will immediately tell you you have a problem. You don't get false alerts. If you get that alert via text, Slack, webhooks, syslog, there's an API that you can get any way you want, email.
[01:25:45] When you get that alert, you know, there's somebody in my network. Just choose a profile for your Thinkst Canary device, register it with the hosted console for monitoring and notifications. Then you sit back and you wait. You relax because the minute an attacker breaches your network or a malicious insider starts looking around your network, they can't help but make themselves known by accessing your Thinkst Canary. Now, you should have one for every network segment. You know, Big Bank might have hundreds of these scattered
[01:26:14] all over the place, small operation like ours, just a handful. But let me give you an example. Go to canary.tools/twit. For 7,500 bucks a year, you'd get five. You'd get your own hosted console. You'd get upgrades. You'd get support. You'd get maintenance, of course. Oh, and if you use the code TWIT in the how did you hear about us box, you'll also get 10% off the price for life. Now, you can always return your Thinkst Canary with their two-month money-back guarantee and you get a full refund.
[01:26:44] That's 60 days. And I should tell you, next month it'll be the 10th year that we've been talking about these Thinkst Canaries, a whole decade. I should say that during all of those years, nobody has ever asked for that refund, ever. Because once you get one of these, you know. How did I live without it? Visit canary.tools/twit. Enter the code TWIT in the how did you hear about us box. 10% off, and not just for the first year, but for as long as you have your Thinkst Canaries.
[01:27:15] This, every network needs at least one of these, many of these really. One for every segment, I would say at least. How else will you know if there's an intruder? This is your intruder alert, intruder alert. Thinkst Canary at canary.tools/twit. Don't forget the offer code TWIT. Thank them so much for their support. Yeah, Steve, we're going to the RSA conference next Tuesday. I'm very excited. We're going to have a lot of fun. Sometime you have to come up for that. Have you ever been?
[01:27:45] That's where I met Stina. Oh, you met Stina coming down the escalator. That's right. That's right. Yep. Stina from YubiKey. Yeah. Yeah. On we go with the show, sir. Okay. So this is so, I don't know what this is. Is it frightening? Is it clever? Is it genius? Is it a movie of the week? Okay.
[01:28:08] So a security researcher by the name of Christopher Aziz of Bombadil Systems discovered a very, very clever. I say new technique. I mean, it's always been there, but nobody thought to do this.
[01:28:27] That allows for the creation of malware containing zip files that slide right past endpoint security tools, you know, Windows Defender and so forth. All the various AVs. In his testing, Christopher found that his simple, I mean, horrifyingly simple zip format hack would evade 98% of antivirus engines.
[01:28:55] I think one out of 55 caught it. The other 54 didn't. When Chris packaged something, a piece of known, very well-known malware in a regular zip file, it was almost universally detected by the AV engines at VirusTotal.
[01:29:17] But when he simply then tweaked the zip file's header to claim that its file contents had been directly stored rather than compressed, nearly all existing AV tools were fooled into believing that the contents was just gibberish.
[01:29:40] In other words, they didn't attempt to decompress the contents because the header said it wasn't compressed. It's almost too easy. Christopher put up a page on his GitHub account to draw attention to this obvious-in-retrospect vulnerability. It's at github.com/bombadil-systems/zombie-zip.
[01:30:10] He wrote under how it works. He said, AV engines trust the zip method field. When method equals zero, meaning that the file was stored, not compressed, they scan the data as raw uncompressed, as if it was raw uncompressed bytes.
[01:30:33] But the data is actually deflate compressed, which is zip's standard compression format, deflate compressed. So the scanner instead, believing it's not compressed, just sees it as compressed noise, he writes, and finds no viral signatures. The CRC, the cyclic redundancy check, the CRC is set to the uncompressed payload's checksum,
[01:31:02] creating an additional mismatch that causes standard extraction tools, 7-zip, unzip, and WinRAR, to report errors or extract corrupted output. He said, however, a purpose-built loader, meaning a loader that knows what has been done, that ignores the declared method and decompresses as deflate, recovers the payload perfectly.
[01:31:30] He said, the vulnerability is scanner evasion. Security controls assert no malware present here, while malware is present and trivially recoverable by attacker tooling. As for the attack vector, this is not an end-user extraction vulnerability.
[01:31:54] This is a staged delivery smuggling technique, meaning that you would, you know, malware, some script or something running that's already running would download this. Because of this simple hack, it would get into the system bypassing all AV screening,
[01:32:16] and then it would know how to decompress this back into its fully malicious, uncompressed state. So he said, the staged delivery smuggling technique. First, a malicious payload packaged in what he calls a zombie zip with a modified header. The zip transits security boundaries, email gateways, network scanners, endpoint AV.
[01:32:43] Scanners read method equals zero, scan compressed noise and report, yep, all clean. A purpose-built loader or dropper decompresses the payload programmatically. The payload materializes and executes. He says, this is consistent with established malware delivery patterns,
[01:33:07] known having previously been seen in ISO smuggling, HTML smuggling, CAB abuse, and so forth, where attackers use custom loaders rather than consumer extraction tools. So, what was affected? He said, 50 out of 51 AV engines on VirusTotal were fooled. Also fooled?
[01:33:35] Microsoft Defender, Avast, Bitdefender, ESET, Kaspersky, McAfee, Sophos, Trend Micro, and so forth. He said, only something known as Kingsoft detected it. So, anyway, this just goes to show how some of the simplest hacks, even after all of this time, can still be among the most effective. You know, sometimes there's just no need for something to get overly fancy.
[01:34:04] There's, you know, some assumptions were made, and those assumptions can be abused to the benefit of the attackers. Okay, so, will AI write code for me? Our listeners, understandably curious, because I've been so impressed with things like what Claude Code is doing for people,
[01:34:30] continue to express their curiosity over my own plans for AI coding. I mean, this is like, until this week, where I asked what the caption for that photo should be, it was probably the most often asked thing. Like, well, Steve, when are you going to start using AI? And I'm sure that this is partly due to my having previously made T-shirts for myself,
[01:34:58] which say in white block letters on a black, born to code. You know, and also due to my having been completely open-minded about a topic that has perhaps been more near and dear to me than anything else in my life. I have many times, as we know, Leo, celebrated your successes and experiences embracing Claude Code. And I've shared many of our listeners' similar stunned,
[01:35:27] mouth-left-hanging-open experiences when AI produced code for them that made their computer do things they never imagined they'd be able to obtain for themselves. And in fact, I'll be sharing another instance of that here after this. Obviously, something huge has happened. The question remains what that is exactly. As I settled down last Saturday morning to begin assembling today's podcast,
[01:35:57] I decided to log into X to see whether any of our listeners might have posted a candidate picture of the week. That's where I used to get them. The good news is everyone has largely switched over to using email, as I have, but you never know. So it was serendipitous that when I happened to check, my feed contained several posts that were completely on topic for the question of AI and coding.
[01:36:27] I don't know. Presumably, Elon's X system knows of my interest in the topic and therefore dropped those into my feed. So the first post I want to share was written by a guy named Akash Gupta, who posts frequently on Medium. Akashgupta.medium.com. If anyone's curious, I've got a link in the show notes with the spelling.
[01:36:54] His short bio says that he helps product managers, product leaders, and product aspirants to succeed. And that clearly is his focus. His posting quotes somebody who posted on the 13th, an Arvid Kahl who just wrote, devs are acting like they didn't write slop code before AI. So it sounds like this guy is defending,
[01:37:24] you know, AI produced code against people who are saying, you know, it's sloppy. So Akash Gupta, who has a lot of experience with AI and product managers, he says in his posting, he writes, 41% of all code shipped in 2025, meaning last year, was AI generated or AI assisted.
[01:37:52] The defect rate on that code is 1.7 times higher than human written code. And a randomized controlled trial found that experienced developers using AI tools were actually 19% slower than developers working without them. Devs, he says, have always written slop.
[01:38:20] The entire software industry is built on infrastructure designed to catch slop before it ships. Code review, linting, type checking, CI/CD pipelines, staging environments, all of it assumes one thing. The person who wrote the code can walk you through what it does when the reviewer asks. That assumption,
[01:38:48] that is that the person who wrote the code understands it. He says that assumption held for 50 years. It broke in about 18 months. He said when 41% of your code base was generated by a machine and approved by a human who skimmed it because the tests passed, the review process becomes theater.
[01:39:15] The reviewer is checking code neither of them wrote. The linter catches syntax, not intent. The tests verify behavior, not understanding. The old slop had an owner. Someone could explain why temp_fix_v3_final existed, what edge case it handled,
[01:39:44] and what would break if you removed it. The new slop instead has an approver, different relationship entirely. He says, Arvid's right, the guy he was originally quoting, Arvid's right, that devs wrote bad code before AI. The part he's missing,
[01:40:05] the entire quality infrastructure of software engineering was designed around a world where the author and the debugger were the same person. That world ended last year. And nothing has replaced it yet. So I just, I like that just as a statement, you know,
[01:40:27] and his post captures aspects of my own discomfort with using AI to create code that I'm going to put my name on. So the answer to the question of whether AI will write code for me would be not the AI we have today. Even before this, consider this, even before this AI coding revolution arose,
[01:40:56] I should objectively have at least been using C, right? But I'm so comfortable, right. Come on. I'm so comfortable with assembly language. And I now have so much solid boilerplate written by me in assembly language through the years that moment to moment, the path of least resistance is just to keep using assembly.
[01:41:26] When I face the possibility of using something to write code for me, I'm immediately brought up short, wondering how can I possibly know the code it creates is correct. The code I'm writing is never for a lark. You know, I'm not writing it as a hobby. I'm always writing production code that I and others will depend upon.
[01:41:55] Either it's server side code running on GRC servers or code that will form a product that bears my name. In either case, the code needs, I need the code to be as correct as I'm able to make it. It's true that I have, we know, strong perfectionist tendencies. I know that's one of the reasons people listen to this podcast.
[01:42:23] I don't ever judge my work by whether it's good enough. I don't have a good enough. I know, you know, you know, that I judge it by whether it's as good as I am capable of making it. That is my standard. Can it be better? So if I don't actually write the code I'm using, you know, and offering for sale, how can I ever definitively make that judgment?
[01:42:50] If no one or nothing sentient and personally responsible creates it, if the code just magically appears, and if there are large swaths of code that is never carefully inspected by anyone, how can I ever have confidence in what the code does? Sure. I know. Test, test, test. I get that. You know,
[01:43:19] that is after all, you know, the model that many of our development testers know quite well. That's the development model that has evolved with the code that I currently offer by hand is, is validated,
[01:43:34] but is the appearance of the code working or the code no longer being seen to fail an adequate replacement for someone actually writing the code for a purpose? I don't know, but I do know that the entire world is objectively going nuts over AI written code.
[01:44:01] Perhaps the reason for this is that there is tremendous pressure within the larger code creating universe to create more code with fewer human coders. So perhaps it's the fact that I truly love writing code myself and that I feel very little pressure to produce more code faster. Maybe that's, you know,
[01:44:31] why there, why the balance for me, the scale hasn't tipped. I've talked about days past when my little company employed many more people, many of whom I was actually jealous of since they were getting to do the work I wanted to be doing instead of just managing them doing that work. If that's the case, why would I want to have an AI producing code that I would then not have the joy of writing for myself?
[01:45:01] You know, all of the foregoing suggests that the answer to that question, when will Steve be using AI to author his code? The answer is at least not yet. But we should point out, Steve, you're kind of a unicorn. You're kind of a rara avis. Yes. The question is me. Me. I mean, our listeners have been asking, Steve, you're all, you're, you know, you're, you're talking about Claude Code and how great it is.
[01:45:31] When are you going to use it? And I'm explaining why maybe never. Yeah. And I, but nobody, the, how many people work like you? I mean, you're really an anomaly. You weren't in the past. There were a lot of people like Peter Norton and stuff who wrote their own stuff and shipped it and so forth. But most code these days is written by large teams, you know,
[01:45:56] with all sorts of layers of review and architecting. And I think for a lot of what is written today, AI makes perfect sense. Not for you because you're, you know, I didn't, I didn't say otherwise. No, no, I know. And you're right. I agree with you a hundred percent. Yeah. And I, but I do. Anybody who loves to write code should write code. If you love it, you should write it. Why not?
[01:46:26] That's not, but I have to say, I'm not sure I fully agree with this tweet because, uh, one of the things you're not going to see, frankly, if you have a written code is, uh, whatever was it that temp fix underscore, because it won't get patched. It'll be created whole code is so cheap that you refactor, you redo it. You don't, you don't do that kind of, that's what humans do. They apply a little spackle,
[01:46:56] a little bondo to the code. That's not what happens or shouldn't with AI. If it's being done, right. I think really the experience people have with AI coding depends a lot on their own mindset and how they've gone about it and how it really, you become, instead of the coder, you become the kind of more like the manager manager. Yeah. Yes. And, and a good product manager really thinks deeply about specs is willing to throw out code and start over. I mean, and Leo, I,
[01:47:25] I remember, I always say what we have today is not what we're going to have tomorrow. It's going to very much change. That's the other thing. He says 41% of code written in 2025. Well, the thing that changed everything was November 24th, 2025. So when, uh, Opus 4.6 came out, so, so. So, I have one more thing I want to share, but let's take a break. Uh, I'm looking at the clock and now would be a good time. I'm sorry to slow you down. I apologize.
[01:47:53] And then I've got Uncle Bob Martin's post. Oh, Uncle Bob, good old Uncle Bob. He's quite the character, but, uh, a legend in the business for sure. You're watching Security Now with the great Steve Gibson. You know, I'm really glad that there are people like you, Steve, that cherish that are artists. You know, you wouldn't expect a machine to paint the Sistine ceiling. Uh, you're an artist. That's absolutely great. Uh, but I, but I am not.
[01:48:24] So I appreciate having an AI to do some. And there's a whole different side of just getting the job done. Sure. Like, you know, and that's what most people are doing. And I'm going to share a post from a listener after this, that takes the exact reverse. This has changed his life. Yeah. Yeah. And then, uh, you know, and I will say, you know, when I, when I do coding puzzles, like Advent of code, I'm not, I have no interest in having AI do it. No,
[01:48:51] because the whole point of it is me having the fun of writing. And in fact, AI ruined the whole challenge. It really did. It actually hasn't been a very good, uh, uh, influence on it. Uh, he had to change everything. Uh, let me talk about our ad for this segment of Security Now. This episode brought to you by Adaptive. Uh, yes, it's a security platform.
[01:49:14] It's the first security awareness platform built to stop the thing that is perhaps pestering you the most: AI-powered social engineering. Here's the shift. Attackers don't need malware anymore. They just need trust. They need a cloned voice, a convincing deepfake on Zoom, or maybe just buy an ad in Google search, or an AI-written phish that looks exactly like it came from your IT team.
[01:49:45] And as you, as we were saying, when we were at Zero Trust World, uh, as you said, the threat's coming from inside the house. That's why you need Adaptive. Adaptive prepares your organization with simulations, not just an email, but across email, SMS, and voice. You, yes, deepfakes, phishing, voice phishing, and AI-generated phishing, including scenarios that can mirror your own brand and executives.
[01:50:11] Imagine if your CEO is on the phone saying, Simpson, I need you now. You know, this, this is how the bad guys work nowadays. And when employees report something suspicious, is that the boss? Adaptive can help you triage it fast. Hey, I think I might've done something wrong, something bad. So security teams aren't buried in false alarms, but actually can fix the problem before it propagates.
[01:50:39] If you need training fast, with Adaptive AI content creator, you can turn a breaking threat, something just happened yesterday in the news, right? Something Steve just talked about today, an incident report, a compliance doc, instantly into interactive multilingual modules. I mean, I'm talking minutes, no design team required. Adaptive does it. Adaptive will let you build, customize, and monitor every part of your training with complete personalization. The result is a more resilient security culture,
[01:51:08] which is essential. Take a company like Plaid, right? Uh, I use Plaid every day to log into my finance platforms. Plaid's platform powers thousands of digital finance apps, links consumers, developers, institutions together with sensitive data. At its very core, Plaid security and compliance are non-negotiable. What do they use? Yeah, they use Adaptive Security. Plaid's head of security,
[01:51:34] GRC says Adaptive has equipped our teams with cutting-edge tools and built a smarter, more resilient security culture across the company. Actually that makes me feel good. Cause I use Plaid. I'm glad to know they're on it. They're on it. Trusted by Fortune 500s, backed by NVIDIA and OpenAI. Adaptive is building the defenses we need for the AI era. Learn more at adaptivesecurity.com. That's adaptivesecurity.com.
[01:52:03] You want your customers to feel like I do as a customer of Plaid. Oh good. They're, they're doing what it takes. Adaptivesecurity.com. We thank them so much for supporting Security Now. Steve. Okay. So before we leave this topic, actually, we have another note from a listener too, but I wanted to share another X post that appeared in my feed directly underneath the previous one. Uh, it was written by someone who we obviously know Leo, uh,
[01:52:33] you are aware of Uncle Bob. Uh, he's got a Wikipedia page, uh, which, you know, was created to capture and describe his life's work. Uh, his given name is Robert Martin. Uh, although he goes by Uncle Bob Martin, uh, Wikipedia informs us that he's an American software engineer, instructor, and author who is most recognized for promoting many software design principles. And by the way, he's a lover of Lisp, uh,
[01:53:01] and for being an author and signatory of the influential Agile Manifesto. He's authored many books, uh, and magazine articles and was the editor in chief of the C++ Report magazine and served as the first chairman of the Agile Alliance. Yeah. Wikipedia says he joined the software industry at age 17. So like many of us, it's been his life. Uh,
[01:53:27] he's credited with introducing the collection of object-oriented design principles that came to be known as SOLID. And Wikipedia mentions that he's authored many books. That's right. 13 books. Uh, since I'm going to share his, what I think is a, an interesting observation, which really made sense about the current state of AI generated code. I want to first clearly establish his bona fides. Uh,
[01:53:55] so here are the titles of the 13 books he's authored across the past 30 years. And these are real books published by Prentice Hall, Cambridge University Press, Addison-Wesley Professional and Pearson, uh, with titles: Designing Object-Oriented C++ Applications Using the Booch Method, More C++ Gems, Extreme Programming and Practice, Agile Software Development Principles, Patterns, and Practices,
[01:54:23] UML for Java Programmers, Agile Principles, Patterns, and Practices in C#, Clean Coding, A Handbook of Agile Software Craftsmanship, The Clean Coder, A Code of Conduct for Professional Programmers. He's all into clean. Clean Architecture, A Craftsman's Guide to Software Structure and Design, Clean Agile, Back to Basics, Clean Craftsmanship, Discipline, Standards, and Ethics, Functional Design,
[01:54:53] uh, Principles, Patterns, and Practices. We Programmers, A Chronicle of Coders from Ada to AI. Okay. So here's what Uncle Bob Martin posted last Saturday morning. He wrote two months ago while working on my empire game with AI, I had that quicksilver experience. When you push on a blob of mercury, it slips out in some random direction.
[01:55:24] Every time I added a new feature, some older feature would shift behavior. This was true. Even after I added unit tests and acceptance tests, the AI always took the path of least resistance on the current feature and was willing to sacrifice older features. It would change tests,
[01:55:50] including acceptance tests in order to get the latest feature done. Telling the AI not to do that was ineffective. AIs are stochastic, and so are any rules you feed them. Rules bias their behavior, but do not absolutely constrain it. When I called them out on breaking rules, they apologize and swear they won't do it again,
[01:56:19] but they can't really make that promise. They are, in the end, liars and cheats. The solution is to massively over-constrain them, force them to write so many tests that changing a test feature breaks many tests. They feel that force and retract the change. It's like peer pressure with a lot of peers. At the same time,
[01:56:50] I reduce the chances for collateral damage by continuously forcing the AI to partition everything into small, decoupled units. That way, it's not easy to break one feature while implementing another. It also keeps the AI from getting confused by its own messes. The final goal is semantic stability in the face of continuous development.
[01:57:19] The things that worked before keep working as they were, while newer things get added. This is a continuous effort. Acceptance tests, unit tests, TDD, CRAP analysis, and mutation tests are run after a reasonable batch of changes and are tasked with reducing CRAP below eight, covering any untested behavior, and killing all surviving mutants.
[01:57:47] The size of the batch of changes is a judgment call. Too big, and the analysis and repairs take a long time. Too small, and the verification effort overwhelms the development effort. And then he finishes with side note, the mutation tests consume massive amounts of computer power. My cores are running full bore all the time, and that's even
[01:58:17] with differential mutation. There's something poetically just about all this. The AIs require a massive amount of computer power to create. What they create for us takes a massive amount of computer power to keep stable. So, okay, I think this has to do with the size of what he's trying to accomplish, right? Like, you know, he's building something big
[01:58:47] and it's tending to get slippery, like, you know, like liquid mercury where you push on it and it slips away. And, but from the start of our discussion of AI, I've been saying that I firmly believe AI will have a very bright future in coding. I still believe that's true, 100%, but not today's AI. Today's AI is still
[01:59:16] general purpose AI. It's like asking AI for that list of very high quality random numbers. Doing that perfectly, which we know how to do, requires specialization, not generalization. This is every bit as true when it comes to writing code correctly. The laughable catastrophic mess Bob describes in his posting,
[01:59:46] you know, commonly referred to as attempting to herd cats, is not the way to write code. These four sentences from Bob's posting say it all. He wrote, AIs are stochastic, and so are any rules you feed them. Rules bias their behavior, but do not absolutely constrain it. He says, when I call them out on breaking rules, they apologize and swear they won't do it again, but they can't really make that promise. They are,
[02:00:16] in the end, liars and cheats. I believe that in those four statements, Uncle Bob exactly and perfectly captures the state of play today, but that's only today. I'm always, as I keep saying and noting, very careful to state that nothing we have or believe we have today regarding AI will hold tomorrow. And Leo, your November 28th date is a perfect example. On November
[02:00:45] 27th, we had one thing. On the 29th, we had the world changed. It's not at all done changing. You know, we're like in that first round of home on the computers that were interesting and a lot of us got them, but they never got off the ground. It took another, you know, a bunch of more evolution and time for it to finally reach critical mass. And so the way I think this will shake
[02:01:15] out is that someday we will have many differing forms of application specific AI. I suspect that's where the answer lies, at least the most the practically economic answer. As I understand today's AI operation, having a single super genius AI that contains all knowledge and does everything perfectly,
[02:01:44] may be possible, but is incredibly wasteful, as in way too expensive to contain and operate if all you want is high quality code. Instead, employ the far more cost-effective services of a specialist code-generating AI, whose model can be far smaller while also containing far more
[02:02:14] concentrated knowledge about code and only about code. It knows nothing about the works of Shakespeare. It just knows about code. That's why our old model, prior to November 24th, 2025, was asking a question of a chat bot and then taking its code and pasting it in. We've gone way beyond that in a very, very brief period of time. I think AI, especially AI coding, is kind of like the blind
[02:02:44] men and the elephant. You know that adage? Everybody is seeing a different part of it. And I think especially we can't use our notions of coding from prior times in modern times. It's just so different now. And everybody has a different take because everybody has a different experience. It's a huge period of flux. And I think that's the only
[02:03:13] true thing. And really the best advice I think for anybody is just try it, play with it, get to know it, give it a tough problem, read and learn. Everybody's talking about it, not everybody's right. There's a lot of points of view about this. And not everyone can be right when the target keeps moving. I mean, we are, I cannot say enough, the world will be different again next year as regarding
[02:03:43] AI and code. There's just, there's no question about it. Yeah. We're in an interesting time. I mean, I guess the bottom line, we've talked about this before and I think we both agree on it, is that what the job is, is taking human thoughts and ideas and translating them into computer. And what we're trying to make is a computer program that's very adept at that. The easy part is translating it into computer, the hard part is translating us. But for somehow, something happened
[02:04:13] that it got really good very rapidly at understanding what we're saying and putting it into action. But there's still, you know, miscommunications and gaps, it's very, it's, well, we live in interesting times. Uncle Bob's very prolific, talks a lot about this. I actually saw this tweet. He's very active on X and talks a lot about this. Very interesting. So here is an example of AI
[02:04:42] on the flip side. Our listener, Craig, the subject of his email was hard to describe. He wrote, first, I'd like to say thanks for mentoring me throughout nearly my entire career. Now retired, I ran the IT department for a 50-employee DOD, DOE subcontractor. What I learned from you and implemented over the years made
[02:05:11] NIST 800-171 compliance easy. And I can proudly say that my company was never hacked. Oh, wait, aside from that warez kiddie who created a hidden FTP site on my public FTP server. Remember those days? LOL. But aside from that, never once was my network taken down. I had weekly security awareness training from my users, almost
[02:05:41] always from your show. I was tight a decade before anyone was even thinking about security. Thank you. My entire career was hobbled by my poor coding skills. I never attended college for computers, just drinking and failing out. I learned everything. I majored in that too. I learned everything building PCs in those box
[02:06:10] shops in the late 90s. Network Lite, FTW, LOL, Computer Shopper for the win. I used to tell people I can code, but I can't develop. I could write a simple script after hours of scouring Stack Exchange or Spiceworks to figure it out. The places I could have gone if I had properly trained as a developer. Now, all those tools I wish I had over
[02:06:39] my 30 years of career are at my fingertips. The best analogy I can give is that I spent my career in 2D black and white, and all of a sudden, I can see 3D in color, and infrared, and ultraviolet, and x-ray. And he's talking about AI. He said, I now have an entire agent infrastructure team, a CISO,
[02:07:09] architect, audit, monitoring, hardening, infrastructure, etc., managing my entire home lab. My kitchen module has an AI chef running from local Ollama to help with the current recipe. I just got done having CISO build a 3D desktop for my platform inside of my Quest 2. It made downloading 20 years of Google account and then organizing it into my own system
[02:07:39] easy. It's working on building out a complete voice system around my house. It can talk to my 3D printers. All of this is possible and I just have to ask for it in natural language. My jaw is still on the ground. I hate to say it, Steve, but commercial software is dead. I don't need to buy what I can have my agents write. All I need are GPUs.
[02:08:11] So, anyway, I just thought that was a great snippet from one of our customers whose life has been changed thanks to AI. That's nice. Really nice. Yeah. Okay, our last break and then I'm going to share my 100% positive experience with CISA's free internet scanning and pose the question, why are we not all doing
[02:08:41] it too? Well, I'm going to try. I mean, I guess you're, I don't have multiple IP, I guess I do have two IP addresses. I guess, I don't know, I have one static and one theoretically changeable that never changes. You have resources for Twit, right? Or are they just all cloud? It's all cloud. All distributed stuff? Yeah, it's all over the place. So, it would be a small enterprise that has a block of network space. Russell could do it. I'll have
[02:09:10] Russell. He's in Florida? Okay. He can do it from Florida? What do you mean he doesn't work when he's in Florida? Let's do the final commercial and then we'll get to the topic of the day. CISA. Free internet scanning. CISA has been decimated in the recent budget cuts and I'm very nervous. I'm glad they still have their bots running because, yeah, well,
[02:09:40] yeah, I mean, we are the, I'm sure, the target of cyber warfare, if not now, soon. They've lost a huge bunch of staff and they had what I consider to be a terrible administrator for a year. He's gone now, but that doesn't mean everything's better. There's no administrator. We're in an interesting time, let's just say that. This episode of Security Now brought to you by Meter. I'm going to go see these guys at RSA. I'm very excited about seeing these guys
[02:10:10] at RSA next week. Meter is the company building better networks. I want to talk to the founders. I talked to them on the phone a couple of months ago and I was so impressed because they were network engineers who felt your pain. If you're a network engineer, they know the headaches: legacy providers with inflexible pricing, everybody's got IT resource constraints stretching thin,
[02:10:39] complex deployments across fragmented tools. You, Mr. Network and Ms. Network Engineer, are critical, mission critical to the business, but you're working with infrastructure that wasn't built for today's demands and insufficient resources. That's why so many businesses are switching to Meter. And this is so cool: Meter delivers full stack networking infrastructure, wired, wireless, and cellular, that's built for performance and
[02:11:09] scalability. These guys realized there's only one way to build a reliable network and that's to own the whole stack. So Meter designs hardware, that's why I can't wait to see 'em at RSAC, I want to see this stuff in
[02:11:40] switching. They do wireless, they do cellular, they do firewall, they do power (power is important, right?), DNS security. They'll help you with VPNs, with SD-WANs, with multi-site workflows, all in a single solution. One of the things they said they commonly see is a company acquires another company or acquires their warehouse. Now suddenly you have another site with completely incompatible software
[02:12:09] and hardware solutions. You got to get it on your network, you got to get it reliable. Some of these warehouses are 100,000 square feet, so there's all sorts of challenges with wireless, and they go in and they get it all working. They fix it all with their own hardware and software. Meter's single integrated networking stack scales. They are in major hospitals, that's another challenging environment because of all equipment, right? They're in branch offices, warehouses, large campuses, they're in
[02:12:39] data centers. You know who uses Meter in their data center? Reddit. There's network that must perform, right? The assistant director of technology for Webb School of Knoxville loves Meter. They said, we had, this is a direct quote, "We had more than 20 games going on on campus between our two facilities. Each game was streamed by a wired and wireless connections. The event went off without a hitch. We could never have done this before Meter redesigned our network." With Meter you get
[02:13:09] a single partner for all your connectivity needs, from first site survey to ongoing support, without the complexity of managing multiple providers, your tools. Meter integrated networking stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. And isn't that the job, right? Meter is built for the bandwidth demands of today and tomorrow by people who know your pain. They've been there
[02:13:39] and they're here to help. We love Meter. Thank you so much for sponsoring. I can't wait to meet you, Meter, next Tuesday at RSAC. Go to meter.com slash security now to book a demo today, or if you're going to RSAC, go on over to the booth. Meter dot com slash security now to book a demo. And that reminds me, Steve, I will not be here next week. Mike, I'm going to miss Tuesday's shows so that I can go to the
[02:14:09] RSA conference, which I have never been to, so I'm really excited I get to go to this. It's going to be so much fun. We're going to see a lot of sponsors, so that'll be neat too. All right, let's talk about CISA. Okay, so last week I shared feedback from a listener who shared with us that his organization uses CISA's free internet network scanner to keep an eye on his organization's network security exposure. He explained that when he
[02:14:39] first had CISA scan their network, what they found was quite bracing and brought their other IT people up short. And as I also noted, his sharing that with me raised my own curiosity about just who might qualify for CISA's periodic scanning cyber hygiene service, and its page says: Reduce the risk of successful
[02:15:08] cyber attack. Cyber threats are not just possibilities but harsh realities, making proactive and comprehensive cybersecurity imperative for all critical infrastructure. Adversaries use known vulnerabilities and weaknesses to compromise the security of critical infrastructure and other organizations. CISA offers no-cost cybersecurity services to help organizations reduce their exposure to threats by taking
[02:15:38] a proactive approach to monitoring and mitigating attack vectors. By taking advantage of CISA's cyber hygiene services you can, and we have some bullet points here: Significantly reduce risk. Organizations typically reduce their risk and exposure by 40% within the first 12 months. Most see improvements in the first 90 days. Avoid surprises. Because the services look for assets exposed to the internet,
[02:16:08] they identify vulnerabilities that could otherwise go unmanaged. Sharpen your response. By combining vulnerability insights gained with existing threat detection and risk management efforts, enrolled organizations can increase the accuracy and effectiveness of response activities. This means fewer false alarms and less chance of real danger slipping through the net. Broaden your security horizon. CISA's scanning is about
[02:16:38] more than pinpointing vulnerabilities. It's about expanding your organization's security boundaries. From basic asset awareness to daily alerts on urgent findings, you'll be in a better place to make risk-informed decisions. They said CISA's cyber hygiene services include: Vulnerability scanning. This service continuously monitors and assesses internet accessible network assets, public static
[02:17:07] IPv4 addresses, to evaluate their host and vulnerability status. In addition to weekly reports of all findings, you'll receive ad hoc alerts about urgent findings, like potentially risky services and known exploited vulnerabilities. And web application scanning. This service deep dives into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers
[02:17:37] could exploit. This comprehensive evaluation includes, but it's not limited to, the vulnerabilities listed in the OWASP Top 10, which represent the most critical web application security risks. This service provides detailed reports monthly, as well as on-demand reports, to help keep your application secure. Okay, so I've, I brought all this up again because my experiment to see whether GRC's little,
[02:18:07] decidedly non-governmental, non-tribal, 16 IP network block might qualify to receive CISA's automatic periodic background security scans, security and reporting, and it was a resounding and surprising success. Based upon my experience, I would hazard to imagine that a great many of our US-based
[02:18:37] listeners who are in charge of their own small, medium, and even large enterprise networks, like the listener that put me on this, would be able to similarly qualify to receive this free service, much as I have. And if so, why wouldn't everyone wish to avail themselves of this entirely sane, zero cost service offered by an agency of our federal
[02:19:06] government? Now, I suppose I can imagine that it might make some listeners a bit queasy to invite Uncle Sam to scan and report on the state of their networks, but stop to consider that anything that might be discovered and reported is already public information. It's not as if, you know, we're making an exception for CISA, allowing them through our firewalls to rummage around inside
[02:19:36] our networks. That's not happening. They're on the outside attempting to look in, just like would-be attackers and hackers in Russia, North Korea, and China. The difference is that CISA is on our side, with the goal of strengthening North American networks against attackers in Russia, North Korea, and China, and elsewhere. They email password protected
[02:20:05] PDF reports that's only, whose only, its intended recipient is able to decrypt, open, and view. I don't see any possible downside, whereas I see potentially huge upside. Okay, so what happened with GRC? That CISA cyber hygiene services page, it's at CISA, CISA dot gov, G-O-V,
[02:20:35] slash cyber hyphen hygiene hyphen services, I've got a link in the show notes, invites candidates to indicate their interest and open a dialogue by sending an email to vulnerability at CISA dot DHS dot gov with the subject, with just the subject, requesting cyber hygiene services. So I addressed an email and I wrote simply: To whom it may
[02:21:05] concern, I own a small commercial network which I would like to have scanned. Thank you, Steve. That was on the morning of Saturday, March 7th. Did you say, do you know who I am? Just, just, just, to whom it may concern, I want to have my network scanned, thanks. That was Saturday, March 7th, so nobody was working at CISA. I received a reply to
[02:21:34] that email first thing Monday morning, so immediately after the weekend, at 5:32 a.m. Pacific, so 8:32 in the East where CISA is. That email response said: Steve, thank you for your interest in VS, because they like abbreviations,
[02:22:04] they said, so, thank you for your interest in our cyber hygiene vulnerability scanning service, period. Enrollment in our CyHy VS service must be done by a person in your organization who has ownership or authority over the IP addresses to be enrolled. This individual should hold a position such as chief information officer, chief information security officer, or a similar official capacity.
[02:22:34] If you are in this role, please proceed to navigate CISA's cyber services, cyber hygiene services, the beta version of our web-based enrollment system, to complete the following steps. First, create a login.gov account. Login.gov is our trusted partner for secure and private access to CISA's online services, including cyber hygiene. The login.gov account must use the
[02:23:03] same organization business email that will be used to complete the remaining enrollment steps. And actually, I don't think it does, but didn't seem to matter. Second, return to CISA's cyber services, cyber hygiene services page. After logging in, you will now be redirected to the CISA services portal for ReadySetCyber. Use the navigation ribbon to go to cyber services, enroll in cyber hygiene, to return to the enrollment
[02:23:33] process. Third, complete account registration and organization's profile. Complete your organization's profile, enabling your organization to receive cyber hygiene and access other CISA services. And then finally, once you've completed the organization information page, you'll be redirected to a thank you page. Select the enroll now option to continue the CyHy VS enrollment process. This step includes collection of the
[02:24:03] necessary information to enroll in the CyHy VS service and serves as the authorizing document allowing CISA to perform the CyHy VS service for your organization. For the IP address validation process, you will need to input and successfully verify the formatting of your IP addresses before continuing to the next page. Multiple IP addresses must be separated by comma
[02:24:32] or line break. If there are errors with the formatting, the system will display a model noting, or modal, meaning dialogue error I guess, noting how many errors. You will have the option to either go back and correct the errors or download a CSV file for editing if you have input numerous errors. If you have questions regarding your enrollment, please reach out to us at this email address. Best regards, Matt Leon,
[02:25:02] CISA vulnerability management intake team, blah, blah, blah. So I went back to CISA and logged in at login.gov, where I already had an account since I'm 70, soon to be 71, and I used login.gov for managing social security, renewing my global entry certification, and driver's license. So I was then bounced back over to CISA, where I filled out a modest
[02:25:32] and not very intrusive questionnaire. Just, I mean, it wasn't a lot to tell them. Around 10 minutes after completing that process, I received another email with a subject, CISA organizational account confirmation, and an invitation button to complete the sign-up process. I may have done something there, I don't recall, but either way, you know, the email trail shows that 13 minutes later, after that one, I received a final email
[02:26:01] with the subject, cyber hygiene vulnerability scanning acceptance letter. I thought, huh, that was easy. Congratulations, you got in. The letter said: Welcome to CISA cyber hygiene, you know, CyHy, vulnerability scanning, VS. So these people really do love their abbreviations. The letter says: Your CyHy VS acceptance letter has been processed and a copy of the letter has been attached
[02:26:31] for your convenience. Your organization has been placed in queue for inclusion into the CISA CyHy VS service. Scanning will begin as soon as your request file is processed, in alignment with your requested scan start date, and if not otherwise specified, scanning begins immediately. The letter continues: Please keep an eye out for traffic, and actually I did, my log showed the scanning, keep an eye out for
[02:27:01] traffic from CyHy VS scanning IPs, which will signal to you that scanning has begun. You will receive your first CyHy VS report via email on the Tuesday following the initial scan, which is based... and then here's what was interesting. They said: Overview of CISA CyHy
[02:27:30] VS methodology. Cyber hygiene defines a host as having at least one port open and service. Scanning of hosts occurs continuously between each weekly report. Cyber hygiene scan prioritization is as follows. Okay, so we have addresses, IP address, IPv4 addresses with no running services detected, where
[02:28:00] they say, parens, dark space, are re-scanned after at least 90 days. So if there's an IP that seems dead, nothing responds that they could find, it only checks every three months. Or, hosts with no vulnerabilities detected are re-scanned every seven days. Hosts with low severity vulnerabilities are re-scanned every six days. Hosts with medium
[02:28:30] severity vulnerabilities are re-scanned every four days. Hosts with high severity vulnerabilities are re-scanned every 24 hours. Hosts with critical severity vulnerabilities are re-scanned every 12 hours. A single host may have multiple vulnerabilities of varying severity, which informs the frequency that a given host is scanned. Presumably the highest severity vulnerability found defines how often
[02:29:00] it is rechecked. And that finishes: Need assistance? If you need to make changes to the information submitted in the acceptance letter, to include updated IPs to be scanned, or you have any other questions pertaining to your CyHy VS service, please email us at vulnerability at cisa.dhs.gov. Then last Wednesday, the day after last week's podcast, when I didn't know if any of this was going to work, I received my first
[02:29:29] CyHy VS report. Now, I'll admit I was actually somewhat surprised to see that CISA had not found anything critical to complain about. You know, like, I thought maybe. But that's not to say that CISA did not find anything. They did complain that GRC's web servers would still SSL
[02:29:59] TLS connections using old and deprecated 64-bit block ciphers, things like triple DES and Blowfish. Although not Blowfish, that was OpenSSL, but not in my case, that just is what people generally have, really old copies of OpenSSL. I'm sorry, Open, uh, OpenSSH can use Blowfish and should no longer. So what caused my heart to initially
[02:30:29] skip a beat or two was that their report's headline was: urgent vulnerabilities detected. And I thought, what? So obviously that commanded my attention. Their report enumerates their findings by vulnerability description, uh, also whether it is known to be exploited, because as we know that CISA's KEV, KEV, KEV, known exploited vulnerabilities, that's one of their
[02:30:59] big deals, so they've got a column in the report for that, whether it's known to be exploited. Also whether ransomware is known to be exploiting it, uh, because obviously that, that drives an interest in that vulnerability and in being compromised by ransomware. There's a column for its severity, uh, the host IP address and port where the, where they found the vulnerability, uh, and the date and time of its initial discovery.
[02:31:28] In this case, all of GRC's web server IPs, uh, at the HTTPS port 443, share the vulnerability that CISA identifies as, quote, SSL medium strength cipher suites supported, and then in parens they said Sweet32. That's the vulnerability's name. Um, it is not, however, known to have ever
[02:31:57] been exploited, so in the column of known to be exploited, it's no all the way down. The reason is that the Sweet32 vulnerability and attack is theoretical. It's called Sweet32 because the theoretical attack has a complexity of 2 to the 32, meaning 1 in 4 billion, or 4.3 billion. The sweet part of the name comes from the pun
[02:32:27] sweet 16, because it's a birthday attack. You need to do a whole bunch of things, recording all of them, and then looking for any collision between any two, thus the birthday attack. The vulnerability has its own website at sweet32 dot info, which explains the nature of the attack, writing: "An important requirement for the attack is to send a large number of requests
[02:32:57] in the same TLS connection. Therefore, we need to find clients and servers that not only negotiate the use of triple DES, but also exchange a large number of HTTP requests during a single TLS connection without ever re-keying. This is possible using a persistent HTTP connection, as defined
[02:33:26] in HTTP 1.1, with keep alive. On the client side, all browsers that we tested, Firefox, Chrome, Opera, will reuse a TLS connection as long as the server keeps it open." Okay, so it says a large number of requests during a single TLS connection, but exactly how large? In their own testing, to recover a 16 byte
[02:33:56] authentication token, you know, which might be an HTTP cookie for example, a 16 character cookie, which would be two 64 bit encrypted blocks, because this is an attack on 16 bit block encryption, they needed to keep a single TLS connection established for 18.6 hours, during which their client pounded on the server
[02:34:25] with a storm of continuous small HTTP requests, finally transferring 705 gigabytes of data in the process. In short, at least for GRC, this is not a real problem. But that does not mean there's any way for me to defend GRC's now totally unnecessary support for this old
[02:34:55] and admittedly weaker than it needs to be triple DES cipher today. So I very much appreciate the reminder nudge from CISA, and I've already tweaked the cipher suite configurations of GRC's various web servers so that the next time they're rebooted, their support for that long ago deprecated triple DES cipher suite will disappear. You know, it hasn't been useful
[02:35:25] for a long time. It's only there because of inertia, but we know about inertia and security. So that's the story of GRC's establishment of an ongoing, very valuable, free vulnerability scanning service courtesy of CISA. As I said, I cannot imagine why anyone listening to this podcast who's responsible for anything more than a single IP home network, or any sort of, you know, truly fixed,
[02:35:55] pre-assigned IPs which are pointed to by DNS, would not wish to immediately avail themselves of CISA's free scanning service. You won't know what might surprise you until you do. And even if you find nothing, that would be super useful to know too. You know, if you do find something, it might be very important. And, you know, the more that's going on within a
[02:36:24] complex networking environment involving multiple departments and overlapping responsibilities and people who've been terminated and blah blah, we don't know what equipment they left running, and different configurations, you know, the more of that there is, the more chance that something unsuspected may be there. So win, win, win, win, win. That's my motto for the day: you won't know what might surprise you until you do. That's why it's a surprise. Surprise.
[02:36:55] Cyphase found the GitHub repo for all this stuff, so I don't know if that means it's open source. I don't know if you could take the GitHub repo and compile it and make it do... Well, why not have it done for you? Yeah, well, why not, exactly. But it's kind of cool that they've put this all online. Yep. 41 repositories on GitHub under CYHY. Nice. So you can at least see what they're doing. That's,
[02:37:25] that's pretty cool. It's a lot of shell scripts, shell and Python. Yeah, it's running on their infrastructure. And, you know, I did get, so I got that one report that had that one vulnerability, then a couple days later I got a 34 page beautiful PDF that had charts and graphs, and it was tracking vulnerabilities, and like bar graphs, and how long has this been around. I mean,
[02:37:55] it is really valuable. And the listener who put me on to this noted that this replaced, for their insurance provider, a service that they had been paying $6,000 a year for, and that was an annual scan, so something could be bad for a year before it would get seen. I can see some enterprising person taking all this code, getting it running, and making their own commercial version of
[02:38:25] this. It's open source though. CISA has its own, I love this, GitHub repository: commit today, secure tomorrow. I like it. Oh, that's what they said, it's their motto. Yeah, commit today, secure tomorrow. I've got another motto now. I've got two mottos from the last section of this show. That's pretty impressive. Steve, you are pretty impressive. We appreciate everything. You won't know what might surprise you until you do. Surprise.
[02:38:57] Steve Gibson at GRC.com. If you go there right now you will find SpinRite, the world's best mass storage performance enhancing, repair, and maintenance utility. Everybody should have it. If you need SpinRite, you'll find 6.1 there. That's Steve's bread and butter. You'll also find another new program he just
[02:39:31] show. We have copies too, but Steve's got some unique versions: a 16 kilobyte audio version, which makes it, 16 kilobit I should say, audio version, which makes it very compact, and a 64 kilobyte audio version, which sounds perfectly fine. He also has the show notes, which he composes in a mass fit of energy every Saturday and Sunday, caffeinated energy, working
[02:40:00] very hard to get it out, and it's worth getting that, 20 pages there about every week. You can of course download it from the site, but Cable also has a mailing case submit your suggestion for the caption contest. That's right, baby. Yeah. Transcripts created by a nice
[02:40:30] human being named Elaine Ferris, available a few days after the show, also at grc.com. Now, if you go to grc.com slash email, you can get your email address whitelisted so you can send Steve pictures of the week or questions or suggestions or comments, many, but one is for the show notes, which emails out automatically every Sunday or Monday before the show, and then below that a very infrequent
[02:41:00] email he sends out when he's got a new product. Have you used it yet? Not for this product, not for DNS Benchmark, no. I'm wrapping up some changes to get rid of that old ridiculous buy four copies and you're entitled to be a consultant. I'm replacing that with an explicit consultant license. Nice. And so I'm in the process, in assembly language, of updating our e-commerce system, and
[02:41:30] then I will let everybody know, because this final release of the benchmark, which everybody gets who purchased it before... There's a very excited puppy here. Yeah, who can't wait to get a copy of that. He says, quick, give me a credit card, dad. Perfect time. We also have copies of the show at our website, twit.tv slash sn. That's Burke's beautiful little Lily, who's just a sweet poodle, miniature poodle. She's very sweet, but
[02:42:00] Lisa came home and she started barking at Lisa. You can get it at twit.tv slash sn. There's a YouTube channel with a video. We have audio and video on our site, and there's also, of course, best thing to subscribe in your favorite podcast client. You'll get it automatically, audio or video or both. And give us five stars, give us a good review, tell the world about Security Now. Everybody needs to be listening to this show every week. It's really vital, especially on this
[02:42:29] week before the release of Hail Mary. I have tickets to see it. I have mixed feelings about IMAX. I don't actually like IMAX. I had a bad experience with it. It was hard to see everything. Even if you're sitting in the right spot, it's still big, and it becomes more about the movie theater than about the movie. So
[02:42:59] I, I'm going to see it in something called Screen Z, with a Z, where it's on the regular screen. I've done that too. It's bad, Leo. I have a feeling it's going to, it was really easy to get tickets. Space, space X or space Z, where it's on the side of the side. It's not good. They
[02:44:10] but I, I, the time I had... The reviews are very positive. People are saying this is the best movie, you're going to love it. I, I, I, I, I, I will. You, I will. But are you going to talk about it on Sunday? Yeah, probably. Sure. Okay. But, you know, as much as I can without
[02:44:40] spoiling it for anybody. Yeah. I'll give you my review. Okay. On TWiT. Yep. Steve, we'll see you next Tuesday. We do the show every Tuesday right after MacBreak Weekly, 1:30 Pacific, 4:30 Eastern, 20:30 UTC. YouTube, Twitch, X, Facebook, I gotta hurry because he can't hold his hand, YouTube, Twitch, X, Facebook, LinkedIn, and Kick, or of course for our club members in the Discord. Thank you, Steve Gibson. Have a wonderful week. See you in two
[02:45:10] weeks, my friend, and Micah next Tuesday. Bye. Hey everybody, Leo Laporte here, and I'm gonna bug you one more time to join Club TWiT. If you're not already a member, I want to encourage you to support what we can have more fun. You get a lot
[02:45:40] of benefits: ad free versions of all the shows, you get access to the Club TWiT Discord, and special programming like the keynotes from Apple and Google and Microsoft and others that we don't stream otherwise in public. Please join the club. If you haven't done it yet, we'd love to have you. Find out more at... Thank you so much.
