Gmail Temp Addresses, Russia's Internet Off Switch
Leo Laporte
It's time for Security Now. Steve Gibson is here. He says there's not a lot of news, so we're going to do a lot of questions from the audience, feedback and so forth, and then Steve will explain his understanding of what is going on with AI, the search for artificial general intelligence, and how close we are coming. I think you're going to like this episode. Security Now is next.
Steve Gibson
Podcasts you love from people you Trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1001, recorded Tuesday, November 19, 2024. Artificial General Intelligence. It's time for Security Now, the show where we cover your security, privacy, safety, how computers work, what's so intelligent about artificial intelligence, all that jazz, with the most intelligent guy I know, this cat right here, Mr. Steve Gibson.
Steve Gibson
I am not that, Leo.
Leo Laporte
You're not that.
Steve Gibson
No, I'm a, what we call a domain expert. Yes, I have some expertise in a couple places, but when it comes to.
Leo Laporte
Sudoku, you're just like the rest of us.
Steve Gibson
And when it comes to artificial intelligence, I'm claiming no expertise. Well, I want to talk about, as I said last week, artificial general intelligence, AGI, because everyone's throwing the term around. We're hearing people talking about it. What caught my attention was when Sam Altman, the infamous and famous CEO of OpenAI, he claimed, oh, yeah, we'll have that next week, next year, any day. He said, 2025.
Leo Laporte
Yeah.
Steve Gibson
And it's like, what?
Leo Laporte
But he's kind of a salesman.
Steve Gibson
Well, yes, maybe this was just a nice little stock price boosting ploy, but I wanted to take some time. I found a couple interesting articles with a lot of other people in the industry interviewed and some academics interviewed. And I thought, let's, you know, so today is like, not. No one's going to find out some great revelation about AGI because I don't have it. But, you know, it's clearly a thing. And I just thought we should kind of put a marker down and say, okay, here's where it is.
Leo Laporte
So you've done it before. You did it with blockchain. It's very frequent that you're able to. Because that's, that's how you work, digest all this stuff. You're kind of our retrieval augmented generation. You digest all this stuff and give it back to us so we can understand it. So I look, I'm very much looking forward to this episode.
Steve Gibson
Well, and I'm. And if, you know, in the fullness of time, if I spend some time, you know, digging in, you're good, then that would be interesting. But we got a bunch of stuff to talk about. We're going to look at. Oh, this is a great story. How Microsoft lured the US Government into a far deeper and expensive dependency upon its own proprietary cybersecurity solutions than the Biden administration expected. Also, Gmail will be offering native throwaway email aliases, much like Apple and Mozilla will. We'll touch on that. Oh, my God. And Russia, well, they're banning additional hosting companies. They're going to give their big Internet cutoff switch another trial next month and some other things that we'll talk about. And they used a diabolical Windows flaw to attack Ukrainians. It was found by a security group. And boy, when our old timers find out that something we assumed was safe might not be safe to do, that's going to raise some hair. Also, we're going to look at. Oh, I have a note from our listener about the value of old Security Now episodes. We're going to touch on TrueCrypt's successor, also using Cloudflare's tunnel service for remote network access. Another of our listeners said, hey, this is what I'm doing. So we're going to share that. Also answer the question about how to make a local server appear to be on a remote public IP, which in this case is coming in handy for pretending to be a remote command and control server when testing malware. Also, how to share an impossible to type password with someone else. Oh, and another listener asked, and I answered, and then he confirmed about finding obscure previous references in the Security Now podcast. So that. And then we're going to dig into this whole question of what is artificial general intelligence and how is what we have today failing that, what are the recognized and widely agreed upon characteristics that AGI has to have and when might we get some? So I think a great podcast.
There was not, as you could tell, there was not a huge amount of news. I looked everywhere for good stuff, but boy, I added it up. I think I have 4300 some, plus some inbound pieces of email from our listeners.
Leo Laporte
Holy cow.
Steve Gibson
So, like, since this began. So I'm not starving at all for listener feedback. And, you know, I think it's. It's fun, actually. We've got. Changing this from Twitter to email completely changed the feel of the feedback since it no longer needs to fit into 280 characters, you know, and so it's, you know, a lot more interesting. So excellent, a great podcast. Oh, and Leo, yeah, we're starting in on our second thousand this is podcast number 1001.
Leo Laporte
I hadn't really thought of it quite that way.
Steve Gibson
Second thousand. That's right.
Leo Laporte
Put that into perspective.
Steve Gibson
That's what everybody wants. They want another thousand. I was like, okay.
Leo Laporte
Oh God.
Steve Gibson
There we go.
Leo Laporte
Okay, well, you and I are going to work on it. We're going to do our best. That's. That's all we can promise. Just.
Steve Gibson
I look different than I did 20 years ago. But you look about the same.
Leo Laporte
I don't. I. You're being very.
Steve Gibson
Oh, you got your hair still. It's nice. Silver, I think.
Leo Laporte
The badger. I still have the badger on top. Our show today brought to you by, very happy to say Big id, this is a really, really interesting company. They're the leading data security posture management solution. Sometimes they call it dspm. Big ID is the first and only DSPM solution to uncover dark data, to identify and manage risk, to remediate the way you want. Scale your data security strategy through unmatched data source coverage. Big ID seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You could take action on data risks, annotate, delete, quarantine and more based on the data, all while maintaining an audit trail. Very important for complex compliance. Right. Partners include ServiceNow, Palo Alto Networks, Microsoft, of course, Google AWS and more and more and more. And with Big ID's advanced AI models, you can reduce risk, accelerate time to insight. This is a new metric for me, I love it. Time to insight TTI and gain visibility and control over all your data. Now let me give you an idea of the kinds of people who use Big id. Who do you think would have an awful lot of data in an awful lot of places in a variety of formats, some legacy formats, who would need to know where all their data is in such a situation? How about, oh, I don't know, the US army, right? They used Big ID to illuminate all that dark data, to accelerate cloud migration, minimize redundancy and to automate data retention. I have this quote is from the US Training and doctor in Command is mind boggling. This is the quote quote. The first wow moment with Big ID came with just being able to have that single interface that inventories a variety of data holdings, including structured and unstructured Data across emails, zip files, SharePoint databases and more. I mean, parenthetically I'm just going to say you can imagine the different kinds of formats the army has had has collected over the last couple of decades. 
He goes on to say to see that mass and be able to correlate across those is completely novel. I've never seen a capability that brings this together like Bigid does. That's, that's a pretty good endorsement. Cnbc recognized Big ID as one of the top 25 startups for the enterprise. Named the Inc 5000, the Deloitte 500 two years in a row. They're the leading modern data security vendor in the market today. You need to know this name. Big id, publisher of Cyber Defense magazine said, quote, big ID embodies the three major features we judges look for to become winners. Understanding tomorrow's threats today, providing a cost effective solution, of course, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach. It all starts with knowing where your data is, by the way. Also really important if you're looking at AI because if you think about it, you want to train, but you want to train on the stuff. You know, the army probably has a lot of stuff they don't want to train AI on because it's sensitive or secret. So it's really important to understand what your data is, where it is in, in all sorts of places. That's what Big ID can do. Start protecting your sensitive data wherever your data lives. @bigid.com security now, get a free demo. See how Big ID can help your organization reduce data risk. Accelerate the adoption of generative AI. We're going to be talking about that later today. Big ID. Big ID. Big ID. You don't, don't ask me to spell ID. BigID.com SecurityNow they do have, we're talking about AI. They have so many great reports on their website, bigID.com SecurityNow but they do have a free report that's brand new that gives you some really useful insights on key trends on AI adoption challenges, including those challenges of what to train on, what not to train on, and the overall impact of generative AI across organizations. They know and they have a great paper on this. 
So read it at bigid.com/securitynow. You need BigID. Thank you so much for supporting the work Steve does here and you support us. Of course, when you go to that address, then they know that we saw it on Security Now. bigid.com/securitynow. Steve, I'm ready with the picture of the week. It's a good one this week.
Steve Gibson
It is a good one, and I've had some feedback from our listeners already who really liked it. I was again on the ball. And just a reminder to our listeners that just shy of 13,000 people are now subscribed to the Security Now mailing list. 12,979.
Leo Laporte
Almost exactly the same number of Club TWiT members we have. So I think there's maybe a correlation there.
Steve Gibson
I think there may be. And there was a. That was the count when the mailing went out around 3pm yesterday. So just say that 24 hours ahead of time. Anybody who was subscribed to the list got this stuff. So. Okay, anyway, so the point was that many people wrote back and said, wow, that's terrific. So what we have is a residential staircase going up, you know, as they do along one wall with a handrail and then a banister on the outside to, you know, so that the stairs are not open. Now, this family has a couple of toddlers and looks like maybe sister's a little older than brother.
Leo Laporte
She was first up.
Steve Gibson
He's in diapers still and looks like maybe he's two. She might be maybe two and a half or three, I don't know. But across the bottom of the stairs is a screen that mom and dad have said, kids are not going upstairs. They stay downstairs.
Leo Laporte
It's a child. And I think it's a brand new one. It looks like it because it's still got the sales tag on it.
Steve Gibson
You're right. And I noticed also that behind it are a couple of stacks of stuff that, you know, they don't want the kids to get into. Exactly. Well, now, I gave this picture the caption. The bottom of the staircase may have been blocked, but these future hackers are not deterred because the stairs protrude out from the banister supports. And both of the kids have walked up the outside of the stairs seeing whether there's a way they can get in there because they're going to find a way. And it looks like maybe that the. If I'm right, the oldest sibling looks like she's sort of trying to squeeze herself in because she sort of ran out of runway there on top of that wrist.
Leo Laporte
Now, how so?
Steve Gibson
Yeah, so there. So there are. We hope the analogy is not that they're behind bars because, you know, the banister does look a little bit like that too. But you know, these guys, they're determined to find a way past mom and Dad's blockade of the stairs. So.
Leo Laporte
Oh, boy. Future hackers. Accurate.
Steve Gibson
Yeah, future hackers. Okay. So some recent reporting by ProPublica raised some interesting questions, and I got a kick out of this. I'm sure that our listeners will too. So ProPublica, and I'll be interrupting a few times here with some of my own comments. They said in the summer of 2021, and we covered this at the time. President Joe Biden summoned the CEOs of the nation's biggest tech companies to the White House. A series of cyber attacks linked to Russia, China and Iran had left the government reeling. And of course, some of that was Microsoft's fault, right? And the administration had asked the heads of Microsoft, Amazon, Apple, Google and others to offer concrete commitments to help the US bolster its defenses. Biden told the executives gathered in the East Room, quote, you have the power, the capacity and the responsibility, I believe he said, to raise the bar on cybersecurity, unquote. Now, they said Microsoft had more to prove than most. Its own security lapses had contributed to some of the incursions that had prompted the summit in the first place, such as the SolarWinds attack, in which Russian state sponsored hackers stole sensitive data from federal agencies, including the National Nuclear Security Administration. Following the discovery of that breach, some members of Congress said the company should provide better cybersecurity for its customers. Others went even further. Senator Ron Wyden, who chairs the Senate's Finance Committee, called on the government to reevaluate its dependence on Microsoft before awarding it any more contracts. Now, as we're going to see shortly, what happened is not exactly what Ron was looking for. This was not the kind of reevaluation that Ron had in mind. ProPublica said. In response to the President's call for help, Microsoft's CEO, Satya Nadella, pledged to give the government $150 million in technical services to help upgrade its digital security. Well, isn't that nice?
On the surface, they wrote, it seemed a political win for the Biden administration and an instance of routine damage control from the world's largest software company. But the result of ProPublica's subsequent investigation suggests that Microsoft's seemingly straightforward commitment to provide a bunch of free technical services belied a more complex, profit driven agenda. As time has since revealed, Microsoft's apparent generosity was a calculated business maneuver designed to bring in billions of dollars in ongoing revenue, lock competitors out of lucrative government contracts, and even further tighten the company's grip on federal business. And as I was reading this, I thought, you know, if I didn't know better, I would think Gates was still around. Since this turned out to be a recognizably classic Bill move. So they wrote the White House offer, as it was known inside Microsoft, would dispatch Microsoft consultants across the federal government to install Microsoft's cybersecurity products, which as part of the offer were provided free of charge for a limited time. That's right. What a bargain. What's wrong with this picture? Okay, so they said, well, how about Once the consultants installed the upgrades, federal customers would be effectively locked in because shifting to a competitor after the free trial would be cumbersome and costly, according to former Microsoft employees involved in the effort, most of whom spoke on the condition of anonymity because they feared professional repercussions. At that point, the customer would have little choice but to pay for the higher subscription fees. In fact, two former sales leaders involved in the effort likened it to a drug dealer hooking a user with free samples. If we give you the crack and you take the crack, you'll enjoy the crack, one said. And when it comes time for us to take the crack away, your end users will say, don't take it away from me, and you'll be forced to pay.
Former salespeople said that Microsoft wanted more than those subscription fees. The White House offer would lead customers to buy other Microsoft products that ran on Azure, the company's, of course, their cloud platform. This carried additional charges based on how much storage space and computing power the customer used. These former salespeople said that the expectation was that the upgrades would ultimately spin the meter, and quoting them, spin the meter for Azure, helping Microsoft take market share from its main cloud rival, Amazon Web Services. In the years after Nadella made his commitment to Biden, Microsoft's goals became reality. The Department of Defense, which had resisted the upgrades for years due to their steep cost, began paying for them once the free trial ended, laying the groundwork for future Azure consumption. So did many other civilian agencies. Former Microsoft salesperson Karan Sandy, who had knowledge of the deal, said that the White House offer got the government hooked on Azure, and it was successful beyond what any of us could have imagined. While Microsoft's gambit paid off handsomely for the company, legal experts told ProPublica, the White House offer should have never come to pass as they sidestep or even possibly violate federal laws that regulate government procurement. Such laws generally bar gifts from contractors and require open competition for federal business. Eve Lyon, an attorney who worked for four decades as a procurement specialist in the federal government, said that accepting free product upgrades and consulting services collectively worth hundreds of millions of dollars is not like a free sample at Costco, where I can take a sample, say thanks for the snack and go on my merry way. Here you have changed the IT culture and it would cost a lot of money to switch to another system, unquote. Microsoft, for its part, defended, of course, its conduct. Steve Faehl. That's F, A, E, H, L name.
Leo Laporte
Yeah.
Steve Gibson
That's good. Yeah, I thought I should spell it. Faehl. Steve Faehl, the security leader for Microsoft's federal business, said in a statement, quote, the company's sole goal during this period was to support an urgent request by the administration to enhance the security posture of federal agencies who are continuously being targeted by sophisticated nation state threat actors. There was no guarantee that agencies would purchase these licenses and they were free to engage with other vendors to support their future security needs. Pricing for Microsoft Security Suite was transparent, he said, and the company worked closely with the administration to ensure any service and support agreements were pursued ethically and in full compliance with federal laws and regulations, unquote. Faehl said in the statement that Microsoft asked the White House to, quote, review the detail for antitrust concerns and ensure everything was proper. And they did so.
Leo Laporte
I love the phrase on Azure.
Steve Gibson
I just think that on Azure that's.
Leo Laporte
A nice ad campaign.
Steve Gibson
There's only one little problem with this, of course, as we know, it really is surprisingly difficult to switch vendors. And of course it gets worse. ProPublica found the White House summit ushered in a new form of concentrated reliance as well as the kind of anti competitive behavior the Biden administration has pledged to stamp out. Former Microsoft salespeople told ProPublica that during their White House offer push, they advised federal departments to save. Get this, Leo. To save money by dropping cybersecurity products they had purchased from competitors. Those products, they told them, were now redundant. Salespeople also fended off new competitors by explaining to federal customers that most of the cybersecurity tools they needed were included in the free upgrade bundle. Today, as a result of the deals, vast swaths of the federal government, including all of the military services in the Defense Department, are more reliant than ever on a single company to meet their IT needs. ProPublica's investigation, supported by interviews with eight former Microsoft employees who were involved in the White House offer, reveals for the first time how this sweeping transformation came to be, a change that critics say leaves Washington vulnerable. The very opposite of what Biden had set out to achieve with his summit. Because of the monoculture. Right. It's like, oh, everybody's using Microsoft. Unfortunately, we've seen Microsoft making some significant mistakes.
Leo Laporte
Well, wasn't this in kind of response to SolarWinds?
Steve Gibson
Yes.
Leo Laporte
Yeah.
Steve Gibson
Yes. This was three years ago when it was like, oh my God, what are we gonna do?
Leo Laporte
Right?
Steve Gibson
And so Microsoft said, hey, how would you like some free stuff? We'll give you 150 million of stuff for free.
Leo Laporte
It was only free for the first year. I mean, it wasn't even free free. It was a trial offer. Basically.
Steve Gibson
It was, I mean, okay, so the ProPublica article, I've got a link in the show notes, it goes into much greater detail. That was just like the introduction quarter of it. So I have a link to it, as I said, for anyone who wants more. But I'm sure that all of our listeners get the idea. At one point, Microsoft was asked to provide this enhanced security support to the federal government at no charge, indefinitely, which they flatly declined. Then, of course, it became a negotiation over, well, then how long would the services be free, you know. And of course, what adds even more salt to this wound is that for many years, the same federal and military agencies had been steadfastly refusing to go with Microsoft solutions due to their cost. But they could not say no to free. So this allowed Microsoft to get their solutions in the door to remove any previous reasonably priced competitive solutions. And then once the free offer expired, the choice was either pay up or go without. You know, it's at least mildly disgusting. And what's more, you know, this didn't just fall into Microsoft's lap, right? Former insiders made it clear that this was their intention all along. From the beginning, Microsoft CEO Satya Nadella knew exactly what he was doing. Basically, it was a Trojan horse.
Leo Laporte
How hard is it if you've upgraded your security to Microsoft G5 level, is it to go back? Like, if they go, oh, we don't want to pay for it, so we're going to go backwards.
Steve Gibson
If Elon Musk is going to do.
Leo Laporte
Anything, this is something he might want to weigh.
Steve Gibson
This is the kind of thing, I mean, it takes holding your breath and pinching your nose. And I mean, it's an upheaval. And so anyone in IT understands that. But it's not their money they're spending, it's our money they're spending. And so it's always less expensive to pay for the incremental cost of another, you know, another three months than it is to say, okay, we're on the wrong path. We're gonna just, we're gonna dead end this path. Because it does then mean going out, getting competitive bids and literally having downtime while all of this changes. Because that, you know, you have to remove all of this junk and put in new stuff.
Leo Laporte
So if the whole motivation for doing this was, oh my God, we've got a big security problem, you're not going to tear out the security fix you just installed to fix that so that you could do something else, you're going to be a lot of pressure just to keep on keeping on.
Steve Gibson
Well, and Leo, you and I and our and the old timers of the who are listening to the podcast, we all remember Gates. I mean, oh yeah, he was Bill. Bill was much, you know, he's revered as some technical genius. I mean, he's a genius, but he was much more of a businessman. Oh yeah, he was a, than he was a coder, you know, and he says that now too. You know, I mean, so, you know, we watched all of the early shenanigans that Microsoft got up to. You know, things like, oh, you can't remove our browser. We built it into Windows. No, it's part of the operating system. What? No, it's not. Until the EU said take it out. And they said, well, okay.
Leo Laporte
You know, that should not give us any same old, same old.
Steve Gibson
But this is just, this just struck me as so Gatesian. It was just like, oh boy. Yeah, yeah, so, ouch. Okay, so Apple has Hide My Email. Mozilla offers their Firefox Relay. And you know, these are email services that create throwaway aliases for a user's primary account. The recent news is that Google is reportedly working on adding something which they call Shielded Email to Gmail for their 2 billion Gmail users. So as with the other services, users will be able to quickly generate random looking usernames for use in filling out online forms and subscribing to things and so forth, which hide their real email addresses. So those are just aliases. And then you'll have some means of managing the aliases so that, for example, if you started to get spammed on one, first of all, it would be interesting to know who you know which email address is spamming you, and then you're just able to delete it and you'll get rid of it. So I've noticed that a large percentage of the subscribers to GRC's mailing lists are Gmail domain users. So I imagine this will come as a welcome service. Unfortunately, I use Gmail as my trash can already because I've got, you know, grc.com email addresses. So it's a little late for me, I don't think. I think it would serve much purpose using, you know, shielding what is already my throwaway account. But still, for people whose main, whose primary email is Gmail, I think this sounds like a good thing. And you know, better late than never. It certainly took them a while. On the other hand, Leo, can you imagine the infrastructure that Google must have in order to give 2 billion users like email that works as well as Gmail does and they use their own server.
Leo Laporte
They aren't using an open source server or anything like that. So if you were, you might be a simple plugin. But yeah, that's a big deal. That's a lot to move. Yeah. Plus it's old. Let's not forget Gmail is not a brand new service by any means. Correct. It was one of the very first web services.
Steve Gibson
Correct. In fact I remember. Do you remember a guy named Steve Bass who was. He ran the Pasadena IBM PC user.
Leo Laporte
Oh yes.
Steve Gibson
Pimug was the. If you tried to pronounce the. Anyway, and I think he wrote for PC World also.
Leo Laporte
I remember his byline. I do.
Steve Gibson
Yes. Neat guy. And he had early access to Gmail and so sent me an invite that allowed me to get a, you know, a special email account at, at, at Gmail. So yeah.
Leo Laporte
Which you're not going to tell anybody because you. Otherwise it would be completely useless.
Steve Gibson
It's, it's, believe me, it's next to that now. Anyway, it's just, you know, I have.
Leo Laporte
Laporte at Gmail, which was. Because I was also early on.
Steve Gibson
Very nice. Yep.
Leo Laporte
And everybody's decided, apparently the spam world's decided that I'm French and I get a lot of French spam, almost exclusively French spam. And I also, because people, you probably this happens to you. I'm sure it happens to our listeners. They don't really understand that you can't put a space in a Gmail address. So a lot of people named Francois Laporte and Abigail Laporte, they type a space in there and it all goes to Laporte at Gmail. So I get all sorts of stuff like your tickets are ready. I mean just endless. Your reservations for tonight in Paris. I mean it's, I'm tempted but no, I'm.
Steve Gibson
Well and, and you're right. The, the, the problem with it being that big, like all those domains are all those names in a single domain is that if it is not like, you know, BZ QRT 79 or something, if it is Leo or Fred, it's.
Leo Laporte
The end of the world.
Steve Gibson
You're, it's like, you know, goodbye.
Leo Laporte
There's a story about jim@aol.com Poor Jim never really did get to use that email address. Do you want me to take a break or do you want to continue on?
Steve Gibson
I think now is a good time. We're half an hour in, and then we're going to talk about. It's definitely not love coming from Russia.
Leo Laporte
So from Russia.
Steve Gibson
Going to talk about. And we do get to talk about Russia.
Leo Laporte
Thank you, Steve. Our show today, brought to you by those great folks at Delete Me. I have some direct experience with Delete Me because we have been using it for our CEO for some time now. If you've ever searched for your name online, I don't actually recommend that you do this, but if you've done it, you know how much of your personal information is right there in public. And it's all data brokers. They've been collecting this stuff for years. Every app you use, it's not just TikTok, it's Facebook, it's Instagram, every site you visit, and they take all that information, they collate it, and they make basically a dossier about you and your. And your family, about everybody you know. Maintaining privacy is more than a personal concern. It's a family affair. That's why Delete Me has introduced family plans. So you can have Delete Me for everyone in the family. I think. And I think they do have this corporate plans as well. I think that's what we use, because you really should have delete me for every manager in your company. We ran. I've told this story before. Forgive me if it's, you know, you've heard it before. But we ran to Delete Me because Lisa, somehow, bad guys figured out what her phone number was, what company she worked for, and who her direct reports were and what their phone numbers were. I wonder where they got that information. Right? And as a result, they were able to do a spear phishing campaign purporting to be texts from Lisa's phone, the CEO's phone, saying, Quick, I need some Amazon gift cards. I'm in a meeting. Get them and send them to this address. Fortunately, our employees are smarter than that. But immediately told me, you know, we got to do something to reduce the amount of information about our management online. And that's when we went to Delete me. Delete Me helps reduce risk from identity theft, from cybersecurity threats like that, from harassment, you know, from all of the things privacy violations can do. It is not a nice thing. 
Delete Me's experts know where the data is. They will find and remove your information from hundreds of data brokers. And by the way if you get the family or the corporate plan, you can assign a data sheet for each member. It's tailored to them so that you could say, well, you know, the, don't delete the Instagram information, but do delete the Facebook, that kind of thing. Easy to use controls. So as an account manager, you can manage privacy settings for the whole family. But this is important. Once they've removed that data, you don't just then walk away because you could do that yourself. First of all, you need to know the hundreds of data brokers out there. But then you need to know as new ones come online and they do every single day, it's a very profitable business. You need to know to go back. And that's what delete me does. They continue to scan and remove your information regularly, not only from the existing data brokers, from all the new ones that pop up all the time. And I'm talking addresses, photos, emails, relatives, phone numbers, social media, property value, everything. It's all online. Data brokers have it all. Until we get a comprehensive privacy law in this country protecting you, you gotta protect yourself and your family and your business. Reclaim your privacy by going to JoinDeleteMe.com TWIT the offer code TWIT gets you 20% off, which is a great deal. JoinDeleteMe.com and use the offer code TWIT for 20% off. And if you, if you. Once you go to jointholeebie.com twit look at all the offerings. They have a very granular set of offerings that can really do the things you need to do to protect yourself online. So I would very much recommend looking at all that. It's really an amazing company. Joindeleteme.com Twitter thank you. Delete me. By the way, after the national public data broker breach, Steve, we searched for my name. It was right there. My Social Security and everything.
Steve Gibson
Mine too.
Leo Laporte
Lisa's? Not Lisa's. And I thought that that's a pretty telling thing that Delete Me really worked. JoinDeleteMe.com/TWIT. Thank you, Delete Me. Steve.
Steve Gibson
So Russian officials have recently. I'm sorry, we're going to get there in a second. Have recently announced via Telegram that they. Which I thought was interesting. Oh yeah, let's use Telegram.
Leo Laporte
While interesting.
Steve Gibson
What is punishing them?
Leo Laporte
Wow.
Steve Gibson
That they plan to expand Russia's ban on foreign web hosting providers who are hosting content that discredits the glorious Russian army. Their words. So Akamai and CDN77 may soon find themselves added to the banned list for being naughty. Overall, Russia appears to feel that the Internet is at best a mixed blessing. It's unclear to me how it's possible to even function within today's globalized economy without it. I think they're nuts. But Russia seems ready.
Leo Laporte
I'm getting ready for the go ahead.
Steve Gibson
That's right. Russia seems poised to at least explore getting along without the Internet. To which end Russia's illustrious Internet watchdog, none other than Roskomnadzor, has announced its plan to conduct another test next month of Russia's big Internet disconnect switch. When pulled, it does what it says: it severs all ties between Russia and the rest of the global Internet.
Leo Laporte
And they did it once before, didn't they?
Steve Gibson
They tried, yes. And they've been working on it for years. They have to do things like figure out what to do with DNS queries that resolve to IP addresses that are no longer available. But they just don't want everything to, to hang and crash and like sitting in like, you know, with the hourglass spinning. So, you know, it turns out that disconnecting from the Internet is not an easy thing to do. And of course as I was, as I was thinking about this, I thought what about Starlink? Because you know, it's no longer the case that useful Internet connectivity requires, you know, landlines and, and fiber optic trunks and all of that.
Leo Laporte
You know, Starlink is a thing is banned in Russia, that would be my guess. Or it doesn't offer it. Let me see, it's available in Ukraine.
Steve Gibson
Of course they, and, and you're right, Russia is sanctioned right now.
Leo Laporte
So that's what I thought.
Steve Gibson
Yeah.
Leo Laporte
So that just works into their, in their favor, doesn't it?
Steve Gibson
That's right. Easier to disconnect, easier to pull the switch. So anyway, so they're, they're going to do another test in December and again, you know, it's like, is there some big long term plan here? Is it just so that they like are worried they're going to get attacked? I don't know. You know, we would know if our country was doing the same thing because it would have an effect. I mean pulling the switch on global connectivity will have an effect. So really interesting, you know, we'll have to see what they've got planned. But while we're on the topic of Russian antics, get a load of this. One of the zero days, it was CVE-2024-43451, that Microsoft patched this past week, you know, in Patch Tuesday last week, was used in a Russian hack of Ukrainian organizations earlier this year. According to the security firm ClearSky, the zero day was part of an exploit chain that exposed NT LAN Man, you know, NT LAN Manager credential hashes, also known as NTLM credential hashes, when victims interacted with .url files that were received in phishing emails. But here's the part that really caught my attention. ClearSky said that right clicking, deleting or moving the file established a connection with the attacker's server, exposing authentication data. The report suggests that the campaign also used social engineering to convince victims to run executables. Okay, but hold on. Right clicking on a file to display its context menu and examine its properties, deleting it or dragging it to another directory was all that's needed to cause the victim's machine to establish a remote connection to a malicious server. What? So I went over to ClearSky to see what was up and I've got a link in the show notes for anyone who wants to see too. The ClearSky research team posted their write up last Wednesday writing a new zero day vulnerability, CVE. Oh, by the way, it was posted Wednesday because the patches were pushed on Tuesday, the day before, you know, closing this down. 
They said a new zero day vulnerability, 43451.
Leo Laporte
Ironically, Clear Sky securities sent an invalid response. I don't know if it's blocked or it can't provide a secure connection. So it might be my browser. Sometimes this happens.
Steve Gibson
Interesting. Yeah, I think maybe do an explicit HTTPS.
Leo Laporte
Yeah, no, I think the Ubiquiti blocks certain things.
Steve Gibson
Ah, okay.
Leo Laporte
Yeah, so I was just clicking the link you had you provided.
Steve Gibson
Yeah, yeah, yeah. Let me try clicking it here.
Leo Laporte
Yeah, I'm sure it's fine. It's just me. Yeah, I also have that from Safari.
Steve Gibson
It just came right up for me.
Leo Laporte
Yeah, so it's a. It's a Ubiquiti. I've noticed this. There's certain places I can't go and I think it's the security. I do use security in Ubiquiti.
Steve Gibson
Okay, so they wrote a new zero day vulnerability, 43451, was discovered by ClearSky Cyber Security in June of this year, 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities. The vulnerability activates URL files containing malicious code through seemingly innocuous actions. Then they have three bullet points. First, a single right click on the file in all Windows systems will do this. Deleting the file in Windows 10 or 11 will do this. Dragging the file to another folder in Windows 10 or 11, and some Windows 7, 8 and 8.1. They wrote the malicious URL files were. I should note that a URL file is just text, so it's kind of pushing it to call it malicious.
Leo Laporte
But okay, it's just a link.
Steve Gibson
It's just, yeah, it's got. It looks like an INI file. So they wrote the malicious URL files were disguised as academic certificates and were initially observed being distributed from a compromised official Ukrainian government website. What actually happened was that the Russians compromised an email server in Ukraine and then used the email server's credentials to send, you know, DKIM, SPF, you know, DMARC approved email to others in Ukraine. So the email that was coming in looked like it was verifiably authentic from the compromised server. But in fact, unfortunately, it was phishing email. So they said the attack begins with a phishing email sent from a compromised Ukrainian government server. The email prompts the recipient to renew their academic certificate. The email contains a malicious URL file. When the user interacts with the URL file by right clicking, deleting or moving it, the vulnerability is triggered. So I'll just say this is like, this is the first time I've seen that, like, you know, dragging a file and dropping it in the trash or right clicking to learn more about it. That's all it takes under Windows 10 and 11 in order to, well, and right, right clicking in all versions of Windows in order for this thing to happen. Anyway, I've got more details. So they said when the user interacts with the URL file by right clicking, deleting or moving it, the vulnerability is triggered. This action establishes a connection with the attacker's server and downloads further malicious files, including SparkRAT malware. SparkRAT is an open source remote access trojan that allows the attacker to gain control of the victim system. The attackers also employed techniques to maintain persistence on the infected system, ensuring their access even after a reboot. Okay, so the culprit here is a URL file, which is a Windows Internet URL shortcut. 
It's a text file and anyone who's ever looked at like the original .ini, you know, config files back in the early days of Windows will recognize the format here. It's got sections that are surrounded by square brackets and then just simple name equals value pairs, all in text. The key is that the file contains a URL equals line where the scheme of the URL is file colon, forward slash, forward slash followed by the IP of the malicious remote server. In Windows, the file colon slash, slash scheme is handled by SMB, which is of course server message blocks, which underlies Windows' original file and printer sharing, which as we know was never up to snuff security wise. So that's where NTLM credential hashes come in, because Windows has always been extremely generous handing out, it's like IDing its users by sending their credential hashes around long before it was realized that, you, that's not a good idea to be sending somebody's hashed credentials, because there's all kinds of mischief you can get up with them, including just a replay of the credential hash in order to impersonate them, which is exactly what this thing does. So apparently upon even extremely innocuous contact with these files and Windows, and you know, it's worse in more recent Windows 10 and 11, Windows Explorer will, without any prompting, reach out to the file server that's indicated in the shortcut, even without its recipient executing the shortcut. The researchers wrote, when examining the URL file, ClearSky's team exposed a new vulnerability. Right clicking the file establishes a connection to an external server. In addition, execution in a sandbox raised an alert about an attempt to pass the NTLM hash through the SMB protocol. After receiving the NTLM hash, an attacker can carry out a pass the hash attack to identify as the user associated with the captured hash without needing the corresponding password. 
In other words, the credential hash that NTLM's SMB protocol sends out to identify its Windows user can simply be captured and subsequently used to impersonate the user as if they were logged in. The researchers wrote, further investigation yielded that in Windows 10 and 11 operating systems, the action of dragging the file from one folder to another or deleting the file caused the file to communicate with a target server and only then be deleted or moved. Under Windows 7, 8 and 8.1, the file did not initiate communication when dragged or deleted unless the target folder was open at the time of dragging. They said this did not happen on the first attempt, but was observed only after two to three attempts. That is, they concluded the newly detected vulnerability is somewhat more exploitable on Windows 10 and 11 operating systems. So I'm sure that it must be a bit unnerving to those old pros among our listeners here to learn that the actions that any of us might take to dispose of something we may have inadvertently received could themselves lead directly to a compromise of our machine. That's new. So Microsoft reportedly patched and closed this flaw in last Tuesday's patch updates. So that's good, but it should serve to remind us that those of us using Windows are using an extremely complex operating system that is still dragging a ton of legacy code forward. That code was written, that NTLM SMB file and printer sharing code was written, and its protocols were designed long before the world had an appreciation for just how secure our future systems would need to be. What came to mind as I was thinking about this, the classic example of this was the original design of the Windows metafile format. Windows draws on the screen through a series of drawing primitives, you know, invoking a circle or a rectangle or a line function with parameters and so forth. A Windows metafile, WMF, is just the capture of those drawing primitives. It's essentially a script. 
Then later, when that metafile is opened, those primitives are replayed onto a new blank canvas to recreate the original drawing so the metafile contents are interpreted. But the designers in the original metafile format thought, what if we want to do something more? You know, some. Something more than just replaying something that was previously recorded? Why can't the file contain some code that's executed? And remember, this was Windows 3.0. So among all of the interpreted tokens, they specified a meta escape code, which is what it was called, that would cause the system to execute, to essentially escape from interpreting GDI, graphics device interface, tokens and execute the code contained within the Windows metafile, starting at the bytes immediately following the special escape code. And so it sat there in the metafile specification for years, until much later. Oh, and it was copied as like from 95 to 98 to what was the last 16 bit version? It was ME, Windows ME. And then it made the jump to Windows NT and so on. So later, years later, in the era of NT and network and Internet connectivity, it was suddenly rediscovered and labeled as a horrible exploitable flaw. At the time, when I calmly stated that it was obviously there all along by design, many people misunderstood me. They thought I was saying that Microsoft had deliberately planted a back door in Windows metafiles. It was, you know, it was originally deliberate, but it was never malicious.
Leo Laporte
It was convenience.
Steve Gibson
Yes, it was. Yes, it was a reasonable thing to do back when we could trust every image our machines might try to render. But let's just say it didn't age well. And neither was Microsoft's original NT LAN Manager and their SMB protocol. You know, they didn't. They have not aged well either. And, you know, they were also designed back before we really understood security. So this, you know, this wasn't deliberate on Microsoft's part, and what was really interesting was that a week or two ago we were just talking about how Microsoft has decided not to keep patching NTLM problems, yet the 0patch guys are. So there's another reason why 0patch is worth looking at. Oh, and I should mention I got a bunch of feedback from our listeners who said, you know Steve, you should mention that there's a free tier also, so it's not necessary to subscribe to 0patch in order to get some of the benefits of it. So I just wanted to mention that along with all the others. And thank you everybody who wrote to say, you know, there's a freebie available, so there is a free tier for 0patch. Okay, so not a lot happened this week and we've just covered it all. So I'm going to spend some time with some feedback from our amazing listeners. Good. I believe he would pronounce his name Ayiko, A-Y-I-K-O. I'm sorry if that's wrong, but I'll say Ayiko Fred is in Uganda and he said, hey Steve and Leo, this is Ayiko Fred from Uganda. I've been listening to Security Now since 2021, starting around the 800s, as in, you know, episode numbers. I occasionally miss a few episodes when things get busy, sometimes up to a month, but I'm thoroughly enjoying the show. Exclamation point, he said. I don't have, I do not have a formal background in computer science, but I developed an interest in programming in 2020 and learned some Erlang and Elixir, he said. My first and only languages which I'm now using at work, he said. 
It made me realize I had only a blurry understanding of many key concepts. I'd never thought to go back to the earlier episodes from 2005, but a few episodes ago a listener recommended going back to the earlier episodes, so I decided to give it a try and wow, exclamation point, he said. The way you explain topics like how the Internet works, cryptography and VPNs really clicked for me, he said. I was blown away by how much easier it was to understand these concepts through your explanations. Now I feel like I've been programming by superstition all along, he said. Each episode, he said. Each episode has left me wanting more and I've even re-listened to some episodes three to four times, especially those on cryptography and Internet fundamentals. I'm now on episode 58 and I'd encourage anyone with a shaky grasp on these topics to check out the earlier episodes. They won't regret it. Isn't that so? I wanted to share that just as to remind our listeners about that. But he finishes saying, one episode made me think this is exactly what I need, he said. That was episode 41, TrueCrypt, he said. Unfortunately, I learned that TrueCrypt's development was discontinued in 2014. Do you have any recommendations for alternative tools with similar features to TrueCrypt that are compatible with Linux? I'd love something with the same level of privacy and security. Thank you again for all your work. I really appreciate it. Looking forward to episode 1000. Best regards. So I mentioned this bit of feedback last week that I wanted to share it this week because I know that this podcast has been discovered by many people years after we recorded those early fundamental technology podcasts. We've heard from others who, after discovering this podcast, had the idea of going back to start from scratch and catch up, and those people have invariably found that it was worth their time. 
So frankly, part of me is tempted to just stop and recreate some of that work from the early days so that they're put back into everyone's feeds. But that doesn't make any sense, because they're already there. Every podcast we've ever recorded remains available to everyone, and reproducing content we've already created would displace our new content, for which we often barely have enough time as it is. So from time to time, I'll take a moment, as I have here, to remind our listeners that back in the early days, we laid down many of the fundamentals of the way everything we're talking about today works, and it was done in a way that many people have found to be extremely accessible. Also, another thing we often hear is that while our listeners enjoy the content today, they feel that there's much they don't understand. You know, they say, like, well, I get. I understand maybe 20% of what you're talking about. We just mentioned that a week or two ago. You know, it is true that I consciously build upon the foundation that we have laid down before using what's come before. That's the only way it's possible for us to move forward. So to those who feel that they've been tossed into the deep end of the pool by showing up here late, let me note that all of that knowledge that's missing and assumed was once covered in detail back in the earlier days of this podcast. Really. I mean, all of the stuff we talk about and sort of zip over when we're talking about something new, that's all been discussed in detail in the past and it's all there waiting and free for the asking for anyone who wants it.
Leo Laporte
At some point, I'd love to make a playlist of foundational episodes that people should listen to.
Steve Gibson
Yeah.
Leo Laporte
But just for Ayiko Fred, there is a replacement for TrueCrypt. Steve talks about it in episode 582. You'll get there. It's VeraCrypt. And he talks about it in this episode and many other episodes.
Steve Gibson
Yep, it is. It's so. It is. And I have a link to VeraCrypt in the show notes. V-E-R-A-C-R-Y-P-T dot F-R, veracrypt.fr. I went over and took a look and yep. I mean it was updated a month or two ago, so it is being kept current and it is platform agnostic. It'll work beautifully for Linux and encrypt your drive just like TrueCrypt once would have.
Leo Laporte
Very nice.
Steve Gibson
Yes.
Leo Laporte
See, we cover it all. We've covered it all over the years.
Steve Gibson
We really. We have. Well, Leo, how many thousands of hours?
Leo Laporte
That's right.
Steve Gibson
Wow.
Leo Laporte
Several at least.
Steve Gibson
Okay. Scott Gottfried wrote to share his powerful solution for accessing his network from home. But Leo, let's take a break and then we're gonna find out what Scott is using in order to get roaming access. And it's not something we've ever talked about.
Leo Laporte
Oh, how fun.
Steve Gibson
Something new.
Leo Laporte
Yeah. Like Hamachi or. We've talked about a lot of different ways of doing stuff like that. Yeah.
Steve Gibson
And you know, Hamachi still exists.
Leo Laporte
Really?
Steve Gibson
But it was, LogMeIn bought them.
Leo Laporte
Yeah.
Steve Gibson
And so it's a commercial service, but it's still there.
Leo Laporte
And it was a great idea using what five do, right? Yeah, exactly. Well, I can't wait to hear what, what else there is out there. But first, a word from our fine sponsor. A name. You know, I know you know, 1Password. You may be thinking, oh yeah, I know. They, they do a really good password manager. Well, this is a new product from 1Password. Kind of takes a password manager the next step. It's called Extended Access Management. Now let me ask you a question. If you're in IT or run a business, do your employees, do your end users always work on company owned devices using IT approved apps? Of course. They're the best, right? No, they don't. They bring their phone, their laptop. They're watching their Plex server from home. So how do you keep your company's data safe when it's sitting on all those unmanaged apps on all those unmanaged devices? 1Password's answer to that question: Extended Access Management. 1Password Extended Access Management helps you secure every sign in for every app on every device because it solves the problems traditional IAM, password management and MDM cannot touch. Imagine your company's security like the quad of a college campus. You know the nice brick paths leading through the green sward between the ivy covered buildings. Those are the company owned apps, IT approved apps, company owned devices, the managed employee identities. It's all nice, it's all peaceful. But then as on any college campus, there are the paths people actually use. The shortcuts worn through that beautiful green grass that is actually the straightest line from building A to building B. You don't want to go round about to get to Physics 101. You know about straight lines, right? Those are the unmanaged devices, the shadow IT apps, the non employee identities. Like contractors. If you've got employees, it's inevitable they're going to do their own thing. Problem is, most security tools only work on those happy little brick paths. 
A lot of the security problems take place on the shortcuts. That's why you need 1Password Extended Access Management. It's the first security solution that brings all these unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected. Every device is known and healthy. Every app is visible. It's security for the way we really work today. And it's now generally available to companies that use Okta or Microsoft Entra. It's also in beta for Google Workspace customers. So good news, you can check it out right now at 1Password.com/SecurityNow. This is really an exciting new offering. 1Password, 1-P-A-S-S-W-O-R-D, right? 1Password.com/SecurityNow. We thank them so much for supporting Steve's important work here at Security Now. We thank you for supporting it by going to that site so they know you saw it here. 1Password.com/SecurityNow. Okay, on we go.
Steve Gibson
More Q and A. Scott leaves to the end that everything he describes is all a free service provided by Cloudflare, which is really interesting.
Leo Laporte
I've used their pages, they have a lot of free services actually.
Steve Gibson
Yeah. So I wanted to mention that up front, that is the freeness. So that while I'm sharing what Scott wrote, everyone who might have a similar need will be taking it seriously and thinking, oh, this is interesting. So Scott said, hi, Steve, congrats on 1000. I've listened for all 20 years every episode. Thank you and Leo, he said. I've heard several questions from your listeners about how to access their home network while traveling. VPN, overlay network. I had the same question. My primary requirement for accessing my home network was that I did not want to open any ports on my router. Amen to that, he said. I researched solutions for several months until I happened upon a blog post at Cloudflare. The solution for me is the Cloudflare Tunnel, and that's at www.cloudflare.com/products/tunnel, T-U-N-N-E-L, and he said I run an old Intel NUC from inside my network that creates an outgoing tunnel to Cloudflare. The Cloudflare Dashboard lets me add my own domains, has a firewall, provides authentication, and allows me to configure routing for my four internal home subnets, he said. It's awesome. I run two separate photo sharing apps for the family. The apps run in Docker containers on the NUC, which has Linux and CasaOS, but the tunnel could run on a NAS or ZimaBoard. When traveling, I use the Cloudflare WARP app on my laptop and connect to my home network. I can then RDP to my Windows NUC. I can access my Ubiquiti cams and I can access my TrueNAS. Nothing on the home network is exposed to the Internet. It all happens through the tunnel. The family accesses my shared photo apps, Jellyfin and Piwigo, using a web browser pointed to my custom domain. I add authorized family member email addresses to the Cloudflare dashboard. When a family member tries to log on to one of the apps, they just enter their email address. They are sent a PIN for access. All of that is handled by Cloudflare. 
It's a little bit of a propeller beanie kind of stuff, but one could just start with a tunnel to access the home network without sharing apps and dealing with authentication. Oh, he says. I forgot to mention all of the stuff I use at Cloudflare is free. All caps, exclamation point, he said. I hope this might help anyone searching for this type of solution. Best, Scott. So thank you Scott for sharing that. It was news to me, so I went over to take a look. Cloudflare's tunnel page says: Protect your web servers from direct attack. From the moment an application is deployed, developers and IT spend time locking it down, configuring ACLs, you know, access control lists, rotating IP addresses, and using clunky solutions like GRE tunnels. There's a simpler and more secure way to protect your applications and web servers from direct attacks. Cloudflare Tunnel. Ensure your server is safe no matter where it's running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV. So from Scott's description, it sounds like an extremely powerful and capable solution for simple, safe remote connections to an internal network. It may be more than many of our listeners need, but I wanted to put it on everyone's radar, you know, because it really does sound like a power user's tool, you know, being able to set up authentication, have registered email addresses where someone is able to receive a PIN, provide that back, and then automatically get access through the tunnel back to the network. You know, there's a lot there. It does a lot. But anyway, it looks like a potentially very interesting solution. At the same time, I got a note from Jeff Price, who also happened to write thanks for the emails, they're very helpful. He said, I have, meaning the weekly Security Now, you know, preview of the podcast. He said, I have a medium sized network at home with Synology NAS, dozens of IoT devices, etc. I've been using Tailscale for all remote connections. 
This means no open ports or port forwarding. I also set up a system inside my home as an exit node, which means even when I am traveling I can encrypt all of my traffic back to my home and then exit from there. In other words, anything he's doing while he's traveling believes he's still at home, which can be useful for, you know, access to streaming services and so forth that have specific geographic boundaries. He said Tailscale has worked great and it is much faster than OpenVPN. So just another, you know, reminder that the overlay network solution is almost drop in easy to use and there are Tailscale and ZeroTier and there's also Nebula and Netmaker. There are clients for all of the various OSes that we're using and even for the various NAS. So there's a. Probably a. Well, it is far less flexible and capable. It's also sort of more of a homegrown solution than Cloudflare's tunnel. So you know, your mileage may vary. Pick the solution that seems best for you. Adam B. has an intriguing problem. He said, hi Steve, I'm a longtime listener to the show. I'm not sure how long, but I definitely remember when you used to alternate episodes between topics and news, and he means news and feedback. He says, I'm a proud SpinRite owner and, thanks to you and Leo getting me interested in HackerOne, a few hundred dollars better off having found a couple of local privilege escalation vulnerabilities during some poking around on my weekends. That's very cool. So he's a little bit of a white hat hacker helping people. He says, I have a question that I have not been able to find an answer to online and I thought might interest you and my fellow listeners. I'm a hobbyist malware analyst. Clearly from based on the experience he shared. Yeah, he said, and as part of that, I often run the samples in a network that's isolated from the Internet just to see what happens. Sometimes the samples will try to communicate with a command and control server. 
Often the hard coded C2 server is a fully qualified domain name, but sometimes it's a public IP address. I can off, he said. He says it can often be useful to pretend to be the command and control server just to see what the sample sends. When the C2 server is a fully qualified domain name, it's easy enough to use my own DNS server in the isolated network to answer the DNS request with an A record IP address of my choosing. Meaning that. Right. So the malware says I need the IP address of badguys.ru and because he's created an isolated network, he's got his own DNS server. So the machine running the malware generates a DNS query to badguys.ru and the DNS responds with, you know, 192.168 or something which is a machine on. On that network. So that's where the, the malware attempts to connect to, which is his own server so he can see what's going on. He said, however, when the C2 server is a public IP address, this becomes more troublesome. I think I have two choices, he wrote. He said, one, patch the sample to change the IP address to one on the LAN, or two, somehow get my LAN to answer the ARP request with a MAC address of my choosing. He said the problem with choice number one is that this isn't practical at scale, meaning, you know, patching the malware in order to point it to something local. And I agree. And he said, as in, you know, sometimes I like to run 10, 20 or 50 versions of the same malware family. He said, I don't want to have to manually patch 50 different samples. It also seems like the less satisfactory choice. The problem with choice two is that I simply can't figure out how to do it. How can I configure my network so that if a sample makes a request for a public IP address, in other words, one that isn't in the /24 of my LAN, the request is handled by my C2 server? The best answer I could find online was concerned with ARP poisoning, but this seemed very unreliable and likely to cause an unstable network. 
It feels like the answer will be something to do with the default gateway, but I can't figure it out. I hope that makes sense. I would really appreciate your thoughts on the subject. A big thank you to you, Leo and the whole team. Kind regards, Adam. Okay, what Adam wants to do can definitely be done in a highly robust fashion. It would be possible to manually add static routes to the routing table of the machine that's hosting the malware. This would cause the traffic bound for that target IP to override the normal non local default route, which would send the traffic out to the network's gateway interface and instead to another local network interface. But doing that is tricky and messy. The more straightforward solution, and it's really slick, would be to obtain a router that has some extra hardware interfaces. That little Netgate SG-1100, which I'm using here, has an AUX network connection. You know, it's got LAN, it's got WAN and LAN, and AUX, as in auxiliary. And it's not a simple switch using the same network as the LAN. It's a separate network interface and that can be given its own LAN. Or, for example, one of those Protectli, P-R-O-T-E-C-T-L-I, Protectli Vault devices. I'm using one of those at my other location. Those are nice also, and Amazon has those for sale. Or you can get them directly from Protectli. The idea is to have an extra physical network interface. You would use the router software such as pfSense or OPNsense to define another small LAN network for that extra interface. And instead of using one of the normal private networks like 192.168.something.something or 10.something something, you would create a network that includes the target IP of the command and control server. You then attach a machine, this C2, your command and control spoof server. You attach a machine to that interface and manually assign it the IP of the command and control server that the malware is looking for. 
Now, whenever the malware in the host machine addresses Internet traffic to that remote public IP, your local router's routing table will see that the IP matches within that extra network and will send the traffic to it rather than out onto the public Internet. So you wind up with a very straightforward, robust and easily adjusted and maintained solution. And yes, Dale Myers.
Leo Laporte
Okay.
Steve Gibson
Has a problem. I've forgotten how many breaks we've taken.
Leo Laporte
I thought there was something going on. We have one more, so you could put that anywhere you want.
Steve Gibson
Okay. Only. Only one left. Only one more.
Leo Laporte
Yeah.
Steve Gibson
And then we will. We'll finish our feedback and before we get into what is AGI.
Leo Laporte
Yeah.
Steve Gibson
Thank you. Dale Myers has a problem no one should ever face. He said, Hi, Steve. I never thought when I started listening at 0001 that there would ever be a thousand and still counting Security Now podcasts. He said, I started at the beginning, right after Fred Langa suggested that your podcast might be worthwhile. He was right. At the time, I was a volunteer in the IT department of a parochial school. The things I learned from Security Now led to important improvements in our system over the years. In those days, there were not so many listeners and you took time to answer two of my questions submitted in the feedback dialog box at the bottom of the Security Now page. Now I have a new question that relates to using a password manager. He said, I've been doing a bit of traveling by air lately, and the last time I was in my travel agent's office, I decided to use some of the accumulated points. She said she could not access my account without my password. There was a place for it on her screen, but I could not figure out how to get the password from there or to there from my password manager. Any thoughts? Signed Dale Myers. Okay. So my first thought was, huh, that's a really good question. How would you do that securely? And then I thought, I wonder why this isn't a problem we've heard about before. And then the question answered itself. Since no one should ever have this problem, no one should ever be asked to give their password to someone else like a travel agent so that she could access their account. So, you know, it's not a bigger problem because it should never be required of anyone, ever. The whole thing, you know, seems like a fundamentally bad idea. But that doesn't help Dale, who apparently does have this problem, even if everyone agrees he should never have had this problem in the first place.
Given that Dale has been listening since episode one, we know that his travel account is currently protected by a ridiculously gnarly, long, random, and impossible to manually enter or even communicate password. So my advice would be not to even try. Briefly change your password to something ridiculously simple to type, which meets the travel system's password policies, but otherwise minimal in every way. You know, it's only going to be that way for a few minutes, so its security doesn't really matter. Once the travel points have been transferred, the account's password can either be restored to what it was before or set to something new. Now, a workable alternative would be to just send the account's initial gnarly password via email or a text to the travel agent, let her log in, do whatever she needs, then change the account's password to something new and super secure once the points have been moved. Now, having said that, I did get a piece of feedback from a listener about an incredibly cool looking device. I've got, I've got it on the way to me because I want to understand it and be able to talk about it. It is a little dongle which has a USB port and it is a Bluetooth keyboard dongle, meaning that what, what Dale could do if he had this, or if any of our listeners had this problem, Dale could have this with him, give it to the travel agent and have her plug it into her computer. You know, just any USB port. Now, very much like the original YubiKey, this thing looks like a USB keyboard. So then there are Android and iOS and other apps for this thing. So Dale would be able to send his password through this app and it would type into the password field on the travel agent's computer, which is kind of a cool hack. Anyway, I will, I'll know more about it. I'll, I'll, I'll have all the details in next week's podcast for anybody who wants to jump ahead. It was not cheap. It was $37 and it's being shipped from Poland as I recall. But still, yeah, kind of a cool thing.
Chris C. asked: A while back you said something about a large company that was fined for not keeping Teams or Slack chats as required by federal law. Do you remember who this was and what the law was? So I replied to Chris, I vaguely recall that in passing, but I have no specific recollection. And I said, GRC's on-site search in the upper right of every page can be used to search only the podcast transcripts, which are fully indexed. So you might be able to track down the reference that way. So that was my reply to Chris. I wanted to share this because I use GRC search from time to time myself in the same way when I'm looking for something from our own past. You heard me casually mention that we talked about something, whatever it was, back during podcast number whatever. So I just don't want anyone to imagine for a second that I recalled that podcast. Like Chris here, I did recall that it was something that was mentioned, but not what or when. Since I get these sorts of questions often, like that Chris asked, I just wanted to pass on to everyone that both the show notes and Elaine's precise transcripts are fully indexed and that index can be easily searched using GRC's search box. And I checked a little bit later. Chris had replied. He's responded, thank you, exclamation point. I didn't know that was there. He said, I found it in SN number 959. He said Google did not help me, but the search engine on your site powered by the same company did. So again we do have, you know, essentially podcast-specific search which will allow anyone to find something that they think they recall that we talked about before but can't remember exactly where or when. You're free to keep asking me, but you know I'll do the same thing you could do, which is to use the little search box in the upper right of every page at GRC. And Leo, we are ready to talk about artificial general intelligence.
Leo Laporte
Oh boy.
Steve Gibson
Whatever that is, we'll at least maybe know what it is even if we don't know when. About half an hour from now. But let's take our last break and then we'll plow into that.
Leo Laporte
I'm excited. I'm really excited. I'm ready to take notes. Maybe you should take notes on this though. This is a very important sponsor for Security Now. They've been with us for a long, long time. I'm talking about the Thinkst Canary. Now if, when you hear Thinkst Canary, I want you to think, oh yeah, that's a honeypot, right? Yes, that's exactly what it is. A little box about the size of an external USB drive. But it's not a drive though. It's a little computer that can be set up to look like anything. Now I shouldn't even say it's a computer because it's so easy to use. You log into the console, there's a drop-down menu, you can choose from all kinds of SSH server, Windows server with a Christmas tree of services lit up, or just a handful of very select services. It can be, it could be a SCADA box. Mine is a network attached storage device. It's exactly an exact duplicate of what a bad guy would see if they were attacking a Synology NAS. It's, it's got the right MAC address, it's got a Synology MAC address, it's got the right DSM 7 login. The whole thing is authentic. That's important, because a honeypot has to fool the wily hacker. Now, if you've got that set up, very easy, you have it in minutes. Another thing you might want to do is create lure files. You can use your Thinkst Canary to create phony Excel spreadsheets or PDF files or Doc files, whatever it is you want, and give them a name that's very, you know, insightful, like employee Social Security numbers. Now, that's maybe too obvious. How about just employee information? That's a good one. Okay. Employee information dot xls. Now, there's no way a bad guy browsing around your network cannot try to open that. But the minute that they do or they access your fake SSH server, you're going to get a notification from your Thinkst Canary. It's going to say you've got a problem. And the notifications, by the way, could be any way you want. Email, SMS.
It supports Slack, webhooks, syslog, of course, any variety of ways, basically. And they've got an API if you want to write your own. However you want the notifications to come in, they will. But they're only the notifications that matter. You don't get false positives on this thing. It's, it's, I could tell you because we've been running it for years, it's really a clever idea. And the reason you need this is I know you have excellent perimeter defenses. You know, I, we all do, right? Something that's keeping the bad guys out of your network, you've got to have that. But what happens when they get in your network? Do you have any sensors, any way of knowing? These guys are very clever. They erase the logs as they go. They, they don't leave any footprints behind. How would you know? Think about this. How would you know right now if some bad guy weren't browsing around your network, looking at all your files, exfiltrating personal information about your employees or your, or worse, your customers, preparing for a ransomware attack by finding every backup, every nook and cranny, how would you feel? And how would you know? That's why you get a Thinkst Canary. You choose a profile for your Thinkst Canary device. You register it with a hosted console for monitoring and notifications. And like I said, you can have notifications any way you want. And then you just wait. And if, if you're like us, you might not get a notification for a long time. We've, in our, in all the years we've run it, Thinkst Canary, we've only had one. It was from a device somebody had hooked up. It was actually a storage device somebody hooked up that went out and sniffed all the IP addresses on the network. And I got a notification saying there's something going around sniffing your, your, your network. It gave me the, the incoming, you know, IP address. I was able to track it down right away. I figured out who it was.
We took it off the network and that's the only time we've ever heard from it because that's the only time we've ever had anybody inside our network doing anything malicious. So whether you've got attackers or malicious insiders, they will make themselves known because they can't help but access these Thinkst Canary devices or these lure files. It really works. Now, it depends on how big you are, how many you would want. A big bank might have hundreds spread out all over their operations. We might have a handful as a small business. But let me give you an idea. Go to canary.tools/twit. You can see the pricing. Clear pricing there. They don't hide anything. Rough idea though. $7,500 a year gets you five Thinkst Canaries. You get that hosted console, you get the upgrades, the support, the maintenance. Oh, and don't forget, if you use the code TWIT in the "How did you hear about us?" box, you're going to get 10% off that for life. Now, if you're at all skeptical, here's the really good news. They have a two month, 60 day money back guarantee for a full refund. So for any reason you don't like your Thinkst Canaries, you got two months to get your money back. I might mention that in all the time that we've partnered with Thinkst Canary, that refund guarantee has never been claimed. Once you get this, once you see how great it is, you, you're going to say, I don't know where you've been all my life. You could go to canary.tools/love to see other people saying loving things about their Thinkst Canaries. Go to canary.tools/twit to find out more. Enter the code TWIT in the "How did you hear about us?" box to save 10% on your Thinkst Canaries for life. Again, canary.tools/twit, offer code TWIT gets you 10% off for life. Thank you, Thinkst, for creating a really incredible product. And thank you, dear listener, for using that address so they know you saw it here. canary.tools/twit. All right, I've been dying to hear this. Steve Gibson on AGI.
Steve Gibson
Well, okay. Steve Gibson surveying a bunch of other people's feelings about AGI.
Leo Laporte
Yeah, that's fair. I want to know what you think too though. I think you'll probably give us some idea.
Steve Gibson
Yeah, I do have some feelings, so. Okay. I should note that I already have everything I need with thanks to today's ChatGPT-4o, and it has changed my life for, for the better. I've been using it increasingly as a time saver in sort of in the form of a programming language super search engine, and even a syntax checker. I've used it sort of as a crutch when I need to quickly write some throwaway code in a language like PHP where I do not have expertise, but I want to get something done quickly. I just, you know, I'd like, you know, get, solve a quick problem, you know, parse a text file in a certain way into a different format, that sort of thing. In the past I would take, you know, if it was a somewhat bigger project than that, an hour or two putting queries into Google, following links to Programmers Corner or Stack Overflow or other similar sites, and I would piece together the language construction that I needed from other similar bits of code that I would find online. Or if I was unable to find anything useful like, you know, solve the problem, I would then dig deeper in through the language's actual reference texts, to find the usage and the syntax that I needed and then build up from that, you know, because, you know, after you've programmed a bunch of languages, they're all sort of the same largely. I mean, Lisp is a different animal entirely, as is APL. But, but you know, the procedural languages, it's just a matter of like, okay, what do I use for inequality? What do I use for, you know, how exactly are the looping constructs built? That kind of thing. That's no longer what I do because I now have access to a, what I consider a super programming language search engine. Now I ask the experimental coding version of ChatGPT for whatever it is I need. I don't ask it to provide the complete program since that's really not what I want.
You know, I love coding in any language because I love puzzles and puzzles are language agnostic, but I do not equally know the details of every other language. There's nothing ChatGPT can tell me about programming assembly language that I have not already known for decades. But if I want to write a quick throwaway utility program like in Visual Basic .NET, a language that I've spent very little time with, and because I like to write in assembly language, but I need to, for example, quickly implement an associative array, as I did last week, rather than poking around the Internet or scanning through the Visual Basic syntax to find what I'm looking for, I'll now just pose the question to ChatGPT. I'll ask it very specifically and carefully for what I want, and in about two seconds I'll get what I may have previously spent 30 to 60 minutes sussing out online. It has transformed my work path for those sorts of, for that class of problem that I've traditionally had. It's useful whenever I need some details where I do not have expertise, is, I think, the way I would put it. And I've seen plenty of criticism levied by other programmers of the code produced by today's AI. To me, it seems misplaced, i.e., their criticism seems misplaced and maybe just a bit nervous. And maybe they're also asking the wrong question. I don't ask ChatGPT for a finished product because I know exactly what I want and I'm not even sure I could specify the finished product in words or that that's what it's really good for. So I ask it just for specific bits and pieces and I have to report that the results have been fantastic. I mean, it is literally, it's the way I will now code languages I don't know, I think is probably the best way to put it. It's ingested the Internet and, you know, obviously we have to use the term "it knowing them" very advisedly. It doesn't know them.
But whatever it is, I am able to like ask it a question and I actually get like really good answers to tight problem domain questions. Okay, but what I want to explore today is what lies beyond what we have today, what the challenges are and what predictions are being made about how and when we may get more, whatever that more is. You know, the, the, the there where we want to get is generically known as artificial general intelligence, which is abbreviated AGI. Okay, so let's start by looking at how Wikipedia defines this goal. Wikipedia says artificial general intelligence is a type of artificial intelligence that matches or surpasses human cognitive capabilities across a wide range of cognitive tasks. This contrasts with narrow AI, which is limited to specific tasks. Artificial superintelligence, ASI, on the other hand, refers to AGI that greatly exceeds human cognitive capabilities. AGI is considered one of the definitions of strong AI. They say creating AGI is a primary goal of AI research and of companies such as OpenAI and Meta. A 2020 survey identified 72 active AGI research and development projects across 37 countries. The timeline for achieving AGI remains a subject of ongoing debate among researchers and experts. As of 2023, some argue that it may be possible in years or decades, others maintain it might take a century or longer, and a minority believe it may never be achieved. Notable AI researcher Geoffrey Hinton has expressed concerns about the rapid progress toward AGI, suggesting it could be achieved sooner than many expect. There's debate on the exact definition of AGI and regarding whether modern large language models such as GPT-4 are early forms of AGI. Contention exists over whether AGI represents an existential risk. Many experts on AI have stated that mitigating the risk of human extinction posed by AGI should be a global priority. Others find the development of AGI to be too remote to present such a risk.
AGI is also known as strong AI, full AI, human level AI, or general intelligent action. However, some academic sources reserve the term strong AI for computer programs that experience sentience or consciousness. In contrast, weak AI or narrow AI is able to solve one specific problem but lacks general cognitive abilities. Some academic sources use weak AI as the term to refer more broadly to any programs that neither experience consciousness nor have a mind in the same sense as humans. Related concepts include artificial superintelligence and transformative AI. An artificial superintelligence is a hypothetical type of AGI that is much more generally intelligent than humans, while the notion of transformative AI relates to AI having a large impact on society, thus transforming it, for example, similar to the agricultural or industrial revolutions. A framework for classifying AGI levels was proposed in 2023 with Google DeepMind researchers, or by Google DeepMind researchers. They define five levels of AGI: emerging, competent, expert, virtuoso, and superhuman. They define, for example, a competent AGI is defined as an AGI that outperforms 50% of skilled adults in a wide range of non-physical tasks, and a superhuman AGI, in other words, an artificial superintelligence, is similarly defined, but with a threshold of 100%. They consider large language models like ChatGPT or Llama 2 to be instances of the first level, emerging AGI. Okay, so we're getting some useful language and terminology for talking about these things. The article that caught my eye last week as we were celebrating the thousandth episode of this podcast was posted on Perplexity AI, titled Altman predicts AGI by 2025. The Perplexity piece turned out not to have much meat, but it did offer the kernel of some interesting thoughts and some additional terminology and talking points, so I still want to share it.
Perplexity wrote: OpenAI CEO Sam Altman has stirred the tech community with his prediction that artificial general intelligence, AGI, could be realized by 2025, a timeline that contrasts sharply with many experts who foresee AGI's arrival much later. Despite skepticism, Altman asserts that OpenAI is on track to achieve this ambitious goal, emphasizing ongoing achievements and substantial funding, while also suggesting that the initial societal impact of AGI might be minimal. In a Y Combinator interview, Altman expressed excitement about the potential developments in AGI for the coming year. However, he also made a surprising claim that the advent of AGI would have surprisingly little impact on society, at least initially. This statement has sparked debate among AI experts and enthusiasts, given the potentially transformative nature of AGI. And Altman's optimistic timeline stands in stark contrast to many other experts in the field who typically project AGI development to occur much later, around 2050. Despite the skepticism, Altman maintains that OpenAI is actively pursuing this ambitious goal, even suggesting that it might be possible to achieve AGI with current hardware. This confidence, coupled with OpenAI's recent 6.6 billion funding round and its market valuation exceeding $157 billion, underscores the company's commitment to pushing the boundaries of AI technology. Achieving artificial general intelligence faces several significant technical challenges that extend beyond current AI capabilities. So here we have four bullet points that outline what AGI needs that there's no sign of today. First, common sense reasoning. AGI systems must develop intuitive understanding of the world, including implicit knowledge and unspoken rules to navigate complex social situations and make everyday judgments. Two, context awareness. AGI needs to dynamically adjust behavior and interpretations based on situational factors, environment, and prior experiences.
Third, handling uncertainty. AGI must interpret incomplete or ambiguous data, draw inferences from limited information, and make sound decisions in the face of the unknown. And fourth, continual learning. Developing AGI systems that can update their knowledge and capabilities over time without losing previously acquired skills remains a significant challenge. So one thing that occurs to me as I read those four points, reasoning, contextual awareness, uncertainty, and learning, is that none of the AIs I've ever interacted with has ever asked for any clarification about what I'm asking. That's not something that appears to be wired into the current generation of AI. I'm sure it could be simulated if it would further raise the stock price of the company doing it, but it wouldn't really matter, right? Because it would be a faked question like that very old ELIZA pseudo-therapist program from the 70s. You know, you would type into it, I'm feeling sort of cranky today, and it would reply, why do you think you're feeling sort of cranky today? You know, it wasn't really asking a question. It was just programmed to seem like it was, you know, understanding what we were typing in. The point I hope to make is that there's a hollowness to today's AI. You know, it's truly an amazing search engine technology, but it doesn't seem to be much more than that to me. There's no, there's no presence or understanding behind its answers. The Perplexity article continues, saying overcoming these hurdles requires advancements in areas such as neural network architectures, reinforcement learning, and transfer learning. Additionally, AGI development demands substantial computational resources and interdisciplinary collaboration among experts in computer science, neuroscience, and cognitive psychology. While some AI leaders like Sam Altman predict AGI by 2025, many experts remain skeptical of such an accelerated timeline.
A 2022 survey of 352 AI experts found that the median estimate for AGI development was around 2060, also known as Security Now episode 2860. 90% of the 352 experts surveyed expect to see AGI within 100 years. 90% expect it, so not to take longer than 100 years, but the median is by 2060, so not next year, as Sam suggests. They wrote: This more conservative outlook stems from several key challenges. First, the missing ingredient problem. Some researchers argue that current AI systems, while impressive, lack fundamental components necessary for general intelligence. Statistical learning alone may not be sufficient to achieve AGI. Again, the missing ingredient problem. I think that sounds exactly right. Also, training limitations. Creating virtual environments complex enough to train an AGI system to navigate the real world, including human deception, presents significant hurdles. And third, scaling challenges. Despite advancements in large language models, some reports suggest diminishing returns in improvement rates between generations. These factors contribute to a more cautious view among many AI researchers who believe AGI development will likely take decades rather than years to achieve. OpenAI has recently achieved significant milestones in both technological advancement and financial growth. The company successfully closed, and here they're saying again, a massive 6.6 billion funding round valuing at $157 billion. But, you know, who cares? That's just, you know, Sam is a good salesman. They said, this round attracted investments from major players like Microsoft, Nvidia and SoftBank, highlighting the tech industry's confidence in OpenAI's potential. The company's flagship product, ChatGPT, has seen exponential growth, now boasting over 250 million weekly active users, and you can count me among them. OpenAI has also made substantial inroads into the corporate sector, with 92% of Fortune 500 companies reportedly using its technologies.
Despite these successes, OpenAI faces challenges, including high operational costs and the need for extensive computing power. The company is projected to incur losses of about $5 billion this year, primarily due to the expenses associated with training and operating its large language models. So when I was thinking about this idea of we're just going to throw all this money at it and it's going to solve the problem and, oh, look, you know, the solution is going to be next year, the analogy that hit me was curing cancer, because there sort of is an example of, you know, oh, look, we just, we had a breakthrough and this is going to, you know, cure cancer. It's like, no, we don't really understand enough yet about human biology to say that we're going to do that. And I know that the current administration has been these cancer moonshots. And it's like, okay, have you actually talked to any biologists about this? Or do you just think that you can pour money on it and it's going to do the job? So that's not always the case. So to me, this notion of the missing ingredient is the most salient of all of this. It's like, what we may have today has become very good at doing what it does, but it may not be extendable. It may never be what we need for AGI. But I think that what I've shared so far gives a bit of calibration about where we are and what the goals of AGI are. I found a piece also in InformationWeek where the author did a bunch of interviewing and quoting of people that I just, I want to share, just to finish this topic off. It was titled Artificial general intelligence in 2025. Good luck with that. And it had the teaser: AI experts have said it would likely be 2050 before AGI hits the market. OpenAI CEO Sam Altman says 2025. But it's a very difficult problem to solve. So they wrote: A few years ago, AI experts were predicting that artificial general intelligence would become a reality by 2050.
OpenAI has been pushing the art of the possible along with big tech. But despite Sam Altman's estimate of 2025, realizing AGI is unlikely soon. HP Newquist, author of The Brain Makers and executive director of The Relayer Group, a consulting firm that tracks the development of practical AI, said, quote, We can't presume that we're close to AGI because we really don't understand current AI, which is a far cry from the dreamed of AGI. We don't know how current AIs arrive at their conclusions, nor can current AIs even explain to us the processes by which that happens. That's a huge gap that needs to be closed before we can start creating an AI that can do what every human can do. And a hallmark of human thinking which AGI will attempt to replicate is being able to explain the rationale for coming up with a solution to a problem or an answer to a question. We're still trying to keep existing large language models from hallucinating, unquote. And I'll just interrupt to say that I think this is the crucial point. Earlier, you know, or rather earlier I described ChatGPT as being a really amazingly powerful Internet search engine. Partly that's because that's what I've been using it to replicate for my own needs. As I said, it's been a miraculous replacement for a bunch of searching I would otherwise need to do myself. My point is this entire current large language model approach may never be more than that. This could be a dead end, you know, if so, it's a super useful dead end, but it might not be the road to AGI at all. It might never amount to being more than a super spiffy search engine. The InfoWeek article continues: OpenAI is currently alpha testing Advanced Voice mode, which is designed to sound human, such as pausing occasionally when one speaks to draw a breath. It can also detect emotion and nonverbal clues.
This advancement will help AI seem more human-like, which is important, but there's more work to do. And frankly, that's where we begin to get into the category of parlor tricks, in my opinion, like, you know, making it seem like more than it is, but it still isn't. Edward Tehan, CEO of Zero GPT, which detects generative AI's use in text, also believes the realization of AGI will take time. In an email interview with the article's author, Edward said, quote, the idea behind artificial general intelligence is creating the most human-like AI possible, a type of AI that can teach itself and essentially operate in an autonomous manner. So one of the most obvious challenges is creating AI in a way that allows the developers to be able to take their hands off eventually, as the goal is for it to operate on its own. Technology, no matter how advanced, cannot be human. So the challenge is trying to develop it to be as human as possible. That also leads to ethical dilemmas regarding oversight. There are certainly a lot of people out there who are concerned about AI having too much autonomy and control, and those concerns are valid. How do the developers make AGI while also being able to limit its abilities when necessary? Because of all these questions and our limited capabilities and regulations at the present, I do not believe that 2025 is realistic. Current AI, which is artificial narrow intelligence, performs a specific task well, but it cannot generalize that knowledge to suit a different use case. Max Li, the CEO of the decentralized AI data provider OORT and an adjunct associate professor in the Department of Electrical Engineering at Columbia University, said, quote, Given how long it took to build current AI models, which suffer from incessant, sorry, from inconsistent outputs, flawed data sources and unexplainable biases, it would likely make sense to perfect what already exists rather than start working on even more complex models.
In academia, for many, for many components of AGI, we do not even know why it works, nor why it does not work. To achieve AGI, a system needs to do more than just produce outputs and encourage, I'm sorry, and engage in conversation, which means that LLMs alone won't be enough. Alex Jaimes, chief AI officer at the AI company Dataminr, said in an email interview, quote, it should also be able to continuously learn, forget, make judgments that consider others, including the environment in which the judgments are made, and a lot more for that. From that perspective, we're still very far. It's hard to imagine AGI that doesn't include social intelligence, and current AI systems don't have any social capabilities, such as understanding how their behavior impacts others, cultural and social norms, et cetera. Sergei Kasovich, the deputy CTO at the gambling software company SoftSwiss, said, To get to AGI, we need advanced learning algorithms that can generalize and learn autonomously, integrated systems that combine various AI disciplines, massive computational power, diverse data, and a lot of interdisciplinary collaboration. For example, current AI models like those used in autonomous vehicles require enormous data sets and computational power just to handle driving in specific conditions, let alone achieve general intelligence. LLMs are based on complex transformer models. While they are incredibly powerful and even have some emergent intelligence, the transformer is pre-trained and does not learn in real time. For AGI, there will need to be some breakthroughs with AI models. They will need to be able to generalize about situations without having to be trained on a particular scenario. A system will also need to do this in real time, just like a human can when they intuitively understand something. In addition, AGI capabilities may need a new hardware architecture such as quantum computing, since GPUs will probably not be sufficient.
Note that Sam Altman has specifically disputed this and said that current hardware will be sufficient. In addition, the hardware architecture will need to be much more energy efficient and not require massive data centers. LLMs are beginning to do causal inference and will eventually be able to reason. They'll also have better problem solving and cognitive capabilities based on the ability to ingest data from multiple sources. So, okay, what's interesting is the degree of agreement that we see among separate experts. You know, they're probably all reading the same material, so there's some degree of convergence in their thinking. But, you know, Altman is an outlier. And it seems to me as though these people know what they're talking about from the things they've said. Perhaps, you know, maybe Sam has already seen things in the lab at OpenAI that no one else in the outside world has seen, because that's what it would take for Sam to not be guilty of over hyping and over promoting his company's near term future. Now, I put a picture in the show notes. You had it on the screen there a second ago, Leo. That is not a mockup. That is not a simulation. This is an actual image of a tiny piece of cerebral tissue. Those are neurons and axons and dendrites. They are the, the, the coloration was added. But that, but those. That is actual human brain tissue in that photo in the show notes. I'm especially intrigued by the comments from the talk that the top academic AI researchers in the world who admit that to this day no one actually understands how large language models produce what they do. Given that, I'm skeptical that just more of the same will result in the sort of qualitative advancement that AGI would require, which is certainly not just more of the same. When I said in the past that I see no reason why a true artificial intellect could not eventually be created, I certainly did not mean next year. I meant someday. 
I meant that I believe that a biological brain may only be one way to create intelligence. One thing I've acquired during my research into the biology of the human brain is a deep appreciation for the astonishing complexity, I mean astonishing, of the biological computing engine that is us. The number of individual computing neurons in the human brain is 10 to the 11. Okay, so that's 100 billion, 100 billion individual neurons. A billion neurons 100 times over. So, you know, consider that a billion neurons 100 times. And not only are these individual neurons very richly interconnected, typically having connections to 20,000 others. Each individual neuron is all by itself individually astonishingly complex in its behavior and operation. They are far from being simple, integrative binary triggers like, you know, we learned in elementary school. And we have 100 billion of these little buggers in our heads. So perhaps Sam is going to surprise the rest of the world next year. We'll see. Color me skeptical, but not disappointed. As I said, I'm quite happy to have discovered the wonderful language accessible Internet digest that ChatGPT is. You know, that's more than a simple parlor trick. It's a big deal, and it's, I think, kind of magic. But I suspect that all it is is what it is. And for me, that's enough for now. I'd wager that we have a long ways to wait before we get more.
Leo Laporte
What? How would you know if something is an AGI? That's one of the things that's bothered me. The Turing test is not real. There's a Chinese room test that's maybe, you know, a little better. I think there's really no way to judge an AGI.
Steve Gibson
No, no, I mean, it. It would. Well, another perfect example is chess. Once upon a time, you could have easily said, well, humans are like, you know, humans can play chess. No machine could play chess. Right, right. I mean, that, that was something people were saying for a long time. Right? Now we've just, you know, we're.
Leo Laporte
They've.
Steve Gibson
The computers have blown past us. So. And for me, and I know that you have also used constrained domain large language models, which you've trained by dumping all of a bunch of Lisp textbooks into it and then being able to ask questions. You know, this is a fantastic technology that we have.
Leo Laporte
Right.
Steve Gibson
But I think it's very much in the same way that, like, the solution we have for cancer is by using chemotherapy to limit growth of our whole body. Because cancer cells are a problem because they're able to reproduce at such a high rate. I mean, it's. It's like we haven't even begun to start an actual cure. We just have sort of mitigation that is able to push people into remission. So my feeling is that I agree with the experts who suggest that what we may see today we should regard it as nothing more than what it is. And there's no reason to believe that we're going to get some sort of transformation just by getting more of the same.
Leo Laporte
Yeah. I also think that looking for an AGI is maybe not really the sensible end goal, that machines could be as useful as an AGI or as powerful as an AGI without actually being a general intelligence. I don't know if that's a reasonable thing to be measuring AI progress.
Steve Gibson
It is certainly the case that if you, if we had something where people could describe casually exactly how and how they wanted a computer program to operate and actually, like, got a functioning, error, bug-free thing, that would be transformative for the world of coding.
Leo Laporte
Right?
Steve Gibson
And I would not be surprised, yes, I would not be surprised if we don't have something like that before long.
Leo Laporte
I asked my, one of my favorite AIs, Perplexity AI, which is a search, Internet search engine. You should give it a try since that's how you seem to think or seem to like using AI. So I asked, is there a test for AGI? It mentions a Turing test, some other tests, but then it mentions some casual tests like the coffee test. An AI enters an average American home and figures out how to make coffee. You know what, if, if, if a robot could do that, it may not be AGI, but boy, that's, that's impressive. Or could go to college, enrolls in a university, obtains a degree, passing the same classes as humans. I think we might be close to that. The IKEA test. An AI controls a robot to assemble flat pack furniture correctly after viewing parts and instructions. Many humans can't do that. So that, that would be an interesting test as well. I just, I think that, that those are obviously kind of silly, but that points out there is no kind of accepted definition for what AGI is. And there are many different ways. Just as with humans, there are many ways to be intelligent. I think there are many ways for a machine to be usefully intelligent. If a machine could come in my house and make coffee without any, you know, advanced knowledge about that, except kind of maybe a basis, basic idea of what coffee is and how to make it, I'd be impressed. I think that would be useful. May not be AGI, but it'd be pretty cool anyway.
Steve Gibson
Yeah, there was, when we were growing up, there was a game, it was called Nim where Love Nim. And there was a way to set up a computer using matchboxes and matchsticks where you would basically this thing was like a very early combinatorial computer. And by iterating on this, you were training it to make the right decisions over time about how many sticks to take away when a certain number of matchsticks remained. And I mean that's, this is the kind of stuff that fascinated me as I was a kid. I wasn't climbing stairs on the outside of the banister. I was, you know.
Leo Laporte
But see, that's combinatorial math. And you can easily see how it would be simple to program something. You know, I have a kind of a famous book, a Lisp book, as it turns out, by Peter Norvig called Paradigms of Artificial Intelligence Programming. And it talks about the, some of the. This is an early book, I think it's 30 or 40 years old now. It's in public domain. It's that old. But he talks about some of the early attempts to do what he called a GPS, a general problem solving machine. And it's basically that it's a combinatorial thing. We'll try this and then this and then this. And if that doesn't work, right, backtrack, then try this and this. And, and you could see how you could solve chess that way if given a fast enough machine, or even Go, which is a lot more difficult to play than chess, or protein folding. A lot of things that doesn't. Those are useful tools. Maybe not intelligent, but we don't even know what human intelligence is. So I don't know how we.
Steve Gibson
Yeah, and I, and I think you're right. I. When you mentioned protein folding, there are many people who are expecting with like that what we have now or could have in a year or two could make, you know, dramatically change health care by, by like, you know, looking at mass amounts of data and pulling associations and relationships out of that that we don't see.
Leo Laporte
Right.
Steve Gibson
Because it just has a scope that we don't have.
Leo Laporte
And that's really more applicable. Yeah, and it has something to do more with capacity. The amount of data it can store, which is so much faster than a human mind, the amount of speed with which it can process it. Again, faster than a human mind. That doesn't make it intelligent. That just makes it faster and bigger and better in some ways. I'm, I think it's a fascinating subject. I as, and I, you probably feel the same way as, as science fiction fans, I think we both would love to see AGI in our lifetime. Just be fun to talk to an alien intelligence that we created.
Steve Gibson
I, it would certainly be the case that, that creating a conversation would be a next step where if you actually got a sense of, you know, there, there being something there, I, I just, I know I get no sense that, that it's anything other than, you know, and it's clearly, you know, it's, you know, it refers to itself in the first person you know, it's like, let me know if there's any more I can do for you. And so they're like, you know, they gave it a bunch of sugar coating. It is designed to make us think like, you know, exactly like we're talking to us to an entity. It's not an entity.
Leo Laporte
Even the word hallucination really is an inappropriate anthropomorphization of what's really going on.
Steve Gibson
Yeah. Calling it a mistake.
Leo Laporte
It's just a mistake.
Steve Gibson
It's just a mistake.
Leo Laporte
It's an error. Steve, as always, fascinating show, great information, lots of food for thought. We just got an email from a prisoner who listens to the show, but he's allowed to listen to the podcast in the library, but he can't read the show notes because he doesn't have access to the Internet. And he said, could you print out the show notes and mail them to me? And I think we will. I think that that's. I think they should allow that. Talk about rehabilitation. Start listening to this show. By the time you get to episode 1002, you're going to be pretty smart about this computer stuff.
Steve Gibson
You'll have a career when you get out of.
Leo Laporte
I think you might.
Steve Gibson
Well, jail.
Leo Laporte
You might. Well, I'm glad you listened to the show and I hope you keep listening. A special thanks to our Club TWiT members who make this possible with their $7 a month. That's all it is. That's the lowest price of any podcast network. For all the shows we do, for all the content we do, for access to the Discord, ad-free versions of the shows, specials we put on, like our photo specials, our coffee specials, coding, there's all sorts of stuff going on, crafting, in the club. I think that's a pretty good deal for seven bucks. And it really makes a difference to our bottom line. If you have not yet joined, please go to twit.tv/clubtwit. Two weeks free. You could see what it's like. And if you refer somebody, you'll get a link when you sign up. If you use that link, put it on your socials and refer somebody, you'll get a free month for everybody who joins, which means you, you could possibly, if you have enough friends, never pay for Club TWiT at all. twit.tv/clubtwit. Spread the word. And for our existing members, we thank you so much. We do this show every Tuesday right after MacBreak Weekly. That ends up being about 1:30 to 2pm Pacific, let's say 5pm Eastern, 2200 UTC. I mentioned when we do it because we stream it. Again, thanks to the club members, we're able to stream this live on 8. I have to put up the fingers because I lose track. Eight different platforms. There's the Club TWiT Discord, there's TikTok, there's X.com, Twitch, YouTube, LinkedIn, Kick. And I left out some. Facebook. Did I get LinkedIn? One of them. Lots of places. You know what? If you go to twit.tv/live, you'll see a list of all of them. Watch live if you want, but I highly encourage you to get a copy of the show. Now, you can get it from Steve if you want. We certainly encourage you to do that. GRC.com. He has a couple of unique versions on his website. The 16 kilobit audio version, which is a little scratchy, but it's small. It's small. Small but scratchy. I know people like that.
He also has the 64 kilobit audio. Less scratchy, sounds a lot better. But you know, it's five times bigger. Four times bigger. He also has the transcripts, which are great. We mentioned those earlier. Elaine Farris does those. She does a wonderful job. They're great for searching or I think people like to read along. In fact, somebody had a tip I saw that. Listen at double speed and then read along with it. You'll understand it all completely, but you'll get it done in half the time. Isn't that a clever idea? Try it. Do get.
Steve Gibson
It's like having subtitles.
Leo Laporte
Yeah, GR... Yeah, exactly. It's subtitles for the show. GR... And really good ones, right? Not computer generated. GRC.com. While you're there, take a look at SpinRite. 6.1 is the current version of the world's best mass storage maintenance, performance enhancing and recovery utility. If you have mass storage, you need SpinRite.
Steve Gibson
Yeah.
Leo Laporte
Get a copy right now. It's Steve's bread and butter. Not. But soon something else is coming along. I will be paying for that pro version of the DNS Benchmark as soon as that's available. I can't wait to see that. I'll keep that running all the time. Lots of other stuff there for free, including ShieldsUP! GRC.com. And somebody was saying, he sent me an email, said, if Steve would just publish his email, I would send it to him. Do not send me email for Steve. Send it to Steve. Here's how. Go to GRC.com/email. Enter your email address. Excuse me. Optionally sign up for the newsletters, but that's optional. You, you don't have to. But he will then validate your email address and you can just send him.
Steve Gibson
Email at securitynow@grc.com. You just send it.
Leo Laporte
It's amazing. That's new actually. And it's a really good solid solution to Steve's email problems. So again, GRC.com/email. We have the show at our website, twit.tv/sn. When you're there, you'll see a link to the YouTube channel. Great way to share little clips. Please do that. People who don't listen to Security Now, send them some useful stuff. Say you're missing a great show, you should be listening. That helps us a lot. So GRC... I'm sorry, twit.tv/sn. There's a YouTube link there and there's also of course best way to listen. Subscribe in your favorite podcast player, you'll get it automatically. There's audio and video and you know, then you don't have to ever worry about it. You'll have a Security Now in your inbox suitable for listening at any time. Steve. Have a great week. I'm about a third of the way through Peter F. Hamilton's Exodus.
Steve Gibson
I'm. It's dragging a little bit. I'm at, I'm at three quarters and it's like, okay, I was afraid of that. Yeah.
Leo Laporte
So far, I have to say a third of the way in. It's gripping.
Steve Gibson
Well, he's so inventive. It is definitely that. See what you think when you get to 75%, I'm talk. It's like, okay, well you know, it's a lot of work. You really don't want that in your science fiction.
Leo Laporte
No. You got to what they call the slog. Yeah, the slog is never fun. We got the slog with that one with the Al Capone in it.
Steve Gibson
Oh, there was that and then, and then that other last whatever that I don't even, I don't even remember that Dreaming Void. There were. There were all the kids on that planet and they were running around and I don't know what happened is okay. Peter.
Leo Laporte
It's hard to write a thousand page novel and keep it going the whole time.
Steve Gibson
Yeah, well.
Leo Laporte
But we still love it. We do. Thank you, Mr. Gibson. Have a great week. We'll see you next week on Security Now. Bye bye.
Security Now 1001: Artificial General Intelligence (AGI) – Detailed Summary
Release Date: November 20, 2024
Host: Leo Laporte
Guest: Steve Gibson
Leo Laporte welcomes listeners to the milestone 1001st episode of Security Now, celebrating over two decades of discussions on security, privacy, and the evolving landscape of technology. The primary focus of this episode is on Artificial General Intelligence (AGI), a topic garnering significant attention in the tech community.
Steve Gibson delves into a recent investigative report by ProPublica, which scrutinizes Microsoft's commitment to enhancing the U.S. government's cybersecurity posture following a series of cyberattacks attributed to Russia, China, and Iran.
Steve discusses Google's latest enhancement to Gmail, introducing native throwaway email aliases to help users manage privacy and reduce spam.
The conversation shifts to geopolitical cybersecurity issues, focusing on Russia’s efforts to control and potentially disconnect from the global Internet.
Cyberattack Highlight:
Steve and Leo address various listener questions and feedback, providing insights into practical security solutions and historical content relevance.
TrueCrypt Successor:
Listener Aiko Fred inquires about alternatives to TrueCrypt. Steve recommends VeraCrypt, noting its active development and compatibility with Linux.
Remote Network Access Solutions:
Scott Gottfried shares his setup using Cloudflare Tunnel, a free service for creating secure, outgoing tunnels to access home networks without opening ports on routers.
Password Sharing Challenges:
Dale Myers seeks advice on securely sharing passwords with a travel agent. Steve suggests temporary password changes or utilizing a Bluetooth keyboard dongle to input passwords directly.
Search Functionality Reminder:
Chris C. highlights the effectiveness of the podcast’s internal search feature powered by GRC.com, facilitating easy retrieval of past episode content.
The core segment of the episode focuses on AGI, exploring its definition, current progress, expert opinions, and the disparity between optimistic predictions and realistic timelines.
Definition and Levels of AGI:
Sam Altman’s Prediction vs. Expert Consensus:
Sam Altman, CEO of OpenAI, predicts AGI by 2025.
ProPublica and other sources cite a more conservative estimate from experts, with a median prediction around 2060 and 72 active AGI projects across 37 countries.
Critical Challenges for AGI:
Common Sense Reasoning: Developing intuitive understanding and navigating complex social situations.
Context Awareness: Adjusting behavior based on situational factors and prior experiences.
Handling Uncertainty: Interpreting ambiguous data and making decisions with limited information.
Continual Learning: Updating knowledge and capabilities without losing previously acquired skills.
Expert Opinions:
Most AI researchers believe AGI is decades away, citing the “missing ingredient” problem—current AI lacks fundamental components like common sense and real-time learning.
Concerns about the opacity of AI decision-making processes and ethical dilemmas regarding oversight and autonomy.
Comparisons and Analogies:
Steve compares the pursuit of AGI to the incomplete and challenging efforts to cure cancer, emphasizing that pouring resources into a complex problem doesn’t guarantee immediate breakthroughs.
Leo and Steve wrap up the episode by reflecting on the discussions around AGI, reiterating the skepticism about imminent breakthroughs despite significant advancements in AI technologies like ChatGPT.
Final Remarks:
In this episode, Security Now continues its tradition of providing in-depth analysis and discussions on pressing security topics. The exploration of AGI highlights both the excitement and the cautious skepticism prevalent among experts, underscoring the complexity and ethical considerations inherent in developing truly general artificial intelligence.
Listeners are encouraged to revisit foundational episodes to build a robust understanding of the underlying technologies that shape today's discussions.