Unencrypted Email, Doom Captcha
Leo Laporte
It's time for Security Now. Steve Gibson is here this week. A revelation. There is an incredible number of yet unencrypted email servers out there. You don't want it to be your provider. Steve will talk about that and why it's still happening. Also a captcha that you can solve by playing Doom. And then Steve gives us the results of three weeks of hardcore research on how AI works. A really good, I think, insight into artificial intelligence. That and more coming up next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1007, recorded Tuesday, January 7, 2025. AI training and inference. It's time for Security Now for a show of a brand new year with this guy right here, Mr. Steve Gibson, who did not miss his Tuesday broadcast one bit.
Steve Gibson
Right, you're right. As it turns out, working 20, almost 24/7 around the clock on code can actually burn one out.
Leo Laporte
You burned out coding?
Steve Gibson
I got to a point where, especially when I was. Okay, so I'm working on the DNS benchmark. IPv6 has been fully supported now for a while. I'm now working on bringing up the TLS, the secure encrypted protocols. And the problem was these are all new features, right? Yeah, this is.
Leo Laporte
So you've had a DNS benchmark for a long time, but you're going to do a pro. Should fill people in who didn't hear this. A pro version that will have additional features.
Steve Gibson
Yeah, yeah. So here was the problem was that I wrote it 15 years ago originally. And an IPv4 address. IP address is 32 bits, right? Well, that's the size of the registers in the x86.
Leo Laporte
Oh, too convenient.
Steve Gibson
Yes, yes. Throughout the entire code, I'm assuming that a DNS server's IP fits in a register. Yeah. And so you can do so many clever things that way. You can index into a list using the IP address. You can sort the IPs by sorting 32 bit words that are the native size of the processor so fast. I mean, well, and so the first thing that happened was IPv6 won't fit in a register because that's 128 bits. And we want. One of the big features is I've never seen any performance benchmarks about this next generation encrypted DNS, you know, DoH and DoT and DoQ, which is the QUIC protocol. The QUIC protocol, all of which this next generation of the benchmark will support. So the first thing I had to do, which is where, I don't know, the first month went and oh, Leo, I had to be like checkpointing my code. I would go, try to make some changes and go down a blind alley and go, okay, well that didn't work. So I'd restore the original source code, learning what I had learned from what didn't just work and try again. I mean it was, I had to rewrite, I have had to rewrite a huge portion of the original benchmark because it was so locked into 32 bits for an IPv4 address. And that had to be completely scrapped in order to allow both IPv6 and basically URLs. Because the way you address DoT, you know, DNS over TLS, DoH, DNS over HTTPS and DoQ, you, you address them as URLs, not as IP addresses.
Leo Laporte
Interesting.
Steve Gibson
So anyway, so now you have an.
Leo Laporte
Appreciation for what the UNIX graybeards are going to have to go through between now and 2038, having represented time as a 32 bit number, which fits very conveniently into a register, they're going to have to add a few bits.
Steve Gibson
Yeah. Anyway, so about a month ago, I guess IPv6, I got that all running. The fact that it ran at all meant that I was. Now I abstracted myself out of the IPv4 32 bit problem that was all working. But I've never had the occasion to create a naked TLS connection because normally you just use HTTPS and I've done that a lot on my various apps. But I've never needed to create like to do a certificate exchange and negotiate a TLS protocol.
Leo Laporte
All that's handled underneath by the browser. Right?
Steve Gibson
Exactly.
Leo Laporte
Now you got to do it your.
Steve Gibson
Or a Windows API that just does it all for you. So I had, in order to get a non-HTTP raw TLS connection that was all new code. So that's all now in there. And I do have DoT working. Anyway, we got into all this.
Leo Laporte
I'm impressed, actually. What you got done in a few weeks, that's very impressive.
Steve Gibson
Well, it's, it almost killed you, didn't it? Well, what happened would be after working for five days, morning, afternoon and evening, and Lori saying, honey, really, you work too much. I got to a point where if I was facing some next challenge that I had to deal with, I was like, okay, I can't do this now. In the morning I'll be fresh. Anyway, what I realized was not having the, the weekly break, like the enforced break to switch to Security Now, bring myself up to speed about what's been going on, read all of our listener feedback in order to, like, you know, get the hints from our listeners. It actually is a good thing. So, yeah, I'm glad we're back. Think of it as your weekend now.
Leo Laporte
The day and a half to two days you have to prepare.
Steve Gibson
Actually, that's really what it is. It is, it is the.
Leo Laporte
It's a.
Steve Gibson
It's a time shifted weekend because I work on code all through the weekend. Weekend.
Leo Laporte
There's no Saturday and Sunday for this man anyway, so there is Monday and Tuesday, though. That's the thing.
Steve Gibson
Today's podcast, first podcast of 2025.
Leo Laporte
Wow.
Steve Gibson
Is titled AI Training and Inference.
Leo Laporte
Oh, I know what else you did over the break. You learned a little bit about AI, didn't you?
Steve Gibson
Yes, as I told our listeners at. At as. Because I said, okay, it was going to be three weeks, right? Because we had.
Leo Laporte
For.
Steve Gibson
We had the best of. And then we were dark on. On New Year's Eve. So for me, it's been three weeks since I was last focusing on the podcast.
Leo Laporte
And I told everybody to be clear, what Steve has done in three weeks is figure out how to use IPv6, how to do TLS naked, and how AI works. Not much.
Steve Gibson
It was a good holiday.
Leo Laporte
Holy moly.
Steve Gibson
So before we launch into the podcast, I want to take a moment to assure everyone who's like, oh, God, not more AI, that this podcast, which we call Security Now, is not morphing into AI. Now, I'm quite conscious of the fact that through the end of 2024, yes, here today, we have and will spend time looking at what's been, you know, quietly simmering in the back rooms of university and commercial labs for years and has just suddenly, you know, burst out onto everyone's foreground attention, you know, and of course, you know, historically, from time to time, we've veered rather far afield, touching on topics of health, science fiction, the Voyager spacecraft, and even homemade portable sound guns. You know, what underpins all these diversions is the underlying science and technology that makes them go. And in this most recent case, my focus and fascination with AI. All of the feedback that I've received from our listeners has suggested that this is a topic of interest that is deeply shared. And in fact, we've got a bunch of listeners who are in the. In AI there. We've got Google AI listeners among those here. So, you know, over the holidays, during the three weeks we've been apart, as we said, I focused upon bringing myself up to speed, really, about what's been going on and I've come away with an understanding, I think, of the big picture and I have a number of observations that I'm excited to share. So we'll get to that. But I also think that this is probably it for a while. I'm sure that eventually the fallout from AI research will bear directly upon the security of our software. I don't know how. Microsoft must have a team because they're sharing in a lot of the OpenAI technology. Being a major investor, they must have a team, I hope they do, who are already thinking, how can we leverage this to have fewer patches on every second Tuesday of the month.
So anyway, I wanted to assure everyone, yes, we're going to talk about it again at the end of today's podcast, but not forever. I really think this is. I've kind of got this gets it out of my system and I will be now content to wait for things to mature. But we're gonna talk about more than that. Of course. We're gonna talk about the consequences of Internet content restriction, the measured risks of third party browser extensions. There have been some more troubles there. The consequences of SonicWall's unpatched 9.8 seriousness, you know, CVSS score, firewall severity, the incredible number of still unencrypted email servers, Leo meaning not, you know, not individual email encryption, but the interchange of email among servers. Still not encrypted today. It's a shock.
Leo Laporte
People are sending their passwords in clear text.
Steve Gibson
Just wait. Yes, yes, exactly. And the content of their email, I mean, everything is in the clear.
Leo Laporte
That's shocking.
Steve Gibson
Also, and I heard you mention this, I think it was on Sunday. We have the declaration. We hope it's true that Salt Typhoon was finally evicted from three telecom carriers. They've all said, oh, you know, Verizon. Oh yeah, they're all gone now, so they say. Also, HIPAA is getting a long needed cybersecurity upgrade. The EU oddly has decided to standardize on USB-C for its power charging. What? And then, believe it or not, we have a captcha which you solve to play or you solve by playing Doom. So once we've caught up with all that, I'm going to share what I've learned from three weeks of studying AI technology. And of course we have also as our picture of the week Security Now's first ever caption contest. So.
Leo Laporte
Well, this will be fun. And those of you watching live, don't look. Hold your powder. We'll give you a chance too to caption the upcoming picture of the week in just a moment. It's going to be a good show today. Our show brought to you by, very happy to say, Bitwarden, back for 2025. And goodness knows you probably need it. Certainly anybody who these days is using a browser or has anything they want to keep private is using passwords. And as you well know, the human brain was never designed to remember hundreds of passwords. You need help. You need Bitwarden, the trusted leader, not just in passwords, but in keeping secrets and in passkeys, which, you know, we're in this transition period. You probably can replace some of your passwords with passkeys, but you still need a password manager. And what better place to store your passkeys than not in your phone or your computer, but in the one thing that's with you all the time, your password manager. Bitwarden's open source. It's a great solution and it's a really good solution, not just for individuals, but for businesses. In today's digital landscape, it's more important than ever to protect your organization. Bitwarden has stepped up to the challenge with powerful new features designed to simplify and fortify your password management. Recently, Bitwarden expanded its Teams plan. So they have an Enterprise plan and a Teams plan with a robust SCIM, that's System for Cross-domain Identity Management, SCIM provisioning for users. This is a big deal. This allows MSPs and organizations to really streamline the access control, easily. Integrating seamlessly with leading IdPs like Azure Active Directory and Okta and OneLogin and JumpCloud, Bitwarden delivers enterprise level security capabilities that work for businesses of all sizes. That's just one of many, many features in Bitwarden. Bitwarden has also redesigned. I don't know if you saw this, this is kind of a little New Year's gift for everybody who uses Bitwarden.
They've completely redesigned the extension. They've created an intuitive and efficient, more efficient password management experience. I think it looks really nice. It's got a modern interface. But there are also benefits under the hood. Faster navigation, the organization is clearer, workflows are smoother. It makes it easier for individuals and businesses to do what Bitwarden does best, manage their passwords across platforms. And by the way, it's not just about security. One of the things that sets Bitwarden apart is its simplicity. Setup is easy, it only takes a few minutes. They automatically will import from most password management solutions. And I said it's open source and it really is. It's GPL licensed, it's posted on GitHub. You can look at the code. You can inspect it, anybody can. But Bitwarden also pays for regular audits by third party experts and unlike some other companies, publishes the full results of those audits. So you can use Bitwarden with confidence. Look, your business deserves a cost effective solution for enhanced online security. You deserve Bitwarden. Get started today with Bitwarden's free trial of a Teams or Enterprise plan. And as always, because it's open source, it's free forever across all devices. As many passwords as you want, including passkeys and hardware keys. As an individual user, free forever. bitwarden.com/twit. I know you use a password manager and your business probably uses one, but are they using the best one? Help them get to the best password manager, bitwarden.com/twit, and if you've got family members or friends who say I don't need a password manager, they really need Bitwarden. Tell them it's free forever for individuals. bitwarden.com/twit. Okay, caption contest time. Steve, do you want to prepare us in any way for this?
Steve Gibson
Well, so you could just look at the picture.
Leo Laporte
Okay.
Steve Gibson
And it, it raises, it raises more questions than it answers.
Leo Laporte
What's it protecting would be question number one.
Steve Gibson
Yeah. And what I love is that you can sort of see a bit of a path out from where the, from the vantage point of the photographer of this to the gate. So for those who can't see, we. It's just this bizarre. You normally, you can sort of figure out, okay, what one of these strange pictures, how it came to pass. We have a metal security gate with bars and a locking plate that's protected so you can't slip a credit card in and a locking handle out in the middle of a, of a field.
Leo Laporte
It's a field that Steve says you have to go to to have completely private conversations. Maybe that's what it's protecting. I don't know.
Steve Gibson
It hasn't been mowed for a decade. We've got, you know, bushy trees in the background. Someone said, looks like one of the plants behind it looks like a cauliflower or something. I don't care. But it's like, what I mean, like, how do you explain this? It's crazy. So as I was looking at this, thinking this is a crazy photo that would be great for the podcast. And coming up short for a caption that I loved, I thought, okay, let's leave this to our listeners. Let's turn this over to everyone who sees these every week and gets a kick out of them. So anyway, this is Security Now's first caption contest. Here's the picture. It's in the show notes. Take a look at it. You know, you can write to securitynow@grc.com. I sent the email, the show notes and so forth out to all of the subscribers to that list last night. And I forgot about the caption contest as being a thing. And I thought, what is all this email coming in like immediately? And that's why before the podcast I asked you, Leo, I think you're gonna have to tell, explain to me what's going on with Narnia. Because if there's one term I've heard more than any others, I mean, we've had, I should say already, a bunch of great submissions. Don't let that forestall anybody from sending theirs in. Next week we will have the what? The top 100 captions that have been suggested out of the thousand that I imagine that I'm gonna be receiving.
Leo Laporte
And now you know what Narnia is. Of course. It's the magical kingdom from the book The Lion, the Witch and the Wardrobe. And you get to it by going through the back of a giant wardrobe closet.
Steve Gibson
Yes. And this does look like. Maybe you can't tell from looking at this. This is actually a portal to somewhere else. And because it looks like you're actually seeing this, that makes sense, actually, this shrubbery behind the gate. But no, if you, and clearly some people have walked down that path from here to the gate, probably just to check, you know, jiggle the handle and see if the gate's locked or not.
Leo Laporte
It's an attractive nuisance for sure. We're getting some suggestions from the chat room, like, oh, I forgot my key would be one and the long forgotten protocol is another. But I bet you the best way to do it would be the email. Steve, is there a prize for the best caption? Hearing yours.
Steve Gibson
Read out loud on the podcast, you'll be, they'll be like, that was mine.
Leo Laporte
That's your prize.
Steve Gibson
That's the one I sent.
Leo Laporte
That's your prize. Awesome. All right, well, let's get going. We got a show to do here. You've got indeed lots of stuff probably happened in the last three weeks.
Steve Gibson
Okay, so I know you touched on this a little bit on Sunday, sort of tangentially, but questions surrounding restrictions on access to Internet content are both controversial and nuanced. You know, they factor in the individual's age and their location, the nature of the content and the prevailing government. And, you know, if 10 different people are asked about restrictions on access to Internet content, you're gonna get 10 different answers back. So not a lot of consensus there. And where questions of access to Internet content by children arise, even parents and guardians will disagree. But I do know from conversations with many parents of young children, many of whom take time from their lives every week for this podcast, managing what their kids are exposed to on the Internet is a source of significant concern. The first thing many of our listeners do when setting up a new network at home is to choose a DNS filtering provider that offers a. What's known as a family oriented plan, which filters out and removes access to the Internet's more unseemly websites. Now, one place where everyone, I would say nearly everyone agrees, is that age appropriateness is a thing. You know, there's content on the Internet that requires some maturity and perspective to understand correctly. Back in the days before the Internet, you know, which is a world that many of us remember well, our rough age could be determined just by a glance at us, right? So if at the tender age of 10 or 11, we were to try to get into a bar or a strip club, those who stood to lose their license to operate such a facility would go to great lengths to prevent our entrance. And everyone's familiar with the concept of a fake ID. The only reason for needing to fake an identity is to enable its holder to do something that the law forbids them to do at their true age. But what's different today is that we have the Internet and no one knows how old anyone is in cyberspace.
You know, although there can be some benefits to this, it's also subject to abuse. And this represents a profound change from the physical world that many of us grew up in. Having been born in '55, I was 34 years old by the time that in 1989, Tim Berners-Lee came up with the idea for the World Wide Web. That means that there was never a time for me when a website might ask me to verify that I was at least 18 years old and that wasn't true. You know, I was nearly twice that age by the time that websites started thinking that would be a good thing. But there's no doubt that, you know, with gossip and curiosity and peer pressure being what it is, you know, plenty of today's children who are probably far short of their 18th birthday, you know, might well be clicking those, you betcha, I'm 18 buttons. You know, it's not my intention to moralize, and I'm not doing that here. If today's Internet existed when I was 14, I have no doubt that I would have been, you know, curious to see what was hidden behind those buttons and that I might have been pressing them after first bouncing my connection through a handful of Tor nodes. Now, I suspect that few parents would disagree that where age appropriateness is concerned, a world of difference separates access to the sort of, you know, hardcore adult content that's readily available on the Internet from, you know, viewing TikTok cat videos. And the difference is so stark that the Internet's premier adult content website already blocks its access across much of the US Southern states. And it just went dark across all of Florida last Wednesday in a preemptive action as the Sunshine State's latest legislation went into effect. A lot of this legislation happened here at the beginning of 2025. Okay, so that's on the extreme side. But what about the cat videos?
I chose this as our first topic of 2025 because as we start into this new year, as I said, more and more states are enacting and have enacted Internet age restriction legislation aimed at the far more benign gray area of modern social media. And much of this new legislation that just went into effect at the beginning of the year is ad hoc. I think because we've been addressing the issues for a while, it's increasingly well understood that there are pros and cons to this. But if you look across the legislation, it's just random and uncoordinated. Here's a really brief timeline. On July 1st, so summer before last, 2023, Connecticut put legislation called SB3 into effect, which requires social media platforms to obtain parental consent before allowing minors to open accounts. Then jump forward a year to last summer. On July 1st of last year, Louisiana's Act 456 requires social media platforms to impose limitations and restrictions on certain accounts, implement age verification for account holders, and obtain parental consent. A couple months later, September 1st, that's four months ago, Texas HB18 requires digital service providers such as social media platforms to get consent from a parent or guardian before entering into an agreement with minors younger than 18, including to create an account. On the 1st of October, Maryland Kids Code, as it's called, requires social media platforms to set default high privacy settings for users under 16, ban the collection of children's data for personalized content, ensure age appropriate design, implement age verification and obtain parental consent for younger users. The same month, Utah HB464 and SB194, you know, House and Senate in Utah, respectively, the Social Media Regulation Act requires parental consent for minors to create social media accounts and mandates age verification by social media companies. It also restricts social media use between, okay, 10:30pm and 6:30am for users under 18 without parental consent. Okay.
1st of January, so 2025. Tennessee HB 1891 requires social media companies to verify the age of users attempting to create and maintain accounts. It mandates that platforms obtain parental consent for minors under 18 and enforces stricter privacy and safety measures for these users. The law aims to protect minors from potential online harms by ensuring that social media companies comply with these new regulations. There were also three others that passed and will be coming into effect. Florida, the one I mentioned before, HB3, requiring social media platforms to verify users' ages, obtain parental consent for users under 18, protect minors' personal data, limit their exposure to harmful content. Georgia's SB351, known as the Protecting Georgia's Children on Social Media Act of 2024, requires social media platforms to implement age verification processes for users, mandates parental consent for minors to create accounts and restricts social media use in schools. And finally Minnesota. MN HF 3488 sets rules for compensating minors who contribute to online content creation. What, you're going to compensate them? It requires content creators to keep records and set aside earnings for minors. And it allows for legal action against violators. Also mandates the removal of content featuring minors upon request. And I should mention also, I didn't put it in the show notes, but the penalty in Florida is $50,000 per infraction per minor. Yes.
Leo Laporte
Yeah.
Steve Gibson
It's like what, okay, and on top of all this, our US Congress also has some legislation that's been floating around since 2023 known as the Protecting Kids on Social Media Act. And its future's unclear and I have no idea what position the incoming administration and our next Congress will adopt on such measures. You know, on the one hand there's the politically popular promise of protecting the children, whereas the flip side is that pesky US Constitution's First Amendment guarantee of freedom of speech. And I should mention that a bunch of this new legislation is already under injunction because First Amendment says you can't do some of these things legislators, no matter how much you want to. Now a well known website featuring adult content greets its visitors with this statement. It says, quote, did you know that your government wants you to give your driver's license before you can access this site? It says, as crazy as it sounds it's true, you'll be required to prove you are 18 years or older, such as by uploading your government ID for every adult content website you'd like to access. We don't want minors accessing our site and think preventing that from happening is a good thing, but putting everyone's privacy at risk won't achieve that. Now, of course, it's unclear what would prevent anyone from uploading a photo of someone else's ID or just synthesizing one from scratch. To upload what you can imagine, a bunch of websites will pop up, you know, the create your own ID site. But the larger point here to note is that there are consequences to this move from the real world to the cyber world, and that the unfettered anonymity and freedom we've enjoyed through the first 24 years of the 21st century Internet may soon be challenged. Now, it may be that none of this will come to pass, or that at least if it does, it won't be until its consequences have have received significant legal and constitutional scrutiny. 
You know, in reaction to Florida's new laws last October, the Computer and Communications Industry Association and NetChoice, whose members include, you know, the likes of Google and Meta, you know, big social media platform providers, filed a federal lawsuit challenging the constitutionality of the various restrictions being imposed by this new Florida law. The lawsuit's text stated, in a nation that values the First Amendment, the preferred response is to let parents decide what speech and mediums their minor children may access, including by utilizing the many available tools to monitor their activities on the Internet. Now, this feels as though it's headed to the Supreme Court because US legislators are going to need to have some clarification about what they can and cannot require of social media and other companies. But what seems clear today is that these long simmering issues are beginning to come to a boil and that the parents and guardians of minors may soon be put in the loop at least and given the controls, hopefully, which they need to allow their households to abide by whatever the prevailing laws end up being for their locality. But the question is, how can this also be done while preserving the privacy of the individual? As I started out saying, no one knows how old anyone is in cyberspace. That also applies to you and me, right? No one looking at me today in the physical world would mistake me for a minor. But when any of us connect to any website, there's no indication of any kind how long we've been breathing this planet's air. There's been a freedom that we've all enjoyed up to now. So we need to consider what it means to have that change since that's what we're talking about here. No one would argue that our children need to be protected from harm, even while we're going to need to work out an exact enough definition of harm to be actionable. And that's going to be a challenge.
But as that notice on that premier adult content website noted, the ultimate consequence of that may be us needing to somehow affirmatively show that we're not minors who are in need of state mandated protection. How do we do that without sacrificing a great deal of the privacy we currently enjoy? I don't know, Leo.
Leo Laporte
Yeah, we, as you know, we talk about it a lot on all of our shows. Australia passed a law banning all social media for kids under 16.
Steve Gibson
Right. Like a few months ago.
Leo Laporte
Right.
Steve Gibson
And we, and we did.
Leo Laporte
Still, it's not in effect. It won't be in effect till the end of the year. But their attitude is, well, we don't know how to do this. But you guys are smart, you figure it out.
Steve Gibson
Well, and we saw how well that worked for the encryption problem. It's like we need to be able to see what people are doing and we don't know how. So you guys are smart, you guys, you know, you techies, you just figure out how to give us what we want and not, not breach anyone's privacy. No, I really the, the biggest point I wanted to sort of point out here is that the physical world figured out how to do this a long time ago, and that's the world we grew up in. But in cyberspace, it's easy to forget that anonymity is something that we sort of take for granted with our use of the Internet. But that's at odds with exactly what all of this legislation, which we're now seeing begin to happen, wants to do. It says we need to know how old you are. And that's a huge change. And it's not just how old children are. They need to know how old we are to know we're not children.
Leo Laporte
Yeah, I got carded the other day and I thought that's hysterical. But the guy said, well, it's policy. We don't, we know. I obviously you're not under 18 or under 20.
Steve Gibson
I was too. I was trying to remember where it was. Somebody asked for my ID. I said, what, you're.
Leo Laporte
This is at a Cost Plus, one of those import stores. And he just said, yeah, we just do it. I said, I'm not even buying the liquor. This old lady is. And he said I need hers too. There is a cynical side of me that says, and this is true, I would say in Texas, Louisiana, a few states where they don't want this to be solved, they want to ban pornography. And so they don't really care if this can't be solved. They're happy when these, and it's happened in a number of these states, including now just now in Florida where the, these big pornography sites just abandoned the site. They say abandon the state.
Steve Gibson
They can't afford the lawsuits. It's just not worth it.
Leo Laporte
And I think honestly that's what the legislators want, Seriously, that's what they're trying.
Steve Gibson
To do is to scare the adult websites out of their state.
Leo Laporte
Yeah, they don't like pornography. That's a whole different argument. And it doesn't have a security angle to it. But you know, we live in interesting times, don't we?
Steve Gibson
Well and for me, the, the we, we've talked about this a little bit that yes, we do live in interesting times, which is why I'm so glad we're here now, Leo. And you and I are talking about.
Leo Laporte
This especially by the way, for AI because that's about to change everything in ways that may make this trivial, right?
Steve Gibson
So for me the question is the technology of this, right? Because we've talked about the technology of tracking, we've talked about the technology of encryption. Well, what about the technology of age attestation? Like how do you do that? Because one of the things that upset us about that first Google attempt at eliminating tracking was where when you visited a website, it would present that token that told the site about your interests. And everyone said, and I remember you saying quite rightly, wait a minute, you know, they don't have that now. So suddenly the, our web browser is going to be telling every site we visit. Hey Leo, what are the question of interests?
Leo Laporte
Are you got a pornography? Hey, yeah, it's a, it's. These are such difficult problems. I just read a statistic and I think it's probably accurate, that said in order to change a policy, any policy in this country, it takes 90% of the people to believe it should be changed. Not 50%, not 60%, 90%. There has to be a generally obvious consensus, an overwhelming, overwhelming consensus that this is what we should do. And that happens so rarely on any subject that it seems nothing much happens ever. I don't know, it's quite an interesting.
Steve Gibson
Issue and one that we are going to be facing.
Leo Laporte
We, you know, Paris Martineau did a very interesting piece in the Information Weekend about a new kind of a face recognition technology. I think it was called Yoti, Y-O-T-I, that did age verification. And so that's what I think legislators and companies are looking for, is something passive that it just looks at you. You don't even have to pose. It just says, yeah, you know, you're probably over 16. Or, no, you're probably under 16. I mean, maybe that's the solution. The people at Yoti claim it works quite well.
Steve Gibson
So of course it does mean that you have to have a camera aimed at you.
Leo Laporte
Oh, that's a good point. Yeah. Many people probably don't want that either.
Steve Gibson
Yeah, it's a little spooky, you know. Yeah. What's not spooky is this next advertiser.
Leo Laporte
Oh, they're fantastic. In fact, your timing couldn't be better, Steve, because you know what happened when those laws passed in those states? VPN sales went through the roof. Yep. Because guess what? VPN protects your privacy. This episode of Security Now is brought to you by the VPN I recommend, the only one I use, ExpressVPN.
Steve Gibson
Nice.
Leo Laporte
Couldn't be better timing. A few decades ago, private citizens, you know, were as we were talking about private. But the Internet's changed everything. Think about all the stuff. You browse, you search for, you watch, you tweet. Now imagine all that data being crawled, collected and aggregated by data brokers into a permanent public record, your public record. Having your private life exposed for others to see was once something only celebrities worried about. But in an era where everyone is online, in a sense, everyone is a public figure. So if you want to do stuff online and you want to do so privately, you turn to ExpressVPN. That's what I do. Everybody needs a VPN. And ExpressVPN is the best. It's private. Absolutely. They guarantee no logging, no record. In fact, you can pay for ExpressVPN with cryptocurrency and even more kind of make sure that no one knows anything about you. ExpressVPN runs their ExpressVPN TrustedServer in RAM. You know when you press that big button on your ExpressVPN app, and it's on your iPhone, your Android phone, your Mac, your PC, your Linux. You can even run it on a router. They even sell routers, very good routers, actually, at ExpressVPN, you can put it on there, and it runs on many other routers. You're saying privacy matters to me and you press that button, you're connecting to an ExpressVPN server somewhere in the world. And they have more than 100 countries now. So you're going to that spot, that IP address that you then emerge into the public Internet. No one is. It's not yours, it's theirs. No one knows it's you. But more than that, ExpressVPN runs, as I said, they spin up this trusted server. When you start that VPN, it runs in a RAM sandbox. It cannot write to the drive. So there's no record of your use, of your visit. You know, the authorities can knock on the door and grab the ExpressVPN servers. They've done that in the past in countries where they don't need a warrant even. 
They just barge in and take it and there's nothing on there. Furthermore, they use a custom Debian distribution that wipes itself every morning. Every morning they reboot. No history. One of the best ways for, and the easiest ways for data brokers to track you, really the way they track you is through your unique IP address, right? Every time you emerge on the Internet from your current Internet service provider, that's your number. It even reveals a little bit about your location, right? With GeoIP locating. With ExpressVPN, you're using their IP address. Much more difficult for data brokers to monitor, track and monetize your private online activity. ExpressVPN also encrypts 100% of your network traffic. So we know that's valuable too. In fact, you're going to hear, I'm shocked because I thought, oh, you don't need this anymore. Every email server is encrypted, right? No, we're going to hear about that in a second. If you're using one of the email companies that Steve's about to talk about, you also want to use ExpressVPN to encrypt not only your password going to the email server, but the mail going back and forth. It's very important on a public Wi-Fi, imagine, right? ExpressVPN is easy to use. It lets you choose the country you're in. It's just, and it's so fast. They invest. This is why you don't want a free VPN. They invest. It's, you know, it can be less than seven bucks a month, so it's not expensive. But that's important that you want to pay for it because they take that money and they rotate their IP addresses. They do this trusted server thing. They make sure. And they provide enough bandwidth, they provision their service sufficiently so that you can get HD quality video. It doesn't slow you down. Protect your online privacy today. I hope I've convinced you this is the one. ExpressVPN.com/SecurityNow. We're thrilled to have them back in 2025. E-X-P-R-E-S-S-V-P-N.com, ExpressVPN.com/SecurityNow. Right now they've actually upped their offer. 
Four extra months free when you buy a one year package. So the price is even better. You may not use it all the time, but when you need it, you will be really glad to have it. ExpressVPN.com/SecurityNow. Great to have them back on the show for a whole nother year. In fact, every sponsor you hear on this show and our other shows in the new year, they've re-upped and we're very grateful to them. We're also grateful to all the brand new subscribers we got. You know, I made the pitch in the last few weeks of the year that we may not make it in 2025 without your help. And a lot of people have joined Club TWiT thanks to that. So welcome to our new Club TWiT members. And of course, as always, an invitation to everybody to join if you're not a member. TWiT.tv/clubtwit. All right, let's go on. I didn't. Sorry to interrupt for such a long period of time. Back to Mr. Gibson.
Steve Gibson
So we have a bit of a cautionary tale here.
Leo Laporte
I think everything on this show is a cautionary tale, to be honest.
Steve Gibson
Yes, that's true. Except AI, I don't think that's cautionary.
Leo Laporte
At least I'll be interested what you have to say. Actually, I'm very curious.
Steve Gibson
Okay, so I needed to share this because it highlights a very real threat which users of increasingly popular web browser extensions face. And that's a compromise of the extension which is then downloaded or updated by the user's browser. Now, several times in the past we've talked about the threat of an extension's author abandoning an extension. Like deliberately saying, okay, I just, you know, I'm done with this. I've been tending this thing for 10 years, and then selling his, you know, basically the installed base to an unscrupulous third party. So that's one problem. But there's a different one. The other clear and present danger is a deliberate attack on and compromise of an extension's publisher for the purpose of turning an extension malicious. This is what recently happened to the cyber firm Cyberhaven, the security firm Cyberhaven, and at least 35 other known Chrome browser extensions that are known to have been compromised as part. Yep, as part of a concerted effort. Okay, so what happened two days after this past Christmas, on December 27th, Cyberhaven posted under their headline "Cyberhaven's Chrome extension security incident and what we're doing about it."
Leo Laporte
You do not want that headline.
Steve Gibson
Oi yai yai, they wrote. Our team has confirmed a malicious cyber attack that occurred on Christmas Eve affecting Cyberhaven's Chrome extension. Public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies. We want to share the full details of the incident and steps we're taking to protect our customers and mitigate any damage. I'm proud, writes the author of this, of how quickly our team reacted, with virtually everyone in the company interrupting their holiday plans to serve our customers.
Leo Laporte
Oh, that's why they do it Christmas Eve, isn't it?
Steve Gibson
That's exactly right. Nobody will be home. That timing was no coincidence. And acting with the transparency that is core to our company values. And I gotta say, and I will say I'm impressed by this response that the guy wrote. On December 24, a phishing attack compromised a Cyberhaven employee's access to the Google Chrome Web Store. The attacker used this access to publish a malicious version of our Chrome extension, which was version 24.10.4. Our security team detected this compromise at 11:54pm UTC on December 25th and removed the malicious package within 66 minutes. So they have some bullet points. First, version 24.10.4 of our Chrome extension was affected. The malicious code was active between 11:32am UTC on December 25 and 2:50am UTC on December 26. So for a total of a little over 25 hours, Chrome-based browsers that auto-updated during this period were impacted. Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD process and code signing keys, were compromised. For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites. Now they know that it's facebook.com; we'll get to that in a second. Also, while the investigation was ongoing, our initial findings show the attacker was targeting logins to specific social media, advertising and AI platforms. Then, our response: we notified affected customers December 26th at 10:09am UTC. We also notified all other customers not impacted. The compromised extension has been removed from the Chrome Web Store, a secure version 24.10.5 has been published and automatically deployed. We've engaged an external incident response firm for third party forensic analysis. We're actively cooperating with federal law enforcement. We've implemented additional security measures to prevent similar incidents. 
For customers running version 24.10.4 (that's the bad one) of our Chrome extension during the affected period, we strongly recommend: confirm if you have any browsers running the Cyberhaven Chrome extension version 24.10.4. Enforce an update to version 24.10.5 (as currently available in the Chrome Web Store) or newer. Rotate Facebook personal and business account passwords for accounts on impacted machines. Review all logs to verify no outbound connections to the attacker's domain or other malicious activity. Okay, so it's good to see that this security firm acted appropriately in every way. They responded immediately. They determined the original attack vector, how the bad guys penetrated their perimeter security. And they now know that an employee fell victim to a crafted phishing attack. They replaced their compromised extension quickly, verified that this was the extent of the penetration, and notified the public without delay. They fessed up to the mistake and made no attempt to downplay it. And they did all this on Christmas Day. Wow. So, as you said, Leo, it's likely no coincidence that the phishing email attack was launched on December 24, the day before a span of holiday, that was doubtless intended to maximize the period of time the extension's malicious modification would go undetected. Now, I'd have to say that this particular phishing attack might have caught any developer unaware. The show notes here, right adjacent to the text here on page six, have a snapshot of the perfectly formatted HTML notification that was received by a developer. I mean, it looks completely legitimate, you know, from the Chrome Web Store. Hi there. We wanted to let you know that your item is at risk of being removed from the Chrome Web Store. Please see the details below. And it gives the item name, Cyberhaven Security Extension V3, the item ID, which is correct. And then under violations, it says excessive and/or irrelevant keywords in the product description, which, you know. Okay. Whoops. Violation.
Leo Laporte
Sure.
Steve Gibson
Unnecessary details in the description. And then it says relevant section of the program policy. And then it quotes their policy that somebody felt at Google or, you know, Chrome Web Store management was wrong. And then there's a button for go to policy. Yeah, so? So, I mean, it.
Leo Laporte
Who wouldn't click that?
Steve Gibson
It looks like a completely legitimate event. Once the employee clicked on the email, they were taken to the standard Google authorization flow for adding a malicious OAuth Google application, which was called, and it shows it on the screen, Privacy Policy Extension, which if you really stop to think about it, it's like, whoa, wait, I'm authorizing the addition of something called Privacy Policy Extension. Well, they named it that in order to be tricky because that's not something you want to do. But by naming it Privacy Policy Extension, you sort of obscure that fact. So again, you know, on Christmas Eve, it's like, time to go home. But we don't want to, you know, we don't want to have our extension yanked during the holidays. So let's take care of this now. The authorization page was hosted on google.com and was part of the standard authorization flow for granting access to third party Google applications. So just one tiny little glitch in an otherwise normal authorization flow. The employee followed the standard flow and inadvertently authorized this malicious third party app. The employee had Google's Advanced Protection enabled and had multi-factor authentication covering the account. The credentials were not compromised, yet this still happened. So it was a very carefully crafted phishing attack designed to capture even somebody who was paying attention. So what they found was that the malicious extension 24.10.4 was based on a clean previous version of the official Cyberhaven Chrome extension. So the attackers went to some effort in order to create this attack, to set this up, and not just for them. Remember, as I said, 30-some other extensions were all compromised. The attacker made a copy of the clean extension, then added their malicious code to create a new malicious version of that, that 24.10.4, then uploaded it to the Chrome Web Store. 
The Cyberhaven guys reverse engineered the malicious modification to their extension in order to determine what it was doing. In a subsequent posting, they wrote: in our analysis of compromised machines, the extension was targeting facebook.com users. If the user was logged into Facebook and navigated to the Facebook website, the extension would execute the malicious code path. Here's what the malicious flow would execute. It would get the user's Facebook access token, meaning an impersonation attack, immediately. Anybody who had that could just open their browser as them and be logged in just as they are. Get the Facebook user's ID, get the user's account information via the Facebook API, get the user's business accounts via the Facebook API, retrieve the user's ad account information, again through the Facebook API, package all this information, along with Facebook cookies and the user agent string, and send it to their command and control server. They said after successfully sending all the data to the command and control server, the Facebook user ID is saved to browser storage. That user ID is then used in mouse click events to help the attackers with two-factor authentication on their side, if that's needed. So again, a high level attack against browser extensions. So the web browser extension attackers were interested in attacking the accounts of any Facebook users whose Chrome browsers might update to the malicious extension before it was detected and removed from the Chrome Web Store. Obtaining a user's Facebook access token cookie, as I said, allows full impersonation of the user. And because Facebook now has a very feature-complete API, a lot of damage can be done. Another security site, Secure Annex, provided a broader perspective because, you know, the Cyberhaven guys were just focused on theirs, but this was, as I said, a much broader attack. Secure Annex provided that perspective into the attackers behind this campaign. 
By pivoting from the known malicious Cyberhaven extension, indications of compromise were obtained. That's how we know now how many more Chrome web extension developers fell victim to these phishing attacks. The earliest known instance of one of this group's many attacks was way back last May. So these guys have been active since then. I think it's important for everyone to have some sense for the scope of this. So here's, for example, 19 of the compromised Chrome web extensions: VPNCity with 10,000 users; Parrot Talks with 40,000 users; Uvoice with 40,000 users; Internxt VPN with 10,000 users; Bookmark Favicon Changer with 40,000 users; Castorus with 50,000; Wayin AI with 40,000; Search Copilot AI Assistant for Chrome with 20,000; VidHelper Video Downloader with 20,000; AI Assistant, ChatGPT and Gemini for Chrome, with 4,000; Vidnoz Flex Video Recorder and Video Share with 6,000; TinaMind, the GPT-4o-powered AI Assistant, with 40,000; Bard AI Chat with 100,000 users; Reader Mode with 300,000 users; Primus, which was previously PADO, with 40,000; GPT4 Summary with OpenAI with 10,000 users; GraphQL Network Inspector with 80,000 users; YesCaptcha assistant with 200,000 users; and Proxy SwitchyOmega with 10,000. So every one of those Chrome web extensions was compromised last year, and there are more. Just those exposed as many as 1,060,000 users of Chrome to malicious browser-side code. Now, the good news here, if there is any, is that the attackers appeared to be focused solely upon Facebook users and their accounts. But that was this time, and they are certainly willing, obviously, to go well out of their way to compromise those accounts. It wasn't long ago that we were talking about the move from Chrome's v2 extension manifest to the significantly more limited v3 and how, as a consequence, uBlock Origin, for example, the full uBlock Origin, won't ever be offering its full-strength v2 version under v3 once Chrome completes that switch. 
I'm certain that the Chromium team understands how much value the third party browser extension ecosystem brings to their Chrome browser. But given this attack campaign as just one example, and you, you got to know they know about way more abuse of this than is even publicly known, it's not difficult to see why they would be anxious to curtail the damage that aberrant extensions are able to do to those extensions' users. Thus the move to the more limited-scope version 3 manifest. And note that none of this is ever about an extension's user doing anything wrong. That never happened. It was the extension's developers whose account was accessed and abused. So this is another form of supply chain attack. And users of Chrome, you know, as users of Chrome, the one thing we can do is practice good what I would call browser extension hygiene, meaning keeping the set of extensions which we're loading and using to a minimum and removing any deadwood that might needlessly expose us through that extension's inadvertent compromise. Every additional extension that is loaded has access to deep user data in the browser, so there's nothing you can do to prevent the extension from being compromised. But, so just minimize the number that you're using. And when you look at that list, there's a bunch of crap there. It's all crap.
Leo Laporte
A lot of this stuff was AI assistants to work with the AI that you don't need.
Steve Gibson
Right.
Leo Laporte
However, just. It's clear with this very effective phishing attack that it doesn't have to be crapware. It could be anything. Right?
Steve Gibson
I mean, yes.
Leo Laporte
Is there something about browser extensions that are inherently insecure? I know, I remember Google saying, oh, you shouldn't use browser extensions for your password manager because they're inherently insecure. Because this was a bid to get you to use Chrome's password manager.
Steve Gibson
But consider that when we enter a username and password, our password manager pops up and says, would you like me to save that for you? It has. It sees our username and password.
Leo Laporte
Yeah, yeah, it has a lot of information.
Steve Gibson
Oh goodness. Yeah.
Leo Laporte
I mean, and they're all written in JavaScript. Is that inherently problematic or.
Steve Gibson
No, it's possible to write no. In fact, here the extensions are not the problem. Right. It's that somebody crawled into the engineered. Yeah, exactly. Well, they crawled into the developer and turned the extension malicious, added deliberate code to the extension, and then rode the developer's coattails, uploaded an update to the extension, just like the developer would if they were fixing a bug in their extension. Yeah, and then of course, the Chrome wants to remove any bugs that might be in extensions, so it's checking to see if there's a new version and if so, get you the new one.
Leo Laporte
So is there an argument for not using any extensions at all?
Steve Gibson
There's an argument for it, but that would cripple us. I mean, you know, we want Bitwarden to be able to auto populate our login fields.
Leo Laporte
I do like what Brave has done in response to.
Steve Gibson
And we want uBlock Origin to manifest.
Leo Laporte
V3, because that will eventually turn off uBlock Origin. Brave just built it into the browser, so maybe that's the better way to do it. If it's a browser company you trust, let them handle a password manager and all of that.
Steve Gibson
Well, yes, and you bring up a good point, which is you are trusting the security, the security provisions of every extension developer whose extension you load. You can imagine the lengths that the Chrome team go to to make sure that the base browser is secure. And even then there's the occasional error all the time. Yeah.
Leo Laporte
And really the reason is these browsers are your interface to the outside world, so they're the prime vector. Yeah, it's an OS and it's an operating system. Yeah, it's a very complex piece of software.
Steve Gibson
It's become. So, as I said a long time ago, it's no longer possible to create one from scratch. You can't, you know, you don't have to now because Chromium Core is open source, so you don't have to.
Leo Laporte
But yeah, yeah, I mean, I use, I'm looking at my browser extensions. I use a Chrome-compatible browser called Arc. I've got Bitwarden, I've got Snowflake. I didn't put that on there. Let me take that off. I've got uBlock Origin. Those are the two I have to have pretty much everywhere.
Steve Gibson
I would say your password manager and uBlock Origin, two must-have tools.
Leo Laporte
Oh, I know what Snowflake is. That's the thing we recommended that enables Tor to work.
Steve Gibson
Oh, right, right, right, right.
Leo Laporte
I'll leave that. I forgot about that.
Steve Gibson
Yep. Okay, so Leo, we're an hour in, let's take a break and then we're gonna get to SonicWall and some more news from the last three weeks.
Leo Laporte
Loving the news, loving it all. And just a reminder, Steve, we're gonna have an extra break in the show.
Steve Gibson
So I've already. That's where. That's the pace we're keeping.
Leo Laporte
Yeah, we're very happy about that actually. This, you know what? A little props to Steve. This is easily the most in demand show on the network. Companies really want to be on the show and probably because a lot of these companies are security companies like Veeam, our sponsor for this segment.
Steve Gibson
Well, and Leo, if they're also, if they're re upping, it's because these that this is working for them.
Leo Laporte
It works. Yeah. Yeah, we have some pretty happy sponsors, I must say. Veeam is back as well. Welcome back to 2025, Veeam. Without your data, your customers' trust turns to digital dust. Veeam, this is something I really feel like everybody, every business listening to this show ought to be using Veeam. Veeam's data protection and ransomware recovery tools. Right. That's what you need. It ensures you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. Actually, most of you do use Veeam, so I'm talking to the handful that don't. It is the number one global market leader in data resilience. And get this stat, 77%, more than three-quarters of the Fortune 500, uses Veeam to keep their businesses running when digital disruptions like ransomware strike. 77%. I always ask this when I hear that a company, oh, we got hit by ransomware. We gotta pay $12 million in Bitcoin to get our data back. We have no other way. Don't you have a backup? Turns out it's a hard thing to do. That's why you need Veeam. Veeam will let you back up and recover your data instantly. And the reason it's the hard thing to do is because your data lives all over the place, including in the entire cloud ecosystem. Right. But Veeam does it. They also will, in many cases, stop ransomware in the first place by proactively detecting malicious activity. They'll say you can also remove the guesswork by doing something, even if you didn't have Veeam, everybody should be doing: having a recovery plan and policy. You have a recovery plan and policy, right? Most, I think a lot of companies go, it's not going to happen to us. It's not going to happen to us. Oh, I don't want to. I don't want to think about it. No, remove the guesswork. Use Veeam to automate your recovery plans and policies. Plus Veeam is the greatest. They are the experts. So you can get real time support from ransomware recovery experts as part of your Veeam subscription. 
Data. It's the most important part of your business, right? So get data resilient with Veeam. Now the only complicated thing here is it's two E's. V-E-E-A-M. Okay, make a note of that. V-E-E-A-M. Easy to remember. Veeam.com, you can learn more there. Get data resilient with Veeam, and actually this is one of those sponsors where I feel like we should be doing the ad for free. Don't tell them that, because this is something everybody should have. I don't understand why anybody would get bit by ransomware in this day and age. Veeam.com. All right, back to Steve.
Steve Gibson
Okay, so back in August, SonicWall, you know, a well-known manufacturer of popular network security appliances, and now NSA has got two meanings. It's the national NSA, National Security Administration.
Leo Laporte
The that, you know, it's funny I should know that. We must be getting old, Steve. National Security Administration. I believe that's correct, yes.
Steve Gibson
And also, also network security appliances. NSA network security appliances.
Leo Laporte
Oh.
Steve Gibson
Anyway, SonicWall revealed a serious vulnerability in their SSL VPN firewall product. Now they rated it with a severity of 9.3. However NIST officially gave it a 9.8 which, you know, that's not good. And shortly afterward CISA formally warned of the serious potential for its exploitation. They both, CISA and SonicWall, they called it the SonicOS, which is the OS in their appliance, improper access control vulnerability, which already doesn't sound good, and noted that it was potentially, in quotes, being, well, they didn't have it in quotes, but everybody else has, being successfully attacked in the wild. Now among the reporting on this, I particularly liked the write-up by the security intelligence firm Field Effect. They wrote: while it's unclear what SonicWall means by potentially exploited, Field Effect can confirm that we have seen an increased targeting of SonicWall firewalls since CVE-2024-40766 was announced on August 23rd. However, further investigation is required to determine if the threat actors are specifically targeting 40766 or other older unpatched vulnerabilities. I really thought this was interesting. They said traditionally when vendors disclose critical vulnerabilities in edge devices, it draws the attention of threat actors toward the devices in general. And that could be what we've observed in relation to the SonicWall firewall. So I really appreciated their measured response. You know, there's no breathless hyperbole here. They finished by noting SonicWall firewalls are very popular among critical infrastructure industries and corporate environments and are thus frequently targeted by threat actors looking to obtain initial access into networks of interest. According to the Shadowserver Foundation, and you're going to be hearing about the Shadowserver Foundation a couple more times before we're done here. 
Today, they said, approximately 400,000 SonicWalls are deployed worldwide, representing a significant potential attack surface for threat actors who possess SonicWall exploits. Okay, so that was back in August, where and when we have an estimated 400,000 Internet-facing SonicWalls with a known remote authentication vulnerability. This was three generations: generation 5, 6 and 7 all had this vulnerability. So here we are. Now where are we? Two days after Christmas, on December 27, a Japanese security researcher posted his own update on the state of play with SonicWall devices. Today he wrote: In August 2024, the SonicWall NSA vulnerability 40766 was disclosed. He said, I have found strong indications that the ransomware groups Akira and Fog are still exploiting this vulnerability for unauthorized access. Through my ongoing investigations, I found that as of December 23, 2024, the number of companies suspected to have been compromised by these two groups via this vulnerability had exceeded 100. Okay, so you know, here we're on the edge of the corporate network facing the Internet. Oftentimes we're just talking about, oh look, they got hit by ransomware. How'd that happen? Well, this is how that happens. Here, this guy has identified these two ransomware groups, Akira and Fog, that have used this vulnerability, which was announced and for which a patch was available last August, having penetrated 100 companies that did not patch, he says. In this article, I will share the details of this investigation and highlight the current situation in which at least 48,933 devices remain vulnerable to CVE, you know, 2024-40766. In other words, that was August. Patch was made available and announced. Today, 48,933 of those devices are still vulnerable. And in this case, these two groups are known to have gotten into a hundred organizations that didn't bother to update their SonicWall. He said. 
Since the vulnerability was disclosed, I've been investigating whether the organizations listed on various ransomware groups' leak sites own SonicWall network security appliance devices. Focusing on the 218 organizations identified as victims of Akira and Fog, I found that over 100, approximately 46%, were running SonicWall. Considering that the SonicWall network security appliance ownership rate among organizations victimized by other ransomware groups, excluding Akira and Fog, remains around 5% or less, this figure of 46% for those two groups is remarkably high. In other words, me speaking: whereas the general rate of overall SonicWall presence among companies who've been breached and listed by ransomware groups other than Akira and Fog is down at 5%. Still not great. But we don't. We can't blame SonicWall for, like, being the cause. The fact that around 46% of the organizations victimized by just those two ransomware groups are currently exposing a SonicWall device to the Internet strongly suggests that those two groups have successfully designed an exploit for the vulnerability and are working their way through the inventory of still exploitable and unpatched SonicWall device owners. This Japanese reporter wrote, he said. Or a researcher wrote, he said, I developed a proprietary method to evaluate patch status by examining the HTML structure of SonicWall devices to assess mitigation efforts for CVE-2024-40766. Now I'll just stop right there and say the fact that you're getting HTML from a device exposed to the Internet, that immediately makes me worry, because that means there's a web page that you visit and this thing delivers. And we know what a problem people have securing web pages, because it just seems that programmers are so sloppy about the code that's used to put up a web page. It's incomprehensible to me that this is a problem today, but it still is. You know, all these web management interfaces are what's constantly being cut through. 
And here's a security vendor, like, you know, a serious security vendor, who's got the same problem. So he says, for SonicWall NSA devices with SNMP exposed, it's possible to obtain accurate model and version information. You know, SNMP is the network management protocol which exposes an API that allows you basically to access lots of settings in a device. In this case, it's able to obtain model and version information. So he's able to create a correlation, he said, by comparing the results of my custom method, that is, his HTML structure reverse engineering, with the SNMP data from around 5,000 devices. He says, I've confirmed the accuracy of this detection approach. So anyway, he then posted a chart showing the lackluster patch status across these devices. The United States has more than half of the globally deployed SonicWall devices. Actually, that's a different heat map. We'll get to that one in a second.
Leo Laporte
Sorry, I'm on the wrong heat map.
Steve Gibson
Well, I apologize, yes. But Shadowserver's one heat map looks.
Leo Laporte
Much like the other. I just.
Steve Gibson
Actually, that's a very good point. It is the case, so. So SonicWall, of course, is a US organization. So it's no surprise that the US has more than half of the globally deployed SonicWall devices. There are 390,474 worldwide SonicWall devices, in the US 238,678. So sadly, of the identified global 48,933 currently known vulnerable, still vulnerable since last August, SonicWall devices, 29,107 are detected as still being vulnerable in the US four months after their publisher's and CISA's warning of a 9.8 CVSS vulnerability, which is exploitable. So I say it again, something needs to change. And is it, you know, any surprise that ransomware continues to be a scourge across the Internet? On the one hand, any company being victimized with their proprietary data exfiltrated and then held for ransom, you know, that's a crime, doing that to them, that's hacking. But we all know that Internet security can never be a one and done, install and forget. The connection of an internal corporate network to the global public network is incredibly empowering. But with it comes the responsibility of managing the security of that interconnection. Because that's what you're talking about doing. You're talking about taking your internal proprietary corporate network, where all kinds of private stuff exists and flows, and interconnecting it to a global network that is jam packed with bad guys, and they want to get in. So to ever take for granted the nature of the need for security of that interconnection is to risk everything that the organization holds dear. And so I just. It's unconscionable that you could have a SonicWall device like this for which a problem is found in August. And in the U.S., more than 29,000 of them are sitting there. Just, you know, these two groups, the ransomware groups, are just working their way through them. It feels like the fact that the number is only 100. To me, that feels like it isn't.
You know, like even though the severity is high, it must be that the exploitability index is low. That is, you know, it takes some work to, like, you know, pound at these things in some way in order to get in, but eventually you do. So, boy, again, to our listeners, just be sure that some sort of email account exists that is being monitored and that is receiving the notifications. You know that you're on all the equipment vendor notification lists for the equipment that you're using, and that somebody is not like, okay, I'll get around to that. No. Get that done as a top priority. It just. As I said, something needs to change. I ask why SonicWall isn't just able to go fix this themselves.
Leo Laporte
They should be able to push it, shouldn't they?
Steve Gibson
Yes, yes. We have to get there. We're doing it now with consumer routers. It's time to move up to the big iron.
Leo Laporte
Is SonicWall's hardware?
Steve Gibson
Yes.
Leo Laporte
Okay.
Steve Gibson
Yeah. It's a top tier.
Leo Laporte
Oh, yeah.
Steve Gibson
Firewall vendor.
Leo Laporte
Absolutely. Yeah.
Steve Gibson
Yeah. Okay. So the Shadowserver Foundation and email encryption, or lack thereof.
Leo Laporte
This blows me away.
Steve Gibson
Yeah. Speaking of the Shadowserver Foundation, on New Year's Eve morning, they posted to their Bluesky social account. They posted: We've started notifying owners of hosts running POP3/IMAP services without TLS enabled, meaning usernames and passwords are not encrypted when transmitted. We see around 3.3 million such cases with POP3 and a similar amount with IMAP, because most overlap. They said it's time to retire those services.
Leo Laporte
You got to wonder if some of them are just being run by individuals. Right? What email company would not use TLS?
Steve Gibson
Individuals can't. And I'll get to that in a second. Because all ISPs blocked port 25.
Leo Laporte
Right.
Steve Gibson
Which is the unencrypted SMTP port.
Leo Laporte
Right.
Steve Gibson
So it can't happen. So this is something we don't talk about often, but it bears reminding everyone: like the rest of the entire original Internet, meaning Web, FTP, DNS, and all the rest, electronic mail exchanged over the SMTP, POP and IMAP protocols was not originally encrypted. It was all sent over simple, unencrypted TCP connections in ASCII plaintext, thus making it all completely readable by anyone tapping into any location, whether near to any sender or receiver, such as by an ISP or wireless hotspot operator, or over the public Internet, wherever traffic is moving past. Now, with inertia being the prevailing force that it obviously is on the Internet, we just talked. Look at the SonicWall. Sitting there for four months, patches available, nothing's happening. With inertia being the prevailing force that it obviously is on the Internet, the Shadowserver Foundation reminds us that a sizable portion of email servers have never bothered to move to encryption. You know, no one has ever made them encrypt. Unlike the web with HTTPS, where encryption became mandatory, email security has largely fallen through the cracks, even while it has arguably become more important than ever, as we depend upon it as our identity authentication of last resort. That means that all of the email these 3.3 million servers send and receive has remained the same unencrypted plaintext that it was 35 years ago. Right now, today, those emailed "oops, I forgot my password" recovery links, the "we just sent you a super secret six digit one time code to authenticate yourself because it's so important" emails, those are all out there for anyone to see. Unless we imagine that these 3.3 million email servers must be scattered among backwater countries no one has ever heard of and can't spell. The Shadowserver Foundation thoughtfully provided a heat map. Now.
Leo Laporte
Now you want the heat map now?
Steve Gibson
Now we need the heat map, Leo. Just where these utterly security negligent machines are located. Guess which country leads the pack? Wow. Yep. None other than the good old US of A.
Leo Laporte
Is it not within the realm of possibility that these are misidentified, or they're honeypots or something like that?
Steve Gibson
No. Within our proud borders lie some 898,700 completely unencrypted email servers.
Leo Laporte
Believable.
Steve Gibson
Those nearly 899,000 email servers are right now, today, this very moment, exchanging email for people who probably have no idea that everything they're sending and receiving is in the clear and readable by anyone who might even be the least bit curious. Because it takes very little effort. And we know that none of these people are at home. To your point, Leo, we know that they're not at home because long ago ISPs blocked SMTP's port 25 due to rampant spam abuses. So these must be organizations of some size who probably think it's, you know, super spiffy to save some money by running their own email, while apparently never stopping to think. Spiffy. That's super spiffy. We got our own email, you know, we're saving money. That's right.
Leo Laporte
Super spiffy.
Steve Gibson
Super spiffy. Unfortunately, all the email that they're transacting is readable by anyone. Now I said there were a total of 3.3 million, and we've accounted for the US taking the top slot at nearly 899,000 instances. Well, there are others. Germany takes the second spot at 560,900 unencrypted email servers. Poland is in third place at 388,000, followed by Japan at 294,000, and then the Netherlands down to 137,300. Then France, Spain, and you got to get down to, let's see, France is still over 100,000, Spain at 88.2 thousand and the UK at 84.7. So, you know, this is a thing. Now, having seen these numbers, it would be very interesting to know what is going on. You know, who are these 899,000, Leo, entities in the US who probably run encrypted web servers with up to date TLS certificates, because the world insists upon it, but they never bothered to think about their email. Email servers, just like web servers, connect to each other using the TCP protocol. So just like web servers, it is very possible for email servers to add a layer of authentication and encryption by negotiating TLS certificates with each other. This allows them to each verify the other's identity and to agree upon a shared secret key to use for encrypting and decrypting each other's traffic. The $64,000 question is, how is this ever going to be made to change? Because we know that the phrase "being made to change" is the only way it will ever happen. Web browsers, thanks to the tightly coordinated efforts of the CA/Browser Forum, were able to force the entire web server industry to move to encrypted connections by rightfully scaring anyone using a browser that was unable to establish an encrypted connection to a remote web server. At first it was a frightening experience. Today one really needs to work at establishing an unencrypted connection to a web server. You know, I gotta click all sorts of "yes, I'm sure" and "I know what I'm doing" and, you know, "my will is updated."
So yes, please let me have an unencrypted connection. It's crazy. So as a consequence, because, web browser, you know, nobody wanted to run a server that users would say, I don't think I'm going to go here, and they just go somewhere else. Consequently, it didn't take long for all web servers to obtain TLS certificates. As we know, this transition to HTTPS everywhere was tremendously aided by the creation of Let's Encrypt and the ACME protocol, which automated the issuance and installation of free web server domain validation TLS certificates. Unfortunately, nothing like Let's Encrypt exists for email servers. The ACME protocol is able to verify a server's control over a domain through the presence of a transient signature file located in the .well-known root directory of a web server, or by querying for a TXT record in that domain's DNS. But there is no similar direct support for email servers, despite there being clear demand for it evidenced within Let's Encrypt feedback forums. People are wanting to encrypt their email. Let's Encrypt says, yeah, we don't do that. Sorry about that. You know, all of GRC's email transactions are of course encrypted at the moment. Once every year, after I've updated all of GRC's servers with a new certificate from DigiCert, I need to manually reformulate the certificate from binary to ASCII Base64 encoded and install it into GRC's beloved hMailServer. That's a manual process which I don't mind performing once a year. But as and if certificates continue their apparently inexorable reduction in lifetime, any sort of manual process will obviously become increasingly problematic. Since I have multiple Windows and Unix servers that need to be kept synchronized with wildcard domains, this entirely pointless reduction in certificate lifetime will eventually force me to roll my own solution to keep everything running without my intervention.
I've received a great deal of feedback from our listeners who've chimed in with their own issues surrounding shortening certificate lifetimes and the headaches this is creating for them and for their non web services. Because there are many non web services, and ACME is only used for web services and DNS. You know, certificates are not used only for the web, you know, and we wish they were being used more for email, you know, but they're used for many other purposes which are being ignored. It appears that the CA/Browser Forum is being, I think, somewhat myopic in their apparent belief that the entire world is the web, and thus forcing these short lifetime certificates on everyone. I've not looked deeply enough into this mess to determine whether it might be possible to delineate the use of short life certificates only for web services, where automation is convenient and supported, while allowing non web server TLS certificates to remain reasonably multi year. Alternatively, since we know that web browsers are able to, and have said they would be eventually, independently rejecting any certificate having an out-of-spec total lifetime, meaning the span between Not Valid Before and Not Valid After dates, both of which are available, browsers have said if that's more than whatever it's supposed to be, like now it's a year, we're just, you know, it doesn't matter if it's still valid. If you got it too long ago, we're going to, you know, say no. That means that everything could be left as it is, with web browsers being the sole enforcers for short life web certificates, which would allow everybody else to use longer life certificates anyway. I've wandered well off course here, but my point is, without some means of enforcing the use of TLS certificates for email, history shows us that nothing will ever move these recalcitrant email servers to encryption. If, you know, if they don't see any problem today, why would they ever make the effort?
Especially when it's not particularly easy. And boy, if we ever get 6-day certs, forget about it. The only obvious mechanism for forcing this change would be for those servers that do support encryption to refuse to accept any insecure email connections.
Leo Laporte
And Gmail could do this with a stroke of a pen because yes, they're so big.
Steve Gibson
Yes, the problem is, for example, out of fear of missing anyone's important email, I historically configured GRC's email server to accept unencrypted email over port 25 while offering to dynamically upgrade the connection to full security using STARTTLS, which is an SMTP command that allows cooperating email servers to add encryption over a traditionally unencrypted port. But I have to say, now I'm beginning to think that perhaps it's time to end that practice, for GRC to refuse unencrypted email. Because another interesting tidbit here is that port 25 has largely become the domain of spammers. Spammers use port 25 because they don't have to have any certs. They can pretend to be anybody they want to be, and there's no verification of their identity, which certificates do enforce. But for those 3.3 million unencrypted email servers in the world, nearly 899,000 of which are in the U.S., you know, before they're going to be able to move to encryption, they're going to need some means of obtaining reasonably priced and reasonably maintained TLS certificates. And that doesn't exist today for small independent servers. You know, it's easy to run an email server, unless you have to constantly be updating its certificates, so nobody bothers. It's a mess.
Leo Laporte
Leo, I'm shocked because I, I really thought that every email server now used encryption. I mean, I just, I'm stunned. Do you, do you think these are commercial providers or who are these people?
Steve Gibson
I really do wonder.
Leo Laporte
Yeah, who.
Steve Gibson
Who they are and May well be.
Leo Laporte
Companies with their own, you know, email honey.
Steve Gibson
It's those super spiffy.
Leo Laporte
Anybody, anybody who could have the smarts to configure an email server would, one would think, be able to get a certificate for it. Boy, that's.
Steve Gibson
I mean it, it is free. If you bring up an email server and you've got a connection to the Internet, it's free.
Leo Laporte
Yeah.
Steve Gibson
And I'll bet you that that's how this happened. And because it was working 20 years ago, nobody's revisited it. It's like, well. And they're just not thinking about it.
Leo Laporte
Wow.
Steve Gibson
They're, you know, they had to have a certificate for their web server because they probably have a little corporate website, you know, but no, but it isn't easy to do. And we know that, you know, if it isn't easy and if no one makes them do it, no one makes it. They're just not doing it yet. The employees in that company are receiving password recovery links and everything. Six digit, one time passcodes everything. And it's completely in the clear.
Leo Laporte
I would love to see yet another heat map on which servers are being used. Are these primarily Exchange servers? Are they traditional IMAP servers? What are they, you know, SMTP mail? I don't. What are people using? Very wild.
Steve Gibson
Okay, a break.
Leo Laporte
Break. And more of Steve Areno coming up in just a bit, including, I think the best part of this show. I'm waiting for his AI, saving it for last AI analysis.
Steve Gibson
I think I have.
Leo Laporte
Ready to hear this. Ready to hear this. He's read all the stuff. Now, our show today, brought to you by a really good company we like quite a bit, ThreatLocker. And you've maybe heard of ThreatLocker, I hope you have. It's the best way to secure your endpoint. And it's, by the way, extremely affordable and easy to set up. It's never been easier to harden your security with ThreatLocker and never again worry about zero day exploits or those nasty supply chain attacks. Big companies use it. I mean, JetBlue uses ThreatLocker to secure their data and keep their business operations flying high. Notice they were not brought down by the CrowdStrike hack because they didn't use it. They use ThreatLocker. Imagine taking a proactive. It wasn't a hack, was it? It was a bug. Imagine taking a proactive, deny, this is what I love about it, deny by default approach to cybersecurity. It blocks every action, every process, every user. Just everything's blocked by default unless explicitly authorized by your team. ThreatLocker helps you do this so easily and, and this is important, provides a full audit of every single action, all those authorizations, all those blocks. And that's so useful for risk management but also for compliance. And ThreatLocker is a great company with a 24/7 US-based support team. They are there to help you get on board. They are there for anything that comes up. This is a way to stop the exploitation of trusted applications within your organization. You can keep your business secure, protect you from ransomware. It doesn't matter what your industry is, it doesn't matter what your business is. And really, in many ways, it doesn't matter what your budget is. ThreatLocker can solve your problem. ThreatLocker's ring fencing, so cool, isolates critical and trusted applications from unintended uses or weaponizations. It limits attackers' lateral movement within the network. And oh, by the way, it works on Macs too.
So your whole network can be protected, and you get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively with ThreatLocker's Zero Trust endpoint protection platform. We've talked about Zero Trust on the show before. It's a really great way to protect yourself. Get a free 30 day trial. You can see for yourself how easy it is to set up and configure. I think one of the reasons people didn't do Zero Trust in the beginning was, oh, it's going to slow everything down. This makes it so easy, and the compliance piece is huge. Learn more about how ThreatLocker can help you mitigate unknown threats, ensure compliance. Just go to threatlocker.com, that's threatlocker.com. We're thrilled to have them back in the year 2025 and we're very excited. I think Jonathan Bennett's going out to this. I would be. I can't, but for a limited time you can go visit 0TrustWorld.threatlocker.com, that's their big event, Zero Trust World. Use their special code. Okay, now get ready for this. It's a lot of letters. ZTWTWIT25. Okay. It's easy to figure out. ZTW, Zero Trust World, TWIT25. 200 bucks off registration for Zero Trust World 2025. It's coming up next month. ZTWTWIT25. You'll get access to all the sessions, you'll get hands on hacking labs. You even get meals and an after party. This is the event of the year. It's in Orlando this year. This is the most interactive hands on cybersecurity learning event of the year, February 19th through the 21st, 19th through the 21st, three days. It's at Caribe Royale in Orlando. I wish I could go to this. Oh well, you can. And don't forget, save $200 with the code ZTWTWIT25. threatlocker.com, we love these guys. Welcome back to Security Now for 2025. threatlocker.com, and don't forget the code ZTWTWIT25. Okay, Steve, on we go with Salt Typhoon.
Steve Gibson
So following up on the news, we talked about this last year, which wasn't that long ago, not so long ago: this Chinese backed advanced persistent threat group known as Salt Typhoon had infiltrated all telecom providers. Now three U.S. providers, AT&T, Verizon and Lumen, all say that they've now evicted Salt Typhoon from their networks. Okay. After this widespread and frighteningly successful hacking campaign came to light, CISA suggested that we should not be relying upon the security of telecom carriers and should instead add our own strong encryption provided by third party apps such as Signal. Imagine that. In the aftermath of these attacks, remaining with CISA's recommendation would seem prudent because, you know, who knows whether they actually did evict these guys. And if your traffic happens to cross over some of the telecom carriers that have not yet succeeded in evicting Salt Typhoon, then your communications are still probably not very secure. So if, you know, if you're just ordering pizza, don't bother. But if it's something super sensitive, it's probably worth bringing up, you know, something like Signal to hold your conversation. Also, on December 27, the US Department of Health and Human Services issued a Notice of Proposed Rulemaking. God, there's acronyms for everything. We have HHS, Health and Human Services. We also have the Notice of Proposed Rulemaking. That's the NPRM. Oh yeah, to modify HIPAA.
Leo Laporte
Oh Lord.
Steve Gibson
So that's of course HIPAA, the aging Health Insurance Portability and Accountability Act of 1996. So it's been around for a while. Anyway, you could imagine it needs some modernizing. HIPAA regulations will be getting a bunch of new, welcome and needed cybersecurity rules, including the mandatory use of encryption, multi factor authentication, network segmentation, that'll be nice, vulnerability scanning and more. The show notes went out last night and I've already seen some of our listeners who had some interesting feedback about this HIPAA change. So I may have some interesting stuff to share from them in follow up to this next week. I also got a kick out of this wacky bit under the label of true miscellaneous. I wanted to mention in passing that the EU, apparently having nothing more pressing to legislate at the moment, which is saying something for the EU, has taken the time to establish USB-C as the official common standard for charging electronic devices throughout their union. There's actually an official document bearing the headline One Common Charging Solution for All. In part, the EU legislation reads, quote, the Commission, capital C, promotes solutions that favor technological innovation in electronic device charging, which one would, while avoiding market fragmentation. The voluntary approach did not meet consumer, European Parliament or Commission expectations, so we put forward a legislative approach. The common charger will improve consumers' experience, reduce the environmental footprint associated with the production and disposal of unneeded chargers, while maintaining innovation. Wow. In other words, the market didn't settle into any sane and rational standard by itself, so we're going to impose some legislation where needed.
Here they said the common charging requirements will apply to all handheld mobile phones, tablets, digital cameras, headphones, headsets, portable speakers, handheld video game consoles, e-readers, earbuds, keyboards, mice, and portable navigation systems as of 28 December 2024, meaning end of last year. These requirements will also apply to laptops as of 28 April 2026.
Leo Laporte
Oh good.
Steve Gibson
Yeah, so we have some time with our laptops, but I think that's huge.
Leo Laporte
I mean, most of my laptops now do use exactly that for charging, but those proprietary.
Steve Gibson
Chargers just were awful dumb. Such transition periods will give industry sufficient time to adapt, which would be nice, before the entry into application. The main elements are as follows. A harmonized charging port for electronic devices: USB-C will be the common port. This will allow consumers to charge their devices with any USB-C charger regardless of the device brand. Harmonized fast charging technology: harmonization will help prevent different providers from unjustifiably limiting charging speed and will help to ensure that charging speed is the same when using any compatible charger for a device. Unbundling the sale of a charger from the sale of the electronic device: consumers will be able to purchase a new electronic device without a new charger. This will limit the number of chargers on the market or left unused. Reducing production and disposal of new chargers is estimated to reduce the amount of electronic waste by 980 tons yearly. Wow. 980 tons worth of chargers eliminated. No more drawers full of unneeded, unwanted, unused and forgotten chargers. So before long, those in the EU will be spared the experience of opening the box and thinking, oh shoot, not another damn charger. They did note that since the wireless magnetic induction charging market is so far behaving itself and is not showing undue fragmentation, they did not feel the need to impose any order there. But that market too might need some harmonization if things start going all wild and woolly, so they're keeping a watchful eye on it. They just wanted everyone to know. Now you guys behave yourselves over there on the magnetic induction side. And we have the Doom captcha. That's right. Since nobody likes captchas, an enterprising software engineer has created a Doom captcha system where you have to kill at least three bad guys in the Doom video game to proceed to a website, and it's actually a functioning captcha.
Since I thought our listeners would get a kick out of it, I gave it one of GRC's shortcuts of just "doom". So grc.sc/doom will take you to doom-captcha.vercel.app, and its author wrote: a captcha that lets you play Doom to prove you're human, and he said, for educational entertainment purposes. He said the project works by leveraging Emscripten to compile a minimal port of Doom to WebAssembly and enable intercommunication between the C based game run loop, which is g_game.c, and the JavaScript based CAPTCHA UI. Some extensions were made to the game to introduce relevant events needed for its usage in the context of a captcha. Started out with a minimal SDL port of Doom that can be efficiently compiled to WebAssembly, then tweaked the build to make it compatible with the shareware version of the WAD, that's DOOM1.WAD, for legal use.
Leo Laporte
So you know any computer can kill three monsters in Doom.
Steve Gibson
That is the worst captcha ever actually yes, I'm no video gamer, Leo, so I was promptly I was promptly killed right off the bat while I was working out the arrow keys and the space bar for movement and firing.
Leo Laporte
Computer's better than a human.
Steve Gibson
It's not that difficult to kill three baddies, because I was even able to pull that off on my second try. Anyway, as I said, grc.sc/doom. One of the people who received the show notes last night sent me a note and said, I thought I remembered this from the past, and I think it was maybe episode 890-something, he said, where we talked about this. I don't know whether this is exactly the same or whether this has been updated to be using WebAssembly. But, you know, I mean, it does run in a browser, and, you know, boy, if I got into WebAssembly, I would be dangerous, I think, because, you know, mix in my assembly language interest.
Leo Laporte
This isn't that easy, is.
Steve Gibson
It's not that easy. Now what I did was I just stood there. So they come out, right? Yeah.
Leo Laporte
You shouldn't go to them. That's right.
Steve Gibson
Yes, exactly.
Leo Laporte
Yeah.
Steve Gibson
I managed to kill the three just by.
Leo Laporte
He's got me.
Steve Gibson
Oh, yeah.
Leo Laporte
Oh, this is harder than it looks. There we go. There we go. Oh.
Steve Gibson
Oh, you solved it. Yep, that's what I got.
Leo Laporte
That is not good. Any computer will play this better than you will, I promise. Yeah, that's hysterical.
Steve Gibson
I think that's true.
Leo Laporte
Yeah.
Steve Gibson
Okay, so we're ready to go to AI training and inference. We have one last break, so let's take that and then we'll plow in.
Leo Laporte
We'll give you four free 5G phones and four lines for only $25 per line per month with eligible trade ins.
C
And no, it's not a contest.
Leo Laporte
It's every day for a limited time. Everyone's a winner on America's largest 5G network. Minimum of 4 lines for $25 per line per month with autopay discount using debit or bank account. $5 more per line without autopay. Up to $830 off each phone via 24 monthly bill credits, plus taxes, fees and $10 device connection charge, for well-qualified customers. Contact us before canceling entire account to continue bill credits, or credit stop and balance on required finance agreement due. Bill credits end if you pay off devices early.
C
See T-Mobile.com. People are driven by the search for better. But when it comes to hiring, the best way to search for a candidate isn't to search at all. Don't search, match with Indeed. The hiring process can be slow and overwhelming. Simplify hiring with Indeed. Indeed is your matching and hiring platform with over 350 million global monthly visitors, according to Indeed data, and a matching engine that helps you find quality candidates fast. Ditch the busywork. Use Indeed for scheduling, screening and messaging so you can connect with candidates faster. Join more than 3.5 million businesses worldwide that use Indeed to hire great talent fast. Listeners of this show will get a $75 sponsored job credit to get your jobs more visibility at Indeed.com/podkatz12. That's Indeed.com/P-O-D-K-A-T-Z-1-2. Terms and conditions apply.
Leo Laporte
It's a quick break. Merely a suggestion that you all join Club Twit. I mentioned that. We were very grateful to all the new members. Welcome. Thank you. Seven bucks a month. It really makes a big difference in our bottom line. With Club Twit, we were able to meet half of our payroll two weeks out of the month. And you know, yes, advertising supports most of what we do, but not all of it. And in order to keep doing this at the level we're doing, we need you to join. And if enough people join, if we could get 5%, 1 in 20 of our audience to join, the sky's the limit. We could have an AI show. We could do so much more. So what do you get? Ad free versions of all the shows. You get the Club Twit Discord, which is really actually a wonderful hangout, a great place to play, to chat, not just during the shows, but all the time. And there's events that go on in the club. We've got Chris Marquardt's photo event. Photo time is coming up Thursday. Micah's crafting corner is January 15th. We've got Stacey's Book Club coming up. In fact, we're voting right now on which book we should be reading for Stacey's Book Club. And you also get to hang out with some really fun people. That's not all. I mean, there's a lot more to join in the club. Seven bucks a month, less than a couple of cups of Starbucks Americano blend, and you could be a member of Club Twit. The most important thing you get out of it is the warm and fuzzy feeling knowing that you're helping us do this work. And if you find it valuable, if you listen, please consider joining. We'd love to have you. twit.tv/clubtwit. You can give more if you want. Seven is just the, you know, starting point. And I think there are other things in there. I don't know. Are we still doing the two week free trial? I think we are. There's also a referral code you get when you join, so you can tell people about it on your socials, and for every one of them that joins, you get a free month. We want to make it fun.
Maybe not as fun as playing Doom in a captcha, but we want to make it fun. And we sure would love to have you: twit.tv/clubtwit. Now, whether you're a member or not, there is another thing you can do to help us. Right now we're doing our annual survey. A couple more weeks to go, at twit.tv/survey. It's just 5 minutes, 10 minutes. Answer some questions. It helps us know you better, understand you better, know what you want. It also helps us, I'll be honest, attract advertisers. We don't tell them anything about you individually, but in aggregate we like to be able to say, yeah, you know, 75% of our audience are decision makers in IT. That's actually true, things like that. Advertisers love hearing that kind of stuff. So help us out, don't lie, help us out, answer honestly. That's all you need to do. twit.tv/survey. Take the survey. We really, really appreciate it. Thank you. Butch, put the link up in the Discord. It doesn't have to be club members, anybody, in fact, all of you. We'd like you all to take the survey. All right, Steve, I am dying to hear. Okay, what you think about all this AI.
Steve Gibson
So, as I said at the top of the podcast, and I will reiterate, Security Now will not be evolving into AI today.
Leo Laporte
No, we have shows for that. That's fine.
Steve Gibson
Yes. And that said, aside from the fact that the recent, truly astonishing advances in AI are going to directly impact everyone's lives outside of the security sphere, I'm also very certain that we're going to be seeing AI's impact upon the security of our software and operating systems. And we may not be needing to wait long. So over the course of the next few years, I'm sure that the topic of AI will be re-emerging. And I'm not saying I'm never going to talk about it again because, you know, it'll just be fun to talk about the major advances that I expect we're going to be seeing. One, actually, I'll be talking about in a second, only about a month away. So our listeners have been following my journey through this topic, you know, and it's not been a straight line. You know, more than anything else, I endeavor to be an honest researcher. An honest researcher will readily revise their entire belief system as required when presented with new facts and information. You know, clutching to obsolete dogma simply because it's familiar and comfortable is not the way of science, you know, and it was because I was puzzled and confused by what I was experiencing firsthand that I went searching for that information. I believe I found it. I believe I understand it, at least as much as is possible without actually implementing it myself. And I've got other work to do, so that's not going to happen. And I've been changed by what I learned. Three weeks ago, as I said, I might have something to say about this before we met again today, and I said if so, I would probably enjoy sharing that with this audience with a special email over the holidays. Now, the possibility of that happening induced more than 1100 of our listeners who had not already signed up to the Security Now mailing list to do so. So for that reason alone, you know, due to that declaration of interest, I felt I had to say something today.
I have much more to say on the topic than I did nine days ago, last Monday, December 30, when I sent that out. But let's start with what those 15,060 subscribers received from me last week. Then I'll expand a bit on what I think are the most important points and what I've continued to learn since. So what I wrote then was: When I first set about writing this email, my plan was to share what I had learned during the first half of our three week hiatus from the podcast. But it quickly grew long, even longer than this, because I've learned quite a lot about what's going on with AI. Since I suspect no one wants to read a podcast-length piece of email, which I would largely need to repeat for the podcast anyway, which is what I'm doing now, I'm going to distill this into an historical narrative to summarize a few key points and milestones. Then I'm going to point everyone to a 22 minute YouTube video that should serve to raise everyone's eyebrows. So here it is. First, everything that's going on is about neural networks. This has become so obvious to those in the business that they no longer talk about it. It would be like making a point of saying that today's computers run on electricity. Duh. Okay. AI computation can be divided into pre-training and test time, also called inference time. Pre-training is the monumental task, and it is monumental, of putting information into a massive and initially untrained neural network. Information is put into the network by comparing the network's output against the expected or correct output, then back-propagating tweaks to the neural network's vast quantity of parameters to move the network's latest output more toward the correct output. A modern neural network like GPT-3, which is already obsolete, had 175 billion parameters interlinking its neurons, each of which requires tweaking.
This is done over and over and over, many millions of times across a massive body of "knowledge", which I have in quotes, to gradually train the network to generate the proper output for any input. Counterintuitive though it may be, the result of this training is a neural network that actually contains the knowledge that was used to train it. It is a true knowledge representation. Now, if that's difficult to swallow, consider human DNA as an analogy. DNA contains all of the knowledge that's required to build a person. The fact that DNA is not itself intelligent or sentient doesn't mean that it's not jam-packed with knowledge. In fact, the advances that have most recently been made, which I'll get to in a bit, are dramatic improvements in the technology for extracting that stored knowledge from the network. That's why I titled today's podcast AI Training and Inference. Inference is the second half. The implementation of neural networks is surprisingly simple, requiring only a lot of standard multiplication and addition, pipelined with massive parallelism. This is exactly what GPUs were designed to do. They were originally designed to perform the many simple 3D calculations needed for modern gaming. Then they were employed to solve hash problems to mine cryptocurrency. But now they lie at the heart of all neural network AI. Now, even when powered by massive arrays of the fastest GPUs rented from cloud providers, this pre-training approach has become, well, was becoming and is, prohibitively expensive and time consuming. But seven years ago, in 2017, a team of eight Google AI researchers published a truly groundbreaking paper titled Attention Is All You Need. The title was inspired by the famous Beatles song Love Is All You Need. And the paper introduced the technology they named Transformers. Actually it was named that because one of the researchers liked the sound of the word.
The best way to think of transformer technology is that it allows massive neural networks to be trained much more efficiently, in parallel. This insightful paper also introduced the idea that not all of the training tokens that were being fed into the network, which is the long string of data being fed into a model during one training iteration, needed to be considered with equal strength, because they were not all equally important. In other words, more attention could be given to some than others. These breakthroughs resulted in a massive overall improvement in training speed, which in turn allowed vastly larger networks to be created and trained in reasonable time. Basically that paper solved the problem that they were hitting five, six and seven years ago: training just took too long, which limited the size of the networks, so that limited the quality of the networks. What happened was, thanks to this breakthrough, it became practical and possible to train much larger neural networks, which is what gave birth to today's LLMs, large language models. Now the GPT in ChatGPT stands for generative pre-trained transformer. Pre-trained is the training; transformer is this technology. But over time, once again, researchers began running into new limitations. They wanted even bigger networks because bigger networks provided more accurate results. But the bigger the network, the slower and more time consuming, and thus costly, was its training. It would have been theoretically possible to keep pushing that upward. But a better solution was discovered: post-training computation. Traditional training of massive LLMs was very expensive. The breakthrough transformer tech that made LLM-scale neural networks feasible for the first time, well, now that was being taken for granted. But at least the training was a one time investment.
After that, a query of the network could be made almost instantly and therefore for almost no money. But the trouble was that even with the largest practical networks, the results could be unreliable, known as hallucinations. Aside from just being annoying, any neural network that was going to hallucinate and just make stuff up could never be relied upon to build chains of inference, where its outputs could be used as new inputs to explore consequences when seeking solutions to problems. Being able to reliably feed back a network's output into its inputs would begin to look a lot like thinking, and thus inference for true problem solving. Then a few years ago, researchers began to better appreciate what could be done if a neural network's answer was not needed instantly. They began exploring what could be accomplished post-training if, when making a query, some time and computation, and thus money, could be spent working with the pre-trained network. This is known as test time computation, and it's the key to the next level breakthrough. By making a great many queries of the pre-trained network and comparing multiple results, researchers discovered that the overall reliability could be improved so much that it would become possible to create reliable inference chains for true problem solving. Using the jargon of the industry, this is often called chains of thought. Although I still object to, you know, giving too much credit to, you know, to imbuing these with too much human brain. Yes, yeah, technology involved. So inference chains would allow for problem solving behavior by extracting the stored knowledge that had been trained into these networks. And the pre-trained model could also be used for the correction of its own errors.
Now I should note that the reason asking the same question multiple times results in multiple different answers is that researchers also had long ago discovered with neural networks that introducing just a bit of random noise, which is called the temperature, into neural networks resulted in superior performance. And yes, if this all sounds suspiciously like voodoo, you're not wrong. But it works anyway. OpenAI's recently released o1 model, which I talked about at the very end of last year, is the first of these more expensive test time inference chain AIs to be made widely available. It offers a truly astonishing improvement over the previous ChatGPT-4o models that we were using. Since o1 is expensive for OpenAI to offer on a per query basis, subscribers are limited to seven full queries per day. But the o1-mini model, which is faster and still much better but not as good, can be used without limit. But wait, there's more. The big news is that during their celebration of the holidays, OpenAI revealed that they have an o3 model that blows away their brand new o1 model. It's not yet available, but it's coming soon. What is available are the results of its benchmarks, and that's why I believe you need to make time to watch this YouTube video. I created a GRC shortcut with this episode number, which is 1007. So grc.sc/1007 will bounce you to a, I think it's 22 minute, YouTube video talking about the independent benchmarks that have been run against this o3 model. Okay, so is it AGI? OpenAI is saying not quite, but there's little question that they're closing in on it. As you'll see in that video, the performance of OpenAI's latest o3 model, when pitted against independent evaluation benchmarks designed specifically to measure the general reasoning strength of AIs when confronted by problems that were absolutely never part of the AI's training set, demonstrates reasoning abilities superior to most humans.
You need to watch the video, grc.sc/1007. Even if it were AGI, and we're probably not far from that, people are saying it is, I don't care. That doesn't mean it's taking over. The AGI designation is only meant to indicate that over a wide range of cognitive problem solving tasks, an AI can outperform a knowledgeable person. Computers can already beat the best chess, Go and poker players. I think it's very clear that today's AIs are not far from being superior to humans at general problem solving. That doesn't make them Frankenstein's monster to be feared. It only makes AI a new and exceedingly useful tool. Many years ago I grabbed the domain clevermonkeys.com just because I thought it was fun. It occurs to me that it takes very clever monkeys indeed to create something even more clever than themselves. All the evidence I've seen indicates that we're on the cusp of doing just that. Okay, so with that, with a little bit of editing to improve it, that's what our listeners received from me over the holidays. If you take nothing else away from this discussion of AI today, here is the one point I want to firmly plant into everyone's mind, because this is the sticking point that I see everywhere. Nothing that was true about this field of research yesterday will remain true tomorrow. Nothing. This entire field of AI research is the fastest moving target I have ever experienced in my nearly 70 years of life. There are a number of consequences to this fact. For one, no book about AI that was written a year ago or six months ago, or even last month, will be usefully up to date about what's happening today. Books written in the past can definitely be useful for describing the history of AI and as a snapshot of a point in time, but even their predictions will prove to have been wildly wrong.
The guys at OpenAI who are working on this, and ought to know, believed two years ago that at least another decade, another 10 years, would be needed to achieve what they announced last month and are getting ready to unveil. They thought it would take 10 years. It took two. One of the factors in facilitating this astonishing speed of development is that it turned out that much of what was needed was scale. And a weird side effect of cloud-side computing is that it's massively scalable. If you can pay to rent it, you get to use it. So investor dollars were pumped into the training of ever more complex models, and they kept seeing surprising improvements in performance. Leo's original appraisal of large language models as fancy spelling correctors was an accurate and useful from-the-hip summary of OpenAI's ChatGPT-3 model. That's their take on it too. ChatGPT-3 produced grammatically correct language, but it only coincidentally and occasionally produced anything highly meaningful. If it was left to keep talking, it would soon get lost and wander off course to produce grammatically correct nonsense. Even so, back then, highly creative people who operate on the cutting edge, like MacBreak Weekly's Alex Lindsay, were using the ChatGPT-3 model as a source of new ideas and inspiration. As I wrote this, I was reminded of how popular formal brainstorming once was, where sometimes random ideas were just tossed out without any filtering, and that was the, you know, that was the entire point: to say something as a means of inspiring some new perspective. So even ChatGPT-3 was useful for the nonsense that it sometimes produced. But as a consequence of everything I've learned over the past three weeks and of the events which have transpired since, our previous podcast title, podcast 1005 three weeks ago, The Wizard of Oz...
Leo Laporte
How quickly it ages, huh?
Steve Gibson
No longer seem... Yes, no longer seems to fit. And I'm a bit embarrassed by what I wrote because it no longer reflects reality. As I said earlier, an honest researcher may need to discard previous belief systems when confronted with new information and facts. Never has that been more true than it is here. I'm needing to continuously update my own internal model. There is an unfortunate downside emerging, however. Unfortunate, I suppose, but inevitable. With startling speed, AI has moved from a curio in the corner of university and corporate R&D labs into big business. That meant that the suits in their neckties with their non-disclosure agreements descended upon the labs of the once freely and fruitfully collaborating academia-oriented researchers and dropped the cone of silence over their ongoing work. In the distinguished lecture series at the Paul Allen School, one of OpenAI's leading researchers, Noam Brown, gave a lecture titled Parables on the Power of Planning in AI: From Poker to Diplomacy. I have a YouTube link to Noam's excellent talk at the end of the show notes. During his lecture you could so clearly see Noam's unbridled enthusiasm and love of his subject, and also his disappointment when he was forced to stop himself short to prevent sharing some detail of his work that was now deemed to be proprietary and no longer his to share. We only have Google's breakthrough transformer and attention technology, which was the sole enabler of the subsequent LLM revolution, because seven years ago, back in 2017, when things were still moving somewhat slowly, Google AI researchers were freely publishing their work as the academic curiosity that it was. At the time, they were working on improving Google's inter-language translation capabilities, and this inspiration emerged unbidden from a chance meeting of eight Googlers from various parts of the organization. Would such a breakthrough be published in today's climate?
Seems unlikely, and now OpenAI is seeming less open than it once was. We know that ChatGPT-3 used a neural network containing an astonishing 175 billion neuron-interlinking parameters, but 10 digits of accuracy each. We know that because OpenAI freely told us, but we have no similar information about any of their succeeding models. The sizes of the various ChatGPT-4 models, not to mention o1 and o3, have become closely held secrets, as have details of their operation.
Leo Laporte
This is something that Elon's been complaining about, right? This is why he's suing them.
Steve Gibson
Yep, yeah, he said. Fortunately, a massive amount of detail, all the detail needed for recreating much of what we see today from the corporate side, had previously been shared in the public domain, and research continues with new vigor and doubtless with new funding within academia. And remember that it wasn't so long ago that Apple was getting patents on Andy Hertzfeld's clever stepwise circle drawing algorithms for bitmaps. Very little of anything that's really useful remains secret forever, and it seems clear that before long we're going to have AI everywhere. Okay, now I would love to spend more time talking about the way neural networks function in detail, because there are some very cool aspects of that too. But that's not the purpose of this podcast, and perhaps I'll find another opportunity for that in the future. There are absolutely already tons of videos on YouTube talking about all of this for anyone who's interested. And YouTube's recommendation engine appears to be quite excellent because as soon as I started digging around in there, I got a lot of good news. Yeah, I do need to point out a specific series of astonishingly well conceived and produced instructional videos on this topic from a guy named Grant Sanderson.
Leo Laporte
Oh, I've watched these. They are really good. This was how I got my education in this stuff.
Steve Gibson
Yes, Grant's website is 3blue1brown.com, numeral 3, blue, numeral 1, brown. And Grant's bio says: These videos and the animation engine behind them began as side projects as I was wrapping up my time studying math and computer science at Stanford. After graduating, I worked for Khan Academy, producing videos, articles, and exercises primarily focused on multivariate calculus. Since the end of 2016, my primary focus has been on 3Blue1Brown and its associated projects. In those years, I've also had the pleasure of contributing to a number of different outlets for math exposition, including spending a semester lecturing for an MIT course on computational thinking, contributing to a Netflix documentary about infinity, writing for Quanta, and collaborating with many other educational YouTube channels. I have to say his animated visualizations, they're very good, are astonishing.
Leo Laporte
This is the one I found the most useful. If you just want a quick introduction, he put it out in November: LLMs for Beginners. Very good, really well done and knowledgeable.
Steve Gibson
Yes, I have a link in the show notes. He did a series of eight. It starts on neural networks and runs through all of this technology: transformers, back propagation, the whole breakthrough of attention and how that operates. Anyway, I recommend them without reservation to anyone who's interested in understanding more of the inner workings of the comparatively, and I love the word, ancient technology of neural networks, because this stuff's been around forever. Now what's interesting about this is that this old technology of neural networks has recently been given new life thanks solely to the scalability of cloud-based computing and the presence of GPUs, which are able to perform massive amounts of simple computation operations so long as we have sufficient power, processing power and, as we know, electrical power too. It appears that the world is facing, I believe, a true breakthrough, thanks to the scale of compute and training we've been able to throw at the problem. However, what we have today works and is working, but it is incredibly inefficient. It works only due to the massive scale we've managed to throw at neural network technology, which is itself an extremely flexible but inefficient technology. For example, it's possible to train a neural network that has just a handful of neurons to perform a simple binary adder function. But the same thing can be done far more efficiently with a couple of logical NAND gates. The thing that makes the handful of neurons potentially more interesting is that the same network could be trained to perform other simple functions. But the fundamental problem remains that any simple function that a neural network could be trained to do could be reduced to a far more efficient couple of NAND gates. So here's what I think will eventually emerge someday, and I have no idea whatsoever when that might be.
My hunch is that just as with the handful of neurons that can be trained to perform simple logic functions, we're going to eventually discover that there is a far simpler way to solve the same AI implementation problems much more efficiently than we're currently solving them by throwing massive scale of inefficient neural networks at the problem. I have no idea what that solution might be, but the intriguing thing here is that cognitive science researchers now have a crude sort of brain that does manage to store a useful amount of knowledge and is able to use that knowledge to solve novel problems and, I suspect before long, to invent newly true things. I mean, you know, to truly invent new things. People are already beginning to ask, looking at these networks, exactly how it does this, because believe it or not, that remains a mystery. What is no mystery is what transpires here every Tuesday, as it will next Tuesday and for many more Tuesdays to come.
Leo Laporte
You know, I like your idea that it might be not simply throwing more power at the existing structures, but finding a new structure that might be more efficient. I sent you a link. There is an article that came out five years ago by this guy who is a well known researcher in reinforcement learning and AI, and he actually had an insight. It's kind of funny, he had an insight back in 2019. He calls it the bitter lesson. He says the biggest lesson that can be read from 70 years of AI research is that the best way to make AI better is to just give it more power. Because of Moore's Law. That's what we're seeing. It's more powerful. So he says the second general lesson is the actual contents of minds, our own minds, right, are tremendously, irredeemably complex. So let's stop trying to find simple ways to think about the contents of minds. That's probably the wrong thing to try to do, to duplicate the human mind. We want AI agents that can discover like we can, can learn like we can, so that we don't have to reproduce the complexity of our own minds. We can let them.
Steve Gibson
Yeah, that's really what happened is, you know, neural networks are interesting because they're self-organizing. And when you train a multi-level neural network that has like three or four layers of interconnected neurons to do image recognition, it turns out you're able to do it. It's able pretty easily to recognize handwriting. And that works when you give it a whole bunch of samples. But then you look at how it's doing it. Like, what do the individual layers of neurons hold?
Leo Laporte
We have no idea.
Steve Gibson
And it looks like noise. It's just junk.
Leo Laporte
Yeah.
Steve Gibson
And it's like, you know, how is it doing this? And we don't know. And believe me, Leo, when you're talking about even ChatGPT-3, that is now a comparatively simple old technology from, oh gee, 90 days ago, and 175 billion neurons, we have no idea. You know, it comes out and it's like, whoa, look at that. It works.
Leo Laporte
We don't know what's going on in there. No, it's a black box. I'm very excited. I do think that, I mean, look, Sam Altman's a great marketer and a great showman, but I do think that he has something that we're going to see in the next few months that is probably as close to AGI as we need to get.
Steve Gibson
Yes, yes. I think that's absolutely right. I'm worried about what it's going to cost, because I probably want to use it and it looks like it's going to be expensive. You know, there's like a pro version at 200 bucks.
Leo Laporte
He says they're losing money on the Pro version at 200 bucks a month because people are using it so much.
Steve Gibson
Yeah. So let's hope they can make it up in quantity.
Leo Laporte
I have a friend who works in the business who took me aside some months ago and said the next decade is going to look very weird. Just as you said, it's moving faster than anything we've ever seen.
Steve Gibson
Yes.
Leo Laporte
And that the developments that are going to happen over the next few years even are mind bending.
Steve Gibson
Yes. I would advise anyone listening when anyone asks them what they think about AI they can say, well, I'll tell you what I thought last month.
Leo Laporte
Yeah.
Steve Gibson
Because I'm not kidding you. It is a shockingly fast moving target. And the reason is, it turns out, there was an infrastructure ready to scale. There was an infrastructure waiting for AI and then...
Leo Laporte
Yes. And Moore's Law has scaled it so fast. So just so you feel reassured, you do not have to become the AI show at this point. I'm probably going to rechristen This Week in Google to This Week in Intelligent Machines, because I think that's really the most interesting development for this year and the years to come. And Google has become less and less interesting as a single company. But what's happening in all of those companies is more interesting.
Steve Gibson
Well, that's good because that's also This Week in IM.
Leo Laporte
Yeah, I like it. Right. TWiM. Intelligent Machines I thought was better than AI.
Steve Gibson
Tell me about Elon, because I'm not up to speed on his recent...
Leo Laporte
It's hard to know what his reasoning is. But he has now sued OpenAI because he says, you know, our original concept... It's true. He was a founding member.
Steve Gibson
Was it to be open?
Leo Laporte
Was it to be open? He said in the beginning no company should control artificial intelligence. And so he's suing them because they want to eliminate their nonprofit status and they're converting to a fully for-profit, although it might be a public benefit corporation. Nevertheless, Elon's right on the surface that it shouldn't be controlled by any big company. You might say, if you were cynical, that he's really just trying to slow OpenAI down so his own corporate, commercial, for-profit AI, Grok, can catch up. I think that might be closer to the truth. You never know with Elon. But I think on the surface he's right. No big company should be in control of this. This needs to be something we all use. And it saddens me when I hear scientists, because of an NDA, say, oh, I can't tell you what I'm doing.
Steve Gibson
Yeah, you probably heard that there was a paper out of China also where they believe they figured out how o3 works, even though OpenAI is not saying.
Leo Laporte
Yeah, that's the good news, is that this is such a game changer that I think every country, every scientist, everybody's working on this. It's going to be a very interesting time we're in. I don't know if it's going to be a good time, but it's gonna be interesting.
Steve Gibson
Yeah. Well, as Rod said, I got into this because I started using it as sort of a super Internet search engine.
Leo Laporte
Right.
Steve Gibson
And it's good for that. It is very useful. Absolutely have to check its work because it does, you know... the...
Leo Laporte
Best ones give you references that you can follow back.
Steve Gibson
Yeah.
Leo Laporte
That's why I use Perplexity AI for my search research. And it's always very good about. First of all, it's very up to date. Unlike some of the older models, its training continues.
Steve Gibson
Well, and I did ask, I think it was 4o, because I asked it something that didn't seem right. And I said, when did your training stop? And it said, I stopped in October of 2023.
Leo Laporte
Yeah.
Steve Gibson
So, okay, well, then you don't know what I'm asking you.
Leo Laporte
Exactly. Exactly. So OpenAI does have a GPT that is connected to the Internet, but Perplexity's, I think, is the best. It's not only a very good model, but it's pretty...
Steve Gibson
I'm hearing that Claude is also very good.
Leo Laporte
Yeah, Claude has a search tool. I do think this is going to replace search. I have stopped using traditional search entirely.
Steve Gibson
And you have to know that's where Google is putting so much of their effort.
Leo Laporte
They seem a little behind. Anyway, it's going to be a very, very interesting time, shall we say. Well, I want you to continue to cover AI to whatever extent you wish. Just be reassured, AI is absolutely the focus of a number of our shows, and especially, I think, This Week in Google is going to become more of an... it already...
Steve Gibson
Is a lot about AI and no one better than Jeff to steer the ship.
Leo Laporte
Well, I'll put my two cents in too. And one of the things we're going to do as we transform that show is to bring in experts, because we need expert information, you know. Yeah, I think that's going to be very fun. Well, I appreciate it, Steve. You're an expert by virtue of your deep knowledge and continuing research. And we're so glad to have you on the network.
Steve Gibson
Satisfy my curiosity for now. I have a sense for what's been going on.
Leo Laporte
Yeah.
Steve Gibson
And back to security next week. We got a lot of feedback from our listeners that I'll be sharing, and onward into 2025.
Leo Laporte
Yeah. And by the way, if you want the links that Steve was talking about, his entire show notes are available on his website, GRC.com. You can also subscribe, because he has a mailing list that will send you the show notes ahead of time so you have an early look at them. But in order to do that you need to go to grc.com/email. It's a chance to register your email so you can give him feedback too. He won't accept email that isn't validated first, but while you're there, you'll see two different newsletters you can subscribe to, and they're not checked by default, so pay attention. You can check those and get those at your preferred email address. You can also get copies of the show there. He has the normal, you know, 64 kilobit audio, but he also has a very abnormal 16 kilobit audio for the bandwidth impaired. He also has very useful transcriptions written by Elaine Farris from that 16 kilobit audio. She doesn't transcribe the hiss and the clicks. She just transcribes our words and does an excellent job. So show notes, 64 kilobit audio, 16 kilobit audio and transcripts, all available at grc.com. While you're there, pick up a copy of Steve's bread and butter. He buys lunch with SpinRite, the world's finest mass storage performance enhancer, maintenance utility and recovery utility. If you have mass storage, you really should have SpinRite 6.1, the current version. Go get it. GRC.com. Lots of other stuff, including, soon I think, the DNS Benchmark, and working
Steve Gibson
on a new toy for people.
Leo Laporte
Yeah, I'll subscribe the minute it's available. I'm very excited about that. Lots of free stuff too. Check it out. GRC.com. We have a copy of the show at our website, twit.tv/sn for Security Now. Once you get there, you'll see a link to the YouTube channel that has every video of Security Now. That's useful if you want to share a clip. If you have a friend who's got an interest in AI, for instance, you could share just that portion of the show. YouTube makes that very easy, and I encourage you to do that because not only does it help your friend, it spreads the word. And I think more people should subscribe to this show. I think this should be required listening all over the world. So use that YouTube for that. Best thing though, if you do listen to the show on a regular basis, subscribe. You can do it in any podcast client and automatically get it as soon as we're done with it. If you want the very freshest version, you can even watch us do this live. We record Security Now right after MacBreak Weekly on Tuesdays, usually about 1:30 to 2pm Pacific, 5pm Eastern, 2200 UTC. The streams, there are eight of them. Our club members get the access behind the velvet rope in our Club Twit Discord. But there's also YouTube, Twitch, TikTok, X.com, LinkedIn, Facebook, and Kick. So eight different ways you can watch. If you watch live, you'll be getting the very freshest version, but you probably still want to subscribe so that you have a copy for later delectation. Steve, have a wonderful week and I will see... What are you reading now? You're done with the Peter Hamilton.
Steve Gibson
I know, I am, and I miss it now. I was grumbling, I was complaining that it was endless and I would never get through it. And so I was like, oh, okay, how long do I have to wait?
Leo Laporte
You develop an affinity for the characters and for the scene, and you want to know what's going on.
Steve Gibson
Yeah, yeah, yeah, it did get me. But you know, if it's a couple years, then I'll reread it like John did immediately, right? And then plow into number two.
Leo Laporte
So Jammer B is in our Discord chat and he says, "Told you." Yeah, we will see you next week, Steve, on Security Now.
Steve Gibson
Thanks, buddy. Till then, bye.
Podcast Summary: Security Now 1007: AI Training & Inference
Hosts: Leo Laporte and Steve Gibson
Release Date: January 8, 2025
Overview: In this milestone 1007th episode of Security Now, hosts Leo Laporte and Steve Gibson delve into a plethora of pressing security topics, ranging from unencrypted email servers and compromised browser extensions to significant advancements in artificial intelligence (AI) training and inference. The episode also features a unique caption contest and insightful discussions on recent legislative changes impacting internet security.
Timestamp: [01:12]
Discussion Points: Steve Gibson provides an update on his ongoing work with the DNS Benchmark tool. Originally developed 15 years ago for IPv4 addresses, the tool is undergoing a significant overhaul to support IPv6 and encrypted DNS protocols like DoH, DoT, and DoQ. This transition required extensive rewrites to accommodate the increased address size and new protocols, highlighting the challenges of maintaining and updating long-standing software tools.
Notable Quote:
Steve Gibson [01:56]: "I had to rewrite a huge portion of the original benchmark because it was so locked into 32 bits for an IPv4 address."
Timestamp: [16:41]
Discussion Points: Leo introduces the podcast’s inaugural caption contest featuring a peculiar image of a secured gate in an overgrown field. The contestants are encouraged to submit creative captions, with the best ones being featured in future episodes.
Notable Quote:
Steve Gibson [16:55]: "It's a path out from where the vantage point of the photographer is to the gate. It's bizarre and raises more questions than it answers."
Timestamp: [46:40]
Discussion Points: Steve outlines a major security incident involving Cyberhaven, a security firm whose Chrome browser extension was compromised through a sophisticated phishing attack. This breach affected at least 35 extensions, potentially impacting over a million users. The attackers specifically targeted Facebook users to exfiltrate access tokens and personal data.
Notable Quotes:
Steve Gibson [48:25]: "Cyberhaven's Chrome Extension Security Incident is a clear example of how browser extensions can become vectors for large-scale attacks."
Steve Gibson [54:30]: "Look, you could just look at the picture... it's a metal security gate... complete private conversations."
Timestamp: [72:01]
Discussion Points: The hosts discuss a severe vulnerability (CVE-2024-40766) in SonicWall's SSL VPN firewall products. Despite patches being available since August 2024, nearly 29,000 U.S. devices remained vulnerable as of December 2024. Ransomware groups Akira and Fog are exploiting this flaw, compromising over 100 organizations.
Notable Quote:
Steve Gibson [86:05]: "It's unconscionable that you could have a SonicWall device with a known vulnerability and thousands of them remain unpatched."
Timestamp: [87:03]
Discussion Points: Steve highlights alarming statistics from the Shadowserver Foundation, revealing that approximately 3.3 million email servers worldwide still transmit data without TLS encryption. The U.S. accounts for nearly 899,000 of these vulnerable servers, underscoring a significant security lapse in email communications.
Notable Quote:
Steve Gibson [90:51]: "Nearly 899,000 email servers in the U.S. are exchanging emails in complete plaintext, making all communications readable by anyone intercepting the traffic."
Timestamp: [117:03]
Discussion Points: Introducing a creative alternative to traditional CAPTCHAs, Steve demonstrates a system where users must play and succeed in a game of Doom to verify their humanity. While unique, the hosts humorously acknowledge its challenges, noting that even experienced gamers like Leo can struggle with it.
Notable Quote:
Leo Laporte [119:20]: "Any computer can kill three monsters in Doom better than you will, I promise."
Timestamp: [124:15]
Discussion Points: Steve provides an in-depth analysis of recent breakthroughs in AI, particularly focusing on neural networks, transformers, and large language models (LLMs) like GPT-4 and the upcoming o3 model. He emphasizes the unprecedented speed of AI development, driven by scalable cloud computing and massive datasets. Steve also touches on the ethical and practical implications of AI advancements, including potential moves towards Artificial General Intelligence (AGI).
Notable Quotes:
Steve Gibson [150:02]: "Nothing that was true about this field of research yesterday will remain true tomorrow."
Steve Gibson [164:14]: "Nothing that was true about this field of research yesterday will remain true tomorrow. Nothing."
Timestamp: [109:04]
Discussion Points: Following a widespread hacking campaign by the Chinese-backed group Salt Typhoon, major U.S. telecom providers including AT&T, Verizon, and Lumen have successfully expelled the threat from their networks. Steve underscores the ongoing risks and recommends using secure communication apps like Signal for sensitive conversations.
Notable Quote:
Steve Gibson [109:04]: "If your traffic happens to cross over some of the telecom carriers that have not yet succeeded in successfully evicting Salt Typhoon, then your communications is still probably not very secure."
Timestamp: [110:55]
Discussion Points: The U.S. Department of Health and Human Services (HHS) has proposed significant updates to HIPAA regulations, including mandatory encryption, multi-factor authentication, and network segmentation. Steve anticipates feedback from listeners and plans to discuss the implications of these changes in future episodes.
Notable Quote:
Steve Gibson [110:55]: "HIPAA regulations will be getting a bunch of new welcome and needed cybersecurity rules, including the mandatory use of encryption, Multi-Factor Authentication, Network segmentation."
Timestamp: [113:53]
Discussion Points: Leo and Steve comment on the European Union’s decision to standardize USB-C as the universal charging port for various electronic devices by 2026. This legislation aims to reduce electronic waste and improve consumer convenience by eliminating the need for multiple proprietary chargers.
Notable Quote:
Steve Gibson [114:01]: "The harmonized charging port for electronic devices, USB-C will be the common port, allowing consumers to charge their devices with any USB-C charger regardless of the device brand."
Timestamp: [121:00]
Discussion Points: Leo encourages listeners to join Club Twit, emphasizing the benefits such as ad-free content, access to exclusive Discord channels, and participation in community events. Steve highlights the importance of listener support for the sustainability of the show.
Conclusion: Episode 1007 of Security Now offers a comprehensive exploration of critical security issues impacting both individual users and large organizations. From the ongoing vulnerabilities in network appliances and the peril of unencrypted communications to the swift evolution of AI technologies, Leo Laporte and Steve Gibson provide listeners with valuable insights and actionable advice to navigate the complex landscape of cybersecurity in 2025.