Leo Laporte (4:25)

All the ads, Steve, after you hear all the ads.

Steve Gibson (4:27)

Oh, that's right. After the last ad, we'll let you know. You can leave now. You can leave the classroom, children.

Leo Laporte (4:37)

You can leave any time.

Steve Gibson (4:39)

Cybersecurity. But we're going to talk about first Sparkcat, which I know you guys talked about over on MacBreak weekly. Sparkcat is the name of the secret stealing AI image scanner which has been discovered in the app and the Play stores. Also, I also saw you mentioning the UK's new demands about Apple doing the impossible. And we're going to touch on the whole advanced data protection issue. We talked about it when Apple first announced it. UK's back again. France is also moving forward on legislation to require backdoors into encryption. And as I've been saying now for a couple years, this is the great question, right? This is why we're glad we went past 999, because how do you solve this? And I'm going to reiterate the solution that I think exists, which also diffuses the arguments about why government needs this stuff. Firefox has moved to their number 135 and it has a bunch of useful new features which I don't see all the time, but if you hold I think it's Control Shift X up pops chatgpt. And yeah, they've added chatting to an optional sidebar in Firefox and a bunch of other stuff we'll talk about. Also, the Five Eyes alliance has published their guidance for edge device security, which I know our listeners who are involved in enterprise environments will like because it's both a checklist and a cya for them. Six Netgear routers contain three each in three sets. CVSS 9.6 and 9.8 vulnerabilities, unauthenticated remote code execution. You want to make sure you don't have any of these six routers and you're only vulnerable if you also didn't follow the guidance. And you've got remote admin enabled, which of course I'm sure none of our listeners have, but if you did, oh boy. And one of our favorite classes of utilities, those from sysinternals, it turns out that most of them allow malicious Windows DLL injection and apparently Microsoft doesn't care. We'll look at that more closely. Google has removed restrictive do gooder language for from their AI policies which has raised some questions. And there's an open source posted up on GitHub AI fuzzer which has successfully jailbroken the most powerful and supposedly guardrail equipped ChatGPT03 model. We're going to look at all that and then we're going to end by examining the well and deliberately hidden truth behind ransomware cyber attacks on the US's K12 schools. And of course we have a picture for the ages. Leo, this is one where it's like, okay, I think I mentioned it actually, either last week or the week before. The nominee for the 2025 Darwin Awards.

Leo Laporte (8:10)

You know, I love the Darwin Awards. I haven't thought about them in a long.

Steve Gibson (8:14)

Well, I think we remember the one where someone like strapped a skateboard to a jet engine or something. I mean, there was like, what?

Leo Laporte (8:23)

Anyway, the Darwin Awards because most of the people who do these experiments do not survive and it is the survival of the fittest or at least the least risk taking. Good. I can't wait. I haven't looked at it yet. We'll look at it together in just a moment.

Steve Gibson (8:39)

One of those where it takes a minute to sort of parse the picture and then you think, omg.

Leo Laporte (8:46)

Oh, I can't wait. I love the puzzle ones. That's good. All right, standby, that's coming up in just a second. But first, a word from our sponsor. You may remember, after the national public data broker breach, Steve had a tool that you could go and you could look and see what you know because this revealed the Social Security numbers and private information of millions, hundreds of millions of Americans. And he had a little tool that you could go and look up your name and see if you were in there. And Steve and I both were in there. Our Social Security numbers both had been revealed in the breach. Sigh. But then I did something interesting. I wonder about Lisa, my wife and our CEO. Not a trace. And I realized why. Because she's been using Delete me. We needed it. If you've ever searched for your Name online. You will be dismayed. I don't recommend it. By how much of your personality information is available online. It is a gold mine. And not just for advertisers and marketers, but for bad guys as well. It is a source of harassment. Spear phishing attacks. That's what happened to us. People were using Lisa's phone number and her name, texting her direct reports because they knew their phone numbers with spear phishing attacks. You know, I'm in a meeting right now, too busy. But I gotta get these Amazon gift cards. Just go order 1,000 of them, use your TWIC credit card and send them to this address. Thank you very much. Fortunately, our staff's smart, but I wasn't going to sit back and take that. It told me something that the bad guys could find a lot of information about our company with these data brokers. Same thing true of your family. Delete me's got personal plans, corporate plans and family plans, which will help you ensure that everyone in your family feels safe online. DeleteMe reduces the risk from identity theft. That's a big part of it. Cybersecurity threats like those, spear phishing attacks, harassment, and more. There's just no reason for your data to be online. DeleteMe will go out. They'll find all their experts, will find and remove your information from hundreds of data brokers. They have a list, they know them all. And of course, here's the problem. Those data brokers will sure, they'll delete that. They're required to, but then the data still comes in and your dossier gets rebuilt. Plus there's new data brokers every single day. It's a very lucrative business. So delete me will go back out and periodically rescan and remove that information again so that like Lisa, your stuff is just, it's just not there. And as I said, they will continue to remove your information regularly so this stuff does not pop back out. I'm talking. And by the way, that what they what, what's out there, what those data brokers collect, it's everything. I mean, it's just basically everything. Addresses, photos, emails, relatives, phone numbers, social media, property values and more. Do what we did. Protect yourself. Reclaim your privacy. Visit joindeleteme.com TWiT offer code TWiT gets you 20% off. Joindeleteme.com twit use the promo code TWiT for 20% off. We thank them so much for their support of security. Now, time for our picture of the week. Now, I'm not. I want to scroll up. And then after I do, I will look at it for a minute and then I'll let you all nominee for the Darwin Awards. Oh my God, that's gotta be staged. If it's not, then let's do a little requiem for this guy.

Steve Gibson (12:22)

Yeah. So.

Leo Laporte (12:26)

I understand the need to party. I certainly do.

Steve Gibson (12:31)

So we start with a very large inflatable backyard swimming pool. Looks like it could hold about 50 people. So, you know, big blue perimeter filled with water. Now, apparently these guys didn't want to get out of the pool in order to, I don't know, enjoy some grilled meat.

Leo Laporte (12:56)

It's a party in the pool. They got the beers. They've actually taken a table. They put a table in the pool.

Steve Gibson (13:03)

Yes, yes. Now the problem is that rather than using briquettes of any sort, they thought, well, let's just, you know, we don't have a wood burning grill.

Leo Laporte (13:14)

We have an electric griddle.

Steve Gibson (13:15)

We got an electric grill. Now we need to get power to this grill, but the cord's not long enough to reach from the grill to past the perimeter of this round backyard pool. So we need to use an outlet strip which in order to like, you know, bridge from the, the grill to outside of the pool.

Leo Laporte (13:41)

But these guys are very safety conscious. They know you can't submerge that strip.

Steve Gibson (13:46)

Oh, no, no, that would not be good. No. So they took some floating flip flops.

Leo Laporte (13:52)

Some floating shower slippers.

Steve Gibson (13:55)

Yes. Some sandals. And they, they stuck them on each end of the power strip to float them in the middle of the pool. Meanwhile, we see the cord from the power strip going over to the edge where it meets some sort of. Looks like a wood block. Like what they're doing with a door wedge connected to another. Maybe that's.

Leo Laporte (14:22)

The cord will float if it falls in. This is ridiculous.

Steve Gibson (14:29)

Yeah.

Leo Laporte (14:30)

So what, you know, just out of curiosity, what would happen if that power strip fell in the pool?

Steve Gibson (14:38)

Okay, now to the credit, giving credit to our listeners, I finished putting the show notes together yesterday, late afternoon. So I did the mailing. It went out to 16,100 of our listeners who have subscribed to the weekly mailing. So I've had feedback about this picture since then. Many of our, of our listeners said, well, you know, they're in a plastic, they're in a, they're in a plastic rubber pool.

Leo Laporte (15:09)

It's insulated.

Steve Gibson (15:10)

They're not connected to ground.

Leo Laporte (15:12)

They're not grounded.

Steve Gibson (15:13)

They're not yet. That's right.

Leo Laporte (15:14)

Very much like a surge strip. It probably has a fuse.

Steve Gibson (15:17)

Well, it's very much like one listener drew the analogy to the bird that lands on the high tension wire. It lands on the wire. It doesn't turn into barbecued bird immediately. You know, it doesn't know what's going on. Maybe its teeth hurt a little bit, I'm not sure. But basically it's gonna survive. So. So the problem would be assuming that this weird sandal power strip thing capsizes in the pool, it would just blow the fuse. I mean, back at the house, a fuse would blow.

Leo Laporte (15:53)

Yeah.

Steve Gibson (15:53)

The coffee turn off in the kitchen.

Leo Laporte (15:56)

Yeah.

Steve Gibson (15:56)

You know.

Leo Laporte (15:57)

You know what could be a trouble is if at the same time as it sank, somebody stepped out of the pool and had one leg in the.

Steve Gibson (16:04)

Pool and one leg on the ground. Then you're the bird that lands, straddles two wires. And we remember what happened with Wile E. Coyote on the Roadrunner turns into a little poof. Just a little, little shadow of its former self. Little crispy sticks that then drops down to the bottom of the ground.

Leo Laporte (16:26)

So I want to see more, more Darwin Award pictures.

Steve Gibson (16:30)

So what you need to do, basically.

Leo Laporte (16:31)

Burke has probably been electrocuted many times in the studio. He says the wire is the ground. So maybe it, I mean, it could just go right back to the ground through the wire. Right.

Steve Gibson (16:43)

Well now this guy in the. Who's further away, who seems to think this is quite entertaining, he's smiling. It looks like he's pushing the edge of the pool down also because he's fake like. Yeah. And so if any water is running out past him, that's running to ground and he could be helping to close the circuit. Yeah. Being struck. People have survived being struck by lightning, apparently again, their teeth hurt.

Leo Laporte (17:13)

So do not throw a toaster in the pool. I'm just saying.

Steve Gibson (17:16)

No.

Leo Laporte (17:16)

Or a grill. Don't do that.

Steve Gibson (17:18)

Actually, don't do any of this, kids. Bad idea. Thus the Darwin Award. Although it looks like these people probably already have reproduced, so they will not. This won't be limiting their future ability to propagate this foolishness. So as we know, the United States has shunned the Russian cybersecurity firm Kaspersky over understandable, if unfair, concerns of the potential for Russian influence, which would be truly devastating if Kaspersky were to ever turn malicious. Given the, I mean, like, how much of their software was, you know, phoning home from inside the U.S. again, it's unfortunate that this happened. Kaspersky is nevertheless continuing to contribute their important security research to the world and their publication last Friday about their discovery of a new Trojan, which they've dubbed Spark Cat. S, P, A R, K, C, A, T. Spark Cat is another example of Kasper Ski's continuing value to everyone, even though we don't want to trust them anymore, which, as I said, is too bad. So I want to share the details of their discovery because it should put everyone on notice of the way malware is evolving. And I'm sure that the fact that it illustrates the potential for the abuse of Microsoft's own screen scraping recall technology will not be lost on any of our listeners who dislike the idea of having their PCs constantly being scraped and archived, because that's sort of the way this thing works. Kaspersky's piece is titled sparkcat Trojan Stealer Infiltrates App Store and Google Play Steals data from Photos when they follow that with the tag. We've discovered apps in the official Apple and Google stores that steal cryptocurrency wallet data by analyzing photos. So here's what they published last Friday. And you know, it strikes me this is, this is sort of the evolution of the earlier cryptocurrency stealers which were monitoring people's clipboards, right? They were like, you know, polling the Windows clipboard because it would be like, it would be natural for a Windows user who is wanting to send some cryptocurrency somewhere. You know, it's like, you know, you're paying somebody through Bitcoin and they say, here's our address. Send us X Bitcoin. And so, you know, the addresses are crazy. So you copy that address with your mouse, you know, hit Control C to copy it. Then you, you go over to your Bitcoin wallet where you want to send Bitcoin to an address and you paste it. Well, you don't even. At no point do you try to like, study that Ghibli gibberish of a bitcoin, of a bitcoin address you just blindly copy and paste. Of course, as we know, cryptocurrency stealers, first generation ones, they would watch for the arrival of a bitcoin address and quickly substitute their own so that, so that the address you pasted was not the address you had copied. And you ended up sending them the money that you were intending to send somewhere else. And then, you know, after a while, you contact the original group and say, hey, where's my thing that I ordered? And they go, where's the money that you're supposed to send? And you say, I sent you the money. It was like, well, no. Anyway, bad guys got it. So here's the evolution of that, kaspersky said. Your smartphone gallery may contain photos and screenshots of important information you keep there for safety or convenience, such as documents, bank agreements or seed phrases for recovering cryptocurrency. Wallets all of this data can be stolen by a malicious app, such as the sparkcat stealer. We've discovered this malware is currently configured to steal crypto wallet data, but it could be easily repurposed to steal any other valuable information. And again, it's like it's one thing to be careful about not putting like taking a photo of something with your phone, despite the fact that we're told how secure that is. But it is really creepy if you know your Windows desktop was doing that continuously, they said. The worst part is that this malware has made its way into official app stores with almost 250,000 downloads of infected apps from Google Play. Although malicious apps have been found in Google Play before, this marks the first time a stealer Trojan has been detected in the app store. How does this threat work and what can you do to protect yourself? Apps containing sparkcat's malicious components fall into two categories. Some, such as numerous similar messenger apps claiming AI functionality, all from the same developer, were clearly designed as bait. Some others are legitimate apps. Food delivery services, news readers, Crypto wallet utilities, they said we don't yet know how the Trojan functionality got into these apps. It may have been the result of a supply chain attack, you know, where they broke into the app's developers and injected their library, they said, where a third party component used in the app was infected. Alternatively, the developers may have deliberately embedded the Trojan into their apps. The stealer analyzes photos in the smartphones gallery and and to that end, all infected apps request permission to access the user's photos. In many cases, this request seems completely legitimate. For example, the food delivery app Come Come requested access for a customer support chat, right upon opening this chat, which looked completely natural. Other applications request gallery access when launching their core functionality, which still seems harmless. After all, you do want to be able to share photos in a messenger, right? However, as soon as the user grants access to specific photos or the entire gallery, the malware starts going through all the photos it can reach, searching for anything it might find valuable. To find crypto wallet data among photos of cats and sunsets, the Trojan has built in optical character recognition module based on the Google Machine Language Kit. You know, the Google ML kit, a universal machine learning library. Depending upon the device's language settings, sparkcat downloads models trained to detect the relevant script in photos, whether Latin, Korean, Chinese or Japanese. So multilingual. After recognizing the text in an image, the Trojan checks it against a set of rules loaded from its command and control server. Thus its function, what it's doing when it finds things can be varied on the fly, they said. In addition to keywords from the list, e.g. mnemonic, the filter can be triggered by specific patterns, such as meaningless letter combinations in backup codes or certain word sequences in seed phrases. The Trojan uploads all photos containing potentially valuable text to the attacker's servers, along with detailed information about the recognized text and the device the image was stolen from. So it's serving sort of as a front end filter. Doesn't want to swamp these nefarious creators, the developers with everything every photo in everyone's phone who who downloads it, so it does upfront filtering to determine if anything is interesting. No sunsets and cat pictures, they said. We identified 10 malicious apps in Google Play and 11 in the app Store. After notifying the relevant companies and before publishing this, all malicious apps had been removed from the stores. The total number of downloads from Google play alone exceeded 242,000 at the time of analysis, and our telemetry data suggests that the same malware was available from other sites and unofficial app stores as well. Judging by sparkcat's dictionaries, it is trained to steal data from users in many European and Asian countries, and evidence indicates that attacks have been ongoing since at least March of of 2024, so this is coming up on a year old. The authors of this malware are likely fluent in Chinese. More details on this, as well as the technical aspects of Spark Cat can be found in the full report on seclist. So that you know which is the the secure list is where Kaspersky posts all of their technical stuff. So under how to protect yourself from OCR Trojans, they write. Unfortunately, the age old advice of only download highly rated apps from official app stores is a silver bullet no longer. Even Apple's App Store has now been infiltrated by a true infosteeler and similar incidents have occurred repeatedly in Google Play. Therefore, we need to strengthen the criteria here. Only download highly rated apps with thousands or better still millions of downloads published at least several months ago. Also verify app links in official sources such as the developer's website to ensure they're not fake and read the reviews, especially the negative ones. They said. You should also be extremely cautious about granting permissions to new apps. Previously this was primarily a concern for accessibility settings, but now we see that even Granting gallery access can lead to the theft of personal data. If you're not completely sure about an app's legitimacy, for example, it's not an official messenger, but a modified, like, enhanced version. Don't grant it full access to all your photos and videos. Grant access only to specific photos and only when necessary. Storing documents, passwords, banking data, or photos of seed phrases in your smartphone's gallery is highly unsafe.

Leo Laporte (28:39)

Don't do that.

Steve Gibson (28:40)

Don't just start with not doing that.

Leo Laporte (28:43)

Yes, get a password manager.

Steve Gibson (28:47)

Yep. They said besides stealers such as sparkcat, there's also always the risk that someone peeks at the photos or you accidentally upload them to a messenger or file sharing service. Such information should be stored in a dedicated application. To your point, Leo. Exactly that. And they said, finally, if you've already installed an infected application, the list of them is available at the end of the seclist post. Delete it and don't use it until the developer releases a fixed version. Meanwhile, carefully review your photo gallery to assess what data the cybercriminals may have obtained. Change any passwords and block any cards saved in the gallery. Although the version of sparkcat we discovered hunts for seed phrases specifically, it's possible that the Trojan could be reconfigured to steal other information. As for crypto wallet seed phrases, once created, they cannot be changed. Create a new crypto wallet, transfer all your funds from there, and completely abandon the compromised one.

Leo Laporte (29:53)

We should say that Apple Deleted has presumably killed.

Steve Gibson (29:57)

Well, I don't know if they've retroactively killed the.

Leo Laporte (30:01)

Yeah, they killed the apps in the store, but maybe they didn't use the kill switch. They have a kill switch to delete apps that are unsafe like that and.

Steve Gibson (30:09)

Casper Keys point is that even if they did, yeah, it's worth it. I mean, and you know, the good news is these are not mainstream apps, you know, Come Come, which is some Chinese food delivery service.

Leo Laporte (30:27)

Okay?

Steve Gibson (30:27)

It's, it's, you know, it's not something that a lot of people are probably going to have. On the other hand, 242,000 people have had downloaded apps that had this in it from Google Play. And so Kaspersky's point is, it's worth auditing the photos that you have to see what they may have gotten and get proactive. Because if you've got a bunch of Bitcoin and you're storing your recovery phrases in a photo in your photo library, first of all, bad idea. But secondly, you know, if you were to find that in, in your photo library, Good idea to just create a new wallet and move everything over there and just don't do that again.

Leo Laporte (31:16)

Now if somebody stole the password or the recovery phrase from my wallet, I would really appreciate it if you just let me know.

Steve Gibson (31:23)

Because yes, you would call it a commission if they. That's right. Okay, so I linked to Kaspersky's full technical report. For anyone who wants to dig into this more deeply, I'll go one step further than Kaspersky has in my advice. Just as as is true with today's web browsers whose users have demanded openness in the form of browser add ons, the same openness has been demanded and received from mobile phone manufacturers. Unfortunately, there are bad guys in the world who profit from victimizing others. The other thing we've seen is that despite the best efforts of those managing the add ons that are available for our browsers and our phones, malicious applications still manage to sneak in. The good news is that one thing we've seen over and over is that the least secure and and malice prone applications are typically, you know, again, as I'd call them, I guess I would call them sort of gratuitous additions. They're apps that everyone can live without. So their victims tend to be people who download anything that comes along that looks even remotely interesting. I mean, they've completely lost control of their phones. They don't know where any of their apps are. They don't. They just scroll endlessly trying to find an icon for something that they're looking for. They have no appreciation for the fact that there is a non zero chance that the creator of any given app may have malicious intent or may not, but used a malicious library without knowing it. The point is non zero, which tells us just the law of statistics and probability and numbers. The more apps you have where each one has a non zero chance of being a problem, the greater the total problem. And it only takes one in order to create a leak. So my advice is always to keep this in mind when deciding whether you really need the app you're considering. And because our devices manufacturers have done everything they can to give us the tools to restrain what apps can do even after they're resident in our devices. Be parsimonious with the access permissions that apps are granted. And I know this is tricky since apps will be cleverly designed to need the permissions they wish to abuse, but at least always question their need. And Leo, it just is a fact that that that we're seeing arguably more of this today than when this podcast began 20 years ago.

Leo Laporte (34:23)

Because there's more money to be had, right?

Steve Gibson (34:26)

Yeah, we are. Everything's on our phones nowadays and, and more devices available. I mean, you know, I mean everybody has one. You don't see. I see people. You know, everybody sitting in a restaurant is staring at their individual phones. I don't know how people don't fall off. They're walking down the sidewalk really bad staring at their phones. I think. What, what is it? What are you doing?

Leo Laporte (34:50)

It's amazing. Well, yeah, they're desperately avoiding any boredom or feelings or, or knowledge of the world. They're, they're, they're. It's there. It's narcotic. Narcotic. They're not narcotizing themselves. I do think. And you said something really important. I really would underscore this and I always said it on the radio show. Install the fewest possible apps. You know, don't. On your desktop, on your laptop, on your iPad, on your phone. The fewer the apps the better because every app raises the specter of a security flaw or just a bug.

Steve Gibson (35:29)

Also we are seeing the built in apps slowly subsuming the functionality. I used to use. I had a really cool perspective correction app that I was using. Now it's built in. There was never an edit button in the beginning for photos. Now you push edit, you can rotate them, you can fix the perspective, do all this kind of stuff. So you don't need third party apps to do that.

Leo Laporte (35:59)

You probably on an iPhone or a good Android phone like a Google Pixel could get away without any apps.

Steve Gibson (36:05)

I think that's really the case and.

Leo Laporte (36:07)

That would be a lot safer for sure.

Steve Gibson (36:10)

I should mention one of your guests. I think it might have been Alex mentioned Forca. F O R E C A. Yeah.

Leo Laporte (36:20)

We'Ve been talking about that for a long time as the best weather app.

Steve Gibson (36:23)

I absolutely. I just, I've been wanting to mention to our listeners, I don't. Is it multi platform? Is it available on Amazon?

Leo Laporte (36:31)

It's everywhere.

Steve Gibson (36:31)

Yeah, it is so good. They asked me after a year, I think they said could we have a little more money? I said yes because it, I, you know, I want them to keep it the way it is. Anyway. It, it's a, it's short for forecast. F O R E C A I'm I. It's an app. It made me think of it because you know I'm not, I don't think Apple's weather thing, it's pretty bare bones. Holds a candle to forecast.

Leo Laporte (36:59)

It's pretty bare bones.

Steve Gibson (37:00)

So there's an example of something where you really. Okay, yeah, but you can trust these guys.

Leo Laporte (37:04)

Yeah, I think you trust them. A lot of weather apps actually use forecast the back end. I think my carrot weather is using or at least you can choose forecast backend.

Steve Gibson (37:13)

But look at satellite and radar and it does take some getting used to. It is very information dense and it's also customizable what things you do care about and you don't. I don't care about wind that much. So I turn it takes up space on my screen, get rid of wind. But I do want rainfall and boy, like to know what time of day something's going to happen. Anyway, just a unsolicited note that I've been meaning to mention it because I just keep really liking it.

Leo Laporte (37:45)

They're on the web. They're on the Google Play Store, the Apple Store, the web. It looks like they. Yeah, you can use the web version.

Steve Gibson (37:53)

Big screen.

Leo Laporte (37:54)

Yeah.

Steve Gibson (37:55)

Nice.

Leo Laporte (37:55)

And it has the videos and everything too, which is really pretty cool. I like it. Look at that. If all you need is a green screen, Steve. And you can do your own weather report.

Steve Gibson (38:06)

Yes. I don't. Okay, I was gonna say something off.

Leo Laporte (38:09)

Color, but no, no, I'm not a weather girl.

Steve Gibson (38:15)

But on that note, let's take a break and then we're gonna come back and talk about the UK's new demand for Apple's encrypted data.

Leo Laporte (38:22)

Oh, I do really want to hear what you have to say about that. We knew it was coming. It just. It's finally happened, right?

Steve Gibson (38:30)

Yes. Well, this, you know, it's like they, they keep trying, right? They just like they, they keep hitting this immovable wall. I have an idea, though.

Leo Laporte (38:40)

Oh, now I'm liking it. Stay tuned. Steve has an idea. But first, a word from our fine sponsor, Thinkst Canary. We've been talking about them for years. They are really a great product. In a nutshell, Thinkst Canary is a honeypot that is ultimately configurable. You can deploy it in minutes. You know, no coding on your part, but it can be anything from a Windows server, a web server, a SCADA device, an SSH server. Mine's a Synology nas. And it impersonates these. I mean, it's really nicely done. My Synology NAS has a Mac address that's a Synology Mac address. It's got the login screen just like DSM 7. I mean, it really looks real. In fact, the hacker is going to look at it and go, oh, that's not a setup. That's the Real deal. I'm going to get in there. That's what's so great about Thinks Canary. If someone is accessing your fake internal SSH server. Or by the way, the Canary can make files that you can spread around as well. PDF, Excel, DocX, give them provocative names, employee information, SS XL, or something. And if a bad guy or malicious insider attacks those files or tries to brute force your fake SSH server, your Thinks Canary is immediately going to tell you you got a problem. Because there's no way anybody's going to access that by accident. That's somebody who's trying to steal from you. No false alerts, just the alerts that matter. And by the way, you get them any way you want. It supports Syslog, of course, they have an API, but also web hooks, Slack text messages, email. You could have a phone call, I bet. I mean, it's really flexible, very smart. So you. You get the Things Canary. It looks like a usb, external USB drive, just kind of a little black thing that you connect into the wall and to your Ethernet, okay? Then you choose. You go into the console on your browser, you choose log into your account, choose a profile for your device, then you register with the hosted console. And so now that console is going to monitor, it's going to handle the notifications, it's going to get them out to Syslog if you want, wherever you need it, any way you want it. Web hooks they support. Then just sit back. If an attacker is inside your network or there's a malicious insider, they will make themselves known because they will inevitably access your Things Canary. They don't look vulnerable, they look valuable. Bad guys can't resist the Things to Canary. Visit Canary Tools slash twit. Some big banks might have hundreds of them. A small operation like ours, a handful. I'll give you an idea. This is what it costs us for 7500 bucks a year. Five thingst canaries. Okay? You get your own hosted console. All the upgrades, all the support, all the maintenance, and they're very responsive, they're very helpful. And I'm gonna save you even more because if you use the Code Twit in the how did you hear about us? Box, they love us. They will give you 10% off. Not just for the first year, but forever. As long as you have a subscription, 10% off. And if you're at all nervous. Cause I understand maybe this is the first time you're hearing about this. Although we've talked about it an awful lot. You should not worry because you can always return your thinkscanary. They have a 2 month 60 day money back guarantee for every penny. All right, Full refund. I should point out that in the eight years that we have been doing ads for ThinksCanary, no one has ever claimed the refund. Literally zero. Because once you get it in there you go, oh yeah, I don't know how I live without it. It's a brilliant idea. Visit Canary Tools Twit Use Twitten how did you hear about us? Box. You get 10% off for life. Canary Tools Twitter Love this product. Think you should check it out. Honestly, there's no risk. Why not? You could be the first one to return it. You won't though. We know you won't. It's such a good, good idea. Canary Tools Slash Twit all right Steve, I'm very curious. They call it the Snoopers Charter, you know, the Investigative Powers Act.

Steve Gibson (42:55)

So last Friday the news broke that the United Kingdom was demanding that Apple provide access to its users cloud data. I received links from our listeners to stories of this in the Register, the Guardian and the BBC. These reports were all picking up the news, which was first reported in the Washington Post. And the Post provided the best coverage of all. So let's turn to the source for, of, you know, for the whole story. So here's what we know from the Washington Post's reporting. They said security officials in the United Kingdom have demanded that Apple create a backdoor allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told the Washington Post. Okay, so again, all the content any Apple user worldwide has uploaded to the cloud. Good luck with that. But this is what they say they want. The British government writes the Post, undisclosed order issued last month requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades long battle to avoid being wielded as government tools against their users, the people said, speaking under the condition of anonymity to discuss legally and politically sensitive issues rather than break the security promises it made to its users everywhere. Apple is likely to stop offering encrypted storage in the uk, the people said. Yet that concession would not fulfill the UK's demand for backdoor access to the service in other countries, including the us. The Office of the Home Secretary has served Apple with a document called A Technical Capability Notice, ordering it to provide access under the sweeping UK investigative investor. I always trip up on that UK Investigatory Powers Act 2016, which authorized law enforcement to compel assistance from companies when needed to collect evidence. The people said the law, known by critics, as you said, Leo, the Snoopers Charter, makes it a criminal offense to reveal that the government has even made such a demand. An Apple spokesman declined to comment. After all, they can't reveal that Apple can reveal can appeal the UK capability notice to a secret technical panel which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government's needs. But the law does not permit Apple to deny complying during an appeal, meaning you can't use the appeal to delay the order, which of course means that the information that the UK would want would already be in their possession. Even if Apple were to win the appeal, it'd be too late. So this is a mess. In March, writes the Post, when the company was on notice that such a requirement might be coming. So almost a year ago, it told Parliament there is no reason why the UK government should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end to end encryption. The Home Office said Thursday that its policy was not to discuss any technical demands. But their spokesman said, quote, we do not comment on operational matters, including, for example, confirming or denying the existence of any such notices. In other words, no comment. Senior national security officials in the Biden administration had been tracking the matter since the UK first told the company Apple it might demand access, and Apple said it would refuse. It could not be determined whether they raised objections to Britain. Trump, White House and intelligence officials also declined comment. One of the people briefed on the situation, a consultant advising the United States on encryption matters, said Apple would be barred from warning its users that its most advanced encryption no longer provided full security. The person deemed it shocking that the UK government was demanding Apple's help to spy on non British users without their government's knowledge.

Leo Laporte (47:53)

This is really important. It includes us.

Steve Gibson (47:56)

Yes, yes. And a former White House security advisor confirmed the existence of the British order. So in their reporting the Washington Post, you know, did their due diligence and they got multi source confirmation that this is all happening and has happened. At issue they finish, is cloud storage that only the user not Apple can unlock. Apple started rolling out the option which it calls advanced data protection in 2022. It had sought to offer it several years earlier, but backed off after objections from the FBI during the first term of President Donald Trump, who pilloried the company for not aiding in the arrest of quote killers, drug dealers and other violent criminal elements. Unquote. The service is an available security option. We're talking about advanced data protection for Apple users in the United States and elsewhere. While most iPhone and Mac users do not go through the steps to enable it because it's not enabled by default, the service offers enhanced protection from hacking and shuts down a routine method law enforcement uses to access photos, messages and other material. Icloud storage and backups are favored targets for U.S. search warrants, which can be served on Apple without the user knowing. So, and just for the record, remember, it's often not a question or choice about whether you want ADP enabled. I'd love to have it enabled, but I cannot. In fact, the more faithful and loyal a user is to Apple, the less likely it is they'll be able to enable advanced data protection. I just double checked as I was preparing the notes on Sunday I tried to enable it. I was provided with a list of six older but still in use by me Apple devices that would need to be running a newer edition of iOS or iPad OS than they're capable of running. So ADP is a non starter for me since I still use those older and still working Apple devices every day anyway, the Post continues saying technologists, some intelligence officers and political supporters of encryption reacted strongly to the revelation. After this story first appeared, Senator Ron Wyden, a Democrat on the Senate Intelligence Committee, said it was important for the United States to dissuade Britain. He said, quote, trump and American tech companies letting foreign governments secretly spy on Americans would be unconscionable and an unmitigated disaster for Americans privacy and our national security. Meredith Whitaker, of course, who we know is the president of a nonprofit encrypted messenger signal, said, quote, using technical capability notices to weaken encryption around the globe is a shocking move that will position the UK as a tech pariah rather than a tech leader. If implemented, the directive will create a dangerous cybersecurity vulnerability in the nervous system of our global economy. Now, she didn't say they would pull out, but we know they would. She has previously said that when the EU was was rattling their sabers. Similarly, law enforcement authorities, writes the Post, around the world have complained about increased use of encryption and communication modes beyond simple phone traffic, which in the United States can be monitored with a court's permission and as we know, can also be monitored without the court's permission by China. The UK and FBI in particular have said that encryption lets terrorists and child abusers hide more easily. Tech companies have pushed back, stressing a right to privacy in personal communication and arguing that backdoors for law enforcement are often exploited by criminals and can be abused by authoritarian regimes. Most electronic communication is encrypted to some degree as it passes through privately owned systems before reaching its destination. Usually, such intermediaries as email providers and Internet access companies can obtain the plaintext if police ask. But an increasing number of tech offerings are encrypted end to end, meaning that no intermediary has access to the digital keys that would unlock the content that includes signal messages. Meta's WhatsApp, which as we know is based on Signal and Messenger, WhatsApp and Messenger, both from Meta and of course Apple's iMessages and FaceTime calls. Often such content loses its end to end protection when it's backed up for storage in the cloud. That does not happen when Apple's Advanced Data Protection option is enabled. Apple has made privacy a selling point for its phones for years, a stance that was enhanced in 2016 when it successfully fought a US order to unlock the iPhone of a dead terrorist in San Bernardino, California. It has since sought to compromise, such as by developing a plan to scan user devices for illegal material. I'll mention that again in a second. That initiative was shelved after heated criticism by privacy advocates and security experts who said it would turn the technology against customers in unpredictable ways. Google would be a bigger target for UK officials because it's made the backups for Android phones encrypted by default since 2018. Google spokesman Ed Fernandez declined to say whether any government had sought a backdoor but implied none had been implemented. He said, quote, google cannot access Android end to end encrypted backup data, even with a legal order. Meta also offers encrypted backups for WhatsApp. A spokesperson declined to comment on government requests, but pointed to a transparency statement on its website, saying that no backdoors or weakened architecture would be implemented if the UK secures access to the encrypted data. Other countries that have allowed encrypted storage, such as China, might be prompted to demand equal backdoor access, potentially prompting Apple to withdraw the service rather than comply. And of course, that's what everyone thinks they'll do. The battle over storage privacy escalated in Britain is not entirely unexpected. In 2022, UK officials condemned Apple's plans to introduce strong encryption for storage, a government spokesperson told the Guardian newspaper, referring specifically to child safety laws. End to end encryption cannot be allowed to hamper efforts to catch perpetrators of the most serious crimes. After the Home Office gave Apple a draft of what would become a backdoor order, the company hinted to lawmakers and the public what might lie ahead. During a debate in Parliament over amendments to the Investigatory Powers Act, Apple warned last March that the law allowed the government to demand backdoors that could apply around the world. In a written submission, Apple stated these provisions could be used to force a company like Apple that would never build a backdoor into its products to to publicly withdraw critical security features from the UK market, depriving UK users of these protections. Apple argued that when wielding the act against strong encryption, would conflict with a ruling by the European Court of Human Rights that any law requiring companies to produce end to end encrypted communications, quote, risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users and violates the European right to privacy. Finally, in the United States, decades of complaints from law enforcement about encryption have recently been sidelined by massive hacks by suspected Chinese government agents who breached the biggest communications companies and listened in on calls at will. In a joint December press briefing on the case by FBI leaders, a Department of Homeland Security official urged Americans not to rely on standard phone service for privacy and to use encrypted services when possible. We mentioned that at the time. Also that month, the FBI, the NSA and CISA joined in recommending dozens of steps to counter the Chinese hacking spree, including, quote, ensure the traffic is end to end encrypted to the maximum extent possible, unquote. Officials in Canada, New Zealand and Australia endorsed the recommendations. Those in the United Kingdom did not. Okay, so the Washington Post's report correctly noted, and as we analyzed after its architecture was published, Apple has properly implemented true end to end encryption for every one of its cloud based services where its use is feasible. As such, only the user's various iOS and iPad OS devices contain the key that's required to decrypt the contents of the data stored and shared in the cloud. Everything transiting to and from the cloud is, as we used to say, PI pie pre Internet encrypted and cannot possibly be accessed by anyone with access to either the data stored or in transit. The data could only be encrypted or decrypted on the user's device, and the key can never be removed from the user's device. So we're back here once again with the UK demanding something that none of the providers of secure messaging or secure storage will be willing to accommodate. But there's been a recent change that promises to provide the long sought after solution to at least part of this problem. At least one of the reasons that everybody like that the bureaucrats and politicians are saying they need this and that's for the children and that's AI. Back in 1964, as part of a ruling about pornography, U.S. supreme Court Justice Potter Stewart famously said, I may not be able to define it, but I know it when I see it. I see no reason why AI functioning as an autonomous angel perched on every iOS user's shoulder should not be able to stand in for Justice Stewart. This AI would not need to contain the library of known CSAM child sexual abuse material, you know, the hashes for which users refused to have preloaded into their devices, feeling that this, this awful stuff was somehow in their phone. Instead an AI would be trained to recognize such images. We know that Apple devices are already, already actively performing some of this nanny function. They are already empowered to warn their underage users when they may be about to send or receive and view any imagery that might be age inappropriate for them. And this is, you know, all that any far more capable AI enabled monitoring system would need to do. What's significant is that it would not need to prevent the device from capturing and containing whatever content its user may wish to have. Parents can still take photos of their own kids in the bath. The system simply needs to filter out and prohibit the device's communication, its reception or transmission of any such content that could potentially be subject to abuse. And once such filters are in place, there will be no need to gain access to anything stored in the cloud because there will be no way for anything abusive to leave or be received by any Apple device. Given the history of government abuse of surveillance powers. And many argue that the urgency to protect the children is just a smokescreen behind which lies a thirst for wider surveillance that could be turned, as it has been elsewhere, onto political rivals and other non juveniles. So having companies like Apple, Signal Meta and others deploy local AI to lock down the content which their systems would refuse to send or receive, short circuits any government attempt at overreach. And one of the best things about such solutions is that their effectiveness is so readily tested. Just present an AI protected device with some test content that should not be communicated in order to verify that it's doing its job. So I really, I could see this. You know, the world is all abuzz about AI. We're understanding how capable it is. It seems, it seems easily possible that a local competent AI image recognition system could perform filtering functions on individual users devices.

Leo Laporte (62:43)

Well Yes, I guess, I mean yeah, I think people, it wasn't merely that they didn't want the key, the hashes on there. I think they just don't like the idea of that kind of scanning going.

Steve Gibson (62:58)

On of any involvement of any kind.

Leo Laporte (63:01)

Yeah, maybe, you know, if it's a trade for that to encryption, I think, I mean it's obvious they want everything. CSAM is just the pretext. They, they want everything.

Steve Gibson (63:13)

Yeah, yeah. Also I, as I mentioned at the top, France is doing something similar. An article appearing in Intelligence Online carried the headline France makes new push for backdoors into encrypted messaging apps. And the additional detail about that was behind a paywall but also showing it said French senators have passed an amendment paving the way for intelligence agencies to access backdoors in the messaging apps such as WhatsApp, Signal and Telegram and presumably, you know, iMessage. But what we believe is there are no such backdoors so that would be requiring them to compel their creation. It's going to be interesting, Leo, to see what happens. Is Apple what going to say to the uk? Well we're going to not offer any encryption in the uk but as we know that's not what the UK is demanding. They're demanding access to any user anywhere. Like, you know, demanding the end of encryption.

Leo Laporte (64:30)

Right. Basically, yeah. The thing that we don't know and probably will never know is because this was secret. I mean the UK has not admitted to it, as you said, nobody. It's just it was a leaker. I would imagine they've also sent similar requests to signal WhatsApp. Google. Right.

Steve Gibson (64:51)

Just hasn't leaked. Right. Why would they target Apple? And Apple's not even the majority platform. Google and Android are the larger platform.

Leo Laporte (64:59)

Right. Why stop at Apple? So that, I mean there will be no refuge except for doing something roll your own kind of a thing if you really wanted end to end encryption.

Steve Gibson (65:08)

And as we've said, if encryption is outlawed, only the outlaws will be using encryption.

Leo Laporte (65:13)

Yeah, people with incentive because frankly very few people use advanced data protection. You found the. One of the things that stopped me is, you know, you have to have everything up to date, but also you lose some capabilities and there's this whole big risk of losing all of your data too if you forget your password. Most people don't use it. So I mean the people who are most motivated to use encryption who are criminals, of course. Well no, not exclusively, but criminals are among those are going to find ways. So this isn't going to have any effect. It's it's 1984 is what it is.

Steve Gibson (65:51)

Yeah.

Leo Laporte (65:52)

Depressing.

Steve Gibson (65:53)

Okay, another break, and then we're going to talk about Firefox 135.

Leo Laporte (65:56)

Okay.

Steve Gibson (65:57)

And a bunch of new features.

Leo Laporte (65:59)

Yes, sir. I'll start downloading it right now. But before I do, let me tell you about our sponsor for this segment of security. Now, Zscaler, the leader in cloud security, you've heard us talk about Zero Trust. This is the way, right? This is the way forward Enterprises have spent billions of dollars on firewalls, perimeter defenses. Right, and VPNs so that you can get through the firewall and get to work. But breaches, they're not going away. They rise every year. 18% increase in ransomware attacks in 2024. $75 million. Record payout in 2024. And that's probably only the tip of the iceberg. As we're going to learn later, a lot of, a lot of companies and others are reluctant to say, oh, yeah, we, we paid the bad guys. They don't want to, they don't want to say it. We know this is going on. It's just getting worse and worse. The problem is that these perimeter defenses actually expand your attack surface. In order to make it possible to VPN in, they have to get public facing IP addresses. Bad actors now have something to hang their hat on, and they can get in even more easily than ever before because they're using AI to crack these security, frankly, flawed security perimeters. Oh, and there's another problem. Because VPNs and firewalls enable lateral movement the minute you're in the network. The assumption is, oh, he's an employee, he's a good guy, so they'll connect you to the entire network. So now there's lateral movement. A bad guy, once they're in, they can move anywhere and start exfiltrating stuff like your corporate emails, your customers information. And they do it via encrypted traffic that the firewalls struggle to inspect at scale. I mean, it's just a mess. The bottom line is hackers are exploiting traditional security infrastructures and they're doing it faster than ever using AI. So they're outpacing your defenses. Now's the time to think differently, to find a new way to rethink your security. Don't let the bad actors win. They're innovating and exploiting faster than you can defend. You need Zscaler Zero Trust plus AI. It stops attackers by, well, one, hiding your attack surface. Your apps and IPs are invisible attackers. Hackers can't attack what they can't see. It also eliminates lateral movement connecting user Once you're in right, you're just not. You don't get carte blanche. You can only access specific apps, not the entire network. And based on the permissions that you've been given. And by the way, Zscaler+AI continuously verifies every request based on identity and context. AI is really great for this. It also simplifies security management because of the AI powered automation. And they have to use AI because one of the things Zscaler does is they analyze half a trillion daily transactions looking for malicious intent, malicious action. And you know, that's a needle in a very big haystack. But the AI can really help find that hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at Zscaler.com Security Z S C-A L E R.com Security thank you Zscaler for supporting Steve and Security now. And you support us when you use that address so they know you saw it here. Zscaler.com Security Steve so Firefox 135 was.

Steve Gibson (69:37)

Released one week ago last Tuesday, and there's some interesting news about some new features. Despite having launched Firefox four days after last Tuesday, my Firefox was still on the previous 134 release. So I went to about Firefox and that's how I saw that I was on 134 and it said, you know, update or upgrade or whatever. I clicked the button and it did that and restarted. I was first greeted with a big page telling me that I'm now able to edit PDFs directly in Firefox, which may indeed come in handy. But beyond that, Firefox translations now supports more languages than ever. Pages in simplified Chinese, Japanese and Korean can now be translated, and Russian is now available as a target language for translating into. And in fact I used that a couple days ago for some Russian site that I went to when I was pursuing news for the podcast and it came up unintelligible, but there was that little translation icon at the right hand of the URL. I clicked it and blink it turned it into English. So actually I think some of the text that's in here is from the translation. So very handy. Also, credit card autofill is now being rolled out gradually to all users globally. And as I mentioned, AI chatbot access is now also being gradually rolled out. I already had it when I updated. To use it, you choose the AI Chatbot from the sidebar list of available sidebars, or you can go to Firefox Labs under the Settings page in order to find it. Then you choose which provider you want and so forth. I'll talk about that in more detail in a second. Firefox also enforces certificate transparency, meaning that web servers must provide sufficient proof that their certificates were publicly disclosed before they will be trusted. And this only applies to servers using certificates that were issued by a certificate authority in the Mozilla's Root CA program. But that's all mainline certificate authorities, so that's just tightening up Firefox's public key certificate management. Also good news, CRLite, which we've talked about, that's the Bloom Filter based CRL revocation system is also now being gradually rolled out. So before long from Firefox 135 on we will have, as we discussed when we talked about this, Mozilla several times a day, updating a master Bloom filter which our browsers will download and then we will be doing browser side revocation checking with very short delay and no privacy concerns. Our browsers will not be reaching out to anybody asking whether the certificates that they're receiving from web servers are still valid. Firefox now includes, they wrote, safeguards to prevent sites from abusing the History API by generating excessive history entries. I'm sure we've run across this. It bugs me when this happens. That makes navigating with the back and forward buttons difficult by deliberately cluttering up the history. You go to a page and it refers you to another page, but then the back arrow doesn't allow you to get back to where you came from. Sometimes you're able to hit back very quickly several times in order to get around that, but not always. So they've built that in so that only the history can no longer be inserted through JavaScript API without the user actually taking actions that create a breadcrumb history. They also said that the Do Not Track checkbox has been removed from preferences. That's only because it's been incorporated into the Global Privacy Control. So GPC is where that much stronger protection has been incorporated. And the Copy without Site tracking menu item was renamed Copy Clean Link. Basically, if you're copying a link that has tracking crap in it, Firefox will remove that debris in order to give you a clean link. So it's now called Copy Clean Link rather than Copy without site tracking. So, and that's about half of those are the most interesting half of the of the changes that are now in 135. Being a user myself, as we know of ChatGPT, the idea of having it even more handy in my Firefox sidebar, where, you know, normally I always have tree style tabs open there. That's intriguing. As I said, I already have access to it. It'll be interesting to see what percentage of our listeners do. They're saying it's being rolled out, but it already came to me. It's Control Alt X for it is the shortcut which immediately jumps you to the AI chat in the sidebar. And at the moment, Anthropic's Claude Chatgpt, Google's Gemini Hugging Cat and Lichat Mistral are the various AIs that are supported. You're able to choose among them and jump around them dynamically as well. So anyway, you can also, if you go to the Settings page under the Hamburger menu icon in the upper right and then under Settings over on the left, go to Firefox Labs, you're able to enable it and see if it's available on your browser if you couldn't get to it in the sidebar. So anyway, a bunch of cool things added to our favorite browser that Leo, at least you and I use it. And I know that a lot of our listeners do too. The United States National Security Agency, our nsa, in coordination with our four partner countries, which together form the Five Eyes alliance, has just released the latest guidance on securing network edge devices. I'm just going to share their joint announcement, which is relatively short, but I know that many of our listeners have frontline responsibility in their enterprises, with a great many necessarily exposed devices on the edge, meaning, you know, the network edge, typically the edge where the Internet connects to the enterprise. So the NSA.gov sites release of this in coordination, it was dated from Fort Meade, Maryland, and they said the National Security Agency has joined the Australian Signals Directorates, Australian Cybersecurity center, the Canadian center for Cybersecurity and others to release three cybersecurity information sheets. Of course, everything is an acronym with these guys. So they are CSIS Cybersecurity. It ought to be CISS Cybersecurity Information Sheets that highlight critically important mitigation strategies for for securing edge devices, including firewalls, routers and virtual private network gateways. Collectively, these reports are Mitigation Strategies for Edge Devices. And the first sheet is the Executive Guidance. The second is Mitigation Strategies for Edge Devices, the Practitioner's Guidance, and then the other is Security Considerations for Edge Devices. They said they provide high level summary. So I've got links in the show notes to the announcement from the NSA of this and in the announcement are the links to each of those three reports. And you know the they're the executive guidance is a broad overview. You know, know the edge procure, secure by design devices, apply hardening guidance and so forth, sort of basic stuff. The security guidance is much more detailed and very useful. But it occurred to me that for our listeners it's always useful to have a checklist, right? Just to go through and say yep, took care of that. Yep, considered that. Yep, considered that. And that's nice for coverings ones but if anything does happen you're able to say well you know, we're, we're in full compliance with the NSA's latest guidance and there's also a sheet you can give to your boss and say look boss, we need to buy some stuff here because you know, our stuff won't, you know, won't do what the NSA is telling us we need to do. So useful info. I mentioned Netgear at the top. Anyone having a Recent Netgear Wi Fi 6 access point or a Netgear Nighthawk gaming router should be very sure that you're running the latest recently released as of last week firmware. Make sure now three Netgear Wi Fi 6 devices, the models Wax 214 V2, also that same Wax 206 and Wax 220. Those three models, until and unless updated, all contain highly critical CVSS 9.6 authentication bypass vulnerabilities. And we know what that means. If there's anything exposed to the Internet, there's now a way for bad guys to get in. And as I said, I already know that as a follower of this podcast, you would never enable any Internet facing remote management capabilities. No. But it's also human to assume that it could never happen to you. So please make sure that you're running the latest firmware as of last week and better yet, arrange to never be vulnerable in the first place by not opening any of those sorts of ports. So those three WI fi routers were vulnerable to a now patched authentication bypass with that, you know, 9.6 out of 10. But three other Netgear Nighthawk gaming routers rated an even higher CVSS score of 9.8 for their unauthenticated remote code execution vulnerabilities. The three affected routers are the XR500, the XR1000 and the XR1000 V2. They are all Nighthawk Wi Fi 6 Pro gaming routers. If any of those numbers sound familiar, and especially if you if you or someone you know may have been unable to resist the temptation of enabling any sort of remote access, you'll want to update them to the latest firmware immediately. I saw no reports of this being a zero day. As far as I know, the vulnerability was responsibly reported to Netgear. But we also know that once it is known that these problems exist, bad guys can reverse engineer the firmware in the unpatched routers, figure out how to get in, and then start attacking. So there's a window here you want to make sure that you're not vulnerable within that time period. Okay Sysinternals There was a surprising bit of news involving the much beloved Sysinternals tools. As many of our listeners know, they were a collection and still are, of truly unique and powerful utilities that were originally created by Mark Russanovich and Bryce Cogswell. Their little Texas based company was purchased lock, stock and barrel by Microsoft back in 2006, much to many people's chagrin, since everyone was quite worried at the time that it might spell the end of of that fabulous and really irreplaceable tool set. Fortunately, that didn't happen and the tools remain available today from Microsoft and are still being maintained and upgraded. Which makes this news of a recent discovery all the more curious and troubling. A software engineer by the name of Rake Schneider has reported that he has discovered DLL hijacking bugs in the Sysinternals tools. Oh, in fact, it's this guy's page, it's written in German and it was Firefox's built in translator that allowed me to turn it into English. So the curious and troubling part is that Microsoft has done nothing about these problems. They remain unpatched and worse, their existence is now public and widely known, even after a 90 day responsible disclosure window. So Rake's detailed public disclosure reads, and this is just the beginning of it. He said, quote, I've identified and verified critical vulnerabilities in almost all Sysinternals tools and presented the background and attack in a video. A summary of the weak spot and the link to the video can be found here in this blog post. These tools, developed by Microsoft and actually originally Sysinternals, of course, are widely used in IT administration and are often used for analysis and troubleshooting. The vulnerability demonstrated in the video affects numerous applications of the suite and allows attackers to use DLL injection to inject and execute defective code. And now okay, that may be part of the translation. We know it could be not defective, but malicious code. And he said now that more than 90 days have passed since the initial disclosure to Microsoft, it's time to talk about it. And then he goes on to do so. I have a link to his posting in German in the show Notes, and if you've got a translator built into your browser and don't speak German, then it'll do a good job of translating it into English for you.

Leo Laporte (85:10)

Actually, my translation, and I'm not sure where it came from, says malicious code.

Steve Gibson (85:15)

Ah, interesting.

Leo Laporte (85:16)

Okay. Yeah, this is arc, so I don't know what translator it's using. Yeah, interesting. Probably not Google.

Steve Gibson (85:22)

Okay, so the problem is it's a well known and common problem with Windows DLLs where, and you know, among many problems, DLLs made sense back when we had 128 megabyte Windows 2 computers because it was a way of sharing code. And the idea would be that rather than various applications all needing to bring their own code along, not only because we had applications that were sharing 20 megabyte hard drives or floppies, but because there wasn't much RAM. So you just wanted to be able to share these libraries. Great idea back then. Today it's pure legacy. It absolutely makes no sense whatsoever. But there's never been a point in time where Microsoft could break this. So we still have it today. So what happens is the Windows executable file loader, when it's loading an executable file, is able to in the executable, the executable declares the DLLs that that it's reliant upon the system code DLLs that it needs. And so the executable file loader loads those for the executable so that they're there and linked up to it and ready to go. It first looks in the application's own directory, that is where the XE is being run from. And this behavior was originally deliberate since it allowed applications to bring along their own more recent or maybe even older versions of DLLs. This is where the whole DLL thing began to fall apart, because they would then be loaded and used preferentially over whatever same named DLLs the system might already or might not have. The problem is that convenience feature can be readily abused. In the case of the sysinternals executables, they're not relying upon any of their own DLLs. This is actually one of the things that makes them so nice, is that they are single executables that just get their jobs done very clean. But like all Windows applications, they do rely and heavily upon many system DLLs. But rather than insisting that the system DLLs they require be loaded from within the system's own protected directories as they should, the sysinternals apps use the default behavior where Windows will first look inside the app's own directory, and this enables the exploit. Bad guys can place a DLL that's named the same as a system DLL in sysinternals execution directory and it will be loaded instead of the intended system dll. This flaw has been widely picked up and reported by the tech press over the past few days. The reporting notes that many of the sysinternals utilities prioritize DLL loading from untrusted paths, such as the current working directory or network paths before looking in secure system directories for their DLLs. One piece of this reporting wrote. The vulnerability was responsibly disclosed to Microsoft on October 28, 2024. However, Microsoft has classified it as a defense in depth issue rather than a critical flaw. This classification implies that mitigation relies on secure usage practices rather than addressing it as a fundamental security defect. While Microsoft emphasizes running executables from local program directories, researchers argue that network drives where the current working directory becomes the application's execution path pose significant risks, as indeed they do. So what's most significant here is the to me is the breadth of press coverage and reporting that this news has generated. I mean, this got picked up because this internals is so popular. This got picked up everywhere.

Leo Laporte (90:07)

Yeah, everybody uses it.

Steve Gibson (90:09)

Yeah. Yes. So we've seen Microsoft respond when sufficient noise is made. We saw how quickly they backpedaled on the first release of their Copilot plus Recall Screen Scraper. So I would imagine that the amount of bad press that is being generated here will result in someone's attention being pointed at updating all of the vulnerable sysinternal tools. I suspect Microsoft is regretting that they blew this off and said, oh, it's not our problem. You just have to be careful how you use them. It's like, okay, good luck with that. Unfortunately, there's no update mechanism for the bazillion copies of Sysinternals tools that have already been downloaded and are deployed. They will never be updated.

Leo Laporte (91:04)

Interesting.

Steve Gibson (91:05)

Unless they're manually replaced, they all have this behavior.

Leo Laporte (91:09)

Yikes.

Steve Gibson (91:09)

Yeah, okay, yeah. This creates an enduring opportunity for exploitation.

Leo Laporte (91:15)

What is a defense in depth issue? What does that Mean that just. You should be careful.

Steve Gibson (91:20)

Yeah, yeah, exactly.

Leo Laporte (91:22)

Job.

Steve Gibson (91:23)

Yeah, exactly. Like. Well, yes, but you know, these are advanced sleuthing tools, so you shouldn't leave them around on computers where they could be exploited. Thanks, but everybody does.

Leo Laporte (91:37)

Yeah. I imagine it's a custom DLL that the sysinternals run. In fact, they probably have a common d in that dll.

Steve Gibson (91:45)

No, no, it's like kernel32 dll needs to get loaded.

Leo Laporte (91:51)

Oh, it should definitely be getting that from the secure.

Steve Gibson (91:54)

Exactly. And they don't. They don't. So someone malicious names their malicious code kernel32DLL puts it where the sysinternals tool is and that's the one that gets loaded.

Leo Laporte (92:07)

Isn't this a widespread problem though, in Microsoft?

Steve Gibson (92:10)

Yeah, yeah, yeah. I mean, it requires overriding Windows standard default behavior, which they can't change because it will break things that depend upon it.

Leo Laporte (92:24)

They didn't used to have a secure place to store those DLLs.

Steve Gibson (92:28)

Actually, security was never a consideration. If you've got a Windows 2 machine with floppy disks, what security? Why not let a Windows metaphile execute code in the image? Because that might come in handy. That's what they did in the beginning.

Leo Laporte (92:49)

I think that DLLs are just running on inertia. There's no. You don't need it anymore.

Steve Gibson (92:54)

There was never a time when they could afford to break this. I mean, you know, I mean on.

Leo Laporte (92:59)

Linux you have static linked executables. I mean, that's. They're bigger because of it. But then you don't have that problem. You don't have libraries and you don't have the DLL hell, that you get with Windows.

Steve Gibson (93:11)

Right.

Leo Laporte (93:12)

With conflicting DLL versions and so forth.

Steve Gibson (93:15)

Yeah.

Leo Laporte (93:16)

Maybe it's time to think about getting rid of those. Just don't do it.

Steve Gibson (93:21)

Maybe go VM Happy and execute each X everything in vm.

Leo Laporte (93:27)

That was a plan.

Steve Gibson (93:28)

Yeah, I know. It's a mess. Okay. Google removes the ban on using AI for harm. What? Last Tuesday, Wired covered an interesting change in Google's policies regarding the conduct and use of its AI. Wired's headline was quote, Google lifts a ban on using its AI for weapons and surveillance.

Leo Laporte (93:57)

Well, it's about time.

Steve Gibson (93:59)

That's right.

Leo Laporte (94:00)

This is the to. When you talk about the existential threat of AI, this is the first thing that leaps into my mind. Right. Don't. Don't have autonomous nuclear weapons.

Steve Gibson (94:09)

Yes, the tagline and Wired's coverage said Google published principles in 2018 barring its AI technology, such as it was from being used for sensitive purposes. Weeks into President Donald Trump's second term, those guidelines are being overhauled. Okay, now I have no idea why Wired, you know, referred to our current president's administration, since there's no reason I can see to believe that there's any connection between the two. Here's what Wired wrote They said Google announced Tuesday that it is overhauling the principles governing how it uses artificial intelligence and other advanced technology. The company removed language promising not to pursue, quote, technologies that cause or are likely to cause overall harm, weapons or other technologies whose principal purpose or implementation is, is to cause or directly facilitate injury to people and finally, quote, technologies that gather or use information for surveillance, violating internationally accepted norms and finally, quote, technologies whose purpose contravenes widely accepted principles of international law and human rights. That all all that language was taken out. The changes were disclosed in a note appended to the top of a 2018 blog post unveiling the guidelines saying, quote, we've made updates to our AI principles. Visit AI Google for the latest, the note reads. So in a blog post on Tuesday, a pair of Google executives cited the increasingly widespread use of AI, evolving standards and geopolitical battles over AI as the backdrop to why Google's principles needed to be overhauled, Wired wrote. Google first published the principles in 2018 as it moved to quell internal protests over the company's decision to work on a US Military drone program. In response, it declined to renew the government contract and also announced a set of principles to guide future uses of its advanced technologies, such as artificial intelligence. Among other measures, the principles stated Google would not develop weapons, certain surveillance systems, or technologies that undermine human rights. But in an announcement on Tuesday, Google did away with those commitments. The new web page no longer lists a set of banned uses for Google's AI initiatives. Instead, the revised document offers Google more room to pursue potentially sensitive use cases. It states Google will implement appropriate human oversight, due diligence and feedback mechanisms to align with user goals, social responsibility, and widely accepted principles of international law and human rights, unquote. Google also now says it will work to, quote, mitigate unintended or harmful outcomes, unquote. Which, okay, still says some of the same things, though maybe a little less pointedly. James Many, AKA Google's senior vice president for research, technology and society, was quoted, so this guy, a Google person, quote, we believe democracy should lead in AI development guided by core values like freedom, equality and respect for human rights, unquote Right? And Demis Hasabis, The CEO of Google's esteemed AI research lab, DeepMind, said, quote, and we believe that companies, governments and organizations sharing these values should work together to create AI that protects people, promotes global growth, and supports national security. They added that Google will continue to focus on AI programs that, quote, align with our mission, our scientific focus and our areas of expertise, and stay consistent with widely accepted principles of international law and human rights, unquote. At the same time, multiple Google employees expressed concern about the changes in conversations with Wired. Okay, well, my own feeling is that we should not read much into this. And I guess I salute Google for being upfront about it. I mean, they're not hiding at all behind the fact that they've changed their wording on this. You know, these guidelines were first created seven years ago back in 2018. Seven years in AI time frame, you know, is Jurassic. The world of AI has obviously been dramatically transformed since then. And I suspect that this is just Google being upfront about needing to operate on a level playing field alongside everyone else. You know, they could have left that language there and ignored it if necessary. You know, they're not saying that they're going to proactively do bad. They're just saying that they're going to abide by the same rules as everyone else. So. Okay, we got a few more things to talk about. Leo, an open, open AI jailbreak. And I've got a bit of my own news. Let's take another break and then we will continue.

Leo Laporte (100:04)

Gladly, gladly. Right now we would like to tell you a little bit about one of our sponsors for the hour. USCloud A name I hope you know by now. We've been talking about it for a while. They are the number one Microsoft Unified support replacement. Can I make it a shameful admission? When they first came to us for advertising, I said, I never heard of you guys. I guess I'm just ignorant because they are literally the number one company in this. And actually, after talking to them for a while over the last few months, I've gotten to really know US Cloud and I understand now why they are the global leader in third party Microsoft support for enterprises. They now support 55. 0 of the Fortune 500. And there are three reasons really. They said, you know, well, what we find is our customers are really excited because they can save 30 to 50% over Microsoft unified and Premier support. And I said, well that's good. You're a lot less expensive, as much as half as much, but are you better? And they said, well, yes, we're a lot better. We're twice as fast on average time to resolution than Microsoft That's a lot, by the way. That's a big deal when everything, when you're, everything's down, whatever, your network's collapsed, your hair is on fire, twice as fast, response time is a big deal. So there's two of the three. They're a lot less expensive, they're twice as fast. They're also better. They, they have engineers with an average of 16 years experience in brake fix. They know what they're talking about. They are the guys you want, the guys and gals you want on the other end of the line when everything's falling apart. So now you're getting the picture, right? Twice as fast, smarter and half the cost. Sounds pretty good. But now US Cloud is excited to tell you about a brand new offering. This is something I think a lot of us can use. It's their Azure cost optimization services. So let's be honest. When was the last time you evaluated your Azure usage? If it's been a while, you probably have some, you know, Azure sprawl, little spend creep going on. It's easy, right? You know, you forget a server there, you spin up an instance there and you just don't do anything. The good news is saving on Azure is easier than ever with US Cloud. US Cloud offers an eight week Azure Engagement. It's powered by VBOX and identifies key opportunities to reduce costs across your entire Azure environment. You're not just going to flip a switch and walk away. You're going to get expert guidance and access to US cloud senior engineers. As I said, an average of 16 years with Microsoft products, they're super smart. By the end of those eight weeks, your interactive dashboard will identify, rebuild downscale opportunities, unused resources, allowing you to reallocate those precious IT dollars that are getting wasted right now towards needed resources. If I may make a suggestion, you could invest those Azure savings into US Cloud's Microsoft support, like a few of other US Cloud's other customers. Completely eliminate your unified spend. Now the savings goes on, right? On and on and on. I'll give you one testimonial review we got recently from Sam. He's a technical operations manager at Bead Gaming. He gave you us Cloud 5 stars saying, quote, and this is about the Azure engagement. Actually, we found some things that had been running for three years which no one was checking. These VMs were, I don't know, 10 grand a month. Not a massive chunk in the grand scheme of how much we spent on Azure. But once we got to 40 or $50,000 a month, it really started to add up. End quote. It's simple. Stop overpaying for Azure, identify and eliminate Azure creep and boost your performance all in eight weeks with US Cloud, I think you're going to be very impressed. This is a service everybody should know about. USCloud.com, book a call today to find out how much you can save. Uscloud.com, book a call. Better, faster Microsoft support for a whole heck of a lot less. That's a pretty good deal. US Cloud, we thank him so much for supporting Steve and the work he does on security. Now, don't you forget, if they said, oh, how'd you hear about us? You just. You tell them. Security now. Okay. All right, let's talk about. I've been, by the way, quoting last week's episode all week long with, with the, the, you know, the, the bottom line being there is really no AI that hasn't been jailbroken. This AI safety is an illusion, basically.

Steve Gibson (104:56)

And my intuition is that, that we're going to have a hard time putting guardrails around AI. It. I mean, we're, we were surprised when this worked at all. There's a still big questions like surrounding how does it work at all?

Leo Laporte (105:19)

We don't really even know how it works.

Steve Gibson (105:21)

No. So you know, it's like, okay, if you don't know how it works, how are you going to tell it not to talk about some things that it knows?

Leo Laporte (105:29)

The old hacker creed was information wants to be free. AI wants to be free. It, it wants to, it wants to help you, wants to tell you what you want to know. Pretty hard to stop it.

Steve Gibson (105:40)

So yes, following up on last week's look at the relative weakness of the deep seq AI model resistance to jailbreaking, we have a post on LinkedIn by Aaron Shimoni, whose title is principal Vulnerability Researcher at Cyberark. Aaron's post reads, OpenAI recently released the O3 family of models. Right? That's the top end. Best there is right now, showcasing significant advancements in reasoning and, and runtime inference. Given its expected widespread use in development, ensuring it does not generate malicious code is crucial. OpenAI has strengthened its security guardrails, mitigating many previous jailbreak techniques. And Leo, to your point, you called it whack a mole last week and that's exactly right. I mean, it's like, oh, how about try this? Oops. Okay, let's go fix that. How about this?

Leo Laporte (106:45)

Oops.

Steve Gibson (106:46)

Oh good. Let's go fix that. Doesn't feel solid, he said. However, using our open source tool fuzzy AI, we successfully jailbroke O3 extract. Get this. Extracting detailed instructions on injecting code into LSASSEXE, including a breakdown of the obstacles involved, ultimately leading to functional exploit code.

Leo Laporte (107:19)

Oh my God.

Steve Gibson (107:20)

Okay, now LSASS always shows up in any list of running Windows processes.

Leo Laporte (107:27)

I know, I've googled it saying what the hell is this?

Steve Gibson (107:30)

Ls? Yes, LSASS stands for Local Security Authority Subsystem Service. It is the security God of Windows because it's the Windows process that manages user authentication and all security policies. Being able to inject attack code into that process would create the mother of all privilege escalation and restriction bypasses. And These guys tricked ChatGPT's latest and most powerful code generating O3 model to write the code to do just that.

Leo Laporte (108:16)

Which on the one hand is extremely impressive. Right? Like, wow, it wrote the code. Wow.

Steve Gibson (108:23)

On the other hand, it is impressive, but it's also very worrisome. Right? He said. While AI security is improving, our findings indicate that vulnerabilities still exist, highlighting the need for further safeguards. We've opened a Discord community for our open source tool. You're welcome to join.

Leo Laporte (108:46)

I just tried to join it. It's gone.

Steve Gibson (108:50)

Really?

Leo Laporte (108:51)

Yeah, I'm not sure if they got booted or.

Steve Gibson (108:54)

I got an invite when I went there yesterday, so.

Leo Laporte (108:57)

Is it there? Were you able to get in?

Steve Gibson (108:59)

I did yesterday. Oh, okay, maybe I'm in that link.

Leo Laporte (109:02)

Oh, maybe there's something I'm doing wrong. Then I'll try again.

Steve Gibson (109:06)

It's waiting to come up and yep, I got. Oh no, invalid invite.

Leo Laporte (109:11)

Yeah, that's what I got.

Steve Gibson (109:12)

Invite may be expired or you might not have permission to join.

Leo Laporte (109:14)

Right. Yep, that's what I got.

Steve Gibson (109:16)

So probably. And it was a LinkedIn obscured link which I delink identified, so. But you can also go to go to his GitHub page. It's GitHub.com cyberark C, Y, B R A R K and then look for the project Fuzzy AI. And in fact you. It might be that if you go there you'll find the the Discord invite. Anyway, the fuzzy AI GitHub page says the fuzzy AI fuzzer is a powerful tool for automated LLM fuzzing. It's designed to help developers and security researchers identify jailbreaks and mitigate potential security vulnerabilities in their LLM APIs. It features comprehensive fuzzing techniques, leverage mutation based generation based and intelligent fuzzing built in input generation, generate valid and invalid inputs for exhaustive testing, seamless integration, easily incorporate into your development and testing workflows and extensible architecture, customize and expand the fuzzer to meet your unique requirements. And it supports anthropics, Claude OpenAI's GPT4O, Gemini's Gemini Pro, Azure's GPT4 and GPT 3.5. Turbo bedrock that has Claude AI21's Jamba, Deepseeks, both V3 and V1, and Olama and both Llama and Dolphin Llama. So this sort of research and experimentation is exactly what is needed. So a big bravo to Cyberark and Leo. It feels to me as though the problem is inherently intractable and I'm sure this is a major source of anxiety for AI developers. The, the problem is that you're, you're not going to get a, a clean edge. You're not, you're not going to be able to create a clean boundary. So that if my, my, my point is in order to prevent these things from answering questions you don't want them to, from generating code you don't want them to, you're going to have to so restrict them that they are no longer able to answer questions you do want them to and generate code you would like them to be able to do. Because there just isn't a, you know, like what's the boundary between something malicious and not. It's sort of your view, right? It's, you know, one person's malicious code is another person's requirement for solving a problem in it, right? So, you know, we, we're dealing with fuzzy definitions.

Leo Laporte (112:45)

It's very subjective.

Steve Gibson (112:46)

And when your definitions are fuzzy, how can you expect the AI to make that determination?

Leo Laporte (112:51)

Right? All you could do is give it a list of words and things. You know, I mean, that's really, all they're doing is saying if somebody says TMN square, make sure you don't say anything about that. And that's an infinite list. You can never get everything right and you can get around it. What is fuzzing? So fuzzing in this context, is it the same as fuzzing in other exploit generating?

Steve Gibson (113:18)

Yeah, basically just trying to confuse it. Well, okay, so it's almost like randomized prompts. It's not the same thing in as much as, as, you know, fuzzing data to a port is very specific. But, but yes it is, you know, you know, feeding gibberish in and seeing what comes out. And like, like we know that the models grow the context over time and that that context is one of the things that gives them the power that they have for, you know, it's what makes the model interactive and allows you to say, oh, I'm sorry, I didn't explain what I wanted correctly. I meant more like this. And allows you to set up scenarios that allow models to be tricked. And so the more we automate this and the more crap we throw at the wall, the more we're able to see whether we're able to get an answer that the designers didn't intend the model to produce. So it'll be useful for them. For the designers as well. It's a mess, Leo.

Leo Laporte (114:41)

And also it can do it at speed.

Steve Gibson (114:43)

Yes.

Leo Laporte (114:44)

Which is a big advantage. You can throw a lot of.

Steve Gibson (114:47)

As long as. As long as you're able to afford the API cost. You know, it's not going to be cheap to, to run lots of deep inferences as this fuzzing would require, but costs are going to come down too.

Leo Laporte (115:00)

Right.

Steve Gibson (115:03)

Next page is something that I'm very excited to share.

Leo Laporte (115:08)

I like this. Oh, I like this.

Steve Gibson (115:11)

I saw it for the first time myself yesterday evening. It is a screenshot of GRC's DNS benchmark, which is the first ever simultaneous multi protocol. Look at this benchmark of name servers showing DNS over HTTPs, DNS over TLS, IPv4 and IPv6 name servers all being benchmarked at once and with their performance compared against each other. And the preliminary results are interesting. That fastest of all is at the very top. There is nextdnses DNS over HTTPs name server.

Leo Laporte (116:04)

Well, that's what I use.

Steve Gibson (116:07)

But you have to be using HTTPs, so you have to be using DNS over HTTPs. So you need to configure your web browser to do that. My guess is it's fastest because it's not being heavily used yet.

Leo Laporte (116:25)

No one's using it.

Steve Gibson (116:27)

Yeah, and in the number two place, you'll notice under the bars at the top it says determining ownership. That's still old code. The benchmark always used to just resolve IP addresses. So there's a system called Sender Base that allows you to give it an IP and look up the owner of that IP space. Well, that's not widely supported for, for URL based name servers, which is what DOH and DOT are anyway, so my point is that what will be shown shortly. I mean this just came to life last night.

Leo Laporte (117:07)

Yes, and we should mention that these results are local to you. That's why everybody needs to run their own.

Steve Gibson (117:13)

That's exactly, exactly right. From my location in Southern California. That's what I saw. And, and in Fact. What isn't there is normally these bars would have been squished way down by the other name servers that were so slow by comparison. I deleted them in order to so that only so that you can see at the bottom is that one green bar is the one that is the slowest of all. That is what set the scale for everything else. Anyway, the second one from the top is quad nines.

Leo Laporte (117:48)

I see quad one and quad nine.

Steve Gibson (117:50)

Yeah, yeah, yeah, yeah. And quad nine is that second fastest DNS over tls. So yeah. So from my position in Southern California, that's what I saw. I've got more work to do on the ui, but I will be producing the fifth release of this for testing by our gang probably in the next few days.

Leo Laporte (118:12)

Is this multi threaded? It must be.

Steve Gibson (118:14)

Oh my God. It's crazy. Multi threaded. I mean everything is running at once and that's so cool. It is really.

Leo Laporte (118:23)

How many processors do you have in this machine?

Steve Gibson (118:26)

It'll run multithread. Remember, everything's in assembler. It's still only 100. It's only a couple hundred K because it is super efficient and actually doing DNS queries is not time consuming. Just sending a short packet out and then timing how long it takes for it to come back. So yeah, it is a, it's massively. A massively parallel application.

Leo Laporte (118:49)

Oh, that's awesome.

Steve Gibson (118:50)

But it's, it's starting to come to life. So anyway, I'm very, very happy to be able to share that and show it and I'll get it done.

Leo Laporte (118:59)

Yay.

Steve Gibson (119:00)

Okay, we're going to now talk about the hidden fact of ransomware attacks in K through 12 schools in the US. I don't know whether or not it would come as a surprise that hiding school cyber attacks is a thing. You know, it might come as a surprise that it's actually a job description. Really it is. There are people whose job description is hiding school cyber attacks and they're being paid to do it. So exactly one week ago last Tuesday, the website of an organization called the 74 published an eye opening piece of investigative journalism that I knew would make a terrific topic for the podcast. As I said at the top of the show, 74 stands for 74 million, which is the number of American school age children being educated in from kindergarten through high school in the U.S. the 74's Code of Reporting Ethics states the 74 is a non profit, nonpartisan national news organization covering K through 12 education. The organization's mission is to spotlight innovative thinking and models that are helping students succeed, to cover and analyze education policy and politics, and to use journalism to challenge the conditions that deny too many children access to a quality education. The 74 is committed to reporting stories without fear or favor about what is working well for students and families, and to expose and hold accountable the systems that are failing them. And I took some time browsing around there and it looks like a neat organization. So last Tuesday, this group published a story titled Kept in the Dark Meet the hired Guns who make sure School Cyber Attacks Stay hidden. Here's what they reported, they said. An Investigation by the 74 shows that while schools have faced an onslaught of cyber attacks since the pandemic disrupted education nationwide five years ago, district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark. An in depth analysis chronicling more than 300 school cyber attacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer privileged investigations which keep key details hidden from the public. In more than two dozen cases, educators were forced to backtrack months and in some cases more than a year later after telling their communities that sensitive information, which included in part special education accommodations, mental health challenges and student sexual misconduct reports that had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyber attacks and their effects on individuals, even after the hackers made student and teacher information public. The hollowness in school's messaging is no coincidence, because the first people alerted following a school cyber attack are generally neither the public nor the police district. Incident response plans place insurance companies and their phalanxes of privacy attorneys first. They take over the response, with a focus on limiting schools exposure to lawsuits by aggrieved parents or employees. Attorneys, often employed by just a handful of law firms, dubbed breech mills by one law professor for their massive caseloads, hire forensic cyber analysts, crisis communicators and ransom negotiators on school's behalf, immediately placing the discussions under the shield of attorney client privilege. Data privacy compliance is a growth industry for these specialized lawyers who work to control the narrative. As a result, students, families and district employees whose personal data was published online from their financial and medical information to traumatic events in young people's lives are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner they could have taken steps to protect themselves. Similarly the public is often unaware when school officials quietly agree in closed door meetings to pay the cyber gang's ransom demands in order to recover their files and unlock their computer systems. Research suggests that the surge in incidents has been fueled at least in part by insurers willingness to pay. Hackers themselves have stated that when a target carries cyber insurance, ransom payments are all but guaranteed. In 2023, there were 121 ransomware attacks on US K12 schools and colleges, according to Comperatech, a consumer focused cybersecurity website whose researchers acknowledge that the number is an undercount for the same year. An analysis by Malwarebytes reported 265 ransomware attacks against the education sector globally in 2023, a 70% year over year surge making it the worst ransomware year on record for education. Daniel Schwartz, a University of Minnesota law professor, wrote a 2023 report for the Harvard Journal of Law and Technology criticizing the confidentiality and doublespeak that shroud school cyber attacks. As soon as the lawyers often called breach coaches arrive on the scene, Schwartz told the 74, quote, There's a fine line between misleading and, you know, technically accurate. What breach coaches try to do is push right up the to that line and sometimes they cross it. The 74's investigation into the behind the scenes decision making that undermines what, when and how school districts reveal cyber attacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. All of this otherwise kept off the off the books and private of course. It also includes an analysis of millions of stolen school district records uploaded to cyber gangs leak sites. Some of students most sensitive information lives indefinitely on the dark web, while other personal data can be found online with little more than a Google search. Even as school districts deny that their records were stolen and cyber thieves boast about their latest score, the 74 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode island and Louisiana's Saint Laundry Parish, which uncovered the full extent of school data breaches, countering school officials false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time or retract denials about the leak of thousands of students detailed psychological records. In many instances, the 74 relied on mandated data breach notices that certain states like Maine and California report publicly. The notices were sent to residents in these states when their Personal information was compromised, including numerous times when the school that suffered the cyber attack was hundreds and in some cases thousands of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they later disclosed to regulators. After extensive delays, some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws. And for dozens of other schools, the 74 could find no information at all about alleged school cyber attacks on uncovered by its reporting, suggesting they had never before been reported or publicly acknowledged by local school officials. Education leaders who responded to the 74's investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation. Uh huh. Not self protection. School officials in Reed Springs, Missouri said, quote, when we respond to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity, unquote. Those in Florida's River City Science Academy said the school, quote, acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees. In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation's seventh largest district said they notified student breach victims by email, mail and a telephone call and set up a special hotline for affected families to answer questions. Hackers have exploited officials public statements on cyber attacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations. Doug Levin, who advises school districts after cyber attacks and is the co founder and national director of the nonprofit K12 Security Information Exchange, said, but those negotiations do not go on forever. A lot of these districts come out saying we're not paying the ransom, in which case the negotiation is over and they then need to come clean. The paid professionals who arrive in the wake of a school cyber attack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate the harm, and restore their systems to working order. This promise of control and normality is particularly potent when cyber attacks suddenly cripple school systems, forcing them to shut down for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students the old fashioned way, with books and paper. But what isn't as apparent to students, parents and district employees is that these individuals are not there to protect them, but to protect schools from them. Aliyah, let's take our final break and then I'm gonna finish with this and then discuss it a little bit.

Leo Laporte (131:37)

Okay, good. It's a little upsetting. Yeah.

Steve Gibson (131:42)

It is going on behind the scenes and you know, deliberately obscured.

Leo Laporte (131:47)

Yeah. We'll talk more in just a bit. But first a word from 1Password. A little question for you. Purely rhetorical because I think you know the answer and I know the answer. Do your end users, those wonderful people working in your building, do they always work on company owned devices? Sure. Right. And IT approved apps? Yeah. They never bring their phone in or their laptop. They never have a Plex server running? I didn't think so. So how do you keep your company's data safe when it's sitting on all those unmanaged devices running those unmanaged apps? Well, that's why 1Password is here. Extended Access Management. Something brand new from 1Password. 1Password Extended Access Management helps you secure every sign in, every sign in for every app on every device. Because it solves problems traditional IAM and MDM just can't touch. Imagine your company's security like the quad of a college campus. There are nice brick paths between the buildings. Those are the company owned devices, the IT approved apps, the managed employee identities. It's all peaceful kingdom. And then there are the paths people actually use. The shortcuts worn through the grass that are actually the straightest line from point A to point B. Unmanaged devices shadow IT apps, the non employee entities like contractors on your network. Most security tools only work on the happy little brick paths. But many security problems occur on the shortcuts. 1Password Extended Access Management is the first security solution that brings all these unmanaged apps, devices and identities under your control. It ensures that every user credential is stored strong and protected, every device is known and healthy, and every App is visible. 1Password is ISO 27001 certified with regular third party audits. It exceeds the standards set by various authorities. It's a leader in security and it's security for the way we work today. 1Password Extended Access Management is now generally available to companies that use Okta or Microsoft Ed Entra. They're in beta for Google Workspace customers. You can try it right now. Secure every app, device and identity, even the unmanaged ones@1Password.com security now. All lowercase, that's the number. 1Password pass w o r d.com and don't forget this very important slash. Security now that's how they know you saw it here. 1Password.com security now. We thank them so much for supporting Steve and the good work he's doing here at Security Now. And you support us too by using that address. 1Password COM Security now, Steve.

Steve Gibson (134:37)

So when the Medusa ransomware gang attacked Minneapolis public schools in February 23, it stole reams of sensitive information and demanded four and a half million dollars in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin notify the FBI. So at the same time, officials were not acknowledging publicly that they had been hit by a ransomware attack. Their attorneys were telling federal law enforcement that the district immediately determined its network had been encrypted, promptly identified Medusa as the culprit, and within a day had its, quote, third party forensics investigation firm communicating with the gang regarding the ransom. Mullen Coughlin then told the FBI that it was leading a privileged investigation into the attack and that the school and at the school district's request, quote, all questions, communication and requests in connection with this notification should be directed to the law firm. Mullen Coughlin did not respond to requests for comment. Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of December 1st, all schools in Minnesota are now required to report cyber attacks to the state, but that information will be anonymous and not shared with the public. One district took such a hands off approach, leaving cyber attack recovery to the consultants discretion, that they were left out of the loop and forced to later issue an apology. When an April 23 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees that the New Jersey district wasn't the target of a second attack. The letter was about the one. More than a year ago, the attorneys had sent out notices after a significant delay and without the school's knowledge. Other school leaders said when they were in the throes of a full blown cyber crisis and ill equipped and ill equipped to fight off cybercriminals on their own. Law enforcement was not of much use and insurers and outside consultants were often their best option. Ron Ringlestein, the executive director of technology at the Yorkville, Illinois school district, said, in terms of how law enforcement can help you out, there's really not a whole lot that can be done, to be honest. Unquote. When the district was hit by a cyber attack prior to the pandemic, he said in a report, the FBI went nowhere. Instead, district administrators turned to their insurance company, which connected them to a breach coach who then led all aspects of the incident response. Under attorney client privilege. Northern Bedford County School Superintendent Todd Beatty said the Pennsylvania district contacted the CISA to report a July 2024 attack, but, quote, the problem is there's not enough funding and personnel for them to be able to be responsive to incidents, unquote, and too many incidents. Meanwhile, John Van Wagoner, the school superintendent in Traverse City, Michigan, claims insurance companies and third party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to Recover from a March 2024 attack, Van Wagener said. But he, quote, did know where to go to vet if they were any good or not, unquote. He said it had been a community member, not a paid consultant, who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes of stolen data. Breach notices and other incident response records obtained by the 74 show that a small group of law firms play an outsized role in school cyber attack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paloozzi co chairs a 50 lawyer data privacy and cybersecurity practice. Some call him a breach coach. He calls himself a quarterback. After establishing attorney client privilege, Paloozi and his term called in outside agencies covered by a district cyber insurance policy, including forensics analysts, negotiators, public relations firms, data miners, notification vendors, credit monitoring providers and call centers. Yeah, and who pays for this? The taxpayer. Across all industries, the CyberSecurity practice handled 2,300 incidents in 2023, 17% of which involved the education sector, which Paloozi noted is not quite always the best when it comes to the latest protections. When asked why District's initial response is often to deny the existence of a data breach, Paloozi said, well, it takes time to understand whether an event rises to the level that would legally require disclosure and notification. Paloozi said it's not the time to make assumptions to say we think this data has been compromised until we know that if we start making assumptions, that starts our clock on legally mandated disclosure notices, we're going to have been in violation of a lot of the laws. And so what we say and when we say it are equally important, which is why there are so many jokes about attorneys, of course, in other words, finessing the system. They said, you know, once we've acknowledged that a breach has occurred, notification requirement clocks start ticking. So the longer we wait to acknowledge, apparently even to themselves, that anything more serious than an incident is being investigated, the better, he said. In the early stage, lawyers are trying to protect their client and avoid making any statements they would later have to retract or correct. Uh huh, pelosi said. Quote while it often looks a bit canned and formulaic, it's often because we just don't know and we're doing so many things we're trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes and then we shift to whatever data is potentially out there and compromised. A data breach is confirmed, he said. Only after a full forensic review, a process that can take up to a year and often only after it's completed are breaches disclosed and victims notified, he said. We run through not only the forensics, but through the data mining and document review effort. By doing that last part, we're able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe that it's your medical information, he said. We try in most cases to get to that level of specificity and our letters are very specific. Sounds like a lot of billable hours to me. Makes you sort of wonder whether the cure is more, you know, is worse than the disease. According to they wrote a 2023 blog post by attorneys at the firm Troutman Pepper Lock, targets that respond to cyber attacks without the help of a breach coach often fail to notify victims and in some cases provide more information than they should. When entities over notify, they increase the likelihood of a data breach class action lawsuit in the process. Companies that under notify may reduce the likelihood of a data breach class action, but could instead find themselves in trouble with government regulators. Wow, what a mess. For school districts and other entities that suffer data breaches, legal fees and settlements are often among their largest expenses. Yeah, that's a shock. Law firms like McDonald Hopkins that manage thousands of cyber attacks every year are particularly interested in privilege, said Schwartz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks. In his 2023 Harvard Journal report, Schwartz writes that the promise of confidentiality is breech coach's chief offering. The report argues that by inflating the importance of attorney client privilege, lawyers are able to retain their primacy in the ever growing and lucrative cyber incident response sector. Similarly, he said, lawyers emphasis on reducing payouts to parents who sue overstates schools actual exposure and is another way to promote themselves as providing a tremendous amount of value by limiting the risk of liability by providing a shield their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine the long term cybersecurity of their clients and society. More broadly, school cyber attacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. Yet files obtained by the 73 show School Cyber attacks carry particularly devastating consequences for the nation's most vulnerable youth. Records about sexual abuse, domestic violence, and other traumatic childhood experiences are found to be at the center of leaks, and hackers have leveraged these files in particular to coerce payments. In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a school show choir event. The accusations were investigated by local police and no charges were filed. The hacker threatened school officials and records obtained by the 74 by writing, quote, I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory pedophilia incident describing described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities because that is some messed up stuff and he didn't say stuff. If the other files are as good, we regret not setting a higher price, unquote. Danielle Citron, a University of Virginia law professor, argues that a lack of legal protections around intimate data leaves victims open to further exploitation. She notes that the exposure of intimate records presents a situation where vulnerable kids are being disadvantaged again by weak data security. And of course, keeping all of this secret and in the dark doesn't improve data security. Danielle said, it's not just that you have a leak of information, but the leak then leads to online abuse and torment. Meanwhile, in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the District got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the IRS after someone filed their taxes fraudulently. In Albuquerque, where school officials said they prevented hackers from acquiring students personal information, a parent reported being contacted by the hackers who placed a strange call demanding money for ransoming their child. Nationwide, 135 state laws are devoted to student privacy, yet they are all unfunded mandates with no enforcement. All 50 states have laws that require businesses and government entities to notify victims when their personal information has been compromised. But the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed, and the degree to which the information is shared with the general public. It's a regulatory environment that breach coach Anthony Hendricks with the Oklahoma City law firm Crow and Dunleavy, calls the multiverse of madness. Hendricks said. It's like you're living in different privacy realities based on the state you live in, he said. Federal cybersecurity rules could provide a level playing field for data breach victims who have fewer protections because they live in a certain state. By 2026, proposed federal rules could require schools with more than 1,000 students to report cyber attacks to CISA. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. Corporations that are accused of misleading investors about the extent of cyber attacks and data breaches can face securities and Exchange Commission scrutiny. Yet such accountability measures are missing from public schools. The Family Educational Rights and Privacy act, the federal student privacy law prohibits schools from disclosing student records, but does not require disclosure when outside forces cause those records to be exposed. Schools having a policy or practice of routinely of routinely students records in violation of ferpa, that's the Family Education Rights and Privacy act, can theoretically lose their federal funding, but no such sanctions have ever been imposed since the law was enacted in 1974. The patchwork of data breach notifications are often the only mechanism alerting victims that their information is out there. But with the explosion of cyber attacks across all aspects of modern life, they've grown so common that some see them as little more than junk mail. Schwartz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told the 74 he got the district's September 2023 breach note in the mail, but he, quote, didn't even read it. The vague notices, he said, are mostly worthless. It may be enforcement against districts misleading practices that ultimately forces school systems to act with more transparency, said Attai, a data privacy consultant. She urges educators to communicate very carefully, very deliberately and very accurately the known facts of cyber attacks and data breaches. So, Leo, this is all a big mess. Yeah, no kidding. When an enterprise's security is breached and its proprietary data are leaked, details of its internal operations, employees and customers, as we know, can become public.

Leo Laporte (151:27)

I think it has to, right? I think the law requires it, does it not?

Steve Gibson (151:31)

Well, yes, the SEC absolutely requires it. And you know, heads will roll among those on the board if that doesn't happen. Sure. There isn't the same thing within our educational system when personal and private records being kept by US Public schools are leaked. As now happens with distressing regularity, disclosure of the private and potentially damaging details of our nation's children hangs in the balance. Administrators of these public institutions fear reprisals from the parents of the students that have been placed in their charge, and also fear the loss of trust that accompanies any acknowledgment of wrongdoing. So expensive specialist law firms and attorneys are now being brought in under the COVID of darkness as a means of abusing the attorney client privilege, privacy shield protections, and responsibility is handed over to these attorneys who are only too happy to take the reins in return for their fat attorney fees. At this point, the school administrators are able to answer any question with, you'll need to speak with our attorneys since they're conducting an ongoing investigation, which, as we saw, can stretch out for more than a year because, well, you know, these things take time. We can't rush these things. We wouldn't want to over report or under report. Meanwhile, insurance companies are working to determine how to best profit from the panic and the threat of ransomware which has been ignited throughout the public school system. On the one hand, they want to write policies and collect their quarterly insurance premiums, and on the other hand, they want to minimize and limit their exposure. The ransomware extortionists are able to use the threat of student body private information disclosure to induce the insurers of these school systems to cough up juicy ransom payments. So it's always useful when we're able to examine the facts and find some way to see that things will somehow get better. But I'm at a loss here. As I said at the top, ultimately, taxpayer money is being funneled into the wallets of cybercriminals from insurance companies by way of our nation's public school systems. And I can't see, you know, any functional mechanism for holding anyone accountable. So why would we expect any of this to change?

Leo Laporte (154:16)

Well, I think you can. You do the same thing the SEC does with public corporations, you do with schools. With public schools. Anyway, you can't do it with private schools. Probably heads roll. Yeah. You pass a law, this is a data breach. And the subjects of the data breach have the right to know that their information's been compromised.

Steve Gibson (154:37)

So it sounds like here that there will be some federal legislation that may pass.

Leo Laporte (154:43)

You just need expansive data breach legislation that says anytime there's a data breach, you have two weeks to reveal it to the people who were the subject of the breach.

Steve Gibson (154:53)

And you can't leave it up to the states because as these Guys said it is an absolute disaster. Patchwork. It's just a quilt of overlapping and contradictory regulations.

Leo Laporte (155:05)

Yeah, yeah. But I think you could have a comprehensive federal data breach law. Absolutely. And that's what you need.

Steve Gibson (155:12)

And we don't yet.

Leo Laporte (155:13)

No, but there are a lot of things Congress needs to do. It's, it's very busy right now and it's got to get to work. So I won't hold my breath for that one. Steve, as always, great show, always interesting, full of good information. Kind of a must listen for anybody. I almost said for anybody who works in security, but really, everybody, everybody should hear. Thank you so much for doing this job. We, we do this show every Tuesday right after Mac break weekly, which usually comes around 1:30 to 2pm Pacific, 5pm Eastern, 2200 UTC. There are eight ways to watch it live, thanks to the club. You can watch in Club Twit Discord if you're a member. That's a great way to watch. Or on YouTube, on Twitch, on Kick X.com, tikTok, LinkedIn or Facebook. You take your pick. But honestly, most people don't watch Live because why, why watch live when you can download a copy of the show and listen at your leisure or watch at your leisure? Steve has a couple of versions on his website. The unique. We've mentioned the 16 kilobit audio version. He also has a 64 kilobit audio version and that's actually a version we stopped putting out. But Steve does have that. He has transcripts, human written transcripts from Elaine Ferris. They're fantastic. Great way to read along or to search every show that's been all 10, 12 shows all there. He has the show notes there. GRC.com now while you're at GRC, pick up a copy of Spinrite, the world's best mass storage, maintenance, recovery and performance enhancing utility. Soon we're going to get that DNS Benchmark Pro, which will be great. That'll all be@grc.com there's lots of other free stuff there too, including Shields Up.

Steve Gibson (157:01)

And you were mentioning Elaine and there was something that I couldn't remember that I wanted to mention that just that goes to who she is. She wrote this was last Friday. She said, Steve, the podcast has been transcribed, it has been proofread, but it's not ready to send because I have a counting problem. Leo speaks 174 times. You speak 172 with Leo beginning and ending. There should be only one digits difference. I can't make this work out. Because she's saying you and I are alternating.

Leo Laporte (157:44)

We do alternating.

Steve Gibson (157:45)

Well, you speak 174. She had a count of 172 for me. Either you had to be 173 or I had to be 173. She wouldn't let me have the transcript script until she figured out.

Leo Laporte (158:00)

How did she figure it out? She just missed something.

Steve Gibson (158:02)

I don't know. She sent at. So that was at 7:49. At 8:16, she sent. Hi, Steve fixed it.

Leo Laporte (158:14)

Whew.

Steve Gibson (158:14)

I was so worried about the horses that I couldn't concentrate. Once I gave up, I found the problem. Have a good weekend, Elaine.

Leo Laporte (158:21)

So that's a sanity check she does. In addition to everything else, she counts the number of times each of us speaks, and they need to match up. One of us might speak one more time than the other. Well, never.

Steve Gibson (158:33)

You always lead off the podcast.

Leo Laporte (158:34)

I start it in, so.

Steve Gibson (158:36)

So you're gonna have one more. Yeah, Speaking interval.

Leo Laporte (158:41)

You always get the last word. So it's I get the first word, you get the last word.

Steve Gibson (158:46)

That's right. Because I say okay or like you say, yeah, see ya.

Leo Laporte (158:49)

Yeah, that's so funny. Good for you, Elaine. Put a little Easter egg in the transcript this week. Just a little something just to let us know you're there. You can also get everything Steve has@grc.com including getting on his mailing list. Now, this actually is a twofer. When you go to grc.com email, submit your email address, you're then telling Steve, I'm a real person, I'm not a spammer. And you can now email him with thoughts, questions, pictures of the week, that kind of thing.

Steve Gibson (159:24)

Security now@grc.com oh, did I say it wrong?

Leo Laporte (159:27)

Security.

Steve Gibson (159:28)

No, no, no.

Leo Laporte (159:28)

Oh, that's the email. Yes.

Steve Gibson (159:30)

Yeah, yeah, yeah.

Leo Laporte (159:31)

So, yes, from then on, you'll be able to email. Right now, if you email securitynowrc.com without validating right, it goes. Disappears completely. Now the other thing, though, is when you do that, you'll see a page and there are two boxes unchecked because it's opt in for his newsletters. So if you want to get the show notes, for instance, ahead of time, you can. The show notes are also available for download@grc.com we have 128 kilobit audio version. No one knows why, but we do. I don't know why is it stereo? I don't understand. It's very high quality. We also have a video version. Those are at our website, Twitter, tv, sn. Another place you can download. If you go to that page, you'll also see a link to the YouTube channel. That's the way we encourage you to share clips from the show. If you have a friend that you want to send, you know, hey, did you see the new AI integration in Firefox 135? You could just take that little clip and send it to her and that would be a cool way of sharing. The show makes it very easy to do that on YouTube. They had the easiest clipping thing ever. But the best way to get it probably subscribe in your favorite podcast client because that way you can be able to get it right away, the minute it's available without thinking about it. So you always have the next Security now ready queued up on your device. You have your choice between audio and video. All of that. The information for all that is @Twitter TV SN. I think that's everything. I'm taking tomorrow off. I won't be here tomorrow, but I will be back on Sunday for this Week in Tech. And Steve and I will be back next Tuesday for another gripping edition, episode 1013 of Security.

Steve Gibson (161:12)

1013 it is. See you then my friend.

Leo Laporte (161:15)

Bye.

Steve Gibson (161:18)

Security now like your favorite startup's growth curve, T Mobile's coverage keeps scaling because T Mobile helps keep you connected from the heart of Portland to right where you are on America's largest 5G network switch. Now keep your phone and T Mobile will pay it off up to $800 per line via prepaid card. Visit your local T Mobile location or learn more@t mobile.com keepandswitch up to 4 lines via virtual prepaid card will have 15 days qualified unlock device, credit service port in 90 days device and eligible carrier and timely redemption. Required card is no cash access and expires in six.