ESP32 Backdoor Update, RCS E2EE
Leo Laporte
It's time for Security Now. Steve Gibson is here. He'll talk about a bug Microsoft has known about for years, refuses to correct, and is now being used by 11, count them, 11 hacker organizations. A very disturbing remote takeover of Apache Tomcat server, something you're going to want to patch right away. He's going to talk about the Signal breach, the Department of Defense use of Signal, and why that's an unsafe thing to do. And then finally, if you weren't worried about the future already, stay tuned, because Steve's gonna be talking about the threat that post-quantum cryptography poses to everything you know. It's all coming up next. A big one on Security Now.
Steve Gibson
Podcasts you love from people you Trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1018, recorded Tuesday, March 25, 2025. The quantum threat. It's time for Security Now, the show. We cover the latest security news, privacy information, with a little dollop of sci-fi and stuff like that thrown in with this guy right here, Mr. Steve Gibson, the man of the hour. Hi, Steve.
Steve Gibson
And hopefully some fun. One of the things that I often hear from our listeners in feedback is that they find this entertaining.
Leo Laporte
It is entertaining.
Steve Gibson
It's a strange crowd we have.
Leo Laporte
If you're a nerd, if you're into this stuff, it's the best thing ever, right? It's better than sliced bread. I mean, this is the good stuff. I know people, many people consider this the best show on the network and wait all week long for Steve to show up on Tuesday. So we're glad you're here.
Steve Gibson
Well, we're back again for episode 1018. And whenever I tell my neighbors, my neighbors sort of had this vague sense that I do something with a podcast. And so when Laurie and I encounter them out walking, they go, still doing that podcast? I said, yep, I just did number 1070. And they go, 1017.
Leo Laporte
What?
Steve Gibson
That's right.
Leo Laporte
You're a madman, Steve. Congratulations.
Steve Gibson
Well, we got a neat episode this week. I titled this one the Quantum Threat. I ran across a really nice piece of sort of a where-the-industry-is update from Hewlett Packard's security people, which just perfectly contextualizes the status now. And I found that after I had absorbed it, I thought, okay, there's so much good stuff here. This needs to get shared. So that's going to be where we wrap things this week. But first, we're going to talk about the dangers of doing things you don't understand. Espressif, you know, the Chinese producer of the ESP32, the most popular IoT processor. They've responded to those claims of that back door.
Leo Laporte
The Bluetooth back door.
Steve Gibson
That Bluetooth back door, which we decided wasn't. We've got a widely leveraged mistake which we talked about last summer, but Microsoft stubbornly refuses to correct, even though, I can't remember now, 14 different threat groups are all using it now. It's like, come on, Microsoft. A disturbingly simple remote takeover of Apache Tomcat servers. Like all Apache Tomcat servers. There's also a 10 out of 10 vulnerability affecting some ASUS, ASRock and HPE motherboards. Google has snapped.
Leo Laporte
Do they call that, by the way, ASRock?
Steve Gibson
No, well, ASRock or ASRock. You're right, there are, there are not two S's. So I guess it is.
Leo Laporte
Ought to be not a great name if that's what they call it.
Steve Gibson
Although I did rename those other routers the MikroTik router.
Leo Laporte
Oh, the MikroTiks.
Steve Gibson
Yes, the MikroTik. Yeah, that sounds really bad. It's like, oh, I think that's MikroTik. You better have that removed. So we also, oh, I was saying that Google snapped up another cloud security firm, but they did pay a price for doing so. We have RCS messaging soon to be getting full end-to-end encryption, and it was done right. We're going to talk about that. Also, how did an AI crypto chatbot lose $105,000? And what is an AI crypto chatbot? Yeah, I'd like, what we're going to note that looks like Oracle may be taking over stewardship of TikTok in order to keep it in country. And whoops, 23andMe is sinking. You may not want to let them take your genetic data with them on their way out. Also, the White House says that the cyber guys should stay. We'll touch on that. Also, AI project failure rates are on the rise. Is anyone surprised? We've got some really, I think, relevant and interesting listener feedback to share. And then, as I said, we're going to wrap up by looking at just where do we stand with quantum computing and what's the threat? We've got a picture of the week. And because the news broke after I put all of this together, which was actually early yesterday afternoon, we need to talk about the only cyber thing that anybody is talking about at the moment, which is this mistake that the White House, I guess cabinet members, made of using Signal to discuss very privacy-sensitive, national-security-sensitive war plans. So that's not in the show notes, but we should open with that after we look at our picture of the week.
Leo Laporte
Yep, I have the picture here. I am ready to scroll up at your command. We'll do that and get into the meat of the matter in just a bit. But first, a word from our sponsor. Happy to say they have just re-signed for 2025. The great folks at Zscaler, they are the leader in cloud security because they do something that really works for your security. Over the past few years, enterprises have spent billions of dollars on perimeter defenses, on firewalls and of course VPNs so people can get through the firewall and get to work. Has that solved the security issues? No. Obviously if you listen to this show, you know breaches are going up 18% year over year. Increase in ransomware attacks last year alone. I think it's going to be even more this year. A $75 million record payout in 2024. And that's just the tip of the iceberg. Problem is that traditional security tools, perimeter defenses and VPNs, expand your attack surface. They give you public-facing IPs that are easily exploited by bad actors, especially now that they're using AI tools to hammer away. Also, the real problem is once somebody penetrates the perimeter defenses, the firewalls, it's presumed, oh, they're an employee, they're in, that's okay, let them do whatever they want. Which means you've enabled lateral movement. Users are connected to the entire network. If that user is not a good guy, but a bad guy, they can find embarrassing material, customer information, emails, and then exfiltrate it using encrypted traffic, which the VPNs and the firewalls struggle to see, so that you're, you know, you've got a porous situation. It's just not good. I mean, the bottom line is hackers are exploiting traditional security infrastructure. They're doing it with AI. They're outpacing your defenses. We gotta rethink security. Can't let these people win. They're innovating faster than we are. They're exploiting our defenses. That's why you should turn to Zscaler. Zero Trust plus AI. How does it work?
Well, first of all, Zscaler hides your attack surface, making your apps and IPs invisible. Bad guys can't attack what they can't see. Right. Also, it doesn't make any assumptions about anybody on the inside. It eliminates lateral movement because users can only connect to the specific apps they're authorized to use, not the entire network. And it continuously verifies every request based on identity and context. It simplifies your job with AI-powered automation. And it uses AI to detect threats. You know, right now, Zscaler is handling over half a trillion, with a T, daily transactions. Now, of course, the vast majority of them are legit, but there are threats. Little needles in that giant haystack. They're using AI to scan it and find it so they can stop those threats before they happen. Bottom line, hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust plus AI. You can learn more at zscaler.com/security. Please use that address. That way they'll know you saw it here. zscaler.com/security. We thank them so much for supporting the very important work Mr. Gibson does here on Security Now.
Steve Gibson
Well, I will say that a lot of our listeners have said that the podcast has made a huge difference to their lives and their careers and.
Leo Laporte
Nice.
Steve Gibson
And so I would agree with that. I.
Leo Laporte
It's made a big difference to my life and career, actually, to be frank.
Steve Gibson
I appreciate the feedback. Okay, so I gave this one the caption, once seen, never forgotten. Because this is just. I love human cleverness.
Leo Laporte
Wow, that's clever.
Steve Gibson
I don't know who could look at 3.14. This was, of course, on the radar because we just had March 14th a couple weeks ago. And who could look at 3.14 and realize that if it were in the mirror and you tweaked the shape of the numerals a little bit, the mirror image is "pie". That's just brilliant.
Leo Laporte
That's cute. It's very.
Steve Gibson
Again, once seen, never forgotten. I actually had a really, really good picture of the week, and I thought, oh, I just.
Leo Laporte
Okay, this one's timely. You have to do this one.
Steve Gibson
Yes, exactly. Because it's gonna be April Fool's Day next time we're doing a podcast. And you never know what could happen there.
Leo Laporte
That'll be fun.
Steve Gibson
Okay. So I've said many times that, like when someone screws up, an employee makes a mistake, I know that some people's reaction is to say, you're out of here. You're fired. To coin a phrase. I've always thought, I guess I've taken a more tempered approach and thought, okay, well, if a lesson has been learned, if the employee who made a mistake, an honest mistake, who didn't intend to do what they did, learned from it, then you've got a better employee after that than you had before. So are you going to can a better employee? Some other employer is going to get him and he will have learned the lesson at your expense and the other employer gets the benefit. So for that reason, I'm glad that what happened yesterday, I guess it was, happened. And I'm not glad because there's, you know, it's egg on the Trump administration and Cabinet's face; that doesn't do anybody any good. I'm glad because this was a crucially important lesson for this new group of cabinet officials and people who are in charge of the nation's security to learn. We on this podcast more than anywhere else know that our phones are not secure. It doesn't matter that Signal is secure. We know it is. In fact, I'll be talking about it a little bit later, and the ratchet protocol which we talked about a long time ago when it was called TextSecure. We know Signal is state-of-the-art security. We also know that Pegasus and many other types of malware are arranged to get themselves installed in people's smartphones specifically so that if they do something like this, foreign intelligence agencies will obtain that information. So I'm sure that everyone must know that a mistake was found because a journalist was inadvertently included in a multi-way Signal conversation where the details of war planning by the US was being shared using Signal and people's smartphones. And that's just not secure. And I'm watching the press coverage and people saying, well, Signal is secure.
It's like, yes, but we know that you get the data after it's decrypted and displayed on the screen. And while it's being typed in before it is encrypted, it's unencrypted on your.
Leo Laporte
Device is the point. Right?
Steve Gibson
Yes. And that's the key. And these smartphones we absolutely know cannot be trusted. And you know, there's been lots of dialogue, that's why there are SCIFs, that's why people have to leave their smartphones at the door and come in without them. And on and on and on. So anyway, my take is that this mistake will not get made again. And that there was without question a cavalier, too casual, but probably due to just a lack of understanding, lack of appreciation. You know, these are people who are not in the administration, haven't been historically. In fact, that's why they're here. Right, because the US voted for the return of Donald Trump and he was gonna bring his own people that he felt comfortable with who were not part of the so-called deep state. So this is what you get, is you need to learn some lessons. This was an important lesson and I'm sure everybody involved has learned it. I'm sure we're not going to have more national security conferences being held on random smartphones any longer, and better that happened now, like soon, and that now for the rest of this administration, I'm sure this won't happen again. So, you know, again, I don't tend to fire employees when they make mistakes if they've learned a lesson. And it was an honest mistake and it wasn't malicious. It certainly wasn't. It was just casual and that can't happen. So I'm sure that message has been received, you know, across the administration. So lesson learned. That's the way these things happen. Okay. Our first piece of news that I had, I said don't try this at home or anywhere else for that matter. I've touched on this before, but it's worth repeating again. I don't think it's something that would affect our listeners, but over 100 auto dealerships were being abused in a supply chain attack from a compromised shared video service which was unique to dealerships.
It's something that the dealerships were using as a, you know, an outsourced managed service provider that was providing these video services to them. Who knows what for. But when active, the attack would present visitors to this dealership-hosted website, excuse me, with a web page containing infected JavaScript. So when they visited this at any of over 100 dealerships, there was a chance that this malicious JavaScript would load. If it did, it would redirect the user to a page on a compromised host that prompted the user with something everybody is now seeing, right? It would show a dialog box with a big headline, Robot or Human. Then it would say check the box to confirm that you're human. Thank you. And then the thing we've all seen, just a checkbox that says, you know, that alleges I'm not a robot. And the little reCAPTCHA logo, and you know, who would not click it? We're having to do that now increasingly. In this case, however, of course this is malicious. So this is not actually the reCAPTCHA, you know, single-click dialog. This is malicious JavaScript running. So the next thing that would happen is unusual. That little I'm-not-a-robot dialog would drop down, expanding with three additional verification steps. And here's where I said we've encountered this before, because we've talked about this before. The first verification step, press Windows button, Windows-R. Second step, press Control-V. Third step, press Enter. Well, okay. Listeners of this podcast understand that Windows-R opens the Run dialog down at the lower left of your screen and gives it focus. Then pressing Control-V will paste whatever the malicious script had placed onto the Windows Clipboard. And it was able to do so when you clicked the I'm-not-a-robot button. That wasn't actually I'm not a robot. That was, yes, here's permission to paste onto my Windows Clipboard.
So now the string has been pasted into the Run field of the Run dialog, which will be executed when you follow step three and press Enter. So if the user performed these steps, a PowerShell script was executed on the user's machine that would download further payloads and ultimately install the Remote Access Trojan SectopRAT, a Remote Access Trojan, RAT. And again, I've mentioned this before. I'm deliberately revisiting this because it's so diabolically clever, and I mean diabolical. And I believe that it perfectly captures a significant and fundamental problem that doesn't have any simple solution. And that's the human factor. I know that listeners of this podcast, you know, would not blindly follow these instructions, but we would all pause to consider what's going on here, which suggests we're like, wait, what? And then we're looking at it and go, oh, I'm not doing that. But the important point here is that tech-savvy PC users are in the clear minority. We as the techies in our social groups, our families, you know, the people that others come to, we hear their questions. We understand that many people when presented with this would go, oh, okay, I get it, you know, and followed 1, 2, 3, followed the instructions. The vast majority of PC users have no idea what's going on at all. And as a consequence, instruction following has always been their way of life within the PC world. Leo, you had a radio show for decades and you were Mr. Instruction Giver. Because people needed to follow instructions in order to solve their problems. You know, the person could be a brain surgeon by training and education and experience, but that would still not prepare them for all of the many clever ways a PC user can be tricked into doing something self-destructive. The great annoyance for me is that I cannot see a future where this is resolved. I don't know how we get out of this mess.
The only thing I can see that might resolve this, and I'm actually not kidding, would be an entirely different user interface experience with our PCs. Meaning there isn't a Run dialog, there isn't a copying from the clipboard and pasting into it and pressing Enter. Those things go away. Imagine an entirely different user experience for our personal computing environment where active AI agents interface the user to their personal computation and communications devices. It might sound far-fetched, but I was watching Leo before MacBreak Weekly talking to an AI, having a conversation with it back and forth, and it was very. Yeah, I mean it was like you could. And here was Alex talking about how he's using, was it Vibe, in order to.
Leo Laporte
They call it Vibe coding, but it's. I don't know what he was using. There's a variety of tools.
Steve Gibson
Oh, so Vibe is a generic term for like, not. It's sort of the way you read books, Leo, without actually doing any reading. I get it.
Leo Laporte
Audio counts.
Steve Gibson
I get it.
Leo Laporte
Audio counts. Yeah. You're not typing code because you don't know how to code. You're telling the chat bot to code. You're giving it the Vibe of the, of the app, not the actual.
Steve Gibson
I see. We want something sort of like this.
Leo Laporte
Yeah, yeah.
Steve Gibson
A little more green in there, on the corners. Yeah. So as we know, the reason, I mean the reason I think I'm kind of serious is once upon a time, let's go back in time, all interaction with computers was via a teletype, which had a clunky, clankety keyboard and it typed text onto a wide, continuous roll of paper. A big jump was to the textual video display screen, which was faster and a lot quieter. And then for a long time, that's all we had. That's all there was. And then the next big change was to a graphical display which we interfaced to not only with that same keyboard, which was now quieter, but also the game-changing mouse and on-screen pointer. So my point is there have been in the past several real upheavals, several real arguable breakthroughs in the way humans interact with computers. I think we're on the cusp of another one. And so I could see where one way of taking the human out of the execution loop, which hurts them as much as it helps them, is for there to be an AI agent, a Dave, saying, I'm afraid I can't do that.
Leo Laporte
I mean, Hal said. That attack would not have worked on an iPad or a Chromebook. It works on Windows and it could probably work on Macintosh. I think we need both, Steve. I don't want to give up my capability to run arbitrary code on my computer. That's my computer. But there are a lot of people who shouldn't have that capability. They should probably be using a Chromebook or an iPad. And I think that's the theory of this.
Steve Gibson
I completely agree. And again, I'm, you know, Windows 10, which, where I plant, I'm planting my stake here, baby. There's no Copilot anything here, so I'm safe. But you know, this would be a great benefit for many people who just want. I mean this whole notion of agency coming, that's overall a good thing. We got a lot of, you know, sharp edges and corners and things to polish off.
Leo Laporte
I think it's just going to introduce more exploits. It's not going to get rid of them, is my personal feeling.
Steve Gibson
Change them. Yes.
Leo Laporte
Yeah. It's just going to be different. Yeah. I think then they'll take advantage of data.
Steve Gibson
I would have a hard time arguing that, Leo. I think you're probably right. Yeah, I think that is the case. Okay. Shanghai, China. Recently Espressif just responded to the Spanish researchers' backdoor discovery. They wrote, quote: "Recently some media have reported on a press release initially calling out ESP32 chips for having a 'backdoor'." They used air quotes. "Espressif would like to take this opportunity to clarify this matter for our users and partners. Recently some media have reported on a press release initially calling out ESP32 chips for having a backdoor. Of note is that the original press release by the Tarlogic research team was factually corrected to remove the backdoor designation. However, not all media coverage has been amended to reflect this change." So they said what was found, the functionality found, are debug commands included for testing purposes. And that's entirely feasible, by the way. I didn't suggest that when we talked about this, but yes, that makes absolute sense that you would want to verify that the host controller interface, for example, is able to read and write to main memory as it must for DMA, direct memory access, to function. So the way to do that: have some undocumented commands that cause it to do so and then check to see whether main memory has been altered as those commands requested in order to verify. So it fits perfectly. They said, "These debug commands are part of Espressif's implementation of the HCI (host controller interface) protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers. Please read our technical blog to learn more." But they said they had five key clarification points. First, internal debug commands. These commands are meant for use by developers and are not accessible remotely, which is the main point we made when we talked about this. They said having such private commands is not an uncommon practice. Two, no remote access.
They cannot be triggered by Bluetooth radio signals or over the Internet, meaning they do not pose a risk of remote compromise of ESP32 devices. Third, security impact. While these debug commands exist, they cannot by themselves pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands, which, that's news. Okay. Fourth, scope. If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE, you know, Bluetooth Low Energy, host, the aforementioned HCI commands are not exposed and there is no security threat. And finally, number five, affected chipsets. These commands are present in the ESP32 chips only and are not present in any of the ESP32-C, -S and -H series of chips. So they finished with their commitment, stating, just like to put everyone's mind at rest, "Espressif has always prioritized security and is actively working on continuous product security improvements. We have a standard product security incident response process with an underlying bug bounty program that is active since 2017," meaning they're state of the art in, like, saying we want to know if we make any mistakes. They said, "This program offers a bug bounty encouraging researchers to collaborate with us to discover and fix potential issues, enhancing the security of the entire ecosystem." Now we should note that the guys, the Spaniards at the conference, said that they had contacted Espressif, who had not responded. We don't know the backstory there. So okay, Espressif said, "Espressif also extends its gratitude to the security research community for promptly clarifying that the disclosure does not constitute a backdoor. Their responsible disclosures and continued support have been invaluable in helping users accurately assess the security implications and maintain the integrity of their connected devices."
And understand this was initially, right, like a big black mark, and oh, China, you know. So it's good that a lot of the community said, oh, wait a minute. At the same time they finish, "We recommend that users rely on official firmware and regularly update it to ensure their products receive the latest security patches. Should you have any questions, please do feel free to contact Espressif's official support channels." So you know, as we know, this is exactly what we concluded from an examination of the location and nature of these so-called backdoor commands. The key is that they were never externally accessible. They were simply commands for the internal native Bluetooth HCI controller. And boy does the idea that they would be for debugging the hardware, like during initial QA, you want to make sure that the controller's working, that it's able to do these things. So totally makes sense. And also for doing things like setting the MAC address. Could you use it for spoofing? Ooh, yes, but you can always change the MAC address of this stuff. So fine, not a big problem. And besides, you can't do it remotely. You have to deliberately do it on the chip using those commands. So that wasn't a problem. Here's something that is. 11 advanced persistent threat groups are known to be abusing a Windows zero-day.
Leo Laporte
Oh man, 11.
Steve Gibson
We know them by name, but because what they're doing is not technically leveraging a flaw in Windows so far, although this was reported to Microsoft by Trend Micro's ZDI, their Zero Day Initiative, six months ago last September, Microsoft has declined to address the issue. There's like, it's not, it's like, it's what it's supposed to do. It's like, but Microsoft, it's bad. We talked about this at the time because it was just a head shaker that in 2024, let alone still today in 2025, Leo, Windows LNK link files are still being exploited. And what's more, despite the fact that the exploitation of this single zero-day vulnerability goes back eight years, Microsoft says no fixie. The 11 APT groups operate out of North Korea, Iran, Russia and China. So you know, the good guys, none who have recently been behaving as friends of the West. They've all used this zero-day to hide their malicious instructions in LNK files sent to targets. And Trend Micro has discovered nearly 1000 malicious LNK files which are abusing the technique. Microsoft's response is that it's all working just the way they want it to. As I said, we covered this before. Recall that there was, and unfortunately still is, a way to format the fields of the link file to essentially whitespace-pad the actual content of the link field, the target field, so far off to the right that none of it shows up where the user goes to examine the link file's properties. So if you right-click and do Properties to look at the link file, you don't see anything in the target field. The user won't see that they're going to run evil-malware-downloader.exe when they click the link. I have a link to Trend Micro's fully detailed report in the show notes for anyone who's interested. The high-priority takeaway for our listeners is to never click any link that has an apparently empty target field. Because the target field cannot be empty. That field must be non-empty for the link to have any effect.
That's the field that tells it what to do. So it makes no sense for the target to ever be blank. Never make the mistake of assuming that a blank field means the entire link is benign just because there's nothing obviously nefarious about it. It's just heavily space-padded in order to move the bad news out where you can't see it. And in fact, I think I recall that there was also an exploit where what you would see looked deliberately benign because that was just the left-hand portion of a much longer thing which had a bazillion spaces in it and then the actual bad news. So it's even possible to spoof what is in. I mean, Microsoft, as we've seen from time to time, there are some design corners that you can get yourself painted into which just don't have good solutions. And so here's Microsoft basically committed to supporting link files. They can't take them out now. It would break all kinds of stuff in Windows, so they're stuck with it. But it was a bad idea back when it was added to Windows 1.0 and it's not gotten any better since. But Leo, half an hour in.
Leo Laporte
Yes?
Steve Gibson
I think we should talk about what has gotten better since.
Leo Laporte
Oh, okay. I think we could do that.
Steve Gibson
And then we're going to look at the trouble that Apache Tomcat servers are in.
Leo Laporte
Oh, please. Oh, that's bad news. There's got to be some reason for LNK files, right? I mean, people share LNKs or something.
Steve Gibson
Oh, they're handy. My desktop is covered with them.
Leo Laporte
Well, there you go.
Steve Gibson
Yeah.
Leo Laporte
You can't get rid of them. No, Steve's desktop is covered with them.
Steve Gibson
Can't, actually. I haven't clicked on any of them in about 12 years, so I'm not really sure what they do.
Leo Laporte
I'm thinking at this point you might not want to. That's hysterical. Yeah, yeah. Those are the aliases, right? Yep, yep, I use them too. Maybe they should change how they work. That might be a better solution to that than a minute.
Steve Gibson
Well, one wonders why Microsoft is just saying, no, we're not, we don't care that you've got, literally, I saw some examples in this Trend Micro link, there are some, there are 32K of spaces. How do you defend that, Microsoft?
Leo Laporte
Yeah.
Steve Gibson
How do you. Yes. How do you defend having something that obviously makes no sense?
Leo Laporte
Yeah.
Steve Gibson
Well, here's the thing which is also being abused.
Leo Laporte
Yes. Here's something that makes a little bit of sense, actually. People are doing something that does make no sense in the world of security. Our sponsor for this portion of Security Now is Legato Security. Would it make sense for you to put in a burglar alarm that didn't have any monitoring? So if you're gone for the weekend and somebody breaks into your house, no one knows. The alarm knows, but nobody's paying attention. Well, what doesn't make sense to me is there are a lot of security folks who have all of the defenses and all the alarms, but then they go home for the weekend and nobody's keeping an eye on things. I understand why, it's expensive, but no business should be their own burglar alarm. And that applies to cybersecurity too. Legato Security is great for the small or mid-sized business that doesn't want to have a security operations center monitoring everything; they'll do it for you. Legato Security provides the same standard of security controls the big guys use, that large enterprises use, without the cost of building your own internal security operations center. It's a recognized leader by CRN, by MSSP Alert. In 2024, Legato Security transforms how businesses approach cybersecurity. Now, first of all, you're going to say, well, I don't want to put in all new stuff. No, it's a technology-agnostic MSSP platform, managed security service provider platform. It provides your business with a custom suite of security solutions tailored to your needs. You know, you can continue to use exactly what you like. It integrates seamlessly with your existing tools so you don't have to do a big infrastructure overhaul. What you're adding is a security operations platform on top of it. They call it Ensemble and it delivers consolidated, prioritized and actionable alerts in real time via a comprehensive single pane. That's nice too, because if you have it in multiple pages, multiple locations, it's hard to know what's really going on.
This is a single pane of security. You know, hackers don't take holidays. Remember that story we had where the malicious Chrome extensions were pushed on Christmas Eve because they knew nobody would be around for a few days and they could run untrammeled, unhampered? Hackers don't take holidays. In fact, they actually actively attack you when they know you're off the clock. You need Legato Security's 100% U.S.-based team, all in the U.S. They provide proactive threat detection. They also do triage and remediation, so if something happens, they can help you fix it, 24/7, 365 days a year. You should go look at the website, because they have this beautiful purpose-built SOC, security operations center. Your team can focus elsewhere. You know what? Wouldn't you like to be able to clock out, go home for the weekend and not have to worry? From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth and you can focus on having a beer out by the swimming pool. A recent customer says, quote, "Legato Security is the only supplier that has delivered everything they said they would, and we didn't have to drive them. They just get it done." In fact, what I love about Legato Security is they won't call you and say you've got a problem. They'll call you and say you had a problem; we fixed it. Wouldn't you like that? IT and security professionals, just remember this: Legato Security's MSSP team is here to augment your team, not replace them. They're the professionals you want on your team to back up your cybersecurity forces and fortify your proactive defenses every hour of every day in the year, 24/7, 365. It's not enough just to have security tools. You know this. You gotta have the expertise to back it up. See if your defenses are as strong as you think. Legato's got a great free risk assessment at their website, legatosecurity.com.
You could just go through this checklist and see where you might have a problem. Visit legatosecurity.com. That's free, just to give you a sense of where Legato can really help out. Find out what they can do to help you regain control and enjoy your weekends like you used to. legatosecurity.com. The bad guys aren't taking time off, but you get to. legatosecurity.com. I talked to these guys, had a great conversation with them a couple of months, maybe last month, I guess, not so long ago. And I was so impressed with what they're doing. legatosecurity.com. Thank you, Legato, for supporting the important work Steve's doing here. He's also part of your security team, isn't he? On we go with the show, Steve.
Steve Gibson
Okay, so the API security firm Wallarm, W-A-L-L-A-R-M, posted an announcement last week titled "One PUT Request to Own Tomcat," and they said CVE-2025-24813 RCE is in the wild. They wrote: "A devastating new remote code execution vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over" (oh, Leo, it's so bad) "vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user, IC857, is already available online." Okay, so here's what we know. This newly disclosed attack leverages Tomcat's default session persistence mechanism, along with its support for partial PUT requests. Tomcat is Apache's Java web application server that provides a pure Java HTTP web server environment in which Java code can run. This new exploit works within this environment and requires just two simple steps. One of the reasons this is so bad is it is so easy to do. First, the attacker starts by sending a PUT request to upload. I should explain: HTTP has, at its base, original definition, a number of verbs. There's GET, which is the most commonly used verb ever, which just gets, you know, gets content, gets HTML content from the server. So the client says GET and then provides the path to what page should be gotten, and then receives it. POST is another common one, where the client is sending some data back. That's what typical forms use. They use POSTs in order to send data back to the server. Another one is HEAD, which says just give me the headers of the page so I can see if it's changed recently, how big it's going to be. You know, I don't want the whole page, I just want the headers. And then similarly, a final verb, although there's a bunch of others, is PUT, which says, here is a file that I want you, HTTP server, to accept from me. So the attacker starts by sending a PUT request to upload a malicious session file to the server.
The payload of that PUT request is a Base64-encoded ysoserial gadget chain that's designed to trigger remote code execution when it's deserialized. And we've talked about serialization and deserialization, deserialization being the interpretation phase. This initial PUT request writes a file inside Tomcat's session storage directory, where it stores session state. Because Tomcat automatically saves session data in files, the malicious payload is now stored on disk, just like any other valid session would be, waiting to be deserialized. So the first step essentially causes the Apache Tomcat server to upload and store the attacker's Java attack file in toto, in whole. Then, with the session file uploaded, the attacker simply triggers deserialization, i.e. the resumption of what Tomcat believes is a stored and saved session, which it has every reason to trust because it thinks, well, I create the session files, right? I'm the one who made these. So now I'm going to reconstitute this previously stored session. The attacker triggers the deserialization of that file by sending a simple GET request, providing a JSESSIONID cookie which points to the malicious session. So literally two commands, two simple, well-documented, well-understood requests, out in the public domain now with proofs of concept floating around. And it happens. Seeing that session ID, Tomcat dutifully retrieves the stored file, deserializes it, and executes the embedded Java code, which typically grants full remote access to the attacker. So this is about as horrible as a remote attack can get, because it's dead simple to execute, requires no authentication and very little imagination, even no technical expertise. Lots of proofs of concept are out there. The only technical requirement is that the Tomcat server is using file-based session storage, which is common in many deployments.
Also, the use of Base64 encoding allows the exploit to bypass traditional security filters, making detection somewhat more challenging. And of course, before you can detect it, you need to know to look for it in the first place. Wallarm detected the first attack in the early afternoon of March 12th, Central Standard Time, originating from Poland, a few days before the first public exploit was released on GitHub. For anyone who's curious and interested, I've got the GitHub posting from this person who tweeted it, IC857, with the proof of concept ready to run. The Wallarm folks caution about the future, writing: "While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows uploading practically any file anywhere." Yeah, just like, what year are we in? We're still doing this. "Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations and planting backdoors outside of session storage." They said: "This is just the first wave. The reality is that reactive security, waiting for CVEs, adding web application firewall rules and hoping logs will catch threats, will always be a losing game. CVE-2025-24813 went from disclosure to public exploit in just 30 hours." So a day plus six hours, and now it's happening. It's not the first time that this has happened. And I'll just note that 30 hours is not time enough for Apache's Tomcat team to get up to speed and patch, let alone test and deploy what is a critical update, to say nothing of having those updates deployed and actually getting servers patched. I mean, this is just too quick to turn around. And of course, that's what we're seeing now, right? We've talked about this before. There's a race to see, for exploitation to occur before patches can be deployed.
Leo Laporte
It feels like maybe the disclosure was either too complete, like it gave people too much information, or maybe they should have done it in private first.
Steve Gibson
Well, it wasn't. It was certainly not a responsible disclosure. This was just posted on a Chinese forum.
Leo Laporte
Yeah, that's right. Okay.
Steve Gibson
And so this. Yeah, this wasn't a security. No way was this responsible. And we can't always count on that. Right? It'd be nice if we could, but not everybody says, hey, I need brownie points here, please. You know, this was some, you know, Chinese person, or at least a person posting over on a Chinese forum saying, look what I found. Everybody give this a shot, see if it works. And lo and behold, they did.
Leo Laporte
Ouch.
Steve Gibson
Wow. Yeah. NIST's National Vulnerability Database concurs about the severity of this CVE, assigning it the maximum common CVSS severity rating of 9.8 and formally labeling it critical. Now, there's a little bit of good news here. The global inventory of these Apache Tomcat servers appears to be somewhere just short of about 19,000 installations. So it's not 19 million. That's good. It's not a huge amount of global exposure, but on the other hand, they're likely to be running within enterprises that would qualify as prime targets; for an enterprise to be running a Java application server, it's probably a more substantial organization. So our takeaway here is the refrain that, yes, security is difficult and features will almost always come back to bite you in the butt, no matter how you pronounce the ASRock server.
Leo Laporte
I think we've decided.
Steve Gibson
ASRock motherboard.
Leo Laporte
It's ASRock now.
Steve Gibson
ASRock.
Leo Laporte
Yes. Good. Not ASRock. Okay?
Steve Gibson
Not ASRock.
Leo Laporte
Just be clear.
Steve Gibson
Before we leave the topic of really bad remotely exploitable vulnerabilities, I should mention that the firmware security company Eclypsium discovered a remotely exploitable vulnerability in AMI MegaRAC baseboard management controllers, you know, BMCs. Those are the sort of pre-boot firmware which allows remote management of servers over the Internet by connecting. Typically you have a reserved NIC, a network interface, you know, an Ethernet connection, to allow you to manage that server remotely. Well, they found a problem. The vulnerability, which is being tracked as CVE-2024-54085, received a 10 out of 10 severity score. The reason for the maximum score is that the vulnerability allows attackers to bypass authentication and access the baseboard management controller's remote management capabilities. In other words, you're certainly going to protect this. You sure don't want this thing exposed to the Internet. But over a thousand devices with these MegaRAC interfaces are currently exposed on the Internet, with ASUS, ASRock Rack and HP Enterprise being the major vendors that supplied the machines. So unfortunately, over 1,000 of these buggy, now known to be vulnerable baseboard management controllers are publicly accessible, meaning that bad guys are going to say, hey, let's have some fun and bypass authentication, and then you're in. I mean, you can upload firmware, you can change the passwords, you can reboot the systems, you can get up to all kinds of mischief using the BMC port, and it's not something you ever want to have publicly exposed.

Google purchased Wiz cloud security. We've recently covered some news involving the good work of the cloud security startup Wiz, and due to the sound of its name, I felt the need to spell it. It's W-I-Z, as in wizard, in case we talk about them in the future, and I imagine that we will be.
I wanted to note for the record that they were just acquired by Google, in what must have made their venture capital investors very happy since, as I said, this was a startup, and the acquisition was the largest cybersecurity-related acquisition ever. So, you know, the size of Google doesn't appear to be shrinking. Google first attempted to purchase Wiz last year for the measly sum of $23 billion. But that deal fell through, and I imagine there was plenty of disappointment to go around. But Google came back again, this time closing the deal for $32 billion in cash. The deal will need to pass regulatory review, and that might be such smooth sailing at this point, but I have no real idea. Since I expect we'll be encountering them in the future, just as we do Mandiant, another one of Google's recent security acquisitions, I wanted to mention that. So they are now part of the Google juggernaut.
Leo Laporte
Are they like Mandiant. Are they a security research firm?
Steve Gibson
What is it that they... They're a cloud security group. You know, they find things and report things and offer security services.
Leo Laporte
Yeah, yeah.
Steve Gibson
GSMA is the GSM Association, where GSM stands for the Global System for Mobile, as in communications. Right. They made some news Friday. Actually, it was Friday before last, with their announcement's headline "RCS Encryption: A Leap Towards Secure and Interoperable Messaging." So here's what Tom Van Pelt, the Technical Director of GSMA, posted. He said: "In my last post, which was 'RCS now in iOS,'" he said, "'a new chapter for mobile messaging,' I celebrated the integration of Rich Communication Services (RCS) with Apple's iOS 18, a culmination of years of collaboration across mobile operators, device manufacturers and technology providers." He wrote: "Today I am pleased to announce the next milestone: the availability of new GSMA specifications for RCS that include end-to-end encryption."
Leo Laporte
Hallelujah.
Steve Gibson
Yes. Based on the Messaging Layer Security, MLS, protocol. Messaging Layer Security, he said. "Most notably, the new specifications define how to apply MLS within the context of RCS. These procedures ensure that messages and other content such as files remain confidential and secure as they travel between clients. That means that RCS will be the first large-scale messaging service to support interoperable end-to-end encryption between client implementations from different providers. Together with other unique security features such as SIM-based authentication, end-to-end encryption will provide RCS users with the highest level of privacy and security for stronger protection from scams, fraud and other security and privacy threats. These enhancements to support end-to-end encryption are the cornerstone of the new RCS Universal Profile release. In addition to end-to-end encryption, RCS Universal Profile 3 makes it easier for users to engage with businesses over RCS messaging through a richer deep link format and includes additional smaller enhancements such as improved codecs for audio messaging and easier management of subscriptions with business messaging senders. In addition, RCS continues to support a range of interoperable messaging functions between iOS and Android users, such as group messaging, the ability to share high-resolution media and see read receipts and typing indicators." He finishes: "I would like to thank all of the contributors for their support in developing and finalizing these new specifications. They represent significant progress in enabling even more of a thriving RCS ecosystem built on the foundation of secure and private messaging for the benefit of end users worldwide." Okay, now I took a brief look at the 90-page specification, and it looks like the right people have been involved. Among other things, I noted that the word "ratchet" appears 20 times in the document.
We've discussed the use of ratchets for group messaging key distribution in the past, having first encountered the term when we discussed Moxie Marlinspike's Axolotl ratchet. Actually, it was a double ratchet, which he developed along with Trevor Perrin as part of the TextSecure project, which was later rebranded and expanded into what we now know today as the Signal protocol. I guess I would take issue with Tom's characterization of the RCS's MLS as more secure and better and blah blah blah. It's not; it's at parity, but that means it's really, really, really secure. Yeah, you know, it's all you need. It's as good as it gets. It's good enough for the Department of...
Leo Laporte
Defense, it's good enough for me.
Steve Gibson
That's right. It's good enough to discuss war planning. So the bottom line is that it appears that the cross-platform RCS multimedia secure messaging protocol, which even Apple now supports as of iOS 18, will be obtaining strong, state-of-the-art, end-to-end, double-ratcheting, you know, Signal-style encryption, and it will be done correctly. So one has to wonder what the UK and the EU will have to...
Leo Laporte
Say about that. A little bit of history. When RCS, the RCS spec, came out from the GSM Association, it had no encryption. Google decided encryption had to happen. So their implementation had a Google end-to-end encryption. But because that came from Google, Apple did not implement it. Apple said, until there is a standard, we're not going to implement encryption in... you know, Apple Messages has encryption, but not RCS. So that was a problem, because Apple users using RCS might have thought, oh, it's encrypted, because it is if it's Google to Google, but not if it's Apple to Android. So this is a big, a very important improvement, and I do hope Apple moves quickly to implement it because... Well, I mean, that's the problem right now with SMS. It's not secure.
Steve Gibson
Yes.
Leo Laporte
Then we will have, on both Android and iOS, encrypted secure messaging technologies, and that's a big, big improvement. You're right, it's going to... the EU and the UK are going to hate it.
Steve Gibson
But yes, they are. I mean they're going to have a fit.
Leo Laporte
Yeah, because all your text messages will be suddenly encrypted.
Steve Gibson
Yeah, I mean, like, well, encrypted where it's encryption done right, à la Signal and Messenger and everything.
Leo Laporte
Although again, and this is an important lesson that I do hope Pete Hegseth...
Steve Gibson
...has learned: the fact that it's encrypted in flight does not mean that it's encrypted on your phone.
Leo Laporte
On your phone. And of course, I don't know what it'll be like with RCS, but when you use iCloud to back up your Signal messages, they're backed up in the clear. So, you know, that's something you might want to consider as well. You know, I don't know what they're gonna... I would, I will read up on this. I'd be very curious what happens to it back.
Steve Gibson
Well, and I know I have not ever really paid attention to what equipment our presidents receive, but I think they have special phones, don't they? I remember Obama was bitching and moaning.
Leo Laporte
He had a BlackBerry, and he really loved his BlackBerry, but he got elected president, and the first thing the Secret Service did is hand him a greatly modified Windows CE phone that Obama hated. He hated it. And he came on... I was on the Tonight Show bitching about it. But that was a long time ago. When Trump was elected in 2016, when he took office in 2017, he very famously refused to hand over his iPhone. So it's my guess that they don't give them a Windows CE phone anymore. But that really does raise issues, because, you know, if you're using it to communicate super secret stuff, it's not super secret, especially with Pegasus out there and, you know, all these other ways, the Chinese hackers who are sitting in our phone system specifically listening to governmental interactions. This is... you should be in a SCIF.
Steve Gibson
Well, I get in a scenario again, Leo, there's no way this lesson has not been learned.
Leo Laporte
I mean, they only got caught, remember? They got caught. That's the problem. They've probably been doing this all along. It is a violation of.
Steve Gibson
That's why I'm glad they got caught.
Leo Laporte
Because it is a violation. There are going to be hearings, because it's a violation of DoD regulations. I'd be really curious. DoD has its own secure messaging technology that they use, and they of course have SCIFs. I'd be very curious. We probably won't be able to learn any details.
Steve Gibson
I just think this, it was very convenient and they just, they didn't understand that they have to have these kinds of communications under really controlled circumstances. Now they understand.
Leo Laporte
I'm sure they were told that.
Steve Gibson
Probably part of the, part of the briefing, the instruction manual that you received.
Leo Laporte
Maybe they slept through that part, I don't know.
Steve Gibson
Let's take a break, and then we're going to ask, we're going to answer, the question: what world are we living in today?
Leo Laporte
What timeline are we living in?
Steve Gibson
I don't recognize some parts of this world.
Leo Laporte
I know exactly what you mean. I can't wait to hear what you have to say about that. Steve and I are the old men shouting at the clouds. Let's talk about our sponsor for this segment.
Steve Gibson
My Wi-Fi.
Leo Laporte
My Wi-Fi. I'm using it. How dare you put a password on, and I was using your Wi-Fi. We've talked about this sponsor before: DeleteMe. And we have a very clear example of why, here at TWiT, we use DeleteMe. I think every business, for at least its management, should have DeleteMe, because it protects you against the worst kind of spear phishing attacks. Our CEO was impersonated by a bad guy who not only knew her name and her phone number, but the names of her direct reports and their phone numbers. And the problem is all of that information is easily found online. If you've ever searched for your name online, and I don't recommend this, you will not like how much of your personal information is just sitting there. And then, you know, all the sites say this, and for a buck fifty, I could tell you his criminal record. They all offer, give me a little more and I'll tell you more. That's why maintaining privacy has just become an urgent concern, not just for individuals, but for families, for businesses. And the good news is DeleteMe has plans for all of the above. With DeleteMe's family plans, you can ensure that everyone in your family feels safe online. Their enterprise plans help everybody in your company stay safe. We immediately got DeleteMe for Lisa, our CEO. And the good news is, when Steve and I searched the big national public database breach, we found... Steve and I both found our Social Security numbers in there. We did not find any information about Lisa. And that tells me that DeleteMe had been working. DeleteMe helps reduce risk from identity theft, from cybersecurity threats, from harassment, and it really works. DeleteMe's experts will go out, they will find and remove your information from the hundreds of data brokers, by the way, completely legally operating in the United States. These data brokers, it's not even illegal for them to sell your Social Security number to the highest bidder, whether it be China, a marketer.
With DeleteMe, you can assign a unique data sheet to each member of your family that's tailored to them. With easy-to-use controls, account owners can manage privacy settings for the whole family. Then, and this is important, DeleteMe will continue to scan and remove your information regularly, because there are new data brokers literally every day. It's such a profitable business. More people get into the business, plus data brokers are not the nicest people in the world. Even if you delete your data, chances are that dossier is going to start repopulating almost immediately. So you need to go back and check. I'm talking everything that you don't want the public to know, like your address, your photos, your emails, your relatives, your phone numbers, your social media, your property value, your Social Security number. Protect yourself, reclaim your privacy. Visit joindeleteme.com/twit. When you use the offer code TWiT, you'll get 20% off. joindeleteme.com/twit, offer code TWiT for 20% off. And I can say it really works. joindeleteme.com/twit. Thank them for supporting Steve and the work he does. Very important work here at Security Now. Okay, tell us about this brave new world we're living in, Steve.
Steve Gibson
Okay, now I want everyone to just listen to and contemplate this sentence, which for me at least begs the question. As I said, what world are we living in today? Here's the sentence that was published as a quick one liner news blurb in a prestigious security newsletter. It read, an attacker used malicious Twitter replies to hack an AI crypto chatbot and steal over $105,000 worth of ether. Wow. Okay. An attacker used malicious Twitter replies.
Leo Laporte
Okay.
Steve Gibson
To hack an AI crypto chatbot and steal over $105,000 worth of ether.
Leo Laporte
I have.
Steve Gibson
I don't even know what that means.
Leo Laporte
What does that mean?
Steve Gibson
First of all, you have to have some malicious Twitter replies, whatever those are, and those malicious replies need to be able to hack an AI crypto chatbot. What, did those replies hurt the AI crypto chatbot's feelings? Oh, like... And what the hell is an AI crypto chatbot anyway?
Leo Laporte
It sounds like just a mushed together bunch of words.
Steve Gibson
And who, who in their right mind would give this thing reign over a big pile of Ethereum cryptocurrency?
Leo Laporte
What is wrong with people? What's going on?
Steve Gibson
So you know this. Podcast listeners know that historically I am more or less bullish on cryptocurrency, at least upon the fundamentals of the technology, which I've understood from the start well enough to code it up myself if I had to. But what this has all become, Leo, is utterly unrecognizable. It's just insane. Need any tulips, anybody? An attacker used malicious Twitter replies to hack an AI crypto chatbot and steal... you know, more credit to them if you are able to use malicious Twitter replies and hack an AI crypto chatbot. Okay. You earned your money. Wow. You know, maybe I could try knitting. Is that still a thing?
Leo Laporte
Yes, it is. We still all need socks, Steve. It's...
Steve Gibson
I've. Oh, I forgot to mention that the Twitter account that perpetrated the heist or the hack or whatever the hell it was, the guy's Twitter account was fungus man.
Leo Laporte
Which is, of course, it was just perfect. Of course.
Steve Gibson
Just perfect. Okay, so the news on the TikTok US takeover front is that Oracle is the front runner at the moment. Politico's reporting about this contained enough interesting techie bits to make it worth sharing here, particularly because there are still lots of technical questions left to be resolved about how it's possible to use TikTok safely, and because it looks like it's going to happen. So here's what Politico reported. They said: "The software company Oracle is accelerating talks with the White House on a deal to run TikTok, although significant concerns remain about what role the app's Chinese founders will play in its ongoing U.S. operation," you know, like U.S.-side operation, "according to three people familiar with the discussion." So this was multiply sourced reporting, you know, done right. "Vice President J.D. Vance and the National Security Advisor, Mike Waltz, the two officials President Donald Trump has tasked with shepherding a deal to bring TikTok under US ownership, are taking the lead in negotiations. While senators have voiced a desire to be read in on any talks, two people familiar said. A third person described the White House discussions as in advanced stages. The people, who were granted anonymity, were not authorized to discuss sensitive details of ongoing negotiations publicly. It comes amid ongoing warnings from congressional Republicans and other China hawks that any new ownership deal, if it keeps TikTok's underlying technology in Chinese hands, could be only a surface-level fix to the security concerns that led to last year's sweeping bipartisan ban of the app. Key lawmakers, including concerned Republicans, are bringing in Oracle this week to discuss the possible deal and rising national security concerns, according to four people familiar with the meetings."
"One of the three people familiar with the discussions with Oracle said the deal would essentially require the US Government to depend on Oracle to oversee the data of American users," you know, Oracle obviously being big database people, "and ensure the Chinese government does not have a backdoor into it, a promise the person warned would be impossible to keep." The person told Politico, quote: "If the Oracle deal moves forward, you still have this algorithm controlled by the Chinese. That means all you're doing is saying, trust Oracle to disseminate the data and guarantee there's no backdoor to the data. If the algorithm isn't entirely rebuilt by its US owner, or if TikTok's Beijing-based parent firm ByteDance retains a role in its operations, it could retain vulnerabilities that could be exploited by the Chinese government." In other words, you know, we need a clean room, and how are we going to get to clean room status here? "The data security company HaystackID, which serves as independent security inspector for TikTok U.S., said in February," last month, "that it has found no indications of internal or external malicious activity, nor has it identified any protected U.S. user data that has been shared with China. Spokespeople for Oracle, TikTok, ByteDance and the White House did not respond to requests for comment. The deal is still billed as a Project Texas 2.0, in a nod to a previous agreement between TikTok and Oracle to relocate American users' data to servers based in Texas and block ByteDance employees in China from having any access to it, according to the first person. But that agreement, which also required Oracle to review TikTok's source code to determine its safety, failed to assuage congressional and Biden administration concerns that the app is being used by China as a spying and propaganda tool. The tech-focused outlet The Information reported Thursday that Oracle is a leading contender to run TikTok, with ByteDance preferring it for the role."
"The details about the White House's approach and the seriousness with which White House officials are considering the proposal have not yet previously been reported. It comes as Trump stares down an April 5 deadline to secure a new owner for the Chinese video-sharing company after he signed an executive order in January delaying enforcement of Congress's ban on the app for 75 days. The app briefly went dark for about 12 hours in January after TikTok's parent company ByteDance failed to meet the deadline to sell its stake and the Supreme Court upheld the congressional ban. Vance," J.D. Vance, "during an interview with NBC News on Friday, said he was hopeful a TikTok deal would be reached by the early April deadline. Last week, Trump said his administration was in talks with four different groups about a deal. Trump told reporters in January that he was open to Oracle founder and Executive Chairman Larry Ellison buying TikTok. Ellison is a longtime Trump supporter, and he's part of the so-called Project Stargate, a $500 billion AI infrastructure initiative that also operates OpenAI, SoftBank and MGX. While Trump, during his first administration, sought to ban TikTok over national security concerns, he embraced the app last year on the campaign trail. In December, he told throngs of young conservative supporters at a Turning Point rally in Phoenix that he has a warm spot in my heart for TikTok," he said, "because of the outpouring of support he received from younger voters in the 2024 election. It's unclear whether the deal the White House eventually reaches will satisfy China hawks on the Hill, though they may have little power to complain. Trump's executive order extending the initial deadline in the face of concerns from GOP lawmakers and legal experts about the order's legality showed his willingness to defy congressional will, and the decision on whether ByteDance sells TikTok or licenses its use by a U.S. company ultimately rests with the Chinese government."
Beijing wants to protect TikTok's monopoly access to its user data and is hostile to any suggestion that Chinese firms bend to the will of suspicious foreign governments. Over the past year, authorities in Beijing and in the Chinese Embassy in Washington have mostly dodged questions about the status of possible talks for the purchase of TikTok by a non Chinese firm. What little Beijing has said about that possibility hasn't offered much hope that it's in favor of such an agreement. The Chinese government will firmly oppose is their direct, quote, any forced sale of the company and require ByteDance, quote, to seek governmental approval in accordance with Chinese regulations, unquote, for any potential foreign ownership deal, a Chinese Commerce Ministry spokesman told reporters in March. That same month, a Chinese Foreign Ministry spokesperson accused Congress of resorting to hegemonic moves to try to take control of the app. In January, the Chinese government deployed more conciliatory language about a possible TikTok sale, but offered no clues on whether it would approve such a deal. Any such transactions, quote, should be independently decided by companies in accordance with market principles, unquote, a Chinese Foreign Ministry spokesperson said in January. So, Leo, I guess the question is whether China would rather lose the US market or compromise, you know, bifurcate TikTok.
Leo Laporte
If that's what it seems like. To be honest, this is the least of our worries. I mean, what are we worried about TikTok for? They have Chinese hackers in our phone system that we will never eradicate because.
Steve Gibson
We're unwilling to upgrade our routers, our Juniper routers.
Leo Laporte
We have hundreds of unregulated data brokers in this country who are selling your personal information to China completely legally, and we're not willing to do anything about it.
Steve Gibson
China, no evidence. There's no evidence that TikTok ever misbehaved.
Leo Laporte
But even if it does, they don't need it to. They already use Twitter and Facebook and every social network for disinformation. I mean, honestly. And at this point, either way, I don't care what happens to tv.
Steve Gibson
Well, and it might well be that a little bit of a dance is done here that Oracle is allowed to bless this and we just sort of let this all stay the way it is and not worry about it anymore.
Leo Laporte
Further, this is the problem with corruption, is at some point you just throw up your hands and say, what do you. I give up. It's just more corruption. You know, Larry Ellison, you even said it is a big donor to the president. The president saved TikTok after wanting to delete it, by the way, because Jeff Yass, who's another giant Republican donor, owns 30% of it. It's just crony capitalism of the worst kind. And I don't. I no longer can be bothered. Well, they win, they win. We have other technology here, other big problems. So worry about.
Steve Gibson
Yeah, yeah, yeah.
Leo Laporte
And you have a few of them coming up.
Steve Gibson
And One is.
Leo Laporte
Yes.
Steve Gibson
Two days ago, day before yesterday, on Sunday, March 23rd, the original personal genomics company 23andMe filed for protection under Chapter 11 of the Bankruptcy Act. Their press release had the headline, 23andMe Initiates Voluntary Chapter 11 Process to Maximize Stakeholder Value Through Court Supervised Sale Process. Now, I'm mentioning this here from a personal privacy standpoint because now might be a good time for anyone worried about the future of any of their genetic data being held by 23andMe to delete it from 23andMe's databases and to close their account. As a founding member of 23andMe, I just did exactly that. I have a picture in the show notes of the little pop up that I received saying, your data is being deleted. We've received your confirmation to delete your data and we're in the process of deleting your data. Your account will no longer be accessible and will be deleted per your request. For any further assistance, contact customer care. Since it took me some poking around their website, I recorded the process to make it easier for anyone who might wish to do the same. You know, I spit in their test tube long ago and I'm not in a panic about it, but given that they're going under and someone I don't know will be purchasing their assets for pennies on the dollar, leaving my genetic data behind in their database seems unlikely to do me any good at this point. So I logged in, selected Settings under my, you know, shadow head and shoulders icon in the upper right of the page. Once that page came up, which I thought was interesting, it took a while. I've not used their site a lot, so I don't know if it's always been slow. Maybe there's just a lot of people doing this at the moment. So I may not have been alone. Yeah, yeah. So then, after you click on Settings and that page finally comes up, scroll to the very bottom of the page.
Go to the very bottom under the 23andMe data section, then click the View button. Now when I did that, I noted that the View page has a clean looking URL. There's no subscriber specific gobbledygook in the URL, so it looks like it takes you directly to the page. It's y-o-u, you.23andme.com, user edit records. Alternatively, I wanted to make that easier for people. So after logging in, you could just use the GRC shortcut link I created to jump directly to the Sayonara page. It's grc.sc/byebye, B-Y-E-B-Y-E. But you have to be.
Leo Laporte
Logged in for that to.
Steve Gibson
Yeah, log in first. And after you're logged in at 23andMe, grc.sc/byebye.
Leo Laporte
Did you download your genome before you deleted the data or do you, you.
Steve Gibson
Know, I selected all those things to download everything.
Leo Laporte
Yeah, but what are you going to do with it?
Steve Gibson
Well, exactly, well exactly, because I got plenty of saliva for the future. So I'm generating it, you know, with great alacrity. So it's not a problem. It takes time for them to get the data to you. They said, okay, we've received, I mean I checked all those things and I queued myself up and it said, once we get your data assembled, we'll send you a link in your registered email and then you click on that in order to get it. And I just thought, screw it, I don't care, get me out of here. So, you know, I just, I deleted my, my, all my data and my account before I had a chance to receive any of that. So, so you can, they, they, they will send you all your reports. You're able to download your raw genetic data in its entirety. You know, your entire, you know, DNA readout. And so you could wait for that and then delete your data. But I just figured, you know, if I need to spit in a tube somewhere else, I'll do that.
Leo Laporte
I actually have done it elsewhere. One of the things, one of the issues with 23andMe is it doesn't actually do a full genome. It does a weird, like, statistical analysis of a small part of your genome. I had the father of modern genomics on Triangulation a couple years ago, George Church, and he has his own company, Nebula Genomics. It's more expensive than 23andMe, but it's the full genome and you can download it, it's gigabytes of data and then send it off to. There are many companies now springing up saying, oh, we'll analyze. If you have your genome, we can analyze it for, you know, certain diseases.
Steve Gibson
My sense is this is only going to get better with time.
Leo Laporte
Exactly.
Steve Gibson
And you know, and I'm carrying my genome around with me. I'm not in any danger of losing it.
Leo Laporte
So I'm trying to remember if Nebula did. I think it did spit as well. Some do a cheek swab, but this did spit as well. And it was, it took a while, but it was, it's a very. And it was like a thousand bucks. It wasn't cheap. But it is the complete genome which is, you know, still not that useful. But maybe someday, I don't know, I guess I'll.
Steve Gibson
23andMe. I know there are people that are big on it. I think that it tells you something about some various propensities that you might have. But you know, I've got some long.
Leo Laporte
Lost third cousins, things like that.
Steve Gibson
Actually I had one of my high school buddies who I mentioned, I'm still in touch with, he knew that he was adopted, but it turns out that his birth parents were far more prolific than he ever knew. And he's found a huge extended family. Oh, that's cool. I mean he's reconnected with them all and he visits them and I mean it's transformed his life that he was able to find all of these other siblings that he never knew he had.
Leo Laporte
The same thing happened to Jennifer and I think it was through 23andMe she met a long lost cousin, explained that they shared a grandparent and they just had a family reunion for Thanksgiving where he and his family came out because he was adopted, same story. And his long lost family and they all. I think that's wonderful. Right? That's an amazing thing.
Steve Gibson
Yeah. Paul connected it through AncestryDNA and that allowed him to link up with other people that he never did do something.
Leo Laporte
Yeah, yeah, yeah.
Steve Gibson
Very cool. Okay, so.
Leo Laporte
All right.
Steve Gibson
Finally, in some good news for cybersecurity professionals though, the White House administration has reportedly told federal agencies to please avoid firing any cyber guys.
Leo Laporte
We can't figure out if we need them or not.
Steve Gibson
And I think as of today, they probably think they need them more than they did yesterday. So that's good. Here's part of what Reuters wrote under their headline White House Instructs Agencies to Avoid Firing Cybersecurity Staff. They wrote, according to an email seen by Reuters, the White House is urging federal agencies to refrain from laying off their cybersecurity teams as they scramble to comply with a Thursday deadline to submit mass layoff plans to slash their budgets. Greg Barbaccia, the United States Federal Chief Information Officer, sent the message Wednesday in response to questions about whether cybersecurity employees' work is national security related and therefore exempt from layoffs. He wrote in the email to information technology employees across the federal government, which has not been previously reported. He said, quote, we believe cybersecurity is national security and we encourage department level chief information officers to consider this when reviewing their organizations, unquote, describing, quote, skilled cybersecurity professionals as playing, quote, a vital role in mission delivery and information assurance, unquote. He said, quote, we are confident federal agencies will be able to identify efficiencies across their non cyber mission areas without negatively affecting their agency's cyber posture, which I guess means fire any of the non cyber people you need to, but keep the cyber guys because we want to keep them. So, you know, as part of the downsizing that Trump and Musk have controversially been engaged in recently, CISA had more than 130 positions cut. We've talked so much about CISA more and more often for the past few years since they've objectively been doing an astonishingly good job, which is more than unusual for anything within the government bureaucracy. I certainly never expected CISA to amount to what it has. So I've been hoping that CISA would survive and remain as highly functional as they have been.
And to that end, there was some recent news that those jobs were being reinstated. So that's reassuring. We need CISA. They've really been implementing some terrific policies and creating, you know, needed requirements for the cybersecurity of federal agencies and setting policies that the CIOs are able to use when having, you know, that difficult conversation with the CFO about, you know, the money that they're going to need to keep their enterprises secure. So yay. Oh God, I love this one. I said the bit of news was AI project failure rates are on the rise. It was an interesting piece that I saw in Cybersecurity Dive, which caught my eye. It was a report that said that AI project failure rates were on the rise, which I thought was interesting. It suggests that just slapping a now even more better with AI label on anything and everything may not always produce a win. My guess though, about the reason for failure rates rising, is mostly the explosion in all of those labels having been hastily added. Still, it was interesting that according to a report from S&P Global Market Intelligence, based upon a survey of more than a thousand responding enterprises across North America and Europe, the share of businesses scrapping most of their AI initiatives increased to 42% this year, up from 17% last year. Again, I'm sure largely this is because so many more were trying. The average organization scrapped 46% of AI proof of concepts, just proof of concepts, before they even reached production. 46%. So you know, nearly half were like, let's try this. It's like, okay, that didn't work. Just forget about it. The surveyed enterprises cited cost, data privacy and security risks. Yay. As the top obstacles. I wonder whether they heard any news about that AI crypto chatbot. Anyway, at this point, AI adoption is predominantly being found within IT operations, followed by customer experience workflows.
You know, like your little AI thing that comes in the lower right corner and says need me to help you, need me help you. And also marketing processes. So it appears that the initial AI everywhere euphoria is quickly coming back down to earth and closer to reality. You know, I'm sure not letting any of it get anywhere near SpinRite, right? That's for sure. Speaking of which, in a piece of listener feedback, Ken wrote saying, hi Steve, Ken here, 65 years old, Canadian trucker for 40 years. He said, I just wanted to say thank you for your dedication and enthusiasm in the tech world and the beautiful things you've contributed to tech. I just bought SpinRite recently and it's a total game changer. I ran it on my current machine and it tuned up my SSDs like crazy. Amazing software. Thank you. I build computers and repair them and recently a buddy of mine dropped off an old Windows 7 machine that was in a closet for seven years. He wanted the old pictures from it. Of course I managed to get it to boot and got all his old pics and transferred them to a new rig I had ready to go. I ran SpinRite of course, and now that old beast runs like a champ. So thank you for your report, Ken. The best thing about SpinRite for me is, aside from it being the miracle that is largely provided for my life, is I get to hear about how much its use helps people. And really, nothing beats that. Tom wrote, hi Steve, now that uBlock Origin is no longer supported in Chrome, I'm going to start using Firefox. I've exported my bookmarks from Chrome to Firefox, but I'll likely be using both browsers, at least for the time being. Do you know of any browser extension that mirrors favorites between Chrome and Firefox? If I make a change to any bookmarks while I'm using Chrome, I'd like for those changes to sync to my Chrome. Wait, while I'm using Chrome. So he meant from Firefox to Chrome. Make a change in either browser. Like to have them sync over to the other. Thanks, Tom. So that's a terrific question.
I suppose for my part, I've become so accustomed to only using a single browser platform at a time and just assumed that each would have its own native and closed ecosystem that I never considered wanting or needing cross-platform synchronization. But spurred by Tom's question, I poked around and found a very nice looking third party cross-platform extension for both Chrome and Firefox as well as for Android. It's called xBrowserSync and it's www.xbrowsersync.org and boy, these guys sure are saying all the right things. Here's a little snippet from their site that says xBrowserSync, as in Cross Browser Sync, is a free and open source. So there it is. Open source alternative to browser syncing tools offered by companies like Google, Firefox, Opera and others. The project was born out of a concern for the over reliance on services provided by big tech who collect as much personal data as they can and have demonstrated that they do not respect their users' privacy. Now, with the proliferation of open source code and projects, it's easier than ever to create tools and services that allow users to take back control of their data. Cross Browser Sync respects your privacy and gives you complete anonymity. No signup is required and no personal data is ever collected. To start syncing, simply download Cross Browser Sync for your desktop browser or mobile platform, enter any encryption password and click Create New Sync. You'll receive an anonymous sync ID which identifies your data and can be used to access your data on other browsers and devices. Cross Browser Sync does not only sync, but also enhances your productivity by enriching your data. Browser bookmarks with the addition of descriptions and tags and an intuitive search interface enables you to find, modify, and share bookmarks quickly and easily. Cross Browser Sync even adds descriptions and tags to new bookmarks for you automatically.
And you don't ever worry about losing your data thanks to the included backup and restore functionality. The Cross Browser Sync desktop browser web extension syncs your browser data between desktop browsers. It works with the browser's native bookmarking features, so you can keep using the native tools whilst always staying in sync. If you like to organize your bookmarks into folders, don't worry, Cross Browser Sync respects your bookmark hierarchy and syncs it across your browsers. So wow, that sure sounds like exactly what Tom is looking for. And it's from folks who clearly share the spirit and philosophy we'd like them to have. After reading Tom's note and running across that Cross Browser Sync extension, I sent this all back to Tom. Not long after that, he replied, thanks Steve, I will look into this a bit more, but when I clicked to download for Chrome, I'm taken to the Chrome Web Store, which shows this extension is no longer available because it does not follow best practices for Chrome extensions. Thanks Tom, he said. Okay, so that sure sounds like the Chrome folks don't like the whole idea of cross-platform browser synchronization. On the other hand, I tried it and it worked for me. And as I said, I sent these notes out in the late afternoon yesterday and I've already had feedback from a bunch of our listeners who are using it and it is working for them. So I don't know what Tom hit. Maybe it was a temporary snag. I can't explain it, but for what it's worth, I've already had feedback from our listeners who have said this thing is great and it works. So Tom, I hope you can get it working. Maybe just try again. Maybe there was something stored in a cache or who knows what that caused some trouble. And Leo, we're at an hour and a half in. I've got a couple more bits of feedback before we get to our main topic, so let's take a break.
Leo Laporte
Absolutely. It's not going to be a long break. It's just enough for me to say thank you Steve, for doing what you do. And thank you to our Club Twit members for doing what you do. Because it's your donations, contributions, subscriptions, that's probably the right word, that make all the difference in our bottom line. If you're not yet a Club Twit member, I'd like you to consider it. Seven bucks a month. It's very affordable. You get ad free versions of all the shows. You wouldn't even be hearing this if you're a Club Twit member. No begging allowed. You also get special events. We've got Chris Marquardt's photo show coming up. We're gonna have another wonderful evening of cozy quilting or whatever it is Micah does in his crafting corner. Stacy's book club is ahead. We even have a coffee show scheduled with Mark Prince, the coffee geek. That's all coming up in the next month. All for club members. There's also the Discord, which is a great place to hang, not just when the shows are on the air, but 24/7. That's one of the fun things about Club Twit is it's not just about Twit programming. It's about really a great community of people who share an interest in technology and have a lot of fun talking about it, answering questions as much as anything else. So if you're not yet a member of the club, can I invite you to join? 7 bucks a month, fabulous benefits. Most importantly, it helps us keep Steve and all the others on the air, keep doing what we're doing. We started Club Twit two years ago when we had a big downfall in ad revenue due to Covid and a variety of other things that got even more scary towards the end of last year. I'm very happy to report that the advertisers have come back. I think they realize the value of advertising on our shows, but they still don't subsidize the entire effort. They get us about 90, 95% of the way there. It's the club that makes up the difference and it gives us the opportunity to do more interesting things.
If you're not yet a member, please consider going to twit.tv/clubtwit. Seven bucks a month. Join the club. It's a lot of fun and we love having you. It's a vote, in effect, for us to keep doing what we're doing, what we love to do. twit.tv/clubtwit. And thanks in advance. All right, back to you, Steve. On we go.
Steve Gibson
Someone whose handle is back Ghost said, I found your comments on the state of vendor support for old and outdated hardware intriguing and wanted to add more insight into what is a very complex issue, as I work for a service provider that is also a manufacturer of networking gear and often see both sides of the issue. So this is somebody, you know, on that side. On the industry side, he wrote, hardware manufacturers deal with the same software and hardware end of life, end of service, EOL/EOS, he abbreviated, issues as customers, just at a micro level. Every ASIC, CPU, IC has a lifetime and its own software with a lifetime. When vendors have to support more products from a software and hardware standpoint, it costs the vendor more. The vendor can and often does charge more for this support of old gear, but at some point the cost of support will outweigh the cost that could be charged to a shrinking set of customers. Vendors will often discount or offer trade ins for old gear to encourage customers to upgrade to new gear. Luckily, the vendors, while the big iron guys will give advanced notices of EOL/EOS and have the sales team always eager to engage the customer on new sales opportunities. As service providers, we struggle with the never ending notices of end of life, end of service of gear and will often have to fight for capital to do upgrades or replacements. These efforts will be taken on based on business objectives, risk, etc. and leads to the never ending dance between the CTO, CFO, sales and product development. He said, the service provider side: hardware manufacturers will always EOL equipment and often give notice well in advance. Larger companies that sell big iron will give notice years out. For example, Juniper, off the top of my head, provides three years for hardware support and one to two years on software support after the hardware is no longer supported for replacement support.
So there's normally plenty of time for planning for obsolescence and replacement. Of course, these replacement plans are driven by business goals, which leads to point 2, the CIO CFO battles, which of course is, this is what he's talking about, what I talked about last week when I made up that dialogue between the CIO and the CFO, you know, and their competing priorities. The CIO CFO battles are the norm and this battle is complex at best. Do we update now, later, never? Do we roll the dice? Are we doing a new build somewhere else that has our focus? These are endless, just to say it's complex. The other side of this equation is the hardware manufacturer side and this is what drove me to send this feedback. On the hardware support side, we've got discrete components, ICs, chips, et cetera, can no longer be sourced. Discrete component replacement causes board redesign and the cost of redesign is too high. Discrete component software support is end of life due to the manufacturer end of life of the IC. The IC, you know, integrated circuit, library is no longer supported due to end of life on the software support. The new replacement product is just cheaper, better, faster. Why keep the old one around given its installed base? He says this is too complex, often political. You don't want to upset a long time big customer with a hardware upgrade, whatever. And on the software support side, for example, see the issue with hardware support ICs as this is part of the software chain. OS and supported software no longer supported by the vendors. New or upgraded replacement hardware uses different software for various reasons and thus is not compatible with the old hardware. This causes a complete new software support development and test chain. The cost of support is higher than the customer can sustain and can drive the customer to find other solutions. Like the hardware side, this is complex and often political.
Software licensing has a lifetime limited in volume, developer seats, et cetera, that forces an EOL action. Yeah, so obviously lots of things to consider. I thought this person's comments were worth sharing. For one thing, I would never expect ongoing hardware support for any device beyond the manufacturer's original commitment. If it might be available, okay, fine. You know, things like power supplies can often be somewhat generic and might be easily replaceable. But I get it that, like, if a circuit board dies and the components are no longer available, then the thing died. But if, you know, for example, a port dies on an expensive router or on a switch that is out of warranty, then the calculus from my perspective is entirely different. And the conversation with the CFO is then very different. It's the mission critical device just died, we're currently limping along and we need it replaced ASAP. You know, that's not the conversation that I hypothesized last week. I do really understand that maintaining old software has a decidedly non zero cost. But you know, the point I was making last week was that it felt like revenue was being left on the table. The manufacturer hopes that, you know, the vendor of the equipment hopes that a lack of ongoing support will force their customers to move to newer equipment because the vendor understands the security risk of not having security updates to old hardware. That's where the gap is. The customer doesn't quite understand the security implications, so their trade off is different. The reality is most of those devices will remain out of warranty and out of support and will suffer the potential consequences from the security side. But great conversation and dialogue and one that CIOs and CFOs should be having.
Dan Linder said, hi Steve, in Security Now episode 1017 you made a comment about a Juniper router being unsupported and vulnerable, and then a hypothetical conversation between a CIO and CFO about replacing that otherwise working hardware just because it was out of support. I too have some experience with U.S. Department of Defense rules, and one thing I haven't heard you discuss on the show are the STIG documents. S-T-I-G stands for Security Technical Implementation Guide, and of course you haven't heard me talk about them because I've never been in government and hope to never be. I'm sure at this point there's no danger of that happening. He said the STIG document is a series of checks or controls and actions to take on a specific system that can harden it to some degree to mitigate threats to its overall security. Okay, that sounds great. Each control is given a Category 1, 2 or 3 rating, with Cat 1 being the most important controls to implement. Within each control there are some check text steps and corresponding fix text steps, which is why I'm glad I'm not in the government, which list a simple command or action to take to validate that the control is in place and if not, what can be done to enable it. Okay, now in all seriousness, that sounds great because it's a check. It's, you know, it's a checklist. It's like these things you have to do and this is how you do them and this is how you check that they're done. He said, while the STIGs give a specific fix text to implement, most security organizations that review the application of these STIG controls allow for additional external controls that will mitigate a specific problem if it can't be addressed with the fix text suggested. For instance, if an insecure system is being used, but is only used in an air gapped environment only accessible by a small number of people already vetted and trusted, they might well be willing to overlook a Cat 1 finding. In all the STIGs I have worked with.
And Dan, I'm glad you've maintained your sanity. They all have a security question which requires confirmation that the system being secured can still receive updates from the manufacturer. If the company in your example was applying and enforcing the STIGs as written, then the CIO has quite a bit of leverage to go back to the CFO to get this system replaced. Yay. And that's why I want CISA to stay whole and functioning. He said, I hope you can find time in a future episode to give a brief talk about the STIG documentation. No Dan, don't hold your breath. And some of the potential. Please don't make me do that. For securing anyone's environment, regardless of government affiliation.
Leo Laporte
Whew.
Steve Gibson
Well, Dan, I'm glad you're there. And I'm glad you're following the STIGs to the letter.
Leo Laporte
Maybe that's why they use Signal, because they just couldn't bear to read the STIG. Wow.
Steve Gibson
And get in a skiff and then row, row, row your boat down whatever it is they do in the skiff.
Leo Laporte
Oh, my.
Steve Gibson
Yeah.
Leo Laporte
Okay, security now continues on. It is time to examine the quantum threat.
Steve Gibson
I think people are going to be surprised and interested by this. I really liked what HP had to share. We love showing up for this podcast every week, which, after all, Leo, we've been doing for nearly 20 years. And as much as I would dearly love to be, I doubt we'll still be here the day a quantum computer first cracks actual working strength public key encryption.
Leo Laporte
Oh, I was hoping it would open my wallet for me, but I guess if I'm dead, it doesn't really matter. Boy, I'll leave it to myself.
Steve Gibson
Actually, I don't know if your password is protected by public key. It's probably private key. It's probably just a password. Just a password that generates a symmetric key, in which case you're still gonna be locked up tight, even. Thanks, dad.
Leo Laporte
You left me something completely useless.
Steve Gibson
But you could give the wallet to Hank and, you know, in his lifetime. That's right. Although he's doing so well without salt, by the way. We, you know, we use the crap out of that stuff. Oh, my God. It is our. It is our go to present for our friends. We bought 20 bottles of the. Oh, what was it? It was the. The flaky.
Leo Laporte
The flaky essential. Oh, you bought the garlic truffle. Really good on popcorn and stuff.
Steve Gibson
Oh. Or a little bit on. On some filet. It makes a really nice, excellent steak. Yeah, yeah, yeah, we use it on steak.
Leo Laporte
You know, he's opening in the next few months a sandwich store in New York City. We should make Hank. Yeah, it'll be Salt Hank. It's on Bleecker Street next to John's, Salt Hank's sandwich store.
Steve Gibson
Wow.
Leo Laporte
Go get a delicious sandwich there.
Steve Gibson
Good for him.
Leo Laporte
He'll probably be selling the salt. And now he does pickles, too, by the way. Well, I only mentioned that because I am an investor in the pickle business.
Steve Gibson
Well, this was an unsolicited commercial, and I. It's the truth. We use the truffle garlic salt. It's like our. We got 20 bottles. He was sold out for a long time.
Leo Laporte
Yeah, yeah.
Steve Gibson
And. And then I did the same.
Leo Laporte
It's funny that you did that the same thing. I bought a case. Yeah.
Steve Gibson
Yeah.
Leo Laporte
He. One last thing, though. To his credit, he made it on his own. He never used my last name. Nobody knew who he was. He didn't go. He didn't, you know, somehow ride my coattails. He did this all on his own. I'm very proud of him.
Steve Gibson
I've seen his TikTok stuff. It's astonishing.
Leo Laporte
It's good, isn't it?
Steve Gibson
He's got the gift. Yeah, yeah, yeah. He's got it. Anyway, through the years of this podcast, we've all become students of the history of computer security. And one lesson we've all learned together is just how very, very long it's going to take to wash all of the old pre quantum crypto out of our existing systems. Everything we have now is pre quantum crypto. We know that there are a couple messaging systems that are mixing pre and post. That's good. That all leads to the simple and incontrovertible conclusion that there's no time like the present to begin. Last Tuesday, Hewlett Packard's Threat Research group posted a terrific piece called "From False Alarms to Real Threats: Protecting Cryptography Against Quantum." That's what I want to share today. In their opening, they make some great points that are well worth appreciating. They wrote, quantum computers could break asymmetric cryptography, which would be catastrophic for society's digital infrastructure. I mean, and that's. Truer words have never been written. Quantum computers powerful enough to break cryptography do not exist today, but the threat of one being created steadily advanced in 2024. So they're talking about last year, of course. With multiple quantum computing technologies overcoming development obstacles, the security community is now more sure than ever that sufficiently powerful quantum computers will come. Some think it could be 10 years, but with the speed of recent innovation, an unexpected breakthrough could accelerate that. This has created a significant security risk because we rely on protections for a long time and need them in place before threats arise. Since we last wrote on this topic a year ago, authorities around the world have increased efforts to urge organizations to start migrating systems to quantum resistant cryptography. Critical industries are especially advised to mitigate these quantum risks, given they are high profile targets.
Particular priorities for migration include sensitive data vulnerable to capture and decrypt attacks, and protections rooted in hardware. That's a key: protections rooted in hardware. Without upgraded protections at the hardware and firmware foundation, quantum attackers can compromise devices even if the software running on the hardware is quantum resistant. 2024 also saw several false alarms of quantum breaks to cryptography. We expect that, that is, false alarms, to become a trend as innovation in quantum computing progresses. What we have seen is that such false alarms will elicit panic in some, but only complacency from others. But they also proved useful in raising the conversation about readiness and an understanding of the consequences of a real alarm. In short, we must stay vigilant and prepare for the real threat. Over the last year we at HP also made progress to protect customers from the threat of cryptography being broken by quantum computers. Last year we announced the world's first business PCs to protect firmware integrity against quantum computer attacks. Today, we are announcing the world's first printers to provide firmware integrity against quantum computer attacks. These security innovations demonstrate our dedication to safeguarding our customers against future threats. They then quoted Boris Balacheff, the head of the HP Security Lab, an HP Fellow and Chief Technologist for Security Research and Innovation. Boris said, quote, as innovation progresses toward more powerful quantum computers, it is urgent to prepare for the threats this represents to the asymmetric cryptography we depend on in our daily digital lives. This starts with migrating systems that cannot be updated easily once deployed. After the introduction of quantum resistant firmware integrity protection in PCs last year, today we are announcing the launch of printers with similar capability to protect against future quantum computing threats.
We continue with our commitment to lead the way with endpoint security innovation and keep our customers safe into the future. Now, this is not something we focused upon or talked about previously, and of course they're correct. As we know, all of the secure booting technology we have today is based upon the motherboard's firmware being able to verify the digital signatures of the software that the motherboard's UEFI firmware first loads. And all of that secure boot technology is currently pre quantum. It's embedded into the hardware with technologies such as the TPM, the Trusted Platform Module, that dates from 2003. Listening to what HP has to say here really serves, I think, to put a much finer point on this looming issue. I've edited the piece which follows to remove HP's non-technical self-promotion, there was a lot of it in here, and for its length, because it went on longer than it needed to. But there's a great deal of information here still. I want to share it. They wrote, in the past 12 months the cryptography and security community has experienced heightening concern over the progress of quantum computing. The last year has been marked by key developments in quantum computing technology, as well as multiple instances of false alarms over potential quantum breakthroughs that put cryptography at risk. Although these alarms were ultimately disproven, when considered alongside genuine advancements in quantum computing, they highlighted the fragility of society's digital infrastructure. A sufficiently powerful quantum computer could break much of the cryptography relied upon globally. Given how fundamental cryptography is to security everywhere, a quantum computing breakthrough before the world is ready would jeopardize security. It could allow attackers to run riot across our digital infrastructure, giving them freedom to access network services, take over devices, steal blockchain assets, decrypt sensitive data, and more.
In reaction to these advances, there has been an increased sense of urgency to fortify cryptography, driven by technical authorities and experts. This urgency has led to accelerated timelines and new policies to address the looming quantum threat. Against this backdrop, the security community has intensified its preparations. Academia, standards bodies, governments and industry are collaborating and making concerted efforts to migrate technologies to being quantum resistant. In this blog post we discuss two false alarms that percolated through the community over the last year and what we learned from them. We explore the current state of the quantum computing threat to cryptography and how the community is preparing a response. The first alarm took place in April of 2024 during the NIST 5th PQC Post Quantum Computing Standardization Conference, which had convened to discuss cryptography designed to withstand quantum computer attacks. The trigger for the alarm was an academic paper, newly published and not yet reviewed or corroborated, describing a new quantum computer attack that could have been effective at breaking the new post quantum cryptography the technical community had been working on for almost a decade. This cryptography was meant to become a global standard to protect digital infrastructure should quantum computers break traditional asymmetric cryptography like RSA and most elliptic curve cryptography. A claim, so they said, a claim it was broken was shocking and would leave the quantum resistant migration in disarray if confirmed true. Speculation about the paper entitled "Quantum Algorithm for Solving Lattice Based Cryptosystems" lit up our technical social media networks. One of our team was at the conference. While the talks continued and the audience listened attentively, attendees gradually started to form small huddles trying to make sense of the publication. Remarkably, no one was sure the paper was incorrect.
Most hoped it probably was incorrect, but at face value it was convincing, presenting a credible nine-step algorithm that put quantum resistant lattice based cryptography in a very precarious position. For eight days there was furious analysis among cryptographers and quantum computation experts. With very few people claiming to be experts in both fields, many researchers wrestled with analysis beyond their areas of expertise. A Discord community sprang up, crowdsourcing a comprehensive analysis and triage of the paper's claims. This intense assessment phase ended when two researchers found an inconsistency in the final step of the nine-step algorithm. The paper's author engaged with this critique and confirmed the final step had an irreconcilable error, and thus the community breathed again. But for an entire week, the community responsible for developing the cryptography that will protect much of our digital lives into the future had seriously considered the possibility that they had got it wrong. Because this was so technical and didn't impact the cryptography we currently use, the news didn't make the broader security community panic, and the doubt didn't last long enough within the cryptography technical community to gain momentum and spread. And of course, our podcast listeners may recall that we did touch on the fact of this having happened at the time. We will keep you in the loop. HP continues: The second moment of 2024, when the broader security community thought that cryptography was broken, was also triggered by an academic paper. The paper, quote, "Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage," unquote, was published in May of 2024 in the Chinese Journal of Computing. This false alarm caused more widespread uncertainty and panic within the technical community and beyond, with several reports stating incorrectly that some researchers were able to break RSA encryption using a D-Wave Advantage quantum computer.
And again, that news made it into this podcast because it would be difficult to overstate just what havoc would ensue if that were to be true. HP wrote, with a general audience unable to assess the original paper (only the abstract was published in English), the reports generated real anxiety. However, there was little credibility in the claim that RSA had been broken. An expert consensus rapidly emerged. With a bit of scrutiny, it was established that the researchers had only broken a very small scale, simplified RSA, and their solution did not scale to the kind of numbers used for security and was therefore not a credible threat. Again, after a week or so, concerns about pre quantum cryptography having been broken were largely quelled. However, for several months afterwards, incorrect reports still appeared, sparking fresh waves of concern among those who had missed the initial reporting. One benefit of these events is that they test the security community's preparedness for the sudden removal of some fundamental underlying cryptographic primitive. From that perspective, these alarms have been like the safety briefing before an airplane flight, forcing the community to grapple with what to do in the worst case scenario. If the event were real, are we ready? What preparations should be in place? And are they? The fact that a broad audience was alarmed tells us that there is a growing understanding of the critical impact of the quantum threat and that action will increasingly be called for. The successful resolution of these incidents underscores the importance of a measured and collaborative approach to evaluating cryptographic research, for the community has shown it can be relied upon to robustly evaluate these complicated ideas. Unfortunately, analyzing such academic papers is inherently complex, requiring expertise that is rarefied and spans multiple fields: cryptography, mathematics, quantum algorithms, quantum computer engineering and physics.
So we should anticipate regular moments of doubt in the security of our cryptography and have the patience to wait for assessment before panic induced reactions. One day there could be surprise news or even a significant rumor of a real breakthrough. Rather than panic, we should instead ensure we're prepared and have put in place quantum resistant protections, starting with our priorities. This said, there's also concern that too many false alarms related to quantum computing breakthroughs could eventually lead to a false complacency and inaction. This might cause people to believe the quantum threat is not yet a serious concern when it is. If too many incidents lead to unwarranted panic, a genuine threat might be ignored as just another false alarm when it finally does arrive. So what becomes clear is that where we need to be, and as soon as is practical, is at a point where we're no longer reliant upon classical pre quantum crypto, so that the eventual announcement of a true breakthrough is just met with a yawn and a shrug. So where exactly are we today? What is the current true level of alarm we should be feeling? HP addresses that, and we will address it after this final break.
Leo Laporte
Well, fascinating. And I take it, well, I don't.
Steve Gibson
Know, cause for concern, cause for real caution. Yeah, I think when I'm done here, after this next piece, our, our listeners will understand that as soon as post quantum stuff, post quantum solutions are made available, they really should switch. For example, there, there will be. You know, here we were talking about obsoleted Juniper routers. Well, they're all pre quantum. So when Juniper offers post quantum protected router technology, you don't want to wait until. You know, let's hope there's enough time between the availability of post quantum safety and that breakthrough that the natural life cycle of router death will have taken all of the pre quantum technology out of service. But we know, Leo, there's some dusty back cabinets and some back rooms that have stuff running. There's still a wind-up key on some of these things.
Leo Laporte
Well, we'll talk about preparing for, I guess, the inevitable future in just a bit. You're watching Security Now. Steve Gibson, Leo Laporte. We do this show every Tuesday. We're glad you're here watching. A reminder: you can watch live if you tune in. You know it's right after MacBreak Weekly, and that time varies, roughly 1:30pm Pacific, 4:30 Eastern, 20:30 UTC. The live streams are, well, there's eight of them. Discord for the club members. There's YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. Watch wherever you like. But of course the best thing to do is download a copy of the show. You can get it from Steve's site. I'll tell you more about that in a bit. Our site, of course, or subscribe, and that way you'll get the audio or the video the minute it's available. I'll have more information about that in a second. But now let's get back to security.
Steve Gibson
Now, Steve, okay, HP said, with so many possible quantum breakthroughs to be assessed and uncertainty about what is credible, it can be difficult to understand the landscape of quantum computing and separate fact from fiction. Let's take a closer look at the reality. To gauge the true alarm level, we should examine the progress of quantum computing technology. Over the past year, there has been impressive advancement in several technologies, with multiple promising pathways emerging. Even if some fail, others may succeed. And of course, remember, we only need one to succeed to be in trouble. They said, compared to a year ago, large scale quantum computing now seems more likely. We look to experts to qualify this likelihood. The Global Risk Institute's 2024 report highlights a significant chance of a quantum threat emerging by 2034, posing an intolerable risk from a cybersecurity perspective, unquote. So a significant chance of a quantum threat emerging in 10 years, posing an intolerable risk from a cybersecurity perspective. Okay, so how significant? Nearly 1/3 of the 32 experts surveyed estimate a 50% or greater chance of quantum computers breaking cryptography by 2034. Okay, 1/3 of 32 experts. So 10 of the 32 experts estimate a 50% or greater chance of quantum computers breaking cryptography by 2034, with an average estimate of 27%. So the experts on average think there's a 27% chance of crypto being broken in 10 years, they said, the highest in the six annual surveys conducted so far. So they've been polling every year. To summarize recent changes, the report states, quote, the progress in the last year has led many people both within and outside the quantum research community to realize that the quantum threat may be closer than they thought. The German Information Security Authority, BSI, recently updated their comprehensive assessment of quantum computer technologies.
The report concludes that due to major roadblocks being resolved, quantum computers are likely to break cryptography within at most 16 years, but recognizes that new developments could lead to a breakthrough as soon as a decade. Progress has been made not only in various quantum computing candidate technologies, but also in aspects like scalability, interconnectivity and operating software. Stability is a major challenge for current quantum technologies, as they do not hold their state for long before deteriorating. Reducing noise and using effective error correction, where more errors are corrected than introduced, is crucial for long term stability. Demonstrating this effectiveness is a milestone that has been achieved by four technologies: superconducting transmons, ion traps, neutral atoms and color centers. Of course, sizes of systems have increased as production processes mature, with Google announcing their 105-qubit Willow, IBM introducing the 156-qubit Heron along with a roadmap for processor scaling, and Microsoft and Quantinuum upgrading the H2 trapped ion processor to 56 qubits. The stability and size of the relatively new neutral atom technology, whose key elements were only demonstrated as recently as 2022, has shown a massive improvement with potential for acceleration. The QuEra startup that came out of this research has just this February been backed with a $230 million investment, providing an indication of the high interest in this research. A very recent note: a new technology with greater natural stability, the topological qubit, has been demonstrated for the first time as a proof of concept by Microsoft, who claim the technology offers a clear path to fit a million qubits on a single chip, which would be needed for scaling. Advances in interconnected quantum states between different chips are starting to show promise for enabling the distributed quantum computation needed for large scale quantum computers.
Additionally, an ecosystem of organizations are developing the necessary developer tools and software stack for operating quantum computers and creating quantum programs. This stack, like the classical computation stack, ranges from physical machine instructions to higher level programming languages, allowing specialists to effectively use their expertise and enhance progress. Given all these advancements, Scott Aaronson, a quantum computing expert, recently said he believes that, quote, the race to build a scalable fault tolerant quantum computer is actually underway. His position on the urgency of addressing the quantum threat to cryptography has shifted from "maybe" to "unequivocally worry about this now, have a plan." In summary, in just the past year, breakthroughs in quantum computing have strengthened the consensus that quantum computers capable of breaking today's cryptography may become feasible soon. It may only take a surprise acceleration from one of the promising technologies to break cryptography in less than a decade. Therefore, it's crucial to assess our preparedness and take action to ensure we're fully ready. And then HP notes, almost needlessly, under "Migrating quantum vulnerable cryptography is on a whole new level compared to patching a zero day vulnerability." Although I'm sure our listeners are aware that we're talking about a sea change that requires us to scrap everything we've built, it's worth hearing HP out on this. They write, it's tempting to think the problem of fixing... of course, they're writing for a different audience than ours. It's tempting to write the problem of fixing quantum vulnerable cryptography is like patching a zero day vulnerability in code. However, this analogy under-represents the scope of the quantum threat. A zero day vulnerability is an error in a specific sequence of computer instructions in a specific program or library, which can typically be identified and then patched.
Even if the error occurs in a pervasively common library, such as the Log4j vulnerability, it is still fixable by developing a patch. Unlike a zero day, the quantum threat does not apply to a specific sequence of computer instructions, but instead applies to all implementations of vulnerable asymmetric cryptography. These implementations vary widely, potentially manifesting in millions of different code sequences. When quantum computers become viable, each of these will need replacement individually by upgrading the cryptographic algorithms and keys used, requiring a global effort and collaboration by security practitioners, business leaders, and cryptographic experts. And you know, the more I think about it, the more I'm glad that this podcast will probably not be around to see this disaster before it's worse than Y2K.
Leo Laporte
That's.
Steve Gibson
Oh, Leo. Oh, every light switch and router and webcam and, and toaster and microwave oven. I mean, we're IoT-ing everything. And it's all bad because none of this stuff. This is all, you know, $5.
Leo Laporte
You forget how widespread this would be. I mean, this is.
Steve Gibson
It's everything.
Leo Laporte
Yeah. Yeah, it's.
Steve Gibson
It's everything.
Leo Laporte
Yeah.
Steve Gibson
Given, you know, the reluctance to change that we've witnessed throughout the past 20 years, what chance is there that we're going to be the least bit prepared for this? We're talking about replacing everything and doing it even while it's not obviously necessary, that it needs to be done at all. That's the problem is that it's working great. What's the problem here?
Leo Laporte
Unlike Y2K or 2038, we don't know when this is going to be.
Steve Gibson
Right. Exactly. It is not an approaching deadline. We had a. We knew when the elevators were going to stop running on Y2K.
Leo Laporte
Wow.
Steve Gibson
Yeah.
Leo Laporte
You know, I didn't realize. I hadn't really thought about how widespread this issue would be. I thought, oh, it's just encryption, it's not a big deal.
Steve Gibson
And remember that security is only as strong as the weakest link.
Leo Laporte
Yeah.
Steve Gibson
You know, who's not going to have some old webcam, light switch, thermostat router lying around that continues relying on pre quantum crypto? And that's the bad guy's way in.
Leo Laporte
Right?
Steve Gibson
HP wrote. Go ahead.
Leo Laporte
Go ahead. No, you go ahead. I want to hear more.
Steve Gibson
Okay. HP wrote, this process of patching has already started as part of the migration to quantum resistant cryptography that the security community is currently undertaking. But how should organizations be responding? Across government, industry, academia and standards bodies, mechanisms to protect against quantum attacks are being put into place with some urgency. Our advice is to start by inventorying what would be vulnerable to quantum attackers and what wouldn't be, then prioritize what needs migrating and protecting first. The most urgent priorities for most organizations include protecting data with long term confidentiality requirements. That's right, everything backed up and stored in the cloud is vulnerable. Protecting long lived systems by upgrading cryptography in hardware, because all of their hardware is vulnerable. Today, the cost of upgrading hardware is expected to be significant. In July of 2024, the U.S. Office of the National Cyber Director published a report estimating the total cost of quantum resistant cryptography migration for prioritized US government systems, this is only the US government, between 2025 and 2035 at somewhere around $7.1 billion in their calculation. They specifically call out that migrating the cryptography hardwired into hardware or firmware would constitute a significant portion of that overall cost. Government authorities are uniquely positioned with expert insights and the responsibility to protect national assets. Understanding their strategy and policies for critical systems and infrastructure should help any organization plan for migration with appropriate urgency. Let's hope that we have a vital and functioning CISA to keep this on the forefront of everyone's mind. HP continues, saying, let's start with the US, who have a comprehensive plan and set of actions in place. In 2022, U.S. authorities established a tempo for migration.
This has led to all federal agencies planning, taking inventories and reporting on progress annually. A timetable to migrate National Security Systems was also established, with all new acquisitions, get this, with all new acquisitions from 2027 needing to be quantum resistant and all non-migrated products to have been phased out by the end of 2030. So just five years hence. That's great. They said, migration of firmware signing is prioritized as even more urgent, with migration of firmware roots of trust, the firmware integrity protections in the hardware, expected to be implemented for some long lived signatures this year in 2025. Since 2022, authorities have put in place guidance, including a guide published by CISA, NSA and NIST, and organized outreach to help engage and ready the industry. Most recently, the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity of 16 January this year, 2025, further emphasized the urgency to migrate. It specified that when procuring products, federal agencies must require quantum resistant cryptography when it is widely available in a product category and require quantum resistant protection in networks as soon as practical. Now that's cool, because that means it becomes a competitive advantage and requirement. As soon as any is available in a category, that's the one that must be purchased, which means one early mover forces the movement of all of their competitors. HP said, alongside this, NIST recently released its draft plan to deprecate classical asymmetric cryptography. Deprecate classical asymmetric cryptography, RSA and relevant ECC, from the end of 2023, I'm sorry, from the end of 2030. The plan to deprecate asymmetric crypto, RSA and ECC, from the end of 2035 years, and entirely disallow it for security purposes after 2035. Assuming this plan is confirmed.
This will be highly influential in establishing migration urgency because it means there is an end date within the lifetime of many current systems, maybe even this podcast. Even during 2031-2035, data owners will only be able to use quantum vulnerable cryptography by exception, where they evaluate and accept the risk. Beyond the US, the Australian Cyber Security Centre, ACSC, is also setting up an urgent timeline for migration. The ACSC recently updated its cryptography guidelines for government and industry to disallow quantum vulnerable cryptography after 2035 years, disallow its use. In Europe, the security authorities of the UK, France, Germany, the Netherlands, Sweden, Norway and Switzerland all urge preparation and are giving increasingly comprehensive guidance on how to migrate and prioritize. In April of last year, 2024, the EU recommended establishing a strategy to migrate public services and critical infrastructures as soon as possible. Building on this, in November of last year, 2024, 18 EU member states issued a joint statement urging nations to make the transition to quantum resistant cryptography a top priority. However, we want to be able to see your texts. And protect the most sensitive data as soon as possible, latest by the end of 2030. Again, five years. The last 12 months have seen an intensification of the calls to migrate by national authorities. This underlines the need to act: assess cryptography dependencies, plan and prioritize for migration, and start to migrate priority assets. The heightening of the quantum threat to cryptography and the intensification of national calls to action during the last year have fortunately been met with significant progress in the range and availability of migration solutions. New quantum resistant cryptographic algorithms were released as NIST standards last year, to the celebration of government, academia and industry, following a collaborative selection process spanning nearly a decade.
These new algorithms offer quantum resistance suitable for general use in protocols and applications. They also complement existing standardized quantum resistant hash based signatures suitable for special purposes such as code signing. With this suite of standards, it has now become possible for industry to migrate. In many scenarios, standards capture community consensus and security best practice while enabling interoperability between different elements across a system. As such, standards are a crucial part of industry migration to quantum resistance. From standards that define new cryptographic algorithms through to protocols that use these algorithms and applications that adopt them, the community is carefully and steadily integrating quantum resistance into the technology stack and making resistance available to customers in products. This is why collaborating with other vendors and participating in standardization efforts is essential. Notably, HP is engaged in NIST's National Cybersecurity Center of Excellence Migration to Post Quantum Cryptography project. This NCCoE project was convened to bring industry and end user organizations together to help solve the practicalities of quantum resistance adoption and transition. To stay ahead of the quantum threat to cryptography, we cannot afford to take a wait and see approach. At HP, our strategy is to prioritize quantum resistance from the hardware up and securely migrate from there. When prioritizing and planning what protections to migrate, it is crucial to consider the cost, effort and difficulty of engineering the change. Migrating hardware and the solutions baked into hardware often requires changes to physically engineered parts, which can be slow and needs a lot of forward planning, sometimes years ahead. So all that makes a lot of sense. We've seen, for example, in the case of HP's printers, how printers can become the home to advanced persistent threats.
You don't want your printers to get taken over by bad guys, so having them be proof against that is super important. So anyway, HP's excellent state of the art, or state of the race, overview was heavily resourced with links to back up everything they said. I've included a link to their full article in the show notes for anyone who wants to follow and get more background information. We really are in a time of significant change. Governments are tackling the tough problem of wanting to protect their citizens' privacy while not wishing to allow criminals to evade responsibility for their crimes by abusing absolute privacy. The move from the physical to the cyber world has parents and their guardians wishing to protect their children from online harms, which means there's no way of getting around knowing at least something about who's who on the Internet. And on top of all this, the fundamental technology that underlies any of our ability to do these things is strongly expected to collapse and be rendered completely useless once quantum computers, whose arrival now appears to be inevitable, are brought to bear. So we certainly are living through interesting times.
Leo Laporte
And I mean, is it so severe a problem that I should from now on only buy IoT devices that say NIST approved cryptography? Can I buy anything like that?
Steve Gibson
I don't think it's percolated down there yet. No, no. And it will be a selling point where at some point, you know, there will be a consumer seal that says, you know, PQC.
Leo Laporte
We got to, yeah, post quantum computing, we really got to get the word out. I'm really glad you, you brought this in and shared it with the class because it's, it's clearly an oncoming train.
Steve Gibson
It is a looming, yes, a looming problem. It went from academia like, oh look, lattice based crypto, you know, we got some new algorithms to replace what we have, you know, and it was like you, you and me joking about, okay, well they managed to factor four bits, so I guess we're safe for now. Times out was a few years ago and they've been working hard on this problem.
Leo Laporte
There are a number of technologies looming. Artificial superintelligence, fusion, quantum crypto, quantum computing, all of which would change the world drastically.
Steve Gibson
And it's kind of changing the world drastically. Yeah, right.
Leo Laporte
It's hard. Well, but none of those three.
Steve Gibson
I mean, AI is, AI is changing.
Leo Laporte
But ASI is not here yet. And it's also possible to say that it seems unlikely that we'll get any of those three: ASI, quantum computing or fusion. It's speculative and it's easy to say, well, it's not going to happen, so I'm not going to worry about it. But it's prudent to say, but what if it does happen? I still don't know. I mean, what do they. They gave it 100% probability in the next 50 years or something? Right? I mean, but we don't know. It could be 10 years, could be five years.
Steve Gibson
Could be a breakthrough. A breakthrough could happen.
Leo Laporte
Could be tomorrow.
Steve Gibson
Yes, could be tomorrow.
Leo Laporte
And I guess the thing to point out is that companies are spending lots of money to make this happen. Big companies are spending lots of money to make all three happen. Right. We had a guy on Intelligent Machines the other day who was very concerned about ASI. He said it's the equivalent of five or six Manhattan Projects. We're spending hundreds of billions of dollars to develop this thing without any regard to the consequences. We are living in interesting times. You're right, Steve. I'm glad we won't be around to report on it. Retirement's looking better and better. No, no, we need to. We have to stay here. You all, you know, you're here so that we can cover this stuff. We appreciate it.
Steve Gibson
We will be back here next week on April Fools' Day. I will not take advantage. I have never taken advantage of April Fools' Day. Nor have I. I don't think that's fair to our listeners. So. Yeah, yeah.
Leo Laporte
And I strongly encourage. The problem is that I'll read stories in the next week and I will not know, are these legit? I really have to dig deep to figure it out. I hate April Fools' Day. All right, Steve, have. Have a wonderful week. You can find this show on Steve's site. He has actually, every version of it he has is unique to Steve's site, GRC.com. He's got a 16 kilobit audio version. We don't make that. He's got a 64 kilobit audio version. We used to make that, but we don't make that anymore because we do 128 kilobit for complicated reasons. He also has really good human-written transcripts by Elaine Ferris. Those come out a few days after the show. Of course, she has to have time to transcribe our words here. And you have the show notes, which are the next best thing to a transcript. You can read along as Steve does the show. All of that's at GRC.com. While you're there, pick up a copy of SpinRite, the world's best mass storage performance enhancer, maintenance and recovery utility. If you have mass storage, you have to have SpinRite. You heard the story from our Canadian truck driver. It is a must-have. Also lots of free stuff. That's fantastic. If you want to email Steve, if you want to send him comments, people email me like I have a path to you. I don't. I can't get through to Steve. If you want to get through to Steve, here's what you do. You go to grc.com email and you give him your email address. Now you're not going to do anything with that except to whitelist it so that your email will come through to him. That's all it does. But you'll notice there are a couple of checkboxes, unchecked, below there for his newsletters. One, of course, the weekly show notes. The other, a very infrequent update on what Steve's doing. The next one will probably be his DNS Pro benchmark, which I'm looking forward to. So that's one letter, one email I can't wait to get. So all of that, GRC.com, that's the place to be. Do you still post your show notes on Twitter, right? 
Or on X, right?
Steve Gibson
Yeah, on X. Yeah. It's funny, I had a piece of feedback who said to solve this X versus Twitter problem. Here it is. It's spelled X and it's pronounced Twitter.
Leo Laporte
Yeah, we are at TWiT.tv. No relation to Twitter. We predated Twitter. They stole it from us. That's why I'm glad it's X. I want everybody to call it X. Forget that you ever heard the word Twitter. We're the one and only TWiT. Even now my autocorrect will replace TWiT with Twitter every time. It drives me nuts. Nuts. That tells ya. TWiT.tv/sn for the latest versions of the show. Actually all the versions, all 1,018 versions of the show are on that website. Most audio and video, but the early ones just audio. You will also see a link there to the YouTube channel. Great place to share little clips if you want to scare somebody. Send them this thing, this post-quantum crypto problem that might be of interest to some people. Easy to do on YouTube. You can clip it right from, you know, the beginning or wherever you want in the show. And of course the best way to get it, I think, is to subscribe. You can subscribe to audio or video. Any podcast player will have it and that way you get it automatically. And I think it's probably a good thing. Something you want to hand down to your kids. A complete set of Security Now episodes so they can learn what it was like.
Steve Gibson
Thanks, dad.
Leo Laporte
To live in the 21st century. Oh, dad.
Steve Gibson
Wow. What's a honey monkey?
Leo Laporte
Steve. Have a wonderful week.
Steve Gibson
I will see you next time on April Fools. Bye.
Leo Laporte
Security Now.
Episode Overview
Security Now Episode 1018, titled "The Quantum Threat," was recorded on March 25, 2025. Hosted by Leo Laporte and featuring Steve Gibson, the episode covers cybersecurity issues ranging from a longstanding Windows vulnerability and a remote server takeover to the threat that quantum computing poses to current cryptographic systems. The discussion is grounded in real-world examples, expert insights, and listener feedback, making it an essential listen for anyone invested in the future of digital security.
Key Discussion Points: Steve Gibson highlighted a bug in Microsoft's software that has remained unpatched for years. This vulnerability has been exploited by 11 Advanced Persistent Threat (APT) groups, making it a significant concern for cybersecurity professionals.
Insights: Microsoft has known about the flaw for years and has declined to fix it, leaving systems exposed. The episode uses it to illustrate how hard it is to get a large vendor to act on a vulnerability it does not consider worth patching, and why defenders cannot rely on the vendor's severity rating alone when attackers are already using the bug.
Key Discussion Points: A severe Remote Code Execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2025-24813, is actively being exploited. Wallarm, a security firm, reported that this flaw allows attackers to take over servers with just one PUT API request.
Insights: The simplicity of the exploit, requiring only two simple commands, makes it exceptionally dangerous. With nearly 19,000 installations worldwide, organizations using Apache Tomcat must urgently apply patches to prevent potential breaches. The rapid exploitation underscores the necessity for proactive security measures and robust incident response strategies.
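As an added check for this section (example code written for this page, not from the show, Wallarm or the Tomcat project): Tomcat's DefaultServlet only honours HTTP PUT and DELETE when its `readonly` init-param is set to `false`, and the shipped default is `true`. So the first thing to audit on a Tomcat host, in both `conf/web.xml` and each application's `WEB-INF/web.xml`, is whether that setting has been flipped. The three web.xml documents below are constructed samples; the function and its names are this example's own. Finding `readonly=true` does not replace the patch, it only confirms that the PUT door is closed.

```python
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample (not from the show): a web.xml that makes the DefaultServlet
# writable, so PUT and DELETE against static content are honoured.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the hardened form, readonly=true, which is also Tomcat's default.
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                    "<param-value>true</param-value>")

# Constructed sample: no readonly parameter at all, so Tomcat's default (true) applies.
UNSET_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
"""


def _local_name(tag: str) -> str:
    """Strip the XML namespace ({uri}name -> name) so lookups work with or without it."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    """Stripped text of the first direct child element called `name`, or '' if absent."""
    for child in elem:
        if _local_name(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def default_servlet_put_enabled(web_xml_text: str) -> bool:
    """True when a DefaultServlet declaration carries readonly=false (PUT/DELETE accepted).

    A DefaultServlet with no readonly init-param keeps Tomcat's default, which is read-only.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local_name(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != TOMCAT_DEFAULT_SERVLET:
            continue
        for init_param in servlet:
            if _local_name(init_param.tag) != "init-param":
                continue
            if _child_text(init_param, "param-name") == "readonly":
                return _child_text(init_param, "param-value").lower() == "false"
    return False


def audit_web_xml(web_xml_text: str, label: str = "web.xml") -> list:
    """Human-readable findings for one web.xml; an empty list means nothing was flagged."""
    findings = []
    if default_servlet_put_enabled(web_xml_text):
        findings.append(
            f"{label}: DefaultServlet has readonly=false, so clients can PUT/DELETE "
            "content unless a security-constraint blocks those methods; set it to true "
            "unless uploads through the DefaultServlet are intended."
        )
    return findings


if __name__ == "__main__":
    samples = (("weak", WEAK_WEB_XML), ("safe", SAFE_WEB_XML), ("unset", UNSET_WEB_XML))
    for label, text in samples:
        print(label, audit_web_xml(text, label) or ["ok"])
```

Run it against real files by reading `conf/web.xml` and every deployed `WEB-INF/web.xml` into `audit_web_xml`; an application can re-declare the DefaultServlet and override the global setting, which is why both levels have to be checked.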
Key Discussion Points: Concerns arose about a potential backdoor in the ESP32, the most popular IoT processor, produced by the Chinese company Espressif. Espressif responded by clarifying that the so-called backdoor consists of internal debug commands essential for testing and not accessible remotely.
Insights: Espressif's clarification addresses misinformation, highlighting the importance of understanding the technical details before labeling features as vulnerabilities. The company committed to removing the undocumented commands, reinforcing its dedication to security and transparency.
Key Discussion Points: A significant breach occurred when Department of Defense officials inadvertently included a journalist in a multi-way Signal conversation detailing war plans. Steve Gibson critiqued the use of Signal for national security communications, emphasizing that while Signal offers robust encryption, the insecurity lies in the devices themselves.
Insights: The breach underscores the limitations of encrypted messaging apps when used on potentially compromised devices. It highlights the need for secure communication protocols beyond app-level encryption, advocating for stricter device security measures and controlled environments for sensitive communications.
Key Discussion Points: The core of the episode revolves around the quantum threat to current cryptographic systems. Steve Gibson and Leo Laporte discuss how advancements in quantum computing could render existing encryption methods obsolete, posing a catastrophic risk to digital infrastructure.
Insights: Quantum computers capable of breaking asymmetric cryptography could undermine everything from secure communications to financial transactions. The necessity for migrating to quantum-resistant cryptographic algorithms is urgent, as highlighted by efforts from organizations like NIST and governmental bodies worldwide. HP’s proactive measures in implementing quantum-resistant firmware in PCs and printers exemplify steps being taken to mitigate this looming threat.
Key Discussion Points: The episode covers the integration of end-to-end encryption (E2EE) in Rich Communication Services (RCS), a significant leap for secure messaging. GSMA’s Technical Director, Tom Van Pelt, announced the inclusion of Messaging Layer Security (MLS) protocol, ensuring confidentiality and interoperability across different platforms, including Apple’s iOS.
Insights: The addition of E2EE in RCS addresses previous security shortcomings, enhancing privacy for users across Android and iOS. However, concerns remain about data backups and device security, as decrypted data can be vulnerable if devices are compromised. The move signifies a positive step towards unified, secure messaging standards but also calls for continuous vigilance regarding device-level security.
Key Discussion Points: Oracle is in advanced talks to acquire TikTok's US operations amidst national security concerns. Politico reported that the deal would require Oracle to oversee American user data, ensuring it remains inaccessible to the Chinese government. However, skepticism persists about the feasibility of completely severing ByteDance’s control.
Insights: The potential acquisition by Oracle aims to mitigate security risks associated with Chinese ownership. However, critics argue that ByteDance’s ongoing influence might still pose vulnerabilities. The negotiation underscores the complexities of securing multinational digital platforms against geopolitical tensions, balancing data security with operational autonomy.
Key Discussion Points: 23andMe, a pioneer in personal genomics, filed for Chapter 11 bankruptcy. Steve Gibson advised users to delete their genetic data from 23andMe’s databases to prevent potential misuse of their genetic information in acquisition deals.
Insights: The financial troubles of 23andMe raise concerns about the security and future accessibility of users’ genetic data. Gibson’s proactive approach in deleting his data reflects the importance of data ownership and privacy, especially when companies face instability. Users are encouraged to take control of their genetic information to safeguard against potential breaches or unauthorized access during corporate restructurings.
Key Discussion Points: Amid budget cuts and planned layoffs, the White House instructed federal agencies to refrain from terminating cybersecurity staff. This directive recognizes the critical role cybersecurity professionals play in national security and the protection of federal infrastructure.
Insights: The decision to preserve cybersecurity positions within federal agencies highlights the heightened awareness of cyber threats and the indispensable nature of these roles. It serves as a reminder of the ongoing battle against cyber adversaries and the necessity of maintaining a robust cybersecurity workforce to defend national interests.
Key Discussion Points: A report from S&P Global Market Intelligence indicated a significant increase in AI project failures, with 42% of businesses scrapping most of their AI initiatives in 2025, up from 17% in the previous year. The primary obstacles cited include cost, data privacy, and security risks.
Insights: The surge in AI project failures suggests that the rapid integration of AI technologies may be outpacing organizations’ capacities to implement them effectively and securely. This trend calls for more strategic planning, better resource allocation, and a deeper understanding of AI’s potential risks and benefits to ensure successful adoption and utilization.
Key Discussion Points: Listeners shared positive experiences with SpinRite, praising its effectiveness in maintaining and recovering storage devices. Additionally, a question about synchronizing bookmarks across browsers led to a recommendation for the open-source extension xBrowserSync.
Insights: Engaging listener feedback not only validates the practical advice given by the hosts but also fosters a sense of community among the audience. Recommendations for tools like SpinRite and xBrowserSync give listeners actionable ways to improve their personal security and data-management practices.
The episode culminates with an in-depth discussion on the quantum threat, emphasizing the urgent need for transitioning to quantum-resistant cryptography. HP’s research underscores the timeline within which quantum computing could disrupt current security protocols, advocating for immediate action to safeguard digital infrastructure. Gibson and Laporte stress the importance of prioritizing critical systems for migration and the collaborative effort required across industries to mitigate the impending risks.
Takeaway: As quantum computing advances, the imperative to adopt quantum-resistant measures becomes ever more critical. Organizations and individuals alike must remain vigilant, proactive, and collaborative to ensure the resilience of our digital future against the transformative capabilities of quantum technologies.
For More Information:
For a comprehensive understanding and further details, listeners are encouraged to visit GRC.com and explore the full article by HP on "Protecting Cryptography Against Quantum" available in the show notes.