Troy Hunt Phished, Ransomware List, InControl
Leo Laporte
It's time for Security Now. Steve Gibson is here. We're going to talk about how Kuala Lumpur's international airport responded to a ransomware attack. I'll give you a hint. It involves whiteboards. The creator of Have I Been Pwned? just got pwned. We'll read his disclosure. He handled it well, I thought. And then, is the EU gonna switch to Linux? And why that might not be such a bad idea. All that coming up and a whole lot more next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1019, recorded Tuesday, April 1, 2025: EU OS. It's time for Security Now, the show you look forward to all week long because, well, when else are you gonna have a chance to get together with the wonderful Steve Gibson and talk about technology and computing and security and privacy? Here he is, the man of the day, the man of the hour.
Steve Gibson
Sometimes a little AI, sometimes a little supplement, sometimes a little D sprinkled on top. Yeah. Today of course is April Fool's Day. Oh, and as you and I, you and I are in agreement that it's a dumb thing to do jokes. I mean, I don't want to go over and look at theregister.co.uk. It's like, who knows what's happening there? I did hear one good security-conscious buddy of mine, we were together at Berkeley, I met him there and we've stayed in touch. He sent me a note. He said, April 1st is the only day people critically consider what they read on the Internet. He said, let's make every day April Fool's Day.
Leo Laporte
Good point, good point. We should always be skeptical, shouldn't we? It's like, no, even the reg is not doing any April Fool's. I think people have finally realized.
Steve Gibson
Burned out. Finally.
Leo Laporte
Yeah. Remember Google used to spend many, many cycles working on April Fool's jokes? It seemed like a waste.
Steve Gibson
Yeah, well, what is not a spoof or an April Fools is the existence of something called EU OS, as in European Union operating system.
Leo Laporte
Wow.
Steve Gibson
Yeah, baby. It's like, bye bye Microsoft. So for Security Now, episode 1019, for, yes, April 1st, we're going to finish by talking about that. And it brings up some interesting things, Leo, that you and I are going to have fun talking about. Like when FOSS, you know, free open source software, gets to be so important that, you know, that little guy with the block down in Nebraska holding up the pyramid, it's like, okay, wait, you know, is this fair that, like, the European Union would be getting arguably an incredible amount of value out of this work, which was volunteered and is thankless. So, you know, I mean it feels to me like when it moves from hobby land, as it's kind of largely been, into, like, running the world, you know, does the model change? It's, you know, that's a good question. Yeah, yeah. So. But we got lots of other fun stuff to talk about first. Of course, the first story was driven by a picture that I saw. The Kuala Lumpur International Airport immediately said no to a ransom attack and got out their whiteboard.
Leo Laporte
Wow.
Steve Gibson
It's like, hey, we don't have that many flights, so we're just going to have Benjamin write them down. Also. Oh, Leo, a tired and jet-lagged Troy Hunt got phished.
Leo Laporte
Oh no.
Steve Gibson
Then had to list himself on his own site.
Leo Laporte
Have I been pwned? Yes.
Steve Gibson
Anyway, he did a really good takedown of himself and, like, looked at, like, how did, what. How did this happen to me? Anyway, so we're going to have some fun there. Also, Cloudflare decided to completely pull the plug on port 80. HTTP no more. Which, you know, it takes actors like that to be able to do that and make it happen. Also, malware is switching to obscure languages to avoid detection and I said this is sort of. Well, it's apropos of that. Forth, anyone? And actually Lisp is among them.
Leo Laporte
Lisp is one of them.
Steve Gibson
Yeah, yeah. Password reuse, it appears, is not dropping. Cloudflare has numbers. A listener has shared his log of malicious Microsoft account login attempts and I asked the question, seeing the list which we'll be sharing, why no geofencing, Microsoft? 23andMe is again down for the count. Just a little reminder there, and I have a little bit more information. Also we've got a sobering ransomware attack and victim listing website, which for those who want to jump ahead is this week's episode-numbered shortcut of the week. Also a nice post from a listener, a bit of feedback sharing that InControl, one of my pieces of freeware, is helping him to keep his VR planes aloft. And then we're going to take a look at what this EU OS means for them and sort of what it suggests about where FOSS goes from here. So I think for a non-foolish April 1st we've got a great podcast.
Leo Laporte
For our listeners and we promise that all the stories you will hear today are true.
Steve Gibson
Yes, EU OS is. That would have been a great one but it turns out it's true.
Leo Laporte
Sadly, they're all true. That's really the truth. Sadly, they're not made up. All right, well, we're going to get to the show in just a second. Of course, our picture of the week. Steve says we seen it before. I don't remember it, but if you do, you could let us know. It's a repeat, but it's worth repeating, I think.
Steve Gibson
Yeah.
Leo Laporte
And somebody has already fed it to Chat GPT and come up with a replacement for you, Steve, that, that no one has seen before. So we'll show you.
Steve Gibson
Replacement for me, the podcaster?
Leo Laporte
No, no, just for that cartoon.
Steve Gibson
Because, you know, I've already heard from our listeners say, I dumped all of these transcripts of. Of the past shows into AI and. And then I gave it like, scan the news of the week and just be Steve. And so if I suddenly start looking younger, then it could happen.
Leo Laporte
It could happen. Our show today, brought to you by Drata. You might know this name if you're leading risk and compliance at your company. I hope you know the name Drata. It's a tough job you've got. You're wearing ten hats at once. You're managing security risks, compliance demands, of course, budget constraints. They're always there, all while trying not to be seen as the roadblock that slows business down. You don't want to be the speed bump, but GRC isn't just about checking boxes. It's a revenue driver. It can be. It builds trust, it can accelerate deals, it strengthens security. Of course, that's why modern GRC leaders turn to Drata, a trust management platform that automates those tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program without breaking a sweat. With Drata, you can automate security questionnaires, you can automate evidence collection, you can automate compliance tracking. That's just a. Isn't that just. Do you feel like a sigh of relief just hearing that? Right. You can also stay audit ready there with real-time monitoring, which is really great. Simplify security reviews with Drata's trust center and AI-powered questionnaire assistance. Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? I think you owe them a visit. Drata.com/securitynow to learn more. Drata.com/securitynow. We thank them for supporting the work Steve's doing here. And the work you're doing too, I guess. And we thank you for using that address so they know you saw it here. Drata, D-R-A-T-A dot com slash securitynow. Picture of the week time, Steve.
Steve Gibson
So, yeah, this picture takes a rather boring sort of somewhat. I guess it's not really esoteric. It's important if you're writing code that you want to be correct topic. It really puts a good sharp point on it and makes it a lot more fun. I gave this picture the caption: Subtle coding choices can land you at the bottom of the canyon. And so the picture we have shows the famous Wile E. Coyote and the Road Runner. And so the issue here is whether you test for your loop completion in code at the top of the loop or the bottom of the loop. And both placements have a terrific coding purpose. So the idea being, in code, you have this general notion of flow control, that is, an if instruction that jumps you somewhere else, changes the flow of the control of the code. Similarly, you've got looping, where you want to do something some number of times. And in some cases the control of the loop is an expression which evaluates to true or false. So for example, in the first case you would say while something is true, and that could be an inequality expression or a boolean variable or whatever. While something is true, do the following. And so then that following, whatever it is inside the loop, would be done. And then you'd come back up to the top and re-evaluate that expression and it may now no longer be true, in which case you fall out of the loop, you drop out of the loop, and you continue executing code below. The alternative is an expression which is expressed as do that something, and then down at the bottom, while. And then you have your expression that you evaluate as true or false. So obviously the difference here is in the first case, you're testing that expression at the top before you have even done what the loop contains once. In the second case, do something while. You don't get down to the while until you've done it once. 
So this is so beautifully illustrated in the cartoon because in this coding example, in the cartoon, the loop says while not at the edge, run. That is, as in run toward. You know, like the coyote is chasing the Road Runner and they're running toward the edge of this cliff. And if they're, like, with a really long canyon below, of course, we all remember seeing the little whee and then a little puff of smoke down there when the coyote hits the bottom and miraculously survives. So the Road Runner is using the first instance, while not edge run, meaning that I'm not at the edge is being tested before we run, so it stops before it reaches the edge. Unfortunately, the coyote's logic is the other loop, in this case the wrong one, which says do run while not at edge, meaning that the run happens before the testing for whether we've gotten to the edge. The coyote overruns the edge, falls to the bottom of the canyon. Anyway, just, you know, you'd have to be into code and geeky nerdiness to think that this was wonderful. But, you know, just a great illustration of the difference. And from a true coding standpoint, you know, the caption I gave it: Subtle coding choices can land you at the bottom of the canyon. It's probably always the case when someone is writing code that this choice matters. I have used both often because sometimes I do always intend to do something once, then decide after that's done, do I want to do it again. Other times I want to check to see whether I need to do it at all and just skip over it. Never execute the loop if that's the case.
Leo Laporte
So I guess you could say that you should check your edge cases before you get to the cliff is what you're saying.
Steve Gibson
Yes. You want to make sure that you're not at the edge when you run.
Leo Laporte
Unless you could put a try and a catch at the bottom. If you had a catch at the bottom, you'd be okay. By the way, here's a ChatGPT redo of this with me apparently putting my test clause at the wrong part of the loop. And that's not good.
Steve Gibson
Very nice.
Leo Laporte
Yeah, ChatGPT can do those now. It's a. Kind of a fun. Yeah, it's amazing. Yeah.
Steve Gibson
Okay, so the Malaysian Prime Minister Anwar Ibrahim has declined to pay a $10 million ransom after hackers. And you can put this on the screen. I think it'd be good, Leo, for people to see it. To pay a $10 million ransom after hackers paralyzed the IT systems at the country's main airport over the weekend.
Leo Laporte
Oh, my God.
Steve Gibson
This incident forced the staff at the Kuala Lumpur International Airport to manually post the flight information on a large whiteboard with a pen.
Leo Laporte
Wow.
Steve Gibson
And it's just wonderful. I mean, it's like, you know, it's like you can imagine, you know, a grandchild saying to grandpa, grandpa, how did you used to know what gate to go to before computers? And there's your answer. So we've got, you know, flight numbers, destinations, time of departure, and then gate numbers in several columns. Anyway, this is what happens if you say, no, we're not knuckling under to the ransomware guys. So, and we touch on ransomware a few times in this podcast. I've stumbled on a site that is quite sobering. So the Prime Minister said, he said it took me less than five seconds to decide to decline to pay the ransom.
Leo Laporte
Wow.
Steve Gibson
And no particular group has taken credit for the hack. And maybe now if they see this picture they go, well, I guess we're not going to get our 10 million. We're just, you know, I don't know if they're going to give them back the decryption keys. Hopefully they're restoring their systems from backups and they were able to retire the whiteboard, but they didn't waste any time coming up with a workaround. So, okay, we would file this one under the heading it can happen to the best of us. And I'm always saying there but by the grace of God, because I'm not saying none of this can happen to me. You know, I may have an expired certificate or a compromised server. I mean, as I said, what, a week or two ago, when I learned about that PHP flaw where in the CGI invocation of PHP I was using a vulnerable version of PHP, I will say that because PHP, it's on an isolated server, you know, I mean literally that server can't do any damage if anything gets loose in it because I just don't trust that stuff that I didn't write myself. So, you know, again, it could happen to the best of us. Anyway. So an alternative heading might be even the most security-aware person can get tripped up. Last week, Troy Hunt, who's famous for his Have I Been Pwned? password leakage tracking site and service, posted his piece titled "A Sneaky Phish Just Grabbed My Mailchimp Mailing List." You know, P-H-I-S-H. So Troy wrote: You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now. And the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. He said, I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP. Then I'll update the post with more details. But as a quick summary, I woke up in London this morning to the following. 
And then he posted for us. And it's on the screen, what he saw, which was the Intuit Mailchimp logo and the page looks 100% legit. And it says sending privileges restricted. And it says, hello, we're reaching out to inform you that your Mailchimp account's sending privileges have been restricted due to a spam complaint received on March 24, 2025. We take these reports seriously to maintain a safe and trusted platform for all users. Then it says under the heading, what happened? Your account has been flagged due to a spam complaint and as a result you are temporarily unable to send emails until this issue is resolved. What you need to do, it says, please review your recent campaigns and audience lists to ensure compliance with our policies. Then in bold, click below to review your account and take the necessary steps to restore your sending privileges. So anyone seeing this who uses Mailchimp probably got a few of these in the early days before they'd established their reputation, while some people were saying, what is this? I didn't ask to be on this list. And they, you know, they complain. And so, I mean, this is completely believable. And Troy makes a point later, as we'll see, that it wasn't over the top. It didn't say your life will end in 15 minutes if you don't, you know, it was just pitched just right. So, and he was jet lagged and tired. He clicked the button review account. So Troy said, I went to the link, which is on mailchimp-sso.com, and entered my credentials, which crucially did not autocomplete from 1Password.
Leo Laporte
Wouldn't have let him do it.
Steve Gibson
It said, that's not a URL that I've seen before. So the fields were empty. He said, I then entered the one-time password. You know, he has an authenticator, so the OTP, and the page hung. He said, moments later the penny dropped and I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address. I immediately changed my password, but not before I got an alert about my mailing list being exported from an IP address in New York.
Leo Laporte
So that's what they wanted.
Steve Gibson
And moments after that, he said, the login alert from the same IP, quote, we'd like to confirm some recent activity on your account, unquote. He said, this was obviously highly automated and designed to immediately export the list before the victim could take preventative measures. There are approximately 16,000 records in that export containing info Mailchimp automatically collects, like, turns out, GPS coordinates. And, you know, more than people would like to have exposed, but that's what Mailchimp collects, he said. Every active subscriber on my list will shortly receive an email notification by virtue of this blog post going out. Unfortunately, the export also includes people who've unsubscribed. He asks parenthetically, why does Mailchimp keep these? He said, so I'll need to work out how to handle those ones separately. I've been in touch with Mailchimp but don't have a reply yet. I'll update this post with more info when I have it, he said. I'm enormously frustrated with myself for having fallen for this and I apologize to anyone on that list. Obviously watch out for spam or further phishes, meaning, like, somebody pretending to be him, for example, who wants them to do something with Have I Been Pwned? You know, because that's the way that this could escalate or snowball. And he said, obviously watch out for spam or further phishes and check back here or via the social channels in the nav bar above for more. He said, ironically, I'm in London visiting government partners and I spent a couple of hours with the National Cyber Security Centre yesterday talking about how we can better promote passkeys, in part due to their phishing-resistant nature. And he had a facepalm emoji. He said, more soon. I've hit the publish button on this 43 minutes after the timestamp in that first email above. So he prioritized immediately notifying all the people on that phished list that this was what happened. So, you know, hopefully no further damage will be caused. 
So that was the blog posting that he quickly pushed out to let his more than 16,000 subscribers know that, you know, the email address they had entrusted to him had escaped. Later, he continued under the headline More stuff from after the initial publish. And he wrote, every Monday morning when I'm at home I head into a radio studio and do a segment on scams. It's consumer facing, so we're talking to the normies, and whenever someone calls in and talks about being caught in a scam, the sentiment is the same: I feel so stupid. That, friends, he wrote, is me right now. Beyond acknowledging my own foolishness, let me proceed with some more thoughts. First, I've received a gazillion similar phishes before that I've identified early. So what was different about this one? He said, tiredness was a major factor. I wasn't alert enough and I didn't properly think through what I was doing. The attacker had no way of knowing that, and I don't have any reason to suspect this was targeted specifically at me. But we all have moments of weakness. And if the phish event is timed perfectly, you know, by coincidence with that, well, here we are. He said, secondly, reading it again now, that's a very well crafted phish. It socially engineered me into believing I would not be able to send out my newsletter. So it triggered fear. But it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top.
Leo Laporte
Yeah, that was smart, right? Yeah, because if it's like, oh my God, you're going to go to jail, then he would have known.
Steve Gibson
Yes, yes. And he said, thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password. So why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain and that address is stored in 1Password, then you legitimately log on to a different domain. He said, for example, Qantas Airlines uses both www.qantas.com and, elsewhere, accounts.qantas.com. And so his point is, you know, we're all used to the occasional failure of our autofill because, as he said, the authentication has gotten so complicated that even that isn't as straightforward as it once was. You know, and he saw mailchimp-sso.com. That looks, you know, possible. You know, probably should have been sso.mailchimp.com, because then it would have been a subdomain of mailchimp. Obviously, the bad guys got this. And so they were doing.
Leo Laporte
So they had sso.com and then they were prepending.
Steve Gibson
No, no, it's mailchimp hyphen. So they just grabbed a domain that looked legitimate, knowing that someone like Troy or, you know, your typical user might go, okay, just make sure the URL seems right. And it's like, okay, that seems right.
Leo Laporte
I said, some password managers will say use the base URL for the.
Steve Gibson
This was. That might change mailchimp-sso.
Leo Laporte
Well, that's a different base URL though, right? Yeah.
Steve Gibson
Right. So 1Password said, yeah, yeah. Now what would be interesting would be if a future password manager did a soft match and saw that, well, I've got mailchimp.com, here it is again, and then brought up an alert and said, hold on, this looks like one of your domains, but it isn't, right? So then it'd be like, anyway. He said, and the final thought for now is more a frustration that Mailchimp did not automatically delete the data of. And he says this is not, you know, his fault. More of a frustration that Mailchimp didn't automatically delete the data of people who unsubscribed. He said there are 7,535 email addresses on that list, which is nearly half of all addresses in that export. He said, I need to go through the account settings and see if this was simply a setting I hadn't toggled or something similar, you know, meaning it was his fault for not turning on delete, you know, email addresses when people unsubscribe.
Leo Laporte
Let me show you, by the way. And this is in Bitwarden, but Bitwarden, you have to do this on a per-site thing, but it does have switches for detection of base URL. So you can have base domain, but you can also have a regular expression. You could say it has to match exactly. I haven't tried 1Password. I would assume that 1Password would have this kind of feature as well. And then the next step is, well, if it doesn't fill, you really should check. Right. Don't assume, because he obviously manually entered it, right?
Steve Gibson
Oh, no, no, no. Oh, yes, yeah, yes. He had to manually enter his username.
Leo Laporte
He said, oh, well, it's probably just a thing. So.
Steve Gibson
Yeah, and I'll often open the, you know, open the dialogue because, you know, none of us know our passwords anymore. So I'll copy the password and then manually, you know, paste it into the password field and it's like, okay, fine.
Leo Laporte
He might have done that too. Yeah.
Steve Gibson
So you're right. Anyway, he said the inclusion of those addresses was obviously completely unnecessary. He said, I also don't know why IP addresses. Oh, and I'll just say one other thought, although Troy didn't, is even if 1Password wanted to keep them around for some reason, they could have been excluded from an export.
Leo Laporte
Sure.
Steve Gibson
Or, you know, so that they weren't exportable even if they. Like for example, maybe Mailchimp. I'm sorry, I said 1Password. I meant Mailchimp. Maybe Mailchimp needs to, you know, like, keep them blacklisted if somebody maliciously resubscribes after saying don't ever send me an email again. I mean, for example, my own system does that. There's a button that I have where it's like, I don't ever want to hear from you again, no matter what. And that goes onto a permanent list and, I've said, if you ever want to get yourself removed from that, I'm going to have to write some code because.
Leo Laporte
You're stuck, buddy.
Steve Gibson
Yeah, I just, I never want to bother anybody with email that they don't want. So anyway, so he said, also, I don't know why IP addresses were captured. Oops. Or how the latitude and longitude are calculated, but all of that was in the export. So he was a little bit annoyed by that. He said, but given I've never seen a prompt for access to the GPS, I imagine it's probably derived from the IP, which is certainly reasonable. He said, I'll park this here and do a deeper technical dive later today that addresses some of the issues I've raised above. And again, I'm sure we can all give him a get-out-of-jail-free card just based on jet lag and fatigue. You know, he wasn't soliciting this notice from them. He didn't go there. It showed up in his email and, again, looking absolutely believable.
Leo Laporte
That's when they get you though, when your guard is down.
Steve Gibson
When your guard is down. Exactly. You're in a hurry, you know, your buddies are outside saying, hey, you know, like, waiting for you to go to lunch and it's like, okay, you know, and you don't think. In fact I'm always so careful when I'm, like, when I'm logging away from my servers that I log out and don't shut down because, you know, whoops. So those sorts of things happen. Actually, I have removed the shutdown option. I've got to use a different tool to do that. Anyway, then a bit later, Troy continued. He said, unfortunately Mailchimp does not offer phishing-resistant two-factor authentication. And then we see a screenshot from them showing two-factor authentication, and what is configured is his authenticator app and not configured is SMS, because he knows that's not going to be useful. So that's all good. But he says, by no means would I encourage people not to enable two-factor via one-time passwords. But let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the one-time password as soon as it's entered. Good. So that's what happened.
Leo Laporte
That's what happened. It was so quick.
Steve Gibson
Yes. You know, that mailchimp-sso.com was automated. The moment he logged in and then was prompted for his one-time password, it took all three of those, username, password, one-time password, immediately turned around, logged into his Mailchimp account and triggered an automated mailing list export. And that's what it was designed to do. He also wrote, I just went to go and check on the phishing site, meaning the mailchimp-sso.com site, with the expectation of submitting it to Google's Safe Browsing. But it looks like that will no longer be necessary, because he was presented with a Cloudflare intercept page stating that the page was suspected of being used for phishing. So in the interval of, I don't know, a couple hours probably, when he got back to it, that mailchimp-sso.com site had already been blocked because others reported it as being a phishing site. So he said, 2 hours and 50 minutes after it snared my creds, Cloudflare has killed the site. I did see a Cloudflare anti-automation widget on the phishing page when it first loaded, and later wondered if that was fake or they were genuinely fronting the page. As it turns out they were, he said. But I guess that question is now answered. I know there'll be calls of why didn't Cloudflare block this when it was first set up, he said. But I maintain, as I have before in their defense, that it's enormously difficult to do that based on domain or page structure alone without creating a heap of false positives. And Troy knew that he would need to load those addresses into his own Have I Been Pwned site. He wrote, when I have conversations with breached companies, my messaging is crystal clear: be transparent and expeditious in your reporting of the incident and prioritize communicating with your customers. 
Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP. As such, I've now loaded the breach and notifications are going out to 6.6K impacted individual subscribers and another 2.4K monitoring domains with impacted email addresses. And he finished, looking for silver linings in the incident, I'm sure I'll refer this blog post to organizations I disclose further breaches to. I'll point out in advance that even though the data is "just" email addresses, he has that in quotes, and the risk to individuals doesn't present a likelihood of serious harm or risk their rights and freedoms, it's simply the right thing to do. In short, for those who read this in the future, not just as I say, but as I do. So I've included a link to Troy's entire blog posting, which proceeds with, at the time of this writing, a series of seven additional follow-ups. So for anyone who's interested, there is more there if you want to follow the link, or probably just follow it from troyhunt.com, which is where he blogs from. He spends a lot of time looking at the benefits, the many benefits, in these follow-ups of passkeys, which are inherently phishing resistant. Because the information being sent back to the authenticating server is neither static username and password nor short-duration one-time codes. The authenticating server sends a unique, never-before-seen challenge over an end-to-end encrypted link, which the user's client signs. So any man in the middle is cut out. But the biggest takeaway here is that phishing, which takes advantage of the human factor, remains an active threat today. And it can literally happen to anyone, even someone as astute as Troy, who lives and knows this stuff inside and out. It just happened to catch him at a time of fatigue and jet-lagged weakness. But it did catch him. 
The addition of one-time passwords has neutered non-real-time attacks where a user's login, username and password have been stolen, like in a site breach. But automated attacks which immediately forward the user's provided one-time password to the authenticating server remain 100% effective. So that's worth keeping in mind. It's not like we get total protection from having to, you know, feel like we're James Bond and looking up our secret password, which changes every 30 seconds, and typing it in, you know. And remember that we've also seen how ridiculously long some authentication sites such as Microsoft will continue to honor tokens which expired many minutes.
Leo Laporte
Oh more. More than 30 seconds.
Steve Gibson
Oh yeah, yeah, yeah.
Leo Laporte
That's because it takes time for people.
Steve Gibson
To get the thing. Yeah, I mean we covered it. There was an instance where it was like a five-minute window and the attackers were hacking Microsoft's one-time password system because, by using crowdsourced brute forcing, they were able to get all 1 million possibilities into that window to neuter anyone's one-time password. And finally, the fact that attackers used the domain mailchimp-sso.com further masked the attack. You know, even to someone like Troy, who probably noticed the URL, that was a perfectly reasonable domain name of the sort we see every day.
Leo Laporte
Yes, I agree with him. This is why passkeys have to happen. That's why, frankly, SQRL should have happened. It would solve this problem.
Steve Gibson
Yeah, it did solve it. It's not the one we got, but we got one which is still phishing resistant. And now what we just need is everyone, again, like, nothing makes the world change. And we've got a couple more instances we'll be encountering here today of, like, what it takes to end. Actually, actually, our next story. But let's take a break and then we're going to talk about Cloudflare making the world change in a good way.
Leo Laporte
Change is good sometimes, not always.
Steve Gibson
Not easy. Not easy and not something you do voluntarily. It's like, hey, well, it worked yesterday and it looks okay today, so. Well, probably good for tomorrow.
Leo Laporte
Yeah. And passkeys would be resistant, right? I mean there's no. Nope. There's an interaction with the website. There's no way a third party could sneak up.
Steve Gibson
Cuts the third party out of the loop.
Leo Laporte
Okay, well, let's say hello to a brand new sponsor, shall we? Yes. Always happy to get new sponsors. Have you heard of the company OutSystems? You should. They've been there for 20 years. For over 20 years. The mission of OutSystems is to give every company the power to innovate through software. OutSystems is the leading AI powered application and agent development platform. They've been doing this for a long time. It's kind of impressive. IT teams, and you, if you're an IT team, you know this, you typically have two choices. It's the buy or build choice, right? We all know it. Buy off the shelf SaaS products for speed. But then, you know, they may not be a perfect fit. You lose flexibility, you also lose differentiation with the competitors. Right. Or build your own custom software. Always fun, right? You lose time and resources. There is a new way though, thanks to AI. AI has given us another path. The fusion of AI, low code and DevSecOps automation onto one development platform means maybe you can kind of build custom applications faster, better, easier than ever. Well, you can. With OutSystems, your teams will build custom applications using AI agents. And we know we've started to see people doing this and it's really impressive. It will make it almost as easy for them to do, you know, the build part of this as the buy part, as buying generic off the shelf sameware, right? And flexibility, security and scalability come standard with OutSystems. With AI powered low code, teams can build custom future proof applications at the speed of buying, with fully automated architectures, security integrations, data flow permissions. It's all built in now. That's a great idea. OutSystems is the last platform you need to buy, the last one you need to buy, because you can use it to build anything and customize and extend your core systems too. Build your future with OutSystems. Visit outsystems.com/twit to learn more.
Now there's an answer to the build versus buy conundrum that's better than both. OutSystems, outsystems.com/twit. Build your own custom built apps and agents faster than ever with OutSystems. I love this idea. outsystems.com/twit. We thank them for their support, and of course you support us when you use that address, and make sure you do so they know you saw it on Security Now. outsystems.com/twit. All right, Steve, let's talk about Cloudflare.
Steve Gibson
So yes, their blog posting was titled "HTTPS-only for Cloudflare APIs: shutting the door on cleartext traffic." They introduced this change by writing: Connections made over cleartext HTTP ports risk exposing sensitive information because the data is transmitted unencrypted and can be intercepted by network intermediaries such as ISPs, Wi-Fi hotspot providers or malicious actors on the same network. It's common for servers to either redirect or return a 403 Forbidden response to close the HTTP connection and enforce the use of HTTPS by clients. And for example, you know, you can reach GRC over port 80 still, HTTP, but my server just immediately bounces the user's browser over to the same URL but HTTPS in order to move you over to secure. They said: However, by the time this occurs it may be too late, because sensitive information such as an API token may have already been transmitted in cleartext in the initial client request. This data is exposed before the server has a chance to redirect the client or reject the connection. A better approach is to refuse the underlying cleartext connection by closing the network ports used for plaintext HTTP. And that's exactly what we're going to do for our customers. Wow. I mean, that's okay. What will break? They said: Today we're announcing that we are closing all of the HTTP ports on api.cloudflare.com. We're also making changes so that api.cloudflare.com can change IP addresses dynamically, in line with ongoing efforts to decouple names from IP addresses and reliably managing addresses in our authoritative DNS. This will enhance the agility and flexibility of our API endpoint management. Customers relying on static IP addresses for our API endpoints will be notified in advance to prevent any potential availability issues. So that suggests that people who've been using the Cloudflare API knew that the IP addresses Cloudflare was publishing, where their servers were listening, would never change.
And they've decided we're not going to do that anymore. We're going to, you know, you could look up the IP using DNS. So we're going to allow our IPs to float around. They're saying we, Cloudflare, need that flexibility. So we're going to switch back to using DNS. And of course with DNS over TLS, or HTTPS, that becomes more feasible because then you've got your DNS also secured at their end. So they said: In addition to taking this first step to secure Cloudflare's API traffic, we'll provide the ability for customers to opt in to safely disabling all HTTP port traffic for their websites on Cloudflare. We expect to make this free security feature available in the last quarter of 2025. So first they're going to say no to API access over port 80 and then give their customers the option of turning off access to their own Cloudflare hosted websites over HTTP, again for the sake of enhanced security. They said: We have consistently advocated for strong encryption standards to safeguard users, data and privacy online as part of our ongoing commitment to enhancing Internet security. This blog post, sorry, details our efforts to enforce HTTPS-only connections across our global network. I've got a link in the show notes for the entire posting because it goes on into great detail with network state diagrams and, like, showing how all this works and the problems that can be created if you're not careful, and more, about, you know, how and why none of the options for redirecting initially plaintext HTTP traffic over to HTTPS is able to achieve the same absolute level of security, you know, as simply saying no to all non-HTTPS traffic from the start. They wrap up this lengthy blog posting by saying: Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected.
Developers should no longer expect a 403 Forbidden response, because that means that there was a server listening on port 80 that accepted the connection and then sent back a 403 Forbidden. Now there is no port 80; it's just gone. So, you know, TCP is banging its packets against the wall and nothing's happening. So they said: Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection from being established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established. We're also making updates to transition api.cloudflare.com away from its static IP addresses in the future. As part of that change, we will be discontinuing support for non-SNI, remember, that's Server Name Indication, non-SNI legacy clients for the Cloudflare API specifically. And they said: Currently an average of just 0.55%, so a little more than one out of every 200 TLS connections to the Cloudflare API, do not include an SNI value. That, as we know, when you're connecting using HTTP, it is. It's possible for multiple domains to share a single IP because part of the TLS handshake is the SNI value, the Server Name Indication, which is the domain to which the client wishes to connect at that remote server IP. The server needs to know that in order to know which certificate to send back, in order to match the domain that the client wants to connect to for TLS. So they said only, you know, 1 in 200, a little over 1 in 200, clients are still trying to do that. So they said: We are committed to coordinating this transition and we'll work closely with the affected customers before implementing that change. So the other thing they're essentially saying is they're going to be doing some IP space collapsing. Right now they have dedicated IP addresses that are associated with fixed domain names.
They don't want to do that anymore. They want to require SNI, and they're going to disconnect that binding between a fixed domain name and a fixed IP. So, altogether, what this means is they'll be able to serve more domains on fewer IPs, which helps with IP depletion problems and gives them a lot more networking flexibility. So they said: We're committed to coordinating this transition and we'll work closely with the affected customers before implementing the change. This initiative aligns with our goal of enhancing the agility and reliability of our API endpoints. And finally: Beyond the Cloudflare API use case, we're also exploring other areas where it's safe to close plaintext traffic ports. While the long tail of unencrypted traffic may persist for a while, it should not be forced on every site. In the meantime, a small step like this can allow us to have a big impact in helping make a better Internet. We're working hard to reliably bring this feature to your domains. We believe security should be free for all. So bravo, Cloudflare. This is the sort of step that's needed, as I said above, to push Internet security forward. You know, just say no to port 80. Which makes me wonder, I haven't looked, you know, how much port 80 traffic I still have. Our longtime listeners may remember that I jumped on the bandwagon very early in the HTTPS Everywhere move, registering GRC with Google and Chrome. So that's built into Chrome; GRC.com has been there from the start saying only use SSL, it actually was SSL back then, now TLS, in order to connect to GRC, and feel free to promote any attempt to connect via HTTP to HTTPS, because we will always be there answering a secure port. So anyway, port 80, you know, inherently unencrypted, got us to where we are today. But for nearly all purposes, everyone is coming to the position that its day has passed.
You know, we know from everything we've seen that, inertia being what it is, nothing ever moves forward on its own. It just doesn't. It's always easier to leave things as they are. But a more secure future means that organizations such as Cloudflare need to take a leadership stance as soon as it becomes feasible to just say no to port 80. And for them, they've decided that day is today. So bravo.
Leo Laporte
I guess I should turn off port 80 on my firewall.
Steve Gibson
I'm forwards. I'm gonna, I think I at some point, I mean, like, not like I don't have other things to do, I do, but, like all of us do. So. But I'm curious, you know, how many attempts are being made. For a long time, if you just put GRC.com, for example, in your browser, it would try to go to HTTP first, and then, if I didn't redirect, it would try HTTPS. But I remember, and you know, I don't know, it was a few years ago that I remember we talked about it on the podcast, the browser logic flipped when HTTPS became not only the preferred solution, but by far the majority. You know, Let's Encrypt had been there, certificates were now free. It wasn't, you know, you didn't have Richard Stallman having a seizure because people were saying we want everyone to use a certificate based connection. And so it's like, okay, it's time. And so the browsers flipped over. I don't, you know, it's probably totally feasible to turn off port 80. It'd be worth taking a look. I'm kind of. Now I'm curious.
Leo Laporte
Yeah.
Steve Gibson
An interesting newly published research paper by researchers out of Greece and the Netherlands caught my attention. Its title is "Coding Malware in Fancy Programming Languages for Fun and Profit."
Leo Laporte
Fancy. They call it fancy.
Steve Gibson
It's fancy. Well, Leo, when you've worn the ink off of your open/close parentheses keys. Yeah. This is where you want those two-shot keycaps. Right? Where the actual plastic goes all the way down.
Leo Laporte
Yes.
Steve Gibson
So you know, like, like the fuzz is worn off of the key top. It's now smooth.
Leo Laporte
I know where the parenthesis keys are. They're pretty good.
Steve Gibson
That's a good point.
Leo Laporte
Yeah, we don't actually, I don't need that. I don't need any hints.
Steve Gibson
If you didn't know, it's the fact that there's like ink missing from the O above the nine and the zero keys that would, that would be a clue. But this is a long piece, so let's take another break and then we're going to get into it.
Leo Laporte
Good. I always enjoy a good Lisp conversation.
Steve Gibson
I, you know about the F1 language, the F word language.
Leo Laporte
And there's, there's a. There are. Yes. There's a, A number of, shall we say, obfuscated languages out there that are probably very good for that kind of thing. For malware and so forth.
Steve Gibson
We're gonna have fun with this one.
Leo Laporte
Yeah. Yeah. I think assembly probably is a better way to go. I'm just saying to your bad guys. But they probably can't figure it out. They. That's why. Right, so they're not.
Steve Gibson
Yeah, yeah. Ease of use and transportability. Multi platform.
Leo Laporte
See, Lisp is great. Although they're using it for pico. They're using it for intermediate code, not for. Well, I mean, you're going to get into it. I won't steal your thunder. I will in fact tell people about our sponsor, because this is the part of the show where I tell everybody about Bitwarden. I was just showing how I really love. This is where open source shines, because Bitwarden is, because it's open source, more responsive to what its users want. Right. They've become the trusted leader in passwords. Of course, they also support secrets now and, of course, passkey management. I store all my passkeys in Bitwarden because that's the easiest way for me, because Bitwarden's on every device I use, every computer, every laptop, every tablet, every phone. Bitwarden's everywhere. And so, so are my passkeys. I love that. And I just showed you, I thought, how clever. I was pretty sure Bitwarden had this capability to avoid phishing attacks. When you store your password in Bitwarden, you can even tell it how much of the website has to match, you know, where you stored it, or how little. I think stricter is probably better. It's really no surprise now Bitwarden has more than 10 million users across 180 countries. Surprised me a little bit to hear they have 50,000 business customers too. Yes, Bitwarden's widely used in business. In fact, it's consistently ranked number one in user satisfaction by G2. It's recognized as a leader in Software Reviews' Data Quadrant. Bitwarden protects businesses worldwide. And part of the reason they're so popular with businesses is they're so simple, so easy to use, so easy to move to. The import's straightforward, and they add features that are really important to businesses. We're coming close to tax time. You'll be glad to know Bitwarden lets you securely send documents. This is built in with Bitwarden Send, of course. It uses end-to-end strong encryption, so all your forms are protected.
So if you're a tax accountant or you're dealing with a tax accountant, you can use this to send that information, including your socials and everything, your Social Security number and everything, back and forth without being visible to the outside world. And here's another great feature of Bitwarden. I love them. Recipients don't need an account to access them. So you're not even saying to your accountant, well, you've got to have Bitwarden. You're just saying, I'm sending this to you securely. So stop using risky email attachments. Start sharing confidential documents with password protection. They also have expiration dates, they have view limits. You get full control over who has access to your sensitive information. Of course, Bitwarden's got that built in. What a surprise. There are, by the way, new findings from Bitwarden that highlight 65% of enterprises, more than half, still rely solely on passwords. And password management is now cited as the top IAM challenge for 35% of organizations. Only 21% of them are implementing passwordless authentication, which is disappointing to me. But this is where Bitwarden can really help. Enterprises face ongoing credential security risks. But Bitwarden offers enterprises essential tools with end-to-end encryption, MFA, secure password sharing and, of course, passwordless passkeys and SSO. So you don't have these risks. Bitwarden always will be right on top of the current and future needs in authentication. They added memory hard key derivative functions. Right when it was realized PBKDF wasn't memory hard, Bitwarden went out. I think they added, no, Argon2. They added Argon2. So I mean this. In fact, it was one of our listeners who said, you know what, I'm going to implement, because Steve's been talking about this memory hard password key derivatives, I'm going to implement scrypt and Argon and send it on as a pull request to Bitwarden. Bitwarden vetted it.
They said, well, we don't want to confuse people with too many, so we're going to use the Argon2. We're going to make that available to everybody. Literally within a month of you talking about this, it was in Bitwarden. Bitwarden has just announced its ISO 27001:2022 certification. This is, of course, an internationally recognized standard that assures enterprises and developers and security teams that Bitwarden meets stringent security and compliance requirements. I guess, you know, those are table stakes. But it also is compliant with SOC 2 Type 2, GDPR, HIPAA, so if you're in the medical business, this is a solution for you, and CCPA, the California privacy law, reinforcing Bitwarden as a trusted security partner for enterprises. See, when you're open source, it's not about making money. It's about doing the right thing. And Bitwarden consistently does the right thing. And it prioritizes simplicity, because they know if you're going to be using a password manager, it better be easy or your employees won't use it. They'll still write it on Post-it notes, right? Bitwarden setup takes just a few minutes. They import from most password management solutions in seconds. And as I said, they're open source. That means you can inspect their code, anybody can inspect their code, and they're regularly audited by third party experts. And unlike some companies, they publish the results of those audits in full. You and your business deserve an effective solution for enhanced online security. You deserve Bitwarden. Get started today with Bitwarden's free trial of a Teams or Enterprise plan, or, and this has been the case as long as I've known them, it's always been free across all devices as an individual. Free forever. Unlimited passwords, passkeys, hardware keys for individuals. bitwarden.com/twit. In fact, if you're an individual, you can even host your own vault if you decide, all right, I want to do it all. You can.
Bitwarden, again, it's open source, so they have their own implementation of a server, but there are others who've written one. A lot of people like the Rust based server for Bitwarden. It's flexible. It's your choice. This is the way to go, believe me. bitwarden.com/twit for you, for your family, for your friends, for your business. bitwarden.com/twit. It's the only password manager I use. I'm very, very happy with it. And I see people struggling with passwords all the time. And I just say, get Bitwarden. It's free. Not for businesses. No, but for individuals, free forever. They have to make money somewhere. Actually, I pay the $10 a year.
Steve Gibson
I had the little bill come up again and it passed by. I said, yep, 10 bucks, that's not a problem.
Leo Laporte
Well worth it. Well worth it to support them. All right, let's continue on. Steve.
Steve Gibson
Okay, so "Coding Malware in Fancy Programming Languages for Fun and Profit." Okay, so I'm going to share the paper's abstract and its introduction, which will give us a sufficient sense for what these researchers have found. The abstract explains the continuous increase in. Oh, boy. Let. Hello. These numbers. The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Right. I mean, like, there's just so much software now. They said: Due to its speed and efficiency, static analysis is the first line of defense. Okay, now I'll just interrupt here to mention that, broadly, code can either be examined statically, which is just, you know, looking at the code bytes themselves after loading them into memory, but not actually running the code, or it can be looked at dynamically, which entails creating a sandbox of some sort, often, you know, an industrial strength virtual machine, to actually run the code after it's been loaded, to examine the code's behavior when it's running. Not surprisingly, static analysis, when you can do it, is much faster and more efficient, when that's feasible. So the abstract continues: In this work, we illustrate how the practical state of the art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that would otherwise immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less used programming languages.
To this end, we study the features that such programming languages introduce into executables and the practical issues that arise for practitioners to detect malicious activity. So essentially, you know, in this ongoing, never ending cat and mouse game of malware and malware detection, and avoiding detection, and avoiding the avoiding of the detection, here's another domain, you know, for escalating this fight, which is, let's just change languages. The introduction that they provided gives us some more interesting background. They said: In the past decade, malware has undergone significant changes. The main drivers of these changes can be attributed to the vast digitization of products and services and the development of a payment system that allows anonymous transactions to bypass the protections of the traditional banking system. In other words, we've talked about this. Cryptocurrency was the enabling requirement for this explosion we've seen, because it allows people to make payments, you know, secretly. They wrote: This has boosted the number of possible victims and the potential impact of malware. You know, creating a profit motive where there was, you know, viruses used to just kind of exist because they could. Now malware is there to make money. Moreover, anonymous payment methods enable a wide range of illicit transactions to be performed, which in the case of malware, is the apparent case of ransomware. They said both the U.S. Cybersecurity and Infrastructure Security Agency, our beloved CISA, and the European Union's Agency for Cybersecurity have recognized malware as the top cyber threat. Indeed, malware attacks impact our everyday lives by harvesting sensitive information, crippling critical services, and causing significant damages to individuals and corporations.
This has placed malware in a pivotal role in the crime ecosystem and created an individual ecosystem with independent roles operating in a business model called malware as a service, which is not something we've ever seen before. Malware as a service. They said: The security industry's response to the above mentioned threats is collecting and analyzing malware samples. Right? So that's the threat. How do you counter the threat? Well, you need to look at all this stuff. And here was the number that just astonished me: at a rate of around 280,000 malware samples per day in 2024. 280,000 per day? Malware samples per day, what, in 2024? There's just that much?
Leo Laporte
All distinct. Yes, who's what?
Steve Gibson
I know, that's a lot of. I know, a lot of it out there. They said, which is more or less similar to previous years. Given that load, static analysis remains the most efficient and profound remedy to detect malicious files quickly, they said. In this arms race between malicious actors and defenders, the development of malware has evolved into an underground industry. I think what I liked most about this was it gives us a sense of scale. I mean, the development of malware has evolved into an underground industry to bypass security controls, they wrote, by employing malware authors and monetizing the infected hosts. In other words, it makes money now. So this is an industry creating malware.
Leo Laporte
Unbelievable.
Steve Gibson
I know, it's just unbelievable. Wow. So they said: Of course, bypassing static analysis does not grant them a foothold to the targeted host, meaning more is necessary. But that's the first step, right? You've got to get in before you can do anything. You've got to get past the filter. So they said: Nevertheless, it significantly raises their chances of achieving their goal, as they then often need to bypass behavioral checks. But static is first, they said. Although endpoint detection and response systems, you know, EDR as it's now called, endpoint detection and response systems, usually apply such checks and vendors often portray them as silver bullets, there are several ways to bypass them. In this work, we limit our scope to static analysis. That is, the first stage of prevention is detection through static analysis, they said. Even though malware written in C continues to be the most prevalent, malware operators, primarily well known threat groups such as APT29, increasingly include non typical malware programming languages in their arsenal. For instance, APT29 recently used Python in their MASEPIE malware against Ukraine, while in their Zebrocy malware they used a mixture of Delphi, Python, C# and Go. Likewise, Akira ransomware shifted from C to Rust, BlackByte ransomware shifted from C to Go, and Hive was ported to Rust. According to reports, the result of these changes was increased resistance to reverse engineering and a reduced detection rate, or the malware's misclassification, which is fine with them. You know, adware, okay, we know we're not bad, we're just annoying. On other occasions, C language malware families are not recreated from scratch. Instead, malware authors write loaders, droppers and wrappers in so called exotic languages.
This provides them with several advantages, such as bypassing signature based detection, so they can effectively wrap their payloads with harder to detect shells that are newly built. So it's got a C core, but it's wrapped in something in Rust or Go or, you know, Kotlin or something, in order to, you know, the static analyzer goes "what?" and then lets it through because it doesn't know that it's bad. Then it unwraps and the bad stuff comes out. They said: Thus, attackers continue to use the same initial penetration vector and a significant portion of their methods, suggesting that threat actors prefer to transfer the original malware code to different languages instead of modifying their tactics, techniques and procedures, the so called TTPs, to avoid detection. This approach allows them to maintain the effectiveness of their attacks while remaining under the radar of security systems. Since these languages may be less widely recognized or understood, they add an extra layer of obfuscation to malware, making it harder to detect and analyze. Furthermore, security analysts have reported increased difficulty in reverse engineering such malware samples due to reprogramming efforts, meaning they don't have the tools for reverse engineering some bizarro language. Thus, combining different languages and obfuscation techniques complicates dissecting and reverse engineering the malware structure, functionality and intent. Our work, they wrote, explores the problem of detecting malware written in uncommon languages using a data driven approach. Rather than merely reporting and examining this trend, we performed a targeted experiment by writing malicious samples in different programming languages and compilers, drilling down to the distinctive characteristics. So they literally implemented their own malware and then wrote it in, like, 40 different languages and then explored what the different AV systems did and why they succeeded or failed. They said:
This analysis practically shows the unique features that adversaries gain and highlights the emerging issues for malware detection and analysis. This work led to the formation of some interesting research questions that have never been answered systematically and studied in the academic literature, and we try to answer them in this work. So there are three research questions. First, how does the programming language and compiler choice impact the malware detection rate? Second, what's the root cause of the disparity, if any, in detection? And third, are there any other benefits to an attacker from shifting the code base to less common programming languages and compilers beyond the detection rate by static analysis? What they learned was quite interesting. As I said, they created their own malware using the top two current malware exploit techniques that have been identified across the industry, and they implemented the underlying malware concept in every language imaginable, even, Leo, Lisp.
Leo Laporte
Finally, we're getting our due.
Steve Gibson
That's right. You too could write your own malware, if you are not shy of parentheses. So here's what their extensive research concluded and the answers they arrived at for each of their three research questions. They wrote: Malware is predominantly, I thought this was interesting too, predominantly written in C and C++ and is compiled with Microsoft's compiler.
Leo Laporte
Interesting.
Steve Gibson
Yes, they had a chart, and I mean it's like 98% Visual Studio. You know, it's like, well, because Visual Studio Express is free.
Leo Laporte
Yeah.
Steve Gibson
And so that's what you're going to use and it's easy and hold your hand and you know, you don't have to remember anything they said. However, answering RQ1 research question one with our experiments, how does the programming language and compiler choice impact the malware detection rate? Our work practically shows that by shifting the code base to another less used programming language or compiler, malware authors can significantly decrease the detection rate of their binaries while simultaneously increasing the reverse engineering effort of the malware analysts. It is crucial to note that the malware authors do not necessarily need to radically change their code base as for instance, just the choice of. And this was really interesting to me, just the choice of using a different compiler, even for famous programming languages they wrote like C, have the same impact. That is, you don't have to go away from C, you just use GCC instead of msc. They said our experimental results illustrate that there are significant deviations in how programming languages and compilers generate binaries, and that they can serve as an additional layer of obfuscation for malware authors. So, okay, in other words, since nearly all of the malware code is written in C and compiled using Visual Studio, and they have that, they said so in their paper. The static analysis, AV detectors that, you know, blanket the industry have all been similarly oriented or biased toward that assumption because that's what they're seeing, right? Those are the. That's the code that they're charted, charted with blocking, detecting and blocking. So simply by switching to Turbo C or GCC or Whatcom C, those assumptions about the specific binary code bytes that are being produced will be broken and AV detection rates will drop without any need to rewrite their malware. And as I was reading this, it occurred to me, I'm not sure it was good for this paper to be published. 
But, you know, I guess it was, you know, true either way, whether they publish it or not. Because as they said at the top, they're already seeing malware moving to other languages. And the only reason any bad guys would move from a comfortable C programming environment over to Rust is specifically for detection rate avoidance, because they've already got, you know, their malware written and they don't want to do work they don't have to do. The researchers' question number two asked about the root cause of the disparity. They wrote: the root cause for the disparities that we raise in research question two, as highlighted with our use case in Haskell and the metrics for each tested pair of programming language and compiler, is that there are radically different ways that each of them reaches the same result. For instance, different ways of storing strings and different approaches in the internal representation of functions can render many static detection rules useless. As a result, there is no one size fits all approach. So further research is necessary to systematically identify these differences and group them. You know, the short version is AV is about to get a whole lot more difficult to do because the bad guys are no longer sticking exclusively with C and Visual Studio. Essentially, they're saying that since static code analysis is concentrated, sorry, is constrained to simply examining code that's lying there in RAM. You know, things such as function calling methods which pass parameters in different ways, or static strings that are stored and represented in differing ways, all of which will vary by language, all serve to dramatically confuse static analysis. It might result in false positives, and so they're wanting not to be overreactive, but it's just as likely when it's confused to allow bad code to slip past. 
In answering their final research question, are there any other benefits to an attacker shifting the code base to less common programming languages and compilers beyond the detection rate that's used by static analysis? They said, answering question three, this shift in languages may come with additional benefits for attackers. An obvious case is cross compilation and multi platform targeting languages, which enable malware authors to build a single malware variant and have it compiled for multiple operating systems.
Leo Laporte
Not to mention, you're getting rid of all those buffer overflows in your malware.
Steve Gibson
Actually, yes, I make the point a little bit later. They're getting more reliable malware. Oh great. If they use Rust, yes. The strategy can significantly reduce the time, they wrote, and number of tools needed to achieve their objectives, thereby expanding the scope of any hostile campaign. IoT devices in particular support a range of CPU environments, making it necessary for malware targeting these devices to be compatible with not only x86 and x64 architectures, but also various other architectures such as ARM, MIPS, M68K, SPARC and SH4. You know, various microcontroller architectures, much lower end processors that are being used in IoT devices. A typical example is Mirai, which uses GCC. Yet one of its successors, NoaBot, uses a uClibc-based cross compiler and is statically built to target embedded Linux systems. In this regard, other options could be more efficient. For instance, Go can be cross compiled to all major operating systems, as well as Android, JavaScript and WebAssembly. One of its advantages is that it provides statically compiled binaries by default, eliminating runtime dependencies and simplifying deployment on target systems. Oh, great, just what we want for the malware. Go also features a robust package ecosystem that allows developers, malware developers, to easily pull in code from other sources. Yeah, basically, you know, we've made programming much better for legitimate developers and unfortunately, malware authors benefit too.
Leo Laporte
Honestly, that's what's happening is these are all benefits to modern programming languages.
Steve Gibson
Exactly. Yeah, exactly. And they said as a result, malware can be developed at a faster rate. Oh, joy. Targeting a broader range of architectures and systems. Indeed. HinataBot, another descendant of Mirai, is developed in Go to take advantage of the above. HinataBot's discovery was much more difficult as a result. Unfortunately, the bar to creating a new variant of Mirai using Go or other languages is now quite low. This allows, get this, Leo, criminal groups to create their own variations. So that's one of the reasons there's just so much of it. It's like, you know, oh, let's just, you know, tune it and tweak it for our own needs.
Leo Laporte
Fancy Bear Mirai.
Steve Gibson
Exactly. Yes. Beyond cross compilation, they said there are several other reasons to witness more changes in the malware code base. After all, malware developers, like any other software developers, have specific needs when choosing programming languages and tools. Different languages offer various benefits for different scenarios, and the choice of language can significantly impact the development and functionality of malware. For instance, built in security mechanisms and type safety may be prioritized by ransomware authors who want to avoid leaks of the encryption keys. To guarantee that they're. Oh my God. To guarantee that their victims will not be able to develop decryptors. That's right. We want to scrub the RAM so we don't leave secrets behind. Not because we're the good guys trying to protect our keys, but because we're the bad guys and we just encrypted everyone's database and we want to make sure they don't get a hold of our decryption key. Wow. They said a typical example is Rust, which offers built in memory mechanisms to prevent common vulnerabilities and to offer type safety. So even malware is now benefiting from the enhanced memory management and security created through the use of more modern and safe languages. That's just wonderful, they wrote. Other aspects can include library availability, facilitating interaction with the underlying operating system and enabling critical malware functions, low level access and control over memory layout, having full control over the malware's behavior and performance, but also direct compilation to machine code, creating an executable file directly, and use other tools for obfuscation. So exactly as you said, Leo. Everything we've done to make languages better for the good guys has made it better for the bad guys.
Leo Laporte
Wow.
Steve Gibson
They said, while shifting to another programming language may seem complicated, especially when considering less popular ones, large language models (LLMs).
Leo Laporte
Oh boy, they do a great job with Lisp.
Steve Gibson
Yeah, AI, yeah, may come to the rescue, they said. After all, they've proven their capability for generating code quite accurately, and various cybersecurity tasks and malicious actors are abusing them. As a result, AIs can translate code from one programming language to another, requiring little fine tuning. Don't even have to understand the language that the AI produced. This way, malware authors can seamlessly develop loaders, droppers and other components in languages they may not be familiar with. It's true that the malware that we examine in this work represents a small fragment of the total. Nevertheless, it is stealthier and introduces more bottlenecks for the reverse engineer. Given that the APT groups are shifting their code bases and the malware as a service model facilitates the trading of malware so different malware mixtures per campaign can be purchased, this diversification is expected to continue, and they finish: by disregarding these samples and only focusing on traditional programming languages and compilers, we provide malware authors with an effective hideout they can easily exploit. Therefore, we believe that a deeper analysis of the executables produced by other compilers and programming languages is needed to improve detection rates, but also develop better reverse engineering tools. So what we are now seeing is that, you know, the bad guys are noticing that the AV tools are blocking them right and left, and so they're saying, okay, fine, didn't want to, but we will, you know, change compilers, change languages. And of course this just makes the detection rate go exponential because now the code could be coming in under any language other than, as it used to be, basically all C. You know, a given, like Mirai, would be written in C, so the detectors would learn to detect the various variants of Mirai, but only under C. Now Go and all these other things. So, you know, I would say.
Leo Laporte
Don't they all compile down to assembly, I mean machine language?
Steve Gibson
Yes, they do, except that as long as they're written all under the same compiler, that compiler is going to translate the same source into the same bytes.
Leo Laporte
Right.
Steve Gibson
And so the static analysis that doesn't actually run the code to see what.
Leo Laporte
Oh, it's just like string compare almost, right?
Steve Gibson
Yes, it is. It is a signature comparison.
Leo Laporte
Oh, okay.
Steve Gibson
And so any, of course that doesn't work. Yeah, right. So, yeah, so I wouldn't say that they've discovered anything earth shattering or surprising. You know, their results are pretty much what we would expect.
Leo Laporte
Yep.
Steve Gibson
But some of the tricks they highlighted, such as simply recompiling unchanged source under a different compiler for the same language, were interesting. You know, just change from Visual Studio to GCC and you get different code which will break the signature comparison. And you didn't have to rewrite your source at all.
Leo Laporte
Yeah.
Steve Gibson
So by clearly demonstrating in fact what we might assume, you know, their work should serve to get the authors of the static AV detection to, you know, I'm sure they must be looking at this thing and. Oh God, you know, we're, I mean it's going to, it's going to be what, 20 times more signatures that they need given all the compilers and the variants of compilers that are available.
Leo Laporte
Oh yeah, and that's without changing languages.
Steve Gibson
Right. And in reading this, the one language I didn't see which would have been really interesting actually was Forth. Based upon what these researchers found, I would imagine that Forth would have a number of advantages for malware. For one thing, it only needs a very small and readily available runtime interpreter that's already been ported everywhere. And I often refer to Forth as a write only language. We've talked about it before.
Leo Laporte
It doesn't have to be.
Steve Gibson
Oh, Leo, it does, it does.
Leo Laporte
No, really it doesn't. Because you're creating a dictionary. You could make it almost English like, if you worked at it.
Steve Gibson
Well, you can make your verbs English like, but it is a stack oriented language, so you are the compiler.
Leo Laporte
That's a good point. Where you're getting the data from is very obscure because it's popping and pushing it.
Steve Gibson
So as you're writing it, you know, to put this on the stack. Put this on the stack. Put this on the stack, then call this verb. You're the compiler. And so, yeah, I've. You know, you come back and look at something you wrote a month ago, it's like, what does this do? I love Forth.
Leo Laporte
I really love.
Steve Gibson
I do too. I. It is a beautiful, elegant, tiny language and I hope I didn't give the bad guys any ideas. On the other hand, it's not easy to use.
Leo Laporte
No, they're never going to use that. It's too much. Learning curve is too steep.
Steve Gibson
Yeah.
Leo Laporte
Although there is an excellent book called Starting Forth that is just one of the best programming books ever written. That's actually how I got into it, is I read the. Leo Brodie's Starting Forth, and that actually is such a beautifully done book that I couldn't resist.
Steve Gibson
And it's just fun to play with.
Leo Laporte
It's fun. And eventually your program is one word.
Steve Gibson
Do or do it or go. Do it or go. Actually, normally the verb is the name of the program.
Leo Laporte
Right.
Steve Gibson
So it's just, you know, program, sort or something.
Leo Laporte
It does not compile to assembly, though. It is. It is a kind of a bytecode interpreter.
Steve Gibson
It is a. It is. Yeah. So it has. But. But the. It is so lean that the runtime is extremely small.
Leo Laporte
It was. I mean, it is written for telescopes and that kind of thing.
Steve Gibson
Yes, it was originally Charles.
Leo Laporte
I interviewed him. Moore. Charles Moore.
Steve Gibson
Moore.
Leo Laporte
And I remember interviewing him back at TechTV because I was a fan of Forth and he was puzzled. He said, I never thought anybody would want to talk to me, but he was brilliant. And it was. It was very small embedded environments like telescopes. That's why I think it still may be used in robotics and things like that. It's great for.
Steve Gibson
Actually, it's in some motherboards. There are some motherboards that are using Forth as their engine for, like, getting systems booted.
Leo Laporte
So there are some hackers who still know Forth. That's interesting.
Steve Gibson
Yeah. We have another piece from Cloudflare, but let's take a break. We're an hour and a half and then we're gonna see the continued reuse of passwords, despite all advice.
Leo Laporte
You're making me want to go back and write some more Forth.
Steve Gibson
I know. I'll bet our listeners are like, Forth. And yes, it is available everywhere.
Leo Laporte
Oh, yeah.
Steve Gibson
You can easily find a cute little.
Leo Laporte
Interactive Forth, except for the Mac, because the problem is it's so old, nobody's written Forth for Apple Silicon, as far as I know. In fact, a lot of the Forth stuff was written for PowerPC and was never ported to Intel.
Steve Gibson
So.
Leo Laporte
There was a great Mac Forth back in the PowerPC days. It was wonderful. But I don't know, today, I guess you could just run it in a VM. It's so tiny.
Steve Gibson
It is. It is a small runtime.
Leo Laporte
Here I have the book. I'm running over to my bookshelf and holding up my gently thumbed copy of Starting Forth. This was such a good.
Steve Gibson
I recognize the cover. Did you read this book?
Leo Laporte
You probably didn't need to. You did.
Steve Gibson
I recognize the cover, right?
Leo Laporte
Oh, yeah.
Steve Gibson
It had.
Leo Laporte
It had great cartoons, and it was just a wonderful. Leo Brodie, and he was working at Forth Incorporated when he wrote it.
Steve Gibson
Yeah. Manhattan Beach, I think, is where Forth was located.
Leo Laporte
Wow. Oh, my gosh. Yeah, this is. This is. This is so old. It's. It's not courier. It's just. It's. It's a typewriter. That ain't courier, folks. That's. That's just a type of Photostat of a typewriter.
Steve Gibson
And we can't do bold, so we do underline.
Leo Laporte
Right? Oh, but this was such a clearly written book. And he had such a great sense of humor. Here's his explanation of how the stack. Slicing the stack works.
Steve Gibson
Little samurai.
Leo Laporte
And then there's a rabbit popping numbers off and on the stack. It's great. Anyway, enough of that. Let me talk about our sponsor. You can get back to the real work of this show. Our show today, brought to you by ThreatLocker. Now, these are some guys you should know about. I am very impressed by ThreatLocker. In fact, when I looked at how affordable it is, I thought, you know, everybody. Everybody should be using ThreatLocker, especially nowadays. You listening to the show? Ransomware is rampant. In fact, we're gonna hear some more about how rampant. It's harming businesses worldwide. It's happening just, you know, like it happened to Troy Hunt. Phishing emails, infected downloads. You can't go to those download sites anymore. You're guaranteed to get something bad. Malicious websites, RDP exploits. Don't be the next victim. ThreatLocker uses zero trust. Such a brilliant solution. It takes a proactive. And here's the key. Deny by default, deny by default approach that blocks every unauthorized action, protecting you from both known and unknown threats. Hackers can't get through it because they can't do anything. It's trusted by global enterprises like JetBlue. You know who uses ThreatLocker. As we know, there's a huge risk from ransomware attacks on vital resources, you know, like the Pipeline, the Colonial Pipeline attack. The Port of Vancouver, a vital national resource in Vancouver, uses ThreatLocker to make sure their operations run smoothly. And it works. ThreatLocker shields you from zero day exploits and supply chain attacks, while providing complete audit trails for compliance. ThreatLocker is used in some of the most risky businesses, the ones that are constantly under attack. And it's proven its usefulness. ThreatLocker's ring fencing technology, that's what they call it, isolates those critical applications from weaponization. It stops ransomware, stops zero days cold. 
And because it limits lateral movement within your network, you don't have to worry about a bad guy penetrating your defenses and then having free rein to put malware on your Linux based camera. As we were talking about the other day, ThreatLocker works across all industries. It supports Macs. That's good news. Your heterogeneous environment. Fine. You get 24/7 US based support and they enable comprehensive visibility and control. Mark Tolson, who's the IT director, another target, the city of Champaign, Illinois. Here's his quote. ThreatLocker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing that ThreatLocker will stop that. You know, I'm sure all the people of Champaign, Illinois also appreciate that. Stop worrying about cyber threats. Get unprecedented protection quickly, easily and yes, very cost effectively. You'll be impressed at ThreatLocker. Visit threatlocker.com/twit. You can get a 30 day trial right now. I think it's good to learn how ThreatLocker can mitigate unknown threats. And by the way, because it logs everything and ensures compliance, makes compliance easy. threatlocker.com/twit. This is a brilliant solution. Couldn't recommend it more highly. threatlocker.com/twit. We thank them so much for seeing the good in Steve Gibson and the value that he's providing and supporting it. You support it too when you go to threatlocker.com/twit. Okay Steve, okay.
Steve Gibson
So once again, Cloudflare recently published a piece of research that I wanted to share. I was initially confused by the headline of their blog post, which read "Password reuse is rampant: nearly half of observed user logins are compromised." And I thought, what do you mean nearly half of observed user logins are compromised? It turned out that the problem with their headline was the somewhat unclear word compromised. A better choice may have been to say nearly half of user logins use previously leaked passwords, right?
Leo Laporte
They've been compromised.
Steve Gibson
Compromised in the sense of got out, loose. In other words, passwords that are, you know, likely known by Troy Hunt's Have I Been Pwned site. Cloudflare wrote: accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a login step. Beneath this everyday task lies a widespread human mistake we have still not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked. Based on Cloudflare's observed traffic between September and November 2024. So September, October, so three months, one quarter of 2024. Get this. 41% of successful logins across websites protected by Cloudflare involve compromised, meaning leaked, previously leaked passwords. 41% of people are logging in with passwords that have already been leaked out on the Internet. And they said, in this post we'll explore the widespread impact of password reuse, focusing on how it affects popular content management systems, the behavior of bots versus humans in login attempts, and how attacks exploit stolen credentials to take over accounts at scale. I'm going to skip over most of this because everyone listening, I know our audience, everyone listening to this podcast already well understands the dangers of password reuse. And I'm sure that everyone listening is now using some form of password manager, which is able to synthesize complete gibberish passwords, which is what we want, on the fly for use, then store and later reuse. One thing I wasn't appreciating before this was the size to which Cloudflare has quietly grown. At one point in their blog posting, they wrote, our data analysis focuses on traffic from Internet properties on Cloudflare's free plan, which includes leaked credentials detection as a built in feature. So that's something they offer their free plan users. 
Leaked credentials, they wrote, refer to usernames and passwords exposed in known data breaches or credential dumps. For this analysis, our focus is specifically on leaked passwords. With, get this Leo, with 30 million Internet properties comprising some 20% of the web behind Cloudflare, this analysis provides significant insights. Cloudflare is 1/5 of the Internet, 30 million Internet properties. Wow, they've just been quietly growing since they were a cute little startup that we used to talk about. Oh, you're so cute, you little startup, you. Holy crap. One out of every five sites is now running their traffic through Cloudflare. Well, that crept up on us. So they explain: one of the biggest challenges in authentication is distinguishing between legitimate human users and malicious users. To understand human behavior, we focus on successful login attempts, those returning an HTTP 200 OK status code, as this provides the clearest indication of user activity and real account risk. Our data reveals that approximately 41% of successful human authentication attempts. Okay, successful. 41% of successful human authentication attempts involved leaked credentials.
Leo Laporte
That's kind of amazing. How does Cloudflare know that?
Steve Gibson
Because they've got all of Troy going through them. Right, Exactly. Because it is coming through them and they're able.
Leo Laporte
So a huge proportion. What did you say? A third of the net is behind a Cloudflare wall? In effect.
Steve Gibson
Right. And so they're able to.
Leo Laporte
They could see those passwords in transit?
Steve Gibson
Yep.
Leo Laporte
Wow. Even on SSL they can see them in transit, huh?
Steve Gibson
Well, they're hosting the site, so. Yeah, so they're the server that is actually receiving the password.
Leo Laporte
Oh, so we're not talking about Cloudflare's, like, protection against DDoS, right? They're actually hosting. They have that much of the web.
Steve Gibson
Yes, that's what astounded me.
Leo Laporte
Because they have free pages.
Steve Gibson
30 million sites.
Leo Laporte
Kind of amazing.
Steve Gibson
30 million sites.
Leo Laporte
Wow.
Steve Gibson
Yeah. So they said, despite growing awareness about online security, a significant portion of users continue to reuse passwords across multiple accounts. And they're watching people logging in with passwords, with credentials that have been leaked, that are known. They said, according to a recent study by Forbes, users will on average reuse their password across four different accounts. That is, in four different places. Oh, it's my password. Even after major breaches, many individuals don't change their compromised passwords or still use variations of them across different services. For these users, it's not a matter of if attackers will attempt to use their compromised passwords. They will, they will. It's a matter of when they will.
Leo Laporte
Yeah.
Steve Gibson
And they note, as we would expect, automation in the form of bots are the primary abusers of leaked credentials. Just like Troy Hunt got phished by an automated attack, which was thereby able to bypass his one time password. Didn't matter that he had a password, you know, a six digit token that was going to expire in 30 seconds. Didn't even take 10 seconds. So they said bots are the driving force behind credential stuffing attacks. The data indicates that 95% of login attempts involving leaked passwords are coming from bots, indicating that they are a big part of credential stuffing attacks. Equipped with credentials stolen from breaches, bots systematically target websites at scale, testing thousands of login combinations in seconds. Data from the Cloudflare network exposes this trend, showing that bot driven attacks remain alarmingly high over time. Popular platforms like WordPress, Joomla and Drupal are frequent targets due to their widespread use and exploitable vulnerabilities. Once bots successfully breach an account, attackers reuse the same credentials, because that just validated the credential. Attackers reuse the same credentials across other services to amplify their reach. That is, oh, if it's good here, then it's probably going to be good somewhere else. So they do that immediately. They're like me. So like no stone has been left unturned by the bad guys. They're as clever as we would be if we were the bad guys. Like trying to figure out how to maximize our badness. They said they even sometimes try to evade detection by using sophisticated evasion tactics such as spreading login attempts across different source IP addresses, mimicking human behavior, attempting to blend in with legitimate traffic. The result is a constant automated threat vector that challenges traditional security measures and exploits the weakest link: password reuse. 
Okay, now, purely by coincidence, one of our listeners, Jeremiah Albrand, sent a piece of feedback to me yesterday with the subject "Microsoft Hotmail account password stuffing attempts are very real." In his email he said, talking to some co workers, they showed a screenshot of their sign in activity from their Microsoft account. So I checked mine, he said, I was blown away. My own screenshot is below the successful attempt. The one successful attempt. He said, I know Leo, it's so bad. He said, the only successful attempt is my own. Clicking through each unsuccessful attempt shows they entered the wrong password. I am so glad I use unique passwords for my accounts. This is nuts.
Leo Laporte
And look at Mexico, Morocco, Saudi Arabia, Russia, Indonesia, India, Vietnam, Uzbekistan, Oman, Ethiopia, Jordan. You know, did I mention this? I put an SSH server out in public briefly. And I don't use passwords on my SSH server. I use a certificate. So I wasn't too worried about it. Within two hours, and I put it on port 22 because you know what, you could sniff the ports, it doesn't matter what port it's on. So I put it on the canonical port. Within two hours I had a dozen attacks from Albania, from China. They were sniffing around for an SSH server on port 22 and then started hammering it within two hours of it going up. It's amazing they're out there, man. They're crazy.
Steve Gibson
Yeah, they really are.
Leo Laporte
Are they using Shodan and stuff to find this?
Steve Gibson
No. There, there is. You know, I coined the term 20 years ago. IBR, Internet background radiation. Maybe even when you and I were on The Screen Savers at TechTV, because that's, you know, that's what I was seeing when I was looking at IPs that nobody had any business poking at. There were packets inbound sniffing for stuff. It was just, there was this out there.
Leo Laporte
And this IP address hadn't been public in at least a couple of years. They just found it right, right away.
Steve Gibson
It's unbelievable. Jeremiah's email finished: just for the sake of our list. No, no, no, no, no, no. This is, this is, this is stuff got me warmed. I know. For the sake of our listeners, he says, if others want to see their history, I clicked on my avatar in the top right from my inbox, then my profile, then the security tab, then view my sign in activity. He said, unfortunately the UI is primitive and doesn't seem to have filter or sorting options. So unless I click the View more activity link over and over while expanding each item, I don't see any other way to determine whether someone has my password and just failed to get past two-factor authentication. He says, in other words, it's necessary to expand each attempt to determine the cause of the login failure. Okay, now I'm glad you put that on the screen and you had the reaction, Leo, that I had when I saw that his login log shows about five attempts per day. Every single day. At the top we see his one successful login showing its location in the United States, where he actually is. Three hours before that was a failed attempt made from an IP address in Mexico. An hour before that from Morocco. Six hours before that from Saudi Arabia. The previous day, attempts were made from, as you noted, the U.S., Russia, Indonesia, India and Vietnam. And the day before that we see Uzbekistan, Oman, Ethiopia and Jordan. The most obvious security feature for Microsoft to implement would be account access geofencing. But my quick search revealed that not only is there massive demand for this from everyone, anyone who has ever looked at that page that Jeremiah did says, hey, what? So there's massive demand, but it's only available from Microsoft for business class accounts, not for individual users. 
And I have to say that's difficult to explain, since anyone examining their history of failed authentication attempts should be infuriated by their inability to block all such obviously bogus authentication attempts from across the globe. You know, as I said, I have no doubt that just like Jeremiah, all of our listeners are using unique gibberish passwords with the help of a password manager. But really, you know, make sure you are, and definitely you want second factor authentication used wherever it is offered. That said, we all know that most of our friends and family are not listening to this podcast. So this amounts to a gentle nudge reminder for us to proactively annoy, you know, all of them about this. It would just be for their own good, make sure that they're, you know, doing this and that, you know, as you saw from bringing up an SSH server, as we can see from this login, it's just outlog. It's just. Yeah, it is.
Leo Laporte
What do you think it is? Are there hacker farms that are just constantly at work or what?
Steve Gibson
They must succeed enough that it is worth their time. It's. It's like, why is there spam? Enough people click on the link for the furry bunny before Easter from China. That it, you know, you got that one, too.
Leo Laporte
So. And it's probably automated, I would imagine. It's completely automated.
Steve Gibson
Oh, yeah, it's just set up and it runs 24/7. And as new breaches occur, they just pour that new data into their database and start pounding on new usernames and passwords that have been leaked.
Leo Laporte
Yeah. So they've got the breaches, they download the database and then they just fire.
Steve Gibson
And runs and runs. Just grinds away.
Leo Laporte
Wow.
Steve Gibson
Bandwidth doesn't cost anything. So they just pound. And I mean, again, the idea that Microsoft is not offering an "are you in Uzbekistan" block is ridiculous. You know, you could turn it off when you're going to go take a trip to France or Mexico or somewhere, but it ought to be on. This guy, Jeremiah, our listener, should not have Microsoft thinking, hmm, is that him?
Leo Laporte
Is he in Morocco?
Steve Gibson
He must have teleportation. Because they can...
Leo Laporte
Easily spoof their location. It's not... it's not going to be... I mean, in fact, I'm surprised they show that they're from China. Right? I mean, why bother?
Steve Gibson
I guess that's a good point. They don't bother spoofing location because they know Microsoft isn't checking.
Leo Laporte
He's checking. Darren in our Club Discord said: a few months ago at work (I gather he works for... I remember, he works for a financial institution) we had a thing where people were using our site as a vector for checking credit cards. They used some bot to go to the payment page, then tried to purchase, get this, with tens of thousands of different cards. They had a database of cards, right, from breaches. They got maybe 30 successful purchases.
Steve Gibson
Wow.
Leo Laporte
But what was interesting, they started very naively, always with the same details, and then, as they locked things down, things started changing and they eventually made their way in. Even with the geographic blocks, they couldn't find a way to stop people from doing this. And then he said eventually it just stopped, just like DDoS attacks, and they moved on to some other site that they could do the same thing with. That's why rate limiting is also really important. Right.
Steve Gibson
From day one I built strict blocking into GRC's e-commerce system. Yeah. Sometimes users have a problem and they say, I'm sorry, but I'm just told I've been trying too many times to get my card to clear. And so they'll write to Sue, and Sue says, okay, you know, yeah...
Leo Laporte
We'll do that, that's fine.
Steve Gibson
You know, well, you know, give me the information and I'll do it for you. But because I just... I'd rather, you know, say no to people that are going to do that. Malicious.
Leo Laporte
But this, he says, this is why people have reCAPTCHAs on their sites, because that basically slows it down enough that it's not economical for them to continue.
Steve Gibson
Wow, wow, wow. So, just a quick follow-up on last week's mention of 23andMe. I ran across a bit more information in a security newsletter under the headline "23andMe files for bankruptcy after mega hack." It said, and I didn't cover this last week: DNA and genetic testing service 23andMe has filed for bankruptcy (that we know) 15 months after experiencing a major data breach. The company has been losing money for years, but its problems were amplified last year after a series of class action lawsuits related to the breach. Its entire board resigned last year, its CEO last week, and the company is now attempting to sell itself under the supervision of a court. The company has DNA profiles on over 15 million users. Privacy regulators across the US and Europe are now urging users to request the deletion of their data before it is sold. And I did mention... after I wrote this and before now, I saw another bit of news saying that a court just approved the inclusion of its members' DNA data in the bankruptcy.
Leo Laporte
So they can sell it now.
Steve Gibson
Yes.
Leo Laporte
Okay, now I am going to delete it.
Steve Gibson
So I'll just remind our listeners that once you log in to your 23andMe account, you can use the shortcut I created last week, grc.sc/bye... bye bye bye bye bye. And that'll immediately jump you to the page containing the various account data dumping and deletion options.
Leo Laporte
It's funny, when I log in, they're still trying to upsell me. Now it's some sort of heart health thing.
Steve Gibson
God. Yeah. So again, not a house-on-fire issue, but the judge, a court, did say, yes, those are your assets. Genetic data which your members gave you voluntarily is yours to sell. So it's going to be of use to somebody. I would just say...
Leo Laporte
Bye.
Steve Gibson
Bye. Okay, now, today's shortcut of the week. Oh, Leo, you probably want to go there while I'm talking about this: grc.sc/1019. I was pursuing information about a new-on-the-scene ransomware group calling itself Arkana. Arkana's first victim was... wow... one of the largest ISPs in the US, ransomware hit. Wow. This large US ISP. But in following some trails, I ran across a site I had never seen before and which we've never talked about. It's ransomlook.io. So you can also go to ransomlook.io, or just grc.sc/1019. The site's been around since 2022. They're on Mastodon and Bluesky, and a huge amount of work has... That is... you're now looking, you're scrolling, Leo, through a list of...
Leo Laporte
These are all from today.
Steve Gibson
They're victims of ransomware attacks. Today.
Leo Laporte
Today. And then here's yesterday.
Steve Gibson
Yes.
Leo Laporte
Oh my God, it is. These are victims. These are not people under attack. These are people who actually been encrypted.
Steve Gibson
Yes, they are victims.
Leo Laporte
And some of these names I recognize. These are well known companies.
Steve Gibson
I know. Once you get to the homepage, under group profiles you'll find listed there every group we've ever talked about, and hundreds more lesser groups or newer groups that we haven't yet. And they're familiar names. The ransomware notes section lists all of the various notes that the ransomware groups have sent to their victims.
Leo Laporte
By the way, they're getting much more grammatical.
Steve Gibson
Yeah. Thanks to AI. Yes. Oh, and chilling. Most chilling of all is what you started with, that recent posts page, which contains a listing in reverse chronological order, starting with the most recent, of the latest ransomware victims and which group took them down. As I was writing this at 3pm yesterday, there were 22 new ransomware victims listed just for March 31st, yesterday, by name. And I don't even know what time zone they're in, so I don't know when they started March 31, but listed there in black and white are the corporate names and domain names of many victims. And there's just no way to come away from a perusal of this site without the very clear knowledge that the ransomware category of cybercrime is very much a going concern.
Leo Laporte
How do they get... Because some of these companies, many of these companies, don't want anybody to know they were hacked. How do they get these names from...?
Steve Gibson
The postings of the ransomware?
Leo Laporte
Oh, the ransomware people announce it.
Steve Gibson
Yep, of course they do. There was an Irvine-based architecture firm that I clicked on yesterday, and it brought up their homepage, which is legitimate. And then I looked at some samples of the data that had been exfiltrated, and it was architectural drawings by this firm, this major architectural firm, from yesterday.
Leo Laporte
It was like, this is a great site.
Steve Gibson
Isn't that great? Wow.
Leo Laporte
Wow.
Steve Gibson
Yeah.
Leo Laporte
Just the recent posts alone, I know, it's just astonishing. This is today.
Steve Gibson
Yes.
Leo Laporte
Hospital, pharmaceuticals, fancyfilms.com. I mean, unbelievable.
Steve Gibson
And this also... talk about an example of the security problems we still have in this industry.
Leo Laporte
Well, I think it's getting worse, isn't it? Yeah, this must be getting worse.
Steve Gibson
Goosehead.com?
Leo Laporte
How about Jackpot Junction?
Steve Gibson
RansomHub got them.
Leo Laporte
Kyocera Document Solutions Europe.
Steve Gibson
Okay, KillSec3 took them down.
Leo Laporte
Unbelievable.
Steve Gibson
I know. Wow.
Leo Laporte
Boy, if you're a CISO, this has got to be terrifying. Just...
Steve Gibson
And if you are a CIO who needs to get some money from your CFO, show them. Just go. Yeah.
Leo Laporte
You know, this is the problem. We hear this again and again, that especially cybersecurity is not a profit center, it's a cost center, and they just want to cut it. Look what they just did to CISA. It's not a profit center. It doesn't make them money. So, okay, well, we don't really need it.
Steve Gibson
Right.
Leo Laporte
Wow. What a great site. That is an eye opener.
Steve Gibson
It is a sobering look at the reality of ransomware. And I have one piece of listener feedback I wanted to share, just a reminder about InControl. Ben Dean from the UK wrote: Hi Steve. Just thought I'd send you a quick message to let you know how thankful I am for your incredibly useful little program InControl. I'm an avid flight simulator enthusiast, and the best way to enjoy flight simulation these days is with a high-end VR headset. Wow, I can imagine. As long as you don't get, you know, airsick. As such, I have an HP Reverb G2 V2 headset which, when new in 2021, was several hundred pounds or dollars. This headset...
Leo Laporte
Oh, I thought he was talking weight. Okay. I don't want to wear 700 pounds.
Steve Gibson
Pulling it up. Okay, this headset uses Microsoft's Windows Mixed Reality platform, which is built into Windows. While the headset itself is excellent, the WMR platform, Windows Mixed Reality, was somewhat of a failure for Microsoft, with most other manufacturers using other platforms. Despite that, MANY (he has it in all caps) people in the flight sim world still use the Reverb G2 with Windows Mixed Reality because of its high resolution. In their infinite wisdom, Microsoft have decided to remove Windows Mixed Reality from Windows 11 from update 24H2, rendering all WMR headsets, like my HP Reverb, completely useless. Indeed, friends of mine have had the update only to find their VR headsets no longer work, and they have to go through the huge hassle of somehow stepping back to 23H2 to get their setups working again. Thankfully, with InControl we can stay on 23H2 and retain the WMR functionality. I recommended InControl to several of my friends, and it seems to do the trick against MS forcing them to update against their will. Sorry for the long email, but many thanks for your work. Cheers, Ben Dean, UK. Nice. So just a little reminder to our listeners: it's there, it's free, and it works.
Leo Laporte
InControl. Do not upgrade. Although in October '25, Windows 10 goes out of updates.
Steve Gibson
Yes it does.
Leo Laporte
And the life asks me if I care. You don't care, do you?
Steve Gibson
No. I never forget how much you laughed, Leo, when I announced my creation of Never10. I mean, I gave it that name. I described it, it was called Never10. Never. Then they went to 11, and then I thought, okay, it's not going to be Never11. That didn't sound good anyway, so it's InControl. That way we're ready for 12 when it comes along. And lucky 13. I bet that's going to be a winner. So, our last break, and then we're going to talk about the EU OS.
Leo Laporte
Yeah, that's fascinating. Although, as you point out, it probably stands on the shoulders of open source giants. But we'll see.
Steve Gibson
The question is, will it crush them?
Leo Laporte
Yes, those shoulders are getting broad. But yeah, there's a lot of people...
Steve Gibson
Sitting on shoulders, or taking it for granted.
Leo Laporte
Our show today brought to you by... don't take this for granted... Legato Security. If you think about it, you wouldn't put a burglar alarm in your house but not have monitoring, right? Because when you go away for the vacation... So what if you got a burglar alarm? If nobody's monitoring, it doesn't matter. Oh, there's a bell ringing. No business should be their own burglar alarm, right? And this applies to cybersecurity, absolutely. Because we know, in fact, if you listen to the show, you know the bad guys choose the weekends, they choose Christmas Eve to target their attacks, because they know the IT team will be home with their family. They'll have free rein for a few days at least. Legato Security solves this problem. Perfect for small and medium-sized businesses. They give you the same standard of security controls as large enterprises. You better believe the, you know, the Caesars Palace casino operation has full-time security monitoring going on, right? They've got a security operations center. They're sitting behind the screens, keeping an eye on everything. But if you're a small or medium-sized business, a business like ours, you're not going to do that. Well, thanks to Legato Security, you get that same standard of security controls that the big casino enterprises, the big banks, depend on. But you don't have to build your own security operations center. You can use Legato's. As a recognized leader by CRN and MSSP Alert in 2024, Legato Security transforms how businesses approach cybersecurity. Their technology-agnostic MSSP platform provides your business with a custom suite of security solutions tailored to your needs. Now you might say, well, wait, there's two concerns. I know, I hear every IT department come up with these. First of all, what about what we're using right now? No, don't worry. Legato Security integrates seamlessly with all of your existing tools, so you don't have to do a big overhaul of your infrastructure.
Legato has this proprietary security operations platform. They call it Ensemble. And what it does, it takes all of the signals from the tools you're already using and delivers consolidated, prioritized, actionable alerts in real time on a single comprehensive pane of glass. Now I know the second concern is, oh, they're going to replace us. No, they work with you. They are not taking your job. They're there so you could take a break. Hackers don't take holidays. They don't stop working when you go home. Legato Security's 100% US-based team provides proactive threat detection. They'll do triage, they will do remediation, and they will do it anytime, 24/7, 365 days a year. Christmas Eve, you bet. Go home, be with your family, because you've got Legato Security through their purpose-built SOC. Yeah, you should see it; it's on the web page. They have a security operations center so your team can, you know, focus elsewhere when it's time to clock out. From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect business leaders. You focus on growth and let Legato help. A recent customer, here's a review, says, quote, Legato Security is the only supplier that's delivered everything they said they would. We didn't have to drive them. They just get it done. This is somebody you want on your team. You know, if you get a call from Legato Security, they're not going to call and say you've got a problem. They're going to call to say you had a problem. We fixed it. We fixed it. So there. I love this. IT and security professionals, Legato Security's MSSP is here to augment your security team, not replace them. They're the professionals, the pros from Dover, you want on your team to back up your cybersecurity forces, to fortify your proactive defenses 24/7, 365 days a year. Security tools alone are not enough. You need the expertise, the monitoring, to back it up. See if your defenses... Oh, this is good. You should do this.
Or maybe get the boss to do this, the guy who controls the purse strings. See if your defenses are as strong as you think, boss, with Legato Security's free risk assessment. It's there right now on their website. Say, hey, come here, boss. Let's go through this. Just see how safe we are. Visit LegatoSecurity.com, discover how they can help you regain control. And yeah, and you know what? Enjoy your weekends like you used to. LegatoSecurity.com. You can take a break without letting your guard down. LegatoSecurity.com. And, you know, do us a favor. We really appreciate their support for Security Now. They said, we've got to be on Security Now. Let them know when you talk to them. Say, I heard it on Security Now, because that helps us. Oh, yeah, it was worth it, because, Steve, you're not cheap. Look at Security... I just found out this is the most expensive show to get an ad on. As it should be, right? The companies who advertise on this show know they're talking to the people who really are in this business and need their help. All right, let's talk about the subject at hand.
Steve Gibson
The EU OS. So, yes, Robert Riemann is the head of sector for digital transformation in the technology and privacy unit at the European Data Protection Supervisor in Brussels. He contributes to the overall IT governance of the EDPS, which is the European Data Protection Supervisor, and supports the EDPS representation in several EDPB subgroups. Whatever that is... something. Oh, that Data Protection Supervisor in Brussels. So his CV indicates that he holds a PhD in computer science with a thesis on distributed protocols for aggregation of confidential data with applications, for example, in online voting. So he's a serious comp sci guy. He also has his Master's in Physics from Berlin's Humboldt University. So he's the guy. As the title of the podcast, EU OS, suggests, Robert is spearheading a well-thought-out departure from the EU's dependence upon Microsoft Windows. The site where this is being organized calls itself the European Union's home for their free public sector personal computing operating system, highlighting three key features of the project: Secure, Sovereign, and Sleek. I guess... I guess we wanted three S's. Yes, Sovereign.
Leo Laporte
I like this. This is good. They've got an ad man writing their copy. That's good.
Steve Gibson
Secure, Sovereign, and Sleek. Secure means an OS built from open source, and, they said, that does not phone home.
Leo Laporte
Yes, that means Microsoft. Okay, go ahead.
Steve Gibson
Sovereign means an OS built to the requirements for the EU public sector, meaning, for example, it inherently honors GDPR. Exactly. And Sleek means an OS that is fast and eco-friendly on new and old hardware. So obviously none of those goals... Sorry, Microsoft.
Leo Laporte
Sorry.
Steve Gibson
None of those goals are met by Windows.
Leo Laporte
No.
Steve Gibson
On that homepage they ask the reader the question, what is EU OS? And their answer is: EU OS is a proof of concept for the development of a Fedora-based Linux operating system with a KDE Plasma desktop environment in a typical public sector organization. Other organizations with similar requirements or less strict requirements may also learn from this proof of concept. Despite the name, EU OS is technically not a new operating system. DistroWatch currently lists over 250 Linux operating systems (then they say distributions), not counting their many various flavors, spins, or sub-variants. The added value of EU OS is a different one. First, a common Linux OS as a base for all EU OS users, with options to layer modifications on top at the national layer, the regional or the sector-specific layer, or the organization-specific layer. You know, different configurations is what he means. A common desktop environment, and a common method to manage users and their data, software, and devices. The site is at eu-os.gitlab.io, which endeavors to fully articulate the goals of this initiative. Again, eu-os.gitlab.io. And they said, when at the beginning the user base is too small to pool sufficient resources to take care of the EU OS, that is, the base version, within the public sector, it may be possible to contract commercial support for maintenance. That is, like, until they can generate their own internal maintenance organizations to support it. For this reason, the EU OS proof of concept proposes to choose an upstream Linux OS with options for commercial support. EU OS is not the first to propose a Linux-based operating system for the public sector. The motivation is often the same and could be looked up from projects like GendBuntu and LiMux. And those are: public money, public code, meaning the public investment profits the entire public and the private sector.
Synergy effects lead to tax savings because there's no per-seat license cost; independence from software suppliers and vendor lock-in; independence in scheduling software migrations and potential hardware upgrades (Windows 11, anyone?); deploy new technologies with controlled cost; use of open standards to foster innovation; better use of IT administration resources (then it says, in parens, reportedly for the French use case with 90,000 seats); ability to do own code analysis, in other words, open source, not closed, not proprietary; worldwide free software community. And then the project lists as philosophical goals the use of open source, the use of the desktop environment KDE Plasma (and then it says, though GNOME as an alternative is not excluded), and the use of GitLab. They're leaving the entire scope of the project somewhat open-ended, writing: there is no clear scope yet, and the scope may evolve in the future. But the rule of thumb so far is that in scope is everything necessary to deploy a Linux-based operating system to an average public body with a few hundred users. And they do give examples of what is clearly out of scope. So, for example, not the development of a novel Linux OS, a distribution from scratch. Instead, EU OS, they write, should build on top of an existing, well-established Linux distro. Also not: the development of EU OS outside of a corporate environment, for personal computers. People can already choose between a large variety of Linux distros. So this is not meant... I mean, it's not directed at the personal user, who already has all their choices wide open. They're aiming this more at the several-hundred-user-level public sector organization, you know, like a police department, for example. Also out is the deployment of EU OS on other devices than typical desktop workstations or laptops. Hence, for example, smartphones are out of scope. So...
So it's really the Windows desktop environment replacement that is their target, but not for everyone, although everyone could use it if they wanted to. So, looking at use cases, and at some previous attempts and successes, the site notes: to make EU OS a success, it should support a large number of use cases and consequently a large user base. This helps to gather political support and funding for continuous improvements and innovation. They note that some specific regions outside of Europe have already utilized the benefits of an operating system which is under their control, and these are historical, back from the early 2000s, they said. Astra Linux is a Russian Linux-based computer operating system that is being widely deployed within the Russian Federation to replace Microsoft Windows. Kylin is an operating system developed by academics at the National University of Defense Technology in the People's Republic of China ever since 2001. Together, Kylin and NeoKylin share a 90% market share within the government in China. Nova Linux was central to the Cuban government's desire to replace Windows. Hector Rodriguez, director of the University of Information Science in Havana, said that, quote, the free software movement is closer to the ideology of the Cuban people, above all for independence and sovereignty. Other cited reasons to develop the system include the United States embargo against Cuba, which made it difficult for Cubans to purchase and update Windows, as well as potential security issues feared by the Cuban government because of the US Government's access to Microsoft source code. So here the site is making the point that other governments, you know, government-sized decisions, have been made to say goodbye to Windows, and Linux is where they've gone. Just to sort of, like, I'm sure, demonstrate that this is feasible and they would not be the first movers on this.
Citing these use cases, the site states, this leaves no doubt about the feasibility of large-scale Linux deployments in the public sector. It is only a matter of political support, priority, and funding. The site notes some details of past migrations away from Microsoft and Windows, and experiences with them. The city of Munich: and again, historically, this was 20 years ago, but it serves to highlight the problems inherent in the use of another country's commercial operating system for public sector needs. The report wrote: The city of Munich is migrating its desktop computers from Windows to GNU/Linux. After preparations began in 2003, the city's basic client, a customized version of Debian GNU/Linux, is being deployed on a growing number of PCs since the fall of 2006. The LiMux project puts great emphasis on becoming independent from software suppliers. Florian Schießl, the deputy project coordinator for LiMux, explains: Microsoft has shown us what it means to be dependent upon a vendor. Until 2003, the city was using Microsoft Windows NT 4 across the board and was by and large satisfied. When Microsoft decided to end the support for this operating system, this meant that hardware and important procedures would eventually stop working. It was from this experience of being totally at the mercy of an external party that we wanted to take the road to more independence. So they cut that umbilical cord 20 years ago and didn't look back. For the French gendarmerie, GendBuntu is possibly one of the largest Linux-on-desktop deployments in the EU public sector, with about 82,000 seats. Lt. Col. Guimard said, quote, moving from Microsoft XP to Vista would not have brought us many advantages, and Microsoft said it would require training of users. Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games. And he said, games are not our priority. Yeah, they didn't want people playing games in the police department.
Leo Laporte
No Tux runner on this one.
Steve Gibson
He said the transition to Linux went unexpectedly smoothly. Almost no additional training was required. For the local police forces using the computers in their daily work, the Ubuntu user interface was easy to get used to. Pascal Danek points out that a transition from Microsoft Windows 2000 and XP to Vista would have been more difficult, since the new version of that OS introduces many new features and designs which might confuse users, unquote. The French currently use a customized version of Ubuntu called GendBuntu. If EU OS would be used instead, writes Robert, resources could be mutualized across all users of EU OS. So the idea being, over time, that, you know, there already have been major public sector deployments of Linux. It would be of value to, you know, homogenize all of these under a single umbrella. And he's proposing EU OS. One of the references for this on the page was an Ars Technica piece from 2009 with the headline "French police save millions of euros by adopting Ubuntu." And it's not difficult to imagine at this point that they're glad they did that back then. You know, they're likely still running on the same hardware without any trouble. And then we have the case of the Swiss Federal Court. Quote: Until 2001, the court had a simple all-in-one IT platform which lacked greatly in functionality and ultimately became outdated. The court's IT direction thus saw the necessity to introduce a new IT infrastructure that would ensure sustainable standards in the future. During the analysis done as part of the planning process, open source software emerged as more sustainable than proprietary software, especially with regard to modularity and file formats. The use of open source software also ensured vendor independence and security, which are two very important aspects for a court. In 2001, the new IT system, running on the operating system Solaris by Sun Microsystems, was introduced.
With this also came the introduction of the office suite StarOffice, the Internet browser Firefox, and the email client Novell Evolution, besides other more specialized applications. At the early stages of the migration, users had to get used to the new programs. But as the migration from the previous system brought numerous improvements, the process went relatively smoothly and was broadly accepted. Where some doubts about open source software existed in the beginning, they've mostly faded by now. And finally, Linux... or, I have two more, a short one, Linux, plus one in northern Germany. A region in the north of Germany is currently preparing the migration of their entire public administration to a Linux desktop. This migration would become one of the largest Linux-on-desktop deployments in the EU public sector, with 30,000 seats. It's unclear which operating system will be used. Rumors say it will be based on KDE Plasma. If EU OS would be used, resources could be mutualized across all users of EU OS. And a reference listed for that was a piece in the ever-irreverent Register last April with the headline "Germany's northernmost state ditches Windows." Yeah, indeed. And you know, Leo, Microsoft must be feeling all of this.
Leo Laporte
I don't know. They still are like 99% of all computing.
Steve Gibson
I know, but they are.
Leo Laporte
I've been advocating for this forever and I think especially in the public sector.
Steve Gibson
Yes.
Leo Laporte
Why should you be using Windows?
Steve Gibson
Yes.
Leo Laporte
Didn't they do this in China, though? They have... what is it? Red... the Red OS?
Steve Gibson
It's... I just talked about it. It's another... Kylix or something.
Leo Laporte
Yeah. Oh, that's right. But it's another Linux.
Steve Gibson
It is, it is, yeah. Because you can't create your... You can no longer write an operating system. And why would you? There's a free one that a bunch of really good, smart people have been working on for years.
Leo Laporte
Well, and this is why Android is so popular on handsets. Although it's just another spin of Linux. So yeah, it's kind of interesting. I think when you retire you should probably move to Linux. I'm just saying. You're not going to do it, are you?
Steve Gibson
I'm not going to retire.
Leo Laporte
Oh, there. If that's better. Good answer.
Steve Gibson
That's right.
Leo Laporte
We're all going... That was close. What's Leo... is he nuts? Don't use the R word with Steve.
Steve Gibson
Anyway, so as we know, there's still a lock-in problem with Microsoft's otherwise very compelling solutions. Under the headings of cities and communities, Robert wrote, only a few cities have migrated to Linux so far.
Leo Laporte
I've had a point is probably part of the issue as well.
Steve Gibson
Right, right, yes, exactly. And that is one of the things that he noted: it will be necessary to be able to get support. So I think that's one of the reasons to look at Fedora as a possibility, is that it's possible to get commercial support until they're able to build up enough internal knowledge to do that themselves. But he wrote, compatibility with the federal government and the plethora of business processes a city owns are a challenge. So oftentimes reliance is strong on Microsoft Office, which historically did not run on Linux. He says, with Microsoft 365 working in the browser, a workaround may be possible, to sort of, you know, pry the operating system out from underneath the browser, and look at Microsoft moving all of their focus to the cloud.
Leo Laporte
Sure. They don't mind. They're going to get your money.
Steve Gibson
Yeah, Yep.
Leo Laporte
I would suggest it'd be good to get off the .docx format as well at some point. Yeah, LibreOffice is out there. You can use that.
Steve Gibson
So let's see.
Leo Laporte
I'm sorry.
Steve Gibson
So... so, so they stop making snide comments.
Leo Laporte
It's all, you know, it's not a problem.
Steve Gibson
They have an FAQ that offers some interesting technical insights. They ask themselves, is EU OS another Linux distribution that I can try out? And Robert answers: EU OS is not another Linux distribution. EU OS is a community-led proof of concept which employs existing Linux distributions. The challenge of the proof is not that an individual can use Linux on their own computer. And actually, at one point Robert has, like, five that he uses at home constantly. So he's, like, you know, he's really deep in. He said that the challenge of the proof... and it said, the challenge is to prove that an admin team (exactly to your point, Leo), an admin team, can manage users and their data, software, and devices, with or without Active Directory and without Microsoft Windows, within a migration period of two years rather than 20 years.
Leo Laporte
Yeah.
Steve Gibson
He said, for this, EU OS wants to propose a common Linux OS and desktop environment as a base and, more importantly, a common method to manage users and their data, software and devices. EU OS is not meant for home users but for system administrators who want to automatically deploy and manage Linux across many corporate computers and laptops. And that's where GitLab comes in. They're talking about this as a, you know, as a deployment management issue, where that's what they need to work out. In the same way that Microsoft has done this for Windows in the corporate environment, they want to recreate some of that infrastructure for Linux that doesn't exist currently. So, question: how can the EU achieve its goals of being secure and sovereign when it relies on software from other countries, for example the US? And he responds to this question: EU OS shall not confound sovereignty and protectionism. There's no problem per se in relying on international free and open source software components, and oftentimes it is practically unavoidable. However, EU OS promotes the maintenance of strict control over business data and telemetry data, meaning no phoning home, you know, GDPR compliance. This includes the free choice where to store such data: on premise or cloud of choice. Furthermore, the availability of know-how for a given FOSS component within the EU shall be considered. It remains to be studied if EU OS FOSS components such as the Linux kernel, systemd, Wayland, PipeWire, Fedora or AlmaLinux could face export limitations, which would pose a threat to the sovereignty offered by EU OS. Such threats cannot be mitigated by EU OS alone and should be addressed through industry supply chain security policy. Okay, why does EU OS propose to rely on Fedora-based Linux distributions? EU OS is not a product yet, only a proof of concept. 
The choice of the employed base Linux distribution or desktop environment, GNOME or KDE, is not a core concern, as it does not impact how admins manage users and their data, software and their devices, and that's the focus. Nevertheless, EU OS cannot avoid picking some base Linux distribution to start with. Advice has been received and considered from individuals in their personal capacity of the following organizations: EU OS Community on GitLab, CERN, European Commission DG DIGIT, German Centre for Digital Sovereignty (ZenDiS, known from openDesk), GNOME OS and openSUSE through their dedicated blog post. Considering the advice received, the decision was to advance the proof of concept with Fedora. For a production deployment after the proof of concept, any Fedora-based Linux distribution with longer release cycles could be used. Also, a switch to any other bootc-supported Linux distribution would always remain possible. So this effort in the EU is what we would call definitely handwriting on the wall for Windows. You know, I mean, this existing will help to facilitate other small, you know, disconnected movements without any big mandate being needed. Individual entities in the public EU sector can decide, hey, here's the support that we've been needing in order to, you know, hold our breath and make the move. But as I was reviewing and assembling all this, I realized how Windows-centric most of the US is. And Leo, to your point, how dominant Windows itself is. And of course I know that many of this podcast's listeners have already liberated themselves from Microsoft's proprietary grasp. But throughout most of the United States, encountering anything other than Windows, you know, anywhere you go, is a rarity, and that shows little sign of changing. You know, to your point about my retirement, Leo, I'm very comfortable with Windows. 
I love the platform, which I've been using since before its birth, and as a commercial product developer, it's still where the market is. But I'll also note that I spent some time, for example, just last weekend, updating my Ubuntu system, since I go to whatever lengths are necessary now to assure that anything I do will run smoothly under Wine, which of course is the free Windows emulator for Linux. In the EU, as we saw mentioned, leaving Windows will not be an easy thing for any large organization to do. I suspect that future migration will not occur from the top down, but rather from the bottom up. You know, the broad-based pyramid: smaller entities that are more able to leave Microsoft will be under increasing pressure to do so, as Microsoft's, well, what I would consider nearsighted policies attempt to force wholesale hardware replacement when they force software upgrades. This will cause smaller and inherently more flexible entities to explore what alternatives to Windows 11 may exist for them. And having the EU OS present may provide a path for smaller organizations to take, you know, once Microsoft has pushed them in that direction. Now, as I said at the top, all of that said, I'm haunted again by that brilliant and poignant XKCD cartoon which we've looked at from time to time. It's the one showing that massive stack of various-sized blocks all stacked on top, excuse me, of one another. Which is so brilliant because it's exactly the way modern software stacks are created and operate, and where, amid this towering collection, there's one little block off to the side near the bottom, upon which all the other blocks implicitly rest. Now, as I was putting this together and wanting to find that XKCD cartoon again, I turned to ChatGPT to let it do the legwork for me. I copied and pasted that description which I just read above, since I'd already written it, and here's what ChatGPT replied. 
Yeah, it said: the XKCD comic you're referring to is titled "Dependency," comic number 2347. This illustration depicts a precarious tower composed of numerous blocks symbolizing the modern software infrastructure. At the base of this towering structure is a single small block labeled "a project some random person in Nebraska has been thanklessly maintaining since 2003," highlighting the fragility and reliance of complex systems on often overlooked components. Now, okay, let me just say, AI. Holy crap. You know, I mean, it produced that.
Leo Laporte
I mean, you could have done a Google search and found it too, but.
Steve Gibson
Okay, yeah, I know.
Leo Laporte
It is kind of cool that it can do that though.
Steve Gibson
It's incredible. And it said: the comic serves as a poignant commentary on how critical pieces of modern digital infrastructure can depend heavily on small open source projects maintained by individuals without widespread recognition or support. This theme resonates with real-world scenarios where the failure or abandonment of such a project can have widespread repercussions across dependent systems. Okay, now I'm 100% certain that everyone listening to this, who has been following along with this for even a few years, will perfectly understand the motivations surrounding the desire to switch away from an operating system solution, regardless of how functional, compatible and interoperable it may be, that does not appear to be directly driven by a motivation of planned obsolescence. Which is to say, you know, why are we, as you said, Leo, support for Windows 10 is ending this coming October, and what is it? A quarter million systems? A quarter million systems currently running Windows 10 will not run Windows 11. So, you know, it's one thing to be a computing enthusiast, where we're using and working with computers for their own sake, as many, if not most, of the people listening to this podcast do and are. But it's entirely different to be a police station out in a small rural town in France, where all you want is to be able to bring up records, search the Internet, balance the books, and communicate with colleagues, and not needing to play games. This is a place where a computer is a tool, not a toy, and its reduced ability to be used for playing games may be, you know, maybe a feature, not a bug. So it's clear why a move from Windows to Linux would make so much sense for them. 
If it's possible for Linux and the tools that run on top of it to get their job done, then it's going to be far more cost effective in the long run to say bye-bye to Microsoft and to be able to keep running effectively and efficiently until the day that hardware itself finally dies, because eventually the power supply will, or some capacitors will leak or something. But this brings me back to XKCD's observation, that of that random person in Nebraska and all of the tens of thousands of other random people everywhere who thanklessly create and maintain that system, the whole house of cards, the whole stack of bricks, you know, only apparently for the sheer joy of doing so. Right? That's their reward. Now, I suppose this is a sustainable model, but that's my question. The sustainability; it has always been, after all, the goal of the free and open source software world that this is addressing. That dream is really coming true now in spades. But as more and more incredible value is obtained from the tireless work of volunteers, I don't know, sometimes it feels maybe a bit unfair to them, because to use XKCD's word for it, it really is thankless work. You know, I've created a great deal of free software which has been and remains quite popular, but it doesn't feel thankless to me at all, because everyone who downloads it knows where it came from and who created it, you know, and I get sufficient feedback, literally in the form of thanks from its users who use it to, you know, find an open port on their router they didn't know about, spot a bogus thumb drive, keep Windows from updating, find faster DNS servers, whatever. I receive plenty of thanks. But I worry about those thankless people who toil without any recognition. I suppose the recognition they receive from their peers within the community they share is enough. 
I hope it's enough, because having achieved the dreams of the likes of Richard Stallman and Linus Torvalds, what we need now is sustainability. You know, as these thankless developers see more and more of the world using their stuff and taking it totally and literally for granted. I hope they see it as a badge of honor that what they've created is helping so much, so many people for such low cost. What has been accomplished, as evidenced by the creation of this EU OS unification project, is truly, I mean, truly a stunning achievement. But now we have to have it keep going, I think.
Leo Laporte
I mean, it's definitely hard to work in open source. The open source communities can often be grating, and I know a lot of project leaders, even in the last couple of years, have abandoned their projects because they're so fed up with the process.
Steve Gibson
Or they, they just age out.
Leo Laporte
Well, yeah, I mean, there are probably many projects that are simply done by one person, but most of the big ones have a group of people. They have a fearless leader, benevolent dictator for life, and the rest of them go along and work on it. I think increasingly it'll be politically motivated. Right now it's somewhat altruistic, somewhat just.
Steve Gibson
Well, China and Russia, certainly political, I think.
Leo Laporte
But even more than that, people are starting to resent these big corporations' extraction of value from them.
Steve Gibson
Yeah, I think it's economically motivated.
Leo Laporte
Yeah, well, I'm considering that political because it's anti-corporate, it's anti-capitalistic. It's more of an operating system for the people, by the people. I have to say, I have loved Linux since I first installed Slackware 25 years ago. Used it non-stop since then, and I can't see any way that it's not superior. What's interesting is that a lot of what people are doing is really just in the cloud. So for a lot of these people, you said all they can do is a browser. Google Sheets, it's just a browser. And for that it'd be simple, I mean, that's what a Chromebook is. It's basically a Chrome-based Linux operating system. But it'd be simple enough to create a browser, you know, an open source browser on top of an open source operating system. But then you're still using the big tech, you know, Google, Microsoft's cloud-based stuff. I don't know, I'd love to see a world where it's more do-it-yourself. I mean, there's definitely a do-it-yourself movement in hardware and software. Well, the maker movement, you know.
Steve Gibson
Right. And certainly this sort of effort with GitLab and EU OS. I mean, this is very much, I mean, the guy himself who's driving this project has a, you know, we're-going-to-use-our-own-cloud approach.
Leo Laporte
Right.
Steve Gibson
Because you know, we really do want.
Leo Laporte
To as government probably should. Right?
Steve Gibson
Yeah, yeah. For GDPR, we want to. No phoning home. We want to cut the apron strings.
Leo Laporte
Right. Darren makes another, Darren's so good, he makes a lot of good points. He made another good point. He says at some point in the next, I don't know, few years, maintainers of these projects may be AI-based, if not fully, at least primarily. And that would be fantastic, right? If you could say, okay, AI, your responsibility is OpenSSH. Make sure it's reliable, robust and bug-
Steve Gibson
free, and respond to any vulnerabilities that are discovered.
Leo Laporte
And that's one of the problems right now, is you get all these pull requests and you get all these bug reports, and if it could process them quickly and efficiently. I like that idea, Darren. Maybe we are, and maybe we'll enter a new world at that point. Because really, humans shouldn't have to maintain the infrastructure. Humans should be able to use the benefits of that, the front end of it, and maybe something computer-based can maintain it.
Steve Gibson
I like it. I've said from the beginning, our first discussions of AI, that AI and code really do seem like they go hand in hand. I mean, it kind of makes sense.
Leo Laporte
The computer speaks its own language, right?
Steve Gibson
Yeah.
Leo Laporte
Better than any human does.
Steve Gibson
Well, and all ultimately logical, you know.
Leo Laporte
Right.
Steve Gibson
I mean, it's not, you know, fuzzy English wording, although they sure do have that mastered. My goodness.
Leo Laporte
Yeah, it's pretty amazing. We are going to do some more. We do talk a lot about AI now, on Wednesday on our Intelligent Machines show. We've got some great guests coming up, including, in a couple of weeks, Harper Reed's going to talk about how he uses AI for pair programming. You know, that's where he's writing code in conjunction with an AI coder, and his workflow is quite interesting. We live in a new world. It's exciting. We do.
Steve Gibson
We're here for it. Yay. And we're gonna be here for the foreseeable future.
Leo Laporte
Yay. No retirement in the works for this cat. He's gonna stay here. Yay. I feel like I could almost touch you, Steve. I want to clap you on the back. Steve Gibson does this show every Tuesday. I hope you come and watch us. You can watch us live if you're, like, in a hurry and you want to know what the latest is. We do it live Tuesdays right after MacBreak Weekly. We're striving to make that as close as we can to 1:30 Pacific. That's 4:30 Eastern, 20:30 UTC. There are eight live streams you can watch it on, including Discord for our club members, YouTube, TikTok, Twitch, we're on LinkedIn, we're on Facebook, we're on X.com. We're on Kick. So if you want to watch live, you can. You don't have to, because we make edited versions available in a variety of places. Steve has his own unique versions of this show on his website. As one might expect, he actually goes in and edits it by hand and creates a 16 kilobit tiny file for bandwidth-impaired folks. A very good quality 64 kilobit mono audio version. We don't make that anymore. For a variety of technical reasons, we do 128 kilobit. So if you want the smallest audio version, Steve's got those. He's got an even smaller version. Handwritten transcripts by Elaine Farris of every episode. Great for searching or just reading along while you're listening or, you know, just reading, although I would say if you just wanted the content. He also has the show notes there. And Steve does the best show notes I've ever seen. I mean, everything you need is there in the show notes, including the picture of the week. So all of that is at grc.com. Pick up a copy of SpinRite while you're there. The world's best mass storage maintenance, recovery and performance-enhancing utility. If you have mass storage, you absolutely must have a copy of SpinRite. There's other stuff there, including soon. He's got right now a wonderful DNS tool to let you find the fastest DNS server. But DNS Search Pro is coming out, or what is it? 
DNS test, what do you call it?
Steve Gibson
DNS Benchmark. DNS Bench, yeah.
Leo Laporte
DNS Bench Pro is coming soon.
Steve Gibson
Looking very good.
Leo Laporte
If you want to get the notification the minute it ships, go to GRC.com/email, and that's where you can give Steve your email address. That's mostly just to validate it so that you can send him emails. That's the best way to communicate with him. Go to GRC.com/email, say I'm going to write to you from this address. And that way he'll allow it through, he'll whitelist you. But the other thing he does, he has two boxes. They're not checked, right below it, for his newsletters. One is this weekly Security Now Show Notes newsletter. Actually, not just weekly. Occasionally Steve will do an emergency release. Well, you've done it at least once with the AI thing. And then a very occasional newsletter announcing new products like the DNS Bench when it comes out, the new Pro version. So do that, GRC.com/email, if you're a fan of the show. That's really a must. You can also get copies of the show on our website. We are the network proudly hosting Security Now. twit.tv/sn has a lot of things there. There are links to the show notes. There's a link to the 128 kilobit audio. Our unique version is video. You can watch us. We do video of the show; that's there. There's also a YouTube channel dedicated to Security Now. You can see the video there. That's a good tool to know about, because it's a great way to share little clips. So if you, you know, you want to turn somebody on to the show or something that you heard on the show, you can just share with your boss the list of malware attacks, ransomware attacks today. You know, maybe just that clip right there. This is, boss, this is why we need help.
Steve Gibson
We don't want to be listed there.
Leo Laporte
Don't want to be in that list. That's one list you do not want to be part of. So that's at YouTube. And then of course, you can subscribe in your favorite podcast player, choose audio or video, and you'll get it automatically the minute it's available. Club TWiT members get a unique version of the show. I should mention they get the ad-free version of the show. That's actually, if you join Club TWiT, seven bucks a month is all it costs. You get ad-free versions of every show we do. You get access to that Discord, which is a great hang. That's where Darren is, and a whole bunch of great, smart, interesting people. You also get the special events we do. Thursday we're going to have Chris Marquardt's photo workshop. We have that AI. Missed it again. I'm kicking myself. The AI users group is the fourth Friday of every month. Stacey's Book Club's coming up. We've got a coffee segment coming up. So there's a lot of stuff we do in the club. And of course, the club itself is a great place to hang out with really smart, interesting people who are very happy to share their, you know, discoveries and experiences. It's kind of like a 24/7 TWiT going on in the Discord. All that for seven bucks a month. That's a pretty good deal. Makes a big difference to our bottom line. twit.tv/clubtwit. If you're not a member, please consider joining. We really appreciate it. I'm sorry, did I spit at you? I got excited.
Steve Gibson
I didn't mean to.
Leo Laporte
Steve. He wiped his eye. Steve, we will be back next week. You will too, right?
Steve Gibson
I'll be here April 8th for, not April Fool's Day. No, we're not kidding about that. We'll be back.
Leo Laporte
It's no joke.
Steve Gibson
No joke.
Leo Laporte
Security now.
Security Now 1019: EU OS – Detailed Summary
Release Date: April 2, 2025
In Episode 1019 of Security Now, hosted by Leo Laporte and featuring security expert Steve Gibson, the discussion spans a range of critical topics in the realms of cybersecurity, privacy, and technology infrastructure. This episode delves deep into ransomware responses, phishing attacks, evolving security protocols, malware development strategies, password management challenges, and the European Union's ambitious move towards a sovereign operating system. Below is a comprehensive summary of the key discussions, enriched with notable quotes and timestamps for reference.
At the outset, Steve Gibson highlights a significant ransomware incident affecting Kuala Lumpur International Airport. The airport's decisive refusal to pay the ransom led to an innovative workaround involving manual operations.
Steve Gibson [00:54]: "The Kuala Lumpur International Airport immediately said no to a ransom attack and got out their whiteboard."
Leo Laporte [01:30]: "This is what happens if you say, no, we're not knuckling under to the ransomware guys."
The airport staff manually posted flight information on a large whiteboard, showcasing resilience and preparedness against cyber extortion.
Steve recounts an incident where Troy Hunt, creator of "Have I Been Pwned," fell victim to a sophisticated phishing attack due to fatigue and jet lag.
Steve Gibson [04:21]: "Troy Hunt got phished and had to list himself on his own site."
Troy Hunt [skimmed from discussion]: "I'm enormously frustrated with myself for having fallen for this and I apologize to anyone on that list."
The attack exploited a cleverly crafted phishing site mimicking Mailchimp's authentication process, leading to the unauthorized export of over 16,000 user records. Despite Troy's expertise, the attack underscores the persistent threat of phishing, especially when human factors like tiredness are exploited.
A significant portion of the episode is dedicated to Cloudflare's strategic shift to enforce HTTPS-only connections for their APIs, discontinuing support for unencrypted HTTP traffic.
Steve Gibson [45:08]: "Cloudflare is closing all of the HTTP ports on api.cloudflare.com."
Leo Laporte [56:27]: "I guess I should turn off port 80 on my firewall."
This move aims to eliminate the risks associated with clear-text transmissions, enhancing security by ensuring all data exchanges are encrypted. Cloudflare's decision also involves transitioning away from static IP addresses, promoting agility and flexibility in their infrastructure management.
Steve introduces a research paper exploring how malware authors increasingly utilize less common programming languages to evade detection by traditional antivirus solutions.
Steve Gibson [58:53]: "An interesting research paper titled 'Coding Malware in Fancy Programming Languages for Fun and Profit.'"
Leo Laporte [59:17]: "Lisp is great... but assembly probably is a better way to go."
The study demonstrates that by shifting malware to languages like Rust, Go, or even niche ones like Forth, attackers can significantly reduce detection rates and complicate reverse engineering efforts. This trend poses new challenges for cybersecurity defenses, necessitating more robust and adaptive detection mechanisms.
Cloudflare's recent findings reveal alarming statistics about password reuse, with nearly half of observed user logins involving compromised credentials.
Steve Gibson [103:56]: "Cloudflare reported that 41% of successful logins involve leaked, previously leaked passwords."
Leo Laporte [104:34]: "Wouldn't have let him do it."
This practice leaves users vulnerable to credential stuffing attacks, where automated bots exploit reused passwords to gain unauthorized access across multiple platforms. The discussion emphasizes the critical need for unique, complex passwords and the implementation of advanced authentication measures to mitigate such risks.
A significant and distressing update is shared about 23andMe, the genetic testing service, which has filed for bankruptcy following a major data breach.
Steve Gibson [121:06]: "23andMe has filed for bankruptcy 15 months after experiencing a major data breach."
Leo Laporte [123:50]: "So they can sell it now."
The breach compromised DNA profiles of over 15 million users, leading to class-action lawsuits and regulatory scrutiny. The episode underscores the profound implications of data security failures, especially for companies handling sensitive personal information.
One of the most pivotal discussions centers around the European Union's initiative to develop its own operating system, aiming to reduce reliance on proprietary software like Microsoft Windows.
Steve Gibson [139:32]: "EU OS is a proof of concept for the development of a Fedora-based Linux operating system with a KDE Plasma desktop environment in a typical public sector organization."
Leo Laporte [142:01]: "I don't know. They still are like 99% of all computing."
The EU OS project emphasizes security, sovereignty, and efficiency, seeking to create a standardized Linux-based platform tailored for public sector needs. By leveraging existing open-source distributions like Fedora, the initiative aims to facilitate smoother migrations, ensure GDPR compliance, and foster technological independence from non-EU software vendors.
The transition is inspired by similar moves in countries like France, Germany, and Cuba, where governments have successfully migrated to Linux-based systems to enhance security, reduce costs, and assert technological autonomy.
Throughout the episode, there's a poignant reflection on the sustainability of open-source projects, especially as they become integral to global digital infrastructure.
Steve Gibson [134:02]: "The sustainability it has always been, after all, the goal of the free and open source software world."
Leo Laporte [175:43]: "I have loved Linux since I first installed Slackware 25 years ago."
The conversation touches upon the challenges faced by maintainers of critical open-source projects, emphasizing the need for recognition, support, and innovative solutions like AI-driven maintenance to ensure the longevity and reliability of these foundational systems.
As the episode wraps up, both hosts express optimism about the ongoing advancements in cybersecurity and open-source initiatives while acknowledging the persistent challenges posed by evolving threats and technological dependencies.
Steve Gibson [174:03]: "I'm haunted by that brilliant and poignant XKCD cartoon..."
Leo Laporte [179:27]: "We're here for it. Yay."
The episode concludes with an encouragement for listeners to stay vigilant, adopt robust security practices, and support sustainable open-source projects to foster a more secure and autonomous digital future.
Conclusion
Episode 1019 of Security Now offers a comprehensive exploration of pressing issues in cybersecurity, from real-world ransomware responses and sophisticated phishing attacks to broader systemic changes like the EU's move towards a sovereign operating system. Through insightful discussions and expert analysis, Leo Laporte and Steve Gibson provide listeners with a deeper understanding of the evolving technological landscape and the strategies necessary to navigate its challenges.