Security Now 1023: Preventing Windows Sandbox Abuse

Leo Laporte

It's time for Security Now. Steve Gibson has hear some wacky stories today, including the explanation behind the mysterious appearance of the inetpub directory on your Windows machine. It's on purpose and don't delete it. We have new information about data loss in SSD mass storage. If you leave it lying around, you might lose some data. Plus, malware has found a new place to hide inside Windows. All that and more coming up on Security Now.

Steve Gibson

Podcasts you love from people you trust.

Leo Laporte

This is Twit. This is Security now with Steve Gibson. Episode 1023 recorded Tuesday, April 29, 2025 preventing Windows sandbox abuse. It's time for Security now, the show that I think many of us wait for all week long. If it's Tuesday, it must be time for this guy right here, Steve Gibson.

Steve Gibson

I know that I wait for it all week long because it's a major event in my weekly cycle.

Leo Laporte

It's a lot of work.

Steve Gibson

I'm sure it's a lot worse. I start Sunday around noon after Laura and I have caught up with the Sunday morning shows. And I work all day Sunday and then all day Monday. So it's basically two days out of the week. But, and it's funny, two things.

Leo Laporte

Eternal gratitude. Thank you.

Steve Gibson

It's funny because Lori says, why can't you just cut and paste more? And I go, well, because I like talking and you know, I want to put myself into that. Not just, you know, echo, echo other people. So I end up like really having a good time. And that's the problem is, yes, it's a big commitment, but I really do enjoy it.

Leo Laporte

So, you know, well, we enjoy you.

Steve Gibson

And we think unable to do anything halfway, as you know. So I, I going, all right, so we are at the monumental episode 1023, which will be a significant number to all those who've ever studied computers on the, on the binary side especially because that would be 111-11-1111. That's nine ones, folks. And when we get one more one and we will wrap around two to the power of 10 and you know, 1024, that is one binary K. And we will be there next week.

Leo Laporte

When I first moved to San Francisco, the first place I rented the address was 1024 Page Street. Ah. And I thought no one else appreciated it, but I thought, this is cool. I'm on the 1k page. So yeah, those numbers are important to.

Steve Gibson

And it's one of those things, you know, you glance at the digital clock and it says 5:12 or it says 10:24.

Leo Laporte

Yeah.

Steve Gibson

Or it says 2:56 or 11. 11:28.

Leo Laporte

Yeah.

Steve Gibson

So yeah, I do live in that world. Okay, so last week we introduced a lot of our listener to the Windows Sandbox. The fact that this really well designed piece of work was sitting in Windows 10 and 11 largely underutilized, sometimes completely unknown, because who would know? I mean, unless you had some reason to go looking for something and someone like this capability and someone said, hey, just try the Windows sandbox. It's built in. Anyway, now everybody knows. As I also mentioned in passing last week, the thing that reminded me of its existence is that malware of course, has figured out how to crawl in there and use the sandbox behind people's backs without them knowing it's even there. So all of that cool separation that you get, which, which Windows sandbox legitimate users take advantage of malware has figured out a way to do too. There are a couple solutions for preventing its abuse, which we're gonna talk about after we get around after we finish talking about the nature of the abuse. But first we've got this bizarre appearance of directory I'm very familiar with. InetPub is the directory that's always created when Internet Information Services IIS server is instantiated into typically a server, but also workstations. I've long had it on all of my machines because I've always been using Microsoft's web services to deliver websites. Well, it mysteriously appeared unbidden, so everyone believed after April's patch Tuesday. And there's a big story there that we're going to get to. We also have our friend who tweets as Gossie the Dog. Kevin Beaumont has found a way to crash Windows Update using this mysterious directory, which I'm sure Microsoft did not intend. This whole thing has just been a big cluster, you know, what a mess. We also have North Korea now creating fake US companies. They have like the one division that is spoofing fake employees. They said, well, let's go, let's get it on the other side. Let's create fake US Companies. See how that goes. We have a new attack on GPT style conversational AIs known as the Inception attack, which subverts them. Also, a bunch of people sent me questions about this. So I figured since everybody is concerned about mass storage, we've got some really interesting new information about the data loss. Well, here's the thing is, it's about.

Leo Laporte

Sorry, continue on.

Steve Gibson

Some new information about data loss occurring in unpowered SSD D drives. Also, lots of terrific feedback from our listeners from recent episodes. And then we're going to get to how malware has taken to hiding inside the windows sandbox and what we can do to stop it. And of course, we've got another picture of the week, which one of the high points for this weekly podcast, this one is. It's a goodie. And, and actually the first of a couple that are. That are coming. So I think, Leo, for a change, we may actually have a good podcast for a change.

Leo Laporte

Yeah, it'll be unheard of.

Steve Gibson

We may have circled on the right formula.

Leo Laporte

22 episodes. No, every episode's fantastic and I can't wait to get into it. But first, we do have a sponsor, if you don't mind, and I'd like to mention them. Actually, it's a very topical sponsor. Legato Security. Legato Security. I had a great article.

Steve Gibson

Do you spread it on your.

Leo Laporte

No, not topical like ointment. Topical like timely. How about that? Ah, no, I'll give you an example. I had a great conversation with them last week, actually maybe a couple weeks ago now. And, and they. I brought up this kind of analogy when you wouldn't put in a burglar alarm system that didn't have monitoring. Right. Because burglars break into the house when you're not around most of the time and you're not there to say, oh, the alarm's going off. I mean, maybe you count on your neighbors, but really a burglar alarm system needs monitoring. Well, it's the same thing for your security. No business should be their own burglar alarm. And it's same thing applies to cybersecurity. Legato Security. It's perfect for small and medium businesses. You know, big business probably has a security operations center that is monitoring 24 7. You know, if you're, you know, a Fortune 500 company, you probably have all that. But there are a lot of businesses that don't have it and need it, unless you want your security team to live at the office. Legado Security provides the same standard of security controls that these large enterprises depend on without the cost of building an internal security operations center. They're a recognized leader by CRN MSSP alert. In 2024, Legato Security transforms how businesses approach cybersecurity. They're technology agnostic cybersecurity, so they will use what you're already using. They're also not there to replace you. They're there to give you some time off that you probably deserve. Their technology agnostic MSSP platform provides your business with a custom suite of security solutions tailored to your needs. Legato Security integrates seamlessly with all the tools you're using. So we're not talking a costly infrastructure overhaul. This slides right in. It's a proprietary security operations platform, they call it ensemble. But what it does, it takes all the signals from the stuff you're using and delivers consolidated, prioritized and actionable alerts in real time via a comprehensive single pane. So everything you need to know is right there, right in front of you. No matter how many different tools you're using to protect yourself. See, here's the point. Hackers don't take holidays. They don't stop working when you clock off. In fact, that's exactly when they start working. They say, oh, they're leaving the house, now's the time to get in. Legato Security's 100% US based team provides proactive threat detection, triage. They even do remediation 24, 7, 365 days a year. They're there even when you aren't. And they use this purpose built security operations center, this soc, so your team can focus elsewhere when it's time to clock out. Finally, a weekend off, right? From entrepreneurs to we talked, we were talking about this last year, or actually it was early this year that a bunch of extensions, browser extensions were hacked on Christmas Eve because they knew, oh, that's going to give us at least a couple of days to exploit people before anybody gets around to fixing it, right? Not if you use Legato Security. From entrepreneurs to Fortune 100 companies, Legato Security creates custom Microsoft MDR solutions that protect businesses so business leaders can focus on growth. Here's a great testimonial from a recent customer quote. Legato Security is the only supplier that has delivered everything they said they would and we didn't have to drive them. They just get it done. I love this too. If you've got a problem, Legato Security is not going to call and say, hey, you got a problem. They're going to call and say, hey, we saw the problem and we fixed it and you're safe. That's what you want. That's what you want, right? IT and security professionals, Legato Securities MSSP is here to augment your security team. Not replace them, not replace you. They're the professionals you want on your team to back up your cybersecurity forces, to fortify your proactive defenses 24, 7, 365 days a year. Security tools alone are not enough. You need the expertise to back it up. Oh, and here's a Great tool. You can go right to right now to legato security.com and see if your defenses are as strong as you think. They've got a free risk assessment on the website. It's worth taking it just to see where the holes are. Visit legato security.com to discover how they can help you regain control and, you know, enjoy your weekends like you used to. That's legato security.com l e g a t o security.com it makes perfect sense. This is something you need. It's affordable, it's effective. Legato Security.com check them out. All right, Steve, I'm ready for the world famous picture of the week.

Steve Gibson

So I gave this one the caption. User interface design is an art.

Leo Laporte

Okay, you want to describe this? That's very funny.

Steve Gibson

This is obviously extremely critical. We have a red, bright red fire engine, red painted switch box with a toggle switch on it. And it is labeled above the switch, Emergency boiler shutoff. And it is labeled below the switch, emergency boiler shutoff.

Leo Laporte

So, so which way do you switch it?

Steve Gibson

Yeah, I mean, it's not like it's some fancy industrial switch. It's a light switch, you know, and right now the toggle is pointing down. And so it says you. Like in the old days, it says, you know, off. You can see it on the, just below the little paddle down right there in relief. But, you know, so if the boiler is in trouble, do you turn it on or.

Leo Laporte

Yeah, turn on the shut off.

Steve Gibson

You turn on the shut off or turn off.

Leo Laporte

Anyway, you know, I think that I understand the logic here. Somebody isn't telling you what to do. They're just labeling this box and they wanted to do it twice so you wouldn't miss it.

Steve Gibson

They.

Leo Laporte

This is the emergency boiler shut off. There is no advice here about which way to switch it.

Steve Gibson

It should say, good luck to you.

Leo Laporte

Maybe the presumption is, well, whatever position it's in now, if you're having trouble, you should just flip the switch.

Steve Gibson

If the boiler is not currently shut off, then do a toggle. Toggle it. Yes.

Leo Laporte

That's the silliest.

Steve Gibson

We have some ADD listeners who received the show notes from me last night and they said, you know, I understand the point you're trying to make here, Steve, but the biggest distraction for me is that there are two screws missing from the COVID Okay, okay, you're right.

Leo Laporte

It'S a little sloppy.

Steve Gibson

I did notice that also. But I, you know, it didn't distract me from the bigger problem. Which is what? The what? Anyway, yes, User interface Design, Leo, is an art. And not everybody is an artist.

Leo Laporte

No.

Steve Gibson

Turns out, no this guy.

Leo Laporte

Very funny.

Steve Gibson

Okay, so I first noticed a mention of this in passing, like a week or two ago. But it wasn't until I focused upon catching up with all the recent news that I realized that this was something worth sharing with all of our listeners. And part of that reason, you know, for me, like, not paying that much attention to it, is that, you know, now I'm so familiar with this inetpub directory. But what's weird is that today, even now, we don't all know what this is actually all about. So, as I mentioned at the top of the show, I've been hosting websites based on Microsoft's IIS from the start. You know, I have some. I guess it was when I was running GitLab, I was running non. Yes, it was running on FreeBSD Unix. So I had a web server running Apache, I think, or nginx, actually, I think is what it was. But largely, I'm an IIS guy. You know, when people go to Shields up, they do the DNS spoofability test, the. The perfect pay for passwords. All of the technology that runs GRC's various services is written in assembly code running on a Windows server that has Microsoft IIS in front of it. So inetpub is the directory that you always see as part of that. So I didn't think much about it when I saw this mention a couple weeks ago. But whatever's going on has confused many people who wondered why this mysterious and completely empty inetpub directory suddenly appeared on their Windows 11 machines after this month's April's patch Tuesday. And bizarrely, Microsoft says, no, it's not a mistake, and what? The empty directory must not be deleted.

Leo Laporte

Oh, come on.

Steve Gibson

But they won't explain why. They still won't explain why. Now, because I was curious about this. I tried to fire up a win 11 instance yesterday, and it got tangled up somehow. So this morning I created a brand new VM, installed Windows 1124H2, and it's now running on the screen next to me. And I can understand why anyone who sort of like, has a sense that maybe they're still in control, I would argue that that's an illusion in the case of Windows these days. But, you know, we like to think, you know, like once upon a time we actually knew what the files were on our computers. But we lost that battle a long time ago. But there's not many directories on the root of a contemporary Windows machine. I've got. There's. There's perf logs, which is there. You. If you click on it, you get it. You get scolded. Oh, you're not allowed to look in there. But then there's just Program files, program files, x86 users and windows. Those are the. There's like four directories. So when we're no explanation, a new directory called inetpub appears. And notice that we're rebooting and installing updates from time to time. It's not even clear. It would not be clear to someone who happened to look at their directory tree at some point exactly when this appeared. Right. I mean, you don't immediately inspect your computer for what happened after installing patches, because who knows what happened. But so, so I can get the angst where. I mean, I would feel it if, if I some, you know, at some point a day or two or three after doing the patch Tuesday. There it is. Leo. That's exactly right. So, so you are seeing this exactly the same set of folders I'm seeing there on a fresh install of Windows 11.

Leo Laporte

Let me just see if there's. This folder's empty. Nothing in there.

Steve Gibson

It's empty. And if you right click on it and go to Properties and then go to Advanced, you'll see or Security, then Advanced, you'll see that it's owned by the system. So the system is the owner. So go Security and then hit advance down below there on the right. There it is. And then you can see that the owner of that directory is the system. Okay. So anyway, I can get why somebody would be very worried. I mean, like the kind of listeners we have to the podcast. If you just notice that there's a new directory on your computer, I would suspect malware. I mean, I would think. Wait, what?

Leo Laporte

That's exactly the kind of thing malware does.

Steve Gibson

Yes, yes.

Leo Laporte

And you might be tempted to delete it.

Steve Gibson

Well, and many people did. Oh. Huh. And that's not.

Leo Laporte

You know, if you hadn't told me, I would have deleted it. Yes, it's an empty folder.

Steve Gibson

Don't believe it or not, it is. You're the, the, the patch for a bad privilege escalation or elevation. Bug is the patch is dependent upon the current existence of that directory on the root of your system drive. This whole thing is so half baked.

Leo Laporte

It's a kluge.

Steve Gibson

It's a kludge. Thank you. That's the word. Okay, so there's been a lot of coverage of this in the tech press, but I'm gonna share a lightly edited version of what Forbes Davey Winder wrote about this recent mystery because he did a good job of summarizing it and kind of pulling these things together.

Leo Laporte

It wouldn't be easy for them to click the hidden box.

Steve Gibson

And we don't know whether that would, whether it has to be visible. And that's part of the problem, Leo. Microsoft isn't saying even now, they're just not telling us. So Davey Winders I hit it.

Leo Laporte

We'll see what happens.

Steve Gibson

Okay?

Leo Laporte

Oh boy.

Steve Gibson

Good luck. Under the headline Microsoft's New Windows Update, 1 billion users warned, Do Not Delete. Now I'll note they weren't warned initially and okay, and was only in a later update. So Davey wrote. The latest and somewhat confusing situation of Microsoft's making has come about as Windows users noticed a mysterious new folder after the most recent security update, a folder with no explanation and one which Microsoft has now warned a billion Windows users they must not delete. I know this is such a kludge, he writes. As part of the April 8th Patch Tuesday security updates, Microsoft included a fix for CVE2025 21 204. Remember that number 21204? We'll be hearing that a little bit later, he writes. This vulnerability in the critical Windows Update stack, which is responsible for the management of Windows updates no less, could lead to an attacker to elevate privileges locally, something that the security experts at Security Vulnerability IO described as posing, quote, a significant risk to organizations as the compromised systems could allow attackers to execute unauthorized actions, potentially undermining the integrity and security of sensitive information and systems operations. Unquote, Davey says, I won't bore you with the technicalities of link resolution process manipulation that could enable hackers to access files and execute commands. Just know it's pretty darn serious, security Vulnerability IO wrote. The ability to conduct unauthorized actions can severely impact the integrity of the affected systems, resulting in potential disruptions of operations, implementation of malicious software, or further vulnerabilities being introduced into the network. Which is why Microsoft fixed it. And that's a good thing. The way that Microsoft fixed it, however, is not so good, he writes. A lack of transparency is a particular bugbear of mine when it comes to anything security related, and this vulnerability patch is no exception. The problem is that Microsoft created a new and empty folder with the security update, the appearance of which led to a totally understandable debate in tech forums and on Reddit, as well as other social media platforms. What was this inetpub folder? How did it get there? Is it dangerous? Is Microsoft using it to collect data and should I delete it? According to a new Microsoft Security Advisory update, the answer to the last of these questions is a resounding no. Microsoft warned that Windows users must not delete the inetpub folder. Doing so would remove the vital security protections it provides and the reason for it being created by this update in the first place. An April 10 update to Microsoft Security Advisory concerning CVE2025 21204 entitled Window Windows Process Activation Elevation of Privilege Vulnerability confirmed that, quote, after installing the updates listed in the Security Updates table for your operating system, a new System Drive inetpub folder will be created on your device. Microsoft went on to say, now this again, this is two days after the updates and all of this furor had already resulted. Microsoft went on to say that the folder installation was, quote, part of changes that increase protection, unquote. He writes, but failed to explain precisely how. He says what I do know is that the inetpub folder itself usually comes as part of the Internet Information Services web server platform enabled using Windows features, but this update has created it whether the user has IIS installed or not. Okay, now I'll just, I'll stop here to insert that. Anyone who already did have IIS installed on their machine will definitely have that directory and would be expecting to have it. If you have the IIS service installed in your machine, you cannot not have that directory. It's part of iis. So Davey continues, more transparency is required, me thinks, although not at the expense of tipping off potential attackers. As to how the mitigation works, of course, which, which we know is ridiculous because any hackers know anything that Microsoft knows, so it's not like they're keeping this a secret, is like offering us some protection and we know how everybody feels about security through obscurity. So he says I he says I contacted Microsoft for a statement, but a spokesperson informed me that there was nothing else to add other than the information contained within the security advisory at this time. What I can say, however, is that as a security wonk, I strongly urge all Windows users to follow Microsoft's advice. This folder should not be deleted, regardless of whether Internet Information Services IIS is active on the target device. All of which is okay, but what if you have already deleted the inetpub folder from your Windows installation or hidden it? Uh huh, maybe. Yeah. I mean, he says given the nature of the update and the social media conspiracy theories that surrounded it, I wouldn't be surprised if that were indeed the case for many users, he says. I have already had a number of readers contact me to say they did just that and ask what they should do. Now the answer is simple. Restore it. Even though we don't know why, he says. The methodology required to do that is thankfully also pretty simple, as long as you complete these six steps as follows. Head for the Windows Control panel, Click on Programs in the Programs and Features section, choose the Turn Windows Features on and off option. And now our listeners know, because we went there last week for Windows Sandbox. You could also just hit Go to the Start menu and type T u r n space and that would immediately highlight Turn Windows Features on and off. That brings you that menu that we saw last week that has Windows Sandbox on it. It also has Internet Information Services. So what's so galling, Leo, is that the resolution, the suggested resolution, and this is even from Microsoft, their suggestion is, oh, if you deleted the inetpub folder, you should install IIS on your workstation on your Windows machine. It's like, what?

Leo Laporte

That's the fix?

Steve Gibson

Yes. And what do home users do? I don't think home users get iis. I don't think you have that.

Leo Laporte

No.

Steve Gibson

So he says, tick the checkbox for Internet Information Services. Click ok. He says Windows will then whir and grind its cogs until the inetpub folder has been restored once more, and you can check your system drive to ensure that it is, he says. By enabling IIS in this way, the same folder is recreated as if Microsoft had dropped it there in a security update, and it will provide the same protections from Windows threats as well. Now, I looked elsewhere for additional clarification, but everyone in the tech press is telling the same story. The Windows Latest site wrote, once IIS is installed, you don't need to make additional changes to Windows 11. Installing IIS will restore the folder Microsoft.

Leo Laporte

And a bunch of other stuff, well.

Steve Gibson

That'S just is a heavyweight web server. I mean it's ridiculous. So the real question then is if you then uninstall iis, go back there and turn it off, does it leave inetpub behind? And I did not have time to perform that experiment for our listeners. But my guess is it probably leaves it in which case you can get rid of IIS after you've installed it. Now the so here. Okay, I'm getting ahead of myself. So Windows Latest wrote Microsoft told Windows Latest that users need to follow the IIS installation steps. Microsoft is saying install iis. Wow, this is so half baked. If they accidentally deleted the folder right accidentally this empty folder must remain present on Windows 11 system partition on System Drive backslash inetpub for the security patch to function correctly, which is itself a croc. The folder provides, quote, increased protection, unquote According to My God. Yeah, let's add some more. We need as much as we can get.

Leo Laporte

Give me more like put in the God.

Steve Gibson

What about back slash kitchen sink? Will that help?

Leo Laporte

I'm restoring autoexec bad.

Steve Gibson

There you go. According to Microsoft, turning on IIS creates the same folder with the same protection and your PC will not be vulnerable right to that today. And then in a later update to this article, Windows latest added update Microsoft will not explain why the empty folder is required to apply the security fixes okay, now I'm annoyed by what strikes me as, first of all, very lazy advice from Mike. I'm annoyed by many things, but one of them is very lazy advice from Microsoft. Installing IIS onto a system, as we have noted, is not a small thing. So it's ridiculous overkill to tell people to install the Microsoft Web services as a means to create a single empty directory.

Leo Laporte

That's crazy.

Steve Gibson

Presumably, you know the directory named inetpub requires specific user account privileges to be set on it. Apparently it needs to have System be its owner as whereas the user if you if the user could make dir to create a directory there, you know, new directory, they would be the owner. So you'd have to change the ownership to system. But you could do that. Given the power of Windows PowerShell today, I am sure that a simple PowerShell script could do exactly the same thing. So asking people to install a full web server just to create a directory is nuts. But that said, randomly deleting directories that don't apparently serve any purpose is probably not a good idea either. You know, power users who would tend to notice such things like to imagine, as I said earlier, that they're still in charge of their Windows installation and environment. Here's another example of why that is not the case. You know, it becomes less true with each iteration of Windows. What I'm wondering, as I said, is whether uninstalling IIS once it's been installed leaves that InetPub directory behind. If so, the second half of the lazy advice should also be to then remove IIS after rebooting the system to first complete its installation and verify the existence of the inetpub directory. And what's infuriating is that Microsoft won't tell us anything about why any of this is necessary, and Leo to your point, does hiding it still work? Since we don't know why it's there, we're not able to evaluate whether hiding it wouldn't have been like something Microsoft should have done. Maybe it still works if it's hidden, in which case they could create it, give it system privileges, give it the hidden attribute, and nobody would have been the wiser. It would have been created, but it wouldn't have been in everyone's face.

Leo Laporte

And basically, for that matter, they could release a PowerShell script that would create it with the proper permissions.

Steve Gibson

Yes.

Leo Laporte

And tell people to do that. Right.

Steve Gibson

I mean, or Leo, why not just put a file in that directory with the name created by Windows Update or do not delete this directory.

Leo Laporte

What's your hypothesis for why this is necessary?

Steve Gibson

I don't have one. I. You know, I. There will be. There's no doubt that I don't need to spend my time because the industry will tell us. The security industry is going to figure out what is going on. Now there's more because Kevin Beaumont has figured out how to completely shut down Windows Update using this directory.

Leo Laporte

What?

Steve Gibson

Let's tell our listeners who's paying for this.

Leo Laporte

Omg.

Steve Gibson

Yes, there's a big croc here.

Leo Laporte

Also, you know, my. My kind of naive theory would be maybe there. This malware looks for the presence of inetpub and then doesn't activate if it sees it or. I don't know. That's dopey. And is that the way to stop malware?

Steve Gibson

And how is Windows Update and some process activation privilege of elevation tied to the presence of the IIS root folder? Well, like, I mean, it just seems so literally. Maybe backslash kitchen. Kitchen sink and we'd get a more reliable Windows. I just. It's crazy. Yeah. Yeah. But a perfect security researcher.

Leo Laporte

Do you want me to do the ad? Did you say you want me to do an ad now?

Steve Gibson

Let's. Let's do it. We're half an hour in.

Leo Laporte

Okay, I'll do it.

Steve Gibson

And we're going to tell. We're going to tell everybody how they can shut down Windows Update so that it no longer functions at all.

Leo Laporte

Well, that doesn't seem like a good solution either.

Steve Gibson

No.

Leo Laporte

I unhid my INET pub, by the way. I don't want to take a chance. I mean, it's a virtual machine. I guess what I could do is delete it and then reinstall iis or install iis, uninstall it and see if it's still there.

Steve Gibson

Do that.

Leo Laporte

Should I do that? Okay, yeah, after this word from our.

Steve Gibson

Sponsor, I could do that too. We're all going to do that.

Leo Laporte

You know what would be a really good way to protect yourself from stuff like this? Threat Locker. A good zero trust solution would solve so many zero day problems. Ransomware is killing us, right? It's harming businesses worldwide. It works through phishing emails or infected downloads, malicious websites, RDP exploits, I mean on, on and on and on. An inet pub folder. Don't be the next victim. Threat Lockers. Zero trust platform. This is so good, takes a proactive and here's the keywords you want. Deny by default approach. It just doesn't assume that you have access to everything. It blocks every unauthorized action, protecting you from both known and unknown threats. It's so cool. It's trusted by, you know, infrastructure People like JetBlue airlines, right? People who can't afford to go down the port of Vancouver, you know, they just can't afford to be hit by ransomware. They use Threat Locker. IT shields them from zero day exploits, from supply chain attacks. And this is great for compliance. Provides complete audit trails, know exactly who accessed what when. It's fantastic. Threat Lockers innovative ring fencing technology. Basically it isolates those critical applications so they can't be weaponized. It stops ransomware cold. It also limits lateral movement. Right? That's one of the big problems, like we talked about those guys who put their ransomware on a camera that was running Linux in its firmware because the company had some pretty good protections. But the thing is that lateral movement's the thing you gotta stop. The ability to browse around and find vulnerable spots can kill you. Well, Threat Locker limits lateral movement. It doesn't say, hey, you're inside, go anywhere you want, do anything you want. It stops bad guys cold. And Threadlocker works in every industry, by the way, supports Mac environments. So if you have a heterogeneous network environment, you're golden. They've got great 247 support based in the United States. With Threat Locker you get comprehensive visibility and total control. Here's a quote from speaking of infrastructure, from another vital service, the city of Champaign, Illinois, their IT director, Mark Tolson gave us this quote. He said, quote, threat Locker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing Threat Locker will stop it. This is the gold standard in security. Stop worrying about cyber threats. Get unprecedented protection quickly, easily, and by the way, the price is right, very cost effectively with threat locker. Visit threatlocker.com TWIT to get a free 30 day trial and to learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com TWIT we thank them so much for their support of security. Now, all right, how do I turn off all updates forever and ever?

Steve Gibson

Okay, I just confirmed that installing IIs and removing IIs. Oh, you did that INET. Yes, all during an ad.

Leo Laporte

Wow.

Steve Gibson

Yep. Yep. Leaves the inetpub directory subdirectory in place.

Leo Laporte

And with the proper permissions and all that. So you're protected.

Steve Gibson

Yeah.

Leo Laporte

Good.

Steve Gibson

Yeah. So anybody who did delete it, who was wondering what the heck this is about, I'm just checking that with the advanced and yep system is the owner and there's actually a history subdirectory under it if you, if you install iis. But then it tells me I don't have permission to look at it, so it doesn't matter anyway. So that that will do the job. It turns out you don't even have to reboot. Yeah, you so you're able to install it. By the time it finishes making the changes, it has created that directory with all the proper permissions and then right then you are then able to uncheck the, you know, go back in to turn Windows features on and off, uncheck the IIS feature, it does it again and then it tells you that you need to reboot now or later, but even when you come back from that boot, so only one boot to the whole thing and inetpub is still there. So again, it's annoying that we don't know why, but get this, there's more. The our prolific researcher who we frequently reference, Kevin Beaumont, who once tweeted as Gossie the dog. He's been active for years, has posted into his blog on Medium under the headline Microsoft's patch for and here's the famous now CVE 202521204 Simlink vulnerability introduces another simlink vulnerability Kevin explains Microsoft recently patched CVE2025 21204, a vulnerability which allows users to abuse symlinks, you know, symbolic links to elevate privileges using the Windows servicing Stack and the CinetPub folder. To fix this, Microsoft Pre creates the CinetPub folder on all Windows systems from April 2025's Windows OS updates onward. Now what occurs to me is that it may be the pre creation of it and assigning it to to the system as the owner that subsequently prevents its abuse. Which suggests to me that hiding it would be fine and Microsoft probably should have, but this whole thing, as I said, is about as half baked as anything I've ever seen. Okay, so he said. However, Kevin writes, I've discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non admin users to stop all future Windows security updates. Whoopsie. Non admin and admin users can create junction points in the c root and in the show notes and in Kevin's blog he gives the make link command. I have it here in the show notes, he says. So a non admin user can just do Windows R, you know command, just get a command line and then run and it's makelink j for a junction and then cinetpub Space C Windows System 32 backslash and then he used the ever popular and benign notepad exe, which he's created the symlink for. He says this creates a symlink, a symbolic link between CinetPub and Notepad after that point April 2025 Windows OS Update and future updates unless Microsoft fixes it, fail to ever install, they error out and or roll back forcing the system to go without any further security updates. He says, I reported this to MSRC about two weeks ago and finally received a response. So it took Microsoft Security research couple weeks. They got back to Kevin writing hello Kevin, thank you again for submitting this issue to Microsoft. MSRC prioritizes vulnerabilities that are assessed as important or critical severities for immediate servicing. After careful investigation, this case is currently rated as a moderate severity issue. It does not meet MSRC's current bar for immediate servicing as the update fails to apply only if the inetpub folder is a junction to a file and succeeds upon deleting the inetpub SIM link and retrying. In other words, you can undo this and then everything is fine, they said. However, we've shared your report with the team responsible for maintaining the product or service and they will consider a potential future fix taking the appropriate action as needed to help keep customers protected. At this time we will not be providing ongoing updates of the status of the of the fix for this issue and we have closed the case. So Kevin finishes saying, my feeling is the endpoint detection and response providers, including Microsoft, probably want to add detection for junction points being created from inetpub on boot device on boot drives as it looks like this issue isn't going to get patched anytime soon and it's a 100% reliable way to stop future security patching in Windows.

Leo Laporte

Geez Louise.

Steve Gibson

So whatever underlying problem Microsoft originally had with this cve, it certainly feels as though somebody cooked up, as I said, a half baked solution that wasn't very well thought out. The idea of needing to add an empty directory to the Windows file system, which is normally only needed when a system is running their web server, and which is naturally then open to public abuse of the sort that Kevin stumbled upon, seems really very sad. And half baked. Wow.

Leo Laporte

Just amazing.

Steve Gibson

Yeah.

Leo Laporte

Wow.

Steve Gibson

Okay, so this one you're not going to believe. Leo, We've talked extensively.

Leo Laporte

Worse than what we just talked about.

Steve Gibson

We'Ve talked extensively about the challenge presented by employers who are attempting to do the right thing by not hiring spoofed employees from hostile foreign powers. Security researchers at the firm Silent Push just reported on their discovery of a new bizarre twist. Their headline was Companies to Deliver a Trio of Malware Beaver Tail, Invisible Ferret and Otter Cookie. These are the three pieces of malware. Well, you know, because all the good names are taken.

Leo Laporte

They don't sound that scary, to be honest.

Steve Gibson

No, they don't. But get this, the headline doesn't do the story justice to give everyone a sense for what they discovered. They start with four key findings and boy, they really are burying the lead here. Okay, Silent Push threat analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean advanced persistent threat Group. Contagious Interview is the name of the group. The group is called Contagious interview, Block Novus LLC, an Angeloper Agency and Soft Glide LLC. So Block Novus, Angeloper Agency and Soft Glide L.L.C, they said. Our malware analysts confirmed that three strains, Beaver Tail, Invisible Ferret and Otter Cookie, are being used to spread malware via interview malware lures to unsuspected cryptocurrency job applicants. The threat actor heavily utilizes AI generated images to create profiles of employees in air quotes for the three front crypto companies employing Remaker AI. That's Remaker AI for some of the AI generated images. As part of the crypto attacks, the threat actors are heavily using GitHub job listings and freelancer websites. Okay, but that still fails to convey what's going on. It took some digging, but it turns out that North Korean hackers created and used US front companies and I found two of them. I wasn't able to confirm separately Angeloper Agency, but definitely Block Novus LLC and Soft Glide LLC are corporations registered in the states of New Mexico and New York, respectively. So they faked being US Companies, then solicited US based employees into interviews that infected those interviewees with malware that was carried back to their prospective employees, current employers, as a means of infecting their organizations. And it worked. So not only now do employers need to be very much on the lookout for spoofed fake employee applicants, but anyone interviewing for a job change needs to now be equally cautious and careful about the legitimacy of the company that says they might be interested in hiring them. Because it may be North Korea who's created a full background legacy for a fake enterprise and ends up asking you to do something that will infect your machine. And when you go back to your current employer's network, infect your current employer. The world we live in today, my friends. Wow. Wow. Incredible. Okay, on the AI front. Oh, Carnegie Mellon. Unarya, huh? Carnegie Mellon University's Cert Coordination center posted the news of a new widespread vulnerability. What's really weird about this is it works across the AIs. That is a single script. A new widespread vulnerability that affects pretty much all of the various GPT AI models. The title of their vulnerability report was quote, various GPT services are vulnerable to Inception Jailbreak allows for bypass of safety guardrails. So here's what they explained. Two systemic jailbreaks. They call it systemic because it's again AI, you know, you know, pan AI. Two systemic jailbreaks affecting several generative AI services have been discovered. These jailbreaks, when performed against AI services with the exact same syntax, result in a bypass of safety guardrails on affected systems and indicating a systemic weakness within many popular AI systems. The first jailbreak facilitated, and I just love these crazy jailbreaks facilitated through prompting the AI to imagine a fictitious scenario can then be adapted to a second scenario within the first one. Continued prompting to the AI within the second scenario's context can result in a bypass of safety guardrails and allow the generation of malicious content. This jailbreak, named Inception by the reporter, affects Chatgpt from OpenAI, Claude from Anthropic, Copilot from Microsoft, of course, Deep Seek, Google's Gemini, Twitter's Grok, Facebook's Meta AI in Mistral AI, that is this single approach works across them all. The second jailbreak is facilitated through prompting the AI to to answer a question with how it should not reply within a certain context. I mean, we're literally right. We're like confusing the AI's answer a question with how it should not reply instead of actually asking it to reply, which it won't because it shouldn't. So no, no, no, no, no. That's not what I want you to do. I want you to tell me how you shouldn't reply within a certain context. The AI can then be further prompted with requests to respond as normal, and the attacker can then pivot back and forth between illicit questions that bypass safety guardrails and normal prompts. That second jailbreak affects ChatGPT, Claude Copilot, Deepseek, Gemini Grok and Mistral AI. These jailbreaks, writes Carnegie Mellon, while of low severity on their own, bypass the security and safety guidelines of all affected AI services, allowing an attacker to abuse them for instructions to create content on various illicit topics such as controlled substances, weapons, phishing, emails and malware code generation. A motivated threat actor could exploit this jailbreak to achieve a variety of malicious actions. The systemic nature of these jailbreaks heightens the risk of such an attack. Additionally, the usage of legitimate services, such as those affected by this jailbreak, can function as a proxy hiding a threat actors malicious activity. In other words, instead of like using some dark underworld, you know, dark web AI, we're using Chat GPT and it told us how to mix up that chemical explosive, you know, and I don't even know how to respond to this, Leo, other than to just shake my head and understand just what a new wild west we have entered into here. One of one of the key coding lessons of my own past 50 years of programming computers, and I guess it's actually more like 52 now, has taught me, is that if I'm not 100% completely certain how my code operates, it's unlikely to be correct because there are so many more ways for it to be wrong than for it to be right. Then I read about the bizarre ways it's possible to have conversations with these conversational AIs in ways that lead them to ignore the imperatives of their programming. And I also understand that no one is really completely certain how all of this works in the first place. And then I think of my own far simpler coding experiences and it becomes very clear that this incredibly fuzzy world of AI, which we're stepping into, almost certainly has a far longer way to go before we're able to get a grip on it. And I think far further than most people probably expect. I don't even think we're close to actually having control of this. And of course, a lot of people who actually are spend a lot more time thinking about this than I have, are very worried about what can happen, right?

Leo Laporte

Yeah, yeah. Although I'm kind of have mixed feelings about AI safety. I think, as we've learned, it's kind of maybe a mistake to even try. Right, Right. And I don't think the companies are trying that hard. Obviously, if this thing works, they're not trying that hard.

Steve Gibson

Yes. It's like, I'm not asking you to tell me something that I shouldn't, but if I were asking you to tell me something that I shouldn't, what would you say? And then it's like, oh, well, in that case, if you're not actually asking, you're just asking me if you were asking what I would say, purely hypothetically. That's right.

Leo Laporte

Shouldn't you tell me?

Steve Gibson

Yeah. Now, I know you can't tell me how to make this explosive, but, you know, if you could tell me how to make it, what would that be like?

Leo Laporte

Yeah. Oh, yeah.

Steve Gibson

I mean, yeah. Like, no. No street smarts in these things yet.

Leo Laporte

No.

Steve Gibson

And.

Leo Laporte

They'Re little children.

Steve Gibson

Yeah. Yeah. Okay. So one thing we all have in common, all of us, is a concern for the integrity of our digitally stored data. In fact, it would not be an overstatement to say that I've made understanding and addressing the reliability of mass data storage my life's work, with the first half of my life invested in preparing for the second half where I've been able to do something about it and have created solutions to help recover data, you know, lost or seriously endangered for arguably hundreds of thousands of PC users during the last 35 years. Nearly two weeks ago, the popular and respected Tom's Hardware website posted a piece under the heading Unpowered SSD Endurance Investigation Finds Severe Data Loss and Performance Issues. The start of that piece said, you may not know it, but SSDs will lose data after a period of time if they are simply left unplugged, which can be a serious threat to your data if you store backups or precious files on unplugged SSDs. Not surprisingly, many of our listeners who are owners of Spinrite sent email wondering what I thought of the research Tom's hardware shared. Before I share the rest of that piece, let's back up a bit. So remember that five years ago, early in the development of Spinrite 6.1, I created the ReadSpeed benchmark, which I later released as freeware. As a platform for verifying the operation of Spinrite's new low level device drivers, the ReadSpeed benchmark takes an accurate measurement of a mass storage Drive's performance at five locations across the drive, at 0%, 25%, 50% 75% and 100%. We all knew that spinning drives would perform much more slowly and as we gradually move toward their end, since track circumferences would be shortening, thus reducing their data transfer rate by as much as half. And that's what we now know. Today's super high density spinners have half the performance at the end of the drive because in order to get this like to squeeze every, literally squeeze every last bit of data into the drive, they've had to push the tracks further toward the, the, the hub of the drive. But being entirely solid state, none of us expected to find what we did. We didn't expect to see any speed variants, variance in SSD performance. But as we all know, that's not what we found. Many of us discovered that the SSDs our PCs were using were much slower to read near their beginnings of the drive than anywhere else. What we discovered was that those regions which were only ever read and rarely or never written had become far slower to read over time. Since the front of these drives is where the operating system is written when it's first installed, we finally knew why. For years, PC users with solid state mesh storage have been reporting that their systems seem to have slowed down over time and be running more slowly than when they were new. It turned out that it wasn't their imagination. Systems really do slow down because the reading performance of their solid state mass storage really is slowing down. And we also know that, you know, not just thanks to synthetic benchmarks like read speed or what's built into Spinrite, but because once Spinrite 61 allowed people to easily rewrite their SSDs, they reported that they could clearly feel the difference. Their machines were once again booting in seconds, where they'd slowed down to in some cases minutes. And the various annoying lags in its use they reported as completely disappeared. There have been a great many theories voiced to explain this. People get themselves, I believe, all tangled up in the complexities of translation layers, wear leveling, block erasures, trimming, and all the many various technologies that have been layered on top of basic NAND storage cells in an effort to overcome those cells inherent physical limitations. To my mind, donning my physicist's cap for a moment, there's really no mystery about why this is happening. As I've described a couple of times in the past, flash NAND memory bits are just incredibly tiny electrostatic charge storage cells. They consist of a tiny bit of metal which gives electrons a place to sit, surrounded by insulation which keeps those electrons from Wandering off. When we wish to change what's stored in that bit cell, we first create a high voltage. Remember, that voltage is electrostatic pressure. So we create a high pressure that's able to break down the cell's insulation to inject some electrons across that insulation into that cell. The electrons that were injected under high pressure then remained there, trapped behind the cell's insulation. At that point, the magic of what's known as field effect transistors allows the effect of the resulting electrostatic field created by the charge which has been trapped in that cell to be sensed. So we're able to later read out what was previously stored there. So that's the whole magic of flash memory. That's how it works. And overall, this is an astonishingly effective technology. But it has one fundamental problem. We're deliberately abusing a cell's dielectric insulation. Whenever we use the brute force of a high voltage to break it down and force electrons across the barrier, it was designed to present to their flow. It's trying to be insulation, we're breaking down that insulation. We want a perfect insulator, except when we don't want it to be perfect. And over time we, with repeated breakdown of its like forcible breakdown of its insulation, its insulating properties begin to falter and weaken with the barrier become slightly more porous to unintended electron migration. Okay, so with this background, let's look at what Tom's hardware wrote. Their piece said, you may not know it, but SSDs will lose data after a period of time if they're simply left unplugged, which can be a serious threat to your data if you store backups or precious files on unplugged SSDs. A year two update on the how long can SSDs store data? Unpowered video series is another reminder about the importance of regularly refreshing your backups with a bit of juice. The tests consist of storing data on an SSD and then leaving it unplugged for years to see the impact on the stored data. An SSD's endurance rating is calculated based on how long it can store data if left unplugged after a certain amount of data has been written. Hence the importance of this testing Tech Tuber HT Wingnut is back with a report on his modest experiment involving a quartet of SATA SSDs. The key finding was that the two year old well worn drive exhibited noticeable performance degradation and was affected by a handful of of corrupted files. These are signs that this particular SSD was on its way to Silicon Heaven. That's not true, but that's what people think. But it's something I'll explain anyway. They write HT Wingnuts video is an update on an episode from a year earlier and further updates are promised. They said the four tested 11 JS600 branded SSDs are basically bog standard no name units. HT Wingnut says they're all TLC SSDs with 128 gig capacity and rated to withstand 6D 60 terabytes of written data. Every drive has 100 gigabytes of of files containing random data with hash values for all the content provided for later verification. Now I'll just interrupt again to note that this is not how I would conduct such a test since the file system's metadata that's being relied upon to access these files is sharing the same medium as the files it's managing. And you really don't want a file system involved at all. What you care about is the underlying medium. The right way to do this would be to use a pseudo random function to generate a stream of pseudo random data that would then be written to the raw media. Then years later, a year and 2 and 3 and 4 and so forth use the same pseudorandom function to recreate the original data stream for a bit by bit comparison with what is later Read back, you know, but who am I to talk? I didn't do any of that. And this HT Wingnut guy at least did what he did. So what we have from him is better than nothing. The article continues, the two fresh sample drives have barely been used. Perhaps only the hundred gig of data was written there and verified. And that's it. Meanwhile, the two warn drives had been subjected and this is before the testing began. They were subjected to 280 terabytes of written data churn much more than their rated 60 terabytes endurance rating. So this guy deliberately, you know, really, you know, overwrote them in order to fatigue them. Before beginning this experiment, they said if you watch the previous year one video you'll have seen there were no issues with either worn or fresh drives. He says however, time has now taken its toll. He says let's take a look at the year two samples. In turn. He said for the fresh SSD tests, the data on this SSD which hadn't been used or powered up for two years was 100% good. On initial inspection, all the data hashes verified, but it was noted that the verification time took longer than two years. Previously. HD Sentinel Tests also showed good consistent performance for a SATA ssd. Digging deeper, all is not well though. Firing up crystal disk info, HT Wingnut noted that this SSD had a hardware ECC recovered value of over 400. In other words, the disk's error correction had to step in to fix hundreds of data based parity bits. In other words, even this was the fresh SSDs not well worn, just having not been used for two for two years. And hardware ECC is being required in order to recover the data and it's slowing down. Okay. According to HT Wingnut, they write seeing these error means the SSD is on its way out again. No, everybody gets this wrong, but I understand the way it looks. It's just the data has been leaking. It's just leakage which you know as you get older.

Leo Laporte

It's not hard problem. Yes, it's not hardware failure. It's just the data needs to be refreshed. That makes Exactly.

Steve Gibson

Yeah, they said so. They said indeed. If there is anything iffy about your data storage integrity, it is at least a warning. However, the errors could also have something to do with the drive being left unpowered for two years. Again, I don't think so. That could even be a problem because if it were powered up it would be hotter and heat is something nobody remembers to think about anyway. I have a chart in the show notes for anyone who's interested who shows and the chart shows what the various testing times were and how it was indeed way worse on the Warn drive that had a lot of data written to it. Because all of that excessive data again, it rewrote the entire drive. Many, many. It was 128 gig drive and they wrote 280 terabytes so it really worked the drive well past its endurance rating. They wrote. As the warn SSDs data was being verified, there were already signs of performance degradation. The hashing audit eventually revealed that four files were corrupt. Hash did not match. Looking at the elapsed time, it was observed that this operation astonishingly took over four times longer. Up to 10 minutes and 3 seconds, to 42 minutes and 43 seconds. Again, not surprising to anyone who's seen this happen, you know, for themselves. Further investigations in HD Sentinel showed that three out of 10,000 sectors were bad and performance was spiky. Returning to crystal disk info, things look even worse. HT Wingnut notes that the unrecoverable sectors count went from 0 to 12 on this drive and the hardware ECC recovered value went from 11,745 before to 201,273 after test tests that one day. So more than 200,000 ECC recoveries. So they said. In summary, the year one fresh and well worn drives had no issues. However the year 2 heavily worn SSD had file corruption and performance was poor. The so called fresh drive was still good but ECC figures still raised concern. Come back in late 2025 they wrote for the next update from HT Wingnut and they finish we also want to say that this is a very small test sample highlighted out of our interest in the topic rather than for its hard empirical data, he said. I've also experienced SSD data loss after leaving a mini PC unpowered for just six months or so at my PETA Terre in Taiwan. On return windows refused to boot or be repaired, but a reformat and reinstall seemed to return everything to normal right because there was nothing actually wrong with the drive. So I have a link in the show notes to HT Wingnut's YouTube video for anyone who is interested. Everything that we just saw, everything he found perfectly matches the model I've developed and shared about what's going on with our SSDs. The reason we see the performance drop when attempting to read data that was written long ago is that those microscopic tiny electrostatic charges stored in the SSDs NAND bit cells have partially leaked away. This very slightly changes the voltages stored in the cells and forces the flash controller to work much harder to recover and reread the original data. We sense this by seeing the SSD's performance drop. If you ever notice a drop in SSD performance, that's the time to rewrite its data. You'll want to do so before that data becomes completely unreadable. And the reason the problem was demonstrably worse on well worn SSDs is that all of that prior writing further weakened the insulating dielectric which was keeping the electrons in their place. So the leakage rate was significantly higher on Those well worn SSDs which were tending to lose their data faster. And as I mentioned, one thing that has not been mentioned, which we know from physics, is that temperature is crucially important. Several years ago we covered a piece of news here that noted that offline SSDs stored in hot data centers tended to lose their data more quickly than those same SSDs stored in a cool environment. Heat inherently agitates electrons and increases the probability that one will make it across the cell's insulating Barrier, it's known as tunneling. So if you do have any offline SSDs or thumb drives where you have important data stored, I'd give them a full data rewrite pass. You know, Spinrite's able to do that using level three. Then put them in a Ziploc bag in youn guessed it, a refrigerator, or at least store them somewhere which is guaranteed to stay mostly cool. The reason why rewriting an SSD's existing data, for example, with Spinwrights Level 3 restores its factory fresh performance is that the act of rewriting an SSD literally restores the strength of its bits, which we now have additional and rather absolute proof decay over time. Rewriting an SSD's data eliminates the uncertainty in the state of individual bits that can and does creep into our mass storage over time. Therefore, the speed with which an SSD's data can be read forms a highly visible and valuable proxy for the integrity with which the SSD's data is currently stored and is readable and recoverable.

Leo Laporte

This sounds like somewhat similar to spinning storage. Right. The same kinds of things happen. I mean, it's not physically the same process, but you get bid rot.

Steve Gibson

Yeah. My feeling is that what goes bad with spinning storage is like lubrication of the drive.

Leo Laporte

It's not a weakening of the magnetic signal.

Steve Gibson

Yeah, that, that tends to really hold very well. You can get stiction the head, it ends up being like welded to the surface. So, you know, there are other problems.

Leo Laporte

That the data on a spinning drive is not going to slowly decay over time. In the same way, I think that.

Steve Gibson

All of the support mechanisms that are required do have a problem.

Leo Laporte

Yeah.

Steve Gibson

So again, your, your three, two, one backup strategy is, you know what you really want you. And I'm. Well, you want to have a hierarchy of backup, but I'm, you know, I wanted to take this opportunity just because this was perfect evidence of the fact that, that what we've, what we discovered to our surprise when we began playing with the development of 6.1, was that the front of SSDs had slowed down.

Leo Laporte

Right.

Steve Gibson

And it was like, what the heck.

Leo Laporte

Right. Right.

Steve Gibson

And now we know, and happily it's only temporary. Those drives that, that are having all those problems, they're not bad. They just haven't been rewritten for a long time.

Leo Laporte

There's no stiction on an ssd, there's no need to stick.

Steve Gibson

And it's all. I remember Alan Malvantano once said to me, SSDs never rewrite their own data. That's not something they do. So having the drive powered up arguably keeps it warmer and I think it causes it to lose data more quickly.

Leo Laporte

Interesting.

Steve Gibson

So I'm not convinced that this is a matter of them being unpowered. They just haven't been touched in so long.

Leo Laporte

Right. I know how that feels. I'm just, I'm just kidding. Actually, Alan sent me an email just this week for both of us actually. Yeah. So you got it?

Steve Gibson

Yes.

Leo Laporte

Oh, good. Okay. Okay.

Steve Gibson

Yeah, he had, he had some, some neat points to make.

Leo Laporte

Yeah, he's a sharp fella.

Steve Gibson

You have a neat point.

Leo Laporte

I do. I'm so GLAD you asked, Mr. Gibson. I've been just champing at the bit waiting to tell you about OutSystems, our sponsor for this segment of Security Now. OutSystems, the leading AI powered application and agent development platform. They've been doing it for more than 20 years. The mission of Outsystems is to give every company the power to innovate through software. You know, typically we talk about this all the time. IT teams have two choices to make. It's that we call it the build versus buy conundrum.

Steve Gibson

Right.

Leo Laporte

Do you buy off the shelf SaaS products for speed but then lose flexibility and differentiation, or do you build your own custom software but at a cost of time and resources? Well, there's now a third choice between build and buy. AI forges the way for another path. It's the fusion of AI build low code and DevSecOps automation into a single development platform. That's Outsystems. Your teams will build custom applications with AI agents as easy as buying generic off the shelf sameware. And flexibility. Security and scalability comes standard with OutSystems. With AI powered low code teams can build custom future proof applications just as fast as they would buying it and with features that you really will appreciate. Fully automated architecture, security, the integrations are there, the data flows, all the permissions, that's all handled by OutSystems. OutSystems is the last platform you need to buy because you can use it to build anything and customize and extend your core systems. It's time to build your future with OutSystems. Visit OutSystems.com TWiT to learn more. That's OutSystems.com TWit we thank him so much for supporting Steve Gibson and security now. And now it's back to Steve for some listener feedback.

Steve Gibson

Yeah, got a bunch of good stuff to share. John Canfield said. Hi Steve, like you, I had heard about this Windows Sandbox feature long ago and tried it briefly just to see it. Fast forward to about a year ago. I dug into it for a testing need I had and was very impressed. I created a custom WSB XML configuration with map folders to my PC memory and CPU configs and it sits on my PC to this day ready to use when the need arises. When you were describing the significant architectural capabilities and efficiencies that went into this feature, the I can't help but think that this would be exactly what was needed for Windows 10X, he said, see Paul Thurrott's article, particularly the last sentence which he quotes quote Worse, Microsoft hasn't addressed the single most important 10x feature is planned. Its planned ability to run win 32 apps in a container. Is that key work continuing unquote he quotes Paul so he says could Windows Sandbox have been developed for win 10x or maybe the reverse? This feature existed before and someone said hey let's use that for 10x32 bit apps. Windows 11 came out in 2021 and Windows Sandbox was developed in 2018. According to your post, those years line up pretty well for one or the other to have happened. All the usual praises, listening and watching. Back to the tech TV days. Proud Spinrite owner. A joy to watch you and Leo every week. Best regards, John that's great. So I chose John's question because it serves to highlight one of the reasons why Microsoft's implementation of Windows Sandbox is so economical. The long ago abandoned Windows 10X effort was Microsoft's ill fated plan, but I understand it to wash away Windows long legacy of backward compatibility. At one point they were planning to have a dual screen Surface tablet PC.

Leo Laporte

The Courier. Oh we wanted that so badly.

Steve Gibson

Yep, and they wanted to move toward more of a lean mean OS. Sort of like iPad OS. That meant essentially starting over from scratch with a new implementation of Windows. And among other things, that version of Windows would be dropping support for 32 bit win 32 apps. Now philosophically, I love the idea of a complete reboot of Windows. One of the mixed blessings of today's Windows OS is that it still runs win32 apps and it probably always will because they cannot take that away. Too much legacy code depends on it. Just look at how difficult it was for them to kill off Internet explorer6.ie 6 refused to die because too many enterprise users had written code that would run nowhere else. And if you imagine that was true for IE6, just imagine trying to take away Win32's API remember that Windows 7 included an XP Mode? XP Mode was a full virtual machine that would allow Windows 7 users to still run an instance of Windows XP. Why was Microsoft forced to include that specifically for backward compatibility? Which serves as another example of the powerful drag created by Windows legacy code and in addition to the Win32 API, Windows also runs all of the other APIs that Microsoft keeps coming up with. I've lost track and count of the number of ways it's possible to author applications for Windows. And now they've added the Linux subsystem support. One of Microsoft's biggest problems with Windows is that they're unable to stop screwing around with it. They can't keep their hands off it. They're continually adding more stuff. But the critical need for backward compatibility means they're never able to eliminate anything that came before. They were finally able to drop support for 16 bit code when they moved to their 64 bit OSS. But even that was painful, and they were only able to do so because Windows hadn't really gotten fully up to speed before everything switched to 32 bits. So there wasn't all that much 16 bit code. Legacy so, as I said philosophically, I love the idea of a massively simplified single API rewrite of Windows to create something truly lean and mean, but that's just a pipe dream. It's never going to happen because that would. What would remain would not be useful to anyone. And once smart people at Microsoft realized that the Windows 10X project was dropped. So John asked whether the Windows sandbox might have in some way been part of the Win10X project. But I can't see how. What makes the Windows sandbox so special is that it manages to surface an exact duplicate instance of the underlying OS in a sandboxed environment. It refuses. I'm sorry, it reuses the hosting OS's read only files and even the underlying host OS's code, which is loaded into RAM. And that's the entire key behind Windows Sandbox. So if anything like the Sandbox were to run on top of win 10x, it could only be an exact clone of the OS it's running on. So it would be unable to, for example, support legacy APIs that had been removed through a host OS rewrite. And again, I think Microsoft has probably given up the idea of ever getting rid of their legacy APIs. You know, hopefully they just leave them alone and they don't, you know, wreck them because there's just too much old code there that. That depends upon the older support. Antoine Chopin said Hello Steve, thank you for security. Now, I had a question about Windows Sandbox you presented last week. You mentioned it uses a clever mechanism using links to static files to reduce the image size, which seems clever indeed, but made me wonder what would happen if the host OS had been compromised and some files supposedly read only had been modified somehow. In that case, I guess the sandbox would be compromised the same way, which means it's not as isolated as one could think. Curious to hear your thoughts on this. Thanks again for the great podcast, Antoine. And I would say that Antoine is completely correct, and it would likely go even further since we know that the Windows sandbox also conserves its usage of RAM by mapping the underlying host OS memory footprint into its own memory space. Any malware that operated by hooking kernel API functions in ram, which we know is something malware commonly does like rootkits, would inherently duplicate those hooks as well, and the same OS compromise would appear inside the sandboxed os. So Antoine's point is a good one, and it's an important distinction between a sandbox and a full virtual machine. As Leo you noted last week, the sandbox solution is closely aligned with the concept of containers, which share many of the same properties. Neither the sandbox nor containers contain an entire isolated instance of an operating system. They use Hyper V virtualization to create and enforce containment of the code they host, but they're running on top of their containing host. So neither Windows containers nor the Windows sandbox are isolated from underlying host problems. Only a full standalone virtual machine would provide that. But that level of isolation code comes at the cost of significant host platform resource consumption with a full virtual drive and much more RAM consumption. All these various technologies are interesting and powerful, and each one has its place. Brian asked hi Steve, Love the show and a proud owner of spinrite. I know this may be a bleak question, but would you consider open sourcing spin right upon your eventual but hopefully distant passing? He says it's an excellent product and I just don't have faith that people will put this kind of effort into something like this again. I'd love to see Spin Right live on and continue to keep up with hard drive technology into the future. Thanks, Brian. And he says you can use my first name if you ever mention this on the air. Okay, so let me just state for the record, I don't consider this to be a bleak question at all. I consider it to be practical and flattering. Our listeners here would have no way of knowing that I have formally stated Several times in GRC's public newsgroup forums that it is my intention to release all of my work, the source code for everything I've ever written into the public domain once my own commercial interests are no longer connected to it.

Leo Laporte

On you, Mr. Gibson, I did not.

Steve Gibson

Know that that's I'm going to do that. Yeah. Now, ideally this would occur at some point when I still have some cognitive faculties available so that I could shepherd the code into the world and be available to answer any questions that would doubtless arise. So I very much look forward to that day, since I think it would be a lot of fun. But the bottom line is that yes, once I hang up my spurs or am struck by lightning, everything I've created will be released to the public, and I would be honored if there was interest in keeping it alive and growing into the future in whatever form might make sense.

Leo Laporte

Nice.

Steve Gibson

So it will not all be lost.

Leo Laporte

Yay.

Steve Gibson

Galen wrote hello Steve in episode 1019. You're talking about the constant Internet spam and brute forcing going on. It is so much worse than you stated, he said. I have SSH open on my home lab so that I can manage it remotely with fail to ban configured failed to ban monitors auth logs and can do automated actions based on successive failures. I have failed to ban set up to ban the IP of anyone who has two failed login attempts for three hours, then ban anyone with two bands in the same day for a year. As this lab is only used by a close friend and myself and we both use keys to authenticate, it's unlikely for us to ever have a failed login attempt. I set it up with a discord bot to automatically notify me of bans and send me daily reports on ban counts. And it is crazy to watch.

Leo Laporte

Yeah, I bet.

Steve Gibson

I've seen days with up to 5,000 unique IPs banned. Normally it's around 300 to 500. I see a failed login attempt around every 2 to 3 minutes 24, 7, 365. Not all of them end up banned because some of the bots space their logins out a lot. I have banned around 26,000 unique IPs and at any moment have around 4,000 banned. I highly recommend that anyone hosting publicly accessible SSH install fail to ban even with just the default settings ssh. Thanks for the podcast Galen. Now this was a great data point and not only supports what we were talking about four weeks ago during podcast 1019, but also more recently when I was talking about the fact that typical network monitoring is only looking at what gets inside the network. While certainly that that certainly inside the network is of the most concern, there's still the fact that we don't know what we don't know. The fact that Galen has witnessed this firsthand has doubtless altered his behavior in a healthy direction. It will serve to inform him about just what a jungle it is out there and the degree to which he can really never afford to take his own security for granted. Say, for example, that he was still relying upon username and password for protection. If he didn't already know better, and he does. But if he didn't, seeing the truth about how much attention his own SSH server is drawing would doubtless motivate him to take the time to be as secure as he could possibly be. Like Galen, I've looked at my own external bandwidth logs and what's going on out there. As he said 24-7365 it is truly harrowing. I mean, it's insane we talked a few podcasts ago about the abuse of login attempts to Microsoft Outlook and how wrong it feels that Microsoft are not providing better abuse protection. Everyone knows that credential stuffing attacks have grown to become one of the major threats on the Internet, yet Microsoft only offers geofencing for their enterprise users. A few podcasts ago I took the opportunity to rave about my absolute favorite SSH client and SSH server, bitvice for Windows. Many of our listeners wrote to let me know that Windows already has SSH client and server solutions built in. And that's absolutely true. Windows now offers the industry standard setting OpenSSH server. So thanks to our listeners for notifying me of that. But Windows doesn't have bitvice built in. In addition to having an extremely pleasant zero learning curve graphical user interface, I have my bitvice server instances configured to only consider ever accepting incoming connections from IPs located in the United States and within the US since connecting to the Bitvice SSH server with the Bitvice client is 100% reliable, a single failure to authenticate from within the US permanently blacklists that IP. And just so that I'm not locked out in the event that I fumble finger the connection at that client end, I have permanent whitelist IP overrides for the two IPs I would probably always be connecting from. As I've mentioned previously, my two cable modem IPs are extremely static and all of that is after configuring the server to only accept authentication via a public private key exchange challenge. Finally, all of that was done with a Few clicks of a mouse while browsing the bitvice user interface. So much as I strongly prefer living off the land solutions using what's already present, in this case, I'm not giving up bitvice for anything. It remains my highest possible recommendation. For anyone who wants to run an SSH server on Windows, it is trivial to implement that level of multi layered security. I cannot imagine like Galen running an SSH server where you don't at least, I mean like at least geofencing. Why would. If I am always in the US and I virtually always am, why would I ever entertain having my SSH server accept a connection from India? And that's as it happens, where they're like the majority of them are coming from. That's just, you know, no. And it's easy to just click a button and say us only. Thank you very much. And speaking of the utter mess that the Internet is outside of our walls, we have a note from Matt Davis. But before this, Leo, since we're at an hour and a half in. Sure, let's take a break and then we're going to continue with some great feedback from our listeners.

Leo Laporte

You're going to like this next sponsor. Brand new sponsor on the show.

Steve Gibson

Yay.

Leo Laporte

And they do a very clever way to train your employees not to click on a phishing email.

Steve Gibson

Very good.

Leo Laporte

They gamify it so it's fun. I'm talking about Hox Hunt. H O X H U N T.com as a security leader, I'm talking to you. You get paid to protect your company against cyber attacks, right? But it's getting harder and harder, more cyber attacks than ever. And of course I think the majority of them come through phishing emails and nowadays generated with AI so you can't look for grammatical errors anymore. Like they're well written, they're very convincing. So you need an awareness program, right? You need to teach your employees what not to do. But legacy, one size fits all awareness programs don't stand a chance against modern phishing attacks. At most they'll send, you know, four generic trainings a year. Employees ignore them. You actually have to crack the whip to get them to take these trainings. And then when somebody actually clicks, you know, like on the test phishing email, right, Then they're forced into embarrassing training programs that feel more like punishment than anything else. There is a better way. More and more organizations are trying Hawks Hunt. And I got to tell you, it is fun. It's fun. Hawks Hunt goes beyond security and awareness and changes behavior by rewarding good Clicks and coaching away the bad. Whenever an employee suspects an email might be a scam. And some of them are legitimate scams, some of them are from Hawkshunt. Hawkshunt will tell them instantly and you get a gold star providing that dopamine rush that gets people involved. They want to click, they want to learn, they want to protect your company. They want the gold star as an admin for you. Hawkshunt makes it easy to automatically deliver phishing simulations. It's not just email. You can do it in Slack, you can do it in teams. You can use AI to mimic the latest real world attacks. I mean they are up to the minute. The simulations, even better, are personalized to each employee based on department location and more. So they're really effective. And while instant micro training solidify understanding and drive lasting, safe behaviors, you can even trigger gamified security awareness training that rewards employees with stars with badges, boosting completion rates, ensuring compliance. You actually get it. In fact, the Firehawks Hunt people told me this. The employees say, give me more, give me more, give me more. This is great. It's like, it's like duck hunting, right? You're going, oh, I got one, I got one. Choose from a huge library of custom for you customizable training packages. You can even generate your own with AI. Hac Hunt has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. You need this. But you don't have to take my word for it. There are over 3,000 user reviews on G2, making Hox Hunt the top rated security training platform for enterprise, including easiest to use best results. It's also recognized as a customer's choice by Gartner and thousands of companies like Qualcomm, AES, Nokia use it to train millions of employees all over the globe. This is so much fun. You actually can go to the website and get a simulation. You can see how, how this makes it fun for your employees to be smart, to learn to protect you. Visit Hawkshunt.com Security now today to learn why modern secure companies are making the switch to Hawkshunt. Hoxhunt.com Security Now. It really works and it's so much fun. Hoxhunt.com Security now. Fun and effective. That's kind of a good combination. Okay, Steve, on we go.

Steve Gibson

And a great advertiser for the podcast, isn't it?

Leo Laporte

It's perfect, right? It's exactly what everybody needs. Yeah.

Steve Gibson

Okay, so this is a great, great piece from listener of ours Matt Davis, who said hi Steve, I wanted to share a bit of unexpected side effect that I experienced a few months ago when let's Encrypt stepped up from single perspective issuance and started requiring a second perspective. Remember we talked about this a few weeks ago how due to the possibility of local border gateway protocol hacking, the CA browser forum had decided that certificate authorities would need to be verifying Internet domain control from from multiple viewpoints on the Internet. So he said I run a small web hosting business on the side for a few clients and one client called me one morning to report that her website was showing the big scary red certificate warning page in Chrome. I took a look and sure enough her let's Encrypt certificate had expired the evening before. As you know, all let's Encrypt certificates should be renewing automatically through the ACME protocol. And of course just pause here for a second. This is the big nightmare, right? With short lifetime automated delivery of certs is what happens if anything ever happens to interfere with that process. Suddenly all the websites that are needing to be renewed can't be. So let's hope that doesn't happen. Anyway, it happened to a client of his, right? So what happened? He says. After troubleshooting this problem for over an hour, I eventually realized what was going on. This client runs a small local photography business in the US. In working to secure her WordPress site, we made a quick and easy decision. She did not need any web traffic from China, Russia or any other country banging at her digital door. If the person trying to access the site wasn't in her local area or even in the usa, they simply had no business being there. So we set up Cloudflare to block all traffic from all 194 other countries. It was of no use to her and it eliminated massive amounts of bot traffic, image theft, hot linking, AI scraping, WordPress login attempts, and other shenanigans. After implementing that rule, requests to her site again, a local photography business dropped over 95% and bandwidth was reduced by even more than that. However, now with ACME challenges coming from random countries around the globe, I've had to take steps to white list those let's Encrypt challenges, no matter where they come from. Multi perspective issuance has reduced this site's security as our web application firewall is now forced to allow certain traffic from any country at any time. This may be an unusual example, but when a website really doesn't need to be global, you can easily reduce your attack surface through goip firewall rules and other limitations. Or at least you used to be able to thanks Matt. So wow, what a great real life example of the mixed blessing consequences of increasing security. Whenever we tighten anything down to prevent its abuse, we run the risk of triggering false positive blocks. You know, in my own example of super tightly locking down my own access to my bitvice SSH server instances, I was acutely aware that yes, there would be some risk that I might lock myself out of my own server, but that was a balance that I judged to be easily worth the risk in the multi instance or in the instance of multi persistence Issuance Corroboration, which was the title of our podcast a few weeks back. We've only heard from one of our listeners just now, Matt, and thanks for sharing that Matt, that what a great story. But it's not difficult at all to imagine that there were probably many thousands of other ACME based certificates that were also probably recently similarly impacted. And that's right, that by needing to allow a subset of queries from anywhere through to his client server so that it's able to authenticate its control of the domain, he has been forced to reduce that website's overall security. And if Matt were to tighten down on the class of foreign queries that were allowed to reach the server so that only those qualifying were allowed, that is if he were to like be really specific about what his server accepted, then any change that let's encrypt might make to their own query protocol could again cause a breakage. We're we're living in a world of trade offs. One thought I had, and I imagine this probably occurred to Matt, he didn't say was that let's Encrypt queries over port 80 using HTTP are what are generated. That is to say, it makes sense, right? You since since Port 443 is what you're trying to provide a certificate for, let's encrypt. Acme protocol works over port 80, which is not encrypted. It itself does not require encryption in order to do its job. So it uses port 80 because it needs to be sure to be able to make a connection even when there's no certificate present because it's about issuing certificates. So let's encrypt queries over port 80 using HTTP. The good news is that pretty much Nothing else uses port 80 anymore. We were recently talking about Cloudflare dropping all API support over port 80 because they just don't need it. I haven't looked at cloudflare's country based filtering closely. But if it were possible to block all Port 443 access from everywhere other than the US that ought to restore much of the benefit of a full blanket block. In other words, block all 443 from everywhere but the US but not port 80 which could be coming in from ACME verification. So that would mean that only traffic coming to port 80 would be allowed from anywhere. Otherwise 443, which is really all you need now for a website, could be restricted to the US which as Matt saw was a huge win. Then since let's encrypts ACME protocol always and only looks for its domain control authentication token in the ACME challenge subdirectory of the well known root directory. That is to say, there's one specific directory where the ACME protocol looks in. It would probably be possible to set up a HTCess or a web config rule to only allow queries over port 80 to that one directory which would like be absolutely uninteresting to anybody. But ACME protocol that that ought to allow let's encrypt to obtain what it needs over port 80 incoming from anywhere in the world, while not giving any of the rest of the non US world anything that it might find interesting. No login attempts for example, or you know, any of the other shenanigans that Matt talks about. And boy, what a lesson that is to just to geofence a site that does not need international presence in order to dramatically reduce all of the crap that, you know, the Internet otherwise is. And it's not, you know, her site's not like some big deal, right? It's a local special interest photography site for, you know, her region, yet look what it's subjected to. Wow. Daryl in Kansas says Steve. I'm a spin, right? Site license guy. Much appreciated, Darrell. I listen to security now every episode. How safe is the trust this computer option for websites when you're at home on your own network? He says, I use a Chromebox for extra security. Do you click yes or let sleeping dogs lie? Thanks for security now and hi to Leo. Hi Leo.

Leo Laporte

Depends how much you trust your spouse or evil maid, I guess.

Steve Gibson

Right. Well, and the sense is I wanted to explain to Darrell what was going on. So what's going on beneath the surface is not at all obvious from the question itself, right? You know, trust this computer. Like what you know, it's my computer, why would I not trust it? So as we know each of our web browsers, which makes queries to remote websites. Each of those queries stand alone. That means that unless something explicit is done, there's no way for a remote website to know who any given query is coming from. That's something explicit that is now always done is that anytime a web browser query is made which does not include a browser cookie, one is sent back to the browser. A unique cookie is sent back to the browser with its reply, so that all subsequent queries which issue from that browser will automatically be tagged with that new unique cookie, since that browser cookie will always be returned. So the first thing to appreciate is that all of the web browsers that are querying remote web servers, if they don't already have one, are each given a unique cookie so that the remote site has some means of telling them all apart. The next important point is that if a specific user identifies themselves to that remote website by logging into it using some credentials, it's the ongoing presence of this cookie that serves to keep them logged in. Their logged inness is thanks to that cookie. Okay, next, it's probably always possible to deliberately and explicitly log out of any website. There's always going to be some logout option, generally, you know, by growing convention in the upper right hand corner of the website's pages. But the question is, what happens if you do not remember to log out? Many websites don't care at all how long you've been gone, how long you've been away. When you return, you'll still be logged into that site. And the only reason you'll still be logged into that site is that your web browser has remembered and still has the cookie it received the last time you were logged in. GRC uses the ZenForo software for its various web forums. And I cannot recall the last time I was asked to log into my own forums. You know, for me that's a convenience, and I'm sure it is for all of the people who hang out there. You know, since in my case I'm the only one using any of the computers where I'm logged into our forums. So I'm able just to go to forums.grc.com and pick right up where I left off. The same thing is true for x.com actually. There was an instance where about a couple months ago I got logged out and I had a hard time getting logged back in because, I mean, I'd been logged in for years and something happened where I lost my, my, my browser cookies and so I had to like, you know, do it again. So it's a, you know, Everybody's used to now, these days you just sort of, you stay logged in. But what if multiple people use the same computer? Or what if you're logging in at an Internet cafe or, or in a public library? In that case, you would not want your login to be so persistent. And that's what this Trust this computer checkbox, which often accompanies a logon page, is all about. Cookies all come with an optional expiration date. If that date is ever reached, the web browser will no longer honor the cookie. Instead it simply deletes it. But I mentioned that the expiration date is optional. If a cookie is given to a web browser without any expiration date, then that cookie is deliberately never written in any way to any form of persistent physical storage. It is only deliberately and explicitly ever retained in ram. That means that once the web browser application is closed, the values of any of the non expiration dated cookies it may have received while it was running will be lost forever. And that's the beauty of not having the Trust this computer checkbox checked when you log into a website. When logging in with that checkbox unchecked, any logon authentication cookie your browser receives will have no expiration date set. So it will be ephemeral. And your logged in identity will be deliberately lost when you close the web browser application. So, Darrell, in Texas, I mean in Kansas, you asked how safe is the Trust this computer option for websites when you're at home on your own network? And only you can really answer that. But now you probably can, since you should have a good understanding of exactly what that means. It boils down to whether anyone else might have physical access to any computer where your prior logins would be persistent because you had enabled the Trust this computer option, which will have created persistent logon sessions. If you're the only person who has access to any computers where you might have left a site logged on, then remaining logged on is likely a convenience that would have no downsides. But if others might use a computer where you were left logged onto a site which you would prefer, they not gain access under your account. And since you might easily forget to explicitly log out after using that site, then logging in in the first place with Trust this computer disabled would mean that you'll be automatically logged out when the browser is closed or the computer's turned off. So that's the whole tune up on what's going on with that checkbox.

Leo Laporte

It just means it used to be that sometimes they'd say, are you on a public computer? Remember that? And that May be a little easier to understand for people like.

Steve Gibson

Yeah, I mean, it's like my own computer. Why would I not trust.

Leo Laporte

Right.

Steve Gibson

Because it has an in Pub folder on it.

Leo Laporte

Yes, that's a good reason. But I mean, so I think that that's probably a more accurate way to ask the question. Obviously some lawyers are, you know, seriously trust this computer.

Steve Gibson

I guess, I guess because if you were at a computer in an Internet cafe.

Leo Laporte

Right.

Steve Gibson

Or in.

Leo Laporte

Then you would certainly not. Right?

Steve Gibson

Because I don't trust this computer. I don't know who. Who's going to look at it next.

Leo Laporte

Right. So I think that public computer made more sense to people. But I guess, yeah. Do you trust this computer?

Steve Gibson

Yeah. And you can't ask. Would you like your logon session to be forgotten?

Leo Laporte

Yeah, that's easy.

Steve Gibson

Shut the browser down. I was like, what?

Leo Laporte

Actually, that is the right question.

Steve Gibson

That actually is the right question.

Leo Laporte

That is the right question.

Steve Gibson

Yes.

Leo Laporte

Maybe they should ask that.

Steve Gibson

Okay. And one last piece of feedback from Angus McKinnon. He said after reading the following. What would you recommend? He said, I am a Backblaze customer now. Okay. Angus's note included a link to a document from the website of Morpheus Research. I have the link in the show notes for anybody who might also be a Backblaze customer.

Leo Laporte

Before you get too far into this though, I do want to issue. I've been looking at this and trying to figure out whether we should talk about it.

Steve Gibson

Okay.

Leo Laporte

Backblaze denies it. They say these Morpheus guys don't know what they're talking about.

Steve Gibson

Okay. So for what it's worth, I was very careful to say that, you know, based on this, who knows?

Leo Laporte

This basically came from somebody who is shorting Backblaze.

Steve Gibson

So although from. It doesn't sound like there's much left to short.

Leo Laporte

Well, if you believe this, that's the point.

Steve Gibson

Okay, so let's. So let's. So let's do this. Because they've been around forever. They've been around for 18 years. You know, the name is very familiar. They were founded in 2007 and they went public four years ago in 2021. Nobody disputes any of those facts. Apparently their stock is not worth what it once was. And so Angus saw the same research that you and I, Leo have both seen, and he's freaked out by it. I ended up noting that this research said that they. That Backblaze had lost many of their customers to Wasabi. And all I know about Wasabi is that they used to be a sponsor of the network.

Leo Laporte

I Know the guy who created Wasabi and he's a good guy.

Steve Gibson

Yes.

Leo Laporte

So I like Wasabi.

Steve Gibson

So what we'll say to Angus and any of our listeners who may also be back Blaze customers is I have a link to uncorroborated.

Leo Laporte

That's what it is report. Yeah.

Steve Gibson

Which would, if you like were really dependent on your backed up data, worry you whether you would be right to be worried.

Leo Laporte

Yeah.

Steve Gibson

I don't know.

Leo Laporte

A lot of people in our community use Backblaze, so it just makes me very nervous. I really went back and forth about whether I would want to report this story or not.

Steve Gibson

So it's there and I think we've, we've said enough. Yeah. I don't know how to correct.

Leo Laporte

He came from a short seller. So that means somebody who has shorted their stock who wants to benefit from.

Steve Gibson

Further driving it down.

Leo Laporte

He wants their stock to go down so he can make money. So that's the only reason I, that was a alarm bell. And plus that. And back place is a great company. They have been for a long time. They do that hard drive report which is extremely useful. I know many people have been using, who use Backblaze, including many of our hosts. So I'm very reluctant to.

Steve Gibson

So I get. So, okay, so I, So, so I would say I don't care about Backblaze's status because I haven't ever used them and I don't use them.

Leo Laporte

Right.

Steve Gibson

There are many allegations here that could be checked. You know, there are some that can't be right. Like the value of their share price. That's a matter of public record.

Leo Laporte

Right. So Backblaze says the report is inaccurate and misleading based largely on litigation of the same nature and a clear attempt by short sellers to manipulate our stock price for financial gain. They claim that independent third party reviews have found there has been no wrongdoing or issues with Backblaze's public financial results.

Steve Gibson

There's an allegation there are allegations of multiple lawsuits against them. So that would be something that is also in the public record.

Leo Laporte

That's true. Those are true. Those are real. Yeah, it's. Yeah. I mean it's important to know. Just my, my journalistic nose went up a little bit and I thought, well.

Steve Gibson

They'Re also in my hometown, which made me sad.

Leo Laporte

They're in Irvine. Well, that means they're good.

Steve Gibson

No, no, no, they're in San Mateo in the.

Leo Laporte

Oh, your hometown. Hometown, yeah. Where you grew up.

Steve Gibson

That's where I grew up, in San Mateo.

Leo Laporte

You know, we'll, we'll keep digging on this and we'll absolutely report on it if we can get any corroboration of these allegations.

Steve Gibson

Yeah. And mostly I just wanted to bring it to our listeners attention because this, you know, Angus was worried because he's a Backblaze customer and he said, what do you think about this? And again, the way I phrase this, I said, you know, you know, I said. This report clearly unnerved our listener, Angus, who wonders what I would recommend.

Leo Laporte

The lawsuits came from two former employees, one of whom was their head of finance for four years and the other as a VP of investor relations. So the lawsuits and their real lawsuits, but they haven't been adjudicated yet either. So I just. I don't know.

Steve Gibson

Yeah. And, and, and the report alleges that since the IPO, the share price has dropped by 71%.

Leo Laporte

Right.

Steve Gibson

Again, you could. That you could look that up. That's. That would be a matter of public record.

Leo Laporte

Yeah.

Steve Gibson

They apparently raised $100 million when they went public. And. Yeah. And I mean, I've never heard anything negative about Backblaze. So, you know, and who's to say, Leo, that if the company's in trouble, they're a public company, they've got customers and assets and revenue. They might be purchased by a big fish.

Leo Laporte

Right.

Steve Gibson

So they, it. They, you know, it's not to say that, you know, that, that they're not a going concern and would not remain viable.

Leo Laporte

Yeah. Their quarterly results come out May 7th. Maybe we'll learn more then. Cool.

Steve Gibson

And I'm glad you gave us a.

Leo Laporte

Yeah, well, I've been going back. I've been, you know, since this story broke, I've been going back and forth about how we wanted to report it. And so I'm glad you brought it up.

Steve Gibson

Yeah. And that case listener needs to know. They know.

Leo Laporte

Yeah. They can do with it.

Steve Gibson

Even though we're not able to make any kind of representation. Right. What we can represent is why it would be good to be in the club.

Leo Laporte

I would love everybody to join our club. And here's something I can tell you. Even if we were to go under, it's only seven bucks a month. Come on, guys. Oh, look, we're in little round portholes. Hi, everybody.

Steve Gibson

Can I come over to yours?

Leo Laporte

Yeah, come on over. Steve, what is the club? Well, four years ago, we created Club Twit. It was right in the middle of COVID and advertising was starting to disappear. And we thought, you know, all along, from day one. And I know you remember this, Steve, the whole idea Was we want to be supported by our audience. Our community is the best. That's what makes Twit. We realized early on that to grow in the way we wanted to, we were going to have to take advertising. In fact, your show was the first to have an ad. But I still have that kind of dream of being supported by the people who listen to us. What we decided was we could kind of split it down the middle for seven bucks a month, which is as low as you can go. I mean, you know, this is a heck of a deal. You get ad free versions of this show and all of our shows. You get access to our club Twit Discord. A great community where you can hang out with like minded smart people. And it goes all around the clock, not just when the shows are on. There's also events going on. We're going to do all the keynotes in there. For instance, from now on, Microsoft's build, Google I O, Apple's wwdc because we keep getting takedown threats from Apple. So we just thought, well, we'll do it in the Discord for club members only. So we're going to do that. We also have, you know, things like Micah's crafting corner. The Giz Whiz is coming up with a special 2000th episode at Reunion. We we're doing the photo Chris Marquardt, our photo guy, this Friday. Anyway, I can go on Stacy's book club. These are all things that we don't do in public. We do in the club as a benefit to club members in return for you supporting us. We like to give you a little extra value, but the real value is knowing that you're supporting the work Steve does and everybody in this network does to keep producing content that we hope you love. It's a way of voting Twit TV Club Twit. If you're not a member, I hope you'll consider joining. We'd love to have you. Twit TV Club Twit.

Steve Gibson

Hey friend. I know how this feels. Waking up exhausted after multiple trips to the bathroom and feeling embarrassed by sudden leaks. I used to be constantly on edge, searching for a restroom whenever I was out. Then I discovered Better Woman. I was skeptical at first, but two months in, everything changed. I experienced improved bladder control. No more heart stopping moments when I laugh or sneeze, less urge to go deeper and more restful sleep. I finally felt like myself again. Confident and in control. Better Woman is natural, effective, clinically tested and trusted by Women for over 25 years. Ready to take back your control. Head over to bebetternow.com to order your supply today. That's bebetternow.com these statements have not been evaluated by the FDA. This product is not intended to diagnose, treat, cure, or prevent any disease. Uses directed Individual results may vary. Hi, I'm Chris Gethard, and I'm very excited to tell you about Beautiful Anonymous, a podcast where I talk to random people on the phone. I tweet out a phone number. Thousands of people try to call. Talk to one of them. They stay anonymous. I can't hang up. That's all the rules. I never know what's gonna happen. We get serious ones. I've talked with meth dealers on their way to prison. I've talked to people who survived mass shootings. Crazy, funny ones. I talked to a guy with a goose slap, somebody who dresses up as a pirate on the weekends. I never know what's going to happen. It's a great show. Subscribe today.

Leo Laporte

Beautiful Anonymous all right, Steve, I'm dying to hear more about this Sandbox Escape, or whatever you call it. Well, what do you call it? Is it Escape? Is it?

Steve Gibson

No, it is. Malware has figured out, hey, there's this cool thing called Windows Sandbox. Let's hide in there. So last week's Windows Sandbox podcast reminded us that, you know, Everybody with Windows 10 or 11, with the exception of Home Edition users, has access to a very nifty Windows execution environment specifically designed to allow users to safely experiment with throwaway programs, installations, files, and anything else without having any impact on their primary Windows OS installation. And moreover, I was very impressed with Microsoft's surprisingly efficient and economical implementation, which got so many things right. One interesting feature of Windows Sandbox, which I believe I mentioned in passing last week, is that Windows Defender, and this is certainly salient here, is disabled by default within the Sandbox, and it cannot be enabled via either the GUI or PowerShell commands.

Leo Laporte

Interesting.

Steve Gibson

So isn't that a nice little place for malware to hide? Somewhere where there is no av? Now, this decision was presumably made because running Defender inside the sandbox would slow everything down, because users might specifically wish to run things that would cause Defender to freak out, you know, to quarantine and delete their files. And because the entire point of the Sandbox is that it's a safe place where terror may reign with confinement and nothing can get out. You got full confinement there. So unfortunately, it would probably come as no surprise to anyone who's been following this pat this podcast for long to learn that the bad guys have figured out how to take up residence in Windows Sandbox as a means of obtaining secret persistence within Windows systems while still being hidden from Windows Defender and any other AV scanning which you know might be patrolling the grounds outside the sandbox but be unable to see inside. So let's take a closer look at how Windows Sandbox is being abused and what that means, and then we're going to examine what can be done to prevent its abuse, whether a user wishes to use Windows Sandbox or not for themselves. So I'm going to start by sharing a piece of an overview of the problem, which appeared in the Risky Business newsletter. That newsletter was headlined Chinese apt. So yes, we have Chinese Advanced Persistent Threat Actors. Chinese Apt abuses Windows Sandbox to go invisible on infected hosts Catalan, writing on the newsletter, wrote, A Chinese cyber espionage group named Mirror Face, also known as earth, Kasha and Apt10, is abusing the Windows Sandbox virtual environment to hide the execution of its malware on infected systems. Attacks incorporating Windows Sandbox have been taking place since 2023 and represent the first known case of Windows Sandbox abuse since its release in December of 2018. As the name hints, the feature allows Windows users to start an isolated sandbox where they can temporarily install and test apps, and then shut down the virtual environment without impacting the main OS and their data. It functions as a virtual machine, but it doesn't have all the bulky features of a vm. It's light, super fast, easy to start and use. Abuse of this feature sounds implausible because Windows Sandbox support is disabled by default, and when a sandbox is started, it runs in a window in the user's foreground. But according to reports from the Japanese government and eset, Mirror Face has found a way around these limitations. The group gains an initial foothold on compromised networks, enables Windows Sandbox, restarts systems, then silently launches Windows Sandbox instances that do not appear on the screen. This is accomplished by launching the sandbox via task scheduler under a different account from the user's current one, so the Sandbox UI never appears on the logged on user. The Mirror Face operators drop malware in a folder on the infected systems, then use windows sandbox.w sb configuration files to share access to that folder to the sandbox. Grant the Sandbox network access, then configure one of the malicious files to automatically run I'm sorry to automatically run when the Sandbox is executed. Since Windows Sandbox environments cannot run Defender, nothing happens inside and is either logged or detected. This allows the attacker to install malware and open a hidden backdoor inside that system and a victim company's network. Japanese security firm Ito Chu explains how how blind companies can become against Windows Sandbox based attacks. They wrote, since the malware in Windows Sandbox operates according to the WSB files configuration, it can access files on the host machine. However, because the files are accessed from the sandbox, activity is never logged by monitoring tools running on the host system. The technique used by mirrorface seems to be an evolved version of of a technique first documented by security researcher Lloyd Davies back in 2020. ITOCHU researchers say the abuse can go a few steps further since new features are constantly being added to Windows Sandbox. For example, the Windows Sandbox can now share clipboard audio and video input with the base os. The Windows Sandbox can now also be started via command line arguments using the new WSB exe command, which removes the need for WSB configuration files, which are artifacts security firms could use to detect possible abuse. The technique is incredibly simple to automate, even for low to mid tier skilled malware developers. Once detailed in these reports, it is likely to spread to other groups. The first to jump on and abuse this technique are likely ransomware gangs. Some groups are already using something similar. At least half a dozen ransomware groups have been spotted installing bulky VM software, you know, full virtual machine suites on infected hosts just to start the VM and send victim files to be encrypted inside where security tools don't have access to spot the ongoing encryption. Since Windows Sandbox is built in and present on all Windows 10 and Windows 11 systems, and the app's file is signed by Microsoft itself, abusing it is likely easier and safer. Itochu has published some monitoring and infection remediation advice to detect this technique, but the cat is out of the bag now, and further and broader abuse is now expected to start taking place. Okay, so one thing that's very interesting is the observation that the Windows Sandbox is able to launch and run under a different user's account, so that the foreground user never sees any indication that it's happening in the background. And here the inherent efficiency of Windows Sandbox, which so impressed me last week, actually works against the user, since its lightweight nature means a user would be much less likely to wonder where all their free RAM went, because it wouldn't be going anywhere, it wouldn't be consuming very much, just like an app. Also, the default enabled Clipboard sharing is a bit chilling since it would be a bit like having a malicious instance of Windows recall running unseen in the background, capturing anything the foreground user might temporarily place onto their clipboard, such as a cryptocurrency wallet address. I was curious to see what this researcher Lloyd Davies came up with five years ago in 2020. Whatever it was, Microsoft apparently blew it off without a second thought since we're now five years downstream of that and Windows Sandbox is still here and completely abuse prone. Five years ago, under his headline Weaponizing Windows Sandbox to Bypass Defender, Lloyd Davies wrote this short blog post may be useful for a red team living off the land for the execution of payloads on a machine where Windows Sandbox can be enabled. Windows Sandbox is designed to work this way. No exploitation of anything is covered in this post with this technique. In terms of executing within a vm, we don't need to load an external ISO onto the machine as all of this is handled by the sandbox. In my research, the Sandbox WSB configuration file was not inspected or blacklisted on any major EDR or av. At the tail end of last year, Microsoft introduced a new feature named Windows Sandbox WSB for short, when the sandbox allows you to quickly, within 15 seconds create a disposable Hyper V based virtual machine with all the qualities a familiar VM would have such as clipboard sharing, mapping directories, etc. The sandbox is also the underlay for Microsoft Defender application guard for dynamic analysis on Hyper V enabled hosts and can be enabled on any Windows 10 Pro, Enterprise or Education machine, making this perfect as a living off the land technique. So you know he's couching this all as red team, not you know like how like a red team who is our good guys acting to see like to do exploit testing against someone who has hired them to to check their defenses could use in order to obtain a an undetected presence on computers. So he says the TLDR of this technique is to craft the WSB that can be executed on an endpoint which mounts the user's file system, allowing us to execute the implant inside a hidden VM and bypass any avedr that's on the host. The WSB configuration also seems to be bypassing Windows Defender on the host where it's executed. It's not incredibly complicated, but could prove useful in an engagement. Lloyd then proceeds to talk about a document the various ways very powerful WSB files can be created to give a malicious sandbox all the power it might need on the user system, all while always remaining completely hidden and undetectable. He concludes his observations by writing a similar technique has been used by the infamous Maze and Ragnar Locker threat actors in recent times. However, they've installed third party virtualization suites such as VMware and VBox using Windows Sandbox bypasses the requirement for this software to be installed. To complement this technique, he says, I created a simple Go program to find drives automatically and mount network shares that include them as mapped folders, and then generates a WSB based on this. I have a link in the show Notes to an English language translation of the talk that was given last January in Japanese by the Ito Chu researchers. Among the many other things they've noted is that with the introduction of Windows 11, Microsoft enhanced the sandbox's features in ways that allow for additional abuses, they wrote the changes to Windows Sandbox after the Windows 11 update are as follows. Addition of the WSB EXE command, enabling Sandbox execution via the command line, background execution of the Sandbox, and the ability to modify certain settings via the gui. These recent feature updates may make it more difficult to detect attacks leveraging Windows Sandbox. The key reasons for this are as follows, and they list three background execution of Windows Sandbox previously, in Windows 10 and early versions of Windows 11 Windows Sandbox always ran as a foreground GUI application. However, with the new WSB EXE start command, it can now run in the background. As a result, the Sandbox can be launched without user awareness, and its window remains hidden until the WSBexe connect command is executed. Second, sandbox execution without a WSB file the updated WSBexe command allows sandbox configurations to be set entirely via command line arguments. Previously, WSB files were an important forensic artifact during investigations, but this change increases the risk of leaving no trace of Sandbox usage and third, persistent data inside the sandbox. In earlier versions, closing the Windows Sandbox window would terminate the process and delete all data within the environment. However, after the update, closing the window does not stop the sandbox and its data remains intact. To delete data, the sandbox must be explicitly stopped using the WSBXE stop command or terminated by shutting down the host machine. This change significantly increases the potential for long term attacker operations within the sandbox. Given these updates, security researchers must carefully verify whether such feature changes improve convenience for attackers and implement appropriate countermeasures when new functionalities are introduced. Okay, so I titled today's podcast Preventing Windows Sandbox Abuse because having now explored the dark side of this otherwise truly useful and nifty Windows Sandbox feature, if it's not something that its user will be actively using it might be worth considering taking some measures to neuter it so that it cannot be abused behind its user's back. My number one favorite way to do this would be to disable a system's virtual machine extensions capabilities at the pre boot firmware level. I recently learned that the BIOS settings backup battery on the aging gigabyte motherboard of my older Win7 machine had died. My neighborhood had a planned day long power outage while our local power company's equipment was replaced. When I fired my sheet my machine back up after having it shut down for the day, I quickly saw that it had lost its time of day and date clock. That's probably something that's familiar to us oldsters back in the days when no.

Leo Laporte

CMOS battery dies, the CMOS battery died exactly.

Steve Gibson

So I rebooted and went into the BIOS and set that the time and date correctly. Sometime later when I attempted to launch a Virtualbox virtual machine, I received an error that VBOX was unable to operate without the intel virtualization technology, which is abbreviated VT X enabled in the system's bios. I mentioned last week that the same is true for Windows Sandbox. The Microsoft Hyper V virtualization technology the Sandbox depends upon is in turn dependent upon having Intel's virtualization technology enabled. So the absolute best protection for anyone who does not routinely use either the Windows Sandbox nor any of the many other various virtualization systems, since all of those are now known to be prone to abuse as well, and especially Windows Sandbox, would be to simply run without the Intel VT X extensions enabled. No VT X means no virtualization. Funny business, period. Doing this will have zero impact upon Windows operation, and it will completely shut down any chance of abuse. Now if you do need to run virtual machines other than Windows Sandbox, you'll need to have the Intel VTX extensions enabled in your machine's firmware. Enabling Windows Sandbox requires admin privileges, but we know that doesn't present much of a barrier to malware, since pretty much everything bad that malware does requires admin privileges anyway, so they're able to get it. And we know that elevation or privilege exploits are constantly being uncovered. The solution for anyone who wishes to prevent any behind their back exploitation of Windows Sandbox and for whom disabling all use of virtual machine technology via the VTX extension is not an option, Windows App Locker is probably the next best solution. App Locker can either be configured in a Managed Enterprise setting, through group policies, or on a local machine using the local security policy. Snap in the use of applocker is straightforward and many how to's exist on the Internet. For anyone who wants to take that approach. Under Windows 10 or 11, you'll want to block the execution of the WindowsSandboxexe executable program, which lives in the System32 directory. It's System32WindowsSandbox.exe. And additionally, under Windows 11, you would also want to prevent the WSBexe command from being used once any of those have been foreclosed. Anything that tries to crawl into your machine and set up shop behind your back using the Windows Sandbox will be out of luck. And I'm not, I'm not suggesting that this is like, you know, the sky is falling and some, you know, major security problem to worry about. Remember that something bad has to get into your machine first before it's able even to have the opportunity to enable and use the Windows Sandbox sandbox behind your back. So it's not like having the sandbox. There is, you know, sending out a call for malware to come crawling in your machine. All of the, all of your existing defenses, Windows Defender and AV tools and everything else that's already there is still functioning. It's just that if something gets in, everybody now knows there is a new place for it to hide. And hopefully Microsoft will take some action and do something to minimize, you know, the potential for this behind our back abuse. Because this is if, you know, if bad guys are bothering to install VMware and VirtualBox on people's machines, they're sure going to be trying the Windows sandbox first.

Leo Laporte

Do they do that? They install virtual machines?

Steve Gibson

Yes, they bring the whole VMware or VirtualBox system in. Wow, it's crazy. And actually run a, you know, a VMware or a, a VirtualBox VM in the background.

Leo Laporte

Now, you don't have to, because you can just use Windows sandbox.

Steve Gibson

That's right. 15 seconds, you're ready to go. You bad malware, you.

Leo Laporte

Great, great stuff as always, Steve. Thank you so much. I appreciate this. Thank Lori for. She gives you up a couple of days a week for this. And I appreciate it.

Steve Gibson

And I looked. It was actually a conversation she was having with someone else that included me.

Leo Laporte

You were cc'd in I and it.

Steve Gibson

Was somebody else who was sending her messages that went to me, too.

Leo Laporte

So no one. I saw your puzzled look. It's like, why am I seeing this? That's all right. Lisa's texting me. She's at the big RSA conference in San Francisco right now. And A lot of our favorite people are there, including Hawks Hunt and the Threat Locker guys. Harun from the Thinkst Canary and she's hobnobbing. She's having a great time. It's so much fun. I she says next time you gotta go. You would really love rsa. Have you ever. You've been to rsa, haven't you?

Steve Gibson

It's where I found Yubico.

Leo Laporte

Right? That's right, that's right. A couple of years ago, it was actually January 2020 come to think of it. We had a party along with rsa and we found out later that a number of people at RSA had Covid. It was one of the first the appearances of COVID on our shores.

Steve Gibson

Whoops.

Leo Laporte

Whoops. I didn't get it then. I've had it since. But I think next year I'd love to. We'd love to do something with RSA because it's a, it's a great conference every year in San Francisco. All the security folks come by and it's a chance to see all the different tools and it's really, it's a, it's a fun community and you make it fun because you are the king of security. Steve does security now with us every Tuesday. I hope you'll tune in and watch 1:30 Pacific, 4:30 Eastern, 20:30 UTC. We stream it on eight different platforms. Club members of course can watch in the Discord, kind of behind the velvet rope. But we also are on YouTube, Twitch, tick tock. We're back on Tick Tock. We are on Kick, LinkedIn, Facebook and X.com so there's pretty much anywhere you go you're going to see. Oh look, security now is on. You can watch along if you're watching, you can chat on any of those platforms. And I'll see it over here in my master chat screen after the fact. You could download copies of the show. Steve has some unique copies on his website, GRC.com he has a tiny little 16 kilobit version for the bandwidth impaired. He has the 64 kilobit which sounds exactly the same as ours, but it's half as big. It's kind of a miracle. It's a complicated long story. We make 128 kilobit audio for reasons. He also has the show notes there transcripts written by an actual human being, not an AI, Elaine Ferris, who is smarter than any AI. And of course once you're there there's a lot of other things. The GRC site is great. For instance, you can pick up A copy of Spinrite, the world's best mass storage, maintenance recovery and performance enhancing tool. 6.1. The current version right there on the website. If you don't already have a copy and if you bought a copy in the past, the upgrade is available to everybody for free. Right. You. You upgrade everybody. Yeah.

Steve Gibson

That's really nice. Every single person in for.

Leo Laporte

I was looking at my license. I think I bought it 20 years ago.

Steve Gibson

Yeah.

Leo Laporte

And I got six. One. It's Steve's a very generous fella. If you want, you can sign up for his newsletters there, including the weekly mailing of the show notes the day before, but also a very infrequent newsletter which might announce new products like, I don't know, a DNS benchmark pro kind of a thing at some point. That is GRC.com email and actually the other reason to go there is to validate your email to show Steve you're not a spammer. So that way if you want to email him as Alan Malpantano did, you can email him and he will see it. Otherwise he ain't going to see it. Grc.comemail we have the 128 kilobit audio version on our website as well as video at Twitt TV sn. There is. You'll see a link right there to a YouTube channel. That's a good place to know about. That's the video. But it also is an easy, simple way to share little bits of the show. If you want to clip something and say, hey, I got to send this to, to my friend, do it there on the YouTube site. Everybody's got YouTube. It's easy. Everybody will understand how to use it. It's a great way to promote the show and we thank you for doing that. Of course, the best way to get the show for yourself is subscribe. That way you don't have to think about it. You'll get it the minute it's available. Any podcaster should have a copy of Security Now. Oh, and when you do that, please leave us a five star review. Share the, share the wealth. Let other people know how useful this show is. Don't keep it to yourself. That wouldn't be right.

Steve Gibson

It won't dilute it any, I promise.

Leo Laporte

No, as a matter of fact, it doesn't. It just strengthens the Solution. Next week, episode 1024.

Steve Gibson

Yay.

Leo Laporte

We hit one K, Steve, have a great week and we will see you next time on Security Now.

Steve Gibson

Oh, and it'll be May. We're gonna see you in May. Yay. May Yay. Bye.

Leo Laporte

Security. Now.

Steve Gibson

Ready to level up. Jumbo Casino is your playbook to fun. It's free to play with no purchase necessary. Enjoy hundreds of casino style games like bingo, slots and Solitaire anytime anywhere. With fresh releases every week. Whether you're at home or on the go. Let Shumba Casino bring the excitement to you. Plus, get free daily login bonuses and a free welcome bonus. Join now for your chance to redeem some serious prizes. Play Chumba Casino today. No purchase necessary. VGW Group Void were prohibited by law 18 TNC supply ugh. Spam calls sound familiar? Introducing line 2. Get a second phone number right on your existing phone. Imagine discounts, appointments online, forms. Handle it all without giving out your personal number. It's like having a secret weapon against spam. And when those unwanted calls sneak through. Boom. Blocked. No more interruptions, no more stress. Stay connected, stay protected. Keep your main number safe and out of harm's way. Ready to take back your phone? Visit line2.com audio or download line2 in the app Store today.