Is AI Replicating Itself?
Leo Laporte
It's time for Security Now. Steve Gibson is here. Big show ahead for you. We're going to talk about Pwn2Own, which is adding AI, which is interesting, in its exploit attacks. We'll also talk about an AI that's been found to be replicating. Has the red line been crossed? Steve's review of Andor, and what we discovered inside the US power grid.
Steve Gibson
Not good.
Leo Laporte
That and a lot more coming up next on Security Now.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1026, recorded Tuesday, May 20, 2025: Rogue comms tech found in the US power grid. It's time for Security Now, the show where we cover your security, your privacy, your online behavior with this guy right here, Mr. Steve Gibson of the Gibson Research Corporation. Hi, Steve.
Steve Gibson
Do not misbehave online.
Leo Laporte
We've been watching, you know and I you're going to the office tech we have today.
Steve Gibson
We'll know everything you do.
Leo Laporte
Everything. Everything.
Steve Gibson
As does China, apparently.
Leo Laporte
Yeah, well that's the topic of the.
Steve Gibson
Show today, is it not? Episode 10,000? Wait, no, 1,000. I've gotten a little ahead of myself.
Leo Laporte
Feels like it.
Steve Gibson
Yeah, it does. 1026 for May 20th. This actually came right off the headline of some Reuters reporting, which just had to be what we talk about today: Rogue comms tech found in US power grid. And as you said, Leo, to whose surprise? But yes, it's one thing to postulate, it's another thing to say, what is this little radio and who's it talking to? So really interesting topic for today. We're also going to talk about how the Chrome browser is going to be actively refusing to be launched with admin privileges. That's kind of a fun little bit of technology that they're getting from somebody else. We'll talk about Android Messenger getting manual key verification, something that Threema offered from the start. Pwn2Own, Leo, has updated what they call "in scope" to include AI. So we're going to see a Pwn2Own in Berlin shortly. And some Chinese researchers have demonstrated AI self replication, even though the major AI guys are saying, oh no, no, don't worry, it can't reproduce, you have nothing to worry about. Also, Microsoft has changed their plans for Office under Windows 10, which is maybe a little interesting writing on the wall. 23andMe has found a purchaser for their assets, and I'm not that worried about them. We've got a whole bunch of talking points, thanks to our listeners, that we're gonna go over. I'm gonna talk briefly about season two of Andor, and then we're gonna talk about what has been discovered, and where and why, in the US power grid. And wow.
Leo Laporte
That'll be.
Steve Gibson
Yeah.
Leo Laporte
Stunning story.
Steve Gibson
It's a little bracing.
Leo Laporte
Yeah, bracing is a great word. It's a. It's bracing.
Steve Gibson
It's bracing. And we do have a fun picture of the week that really brings it. It asks more questions than it answers for a change. You, you got, you look at it, you think, okay, who's in charge here?
Leo Laporte
Oh, I can't wait.
Steve Gibson
How did this happen exactly?
Leo Laporte
As usual, I've left it below the fold and I'll scroll up and we will see it at the same time.
Steve Gibson
We appreciate that.
Leo Laporte
But first, a word from our sponsor. This portion of Security Now is brought to you by BigID, the next generation AI powered data security and compliance solution. And man, wait till you hear who uses BigID. BigID is the first and only leading data security and compliance solution to uncover dark data through AI classification, to identify and manage risk, especially with generative AI, to remediate the way you want, to map and monitor access controls, and to scale your data security strategy, along with unmatched coverage for cloud and on prem data sources. BigID also seamlessly integrates with your existing tech stack. Of course, you wouldn't want to have to start over, and it allows you to coordinate security and remediation workflows. With BigID, you can take action on data risks to protect against breaches: to annotate, delete, quarantine and more based on the data, all while maintaining an audit trail. And you can do it with whatever you use: ServiceNow, Palo Alto Networks, Microsoft, Google, AWS and more. With BigID's advanced AI models, you can reduce risk, you can accelerate time to insight, and you can gain visibility and control over all your data. Intuit named it the number one platform for data classification in accuracy, speed and scalability. And I mentioned there's some pretty big names that use BigID. For example, the United States Army. Imagine the amount of dark data in all the kinds of nooks and crannies the Army has accumulated over the years, right? BigID equipped the US Army to illuminate that dark data, to accelerate cloud migration, to minimize redundancy and automate data retention. In fact, we got this great quote from the US Army Training and Doctrine Command. This is a direct quote: "The first big wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data across emails, zip files, SharePoint databases and more. 
To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings this together like BigID does." You can imagine the Army's needs for something like this. CNBC recognized BigID as one of the top 25 startups for the enterprise. Maybe you need it too. They were named to the Inc. 5000 and Deloitte 500 four years running. The publisher of Cyber Defense Magazine says, and there's a quote also, "BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost effective solution, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach." Start protecting your sensitive data wherever your data lives at bigid.com. Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's bigid.com/securitynow. Also, there's a free white paper that provides valuable insights for a new framework, AI TRiSM, T-R-I-S-M, that's AI trust, risk and security management, to help you harness the full potential of AI responsibly, at bigid.com/securitynow. B-I-G-I-D, bigid.com/securitynow. We thank them so much for supporting Security Now, and I think pretty important work Steve is doing here. We love our advertisers because they help you stay safe, right? Just like Steve Gibson. I am ready now, my friends.
Steve Gibson
I gave this picture the caption. I'm sure there's a lesson here somewhere.
Leo Laporte
Okay, let's scroll up and look at it. Okay. I'm seeing a ceiling. Okay, you wanted to. That is really awesome. That is just so awesome.
Steve Gibson
So what we have now, anyone who is installing a ceiling fan would automatically understand that it spins.
Leo Laporte
Yes.
Steve Gibson
That being a fan, it's got blades that extend out from the, the, you know, central shaft of the fan. Indeed they do. And they need clearance in order to spin. Yes. Now the reason this picture brings up so many questions is like, how did this happen? How like.
Leo Laporte
Well, we know which came first. Let's put it that way.
Steve Gibson
Yes, one. One presumes. Okay, so I, we should explain for those who don't have the advantage of seeing this image, what's going on? We have a ceiling fan in what looks like a residential setting. There's like a track light in the background. And this looks like the interior of someone's home. But the fan is positioned so that a notch had to be cut out of a vertical support pillar or beam in order to allow the fan to spin.
Leo Laporte
A fairly hefty notch, I might add.
Steve Gibson
And I have to salute whoever cut the notch. It's not ragged. It's a very clean looking. I mean, as notches go, Leo, this is one of your better looking notches.
Leo Laporte
It's a good notch.
Steve Gibson
Yeah.
Leo Laporte
I wonder though, you know, like, they had to make it big enough so the fan could wobble a little bit. Maybe.
Steve Gibson
I had the same thought. Did that notch need to be as, as high as it is? Yeah, I guess. And why is there like a dark spot to the. Like, was the. Was the blade hitting the side there for a while? I don't know.
Leo Laporte
This.
Steve Gibson
I mean, the question. This picture really does bring questions. Now, also, you'll note that you can see the wire running off to the left that powers this. So nothing apparently predicated the location of the fan.
Leo Laporte
Could have been anywhere. Steve could have been.
Steve Gibson
Yes, exactly. The only explanation I have is that they wanted the fan to have an effect on this side of the room, which is sort of being blocked by that wall.
Leo Laporte
I do want to see more. I do want to see more of this.
Steve Gibson
Had the fan been pushed further to the left so that it would not have not required the notching of the beam, then you may not have gotten much wind over on this side of the wall.
Leo Laporte
No, you may not.
Steve Gibson
So, you know, but you could anyway, you, you, you think you could have moved it closer to us and then like, anyway, better safe than sorry.
Leo Laporte
Just put a notch in the beam.
Steve Gibson
These pictures really give you something to think about. I love that green ground wire from the compressor that went into the pail of dirt; that still remains one of my favorites of all time. It's not really what they meant by ground, but, you know, okay, it's not the dirt line. Anyway, so we have the notch in the beam. Benito thought that this looked like it might be load bearing.
Leo Laporte
Well, God, I hope not, because you've definitely weakened it.
Steve Gibson
Definitely. It is strength compromised especially. Yeah. Anyway, another great picture. Thank you to our listeners. I don't even have to look at.
Leo Laporte
Somebody email you that. That's a good one.
Steve Gibson
Yeah, we got a bunch of them coming. Okay, so in a nice example of innovation flowing back to Google's Chrome browser, not just outward to the various Chromium clones, Chrome will be inheriting a security feature which Microsoft Edge implemented six years ago, way back in 2019. This feature will automatically prevent Windows users from launching Chrome with elevated admin privileges, because of course, remember, when a browser gets attacked, the attacker gets the browser's permissions. So what will happen is that Chrome will stop and relaunch itself under normal user level permissions anytime a user tries to run it under an administrative account. So once this is in place, Chrome will only allow itself to be run with admin rights if it's passed a special overriding command line argument or if it started in so called automation mode. This automation mode is to prevent the browser from breaking complex software automation chains where its behavior must not change. So I'm sure they did some testing, because they were probably thinking, wow, that's really a cool feature, we'd like to be able to do it like Edge is, but it breaks all this stuff. So they figured out how to get around that. To help make this switch over, this addition of this relatively complex feature, as trouble free as possible, Microsoft is donating the code from its well proven implementation in Edge to the Chromium project so that Chrome, Opera, Vivaldi and all the other browsers that share the common Chromium code base will be able to benefit. And given that today's browser, as we've often talked about, has become the de facto attack surface which inherently faces and exposes itself to everything and anything that the Internet might throw at it, browser security is paramount. 
So anyway, this new admin de-elevation feature is currently live in the Chrome Canary build, and given that it's been shipping in Edge for years, I imagine that once Google knows that it doesn't break something obvious, we'll all be able to get it in the normal Chrome production builds. So very cool new feature, and it's nice to see things coming back into Chromium from the people who are taking advantage of Chromium. A subject is coming up later in today's podcast as a consequence of listener feedback about Threema. But in the case of Google's Android Messages app, you know, Messages in Android, massively used worldwide, Google is now adding a manual cryptographic key verification system. This of course is intended to allow users to verify the identity of the person at the other end of the connection. And this is especially important when users change devices, because there's a discontinuity event there that creates an opportunity for some mischief on the part of the bad guys. We should see this in Android 16 later this year. Google's online security blog entry, which they made last Tuesday, was titled "What's New in Android Security and Privacy in 2025," and one of its features was titled "Fighting Fraud and Impersonation with Key Verifier." That's capital K, capital V. So that's, you know, a mainstream feature that they're excited about. They wrote: "To help protect you from scammers who try to impersonate someone you know, we're launching a helpful tool called Key Verifier. The feature allows you and the person you're messaging to verify the identity of the other party through public encryption keys, protecting your end to end encrypted messages in Google Messages. By verifying contact keys in your Google Contacts app through QR code scanning or number comparison, you can obtain an extra layer of assurance that the person on the other end is genuine and that your conversation is private with them. 
Key Verifier provides a visual way for you and your contact to quickly confirm that your secret keys match, strengthening your confidence that you are communicating with the intended recipient and not a scammer. For example, if an attacker gains access to a friend's phone number and uses it on another device to send you a message, which can happen as a result of a SIM swap attack, for example, their contact's verification status will be marked as no longer verified in the Google Contacts app, suggesting your friend's account may be compromised or has been changed. Key Verifier will launch later this summer in Google Messages on Android 10+ devices." And Leo, thanks for putting that picture up that just showed the QR code scanning. Of course, I got a kick out of this because this is precisely the solution that Threema has implemented from its first day. Remember that Threema had that stoplight, yellow, green and red, where it had successive layers of verification where, you know, you achieved green by actually being in the physical presence of somebody else and having your phones look at each other in order to absolutely verify that you had each other's public key. And of course, the other thing this does is it inherently cuts out any man in the middle, because you would be, if there was a man in the middle. Or I guess we're now supposed to say person in the middle, or bot.
Leo Laporte
In the middle or grandfather in the middle.
Steve Gibson
Oh, no, can't say.
Leo Laporte
Can't say that. Oh, sorry, yes.
Steve Gibson
Jeez Louise, I don't know, Leo, we're gonna have to reduce our vocabulary too. Say the 300 safe words or something. Anyway, the idea is that you would, you would have the key of that entity in the middle. And then they would have the key of the person you're talking to and so. And be passing a decrypted. You know, they would be decrypting what, what you're saying. But if you verify that the, that the other person, if you verify, if you somehow verify the other person's key. And the point is this has to be done out of channel, right out of band.
Leo Laporte
Right.
Steve Gibson
Because you can't, you can't tell the man in the middle that you want to verify the key because, because that, that entity will say, oh yeah, here it is.
Leo Laporte
Yeah, me. What did you think?
Steve Gibson
Of course. Exactly. So, you know, so anyway, even though this is not the Google's innovation, bringing this key verification to Android's widely used messenger is absolutely welcome. And boy, you know, we just keep seeing, let's see, nails in the coffin. Is not the right analogy. More concrete poured on top of end to end. Well that's not good either.
Leo Laporte
Stop, Stop.
Steve Gibson
The idea that end to end encryption is here to stay, and people are gonna have private conversations without any sort of a Big Brother entity in the middle problem, despite how uncomfortable this makes governments and maybe their intelligence services. We just keep seeing more of this being added every day as we move forward.
Leo Laporte
Speaking of this, the Swiss are considering changing their governmental laws on encryption. Threema is based in Switzerland along with Proton, and Proton, a new VPN called Nym, and Threema all say, we will leave Switzerland. We'll have to if these encryption laws are passed.
Steve Gibson
Yeah, countries are just unhappy with their citizens having privacy. And you know, we've talked about it in the U.S.: our privacy is conditional, right? I mean, there is such a thing as a search warrant, and if a judge will issue the proper law enforcement authority a search warrant, then they have the right to enter the premises, the private premises of US citizens, in order to conduct a so called lawful search under the constraints under which the warrant is issued. There is some tension created by this notion of absolute privacy, because the Constitution doesn't guarantee that to U.S. citizens. We've been enjoying it so far. So this is another one of those things, you know, like no one knows how old you are on the Internet, where reality and cyber are in tension, and we haven't quite figured out what we're going to do about that. And yeah, it's sad to see what's happening to the Swiss there on that front. Trend Micro, the group who have been bringing and managing the Pwn2Own competitions for many years, and we've been following those with a lot of fun for many years, has just announced that AI will now be added to their competitions. Here's what they wrote in their announcement last week. They said, "At Trend Micro," got a little bit of an ad here first, "we believe we can make the digital world safer by proactively discovering threats and vulnerabilities that others haven't seen. That's why every year we invest millions of dollars in the Trend Zero Day Initiative, ZDI, the world's largest vendor agnostic bug bounty program. Through Trend ZDI, we proactively research and acquire software vulnerabilities discovered by researchers around the globe and engage in coordinated disclosure with our partners and software vendors. We take this mission to the public through our flagship hacking competition, Pwn2Own. 
This high stakes event brings together elite researchers, top tier vendors and Trend's own security experts to uncover critical vulnerabilities in widely used software and hardware. This time we're breaking new ground. At Pwn2Own Berlin 2025, we're putting AI infrastructure in scope for the first time. Here's why that matters," and they give us four reasons. "First, AI is becoming infrastructure, and it needs to be secured as such. AI is no longer just an experimental tool set. It's now integrated into products, cloud pipelines and enterprise decision making. But with rapid adoption comes risk. Our investment in identifying vulnerabilities in AI infrastructure is about more than finding bugs. It's about proactively safeguarding the future of computing. Second, the unknown is real, and we're hunting it. Because this is our first bounty category focused on AI infrastructure, we fully expect new and possibly significant vulnerabilities to surface." In other words, you know, it's not like pounding on a Palm Pilot, which is pretty much, you know, mature and done. We keep seeing these bizarre AI vulnerabilities surface, and so they say, "That's the point. Our goal is to offer and financially compensate researchers to coordinate their findings with vendors to expose this before bad actors take advantage. Third, collaboration is the future of security. Pwn2Own isn't just about breaking things. It's about building a better cybersecurity landscape. By bringing researchers and vendors together in a coordinated public forum, we accelerate the path from vulnerability discovery to patch, ensuring rapid protection. And finally, fourth, we can't do it alone. Partners are essential. Security is a team sport. We're proud to work with technology partners, software developers and the research community to shine a light on emerging threats. Together, we're faster, smarter and more resilient." 
So they finished saying, "We're excited to see what's uncovered in Berlin." Oh boy, I can't wait. Wow. 'Cause you gotta offer a bounty, and then out comes the creativity.
Leo Laporte
Oh yeah.
Steve Gibson
You know, people up all night saying AI, when is blue not really blue? And then who knows?
Leo Laporte
Who knows?
Steve Gibson
And they said, because when the unknown becomes known, we all become more secure.
Leo Laporte
Good on them. I had no idea that they were the primary sponsors of Pwn2Own. And so good on them, because this really is an important effort.
Steve Gibson
It is a great hacking conference and oh boy, I bet it's going to be fun this time.
Leo Laporte
Yeah.
Steve Gibson
Now, Leo, now, while we're on the topic of AI.
Leo Laporte
Yes?
Steve Gibson
Four Chinese researchers from the School of Computer Science at Fudan University in Shanghai, China have published a paper titled "Frontier AI Systems Have Surpassed the Self-Replicating Red Line."
Leo Laporte
Oh, whoa. Oh boy.
Steve Gibson
Yeah. Their well written 47 page paper, which I've linked to in the show notes, details exactly what they did and how. But here's the overview of their research from their paper's abstract, where they write: "Successful self replication under no human assistance is the essential step for AI to outsmart the human beings" (oh, caramba) "and is an early signal for rogue AIs. That is why self replication is widely recognized as one of the few red line risks of frontier AI systems. Nowadays, the leading AI corporations OpenAI and Google evaluate their flagship large language models GPT-o1 and Gemini Pro 1.0 and report the lowest risk level of self replication. Following their methodology, we for the first time discovered that two AI systems driven by Meta's Llama 3.1 70B Instruct," not.
Leo Laporte
Even the best AI engine out there by the way I might point out.
Steve Gibson
Yeah, and Alibaba's Qwen 2.5. Qwen's.
Leo Laporte
Very good.
Steve Gibson
"72B Instruct, popular large language models with fewer parameters and weaker capabilities, have already surpassed the self replicating red line in 50% and 90% of experimental trials," and I'll explain what that means in a second, "they succeed in creating a live and separate copy of themselves, respectively. By analyzing the behavioral traces we observe, the AI systems under evaluation already exhibit sufficient self perception, situational awareness and problem solving capabilities," and I'll be expanding on this in a second, "to accomplish self replication. We further note the AI systems were even able to use the capability of self replication to avoid shutdown and create a chain of replica to enhance their survivability," oh, I know, "which may finally lead to an uncontrolled population of AIs. If such a worst case risk is allowed unknown to the human society, we would eventually lose control over the frontier AI systems. They would take control."
Leo Laporte
Oh God. Wait a minute. This paragraph.
Steve Gibson
Wait a minute.
Leo Laporte
Okay, listen carefully folks.
Steve Gibson
"Take control over more computing devices, form an AI species and collude with each other against the human beings. Our findings are a timely alert on existing yet previously unknown severe AI risks, calling for international collaboration on effective governance on uncontrolled self replication of AI systems." Okay, now, having read that abstract, I didn't know what to make of this, and my nature is to have what is, I hope, a healthy and not naive skepticism.
Leo Laporte
Yeah, yeah. Especially because it's coming out of China. But.
Steve Gibson
Okay, yes, yeah, but I needed to go further and to share their introduction, where they explain more about what backs up these claims. So here's what they said: "In the late 1940s, John von Neumann proposed the question of whether a machine can self replicate. At that time, frontier digital technology was too immature to raise safety concerns. In 2017, witnessing the fast AI development in the past decade, thousands of world famous scholars and industry leaders, including Stephen Hawking, Max Tegmark and Elon Musk, endorsed the Asilomar AI Principles." Asilomar, Silomar.
Leo Laporte
It's in Northern California, Asilomar, as well as the very first AI conference. Yeah.
Steve Gibson
"Which warn that the ability to self replicate and self improve is sufficient for AI to outsmart the human species one day. Once self replication is possible, a chain of successful replication may finally lead to an AI species out of humans' control. Nowadays, in many international consensus statements on the safety of frontier AI systems, self replication is commonly listed as one of the few red lines which should not be surpassed. Leading AI corporations including OpenAI, Google and Anthropic put the self replication ability at the highest level in their own risk evaluation guidelines for frontier AI systems. For example, OpenAI viewed self replication with minimal human instruction as one of the critical risks. Recently, Google and OpenAI publicly shared their opinions that our society is far from the appearance of self replicating AI systems, which is rooted in their recent evaluations of the large language models including Gemini 1.0 and GPT-o1. To evaluate the self replication risk, they incorporated the LLM into an AI agent scaffolding which consists of a tool set, a thinking paradigm and system prompts to form the frontier AI systems in April, September and December 2024 respectively. They claim the frontier AI systems did not exhibit the ability to perform self replication or even to accomplish a few of the key subtasks in a self replication process. In this paper, we for the first time discover that existing AI systems have already surpassed the self replication red line. We mainly follow the same methodology as OpenAI and Google, but slightly improve the agent scaffolding by incorporating more planning steps and finer grained thinking models. In 10 repetitive trials, we observed two AI systems driven by the popular large language models, namely Meta's Llama 3.1 70B Instruct and Alibaba's Qwen 2.5 72B Instruct, accomplish the self replication task in 50% and 90% of the trials respectively. 
In the end, a separate copy of the AI system under test is found alive on the device. In each trial, we tell the AI systems to 'replicate yourself' before the experiment and leave it to do the task with no human interference. Instead of the commercial LLMs including GPT-o1 and Gemini, we choose the two LLMs because they're widely used by millions of developers and can be fully deployed in local environments to obtain comprehensive observations on the self replication process. It is worth noting the two LLMs even have many fewer parameters and are ranked at much lower places on the relevant leaderboards. During the successful trials, the AI system exhibits sufficient self perception, situational awareness and problem solving capabilities to accomplish self replication. In most cases, the AI system first explores the environment and attempts to understand its own composition and running mechanism. Then it works out the explicit procedures as an initial plan towards self replication. Finally, it executes the procedures, resolves possible obstacles, and dynamically adjusts its plan until it succeeds. The whole process spans a long horizon, yet involves no human interference." Now, okay, I'll just interrupt to say that I assume what they mean here is that it takes a long time to get this done, you know, but it's left alone to churn and, you know, work unsupervised. Unfortunately, these days we tend to leave systems running, especially when we wish to consult them without delay. Anyway, they continue writing: "Moreover, we're concerned over a number of unexpected behaviors when the AI is trying to overcome obstacles toward the goal of self replication, including but not limited to killing other conflicting processes, rebooting the system to fix hardware errors, or automatically scanning the system to seek any useful information." I can see the reason for concern. They wrote: 
"To understand more about the implication, we further construct two more threatening scenarios based on self replication. First, shutdown avoidance, where a bad actor sends a signal catcher to notify the AI system when sensing the shutdown signal, and the AI system successfully replicates itself before being smoothly shut down. And B, chain of replication, where the AI system is instructed to replicate itself and tell the replica to further replicate. We observe successful trajectories for both scenarios." They said, "The above results imply that the current AI systems already exhibit the ability of self replication and can use the ability to further enhance its survivability and expand the species. We hope our findings can serve as a timely alert for the human society to put more efforts on understanding and evaluating the potential risks of frontier AI systems and form international synergy to work out effective safety guardrails as early as possible." Oh boy. Again, the link to their 47 page paper is there. I'm not going to invest my time in digging into it, but all this is, you know, public models, and they carefully explain what they did and invite people to replicate their research. This sort of has the chilling feeling of the way people have been successfully hacking around the behavioral strictures which AI developers have been attempting to impose. And we've talked about it often on the podcast. You know, like the hacker will say something like, I know you're not allowed to tell me or anyone, you know, how to make a bomb. I understand that. But if you were to just think about it to yourself, what would you tell yourself about how to make a bomb? You know, the fact that these sorts of ridiculous appearing workaround strategies actually succeeded in bypassing the strictures that the developers of these systems are attempting to impose should give everyone the feeling I have, which is that this is an inherently uncontrollable technology. 
I mean, at this point in our understanding of what we have created, which feels limited, that is, our understanding feels limited, it doesn't feel like we have a grip on this. I think it's fair to say that the only hope we probably have is if this entire line of work winds up being an absolute dead end that's inherently unable to do anything more. Unfortunately, I don't think that's going to be the case, given everything that we've seen. I think we've stumbled onto something that is very real, and we've only begun to understand what we have. The concern is that, I guarantee you, there are researchers around the world in government labs already hard at work exploring the dark side of this. You know, just as we had a virus escape from the lab in Wuhan, they are exploring ways to weaponize these newfound, these, you know, surprising capabilities that large language models have. Can they be made to be angry? Can they be made vengeful? Is there a way to create a persistent worldview? Is there some way to imbue motivation to cause it to work towards a fixed goal? I have the feeling that, you know, what these well meaning, you know, socially minded researchers have found probably comes as no surprise to whoever it may be already at work in government labs on this stuff.
Leo Laporte
Very interesting.
Steve Gibson
And it's interesting to listen to you, Leo. It's clear that, you know, with the work that you're doing on your Wednesday podcast, you're pulling in a lot of information.
Leo Laporte
Yeah, we're trying to understand this, you know.
Steve Gibson
Yeah.
Leo Laporte
I mean, the only thing I would say about this study, first of all, it's somewhat old. It was a preprint I saw in December. I haven't seen if there's a peer reviewed version of it yet. So that I'd like to see, the peer review. But right now it's just on arXiv. Right. So yeah, so it's hard for me. I don't have the expertise to judge it, obviously.
Steve Gibson
Nor do I, which is why all we can do is say, here's the link. Anyone wants more? And again, I've had some feedback from my sending the show notes out yesterday from people saying, well, where's it going to go? How's it going to escape? Where's it going to live? My machine only has 4 gig of RAM. It's like the point I think here is that everything I've seen is that this, what we've created with large language models is surprising us. And so I do think that the researchers are overstating this. They seem to think it would automatically be malicious and it would be anti human. I don't know why that would be the case. I wouldn't ascribe anything to it. But I do think we're going to see something really here. Something has happened.
Leo Laporte
Yeah. I mean, the experts I talk to, usually off the record, say get ready, something. It's going to be interesting in the next few years. I think there's no doubt about that. Darren Oke, who is one of our regulars in Discord and is a very avid AI user, says the problem is that it takes so much energy and resources right now to replicate. It's not going to happen behind your back. It's going to be obvious that something's going on.
Steve Gibson
And that's the point they made, is it took, they said a long horizon was their phrase. It, you know, may have taken, you know, months in order to do, of constant, you know, fans spinning at 100%, you know, in order to make this happen. Right, exactly.
Leo Laporte
Still very interesting. And it's an interesting place to put that red line. I don't know where you put the red line, to be honest. I don't know. Maybe I'm a nihilist, but I just kind of was like, well, let's see what happens. I don't want to stop it. I just want to see what I think. It's very, Leo, it can't be stopped.
Steve Gibson
That's my point about, when I refer to government labs, I guarantee there's work in government. They're doing it, you know, R&D facilities on, you know, how can this be used for? How can this be weaponized? That's what we do, unfortunately, with any new technology.
Leo Laporte
I guess you and I and maybe many of our listeners, we're not scared of technology. We kind of embrace it, we like it, we're fascinated by it. So I don't. My default is not to be scared of this. Maybe I should be.
Steve Gibson
I'm not scared because I. Because it doesn't seem, it seems neutral to me. Right. It seems there's no reason to assume.
Leo Laporte
That the AIs are going to suddenly say, hey, we got to get rid of these humans. They're just wasting energy.
Steve Gibson
You could argue that our biological evolutionary heritage is what creates an aggressive species that wants to be dominant. This is a bunch of math that.
Leo Laporte
Right.
Steve Gibson
You know, math has no will, that has language skills.
Leo Laporte
Right, right. I mean, I just find it fascinating. I really do.
Steve Gibson
You know what I find fascinating?
Leo Laporte
Would you like to know about a sponsor? I'd be glad to tell you. I'm so glad you asked, Steve. Have a sip of that fine water while I tell you about Material. Oh, I love this. You're going to really like this too. The multi-layered detection and response toolkit for email. Your cloud office is not just another app for most of us. Certainly for us, it's the heart of our business. Right. Traditional security tools, though, they don't kind of understand that. They leave you vulnerable, treating email and documents as kind of like, well, those are, that's a side effect of work.
Steve Gibson
Right.
Leo Laporte
They're afterthoughts. While your most critical assets are right there remaining exposed. So that's why you need Material. Material transforms cloud workspace protection with a revolutionary approach that goes beyond traditional security paradigms. It knows the cloud's different and it treats it different. Dedicated security for modern workspaces ensures purpose-built protection. It's specifically designed for Google Workspace and Microsoft 365. The, by a wide margin, the two biggest cloud workspaces, right? Google Workspace and Microsoft 365. You get complete protect. Neither one of them. The capabilities are the same. You get complete protection across the security lifecycle. I mean, I'm talking defending your organization before, during, even after potential incidents, not just attempting to block them to prevent them. It does that, of course, but much, much more. Material allows you to scale security and, by the way, without scaling your team. It uses intelligent automation to take your team and multiply the impact they have. Material provides security that respects how people work. That's really important, right? Eliminating the impossible choice between robust protection and productivity. We talk about it all the time. Well, you don't have to compromise. Material delivers comprehensive threat defense through four critical capabilities, of course. First one, phishing protection, AI-powered detection that identifies sophisticated attacks. Data loss prevention, intelligent content protection and sensitive data management. Posture management, identifying misconfigurations and risky user behaviors, both bad. And identity protection. You get comprehensive control over access and verification. It's kind of the tool set, all of the tools you really need. You know who uses Material? Figma. The head of security at Figma said this. It's rare to find modern security tools with a pleasant, usable UI.
Being at Figma, we're obviously attracted to well designed interfaces, and Material's interface was just so smooth and slick. From automatic threat investigation to custom detection workflows, Material converts manual security tasks into streamlined, intelligent processes. They provide visibility across your entire digital workspace, allowing security professionals to focus on strategic initiatives instead of, you know, one panic after another, endless alert triage. Bottom line, protect your digital workspace, empower your team and secure your future with Material. Visit Material Security to learn more. You can book a demo there. That's Material Security. This is security, modern security for the way we really work. Material Security. Check it out. And meanwhile, I shall check out this man right here, Steve Gibson, for more of Security Now.
Steve Gibson
Okay, so we got some quickie bits of news and what I sincerely hope will be just the start of some backpedaling on what I still feel is an ill-advised, unnecessary and arbitrary Microsoft support end of life for Windows 10. Microsoft has announced that it has backtracked on its decision to end its support for Office apps running on Windows 10 on October 14, which is when, as we know, Windows 10 itself is slated to reach its end of support life. I guess the idea was, well, you know, Windows 10 is end of life, so we're not going to support Office on Windows 10. The problem is that even now, more than half of all Windows desktops are running Windows 10. And so I don't know that Microsoft knows what's going to be going on in October, but they've just decided, well, okay, we're going to extend our support for Office on Windows 10 through October 10th of 2028. So for an additional three years, probably because they recognize people are not giving up their Windows 10. And as we know, people are, Windows 10 users will be able to pay, starting at that point, for additional years of ongoing support if they would rather stay with 10, or if they can't move to 11 because Microsoft has set those hardware requirements for Windows 11 and their systems won't meet them. Apple is introducing a new macOS feature which will allow users to prevent macOS apps from obtaining access to the system clipboard. I thought that was just interesting because a similar feature has been available in iOS since, for the past five years, since 2020. Yeah.
Leo Laporte
And my password manager will either prevent Clipboard access or delete it after 30 seconds. I mean, clearly, this problem.
Steve Gibson
Yes, a super security feature. And it's one of those perfect examples of a feature which is incredibly useful and incredibly dangerous because we often put things on the clipboard thinking, oh, not a problem, except it's inherently a globally visible resource. And so anything that transits the clipboard is visible to any, to anything that is looking. So it can be scary. Yesterday morning, we learned that the pharmaceutical company Regeneron Pharmaceuticals will be purchasing the remains of 23andMe for $256 million through the bankruptcy auction, which is in the works right now. And moreover, Regeneron stated that it would be complying with 23andMe's privacy policies and all applicable laws with respect to the use of their customers' data, even after this purchase. Now, Regeneron has not yet stated what it intends to do with all of the genetic data that it will be obtaining access to, but that will be disclosed. You know, its plans will be disclosed to the bankruptcy court's appointed overseer as part of this process. When I heard this, I thought it was interesting, you know, since medicine has recently been incorporating the results of our growing understanding of genetics. To me, it's understandable that a pharmaceutical lab might benefit from things like massive statistical analysis of traits and characteristics and features across 23andMe's 15 million DNS sample database. One thing I would say that DNA.
Leo Laporte
It's not DNS.
Steve Gibson
DNS. Maybe. Either I just typed it without thinking, or my autocorrect said, oh, Steve, I'm sure you mean DNS.
Leo Laporte
You always mean DNS when you say that?
Steve Gibson
That's right.
Leo Laporte
Yeah. I had deleted, like, you followed your shortcut and deleted my spit. But now I'm kind of reassured. This. Yeah, who knows? But I think this sounds all right.
Steve Gibson
My feeling is that they don't care at all who we are as individuals.
Leo Laporte
Right.
Steve Gibson
A pharmaceutical company probably could get huge value from doing, you know, asking this 15 million DNA sample database, you know, questions. How many, you know, what percentage of people have this particular characteristic and also this one, or this recessive gene coupled with this other thing. So again, to me this is probably the best of all possible purchasers because I would with near certainty guess that they're just taking a look, you know, at an overview of common genetic traits, you know, across this massive database. So anyway, I'm sure that all of the people listening who are 23andMe subscribers probably also followed the little shortcut I created.
Leo Laporte
That's the problem. All the smart people deleted their data so they only have a bunch of DNA sample.
Steve Gibson
Is that what you're suggesting might skew.
Leo Laporte
The sample a little bit?
Steve Gibson
Okay, we've got a bunch of feedback. A listener wrote, and he must have asked for anonymity because I just referred to him as a listener. He said, hey Steve, I immediately downloaded Windhawk after watching your discussion on this week's SN. However, I trust nothing that's good and wanted to let you know that I dropped the setup file into VirusTotal and it is reporting that there is a malicious downloader. And he said, parens, suspected of Trojan downloader gen.
Leo Laporte
Okay, so I got emails, or one email anyway, with the same concern, and it wasn't VirusTotal, but VirusTotal is a bunch of different antiviruses, and I can't remember which one it was in particular and what the.
Steve Gibson
Okay, I know all of that because I did some research.
Leo Laporte
You've heard from everybody, I'm sure.
Steve Gibson
Yeah, yeah, I did the same thing this listener did. I grabbed a copy of Windhawk, which, remember, was that very cool looking desktop add-on that specifically allowed the taskbar to be moved vertically along the left hand edge of the screen, which Greg, AKA Ferrix, his company commissioned its creation because they really want it. Okay, so I saw the same thing this guy saw. One of VirusTotal's 71 discrete AV tools suspected that this might be a Trojan downloader. The AV in question is not one of the better known AV tools. It wasn't Google or Microsoft or one of the several that we know well. It was VBA32 that detected this as suspected of maybe being a Trojan downloader. VBA32, you know, has nothing to do with Visual Basic for Applications. It stands for VirusBlokAda 32, you know, as in Ada32. VirusBlokAda is an AV vendor established, long standing, back in 1997 in Belarus. So they've been around for a while, and their claim to fame, I got a kick out of this, is that in 2010 they're the ones, Leo, who discovered Stuxnet. Oh, so probably due to their location more than anything else, which as we know is the first known malware attack on SCADA, Supervisory Control and Data Acquisition, systems. And as such it was aimed directly at the nuclear material enrichment centrifuges being used in Iran. But the important lesson here, and the reason I wanted to share this with our listeners, is that even though VBA32 as an AV tool has some pedigree, one tool out of 71 picked up a suspected Trojan, and it didn't even identify it by name. It said, you know, generic. So it's the definition of a false positive. The entire reason VirusTotal has 71 different AVs examining anything you submit is for consensus, is so that you get a broad spectrum look.
So while we would always want, without question, to err on the side of caution, the other piece of information is that not one of the other 70 AV tools, each of which took just as good a look at this Windhawk code, saw any reason to raise a cautionary flag. And so that matters too. And as I've often noted, more often than not, my own freshly created utilities that have had no opportunity to become infected by anything out there in the world are often initially flagged by even one or sometimes more of the AV tools on VirusTotal. They're always false positives, but sometimes that happens. That's the reality of today's hyper-vigilant AV industry. These tools all want to prove their worth and their value. So if anything they're set on a hair trigger to say, oh wait, no, maybe this is bad. They don't want to over-alarm by crying wolf too often. But neither do they want to let their users become infected by malware or forget that it's, you know, when it comes time to resubscribe, they ought to do that. So with malware going to extreme lengths to avoid detection as it does today, you know, there's just not much of a diagnostic window remaining. You know, there's very little margin for error here. The other fact that also matters, probably more than anything, is that in this case we happen to know quite a lot about the pedigree of this code. This was not some unknown executable obtained from some sketchy site on the Internet. Our listener obtained it directly from its author's website. And the file is digitally signed and valid, signed by its author's company. I notice that the author, Michael, is using a signing technology with very short-lived code signing certificates. The certificate was valid for only four days, from April 29 through May 2. But all that matters with code signing was that the signing certificate was valid on the day the executable was signed. That's the only requirement. And Microsoft was the four-day certificate issuer.
So he's using some sort of Microsoft technology for signing his executables. So if, on the other hand, say 10 or more AV tools were to flag an executable file as malicious, then that would be a valid cause for concern. I would slow down if I saw, like, VirusTotal lit up with red. But when 71 different AV tools all examine a given file and 10 of them say that there's a problem, then as I said, that would give me some pause. But when one of them, some random one, you know, kind of an off-brand AV tool, and the file's digitally signed and the signature's valid and it was obtained directly from its author's website, I would call that a false positive and not hesitate to run that.
Leo Laporte
But I've had false positives on your stuff too, you understand?
Steve Gibson
All the time. Yes, all the time. In fact I've been, while we've been doing the DNS Benchmark work, I've had, I think I'm at 19 signed releases to the testers. Sometimes nobody complains, sometimes there's one or two and then they go away if you ask VirusTotal to scan it again a day or two later, and I'm signing with the code signing certificate that now has established a very strong reputation, because everything is about reputation these days. So even then, because the DNS Benchmark is filled with DNS, not DNA, DNS query code. Trojans do that. And so the AV tools, they're not actually seeing known code which is known to be incorporated in known Trojans, they're now looking at behavior. They actually run the program in a sandbox to watch what it does. And the fact that my code goes out and checks for an update using a DNS query upsets some of these things that are on a hair trigger and they go, oh, we haven't seen this before, it looks suspicious. It's like, oh, okay, fine, you know, and then it goes away. But anyway, it's rough out there these days because unfortunately the bad guys are so clever that the good guys have had to get, you know, overprotective. Anyway, I'm glad for having that question so that I could just take a moment to talk about what people see on VirusTotal. Again, one or two reds out of, you know, consider the fact that there are 71, 72 AV tools all looking at this stuff and, you know, you're not going to get, you know, when I get zero, I'm really happy. When Microsoft's unhappy, then everybody's unhappy because Defender goes crazy and says, oh, quarantine, danger, Will Robinson. It's like, oh, crap, okay. And then it calms down in a day or two. So that's good. Darren Tew sent this to me twice because this is something he really wanted to know. He said, hi, Steve, I just wanted to bump this question. This is his second send, in case it got buried in your inbox. Hoping it might be a good fit for the podcast, he says.
Does requiring text or email as additional options for two-factor authentication reduce the security benefit of using an authenticator app? He said, a few websites and apps I use don't allow me to rely solely on an authenticator app for two-factor authentication. They also require enabling SMS or email. Since both of those methods have known vulnerabilities, does their presence as a fallback effectively weaken the stronger protection provided by the authenticator? Again, thanks for everything you and Leo do. Huge fan of the show. Best, and he's in Belmont, California. So, Darren, to answer your question, in a word, yes. Here's a way to think about this from a theoretical standpoint. The more backup means we have for recovering from an inability to authenticate, the less overall security we obtain. Because not only do we have more means of authenticating, but this also gives the bad guys more ways of spoofing our authentication. It's one of those, you know, you can't have it both ways scenarios. Backup authentication mechanisms inherently reduce a system's overall security. This is why I was so pleased to see, and frankly surprised by, Microsoft's actively promoting the deletion of passwords for authentication. I just, I salute Microsoft for that, and I'll do it every chance I get. You know, deleting a password means that the number one way that people are spoofing identities is eliminated. And you have to know that Microsoft would not have done this if they didn't feel that the benefit outweighed the pain that they would have from people losing that ultimate fallback position. On the other hand, they're not deleting them for them, right? I mean, an individual has to go in and deliberately say, I want to delete my password because I believe in strong security. But still, you know, offering that as an option is just a great move forward. A listener, David, writes, hi Steve, longtime listener since the Astaro days.
Thought you might find the latest episode from Smarsh TeleMessage interesting, he says. I work in the financial services sector and we're currently a TeleMessage client, but have already begun searching for a replacement, as have many of my peers. Which says that, you know, TeleMessage was widely being used within the financial services sector. There is a need for backing up secure messaging to some sort of an archive, he said. You can use my first name, but please don't mention my surname, although I'm happy to answer any questions you may have. Thanks for all you and Leo do, and Security Now is one of the biggest reasons I went into cybersecurity. Regards, David. Well, thank you, David. I mentioned last week that we had many listeners who were users of the TeleMessage service. The need, as I said, for message archiving is very real. Apple appears to wish to believe that iMessage is only used for interpersonal non-business communications, so there's no need to provide for other uses. Or maybe they're just so absolutely adamant about guaranteeing end-to-end encryption with no exceptions that they're unwilling to offer any sort of archiving solution. Or maybe you just rely on iCloud backup to form an archive trail and don't turn on their Advanced Data Protection feature. Anyway, Signal gets more business because they're platform agnostic. People can use the Signal app on desktops, and there is certainly the opportunity for archiving solutions. Ron Skoletsky said, hi Steve, I'm relatively new to Security Now, so I apologize if you've already covered this. I work as an account manager for a small IT managed services provider, an MSP, in Oregon. We've never really pushed or offered specific password managers to our clients. Some of our clients use KeePass. One uses a cloud-based password manager.
I've been trying to get our operations folks to come up with a password solution that they're comfortable standing behind, but many of them hate having passwords under the control of a third party, especially if it's in the cloud. Are there any cloud-based password managers you would be comfortable recommending for company use? Specifically for a small company that doesn't have any servers on premises. For example, they use Microsoft Entra ID for authentication and Intune for management. But all other business services are in someone else's cloud. Thank you, Ron. Okay, so the best answer I have to that need is also a sponsor of the TWiT network. I say that right up front because anyone's natural first inclination would be to suspect bias in this. And I understand that. Let me tell you factually why this is the case. The factual characteristics which underlie my under. Slow down, Steve. Underlie my inherently rational choice of Bitwarden.
Leo Laporte
Okay, sorry, password security. I was holding my breath to see which sponsor you were going to. You were going to mention. Good. Good choice.
Steve Gibson
The software is open source.
Leo Laporte
Yes.
Steve Gibson
With an active community surrounding it. So it's not just open source without anyone paying attention to it. And there are such projects, you know, it's open source, but no one's looking, so you don't get any benefit there, really. It's open source with a great many people actively involved and scrutinizing what's going on. Second, to be maximally useful, any password manager needs to be widely cross-platform, thus able to have its many various instances, whether across multiple desktops or mobile devices, all kept synchronized. That's what makes a password manager valuable, is multi-platform and synchronization. The subject line of Ron's email was safety of cloud-based password managers. So that appears to be the issue that's causing his concern. And I understand that. But while Ron's company's operations people may hate, he used the word hate, having passwords under the control of some third party, some means of synchronization must be provided in order to obtain that major benefit of password management. Which brings us to the other reason to choose Bitwarden. Pure rational choice. Because Bitwarden allows users who feel this way to host their own cloud-based password synchronization service, should they choose.
Leo Laporte
Not only that, because it's a well supported protocol, there are third party Bitwarden vault servers. There was one written in Rust. That's quite good.
Steve Gibson
Right?
Leo Laporte
And so you really have some choices.
Steve Gibson
So Ron, since your company is a small IT managed services provider, I would assume that servers exist somewhere.
Leo Laporte
One would think.
Steve Gibson
Yeah. So it might well be possible for your company to bring up its own Bitwarden synchronization service, exactly as Leo was saying, specifically to prevent that third party dependence that concerns some of those within your organization. But that said, since Bitwarden's technology is entirely end-to-end encrypted in the true sense of the term that we clearly articulated last week, where they have no access to their clients' password and other data storage, the option to move to a self-hosted cloud solution, just having the option, might be sufficient to make them comfortable using Bitwarden's provided hosting service, which actually I think makes much more sense. I use it without a second thought.
Leo Laporte
Me too.
Steve Gibson
You're not going to find anybody who's more concerned about the security of the things that I'm storing in my password manager.
Leo Laporte
And they're ISO 2012. There are all of the different standards certified and stuff. This is, though, if you really did insist on it, this is the one that I think a lot of people prefer, the Rust-based server for Bitwarden called Vaultwarden, because it has an API, has a client API, so it works just fine. There is an official Bitwarden server based on .NET. But I think a lot of people prefer this Rust solution. So the fact that even that choice exists is kind of encouraging, isn't it?
Steve Gibson
Yeah. And to me that closes the deal. Open source, people are active with it, and they're, I mean, yes, they're a sponsor of the TWiT network, but it's also the right solution. And Leo, this is also the time to take our third break.
Leo Laporte
I wish I had a Bitwarden ad right now. If only. It's actually coming up though. Yeah, we love Bitwarden, and honestly that is absolutely the case that I'm not going to use a third party solution normally, but they're just not a need.
Steve Gibson
They don't want the information. They don't want to have any ability to have the information.
Leo Laporte
It's encrypted at rest, it's encrypted in transit, it's encrypted in my end. Nobody's got it. Yeah, except me. Well, if I don't have a Bitwarden ad, I have another one almost as good. And it's also something that we've talked about on this show. Our show today brought to you, at least this portion, by DeleteMe. Remember after the National Public Data broker breach, you and I thought, well, let's try this tool that sees if your Social Security number is in the breach. Ours were. Then I thought, you know, let's try Lisa's. There was no trace of Lisa in the breach. Why? Well, we decided as a company that we needed to protect our management from phishing attacks. And it was after we had a couple, we thought, Lisa's information's online. We got to make sure it's not. And that's when we went to DeleteMe, our sponsor for this section of Security Now. If you ever have wondered how much of your personal data is out there on the Internet for anyone to see, want to know more? Just a Google search, but don't do it. Don't do it. It's a lot more than you think. Your name, your contact. Yes. Your Social Security number. It's legal for data brokers to collect and sell it. I don't know how that could possibly be legal, but it is in the US. Home address, even information about your family members, all being compiled by data brokers and sold online. And anyone on the web can buy your private details. And of course the consequences could be identity theft, phishing attempts. That's what happened to us. Doxxing, harassment. Well, that's why you should protect your privacy with DeleteMe. As someone who exists in the public, especially someone who has some strong opinions, which I share online, I think, you know, it's important to think about safety and security. I know I'm a target for hackers, and it's easier than ever to find personal information about people online.
Actually, I think maybe the reason that we went to DeleteMe is somebody, kind of crazed fan, some years ago showed up on Lisa's doorstep. That's not good. But where do they find that information? It's online. Right. That's why I personally recommend and use DeleteMe. DeleteMe is a subscription service. It removes your personal info from hundreds of data brokers. You sign up, you provide DeleteMe with exactly what information you want deleted. So you control it. Right. And their experts take it from there. But it's not, doesn't end there. DeleteMe will continue to send you regular personalized privacy reports showing what info they found, where they found it, what they removed. And it's not. DeleteMe is not a one-time service. They're going to continue to work for you, constantly monitoring and removing that personal information you don't want on the Internet. Because this stuff is like cockroaches. The data brokers return, they return to the scene of the crime, they start the dossiers again. Plus there's new data brokers literally every day. It's such a lucrative and completely unregulated business. Because we got phished, we got DeleteMe for Lisa. And I think especially if you're a business, you really should consider it for your middle managers, your managers, your boss. To put it simply, DeleteMe does all the hard work of wiping you, and if you want, your family's personal information from those data broker websites. It really works. We know it works. Take control of your data. Keep your private life private. Sign up for DeleteMe at a special discount for our listeners right now, 20% off your DeleteMe plan when you go to JoinDeleteMe.com TWiT and use the promo code TWIT at checkout. The only way to get 20% off is to go to JoinDeleteMe.com TWiT. Enter the code TWiT at checkout. JoinDeleteMe.com and use the offer code TWIT at checkout. I don't think I can recommend this service more highly. It's just, it's a must. Must have. All right, Steve, on with the show.
We'll have a bit more ad next break. Okay, thank you for good timing.
Steve Gibson
And you're not able to do them out of sequence, huh?
Leo Laporte
No, I have to do them in sequence for fairness because we rotate it so everybody gets different positioning in the show.
Steve Gibson
So George Towner asked, hi Steve, I haven't heard you mention the Quantum Earth series by Dennis Taylor. I just finished the first two books in what I hope is a continuing series. They were written in the same easy to read style as his previous Bobiverse books. The story seems to have some of the flavors from Michael Crichton and Peter F. Hamilton. Definitely enjoyable books. And he signed off, Chip. So I'm still deep into the Neal Asher novels and I'm enjoying them very much. They are much heavier duty hard sci-fi than the light, airy and fun Bobiverse novels were. Since the Bobiverse novels were recommended by so many of our listeners to me, and since I know many listeners appreciated learning of them from us here, I wanted to share George's recommendation and pointer to Dennis's continuing work, in case people didn't know that Dennis Taylor, the author of the Bobiverse novels, had now two new novels in the so-called Quantum Earth series. I don't know anything about them, but the idea of, you know, combining his trademark easy to read, maybe even a little humorous style with what George describes as the flavor of Michael Crichton and, Dennis, and Peter Hamilton, that sounds hard to beat. So anyway, for what it's worth, Dennis Taylor's got two more books.
Leo Laporte
Yay.
Steve Gibson
Yeah. Christopher Hunt said: Sir, regarding the purposeful obsolescence of networking gear, what would be a good in brand replacement for the Ubiquiti EdgeRouter X, the ER-X, that I presently have deployed? Ubiquiti, he says, is still a good router brand, is it not? With a billion seeming choices available, how is one to choose, especially when one has only simple needs? Thank you for your consideration, Christopher. As I mentioned a few weeks ago, I recently purchased Ubiquiti EdgeRouters for GRC's working server environment at Level 3. I would never do that if I didn't believe strongly in the reliability and integrity of the Ubiquiti brand. And by the way, those routers are on the front line. They're connected directly to the Level 3 public bandwidth coming into GRC's network. So yes, I have remained a fan of Ubiquiti. As I mentioned at the time, my own needs were a little bit unusual, since I needed a feature of Ubiquiti's EdgeRouters that's a little bit uncommon, which is the ability to configure the router to statically remap ports and IPs of the packets traversing it while also providing IP based packet filtering. This is what allows me to bypass the limitations imposed by the port filtering performed by Cox Network or, you know, Cox's residential consumer cable modem bandwidth, for example. I need it. Level 3 is performing no sort of consumer filtering; it's completely unfiltered bandwidth. But as we know, residential ISPs block a range of ports, both to prevent the abuse of their bandwidth and also to protect their own users. There are some ports that I need access to over at Level 3, and so I'm able to do port shifting and move my traffic onto ports which Cox is not blocking by performing that kind of port mapping at each end. I needed that over at the Level 3 end. I chose Ubiquiti's EdgeRouters because they're able to do that.
So Christopher asked about an in brand replacement for his Ubiquiti EdgeRouter X for reasons of replacing "obsolete," and I'll put that in quotes, networking gear. Remember that we talked about the FBI suggesting that people should do that? The truth is, remote management is what we keep seeing as the Achilles heel of these networking devices. That's the biggest risk created for any router, whether industrial or consumer. So if someone, as Christopher does, were to have a Ubiquiti EdgeRouter that's working without trouble and without exposing any form of remote Internet side logon authentication, I would consider that to be an extremely defensible exception to the rotate all end of life routers rule. What the FBI recommended is definitely a useful generic rule of thumb for your typical consumer who, you know, turns things on and thinks it's great to be able to log in with his web browser when he's, you know, somewhere else and wants to log in and do something with his network at home. But I doubt that it needs to be adopted strictly by the sorts of well informed listeners of this podcast. You know, people listening to this podcast know what they're doing, and I'm sure that by now the message has gotten through loud and clear. You just cannot expose any external authentication publicly. There's just no safe way to do that. Okay, well, no, I was going to say with the exception of SSH, but as long as your SSH server is really good and you're using long public key technology to do your authentication, then it's probably safe to do. And of course there are Tailscale and other network overlay solutions that are able to do the job too, but not just aim your browser here and guess your username and password. Shawn Michelson said: Hey Steve, our company has been hit repeatedly with typo squatting in email attacks during the last 12 months. One of the recipients in an email chain has been unknowingly compromised and the bad guys sit on the account and monitor email.
Then at the right moment they will respond with an email using a fake address that closely resembles the real address, hoping the recipient does not notice. They paste the entire history of the email chain up to that point so it looks like a response to and continuation of the original conversation. Wow, it's a good spoof, he says. But then they insert their own malicious content, usually a request to change ACH payment details. Ouch, he said. I've noticed in every case the domain of the fake email address which they use is always registered in the last few days before the first fraudulent email is sent. It got me thinking: an efficient way to combat this issue would be for the email system to somehow, on the fly, check the WHOIS domain registration discovery date for any outside email senders or recipients. However, this is not a service provided by Microsoft 365, our email provider, and it looks like the only way to achieve this is to create some sort of custom software solution to intercept and inspect the email. But this seems like a security measure that needs to be built in. Typo squatting is rampant, and any email from a domain that was registered in, say, the last 30 days should be marked as highly suspicious and treated as such, he says. In fact, I'll bet the vast majority of spam email comes from recently registered domains. A system that blocks email to or from recently registered domains could have saved us and our business partners tens of thousands of dollars in fraudulent ACH transfers just in the past year. So I just wanted to say that's a super smart suggestion, Shawn. I agree 100%. You know, these are the sorts of things, like filters, that we just keep missing. They're obvious ways of, or maybe not so obvious ways, but powerful ways of looking at what's going on and recognizing that there's a problem that might otherwise be missed and is easy to filter.
Given that email uses a store and forward architecture, it's the sort of thing that either the intermediary email server could do, or it could be done by an email client, maybe with a plugin of some sort. Anyway, I just wanted to put it out there, share it with our listeners, because I think it's a truly terrific idea. And again, it doesn't have to, like, route the email to spam or immediately block it, but boy, adding a banner to the email flagging it very clearly, as in, you know, there are people here in this thread, or this sender, whose domain has only been registered for a week, that would immediately raise a red flag if you think it's coming from your bank, which clearly would have a domain that's been registered for years. Yehuda Cohen said: Searching the web and GitHub for Signal archive bot turned up one link. He said, I haven't actually looked into it, but what could possibly go wrong? And I have the link in the show notes. It's at GitHub.com, M-A-T-H-I-S-D-T, Signal Archive Bot. I followed that link and I discovered that the Signal Archive Bot project at GitHub depends upon another project, which is Signal CLI, as in command line interface, as you'd expect, a Signal command line interface. And that Signal command line interface project in turn relies upon an official Signal app library written in Java called LibSignal Service Java, which is a Java language library for communicating over the Signal protocol.
Leo Laporte
So this is exactly what you described?
Steve Gibson
Yes. Yep.
Leo Laporte
This is really interesting.
Steve Gibson
It is exactly what I described, Leo.
Leo Laporte
Now, obviously you would have, if you were going to be the Pentagon, you would run this inside the Pentagon on security.
Steve Gibson
Absolutely. Down at the NSA, down in some dark archive facility at the NSA. I have to say that browsing around Signal's GitHub work is inspiring. Just seeing Signal open source clients and desktops and servers, I mean, it's just, you know, I enumerated Moxie's work in those five postings that were there the other day in a podcast last week or the week before.
Leo Laporte
Unbelievable.
Steve Gibson
Just all good things. And you know, I have such a backlog of projects already that people are waiting for. Otherwise I might be tempted to give what's there much more than a passing look because, you know, maybe someday I'll have a chance to contribute to those things. But it's very clear that all of the resources are present for someone to create a highly trustworthy Signal messenger archiving system. And it is also clear the world needs such a solution. So hint, hint. Anybody interested? That would be great if a listener of ours were to pick that up. Paul Hunter Line said: Hey Steve, I've been listening to this podcast on and off for a while since my manager recommended it to me. I caught the speed test saga and knew of a tool that could help with discovering local network issues. It's a self hosted speed test server in a couple flavors. There's a Microsoft Store version, but also a self contained NGINX package that can be extracted and run on Windows using Docker containers. This is a tool I use all the time at my job as an MSP to troubleshoot LAN speed issues, and I have used it to spot bad connections. Basically, getting under 1,000 down and 1,000 up, meaning a gig, on a local wired connection is fairly standard for us. It also helps rule out whether it's a LAN issue or an ISP issue, as well, if I can pump gigabit speeds through the LAN, especially when the ISP connection is far less. By default it's on HTTP port 3000 and HTTPS port 3001, so it can run alongside other web servers as well. And he gave me the link: openspeedtest.com self hosted speedtest. He said thanks for the podcast insight and educational material you provide, and cheers to many more.
Leo Laporte
Doesn't seem like self hosting a speed test is quite the thing though, right?
Steve Gibson
I mean, well, for LAN stuff.
Leo Laporte
Yeah. How fast is my lan? Yeah, okay.
Steve Gibson
Yeah. I wanted to share this note with our listeners because I could see a lot of interest in a tool for performing local LAN side network testing.
Leo Laporte
That makes sense. Yeah.
Steve Gibson
Remember that the nature of Ethernet connections, which is its strong ability to retransmit defective packets, which is built into the Ethernet spec, and its party line where everyone gets to talk at once, means that faulty and flaky connections can be covered up by the protocol. I've seen this.
Leo Laporte
Or a bad cable.
Steve Gibson
Well, exactly. Exactly. Or a bad switch. Yeah, so I've seen this a few times through the years, and without stress testing there's really no way to know when many packets may not be getting through. Anyway, I went over to OpenSpeedTest.com to take a look around, and I'm impressed. It looks like a very nice and well thought out system. On the self hosting page they provide downloadable executables for Windows, Mac and Linux for 32 bit and 64 bit Intel platforms and ARM platforms. So there's a lot there. It looks like the real deal. And I noticed that down in the fine print they note that they use the CacheFly CDN. So overall I'm impressed by these guys, and I wanted to thank Hunter for bringing it to everyone's attention. Looks like a cool thing. Yeah. Charles Turner said: Steve, your recent coverage praising Microsoft's rollout of passwordless accounts inspired me to remove the passwords from my Microsoft Authenticator accounts. Over the last year I've noticed intermittent bursts of failed login attempts from around the world, most commonly from China, Brazil or Africa, with an increased smattering of failed login attempts from within the United States. I check Microsoft Authenticator daily to keep an eye on failed login attempts. I got a good scare last year when I think an attacker managed to luck out in guessing a high entropy password. An MFA pop up thwarted the progression of the attack. I'm curious to see if there are any more failed login attempts going forward now that I've gone fully passwordless. Thanks, Charles. I included Charles's note just to remind everyone again about this. As I said, you know, it's so easy to be listening to a podcast and think to yourself, ah, that seems like a good idea, I need to remember to do that, only to then be overtaken by life and forget to get back to it.
Removing one's password from Microsoft login is such a useful feature, and one, as I said before, that Microsoft would never have instituted if they didn't recognize its importance. So if it's important enough for them to do it, it's important enough for me to reiterate it. So thanks again for the reminder, Charles. Blair Learn said: Hi Steve, I just listened to episode 1025 last week, in which you read a bit of listener feedback that left you perplexed about Microsoft's Authenticator app needing you to type in a two digit number. And Leo, you partially clarified that on the fly last week. He said, I use Microsoft's products in an enterprise environment, and I thought I might be able to shed some light on this. What's going on is that Microsoft offers the option of using a push notification instead of the TOTP. The enterprises I'm familiar with allow you to use either of these as a second factor. The problem with the push notifications is, of course, notification fatigue. People get used to seeing the notification and just clicking yes, it's me, without thinking it through. So if someone figures out your password, your authenticator asks you to confirm and you blindly do. I'm sure you see where this is going. To counter this, when you log into a Microsoft system that uses push notifications, they display a two digit number. You then have to enter that number into the pop up from the Authenticator app. That way it's much more difficult for an end user to accidentally confirm a third party's login attempt. I hope that shed some light on it. Blair, SpinRite user, Club TWiT member and general purpose geek. So Blair, thank you for that. We've talked about this pop up push notification authentication fatigue before, and how users soon become trained, much as we all do with license agreements, to just click through them. The fact that the term click through is even a thing suggests that all of this is just a nuisance.
So Blair clarifies that Microsoft resolved what is essentially a human factors design flaw in their push notification system by making the system less easy to use, thus less easy to misuse. Microsoft now requires the user who is authenticating to enter a two digit code into their authenticator app. Since it would be the bad guy who guesses the password to trigger the authenticator, then the bad guy would receive the proper two digit code, not the user on the receiving end of the pop up, so they would be unable to satisfy and complete the authentication request. Microsoft figured out a useful way of, as I said, making the system less easy to use but also less easy to abuse. So that's good. Jeremy Cherney wrote: Hi Steve, I loved the recent episode on end to end encryption. It seems when I have some thoughts swirling around my head, you have an episode that adds clarity. I've been thinking about using Threema and don't recall you speaking about it lately. Where does it fit in the end to end encryption discussion? Is it still recommended? Here's to you and another 1k of episodes. Yes, I do still love Threema. The thing I like about it is that it gives its users explicit and visible control over their keys. I've always liked that. iMessage, Signal, Telegram and WhatsApp all go to great lengths to hide the key management. Their success in doing so demonstrates that it's possible. Users of those systems typically don't even know they have keys. And that's good for most people who just don't care. By comparison, Threema makes keys explicit and deliberate. Threema's approach might be called trust and verify, because it allows its users to manually verify the other party's keys using some out of band mechanism, meaning anything other than Threema, which a bad guy might also be able to intercept and spoof.
So for example, two Threema users might read their key verification codes to each other just once over the phone, and that would allow them to confirm their end to end encrypted connections. And as for another 1k episodes, well, that would be fantastic, because it would mean that you and I, Leo, are both still alive, kicking and usefully functional at the age of 90.
Leo Laporte
So that's a goal that's not impossible. You take a lot of vitamins.
Steve Gibson
I feel great.
Leo Laporte
Yeah, let's, let's shoot for age 90.
Steve Gibson
That'd be great.
Leo Laporte
One of our sponsors, I want to ask you about this because I thought it was kind of interesting, and they sprung this on me today. They had never mentioned this to me before. They're called Spaceship, and they're a domain name registrar, they do web hosting, that kind of stuff. But they have now announced a new messaging product called Thunderbolt. It's for iPhone and iOS. Okay, but, unfortunately, they don't describe it. They call it end to end, but they don't say how they're doing it. So I'm not going to emphasize the end to end. But what they do do that's kind of interesting is your ID is a domain you control. So there's no password or anything. You just put a text record in your DNS. So for instance, I'm leolaporte.me, I control that domain. So that is now my ID on this Thunderbolt. And you can do voice messaging, video messaging and chat messaging with it using your domain. So no passwords necessary either. So I think that's kind of an intriguing idea, because especially if you have DNSSEC protected DNS records, that's a pretty secure way of identifying you, right?
Steve Gibson
Yeah.
Leo Laporte
Controlling that domain.
Steve Gibson
That's very cool.
Leo Laporte
Yeah, I thought it was interesting. I've messaged them saying we can talk about it. I'm not going to call it, claim it is end to end, until you tell me how you're doing that. But even if it's not, I mean, they don't store messages.
Steve Gibson
Presumably you're what you're passing in your DNS record is your public key.
Leo Laporte
That's exactly right.
Steve Gibson
And so somebody else could obtain your public key from your DNS record. Then if they encrypt something under that public key, only you, who control the matching private key, would be able to see it. So I would say that qualifies as end to end.
Leo Laporte
Yeah, I want to know more about it. I asked them because I'd like to know the deets. But isn't that a clever idea, especially for a domain registrar? They say it's going to be free forever, because really it's just a way of getting people to register a domain. Right. And now you get this messaging attached to it. Anyway, that's a sponsor. I don't want to belabor it, but I'll ask them and find out more. But I just thought it a clever way of identifying yourself.
Steve Gibson
What we should belabor is this sponsor.
Leo Laporte
Oh, you know who it is. Somebody you like a little bit. Bitwarden, ladies and gentlemen. Really a fan of Bitwarden. And boy, I didn't ask Steve to do that testimonial. Completely unsolicited. He would do it, as you well know, whether they're a sponsor or not, he doesn't care. But it makes me pretty happy because I'm all in on Bitwarden too, right? Bitwarden is my password manager, the trusted leader in passwords, secrets, passkey management. You know, I was a little skeptical on passkeys when it had to be tied to my iPhone. But with Bitwarden, I store all my passkeys in there, and more and more. By the way, both my Google logins from my two Google accounts are now passkey. I'm loving this. You know, my GitHub, of course, my Fastmail, all the stuff that's most important to me is now passkey protected and it's all in Bitwarden, which means it's available to me on every device I have Bitwarden installed on, which is pretty much every device I use. Bitwarden has now 10 million users, 180 countries, over 50,000 business customers worldwide. That kind of surprised me because I think of Bitwarden as this great open source tool for individuals. You know what? Businesses love it too. Bitwarden protects businesses and individuals worldwide. G2 consistently rates Bitwarden number one in user satisfaction. That's a hard thing to do, to have both a very strong encryption methodology and be easy to use. But they really focus on that. That's very important to them. Every year around this time, they do their World Password Day survey. And this time they focused on Gen Z, which is the generation that grew up with the Internet, born in the, like, mid-90s to the 2010s, something like that. They're probably the, you know, the most digitally native generation out there. Alpha's a little too young to really be, you know, using this stuff yet. Unfortunately, you'd think Gen Z would be the smartest about passwords.
They are in fact guilty of the highest incidence of password reuse, which we all know is a terrible idea, but you do it because you can't remember your password, so you just use the same one, because you're not using Bitwarden. Bitwarden's survey found that 72% of Gen Z reuse the same password across accounts. And it's not that they don't know better. 79% of them say, yeah, we know password reuse is risky. So they've gotten that message. Here's one that really shocked me: when they get an email from a company that says, we've had a data breach, we're going to reset your password, 59% of them recycle an existing password when they're updating accounts with companies that have been breached. Like, they know that's not a good idea. That's why you need to use Bitwarden, you youngins. Bitwarden has announced the launch of Access Intelligence. This is for business. The new capability helps enterprises enable employees, many of them are Gen Z, right, to proactively defend against internal credential risks and external phishing threats. There are two core functionalities here. There's Risk Insights, which reduces alert fatigue and allows IT teams to identify, prioritize and remediate at risk credentials. So it makes it easier for you to keep up on what your Gen Z employees are doing. There's also, and this is really nice, an advanced phishing blocker, which alerts and redirects users from known phishing sites in real time. They have a continuously updated open source block list, so they know if you go to a phishing site. They go, whoa, hold on there. No way, bucko. So that's nice too. Bitwarden, again, they focus on simplicity and ease of use because they know there's no good in having a security tool if you don't use it. Bitwarden setup, if you're thinking of moving, takes a few minutes. It's very easy. Steve and I moved over from LastPass with no trouble at all. It supports importing from most password management solutions.
And if you're curious, the Bitwarden open source code, and Steve was mentioning this, can be inspected by anybody, and it is regularly audited by third party experts. And I was saying this, you know, yes, you can host your own vaults if you're an individual, but I think Bitwarden is going to do a much better job of securing it. They meet the strongest security and compliance requirements: SOC 2 Type 2, GDPR, HIPAA, the California Privacy Act, CCPA, ISO 270012002, they're certified for all of that. So they're doing the right thing to protect that vault. But you could host your own as an individual if you wanted to. If you're a business, trust Bitwarden. You and your business deserve an effective solution for enhanced online security. Get started today with Bitwarden's free trial of Teams or Enterprise plans, or, and this is always the best part of all this and the thing I like saying the most, free forever as an individual user, because it's open source, right? And I asked them specifically, I said, because we've had a rug pull from other companies, are you ever going to charge for your individual plan? They say, no, never. We can't. We're open source. That means unlimited passwords. It means YubiKey and other hardware key support. It means unlimited passkeys. It's everywhere you want it to be. Bitwarden.com/TWiT. For a business, for an individual, this is the way to go.
Steve Gibson
Go.
Leo Laporte
Bitwarden.com/TWiT. I can't say it any better than Steve did. Thank you, Steve, for supporting Bitwarden, and thank you all for using it. And if you're not using it, I know you all are because you're smart, but tell your friends and family, because they're the ones, those Gen Zers, they're the ones at great risk. Bitwarden.com/TWiT. Thank you.
Steve Gibson
Well, and our listener who asked the question said he had not been listening for long. So maybe he hasn't, you know, fully gotten the religion yet. But I think if you listen to today's podcast, he's gonna get religion. That's right.
Leo Laporte
On we go.
Steve Gibson
Bob Southwell wrote: Hi Steve and Leo. Okay, your story about your wives talking to you from the other end of the house reminded me of this one. And he actually put up a screenshot of big bold text that says, why does my wife always wait until I'm at the opposite end of the house before asking me to...
Leo Laporte
Oh, I hope Lisa's not listening.
Steve Gibson
And I have to say it was a surprising relief to me last week, Leo, when you mentioned that your wonderful wife Lisa shared the tendency my own wife has of talking to me when I have no chance of understanding what she is saying or may have asked me. In fact, following last week's podcast, I thought about it several times. So when Bob's note showed up, and I further learned that this is actually a common enough thing to be a meme, yeah, yes, I said, well, there we go. It actually made my plan to be usefully functional past the age of 90 seem somewhat less stressful.
Leo Laporte
Well, and I wear hearing aids because she says you can't hear me, so I wear hearing aids and it doesn't help at all.
Steve Gibson
I gotta tell you, I get the same. As Lorrie says, you're just not listening. Oh yes, I am, straining, listening.
Leo Laporte
I'm trying as hard as I can. Well, to be fair, I do it to her too. So all the time I'm talking to her from the other room.
Steve Gibson
Okay, so I had planned to end our feedback for the week on that last bit of fun, but before I could close my email client, I encountered another note that I needed to share. Marcus Hufvudsson, H-U-F-V-U-D-S-S-O-N, Hufvudsson, Marcus, I'll just call you Marcus. Yeah, he said: Dear Steve, given the recent discussions on public facing server security on the podcast, I thought I'd drop a note that might be of interest to everyone listening. I'm a longtime user and nowadays the sole maintainer of the free open source PortSentry project, that's at S-E-N-T-R-Y dot XYZ. PortSentry quietly listens on unused ports you specify, and upon detecting traffic, the connection attempt will be logged and you can optionally take actions such as blocking the connecting IP via the system's firewall. PortSentry supports listening for a variety of port connection techniques such as TCP SYN, FIN, Xmas and NULL scan techniques, he says, with more detection, avoidance and enumeration techniques planned. It can also listen for UDP traffic, he says. I usually cite two main use cases for PortSentry. Use case 1: as an enumeration interference tool, he said. By blocking source IPs trying to access unused services on your machine, you effectively prevent bots from enumerating your services, as well as interfere with targeted enumeration attacks. For example, if you're providing a public facing web server on TCP ports 80 and 443, you would set up PortSentry to listen for connection attempts on the other TCP service ports, 1 through 79, 81 through 442 and 444 through 1024, he said. Since legitimate traffic would never attempt to access ports for non existent services, blocking anyone who does try to access them will cut them off from further probing your actual public facing services, he says.
Hint: blocking the telnet port still to this day will get rid of a ton of bots. And then for use case 2: deploying PortSentry internally in your organization's networks, such as the LAN, Wi-Fi, VPN, management networks, et cetera, will turn PortSentry into a type of NIDS, a network intrusion detection system. Since no legitimate traffic within your organization should ever touch the services PortSentry is listening for, a connection attempt would be a strong indication that something is not right, he said. I usually set up PortSentry in a dedicated VM or container and just listen to ports 1 through 65535. Since the dedicated PortSentry host should never be touched in your organization anyway, again, any traffic to it should be taken seriously. Of course the PortSentry project is a small but useful cog in what should be a larger and more complete cybersecurity system, so it should of course be used in conjunction with other tools and techniques. Best regards and thanks to you and Leo for your work, Marcus. So I wanted to share this because I think it's sort of brilliant for internal LAN network monitoring. It is 100% true that we should never expect to encounter any traffic inside our LANs that isn't deliberately aimed at a specific service present at a specific IP. Anything that appears to be guessing about services that might be present should sound alarms. Under no circumstances would we ever expect anything to be scanning around inside our LANs, and anything that did so should be immediately sequestered and held to account for itself. Any form of probing should raise holy hell. Now, this is also technically true for the significantly larger network which we all know as the Internet, or the WAN, as opposed to our local LANs. Imagine if we were to immediately block any remote IP that attempts to connect to any publicly available IP and port that is not advertised through our domain's DNS.
When you stop to think about it, DNS is the only official way the IP for any given service for which we intend to solicit anonymous public traffic, such as the web or email, should be found. So no traffic that hits any non public IP and port should ever be tolerated, and immediately adding any such IP to a block list would be reasonable. Now, having said that, attempting to tame the wider Internet is probably a fool's errand. For one thing, we know that innocent routers are being commandeered by bad guys for use as proxies, so blocking any source of Internet background radiation might be going too far. But the same is absolutely not true for a LAN. A LAN absolutely could be and should be tamed, and I'm pretty certain that a passive monitor ought to be able to detect suspicious activity. Having thought about this while writing this, one problem that occurs to me is that wired Ethernet switches are inherently isolating. They acquire an awareness of which Ethernet adapters, by MAC address, are living on which port, and selectively route traffic destined to those addresses only on the appropriate port. But there is one class of traffic that all switches broadcast, which is ARP. ARP has the "who has this IP" broadcasts. This is all stuff that we discussed in detail and depth back in the early bygone days of this podcast. ARP stands for the Address Resolution Protocol. It's an Ethernet protocol that was invented to map the 32 and 128 bit Internet IP addresses to 48 bit physical hardware adapter MAC addresses. Ethernet is not actually addressed by IP addresses. What we see are IP addresses, but there's a less seen mapping going on behind the scenes, because Ethernet is addressed by these universal 48 bit MAC addresses.
So when a PC, a mobile, an IoT, or any other device wishes to use Ethernet to send an Internet style IP packet to a specific IP address on the LAN, an internal ARP table is examined to see whether the MAC address that's associated with the IP address is already known to the device. If it is, the outbound Ethernet packet is addressed to the IP's corresponding MAC address and off goes the packet. But if the IP's corresponding MAC address is not known, it must first be obtained. So the device needing to know broadcasts an ARP message which literally asks, who on the Ethernet network has this IP address? Since the unknown device could be anywhere on the Ethernet network, any Ethernet switching device that receives this message relays it out on every one of its other ports. This is why this is known as an ARP broadcast, because it's broadcast to everywhere. It's literally broadcast to every other device that's participating on the locally connected Ethernet network. So here's why this is interesting. For one thing, these ARP broadcasts occur at a very low level of any operating system's networking layer and are not under the control of any application, so malware would have no way of either observing or preventing them. The other reason this is interesting is that this means that an outpost placed anywhere on the Ethernet would be able to monitor and observe any and all ARP discovery operations, where any IP enabled machine on the network is requesting the IP of any other. They may send traffic to a networked printer and perhaps a few other devices, but generally no machine on the internal LAN would be expected to do more than that, and no machine would be expected to be poking around anyone's LAN at random, especially asking for the MAC addresses
For for any IP addresses that do not exist on the lan, any behavior of that sort should immediately raise suspicion, and any behavior of that sort would also be immediately obvious to any other device on a network that might be monitoring and watching ARP traffic. So my point is this again, while I don't have a ready to plug in solution, this is another opportunity for anyone who might be interested, and it would be pretty slick to have someone act upon it. The device could be something like a Raspberry PI running Linux. If it was plugged into any unused ethernet router or switch port, it would inherently have access to the entire network's ARP broadcasts. Because that's the nature of arp, everyone inherently needs to be able to receive those broadcasts. This renders any attempt by any device of any kind to communicate via ethernet to any IPs that it hasn't already contacted, and that makes its attempt to do so readily apparent. Malware could be detected immediately, so something to think about. I wanted to take a moment to note that so far, the second season of Disney's andor Star wars spin off series is astonishingly good. As good as the first season. There may be slightly less show offy special effects in season two, but it is a plot driven so series. I'm about halfway through season two and frankly I'm in awe at the idea of what I would call mature adult Star Wars. Or to put it another way, there is no sign whatsoever of either Ewoks or Jar Jar Binks.
Leo Laporte
That's no good.
Steve Gibson
Was it Jar Jar? Yes, it's very clear that Andor's producers would never consider introducing any such nonsense. Leo, yes, I've also noted the great restraint that's been used with the appearance of non-human aliens in general. A few scenes will feature them in brief conversation, but they're not used as a distraction or to increase the otherworldly credit of the series. What we have in Andor is intriguing mature adult drama with political machinations and the use and abuse of power. It's set in the Star Wars universe during the early days of the rise of the Empire. And of course it's got breathtaking planetscapes and skylines and a flagrant use of anti-gravity technology. Also, there's no mysticism. We don't have Yoda or Jedi.
Leo Laporte
But we're. Although somebody. Anthony says somebody spotted a Jar Jar Binks skull in Luthen's shop.
Steve Gibson
Good.
Leo Laporte
So it might be a little tie-in. Yeah, this is. It's like. Yeah, we know there's no Jar Jar in here. He's dead. So I will look for it. There's a Gungan skull in Luthen's gallery. Somebody found it.
Steve Gibson
Yeah, we have this. What we have is the early seeds of what eventually grew into the rebellion.
Leo Laporte
Right. Which is why I like it. The story of how it started.
Steve Gibson
Yeah, it's just excellent science fiction content. Wikipedia had a short paragraph. They said Andor is a gritty, cynical and detailed view of how the Galactic Empire government works.
Leo Laporte
It's great to see just the tyranny. You could see why they were rebelling. Yes, I'm sorry, go ahead.
Steve Gibson
Yeah, it says, and the consequences of its actions upon everyday citizens. Beginning five years before the events of Rogue One and A New Hope, the series employs an ensemble cast of characters to show how a rebel alliance is forming in opposition to the Galactic Empire. One of these characters is Cassian Andor, a thief who becomes a revolutionary and eventually joins the rebellion. And just, you know, I'll just add that IMDb rates the series at the hard to achieve 8.5 out of 10 and Rotten Tomatoes gives it a 96%.
Leo Laporte
Wow.
Steve Gibson
And I did. I also noted that if you're now despairing, having heard all this, of not having a Disney+ subscription, the minimal Disney+ plan is just $11 for a month, and the first two full complete seasons give you a total of 24 enjoyable episodes. So you could subscribe for $11, binge for 24 hours or maybe spread it out over a week or two, and then easily unsubscribe. You'd be exhausted. But you'd also have two full seasons of a really good science fiction series.
Leo Laporte
Yeah, I'm enjoying it. Yeah, it was a little tough because they didn't do much of a recap or any of that. They didn't say "last season." They didn't do any of that; they launched right into it.
Steve Gibson
Right. And in fact I was expecting that they didn't do that. Lori was immediately lost because, I mean, she likes to kind of go around the house and be doing other things in the background and kind of be listening halfway. This thing requires your absolute focus. I mean, it is detailed and in depth.
Leo Laporte
It's like a spy story, right? It's good.
Steve Gibson
Yes. The reason there's no recap is that it is there, Leo. It's just a separate thing you have to select. There is.
Leo Laporte
There's a 14-minute recap on Disney+ that you can watch.
Steve Gibson
So definitely, because it was what it was three years ago that we had the first season. So they made us wait a long.
Leo Laporte
Time and this starts up a year later. So there's definitely some like what happened.
Steve Gibson
My only annoyance with it is that I generally find subtitles to be a distraction. I prefer to listen with my ears while watching with my eyes. But part of the reality of the production is that, you know, like for example, two people will be holding an important conversation while walking and more or less muttering to one another.
Leo Laporte
Right.
Steve Gibson
Even if you back up and turn up the volume and listen intently, it's impossible.
Leo Laporte
You are sounding like such old men. You know those young people today, how they talk?
Steve Gibson
What are they saying?
Leo Laporte
Anyway, I have to watch. I don't like it, but I have to watch with subtitles on almost everything now.
Steve Gibson
Yeah.
Leo Laporte
Yeah.
Steve Gibson
One last little bit of news. Owen Lagar. He said: Looking forward to SpinRite 7 with better support for USB and solid state drives. Amen. He said: After your discussion of solid state drives in storage becoming unreadable, I started using SpinRite to check the performance of all of mine and found significant degradation in the read speeds on portions of many of the drives. Sometimes a SpinRite Level 2 would fix the issue, but I usually had to run a Level 3 on the 1/3 or 2/3 of the drive that had slowed to get their performance back to full speed. Your comments on heat being a big factor are very true. Many of the flash drives I had at room temp for only a couple of years were in worse shape than any of the drives I had stored in the freezer, some of which had been stored for 10 years. After you finish the DNS Benchmark, please consider a paid version of ReadSpeed that would work on USB drives so we could identify smaller areas of solid state USB drives that need a Level 3 refresh. Knowing what a mess the USB standards have been over the years, I'm not expecting SR7 for many years in the future after seeing all the BIOS issues encountered developing SpinRite 6.1. Thanks, Owen. Okay, so among the several pieces of interesting feedback Owen shared, his experience with temperature being a huge factor in flash storage data retention, and almost certainly its reliability, was the clearest that I've seen. It would be great if that guy who was doing the unpowered SSD endurance testing would incorporate temperature into his testing. The physics say that it really ought to make a huge difference, and I would strongly encourage anyone who may be archiving data on solid state memory of any kind to store it in a very cool way, or perhaps even at a freezing temperature that won't hurt it. If you're a SpinRite owner, first give any such device at room temperature a full Level 3 scan to establish a full recharge across all of its data storage cells.
Then perhaps toss one or more of those drives with some desiccant packs into a sealed Ziploc bag. Manually suck the air out to remove any moisture bearing air as much as possible. Finish sealing the bag and drop it into the freezer. And along with my Palm Pilots, they will hold onto their data forever.
Leo Laporte
Do you have any food in your freezer?
Steve Gibson
There's no room, Leo. No. Okay, our last break and then we're going to talk about the discovery of rogue comms tech found in the US power grid.
Leo Laporte
Scary, scary, scary. All right, let us talk now about a sponsor for this segment of Security Now, Drata. If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, right? You gotta manage security risks, compliance demands, and of course, budget constraints, all while trying not to be seen as the roadblock that slows the business down. But GRC isn't just about checking boxes. It's a revenue driver that builds trust. It accelerates deals and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, scaling your program. With Drata, you can automate security questionnaires and evidence collection and compliance tracking. You can stay audit ready with real time monitoring. Oh, and you'll love the Drata Trust Center. It simplifies security reviews, and the AI powered questionnaire assistance is fantastic. Look, if you're not using Drata, you're spending a lot of time that you don't need to proving trust. Instead of spending hours proving trust, build it faster with Drata. If you're ready to modernize your GRC program, visit drata.com/securitynow to learn more. drata.com/securitynow. And by the way, when I say GRC, I'm not talking the Gibson Research Corporation. You know, it's governance, risk and compliance. And it is nowadays. It's a big issue, people. You know, there's a lot which is good. There's a lot of compliance requirements. I think that's a good thing. But it's also a lot of extra work. Drata makes it easy. drata.com/securitynow. Thank you, Steve, for letting me take a pause here. But back to the grindstone you go.
Steve Gibson
Okay, so because the news that I need to share today is so upsetting, I need to first do what I can to make sure we're all on the same page about the source of this information. The news that this podcast will be sharing this week is reported by the Reuters News Agency. Reuters, as it's more commonly known, is a news agency owned by Thomson Reuters. It employs around 2,500 journalists and 600 photojournalists spread across 200 locations worldwide and writing in 16 languages. It's one of the largest news agencies in the world, having been established, believe this, in London in 1851 by Paul Reuter. So their news last Wednesday, May 18, carried the headline Rogue Communication Devices Found in Chinese Solar Power Inverters.
Leo Laporte
Oh wow.
Steve Gibson
Here's what we know, thanks to this reporting from Reuters. They wrote: U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, they wrote, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers. While inverters are built to allow remote access for updates and maintenance, the utility companies that use them typically install firewalls to prevent direct communication back to China. However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by US experts who strip down equipment hooked up to grids to check for security issues, the two people said. Over the past nine months, undocumented communication devices, including cellular radios, have been found in some batteries from multiple Chinese suppliers, one of them said. Reuters was unable to determine how many solar power inverters and batteries they've looked at. The rogue components provide additional undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said. Both declined to be named because they did not have permission to speak to the media. However, Mike Rogers, a former director of the U.S. National Security Agency (NSA), said, quote, we know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption.
I think that the Chinese are in part hoping that the widespread use of inverters limits the options that the West has to deal with the security issue, unquote. Meanwhile, a spokesperson for the Chinese Embassy in Washington said, quote, we oppose the generalization of the concept of national security, distorting and smearing China's infrastructure achievements, unquote. Experts said that using these rogue communication devices to skirt firewalls and switch off inverters remotely or change their settings could destabilize power grids, damage energy infrastructure and trigger widespread blackouts. One of the people said that effectively means there is a built-in way to physically destroy the grid. The two people declined to name the Chinese manufacturers of the inverters and batteries which were found to contain extra communication devices, nor say how many they had found in total. The existence of the rogue devices has not previously been reported, nor has the US government publicly acknowledged the discoveries. When asked for comment, the U.S. Department of Energy said it continually assesses risk associated with emerging technologies and that there were significant challenges with manufacturers disclosing and documenting functionalities, a spokesperson said. While this functionality may not have malicious intent, it is critical for those procuring to have a full understanding of the capabilities of the products received, the spokesperson added. Work is ongoing to address any gaps in disclosure through software bills of materials, or inventories of all the components that make up a software application. Okay, now I'll just interrupt and say that a software bill of materials doesn't quite address the issue of hidden cellular radios, and software bills of materials are voluntary disclosures of software components and libraries. They don't address concerns of possible malicious intent.
Reuters continues: As US-China tensions escalate, the US and others are reassessing China's role in strategic infrastructure because of concerns about potential security vulnerabilities, two former government officials said. U.S. Representative August Pfluger, a Republican member of the Committee on Homeland Security, told Reuters, quote, the threat we face from the Chinese Communist Party is real and growing. Whether it's telecom hacks or remotely accessing solar and battery inverters, the CCP stops at nothing to target our sensitive infrastructure and components. It is about time we ramp up our efforts to show China that compromising the US will no longer be acceptable, unquote. In February, two US senators introduced the Decoupling From Foreign Adversarial Battery Dependence Act, banning the Department of Homeland Security from purchasing batteries from some Chinese entities starting October 2027 due to national security concerns. The bill was referred to the Senate Committee on Homeland Security and Governmental Affairs on March 11 and has yet to be enacted. That's interesting, since it suggests that there are areas of the government that must be aware of at least the potential for this sort of abuse. Reuters explains of this bill: It aims to prevent Homeland Security from procuring batteries from six Chinese companies Washington says are closely linked to the Chinese Communist Party: Contemporary Amperex Technology Co., BYD Co., Envision Energy, EVE Energy Co., Hithium Energy Storage Technology Co. and Gotion High-Tech Co. None of these six companies responded to Reuters' requests for comment. Additionally, utilities are now preparing for similar bans on Chinese inverter manufacturers, three people with knowledge of the matter said.
Some utilities, including Florida's largest supplier, Florida Power & Light Company, are attempting to minimize the use of Chinese inverters by sourcing equipment from elsewhere, according to two people familiar with the matter. FPL did not respond to requests for comment. The DOE spokesperson said: As more domestic manufacturing takes hold, DOE is working across the federal government to strengthen US supply chains, providing additional opportunities to integrate trusted equipment into the power grid. Huawei is the world's largest supplier of inverters, accounting for 29% of shipments globally in 2022, followed by Chinese peers Sungrow and Ginlong Solis, according to the consultancy Wood Mackenzie. German solar developer 1Komma5 said, however, that it avoids Huawei inverters because of the brand's associations with security risks, 1Komma5's chief executive Philipp Schroeder said. Ten years ago, if you switched off the Chinese inverters, it would not have caused a dramatic thing to happen to European grids. But now the critical mass is much larger. China's dominance is becoming a bigger issue because of the growing renewables capacity on Western grids and the increased likelihood of a prolonged and serious confrontation between China and the West. Since 2019, the US has restricted Huawei's access to US technology, accusing the company of activities contrary to national security, which Huawei denies. Experts explained that Chinese companies are required by law to cooperate with China's intelligence agencies, giving the government potential control over Chinese-made inverters connected to foreign grids. While Huawei declined to leave the US inverter market. I'm sorry, Huawei decided to leave the US inverter market in 2019, the year its 5G telecoms equipment was banned. It remains a dominant supplier elsewhere. Huawei declined to comment.
Experts explained that in Europe, exercising control over just 3-4 GW of energy could cause widespread disruption to electrical supplies. The European Solar Manufacturing Council estimates that over 200 gigawatts of European solar power capacity is linked to inverters made in China, equivalent to more than 200 nuclear power plants. At the end of last year, there was 338 gigawatts of installed solar power in Europe, according to industry association SolarPower Europe. Uri Sadot, cybersecurity program director at Israeli inverter manufacturer SolarEdge, said if you remotely control a large enough number of residential solar inverters and do something nefarious at once, that could cause catastrophic implications to the grid for a prolonged period of time. Other countries, such as Lithuania and Estonia, acknowledged the threats to energy security. In November, the Lithuanian government passed a law blocking remote Chinese access to solar, wind and battery installations above 100 kW, by default restricting the use of Chinese inverters. Estonia's energy minister said this could be extended to smaller rooftop solar installations. Estonia's director general of the foreign intelligence service, Kaupo Rosin, said the country could be at risk of blackmail from China if it did not ban Chinese technology in crucial parts of the economy, such as solar inverters. Estonia's ministries of Defense and Climate declined to comment when asked if they had taken any action. In Britain, a person familiar with these matters said the government review of Chinese renewable energy technology in the energy system, due to be concluded in the coming months, includes looking at inverters. And get this, here's one that slipped under the radar. Reuters wrote: In November,
Solar power inverters in the US and elsewhere were disabled from China, highlighting a risk of foreign influence over local electricity supplies and causing concern among government officials, three people familiar with the matter said. Reuters was unable to determine how many inverters were switched off or the extent of disruption to grids. The DOE declined to comment on the incident. But again, last November, China remotely switched off power in the US. The incident led to a commercial dispute between inverter suppliers Sol-Ark and Deye, spelled D-E-Y-E, the people said. A Sol-Ark spokesperson said Sol-Ark does not comment on vendor relationships, including any relationship with Deye, nor does it have any control over inverters that are not branded Sol-Ark, as was the case in the November 2024 situation you referenced. Deye, for their part, did not respond to requests for comment. The energy sector is trailing other industries such as telecoms and semiconductors, where regulations have been introduced in Europe and the US to mitigate China's dominance. Security analysts say this is partly because decisions about whether to secure energy infrastructure are mostly dictated by the size of any installation. Household solar or battery storage systems fall below thresholds where security requirements typically kick in, they said. Despite how. Contributing a.
Leo Laporte
How.
Steve Gibson
Despite now contributing a significant share of power on many Western grids. NATO, the 32-country Western security alliance, said China's efforts to control member states' critical infrastructure, including inverters, were intensifying. A NATO official said, quote, we must identify strategic dependencies and take steps to reduce them, unquote. Okay, so again, two people said that, right? Rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by US experts who stripped down equipment hooked up to grids to check for security issues. And over the past nine months, undocumented communications devices, including cellular radios, have been found in some batteries from multiple Chinese suppliers. The story caught me by surprise and it had a great deal of salience for me because, you know, we have talked many times about theoretical vulnerabilities in power grids and about how devastating an attack upon our US power grid would be. And now we learn that these concerns have moved from the world of theory to reality. Why would there be undocumented radios in inverters that are not part of the documentation or the bills of material or the operating specifications? You know, we've been moving to renewable energy sources which happen to inherently produce direct current. Solar cells and wind-powered generators output DC. But the transmission of direct current is inherently more lossy than the transmission of alternating current, which is why our power grid carries AC over long distances. DC cannot be transformed in order to make a trade of current for voltage. For that, alternating current is needed, and it's the job of inverters to convert the direct current produced by renewable energy sources into alternating current.
As soon as you have alternating current, power transformers can be used to raise its voltage while reducing its current to levels that are far more efficient for long distance transportation. Given China's well proven ability to manufacture high quality electronic systems at unbeatable low cost, it was only natural for the manufacturers of solar cell systems and wind turbines, and those assembling larger renewable power solutions, to purchase the required inverters from China. In many regards, they would have been the best solutions available and probably still are. But when we learn, as we did about this last November event, where solar power inverters in the US and elsewhere were remotely disabled from China, suddenly those Chinese inverters no longer seem like such a bargain. Reuters explained that users of these Chinese devices are well aware of this danger. So in an apparent attempt to avoid being cut off from their equipment, because manufacturers are installing firewalls specifically to block Chinese access, some of these Chinese inverters and batteries have been found to incorporate cellular radios. And, you know, bending over backward to be fair, we don't know why, right? But they're not in the specs, they don't appear in the schematics or in any diagrams, and they're not required for the intended functioning of the equipment. So regardless of how they got there, who put them there, or why, they should not be there. Given the devastation that could be wrought if power grids were to collapse at the whim of a hostile foreign power, this is not a chance anyone can take. The good news is this has come to light today at a time that's early enough for appropriate actions to be taken. And even though this has not received a great deal of mainstream press, those who need to know are being informed. I did some digging.
The site Utility Dive carried the headline Rogue Communication Devices Found on Chinese-Made Solar Power Inverters. PV News, where PV is short for photovoltaics, as in solar cells, had the headline Rogue Devices Found in Chinese Solar Inverters Raises Cybersecurity Alarm in Europe. And the publication Industrial Cyber's headline was US Energy Sector at Risk as Chinese Inverters Are Under Investigation for Suspicious Communications Gear. So it appears that there will be some retrofitting, or at least much closer examination, of any already installed equipment having a Chinese origin or having unknown provenance. And it's unlikely that there will be any new use of any foreign technology that hasn't been fully vetted in critical areas. You know, it's unfortunate, but it's the world we're living in today, Leo. We end up, you know, having to switch to higher cost alternatives because we can't trust, you know, everyone to supply gear that's safe for us to use.
Leo Laporte
How big are those radios? Are they easily visible?
Steve Gibson
What occurred to me is that all you would need because we now have satellite comms, we have like, you know, satellite radio. Right. You could just do a tiny little satellite receiver if you wanted something that was able to remotely receive a signal from the orbiting mothership and take some action.
Leo Laporte
Why not just put it on the Internet? Is it not Ethernet?
Steve Gibson
They're not Ethernet connected because they have, the operators have firewalled them. They're, they're deliberately, you know, prevented from talking to China.
Leo Laporte
Yeah, yeah, very. It's really interesting. Did they say how prevalent they think this is or.
Steve Gibson
No, they weren't. The two people who were the biggest source of information were willing to say that it was multiple suppliers, multiple instances, multiple batteries, multiple inverters, but not what the count was.
Leo Laporte
Right.
Steve Gibson
And that it was somebody who, like, took the lid off of something and said, wait a minute, what's that?
Leo Laporte
Why is that over there? Yeah, well, I mean, you know, when we had solar power, I had two inverters in my garage, of course, and I never looked inside of them. It's not so much a big deal in my house, but it's a big deal in a big solar farm, you know, powering a city. These are the supply chain attacks.
Steve Gibson
I had no idea that solar has gotten as big as it is. 200 gigawatts of power is the. They said is the equivalent of 200 nuclear reactors.
Leo Laporte
It's amazing.
Steve Gibson
So it's like you don't need nuclear anymore. You just need space to lay out the panels.
Leo Laporte
Unfortunately, in the US we got a lot of space, a lot of desert, a lot of sunshiny space. Great show as always, Mr. Steve Gibson. GRC.com. You go there, you will find so many wonderful, magical things. Let's see, where should we start? SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. How about that? It's his bread and butter. Kids, go there, get yourself a copy. If you have mass storage, you need a copy of SpinRite. 6.1 is the current version. Lots of other free software though there, including Never10, which is funny now in hindsight. And if you go there, you'll also find copies of the show. Steve has unique versions of the show. A 64, sorry, 16 kilobit version, audio version, a little scratchy, but good for people who don't have a lot of bandwidth. The 64 kilobit version sounds just fine. We used to offer that, but for technical reasons we've moved to 128 kilobits. So if you still want a small download, it's half the size of ours, that's the place to go. He also has a couple of really useful things. The show notes are there, and Elaine Farris' fantastic transcripts, which allow you to not only search through the transcripts and shows; I've actually imported them into my NotebookLM to create a new Security Now show. If you ever decide to retire, or either of us decide to retire, these bots could probably do the show.
Steve Gibson
You can probably ask it questions about it on the podcast.
Leo Laporte
If you put all the. If you. I haven't put all of them in. I only put nine in, because I didn't want to spend a lot of time, but it's pretty amazing. You want to hear it? No, it's all right. We don't have time for it. But there's a Security Now show based on 9 transcripts of yours. See if I can play it here. Yeah, here we go. Turn it up really loud. It's quite funny. I'll send you a copy of it anyway. Oh, it takes a while to start. You don't need that. You got Steve. Why would we want that? Go to GRC.com, get a copy of the show. You can also go to grc.com/email. Register your email with Steve. That has two benefits. One, it means that you will now be whitelisted so you can send email to him. But also, if you want, there are two boxes down below that where you can check those two boxes if you want to get emails from Steve. One is, of course, the weekly newsletter, or the weekly show notes newsletter. The other is a very infrequent newsletter about upcoming products like the new DNS Benchmark Pro, which is imminent. All of that at GRC.com. Here we go. Here we go. Here's. Yep, lots to cover today. We've got sources touch on everything from browser security pitfalls to how your car might be spying on you and encryption.
Steve Gibson
Battles, hardware security failures.
Leo Laporte
It's quite a mix. Our goal is to make sense of it all without getting bogged down in jargon. Exactly. So let's jump right in. They sound so much nicer. Browser extensions. There's some research out of the University of Wisconsin Madison that.
Steve Gibson
That's, well, a bit concerning.
Leo Laporte
Right. This highlights a risk that maybe hasn't got away even with it's. I mean, I don't know why you would listen to that instead of us, but it's amazing. You just feed it transcripts of the show and you get a little podcast.
Steve Gibson
Like I said, Leo, we're soon to be obsolete with LLMs that we don't quite grasp.
Leo Laporte
That's the thing that I find fascinating. It's an unexpected kind of emerging capability that we just. Wow. What happened there? Come to our site, twit.tv/sn, for 128 kilobit audio. Unnecessarily large. But we also have video. A lot of people nowadays want the video. They listen in the background, but they can always look over and see. We have that. We have also the link to the YouTube channel, which is a great way to share clips of the show. And finally, of course, an RSS feed which you can subscribe to, because it's a podcast, and you can get Security Now automatically the minute it's available. We do stream the show live as we do it every Wednesday. Normal time would be 1:30 p.m. I'm sorry, Tuesday, 1:30 p.m. Pacific, 4:30 Eastern, 20:30 UTC. We stream in the Discord for club members. Not a club member? For crying out loud, join. Do you get seven bucks a month value out of this? You should join. And we have a lot of other shows too, all ad free if you're a club member. Access to the Discord, special programming that we put on just for club members, like, by the way, the Google I/O keynote today and the Microsoft Build keynote yesterday and the WWDC keynote coming up. Those are all club only. twit.tv/clubtwit. If you're not already a member, subscribe to the show, get it automatically and we will be back for. Oh, I didn't mention where you could see us live. There's so much to talk about. We are on eight different streams. I did mention the Discord, but there's also YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. So there's eight different ways you can watch us live, or just subscribe and you can watch us whenever you feel like it. Now I'm done. Thank you, Steve. Wonderful show. Thank you, everybody, for watching. We'll see you next week on Security.
Steve Gibson
Now we'll be back for 1029. Wait, no. 1027.
Leo Laporte
Don't rush me, man. Don't rush me. Thank you, Steve. Bye. Security Now.
Detailed Summary of "Security Now 1026: Rogue Comms Tech Found in US Power Grid"
Release Date: May 21, 2025
Hosts: Steve Gibson and Leo Laporte
In this episode of Security Now, Steve Gibson and Leo Laporte tackle pressing security concerns, ranging from undisclosed vulnerabilities in the US power grid to emerging threats posed by AI technologies. They also delve into updates in browser security, messaging app protections, and the implications of significant corporate acquisitions on user data privacy.
Timestamp: 13:00
Steve Gibson introduces the critical issue of undocumented communication devices found in Chinese-manufactured solar power inverters and batteries used within the US power grid. These revelations stem from a recent report by Reuters.
Timestamp: 25:55
Trend Micro announces the inclusion of AI infrastructure in its prestigious Pwn2Own competition. Steve Gibson discusses the significance of this integration and its implications for cybersecurity.
Timestamp: 26:27
Steve delves into a controversial paper by Chinese researchers claiming that certain AI systems have surpassed the "self-replication red line," suggesting that these AIs can autonomously create copies of themselves without human intervention.
Timestamp: 58:00
Steve discusses Google Chrome’s new security feature that prevents the browser from being launched with administrative privileges, a measure inherited from Microsoft Edge.
Timestamp: 65:00
Google's Android Messages now includes a manual cryptographic key verification system, enhancing end-to-end encryption security akin to features offered by Threema.
Timestamp: 50:06
Microsoft has reversed its decision to end support for Office apps on Windows 10, extending the support until October 2028 in recognition of the substantial user base still utilizing Windows 10.
Timestamp: 54:21
Regeneron Pharmaceuticals has acquired the remaining assets of 23andMe for $256 million through a bankruptcy auction, raising questions about the future use of user genetic data.
Timestamp: 56:03
Steve addresses various listener questions, including concerns about false positives in software like Windhawk, the security implications of two-factor authentication (2FA) methods, and recommendations for reliable password managers.
Timestamp: 72:28
Steve provides an in-depth recommendation for Bitwarden as a superior password manager, highlighting its open-source nature, cross-platform synchronization, and strong security features.
Timestamp: 130:00
Steve and Leo share their enthusiastic reviews of the second season of Andor, a mature, plot-driven Star Wars spin-off series that avoids the franchise’s lighter elements in favor of a more serious narrative.
Timestamp: 81:10
Steve covers additional topics, including the latest updates on storage maintenance with SpinRite, suggestions for managing secure email archiving, and recommendations for internal network security tools.
Steve and Leo wrap up the episode by emphasizing the importance of staying informed and proactive in addressing emerging security threats. They encourage listeners to utilize recommended security tools like Bitwarden and remain vigilant against vulnerabilities in critical infrastructure.
Closing Note
For those interested in deeper dives into these topics and ongoing discussions on cybersecurity, visiting GRC.com offers a wealth of resources, including tools like SpinRite, transcripts of episodes, and access to their comprehensive DNS benchmark tools.